From bb4d7d8d9f2ce34d3dded9b96eaf800e38b92434 Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Tue, 27 Jun 2023 19:42:23 +0200 Subject: [PATCH] Resolves: CVE-2023-28321 - fix host name wildcard checking --- 0031-curl-7.76.1-CVE-2023-28321.patch | 304 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 309 insertions(+) create mode 100644 0031-curl-7.76.1-CVE-2023-28321.patch diff --git a/0031-curl-7.76.1-CVE-2023-28321.patch b/0031-curl-7.76.1-CVE-2023-28321.patch new file mode 100644 index 0000000..b306e91 --- /dev/null +++ b/0031-curl-7.76.1-CVE-2023-28321.patch @@ -0,0 +1,304 @@ +From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 24 Apr 2023 21:07:02 +0200 +Subject: [PATCH] hostcheck: fix host name wildcard checking + +The leftmost "label" of the host name can now only match against single +'*'. Like the browsers have worked for a long time. + +- extended unit test 1397 for this +- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc + +Reported-by: Hiroki Kurosawa +Closes #11018 +--- + lib/hostcheck.c | 50 +++++++-------- + tests/data/test1397 | 10 ++- + tests/unit/Makefile.am | 94 ---------------------------- + tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++ + tests/unit/unit1397.c | 134 ++++++++++++++++++++++++---------------- + 5 files changed, 202 insertions(+), 180 deletions(-) + +diff --git a/lib/hostcheck.c b/lib/hostcheck.c +index e827dc58f378c..d061c6356f97f 100644 +--- a/lib/hostcheck.c ++++ b/lib/hostcheck.c +@@ -43,6 +43,17 @@ + /* The last #include file should be: */ + #include "memdebug.h" + ++/* check the two input strings with given length, but do not ++ assume they end in nul-bytes */ ++static int pmatch(const char *hostname, size_t hostlen, ++ const char *pattern, size_t patternlen) ++{ ++ if(hostlen != patternlen) ++ return CURL_HOST_NOMATCH; ++ return strncasecompare(hostname, pattern, hostlen) ? ++ CURL_HOST_MATCH : CURL_HOST_NOMATCH; ++} ++ + /* + * Match a hostname against a wildcard pattern. + * E.g. +@@ -65,26 +76,27 @@ + + static int hostmatch(char *hostname, char *pattern) + { +- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; +- int wildcard_enabled; +- size_t prefixlen, suffixlen; ++ size_t hostlen, patternlen; ++ const char *pattern_label_end; + struct in_addr ignored; + #ifdef ENABLE_IPV6 + struct sockaddr_in6 si6; + #endif + ++ DEBUGASSERT(pattern); ++ DEBUGASSERT(hostname); ++ ++ hostlen = strlen(hostname); ++ patternlen = strlen(pattern); ++ + /* normalize pattern and hostname by stripping off trailing dots */ +- size_t len = strlen(hostname); +- if(hostname[len-1]=='.') +- hostname[len-1] = 0; +- len = strlen(pattern); +- if(pattern[len-1]=='.') +- pattern[len-1] = 0; +- +- pattern_wildcard = strchr(pattern, '*'); +- if(pattern_wildcard == NULL) +- return strcasecompare(pattern, hostname) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; ++ if(hostname[hostlen-1]=='.') ++ hostname[hostlen-1] = 0; ++ if(pattern[patternlen-1]=='.') ++ pattern[patternlen-1] = 0; ++ ++ if(strncmp(pattern, "*.", 2)) ++ return pmatch(hostname, hostlen, pattern, patternlen); + + /* detect IP address as hostname and fail the match if so */ + if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) +@@ -96,34 +108,20 @@ static int hostmatch(char *hostname, char *pattern) + + /* We require at least 2 dots in pattern to avoid too wide wildcard + match. */ +- wildcard_enabled = 1; + pattern_label_end = strchr(pattern, '.'); +- if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL || +- pattern_wildcard > pattern_label_end || +- strncasecompare(pattern, "xn--", 4)) { +- wildcard_enabled = 0; ++ if(pattern_label_end == NULL || ++ (strrchr(pattern, '.') == pattern_label_end)) ++ return pmatch(pattern, patternlen, hostname, hostlen); ++ ++ const char *hostname_label_end = strchr(hostname, '.'); ++ if(hostname_label_end != NULL) { ++ size_t skiphost = hostname_label_end - hostname; ++ size_t skiplen = pattern_label_end - pattern; ++ return pmatch(hostname_label_end, hostlen - skiphost, ++ pattern_label_end, patternlen - skiplen); + } +- if(!wildcard_enabled) +- return strcasecompare(pattern, hostname) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; +- +- hostname_label_end = strchr(hostname, '.'); +- if(hostname_label_end == NULL || +- !strcasecompare(pattern_label_end, hostname_label_end)) +- return CURL_HOST_NOMATCH; + +- /* The wildcard must match at least one character, so the left-most +- label of the hostname is at least as large as the left-most label +- of the pattern. */ +- if(hostname_label_end - hostname < pattern_label_end - pattern) +- return CURL_HOST_NOMATCH; +- +- prefixlen = pattern_wildcard - pattern; +- suffixlen = pattern_label_end - (pattern_wildcard + 1); +- return strncasecompare(pattern, hostname, prefixlen) && +- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen, +- suffixlen) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; ++ return CURL_HOST_NOMATCH; + } + + int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) +diff --git a/tests/data/test1397 b/tests/data/test1397 +index 84f962abebee3..f31b2c2a3f330 100644 +--- a/tests/data/test1397 ++++ b/tests/data/test1397 +@@ -2,8 +2,7 @@ + + + unittest +-ssl +-wildcard ++Curl_cert_hostcheck + + + +@@ -15,9 +14,9 @@ none + + unittest + +- +-Check wildcard certificate matching function Curl_cert_hostcheck +- ++ ++Curl_cert_hostcheck unit tests ++ + + + +diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c +index 2f3d3aa4d09e1..3ae75618d5d10 100644 +--- a/tests/unit/unit1397.c ++++ b/tests/unit/unit1397.c +@@ -21,8 +21,6 @@ + ***************************************************************************/ + #include "curlcheck.h" + +-#include "hostcheck.h" /* from the lib dir */ +- + static CURLcode unit_setup(void) + { + return CURLE_OK; +@@ -30,50 +28,93 @@ static CURLcode unit_setup(void) + + static void unit_stop(void) + { +- /* done before shutting down and exiting */ + } + +-UNITTEST_START +- + /* only these backends define the tested functions */ +-#if defined(USE_OPENSSL) || defined(USE_GSKIT) +- +- /* here you start doing things and checking that the results are good */ ++#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL) ++#include "hostcheck.h" ++struct testcase { ++ const char *host; ++ const char *pattern; ++ bool match; ++}; + +-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"), +- "good 1"); +-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"), +- "good 2"); +-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"), +- "good 3"); +-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"), +- "good 4"); +-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"), +- "good 5"); +- +-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1"); +-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2"); +-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3"); +-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4"); +-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5"); +-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6"); +-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7"); +-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8"); +-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9"); +-fail_if(Curl_cert_hostcheck("", "www"), "bad 10"); +-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11"); +-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12"); +-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13"); +- +-#ifdef