new upstream release - 7.43.0 (fixes CVE-2015-3236 and CVE-2015-3237)
This commit is contained in:
Kamil Dudka
parent
a21f0d7f44
commit
712c550596
@ -1,150 +0,0 @@
|
||||
From e5b6de7f78806f82dee0c5359e18d904e56836c6 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Wed, 25 Mar 2015 13:48:41 +0100
|
||||
Subject: [PATCH] nss: implement public key pinning for NSS backend
|
||||
|
||||
Bug: https://bugzilla.redhat.com/1195771
|
||||
|
||||
Upstream-commit: b47c17d67c9b5c9e985375b090f0140bf43cb146
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/curl.1 | 3 +-
|
||||
docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 | 2 +-
|
||||
lib/vtls/nss.c | 53 +++++++++++++++++++++++++++++
|
||||
src/tool_help.c | 2 +-
|
||||
tests/runtests.pl | 1 +
|
||||
5 files changed, 58 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/docs/curl.1 b/docs/curl.1
|
||||
index 908f648..0e56715 100644
|
||||
--- a/docs/curl.1
|
||||
+++ b/docs/curl.1
|
||||
@@ -548,7 +548,8 @@ indicating its identity. A public key is extracted from this certificate and
|
||||
if it does not exactly match the public key provided to this option, curl will
|
||||
abort the connection before sending or receiving any data.
|
||||
|
||||
-This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends.
|
||||
+This is currently only implemented in the OpenSSL, GnuTLS, NSS and GSKit
|
||||
+backends.
|
||||
|
||||
If this option is used several times, the last one will be used.
|
||||
(Added in 7.39.0)
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
|
||||
index 2d86392..4cc68b1 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
|
||||
@@ -52,7 +52,7 @@ if(curl) {
|
||||
.fi
|
||||
.SH AVAILABILITY
|
||||
If built TLS enabled. This is currently only implemented in the OpenSSL,
|
||||
-GnuTLS and GSKit backends.
|
||||
+GnuTLS, NSS and GSKit backends.
|
||||
|
||||
Added in libcurl 7.39.0
|
||||
.SH RETURN VALUE
|
||||
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||
index feb00ca..daf12a9 100644
|
||||
--- a/lib/vtls/nss.c
|
||||
+++ b/lib/vtls/nss.c
|
||||
@@ -56,6 +56,7 @@
|
||||
#include <base64.h>
|
||||
#include <cert.h>
|
||||
#include <prerror.h>
|
||||
+#include <keyhi.h> /* for SECKEY_DestroyPublicKey() */
|
||||
|
||||
#define NSSVERNUM ((NSS_VMAJOR<<16)|(NSS_VMINOR<<8)|NSS_VPATCH)
|
||||
|
||||
@@ -943,6 +944,53 @@ static SECStatus check_issuer_cert(PRFileDesc *sock,
|
||||
return res;
|
||||
}
|
||||
|
||||
+static CURLcode cmp_peer_pubkey(struct ssl_connect_data *connssl,
|
||||
+ const char *pinnedpubkey)
|
||||
+{
|
||||
+ CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
|
||||
+ struct SessionHandle *data = connssl->data;
|
||||
+ CERTCertificate *cert;
|
||||
+
|
||||
+ if(!pinnedpubkey)
|
||||
+ /* no pinned public key specified */
|
||||
+ return CURLE_OK;
|
||||
+
|
||||
+ /* get peer certificate */
|
||||
+ cert = SSL_PeerCertificate(connssl->handle);
|
||||
+ if(cert) {
|
||||
+ /* extract public key from peer certificate */
|
||||
+ SECKEYPublicKey *pubkey = CERT_ExtractPublicKey(cert);
|
||||
+ if(pubkey) {
|
||||
+ /* encode the public key as DER */
|
||||
+ SECItem *cert_der = PK11_DEREncodePublicKey(pubkey);
|
||||
+ if(cert_der) {
|
||||
+ /* compare the public key with the pinned public key */
|
||||
+ result = Curl_pin_peer_pubkey(pinnedpubkey,
|
||||
+ cert_der->data,
|
||||
+ cert_der->len);
|
||||
+ SECITEM_FreeItem(cert_der, PR_TRUE);
|
||||
+ }
|
||||
+ SECKEY_DestroyPublicKey(pubkey);
|
||||
+ }
|
||||
+ CERT_DestroyCertificate(cert);
|
||||
+ }
|
||||
+
|
||||
+ /* report the resulting status */
|
||||
+ switch(result) {
|
||||
+ case CURLE_OK:
|
||||
+ infof(data, "pinned public key verified successfully!\n");
|
||||
+ break;
|
||||
+ case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
|
||||
+ failf(data, "failed to verify pinned public key");
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* OOM, etc. */
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ return result;
|
||||
+}
|
||||
+
|
||||
/**
|
||||
*
|
||||
* Callback to pick the SSL client certificate.
