From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001

From: Patrick Monnerat <patrick@monnerat.net>

Date: Mon, 25 Apr 2022 11:44:05 +0200

Subject: [PATCH] url: check sasl additional parameters for connection reuse.

Also move static function safecmp() as non-static Curl_safecmp() since

its purpose is needed at several places.

Bug: https://curl.se/docs/CVE-2022-22576.html

CVE-2022-22576

Closes #8746

Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/strcase.c   | 10 ++++++++++

 lib/strcase.h   |  2 ++

 lib/url.c       | 13 ++++++++++++-

 lib/urldata.h   |  1 +

 lib/vtls/vtls.c | 21 ++++++---------------

 5 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/lib/strcase.c b/lib/strcase.c

index dd46ca1..692a3f1 100644

--- a/lib/strcase.c

+++ b/lib/strcase.c

@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)

   } while(*src++ && --n);

 }

+/* Compare case-sensitive NUL-terminated strings, taking care of possible

+ * null pointers. Return true if arguments match.

+ */

+bool Curl_safecmp(char *a, char *b)

+{

+  if(a && b)

+    return !strcmp(a, b);

+  return !a && !b;

+}

+

 /* --- public functions --- */

 int curl_strequal(const char *first, const char *second)

diff --git a/lib/strcase.h b/lib/strcase.h

index b628656..382b80a 100644

--- a/lib/strcase.h

+++ b/lib/strcase.h

@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in);

 void Curl_strntoupper(char *dest, const char *src, size_t n);

 void Curl_strntolower(char *dest, const char *src, size_t n);

+bool Curl_safecmp(char *a, char *b);

+

 #endif /* HEADER_CURL_STRCASE_H */

diff --git a/lib/url.c b/lib/url.c

index adef2cd..94e3406 100644

--- a/lib/url.c

+++ b/lib/url.c

@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn)

   Curl_safefree(conn->passwd);

   Curl_safefree(conn->sasl_authzid);

   Curl_safefree(conn->options);

+  Curl_safefree(conn->oauth_bearer);

   Curl_dyn_free(&conn->trailer);

   Curl_safefree(conn->host.rawalloc); /* host name buffer */

   Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */

@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data,

         /* This protocol requires credentials per connection,

            so verify that we're using the same name and password as well */

         if(strcmp(needle->user, check->user) ||

-           strcmp(needle->passwd, check->passwd)) {

+           strcmp(needle->passwd, check->passwd) ||

+           !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||

+           !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {

           /* one of them was different */

           continue;

         }

@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data,

     }

   }

+  if(data->set.str[STRING_BEARER]) {

+    conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);

+    if(!conn->oauth_bearer) {

+      result = CURLE_OUT_OF_MEMORY;

+      goto out;

+    }

+  }

+

 #ifdef USE_UNIX_SOCKETS

   if(data->set.str[STRING_UNIX_SOCKET_PATH]) {

     conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);

diff --git a/lib/urldata.h b/lib/urldata.h

index cc8a600..03da59a 100644

--- a/lib/urldata.h

+++ b/lib/urldata.h

@@ -991,6 +991,7 @@ struct connectdata {

   char *passwd;  /* password string, allocated */

   char *options; /* options string, allocated */

   char *sasl_authzid;     /* authorisation identity string, allocated */

+  char *oauth_bearer; /* OAUTH2 bearer, allocated */

   unsigned char httpversion; /* the HTTP version*10 reported by the server */

   struct curltime now;     /* "current" time */

   struct curltime created; /* creation time */

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c

index 03b85ba..a40ac06 100644

--- a/lib/vtls/vtls.c

+++ b/lib/vtls/vtls.c

@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)

   return !memcmp(first->data, second->data, first->len); /* same data */

 }

-static bool safecmp(char *a, char *b)

-{

-  if(a && b)

-    return !strcmp(a, b);

-  else if(!a && !b)

-    return TRUE; /* match */

-  return FALSE; /* no match */

-}

-

 bool

 Curl_ssl_config_matches(struct ssl_primary_config *data,

@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,

      (data->verifystatus == needle->verifystatus) &&

      blobcmp(data->cert_blob, needle->cert_blob) &&

      blobcmp(data->issuercert_blob, needle->issuercert_blob) &&

-     safecmp(data->CApath, needle->CApath) &&

-     safecmp(data->CAfile, needle->CAfile) &&

-     safecmp(data->issuercert, needle->issuercert) &&

-     safecmp(data->clientcert, needle->clientcert) &&

-     safecmp(data->random_file, needle->random_file) &&

-     safecmp(data->egdsocket, needle->egdsocket) &&

+     Curl_safecmp(data->CApath, needle->CApath) &&

+     Curl_safecmp(data->CAfile, needle->CAfile) &&

+     Curl_safecmp(data->issuercert, needle->issuercert) &&

+     Curl_safecmp(data->clientcert, needle->clientcert) &&

+     Curl_safecmp(data->random_file, needle->random_file) &&

+     Curl_safecmp(data->egdsocket, needle->egdsocket) &&

      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&

      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&

      Curl_safe_strcasecompare(data->curves, needle->curves) &&

-- 

2.34.1