ENABLE_IPV6 +-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619", +- "fe80::3285:a9ff:fe46:b619"), "bad 14"); +-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619", +- "fe80::3285:a9ff:fe46:b619"), "good 6"); +-#endif ++static struct testcase tests[] = { ++ {"", "", FALSE}, ++ {"a", "", FALSE}, ++ {"", "b", FALSE}, ++ {"a", "b", FALSE}, ++ {"aa", "bb", FALSE}, ++ {"\xff", "\xff", TRUE}, ++ {"aa.aa.aa", "aa.aa.bb", FALSE}, ++ {"aa.aa.aa", "aa.aa.aa", TRUE}, ++ {"aa.aa.aa", "*.aa.bb", FALSE}, ++ {"aa.aa.aa", "*.aa.aa", TRUE}, ++ {"192.168.0.1", "192.168.0.1", TRUE}, ++ {"192.168.0.1", "*.168.0.1", FALSE}, ++ {"192.168.0.1", "*.0.1", FALSE}, ++ {"h.ello", "*.ello", FALSE}, ++ {"h.ello.", "*.ello", FALSE}, ++ {"h.ello", "*.ello.", FALSE}, ++ {"h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo", " *.e.llo", FALSE}, ++ {" h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo", TRUE}, ++ {"*.e.llo.", "*.e.llo", TRUE}, ++ {"************.e.llo.", "*.e.llo", TRUE}, ++ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ++ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" ++ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" ++ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" ++ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" ++ ".e.llo.", "*.e.llo", TRUE}, ++ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo.", TRUE}, ++ {"h.e.llo", "*.e.llo.", TRUE}, ++ {".h.e.llo", "*.e.llo.", FALSE}, ++ {"h.e.llo", "*.*.llo.", FALSE}, ++ {"h.e.llo", "h.*.llo", FALSE}, ++ {"h.e.llo", "h.e.*", FALSE}, ++ {"hello", "*.ello", FALSE}, ++ {"hello", "**llo", FALSE}, ++ {"bar.foo.example.com", "*.example.com", FALSE}, ++ {"foo.example.com", "*.example.com", TRUE}, ++ {"baz.example.net", "b*z.example.net", FALSE}, ++ {"foobaz.example.net", "*baz.example.net", FALSE}, ++ {"xn--l8j.example.local", "x*.example.local", FALSE}, ++ {"xn--l8j.example.net", "*.example.net", TRUE}, ++ {"xn--l8j.example.net", "*j.example.net", FALSE}, ++ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE}, ++ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE}, ++ {"xl8j.example.net", "*.example.net", TRUE}, ++ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE}, ++ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE}, ++ {NULL, NULL, FALSE} ++}; + +-#endif ++UNITTEST_START ++{ ++ int i; ++ for(i = 0; tests[i].host; i++) { ++ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern, ++ strlen(tests[i].pattern), ++ tests[i].host, ++ strlen(tests[i].host))) { ++ fprintf(stderr, ++ "HOST: %s\n" ++ "PTRN: %s\n" ++ "did %sMATCH\n", ++ tests[i].host, ++ tests[i].pattern, ++ tests[i].match ? "NOT ": ""); ++ unitfail++; ++ } ++ } ++} ++UNITTEST_STOP ++#else + +- /* you end the test code like this: */ ++UNITTEST_START + + UNITTEST_STOP ++#endif diff --git a/curl.spec b/curl.spec index 568c772..7d29f90 100644 --- a/curl.spec +++ b/curl.spec @@ -92,6 +92,9 @@ Patch29: 0029-curl-7.76.1-CVE-2023-27538.patch # unify the upload/method handling (CVE-2023-28322) Patch30: 0030-curl-7.76.1-CVE-2023-28322.patch +# fix host name wildcard checking +Patch31: 0031-curl-7.76.1-CVE-2023-28321.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -296,6 +299,7 @@ be installed. %patch28 -p1 %patch29 -p1 %patch30 -p1 +%patch31 -p1 # Fedora patches %patch101 -p1 @@ -523,6 +527,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Mon Jun 12 2023 Jacek Migacz - 7.76.1-26 - unify the upload/method handling (CVE-2023-28322) +- fix host name wildcard checking (CVE-2023-28321) * Wed Apr 12 2023 Kamil Dudka - 7.76.1-25 - adapt the fix of CVE-2023-27535 for RHEL 9 curl