|
||||
@@ -1806,6 +1854,11 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
||||
}
|
||||
}
|
||||
|
||||
+ result = cmp_peer_pubkey(connssl, data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
|
||||
+ if(result)
|
||||
+ /* status already printed */
|
||||
+ goto error;
|
||||
+
|
||||
return CURLE_OK;
|
||||
|
||||
error:
|
||||
diff --git a/src/tool_help.c b/src/tool_help.c
|
||||
index bb7aa7c..27638ef 100644
|
||||
--- a/src/tool_help.c
|
||||
+++ b/src/tool_help.c
|
||||
@@ -156,7 +156,7 @@ static const char *const helptext[] = {
|
||||
" --pass PASS Pass phrase for the private key (SSL/SSH)",
|
||||
" --path-as-is Do not squash .. sequences in URL path",
|
||||
" --pinnedpubkey FILE Public key (PEM/DER) to verify peer against "
|
||||
- "(OpenSSL/GnuTLS/GSKit only)",
|
||||
+ "(OpenSSL/GnuTLS/NSS/GSKit only)",
|
||||
" --post301 "
|
||||
"Do not switch to GET after following a 301 redirect (H)",
|
||||
" --post302 "
|
||||
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
||||
index ef9d3c8..b64c423 100755
|
||||
--- a/tests/runtests.pl
|
||||
+++ b/tests/runtests.pl
|
||||
@@ -2346,6 +2346,7 @@ sub checksystem {
|
||||
}
|
||||
elsif ($libcurl =~ /nss/i) {
|
||||
$has_nss=1;
|
||||
+ $has_sslpinning=1;
|
||||
$ssllib="NSS";
|
||||
}
|
||||
elsif ($libcurl =~ /(yassl|wolfssl)/i) {
|
||||
--
|
||||
2.3.5
|
||||
|
||||
@ -12,7 +12,7 @@ diff --git a/configure b/configure
|
||||
index 8f079a3..53b4774 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -16068,18 +16068,11 @@ $as_echo "yes" >&6; }
|
||||
@@ -16075,18 +16075,11 @@ $as_echo "yes" >&6; }
|
||||
gccvhi=`echo $gccver | cut -d . -f1`
|
||||
gccvlo=`echo $gccver | cut -d . -f2`
|
||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||
|
||||
@ -1,25 +0,0 @@
|
||||
From c6246783cf347652f70d95c0562dd411747e9d53 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Wed, 31 Oct 2012 11:40:30 +0100
|
||||
Subject: [PATCH] Fix character encoding of docs
|
||||
|
||||
..., which are of mixed encoding originally so a simple iconv can't
|
||||
fix them.
|
||||
---
|
||||
README | 2 +-
|
||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/README b/README
|
||||
index 2ffacc3..cfd6760 100644
|
||||
--- a/README
|
||||
+++ b/README
|
||||
@@ -45,5 +45,5 @@ GIT
|
||||
NOTICE
|
||||
|
||||
Curl contains pieces of source code that is Copyright (c) 1998, 1999
|
||||
- Kungliga Tekniska Högskolan. This notice is included here to comply with the
|
||||
+ Kungliga Tekniska Högskolan. This notice is included here to comply with the
|
||||
distribution terms.
|
||||
--
|
||||
1.7.1
|
||||
|
||||
@ -1,7 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iEYEABECAAYFAlVAdY8ACgkQeOEcayedXJEnugCeKbbLQ/LtJLXKFY4RI1pxERMo
|
||||
9dIAnRheh6V5PzOCo1CuzaAfyVM+5Xfj
|
||||
=kzMD
|
||||
-----END PGP SIGNATURE-----
|
||||
7
curl-7.43.0.tar.lzma.asc
Normal file
7
curl-7.43.0.tar.lzma.asc
Normal file
@ -0,0 +1,7 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iEYEABECAAYFAlWBDEMACgkQeOEcayedXJEmEACfRhRhpQINTGbbdK2u/p97qMzq
|
||||
EBsAn1SxVVYoOudPZ0SOZ+10cau0b0sC
|
||||
=Zuc9
|
||||
-----END PGP SIGNATURE-----
|
||||
16
curl.spec
16
curl.spec
@ -1,15 +1,12 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.42.1
|
||||
Release: 3%{?dist}
|
||||
Version: 7.43.0
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Group: Applications/Internet
|
||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
||||
Source2: curlbuild.h
|
||||
|
||||
# implement public key pinning for NSS backend (#1195771)
|
||||
Patch1: 0001-curl-7.42.1-b47c17d6.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -22,10 +19,6 @@ Patch104: 0104-curl-7.19.7-localhost6.patch
|
||||
# work around valgrind bug (#678518)
|
||||
Patch107: 0107-curl-7.21.4-libidn-valgrind.patch
|
||||
|
||||
# Fix character encoding of docs, which are of mixed encoding originally so
|
||||
# a simple iconv can't fix them
|
||||
Patch108: 0108-curl-7.32.0-utf8.patch
|
||||
|
||||
Provides: webclient
|
||||
URL: http://curl.haxx.se/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
|
||||
@ -118,14 +111,12 @@ documentation of the library, too.
|
||||
%setup -q
|
||||
|
||||
# upstream patches
|
||||
%patch1 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
%patch102 -p1
|
||||
%patch104 -p1
|
||||
%patch107 -p1
|
||||
%patch108 -p1
|
||||
|
||||
# replace hard wired port numbers in the test suite (this only boosts test
|
||||
# coverage by enabling tests that would otherwise be disabled due to using
|
||||
@ -237,6 +228,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_datadir}/aclocal/libcurl.m4
|
||||
|
||||
%changelog
|
||||
* Wed Jun 17 2015 Kamil Dudka <kdudka@redhat.com> 7.43.0-1
|
||||
- new upstream release (fixes CVE-2015-3236 and CVE-2015-3237)
|
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.42.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user