new upstream release - 7.43.0 (fixes CVE-2015-3236 and CVE-2015-3237)

2015-06-17 15:48:15 +02:00 · 2015-06-17 15:48:15 +02:00 · 712c550596
commit 712c550596
parent a21f0d7f44
7 changed files with 14 additions and 195 deletions
--- a/0001-curl-7.42.1-b47c17d6.patch
+++ b/0001-curl-7.42.1-b47c17d6.patch
@ -1,150 +0,0 @@
 From e5b6de7f78806f82dee0c5359e18d904e56836c6 Mon Sep 17 00:00:00 2001
 From: Kamil Dudka <kdudka@redhat.com>
 Date: Wed, 25 Mar 2015 13:48:41 +0100
 Subject: [PATCH] nss: implement public key pinning for NSS backend
 Bug: https://bugzilla.redhat.com/1195771
 Upstream-commit: b47c17d67c9b5c9e985375b090f0140bf43cb146
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 docs/curl.1                                 |  3 +-
 docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 |  2 +-
 lib/vtls/nss.c                              | 53 +++++++++++++++++++++++++++++
 src/tool_help.c                             |  2 +-
 tests/runtests.pl                           |  1 +
 5 files changed, 58 insertions(+), 3 deletions(-)
 diff --git a/docs/curl.1 b/docs/curl.1
 index 908f648..0e56715 100644
 --- a/docs/curl.1
 +++ b/docs/curl.1
@@ -548,7 +548,8 @@ indicating its identity. A public key is extracted from this certificate and
 if it does not exactly match the public key provided to this option, curl will
 abort the connection before sending or receiving any data.
 -This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends.
 +This is currently only implemented in the OpenSSL, GnuTLS, NSS and GSKit
 +backends.
 If this option is used several times, the last one will be used.
 (Added in 7.39.0)
 diff --git a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
 index 2d86392..4cc68b1 100644
 --- a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
 +++ b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
@@ -52,7 +52,7 @@ if(curl) {
 .fi
 .SH AVAILABILITY
 If built TLS enabled. This is currently only implemented in the OpenSSL,
 -GnuTLS and GSKit backends.
 +GnuTLS, NSS and GSKit backends.
 Added in libcurl 7.39.0
 .SH RETURN VALUE
 diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
 index feb00ca..daf12a9 100644
 --- a/lib/vtls/nss.c
 +++ b/lib/vtls/nss.c
@@ -56,6 +56,7 @@
 #include <base64.h>
 #include <cert.h>
 #include <prerror.h>
 +#include <keyhi.h>        /* for SECKEY_DestroyPublicKey() */
 #define NSSVERNUM ((NSS_VMAJOR<<16)|(NSS_VMINOR<<8)|NSS_VPATCH)
@@ -943,6 +944,53 @@ static SECStatus check_issuer_cert(PRFileDesc *sock,
   return res;
 }
 +static CURLcode cmp_peer_pubkey(struct ssl_connect_data *connssl,
 +                                const char *pinnedpubkey)
 +{
 +  CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
 +  struct SessionHandle *data = connssl->data;
 +  CERTCertificate *cert;
 +
 +  if(!pinnedpubkey)
 +    /* no pinned public key specified */
 +    return CURLE_OK;
 +
 +  /* get peer certificate */
 +  cert = SSL_PeerCertificate(connssl->handle);
 +  if(cert) {
 +    /* extract public key from peer certificate */
 +    SECKEYPublicKey *pubkey = CERT_ExtractPublicKey(cert);
 +    if(pubkey) {
 +      /* encode the public key as DER */
 +      SECItem *cert_der = PK11_DEREncodePublicKey(pubkey);
 +      if(cert_der) {
 +        /* compare the public key with the pinned public key */
 +        result = Curl_pin_peer_pubkey(pinnedpubkey,
 +                                      cert_der->data,
 +                                      cert_der->len);
 +        SECITEM_FreeItem(cert_der, PR_TRUE);
 +      }
 +      SECKEY_DestroyPublicKey(pubkey);
 +    }
 +    CERT_DestroyCertificate(cert);
 +  }
 +
 +  /* report the resulting status */
 +  switch(result) {
 +  case CURLE_OK:
 +    infof(data, "pinned public key verified successfully!\n");
 +    break;
 +  case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
 +    failf(data, "failed to verify pinned public key");
 +    break;
 +  default:
 +    /* OOM, etc. */
 +    break;
 +  }
 +
 +  return result;
 +}
 +
 /**
  *
  * Callback to pick the SSL client certificate.
