
From 673adb0a7a21ca3a877ee03dc9e197d5be15a9d3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 2 Dec 2019 10:45:55 +0100
Subject: [PATCH 1/3] openssl: set X509_V_FLAG_PARTIAL_CHAIN
Have intermediate certificates in the trust store be treated as
9b977c
trust-anchors, in the same way as self-signed root CA certificates
9b977c
are. This allows users to verify servers using the intermediate cert
9b977c
only, instead of needing the whole chain.
9b977c
9b977c
Other TLS backends already accept partial chains.
9b977c
9b977c
Reported-by: Jeffrey Walton
9b977c
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
9b977c
9b977c
Upstream-commit: 94f1f771586913addf5c68f9219e176036c50115
9b977c
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
9b977c
---
9b977c
 lib/vtls/openssl.c | 26 +++++++++++++++++---------
9b977c
 1 file changed, 17 insertions(+), 9 deletions(-)
9b977c
9b977c
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
9b977c
index d8bcc4f..8e791b9 100644
9b977c
--- a/lib/vtls/openssl.c
9b977c
+++ b/lib/vtls/openssl.c
9b977c
@@ -2551,19 +2551,27 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
9b977c
     infof(data, "  CRLfile: %s\n", ssl_crlfile);
9b977c
   }
9b977c
 
9b977c
-  /* Try building a chain using issuers in the trusted store first to avoid
9b977c
-  problems with server-sent legacy intermediates.
9b977c
-  Newer versions of OpenSSL do alternate chain checking by default which
9b977c
-  gives us the same fix without as much of a performance hit (slight), so we
9b977c
-  prefer that if available.
9b977c
-  https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
9b977c
-  */
9b977c
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
9b977c
   if(verifypeer) {
9b977c
+    /* Try building a chain using issuers in the trusted store first to avoid
9b977c
+       problems with server-sent legacy intermediates.  Newer versions of
9b977c
+       OpenSSL do alternate chain checking by default which gives us the same
9b977c
+       fix without as much of a performance hit (slight), so we prefer that if
9b977c
+       available.
9b977c
+       https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
9b977c
+    */
9b977c
+#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
9b977c
     X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
9b977c
                          X509_V_FLAG_TRUSTED_FIRST);
9b977c
-  }
9b977c
 #endif
9b977c
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
9b977c
+    /* Have intermediate certificates in the trust store be treated as
9b977c
+       trust-anchors, in the same way as self-signed root CA certificates
9b977c
+       are. This allows users to verify servers using the intermediate cert
9b977c
+       only, instead of needing the whole chain. */
9b977c
+    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
9b977c
+                         X509_V_FLAG_PARTIAL_CHAIN);
9b977c
+#endif
9b977c
+  }
9b977c
 
9b977c
   /* SSL always tries to verify the peer, this only says whether it should
9b977c
    * fail to connect if the verification fails, or if it should continue
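Review bot: The new `#ifdef X509_V_FLAG_PARTIAL_CHAIN` block widens the trust policy but its comment only describes the convenience, not the cost: with this flag OpenSSL accepts a chain that terminates at any certificate present in CAfile/CApath, not only at a self-signed root, so every intermediate an operator drops into the bundle "for completeness" silently becomes a trust anchor. I would extend the comment with `/* Security note: any certificate in CAfile/CApath, self-signed or not, now terminates verification, so the trust store must be curated with that in mind. */`. There is also no trace of the new behaviour; a line next to the existing CRLfile trace, e.g. `infof(data, "  partial certificate chains accepted\n");`, would make an unexpectedly successful (or failing) verification much easier to diagnose. ossl_connect_step1 starts and ends outside the hunk.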
9b977c
-- 
9b977c
2.26.2
9b977c
9b977c
9b977c
From b2e6e39b60e1722aecf250ff79a69867df5d3aa8 Mon Sep 17 00:00:00 2001
9b977c
From: Daniel Stenberg <daniel@haxx.se>
9b977c
Date: Mon, 2 Dec 2019 10:55:33 +0100
9b977c
Subject: [PATCH 2/3] openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial
9b977c
 cert chains
9b977c
9b977c
Closes #4655
9b977c
9b977c
Upstream-commit: 564d88a8bd190a21b362d6da535fccf74d33394d
9b977c
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
9b977c
---
9b977c
 docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 | 40 +++++++++++++------------
9b977c
 docs/libcurl/symbols-in-versions        |  1 +
9b977c
 include/curl/curl.h                     |  4 +++
9b977c
 lib/setopt.c                            |  1 +
9b977c
 lib/urldata.h                           |  1 +
9b977c
 lib/vtls/openssl.c                      | 14 +++++----
9b977c
 6 files changed, 36 insertions(+), 25 deletions(-)
9b977c
9b977c
diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
9b977c
index d781434..6286a64 100644
9b977c
--- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
9b977c
+++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
9b977c
@@ -29,25 +29,27 @@ CURLOPT_SSL_OPTIONS \- set SSL behavior options
9b977c
 
9b977c
 CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
9b977c
 .SH DESCRIPTION
9b977c
-Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
9b977c
-
9b977c
-\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any
9b977c
-workarounds for a security flaw in the SSL3 and TLS1.0 protocols.  If this
9b977c
-option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a
9b977c
-work-around for this flaw although it might cause interoperability problems
9b977c
-with some (older) SSL implementations. WARNING: avoiding this work-around
9b977c
-lessens the security, and by setting this option to 1 you ask for exactly that.
9b977c
-This option is only supported for DarwinSSL, NSS and OpenSSL.
9b977c
-
9b977c
-Added in 7.44.0:
9b977c
-
9b977c
-\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
9b977c
-checks for those SSL backends where such behavior is present. \fBCurrently this
9b977c
-option is only supported for WinSSL (the native Windows SSL library), with an
9b977c
-exception in the case of Windows' Untrusted Publishers blacklist which it seems
9b977c
-can't be bypassed.\fP This option may have broader support to accommodate other
9b977c
-SSL backends in the future.
9b977c
-https://curl.haxx.se/docs/ssl-compared.html
9b977c
+Pass a long with a bitmask to tell libcurl about specific SSL
9b977c
+behaviors. Available bits:
9b977c
+.IP CURLSSLOPT_ALLOW_BEAST
9b977c
+Tells libcurl to not attempt to use any workarounds for a security flaw in the
9b977c
+SSL3 and TLS1.0 protocols.  If this option isn't used or this bit is set to 0,
9b977c
+the SSL layer libcurl uses may use a work-around for this flaw although it
9b977c
+might cause interoperability problems with some (older) SSL
9b977c
+implementations. WARNING: avoiding this work-around lessens the security, and
9b977c
+by setting this option to 1 you ask for exactly that.  This option is only
9b977c
+supported for DarwinSSL, NSS and OpenSSL.
9b977c
+.IP CURLSSLOPT_NO_REVOKE
9b977c
+Tells libcurl to disable certificate revocation checks for those SSL backends
9b977c
+where such behavior is present. This option is only supported for Schannel
9b977c
+(the native Windows SSL library), with an exception in the case of Windows'
9b977c
+Untrusted Publishers blacklist which it seems can't be bypassed. (Added in
9b977c
+7.44.0)
9b977c
+.IP CURLSSLOPT_NO_PARTIALCHAIN
9b977c
+Tells libcurl to not accept "partial" certificate chains, which it otherwise
9b977c
+does by default. This option is only supported for OpenSSL and will fail the
9b977c
+certificate verification if the chain ends with an intermediate certificate
9b977c
+and not with a root cert. (Added in 7.68.0)
9b977c
 .SH DEFAULT
9b977c
 0
9b977c
 .SH PROTOCOLS
9b977c
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
9b977c
index 3b3861f..54923d0 100644
9b977c
--- a/docs/libcurl/symbols-in-versions
9b977c
+++ b/docs/libcurl/symbols-in-versions
9b977c
@@ -713,6 +713,7 @@ CURLSSLBACKEND_QSOSSL           7.34.0        -           7.38.1
9b977c
 CURLSSLBACKEND_SCHANNEL         7.34.0
9b977c
 CURLSSLBACKEND_WOLFSSL          7.49.0
9b977c
 CURLSSLOPT_ALLOW_BEAST          7.25.0
9b977c
+CURLSSLOPT_NO_PARTIALCHAIN      7.68.0
9b977c
 CURLSSLOPT_NO_REVOKE            7.44.0
9b977c
 CURLSSLSET_NO_BACKENDS          7.56.0
9b977c
 CURLSSLSET_OK                   7.56.0
9b977c
diff --git a/include/curl/curl.h b/include/curl/curl.h
9b977c
index 8f473e2..75f9384 100644
9b977c
--- a/include/curl/curl.h
9b977c
+++ b/include/curl/curl.h
9b977c
@@ -795,6 +795,10 @@ typedef enum {
9b977c
    SSL backends where such behavior is present. */
9b977c
 #define CURLSSLOPT_NO_REVOKE (1<<1)
9b977c
 
9b977c
+/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain
9b977c
+   if possible. The OpenSSL backend has this ability. */
9b977c
+#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2)
9b977c
+
9b977c
 /* The default connection attempt delay in milliseconds for happy eyeballs.
9b977c
    CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
9b977c
    this value, keep them in sync. */
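Review bot: The header comment on `CURLSSLOPT_NO_PARTIALCHAIN` says "if possible" without stating the consequence: on any backend other than OpenSSL the bit is accepted by curl_easy_setopt and then ignored, so an application that sets it to enforce a strict root-terminated chain gets no error and no stricter verification. Since this is a security-relevant option, I would spell that out: `/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain. Only the OpenSSL backend honours it; other backends silently ignore the bit, so do not rely on it for a strict-chain policy without first confirming which backend is in use. */`.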
9b977c
diff --git a/lib/setopt.c b/lib/setopt.c
9b977c
index 5c5f4b3..4f04962 100644
9b977c
--- a/lib/setopt.c
9b977c
+++ b/lib/setopt.c
9b977c
@@ -2046,6 +2046,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
9b977c
     arg = va_arg(param, long);
9b977c
     data->set.ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
9b977c
     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
9b977c
+    data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
9b977c
     break;
9b977c
 
9b977c
   case CURLOPT_PROXY_SSL_OPTIONS:
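Review bot: Only the `CURLOPT_SSL_OPTIONS` case learns the new bit; the `CURLOPT_PROXY_SSL_OPTIONS` case that begins on the hunk's last line is not touched, and its body lies outside the hunk. If that case mirrors the three assignments here (as `enable_beast` and `no_revoke` suggest), it needs the equivalent `no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);` on the proxy SSL config, otherwise an HTTPS-proxy handshake cannot opt out of partial chains even though the OpenSSL code reads the setting through `SSL_SET_OPTION()`, which presumably selects the proxy config for proxy connections. Curl_vsetopt starts and ends outside the hunk.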
9b977c
diff --git a/lib/urldata.h b/lib/urldata.h
9b977c
index 4b70cc5..c70290a 100644
9b977c
--- a/lib/urldata.h
9b977c
+++ b/lib/urldata.h
9b977c
@@ -235,6 +235,7 @@ struct ssl_config_data {
9b977c
   bool enable_beast; /* especially allow this flaw for interoperability's
9b977c
                         sake*/
9b977c
   bool no_revoke;    /* disable SSL certificate revocation checks */
9b977c
+  bool no_partialchain;  /* don't accept partial certificate chains */
9b977c
   long certverifyresult; /* result from the certificate verification */
9b977c
   char *CRLfile;   /* CRL to check certificate revocation */
9b977c
   char *issuercert;/* optional issuer certificate filename */
9b977c
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
9b977c
index 8e791b9..87f6c4c 100644
9b977c
--- a/lib/vtls/openssl.c
9b977c
+++ b/lib/vtls/openssl.c
9b977c
@@ -2564,12 +2564,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
9b977c
                          X509_V_FLAG_TRUSTED_FIRST);
9b977c
 #endif
9b977c
 #ifdef X509_V_FLAG_PARTIAL_CHAIN
9b977c
-    /* Have intermediate certificates in the trust store be treated as
9b977c
-       trust-anchors, in the same way as self-signed root CA certificates
9b977c
-       are. This allows users to verify servers using the intermediate cert
9b977c
-       only, instead of needing the whole chain. */
9b977c
-    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
9b977c
-                         X509_V_FLAG_PARTIAL_CHAIN);
9b977c
+    if(!SSL_SET_OPTION(no_partialchain)) {
9b977c
+      /* Have intermediate certificates in the trust store be treated as
9b977c
+         trust-anchors, in the same way as self-signed root CA certificates
9b977c
+         are. This allows users to verify servers using the intermediate cert
9b977c
+         only, instead of needing the whole chain. */
9b977c
+      X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
9b977c
+                           X509_V_FLAG_PARTIAL_CHAIN);
9b977c
+    }
9b977c
 #endif
9b977c
   }
9b977c
 
9b977c
-- 
9b977c
2.26.2
9b977c
9b977c
9b977c
From d149ba12f302e5275b408d82ffb349eac16b9226 Mon Sep 17 00:00:00 2001
9b977c
From: Daniel Stenberg <daniel@haxx.se>
9b977c
Date: Mon, 11 May 2020 23:00:31 +0200
9b977c
Subject: [PATCH 3/3] OpenSSL: have CURLOPT_CRLFILE imply
9b977c
 CURLSSLOPT_NO_PARTIALCHAIN
9b977c
9b977c
... to avoid an OpenSSL bug that otherwise makes the CRL check fail.
9b977c
9b977c
Reported-by: Michael Kaufmann
9b977c
Fixes #5374
9b977c
Closes #5376
9b977c
9b977c
Upstream-commit: 81a54b12c631e8126e3eb484c74040b991e78f0c
9b977c
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
9b977c
---
9b977c
 docs/libcurl/opts/CURLOPT_CRLFILE.3 | 13 ++++++++-----
9b977c
 lib/vtls/openssl.c                  |  8 ++++++--
9b977c
 2 files changed, 14 insertions(+), 7 deletions(-)
9b977c
9b977c
diff --git a/docs/libcurl/opts/CURLOPT_CRLFILE.3 b/docs/libcurl/opts/CURLOPT_CRLFILE.3
9b977c
index 080caa7..f111585 100644
9b977c
--- a/docs/libcurl/opts/CURLOPT_CRLFILE.3
9b977c
+++ b/docs/libcurl/opts/CURLOPT_CRLFILE.3
9b977c
@@ -5,7 +5,7 @@
9b977c
 .\" *                            | (__| |_| |  _ <| |___
9b977c
 .\" *                             \___|\___/|_| \_\_____|
9b977c
 .\" *
9b977c
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
9b977c
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
9b977c
 .\" *
9b977c
 .\" * This software is licensed as described in the file COPYING, which
9b977c
 .\" * you should have received as part of this distribution. The terms
9b977c
@@ -34,10 +34,13 @@ concatenation of CRL (in PEM format) to use in the certificate validation that
9b977c
 occurs during the SSL exchange.
9b977c
 
9b977c
 When curl is built to use NSS or GnuTLS, there is no way to influence the use
9b977c
-of CRL passed to help in the verification process. When libcurl is built with
9b977c
-OpenSSL support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both
9b977c
-set, requiring CRL check against all the elements of the certificate chain if
9b977c
-a CRL file is passed.
9b977c
+of CRL passed to help in the verification process.
9b977c
+
9b977c
+When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
9b977c
+X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the
9b977c
+elements of the certificate chain if a CRL file is passed. Also note that
9b977c
+\fICURLOPT_CRLFILE(3)\fP will imply \fBCURLSSLOPT_NO_PARTIALCHAIN\fP (see
9b977c
+\fICURLOPT_SSL_OPTIONS(3)\fP) since curl 7.71.0 due to an OpenSSL bug.
9b977c
 
9b977c
 This option makes sense only when used in combination with the
9b977c
 \fICURLOPT_SSL_VERIFYPEER(3)\fP option.
9b977c
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
9b977c
index 87f6c4c..9476773 100644
9b977c
--- a/lib/vtls/openssl.c
9b977c
+++ b/lib/vtls/openssl.c
9b977c
@@ -2564,11 +2564,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
9b977c
                          X509_V_FLAG_TRUSTED_FIRST);
9b977c
 #endif
9b977c
 #ifdef X509_V_FLAG_PARTIAL_CHAIN
9b977c
-    if(!SSL_SET_OPTION(no_partialchain)) {
9b977c
+    if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
9b977c
       /* Have intermediate certificates in the trust store be treated as
9b977c
          trust-anchors, in the same way as self-signed root CA certificates
9b977c
          are. This allows users to verify servers using the intermediate cert
9b977c
-         only, instead of needing the whole chain. */
9b977c
+         only, instead of needing the whole chain.
9b977c
+
9b977c
+         Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
9b977c
+         cannot do partial chains with CRL check.
9b977c
+      */
9b977c
       X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
9b977c
                            X509_V_FLAG_PARTIAL_CHAIN);
9b977c
     }
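Review bot: The added `&& !ssl_crlfile` condition changes verification policy silently: a user whose CAfile holds only an intermediate and who later sets CURLOPT_CRLFILE gets a hard verification failure with no trace saying that partial chains were switched off for that connection. Add a diagnostic in an `else if(ssl_crlfile)` branch, e.g. `infof(data, "  CRLfile set: partial certificate chains disabled\n");`, next to the existing CRLfile trace. The workaround is keyed to OpenSSL issue 5081 but carries no version gate, so it will keep disabling partial chains on OpenSSL builds where that bug is fixed; if a fixed release is known, consider gating the `!ssl_crlfile` test on the OpenSSL version, as is presumably done elsewhere in this file. ssl_crlfile is assigned above the hunk, and ossl_connect_step1 starts and ends outside it.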
9b977c
-- 
9b977c
2.26.2
9b977c