
From 50481ac42b4beae6ea85345e37b051124ac00f11 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 28 Jan 2022 16:48:38 +0100
Subject: [PATCH 1/3] setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds
Closes #8350
Upstream-commit: 96629ba2c212cda2bd1b7b04e2a9fc01ef70b75d
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/setopt.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/setopt.c b/lib/setopt.c
372e18
index 08827d1..9eaa187 100644
372e18
--- a/lib/setopt.c
372e18
+++ b/lib/setopt.c
372e18
@@ -5,7 +5,7 @@
372e18
  *                            | (__| |_| |  _ <| |___
372e18
  *                             \___|\___/|_| \_\_____|
372e18
  *
372e18
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
372e18
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
372e18
  *
372e18
  * This software is licensed as described in the file COPYING, which
372e18
  * you should have received as part of this distribution. The terms
372e18
@@ -2699,30 +2699,30 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
372e18
     if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
372e18
       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
372e18
     break;
372e18
+#ifndef CURL_DISABLE_PROXY
372e18
   case CURLOPT_PROXY_TLSAUTH_USERNAME:
372e18
     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
372e18
                             va_arg(param, char *));
372e18
-#ifndef CURL_DISABLE_PROXY
372e18
     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
372e18
        !data->set.proxy_ssl.authtype)
372e18
       data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
372e18
-#endif
372e18
     break;
372e18
+#endif
372e18
   case CURLOPT_TLSAUTH_PASSWORD:
372e18
     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
372e18
                             va_arg(param, char *));
372e18
     if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
372e18
       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
372e18
     break;
372e18
+#ifndef CURL_DISABLE_PROXY
372e18
   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
372e18
     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
372e18
                             va_arg(param, char *));
372e18
-#ifndef CURL_DISABLE_PROXY
372e18
     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
372e18
        !data->set.proxy_ssl.authtype)
372e18
       data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
372e18
-#endif
372e18
     break;
372e18
+#endif
372e18
   case CURLOPT_TLSAUTH_TYPE:
372e18
     argptr = va_arg(param, char *);
372e18
     if(!argptr ||
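Review bot: The `#endif` lines this hunk adds close a `#ifndef CURL_DISABLE_PROXY` that now spans whole `case` labels inside an enclosing `#ifdef USE_TLS_SRP` whose own `#endif` lies below the hunk, so each should name what it closes, `#endif /* !CURL_DISABLE_PROXY */`, to keep the nesting readable. Moving the guard outside the `case` also changes observable behaviour in proxy-disabled builds: CURLOPT_PROXY_TLSAUTH_USERNAME/PASSWORD no longer store the string into STRING_TLSAUTH_*_PROXY but fall to the switch default, which presumably reports an unknown option; that deserves a line in the commit message. Curl_vsetopt starts and ends outside the hunk.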
-- 
2.34.1
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 23:13:53 +0200
Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
CVE-2022-27782
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
Closes #8825
Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/setopt.c       | 29 +++++++++++++++++------------
 lib/url.c          | 23 ++++++++++++++++-------
 lib/urldata.h      | 13 +++++++------
 lib/vtls/openssl.c | 10 +++++-----
 lib/vtls/vtls.c    | 21 +++++++++++++++++++++
 5 files changed, 66 insertions(+), 30 deletions(-)
diff --git a/lib/setopt.c b/lib/setopt.c
372e18
index 8e1bf12..7aa6fdb 100644
372e18
--- a/lib/setopt.c
372e18
+++ b/lib/setopt.c
372e18
@@ -2268,6 +2268,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
372e18
 
372e18
   case CURLOPT_SSL_OPTIONS:
372e18
     arg = va_arg(param, long);
372e18
+    data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
372e18
     data->set.ssl.enable_beast =
372e18
       (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
372e18
     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
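Review bot: `(unsigned char)(arg & 0xff)` silently discards any CURLSSLOPT_ bit above bit 7, so a future option flag would still be applied to the handle through the individual bool fields below yet be invisible to Curl_ssl_config_matches, re-opening the reuse mismatch this commit fixes. Either widen `ssl_options` to the `long` the option takes, or document the constraint at the assignment: `/* only the low 8 bits take part in connection matching; keep CURLSSLOPT_* within them */`. The same truncation is repeated for CURLOPT_PROXY_SSL_OPTIONS in the next hunk. Curl_vsetopt starts and ends outside the hunk.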
372e18
@@ -2281,6 +2282,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
372e18
 #ifndef CURL_DISABLE_PROXY
372e18
   case CURLOPT_PROXY_SSL_OPTIONS:
372e18
     arg = va_arg(param, long);
372e18
+    data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
372e18
     data->set.proxy_ssl.enable_beast =
372e18
       (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
372e18
     data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
372e18
@@ -2696,49 +2698,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
372e18
   case CURLOPT_TLSAUTH_USERNAME:
372e18
     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
372e18
                             va_arg(param, char *));
372e18
-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
372e18
-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
372e18
+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
372e18
+       !data->set.ssl.primary.authtype)
372e18
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
372e18
     break;
372e18
 #ifndef CURL_DISABLE_PROXY
372e18
   case CURLOPT_PROXY_TLSAUTH_USERNAME:
372e18
     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
372e18
                             va_arg(param, char *));
372e18
     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
372e18
-       !data->set.proxy_ssl.authtype)
372e18
-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
372e18
+       !data->set.proxy_ssl.primary.authtype)
372e18
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
372e18
+                                                                  SRP */
372e18
     break;
372e18
 #endif
372e18
   case CURLOPT_TLSAUTH_PASSWORD:
372e18
     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
372e18
                             va_arg(param, char *));
372e18
-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
372e18
-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
372e18
+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
372e18
+       !data->set.ssl.primary.authtype)
372e18
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
372e18
     break;
372e18
 #ifndef CURL_DISABLE_PROXY
372e18
   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
372e18
     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
372e18
                             va_arg(param, char *));
372e18
     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
372e18
-       !data->set.proxy_ssl.authtype)
372e18
-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
372e18
+       !data->set.proxy_ssl.primary.authtype)
372e18
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
372e18
     break;
372e18
 #endif
372e18
   case CURLOPT_TLSAUTH_TYPE:
372e18
     argptr = va_arg(param, char *);
372e18
     if(!argptr ||
372e18
        strncasecompare(argptr, "SRP", strlen("SRP")))
372e18
-      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
372e18
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
372e18
     else
372e18
-      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
372e18
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
372e18
     break;
372e18
 #ifndef CURL_DISABLE_PROXY
372e18
   case CURLOPT_PROXY_TLSAUTH_TYPE:
372e18
     argptr = va_arg(param, char *);
372e18
     if(!argptr ||
372e18
        strncasecompare(argptr, "SRP", strlen("SRP")))
372e18
-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
372e18
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
372e18
     else
372e18
-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
372e18
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
372e18
     break;
372e18
 #endif
372e18
 #endif
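Review bot: The trailing comments on the four `primary.authtype = CURL_TLSAUTH_SRP` defaults are now written three different ways (`/* default to SRP */`, a comment wrapped across two lines in the proxy-username case, and `/* default */`), which reads as if they meant different things when the only reason is line length. Put the explanation once above each assignment, `/* a username without an explicit type selects SRP */`, and drop the trailing comments. The password cases key that default on STRING_TLSAUTH_USERNAME being set rather than on the password, which is pre-existing but is exactly what such a comment should say. Curl_vsetopt starts and ends outside the hunk.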
372e18
diff --git a/lib/url.c b/lib/url.c
372e18
index 94e3406..5ebf5e2 100644
372e18
--- a/lib/url.c
372e18
+++ b/lib/url.c
372e18
@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
372e18
   set->ssl.primary.verifypeer = TRUE;
372e18
   set->ssl.primary.verifyhost = TRUE;
372e18
 #ifdef USE_TLS_SRP
372e18
-  set->ssl.authtype = CURL_TLSAUTH_NONE;
372e18
+  set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
372e18
 #endif
372e18
   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
372e18
                                                       type */
372e18
@@ -1719,11 +1719,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
372e18
   conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
372e18
   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
372e18
   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
372e18
+  conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
372e18
+#ifdef USE_TLS_SRP
372e18
+#endif
372e18
 #ifndef CURL_DISABLE_PROXY
372e18
   conn->proxy_ssl_config.verifystatus =
372e18
     data->set.proxy_ssl.primary.verifystatus;
372e18
   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
372e18
   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
372e18
+  conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
372e18
+#ifdef USE_TLS_SRP
372e18
+#endif
372e18
 #endif
372e18
   conn->ip_version = data->set.ipver;
372e18
   conn->bits.connect_only = data->set.connect_only;
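Review bot: The two `#ifdef USE_TLS_SRP` / `#endif` pairs added after the `ssl_options` copies are empty and should be removed; an empty conditional invites someone to "complete" it with a copy of the SRP fields that then diverges from whatever populates conn->ssl_config from data->set.ssl.primary, which is not visible in this hunk. If the intent is to record that the SRP fields are deliberately not copied here, one comment says it better: `/* username/password/authtype are taken over by the primary-config clone, not copied here */` — confirm against the actual clone path before wording it that strongly. allocate_conn starts and ends outside the hunk.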
372e18
@@ -3764,7 +3770,8 @@ static CURLcode create_conn(struct Curl_easy *data,
372e18
     data->set.str[STRING_SSL_ISSUERCERT_PROXY];
372e18
   data->set.proxy_ssl.primary.issuercert_blob =
372e18
     data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
372e18
-  data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
372e18
+  data->set.proxy_ssl.primary.CRLfile =
372e18
+    data->set.str[STRING_SSL_CRLFILE_PROXY];
372e18
   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
372e18
   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
372e18
   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
372e18
@@ -3772,18 +3779,20 @@ static CURLcode create_conn(struct Curl_easy *data,
372e18
   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
372e18
   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
372e18
 #endif
372e18
-  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
372e18
+  data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
372e18
   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
372e18
   data->set.ssl.key = data->set.str[STRING_KEY];
372e18
   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
372e18
   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
372e18
   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
372e18
 #ifdef USE_TLS_SRP
372e18
-  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
372e18
-  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
372e18
+  data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
372e18
+  data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
372e18
 #ifndef CURL_DISABLE_PROXY
372e18
-  data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
372e18
-  data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
372e18
+  data->set.proxy_ssl.primary.username =
372e18
+    data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
372e18
+  data->set.proxy_ssl.primary.password =
372e18
+    data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
372e18
 #endif
372e18
 #endif
372e18
   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
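Review bot: `data->set.ssl.primary.username`/`password` and the proxy pair are raw aliases of `data->set.str[...]`, while this same commit makes Curl_free_primary_ssl_config free `username` and `password`; that is only safe as long as the free routine is ever applied to the strdup'ed per-connection copy and never to `data->set.*.primary`. The pattern already holds for clientcert and CRLfile above, but now that it covers a credential a one-line comment at the top of the block would head off a future double free: `/* these point into set.str[] and are borrowed, never freed through the primary config */`. create_conn starts and ends outside the hunk.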
372e18
diff --git a/lib/urldata.h b/lib/urldata.h
372e18
index 5218f76..e006495 100644
372e18
--- a/lib/urldata.h
372e18
+++ b/lib/urldata.h
372e18
@@ -253,9 +253,16 @@ struct ssl_primary_config {
372e18
   char *cipher_list;     /* list of ciphers to use */
372e18
   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
372e18
   char *pinned_key;
372e18
+  char *CRLfile;         /* CRL to check certificate revocation */
372e18
   struct curl_blob *cert_blob;
372e18
   struct curl_blob *issuercert_blob;
372e18
+#ifdef USE_TLS_SRP
372e18
+  char *username; /* TLS username (for, e.g., SRP) */
372e18
+  char *password; /* TLS password (for, e.g., SRP) */
372e18
+  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
372e18
+#endif
372e18
   char *curves;          /* list of curves to use */
372e18
+  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
372e18
   BIT(verifypeer);       /* set TRUE if this is desired */
372e18
   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
372e18
   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
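Review bot: Moving `password` into `struct ssl_primary_config` means the SRP password is now duplicated into every connection's config by the clone routine and released with a plain free, so the secret lingers in freed heap; the field comment should at least state that, `/* SRP password; copied per connection, not scrubbed on release */`, so the next maintainer knows where the copies live. The `ssl_options` comment should also record that only the low 8 bits of CURLOPT_SSL_OPTIONS are stored, since the setopt side truncates and a wider flag would not take part in matching. The struct definition starts before the hunk.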
372e18
@@ -265,7 +272,6 @@ struct ssl_primary_config {
372e18
 struct ssl_config_data {
372e18
   struct ssl_primary_config primary;
372e18
   long certverifyresult; /* result from the certificate verification */
372e18
-  char *CRLfile;   /* CRL to check certificate revocation */
372e18
   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
372e18
   void *fsslctxp;        /* parameter for call back */
372e18
   char *cert_type; /* format for certificate (default: PEM)*/
372e18
@@ -273,11 +279,6 @@ struct ssl_config_data {
372e18
   struct curl_blob *key_blob;
372e18
   char *key_type; /* format for private key (default: PEM) */
372e18
   char *key_passwd; /* plain text private key password */
372e18
-#ifdef USE_TLS_SRP
372e18
-  char *username; /* TLS username (for, e.g., SRP) */
372e18
-  char *password; /* TLS password (for, e.g., SRP) */
372e18
-  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
372e18
-#endif
372e18
   BIT(certinfo);     /* gather lots of certificate info */
372e18
   BIT(falsestart);
372e18
   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
372e18
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
372e18
index 97c5666..a4ef9d1 100644
372e18
--- a/lib/vtls/openssl.c
372e18
+++ b/lib/vtls/openssl.c
372e18
@@ -2546,7 +2546,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
372e18
 #endif
372e18
   const long int ssl_version = SSL_CONN_CONFIG(version);
372e18
 #ifdef USE_OPENSSL_SRP
372e18
-  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
372e18
+  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
372e18
 #endif
372e18
   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
372e18
   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
372e18
@@ -2554,7 +2554,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
372e18
   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
372e18
   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
372e18
   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
372e18
-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
372e18
+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
372e18
   char error_buffer[256];
372e18
   struct ssl_backend_data *backend = connssl->backend;
372e18
   bool imported_native_ca = false;
372e18
@@ -2859,15 +2859,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
372e18
 #ifdef USE_OPENSSL_SRP
372e18
   if((ssl_authtype == CURL_TLSAUTH_SRP) &&
372e18
      Curl_allow_auth_to_host(data)) {
372e18
-    char * const ssl_username = SSL_SET_OPTION(username);
372e18
-
372e18
+    char * const ssl_username = SSL_SET_OPTION(primary.username);
372e18
+    char * const ssl_password = SSL_SET_OPTION(primary.password);
372e18
     infof(data, "Using TLS-SRP username: %s\n", ssl_username);
372e18
 
372e18
     if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
372e18
       failf(data, "Unable to set SRP user name");
372e18
       return CURLE_BAD_FUNCTION_ARGUMENT;
372e18
     }
372e18
-    if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
372e18
+    if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
372e18
       failf(data, "failed setting SRP password");
372e18
       return CURLE_BAD_FUNCTION_ARGUMENT;
372e18
     }
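Review bot: `ssl_username` and `ssl_password` go straight into `infof` and the two SSL_CTX_set_srp_* calls without a NULL check, yet `authtype` can be SRP through CURLOPT_TLSAUTH_TYPE alone with no username ever set, and whether curl's `%s` and OpenSSL tolerate NULL there is not visible in this hunk. A guard before the infof makes the failure curl's own and deterministic: `if(!ssl_username || !ssl_password) { failf(data, "TLS-SRP requires a username and password"); return CURLE_BAD_FUNCTION_ARGUMENT; }`. Consider also whether the SRP username should be logged at info level at all on a path that handles credentials. ossl_connect_step1 starts and ends outside the hunk.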
372e18
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
372e18
index a40ac06..e2d3438 100644
372e18
--- a/lib/vtls/vtls.c
372e18
+++ b/lib/vtls/vtls.c
372e18
@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
372e18
 {
372e18
   if((data->version == needle->version) &&
372e18
      (data->version_max == needle->version_max) &&
372e18
+     (data->ssl_options == needle->ssl_options) &&
372e18
      (data->verifypeer == needle->verifypeer) &&
372e18
      (data->verifyhost == needle->verifyhost) &&
372e18
      (data->verifystatus == needle->verifystatus) &&
372e18
@@ -143,9 +144,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
372e18
      Curl_safecmp(data->clientcert, needle->clientcert) &&
372e18
      Curl_safecmp(data->random_file, needle->random_file) &&
372e18
      Curl_safecmp(data->egdsocket, needle->egdsocket) &&
372e18
+#ifdef USE_TLS_SRP
372e18
+     Curl_safecmp(data->username, needle->username) &&
372e18
+     Curl_safecmp(data->password, needle->password) &&
372e18
+     (data->authtype == needle->authtype) &&
372e18
+#endif
372e18
      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
372e18
      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
372e18
      Curl_safe_strcasecompare(data->curves, needle->curves) &&
372e18
+     Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
372e18
      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
372e18
     return TRUE;
372e18
 
372e18
@@ -162,6 +169,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
372e18
   dest->verifyhost = source->verifyhost;
372e18
   dest->verifystatus = source->verifystatus;
372e18
   dest->sessionid = source->sessionid;
372e18
+  dest->ssl_options = source->ssl_options;
372e18
+#ifdef USE_TLS_SRP
372e18
+  dest->authtype = source->authtype;
372e18
+#endif
372e18
 
372e18
   CLONE_BLOB(cert_blob);
372e18
   CLONE_BLOB(issuercert_blob);
372e18
@@ -175,6 +186,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
372e18
   CLONE_STRING(cipher_list13);
372e18
   CLONE_STRING(pinned_key);
372e18
   CLONE_STRING(curves);
372e18
+  CLONE_STRING(CRLfile);
372e18
+#ifdef USE_TLS_SRP
372e18
+  CLONE_STRING(username);
372e18
+  CLONE_STRING(password);
372e18
+#endif
372e18
 
372e18
   return TRUE;
372e18
 }
372e18
@@ -193,6 +209,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
372e18
   Curl_safefree(sslc->cert_blob);
372e18
   Curl_safefree(sslc->issuercert_blob);
372e18
   Curl_safefree(sslc->curves);
372e18
+  Curl_safefree(sslc->CRLfile);
372e18
+#ifdef USE_TLS_SRP
372e18
+  Curl_safefree(sslc->username);
372e18
+  Curl_safefree(sslc->password);
372e18
+#endif
372e18
 }
372e18
 
372e18
 #ifdef USE_SSL
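Review bot: `Curl_safefree(sslc->password)` releases the per-connection copy of the SRP password without clearing it, so the secret stays readable in freed heap for the life of the process, and this commit is what starts making those copies, so this is the place to deal with it. A plain `memset` before the free can be optimised away; if this tree has an explicit-clear helper use it here, otherwise mark the gap so it is visible: `/* TODO: scrub the SRP password copy before release */`. Curl_free_primary_ssl_config starts before the hunk.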
-- 
2.34.1
From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 23:13:53 +0200
Subject: [PATCH 3/3] url: check SSH config match on connection reuse
CVE-2022-27782
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
Closes #8825
Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/url.c      | 11 +++++++++++
 lib/vssh/ssh.h |  6 +++---
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/lib/url.c b/lib/url.c
372e18
index 5ebf5e2..c713e54 100644
372e18
--- a/lib/url.c
372e18
+++ b/lib/url.c
372e18
@@ -1073,6 +1073,12 @@ static void prune_dead_connections(struct Curl_easy *data)
372e18
   }
372e18
 }
372e18
 
372e18
+static bool ssh_config_matches(struct connectdata *one,
372e18
+                               struct connectdata *two)
372e18
+{
372e18
+  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
372e18
+          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
372e18
+}
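Review bot: `ssh_config_matches` is inserted with no blank line and no header of its own, so the existing block comment that follows it now reads as if it described this helper; add a blank line and a one-liner, `/* true when both connections were configured with the same SSH key files */`. The comparison covers only `rsa` and `rsa_pub`; `passphrase`, declared next to them in ssh.h, is not compared, which is presumably fine because a wrong passphrase cannot authenticate, but that reasoning belongs in the comment. Whether Curl_safecmp treats two NULL paths as equal is not visible here and matters for connections that never set a key file.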
372e18
 /*
372e18
  * Given one filled in connection struct (named needle), this function should
372e18
  * detect if there already is one that has all the significant details
372e18
@@ -1319,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
372e18
         }
372e18
       }
372e18
 
372e18
+      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
372e18
+        if(!ssh_config_matches(needle, check))
372e18
+          continue;
372e18
+      }
372e18
+
372e18
       if((needle->handler->flags&PROTOPT_SSL)
372e18
 #ifndef CURL_DISABLE_PROXY
372e18
          || !needle->bits.httpproxy || needle->bits.tunnel_proxy
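Review bot: The new check reads `check->proto.sshc` after testing only the needle's protocol family; that is safe only if an earlier condition in ConnectionExists has already established that `check` uses the same handler (`proto` is presumably a union), and that condition is outside this hunk, so it should be stated at the call: `/* same handler already required above, so check->proto.sshc is valid */`. A short note on why SSH gets its own branch, that key files live in proto.sshc rather than in ssl_config, would also help a reader who expects everything to go through the TLS match below. ConnectionExists starts and ends outside the hunk.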
372e18
diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
372e18
index 7972081..30d82e5 100644
372e18
--- a/lib/vssh/ssh.h
372e18
+++ b/lib/vssh/ssh.h
372e18
@@ -7,7 +7,7 @@
372e18
  *                            | (__| |_| |  _ <| |___
372e18
  *                             \___|\___/|_| \_\_____|
372e18
  *
372e18
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
372e18
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
372e18
  *
372e18
  * This software is licensed as described in the file COPYING, which
372e18
  * you should have received as part of this distribution. The terms
372e18
@@ -131,8 +131,8 @@ struct ssh_conn {
372e18
 
372e18
   /* common */
372e18
   const char *passphrase;     /* pass-phrase to use */
372e18
-  char *rsa_pub;              /* path name */
372e18
-  char *rsa;                  /* path name */
372e18
+  char *rsa_pub;              /* strdup'ed public key file */
372e18
+  char *rsa;                  /* strdup'ed private key file */
372e18
   bool authed;                /* the connection has been authenticated fine */
372e18
   bool acceptfail;            /* used by the SFTP_QUOTE (continue if
372e18
                                  quote command fails) */
-- 
2.34.1