Resolves: CVE-2021-22924 - fix bad connection reuse due to flawed path name checks

0005-curl-7.76.1-CVE-2021-22924.patch

@@ -0,0 +1,279 @@
+From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 19 Jun 2021 00:42:28 +0200
+Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
+ sensitivity
+
+CVE-2021-22924
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+
+Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c          | 10 ++++++----
+ lib/urldata.h      |  4 ++--
+ lib/vtls/gtls.c    | 10 +++++-----
+ lib/vtls/nss.c     |  4 ++--
+ lib/vtls/openssl.c | 18 +++++++++---------
+ lib/vtls/vtls.c    | 26 +++++++++++++++++++++-----
+ 6 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 9f2c9f2..bdcb095 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data,
+   */
+   data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
+   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
++  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
++  data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
+   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+   data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+   data->set.ssl.primary.cipher_list =
+@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.primary.pinned_key =
+     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
+   data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
++  data->set.proxy_ssl.primary.issuercert =
++    data->set.str[STRING_SSL_ISSUERCERT_PROXY];
++  data->set.proxy_ssl.primary.issuercert_blob =
++    data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+-  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
+@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+   data->set.ssl.key = data->set.str[STRING_KEY];
+   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
+@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ #endif
+-
+   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
+-  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
+ 
+   if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
+                                     &conn->ssl_config)) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 2bb7d81..7cf63d0 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -246,6 +246,7 @@ struct ssl_primary_config {
+   long version_max;      /* max supported version the client wants to use*/
+   char *CApath;          /* certificate dir (doesn't work on windows) */
+   char *CAfile;          /* certificate to verify peer against */
++  char *issuercert;      /* optional issuer certificate filename */
+   char *clientcert;
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+@@ -253,6 +254,7 @@ struct ssl_primary_config {
+   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
+   char *pinned_key;
+   struct curl_blob *cert_blob;
++  struct curl_blob *issuercert_blob;
+   char *curves;          /* list of curves to use */
+   BIT(verifypeer);       /* set TRUE if this is desired */
+   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
+@@ -264,8 +266,6 @@ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+   char *CRLfile;   /* CRL to check certificate revocation */
+-  char *issuercert;/* optional issuer certificate filename */
+-  struct curl_blob *issuercert_blob;
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert_type; /* format for certificate (default: PEM)*/
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index ea54fe3..ccc5ce8 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data,
+   if(!chainp) {
+     if(SSL_CONN_CONFIG(verifypeer) ||
+        SSL_CONN_CONFIG(verifyhost) ||
+-       SSL_SET_OPTION(issuercert)) {
++       SSL_CONN_CONFIG(issuercert)) {
+ #ifdef HAVE_GNUTLS_SRP
+       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+          && SSL_SET_OPTION(username) != NULL
+@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data,
+        gnutls_x509_crt_t format */
+     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
++  if(SSL_CONN_CONFIG(issuercert)) {
+     gnutls_x509_crt_init(&x509_issuer);
+-    issuerp = load_file(SSL_SET_OPTION(issuercert));
++    issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+     gnutls_x509_crt_deinit(x509_issuer);
+     unload_file(issuerp);
+     if(rc <= 0) {
+       failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+-            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+       gnutls_x509_crt_deinit(x509_cert);
+       return CURLE_SSL_ISSUER_ERROR;
+     }
+     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+-          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+   }
+ 
+   size = sizeof(certname);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index ae3945c..b0b1e8c 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
+   if(result)
+     goto error;
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
++  if(SSL_CONN_CONFIG(issuercert)) {
+     SECStatus ret = SECFailure;
+-    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
++    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+     if(nickname) {
+       /* we support only nicknames in case of issuercert for now */
+       ret = check_issuer_cert(backend->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 2404393..be7b811 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data,
+        deallocating the certificate. */
