Resolves: #1219544 - ssl: set engine implicitly when a PKCS#11 URI is provided
This commit is contained in:
		
							parent
							
								
									35134a4aee
								
							
						
					
					
						commit
						178b0fc823
					
				
							
								
								
									
										272
									
								
								0001-curl-7.61.0-pkcs11.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
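--- /dev/null
+++ b/0001-curl-7.61.0-pkcs11.patch
@@ -0,0 +1,272 @@
+From a9a65ae9f6516faf042b36eca2450db7d34bff47 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Mon, 19 Feb 2018 14:31:06 +0100
+Subject: [PATCH 1/2] ssl: set engine implicitly when a PKCS#11 URI is provided
+
+This allows the use of PKCS#11 URI for certificates and keys without
+setting the corresponding type as "ENG" and the engine as "pkcs11"
+explicitly. If a PKCS#11 URI is provided for certificate, key,
+proxy_certificate or proxy_key, the corresponding type is set as "ENG"
+if not provided and the engine is set to "pkcs11" if not provided.
+
+Acked-by: Nikos Mavrogiannopoulos
+Closes #2333
+
+Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/cmdline-opts/cert.d |  7 ++++++
+ docs/cmdline-opts/key.d  |  7 ++++++
+ lib/vtls/openssl.c       | 38 ++++++++++++++++++++++++++++
+ src/tool_getparam.c      |  2 +-
+ src/tool_operate.c       | 53 ++++++++++++++++++++++++++++++++++++++++
+ tests/unit/unit1394.c    |  3 +++
+ 6 files changed, 109 insertions(+), 1 deletion(-)
+
+diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d
+index adf62fc..510b833 100644
+--- a/docs/cmdline-opts/cert.d
++++ b/docs/cmdline-opts/cert.d
+@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not
+ recognized as password delimiter.  If the nickname contains "\\", it needs to
+ be escaped as "\\\\" so that it is not recognized as an escape character.
+ 
++If curl is built against OpenSSL library, and the engine pkcs11 is available,
++then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in
++a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
++as "pkcs11" if none was provided and the --cert-type option will be set as
++"ENG" if none was provided.
++
+ (iOS and macOS only) If curl is built against Secure Transport, then the
+ certificate string can either be the name of a certificate/private key in the
+ system or user keychain, or the path to a PKCS#12-encoded certificate and
+diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d
+index fbf583a..4877b42 100644
+--- a/docs/cmdline-opts/key.d
++++ b/docs/cmdline-opts/key.d
+@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate
+ file. For SSH, if not specified, curl tries the following candidates in order:
+ '~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'.
+ 
++If curl is built against OpenSSL library, and the engine pkcs11 is available,
++then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a
++PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
++as "pkcs11" if none was provided and the --key-type option will be set as
++"ENG" if none was provided.
++
+ If this option is used several times, the last one will be used.
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 0b1929b..bc46eca 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -558,8 +558,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis)
+   }
+   return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
+ }
++
++/*
++ * Check if a given string is a PKCS#11 URI
++ */
++static bool is_pkcs11_uri(const char *string)
++{
++  if(strncasecompare(string, "pkcs11:", 7)) {
++    return TRUE;
++  }
++  else {
++    return FALSE;
++  }
++}
++
+ #endif
+ 
++static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
++                                     const char *engine);
++
+ static
+ int cert_stuff(struct connectdata *conn,
+                SSL_CTX* ctx,
+@@ -622,6 +639,16 @@ int cert_stuff(struct connectdata *conn,
+     case SSL_FILETYPE_ENGINE:
+ #if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
+       {
++        /* Implicitly use pkcs11 engine if none was provided and the
++         * cert_file is a PKCS#11 URI */
++        if(!data->state.engine) {
++          if(is_pkcs11_uri(cert_file)) {
++            if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
++              return 0;
++            }
++          }
++        }
++
+         if(data->state.engine) {
+           const char *cmd_name = "LOAD_CERT_CTRL";
+           struct {
+@@ -798,6 +825,17 @@ int cert_stuff(struct connectdata *conn,
+ #ifdef USE_OPENSSL_ENGINE
+       {                         /* XXXX still needs some work */
+         EVP_PKEY *priv_key = NULL;
++
++        /* Implicitly use pkcs11 engine if none was provided and the
++         * key_file is a PKCS#11 URI */
++        if(!data->state.engine) {
++          if(is_pkcs11_uri(key_file)) {
++            if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
++              return 0;
++            }
++          }
++        }
++
+         if(data->state.engine) {
+           UI_METHOD *ui_method =
+             UI_create_method((char *)"curl user interface");
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index cc3fcf3..a7bb7f9 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -342,7 +342,7 @@ void parse_cert_parameter(const char *cert_parameter,
+    * looks like a RFC7512 PKCS#11 URI which can be used as-is.
+    * Also if cert_parameter contains no colon nor backslash, this
+    * means no passphrase was given and no characters escaped */
+-  if(!strncmp(cert_parameter, "pkcs11:", 7) ||
++  if(curl_strnequal(cert_parameter, "pkcs11:", 7) ||
+      !strpbrk(cert_parameter, ":\\")) {
+     *certname = strdup(cert_parameter);
+     return;
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index 26fc251..25d450c 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -113,6 +113,19 @@ static bool is_fatal_error(CURLcode code)
+   return FALSE;
+ }
+ 
++/*
++ * Check if a given string is a PKCS#11 URI
++ */
++static bool is_pkcs11_uri(const char *string)
++{
++  if(curl_strnequal(string, "pkcs11:", 7)) {
++    return TRUE;
++  }
++  else {
++    return FALSE;
++  }
++}
++
+ #ifdef __VMS
+ /*
+  * get_vms_file_size does what it takes to get the real size of the file
+@@ -1073,6 +1086,46 @@ static CURLcode operate_do(struct GlobalConfig *global,
+           my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey);
+ 
+         if(curlinfo->features & CURL_VERSION_SSL) {
++          /* Check if config->cert is a PKCS#11 URI and set the
++           * config->cert_type if necessary */
++          if(config->cert) {
++            if(!config->cert_type) {
++              if(is_pkcs11_uri(config->cert)) {
++                config->cert_type = strdup("ENG");
++              }
++            }
++          }
++
++          /* Check if config->key is a PKCS#11 URI and set the
++           * config->key_type if necessary */
++          if(config->key) {
++            if(!config->key_type) {
++              if(is_pkcs11_uri(config->key)) {
++                config->key_type = strdup("ENG");
++              }
++            }
++          }
++
++          /* Check if config->proxy_cert is a PKCS#11 URI and set the
++           * config->proxy_type if necessary */
++          if(config->proxy_cert) {
++            if(!config->proxy_cert_type) {
++              if(is_pkcs11_uri(config->proxy_cert)) {
++                config->proxy_cert_type = strdup("ENG");
++              }
++            }
++          }
++
++          /* Check if config->proxy_key is a PKCS#11 URI and set the
++           * config->proxy_key_type if necessary */
++          if(config->proxy_key) {
++            if(!config->proxy_key_type) {
++              if(is_pkcs11_uri(config->proxy_key)) {
++                config->proxy_key_type = strdup("ENG");
++              }
++            }
++          }
++
+           my_setopt_str(curl, CURLOPT_SSLCERT, config->cert);
+           my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert);
+           my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type);
+diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c
+index 667991d..010f052 100644
+--- a/tests/unit/unit1394.c
++++ b/tests/unit/unit1394.c
+@@ -56,6 +56,9 @@ UNITTEST_START
+     "foo:bar\\\\",            "foo",                "bar\\\\",
+     "foo:bar:",               "foo",                "bar:",
+     "foo\\::bar\\:",          "foo:",               "bar\\:",
++    "pkcs11:foobar",          "pkcs11:foobar",      NULL,
++    "PKCS11:foobar",          "PKCS11:foobar",      NULL,
++    "PkCs11:foobar",          "PkCs11:foobar",      NULL,
+ #ifdef WIN32
+     "c:\\foo:bar:baz",        "c:\\foo",            "bar:baz",
+     "c:\\foo\\:bar:baz",      "c:\\foo:bar",        "baz",
+-- 
+2.17.1
+
+
+From 2be42ac65f4c345ed3ddc97917c8ef54e13fcbfd Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 9 Aug 2018 15:34:22 +0200
+Subject: [PATCH 2/2] docs: add files needed to regenerate curl.1 man page
+
+Bug: https://github.com/curl/curl/pull/2856
+---
+ docs/cmdline-opts/disallow-username-in-url.d |  7 +++++++
+ docs/cmdline-opts/haproxy-protocol.d         | 11 +++++++++++
+ 2 files changed, 18 insertions(+)
+ create mode 100644 docs/cmdline-opts/disallow-username-in-url.d
+ create mode 100644 docs/cmdline-opts/haproxy-protocol.d
+
+diff --git a/docs/cmdline-opts/disallow-username-in-url.d b/docs/cmdline-opts/disallow-username-in-url.d
+new file mode 100644
+index 0000000..a7f46ea
+--- /dev/null
++++ b/docs/cmdline-opts/disallow-username-in-url.d
+@@ -0,0 +1,7 @@
++Long: disallow-username-in-url
++Help: Disallow username in url
++Protocols: HTTP
++Added: 7.61.0
++See-also: proto
++---
++This tells curl to exit if passed a url containing a username.
+diff --git a/docs/cmdline-opts/haproxy-protocol.d b/docs/cmdline-opts/haproxy-protocol.d
+new file mode 100644
+index 0000000..cc41c9c
+--- /dev/null
++++ b/docs/cmdline-opts/haproxy-protocol.d
+@@ -0,0 +1,11 @@
++Long: haproxy-protocol
++Help: Send HAProxy PROXY protocol v1 header
++Protocols: HTTP
++Added: 7.60.0
++---
++Send a HAProxy PROXY protocol v1 header at the beginning of the connection. This
++is used by some load balancers and reverse proxies to indicate the client's
++true IP address and port.
++
++This option is primarily useful when sending test requests to a service that
++expects this header.
+-- 
+2.17.1
+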
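Review bot: In the tool_operate.c hunk, none of the four `config->cert_type = strdup("ENG");` / `key_type` / `proxy_cert_type` / `proxy_key_type` assignments checks the strdup result, so on allocation failure the type silently stays NULL and the later `my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type)` hands libcurl an unset type, which will presumably make it treat the `pkcs11:` string as an ordinary certificate file rather than fail loudly; each assignment should be followed by `if(!config->cert_type) { /* CURLE_OUT_OF_MEMORY via operate_do's existing error path */ }` (operate_do begins and ends outside the hunk, so the exact bail-out form is not visible here). The implicit engine selection in cert_stuff is correctly gated on the ENG file type and on `data->state.engine` being unset, but since `Curl_ossl_set_engine` appears to store the choice on the easy handle it will likely persist for later transfers on that handle, which deserves a note on the new block: `/* the implicitly selected engine stays in data->state.engine for the life of the handle */`. The new cert.d and key.d paragraphs should also warn that a PIN embedded in the URI (the RFC 7512 `pin-value` attribute) is visible in the process's command line and shell history; the `curl user interface` UI method set up in the key path looks like the supported way to supply it out-of-band, but that should be confirmed before documenting it.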
| @ -1,10 +1,13 @@ | ||||
| Summary: A utility for getting files from remote servers (FTP, HTTP, and others) | ||||
| Name: curl | ||||
| Version: 7.61.0 | ||||
| Release: 4%{?dist} | ||||
| Release: 5%{?dist} | ||||
| License: MIT | ||||
| Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz | ||||
| 
 | ||||
| # ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) | ||||
| Patch1:   0001-curl-7.61.0-pkcs11.patch | ||||
| 
 | ||||
| # patch making libcurl multilib ready | ||||
| Patch101: 0101-curl-7.32.0-multilib.patch | ||||
| 
 | ||||
| @ -155,6 +158,7 @@ be installed. | ||||
| %setup -q | ||||
| 
 | ||||
| # upstream patches | ||||
| %patch1 -p1 | ||||
| 
 | ||||
| # Fedora patches | ||||
| %patch101 -p1 | ||||
| @ -321,6 +325,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la | ||||
| %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Aug 09 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-5 | ||||
| - ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) | ||||
| 
 | ||||
| * Tue Aug 07 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-4 | ||||
| - relax crypto policy for the test-suite to make it pass again (#1610888) | ||||
| 
 | ||||
|  | ||||