@@ -1806,6 +1854,11 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
     }
   }
 +  result = cmp_peer_pubkey(connssl, data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
 +  if(result)
 +    /* status already printed */
 +    goto error;
 +
   return CURLE_OK;
 error:
 diff --git a/src/tool_help.c b/src/tool_help.c
 index bb7aa7c..27638ef 100644
 --- a/src/tool_help.c
 +++ b/src/tool_help.c
@@ -156,7 +156,7 @@ static const char *const helptext[] = {
   "     --pass PASS     Pass phrase for the private key (SSL/SSH)",
   "     --path-as-is    Do not squash .. sequences in URL path",
   "     --pinnedpubkey FILE  Public key (PEM/DER) to verify peer against "
 -  "(OpenSSL/GnuTLS/GSKit only)",
 +  "(OpenSSL/GnuTLS/NSS/GSKit only)",
   "     --post301       "
   "Do not switch to GET after following a 301 redirect (H)",
   "     --post302       "
 diff --git a/tests/runtests.pl b/tests/runtests.pl
 index ef9d3c8..b64c423 100755
 --- a/tests/runtests.pl
 +++ b/tests/runtests.pl
@@ -2346,6 +2346,7 @@ sub checksystem {
            }
            elsif ($libcurl =~ /nss/i) {
                $has_nss=1;
 +               $has_sslpinning=1;
                $ssllib="NSS";
            }
            elsif ($libcurl =~ /(yassl|wolfssl)/i) {
 -- 
 2.3.5
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16068,18 +16068,11 @@ $as_echo "yes" >&6; }
+@@ -16075,18 +16075,11 @@ $as_echo "yes" >&6; }
     gccvhi=`echo $gccver | cut -d . -f1`
     gccvlo=`echo $gccver | cut -d . -f2`
     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
--- a/0108-curl-7.32.0-utf8.patch
+++ b/0108-curl-7.32.0-utf8.patch
@ -1,25 +0,0 @@
 From c6246783cf347652f70d95c0562dd411747e9d53 Mon Sep 17 00:00:00 2001
 From: Kamil Dudka <kdudka@redhat.com>
 Date: Wed, 31 Oct 2012 11:40:30 +0100
 Subject: [PATCH] Fix character encoding of docs
 ..., which are of mixed encoding originally so a simple iconv can't
 fix them.
 ---
 README |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
 diff --git a/README b/README
 index 2ffacc3..cfd6760 100644
 --- a/README
 +++ b/README
@@ -45,5 +45,5 @@ GIT
 NOTICE
   Curl contains pieces of source code that is Copyright (c) 1998, 1999
 -  Kungliga Tekniska Högskolan. This notice is included here to comply with the
 +  Kungliga Tekniska HÃ¶gskolan. This notice is included here to comply with the
   distribution terms.
 -- 
 1.7.1
--- a/curl-7.42.1.tar.lzma.asc
+++ b/curl-7.42.1.tar.lzma.asc
@ -1,7 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 iEYEABECAAYFAlVAdY8ACgkQeOEcayedXJEnugCeKbbLQ/LtJLXKFY4RI1pxERMo
 9dIAnRheh6V5PzOCo1CuzaAfyVM+5Xfj
 =kzMD
 -----END PGP SIGNATURE-----
--- a/curl-7.43.0.tar.lzma.asc
+++ b/curl-7.43.0.tar.lzma.asc
@ -0,0 +1,7 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 iEYEABECAAYFAlWBDEMACgkQeOEcayedXJEmEACfRhRhpQINTGbbdK2u/p97qMzq
 EBsAn1SxVVYoOudPZ0SOZ+10cau0b0sC
 =Zuc9
 -----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,15 +1,12 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.42.1
+Version: 7.43.0
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 Source2: curlbuild.h
 # implement public key pinning for NSS backend (#1195771)
 Patch1: 0001-curl-7.42.1-b47c17d6.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -22,10 +19,6 @@ Patch104: 0104-curl-7.19.7-localhost6.patch
 # work around valgrind bug (#678518)
 Patch107: 0107-curl-7.21.4-libidn-valgrind.patch
 # Fix character encoding of docs, which are of mixed encoding originally so
 # a simple iconv can't fix them
 Patch108: 0108-curl-7.32.0-utf8.patch
 Provides: webclient
 URL: http://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
@ -118,14 +111,12 @@ documentation of the library, too.
 %setup -q
 # upstream patches
 %patch1 -p1
 # Fedora patches
 %patch101 -p1
 %patch102 -p1
 %patch104 -p1
 %patch107 -p1
 %patch108 -p1
 # replace hard wired port numbers in the test suite (this only boosts test
 # coverage by enabling tests that would otherwise be disabled due to using
@ -237,6 +228,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 %changelog
 * Wed Jun 17 2015 Kamil Dudka <kdudka@redhat.com> 7.43.0-1
 - new upstream release (fixes CVE-2015-3236 and CVE-2015-3237)
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.42.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
--- a/2
+++ b/2
@ -1 +1 @@
-f1e460020a99da039b153e4bf0cd8600  curl-7.42.1.tar.lzma
+95df6d1ce9c970289d2997e603d6fd79  curl-7.43.0.tar.lzma
`@ -1 +1 @@`
	`f1e460020a99da039b153e4bf0cd8600 curl-7.42.1.tar.lzma`	`95df6d1ce9c970289d2997e603d6fd79 curl-7.43.0.tar.lzma`