+ 
+     /* e.g. match issuer name with provided issuer certificate */
+-    if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
+-      if(SSL_SET_OPTION(issuercert_blob))
+-        fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
+-                             (int)SSL_SET_OPTION(issuercert_blob)->len);
++    if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
++      if(SSL_CONN_CONFIG(issuercert_blob))
++        fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
++                             (int)SSL_CONN_CONFIG(issuercert_blob)->len);
+       else {
+         fp = BIO_new(BIO_s_file());
+         if(fp == NULL) {
+@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data,
+           return CURLE_OUT_OF_MEMORY;
+         }
+ 
+-        if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
++        if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+           if(strict)
+             failf(data, "SSL: Unable to open issuer cert (%s)",
+-                  SSL_SET_OPTION(issuercert));
++                  SSL_CONN_CONFIG(issuercert));
+           BIO_free(fp);
+           X509_free(backend->server_cert);
+           backend->server_cert = NULL;
+@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data,
+       if(!issuer) {
+         if(strict)
+           failf(data, "SSL: Unable to read issuer cert (%s)",
+-                SSL_SET_OPTION(issuercert));
++                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(backend->server_cert);
+@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data,
+       if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
+         if(strict)
+           failf(data, "SSL: Certificate issuer check failed (%s)",
+-                SSL_SET_OPTION(issuercert));
++                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(backend->server_cert);
+@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,
+       }
+ 
+       infof(data, " SSL certificate issuer check ok (%s)\n",
+-            SSL_SET_OPTION(issuercert));
++            SSL_CONN_CONFIG(issuercert));
+       BIO_free(fp);
+       X509_free(issuer);
+     }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index fa8a6fa..1aa6fc8 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+   return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+ 
++static bool safecmp(char *a, char *b)
++{
++  if(a && b)
++    return !strcmp(a, b);
++  else if(!a && !b)
++    return TRUE; /* match */
++  return FALSE; /* no match */
++}
++
++
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+                         struct ssl_primary_config *needle)
+@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&
+      blobcmp(data->cert_blob, needle->cert_blob) &&
+-     Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+-     Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+-     Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+-     Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+-     Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
++     blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
++     safecmp(data->CApath, needle->CApath) &&
++     safecmp(data->CAfile, needle->CAfile) &&
++     safecmp(data->issuercert, needle->issuercert) &&
++     safecmp(data->clientcert, needle->clientcert) &&
++     safecmp(data->random_file, needle->random_file) &&
++     safecmp(data->egdsocket, needle->egdsocket) &&
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->curves, needle->curves) &&
+@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   dest->sessionid = source->sessionid;
+ 
+   CLONE_BLOB(cert_blob);
++  CLONE_BLOB(issuercert_blob);
+   CLONE_STRING(CApath);
+   CLONE_STRING(CAfile);
++  CLONE_STRING(issuercert);
+   CLONE_STRING(clientcert);
+   CLONE_STRING(random_file);
+   CLONE_STRING(egdsocket);
+@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+ {
+   Curl_safefree(sslc->CApath);
+   Curl_safefree(sslc->CAfile);
++  Curl_safefree(sslc->issuercert);
+   Curl_safefree(sslc->clientcert);
+   Curl_safefree(sslc->random_file);
+   Curl_safefree(sslc->egdsocket);
+@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+   Curl_safefree(sslc->cipher_list13);
+   Curl_safefree(sslc->pinned_key);
+   Curl_safefree(sslc->cert_blob);
++  Curl_safefree(sslc->issuercert_blob);
+   Curl_safefree(sslc->curves);
+ }
+ 
+-- 
+2.31.1
+

curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
 
@@ -17,6 +17,9 @@ Patch3:   0003-curl-7.76.1-CVE-2021-22901.patch
 # fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925)
 Patch4:   0004-curl-7.76.1-ldaps-segv.patch
 
+# fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
+Patch5:   0005-curl-7.76.1-CVE-2021-22924.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -195,6 +198,7 @@ be installed.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -374,10 +378,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.76.1-6
-- Rebuilt for RHEL 9 BETA for openssl 3.0
+* Wed Jul 21 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-7
+- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
 
-Related: rhbz#1971065
+* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.76.1-6
+- Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065
 
 * Wed Jun 02 2021 Kamil Dudka <kdudka@redhat.com> - 7.77.0-5
 - build the curl tool without metalink support (#1967213)