From 2c28dfb93245f4b8657c26afd8c89ccb0e5e5ac6 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 19 Aug 2020 13:58:19 +0200 Subject: [PATCH 01/16] Resolves: CVE-2020-8231 - libcurl: wrong connect-only connection --- 0004-curl-7.71.1-CVE-2020-8231.patch | 281 +++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 289 insertions(+), 1 deletion(-) create mode 100644 0004-curl-7.71.1-CVE-2020-8231.patch diff --git a/0004-curl-7.71.1-CVE-2020-8231.patch b/0004-curl-7.71.1-CVE-2020-8231.patch new file mode 100644 index 0000000..1a09b84 --- /dev/null +++ b/0004-curl-7.71.1-CVE-2020-8231.patch @@ -0,0 +1,281 @@ +From 6830828c9eecd9ab14404f2f49f19b56dec62130 Mon Sep 17 00:00:00 2001 +From: Marc Aldorasi +Date: Thu, 30 Jul 2020 14:16:17 -0400 +Subject: [PATCH 1/2] multi_remove_handle: close unused connect-only + connections + +Previously any connect-only connections in a multi handle would be kept +alive until the multi handle was closed. Since these connections cannot +be re-used, they can be marked for closure when the associated easy +handle is removed from the multi handle. + +Closes #5749 + +Upstream-commit: d5bb459ccf1fc5980ae4b95c05b4ecf6454a7599 +Signed-off-by: Kamil Dudka +--- + lib/multi.c | 34 ++++++++++++++++++++++++++++++---- + tests/data/test1554 | 6 ++++++ + 2 files changed, 36 insertions(+), 4 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index 249e360..f1371bd 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -689,6 +689,26 @@ static CURLcode multi_done(struct Curl_easy *data, + return result; + } + ++static int close_connect_only(struct connectdata *conn, void *param) ++{ ++ struct Curl_easy *data = param; ++ ++ if(data->state.lastconnect != conn) ++ return 0; ++ ++ if(conn->data != data) ++ return 1; ++ conn->data = NULL; ++ ++ if(!conn->bits.connect_only) ++ return 1; ++ ++ connclose(conn, "Removing connect-only easy handle"); ++ conn->bits.connect_only = FALSE; ++ ++ return 1; ++} ++ + CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + struct Curl_easy *data) + { +@@ -776,10 +796,6 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + multi_done() as that may actually call Curl_expire that uses this */ + Curl_llist_destroy(&data->state.timeoutlist, NULL); + +- /* as this was using a shared connection cache we clear the pointer to that +- since we're not part of that multi handle anymore */ +- data->state.conn_cache = NULL; +- + /* change state without using multistate(), only to make singlesocket() do + what we want */ + data->mstate = CURLM_STATE_COMPLETED; +@@ -789,12 +805,22 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + /* Remove the association between the connection and the handle */ + Curl_detach_connnection(data); + ++ if(data->state.lastconnect) { ++ /* Mark any connect-only connection for closure */ ++ Curl_conncache_foreach(data, data->state.conn_cache, ++ data, &close_connect_only); ++ } ++ + #ifdef USE_LIBPSL + /* Remove the PSL association. */ + if(data->psl == &multi->psl) + data->psl = NULL; + #endif + ++ /* as this was using a shared connection cache we clear the pointer to that ++ since we're not part of that multi handle anymore */ ++ data->state.conn_cache = NULL; ++ + data->multi = NULL; /* clear the association to this multi handle */ + + /* make sure there's no pending message in the queue sent from this easy +diff --git a/tests/data/test1554 b/tests/data/test1554 +index d3926d9..fffa6ad 100644 +--- a/tests/data/test1554 ++++ b/tests/data/test1554 +@@ -50,6 +50,8 @@ run 1: foobar and so on fun! + <- Mutex unlock + -> Mutex lock + <- Mutex unlock ++-> Mutex lock ++<- Mutex unlock + run 1: foobar and so on fun! + -> Mutex lock + <- Mutex unlock +@@ -65,6 +67,8 @@ run 1: foobar and so on fun! + <- Mutex unlock + -> Mutex lock + <- Mutex unlock ++-> Mutex lock ++<- Mutex unlock + run 1: foobar and so on fun! + -> Mutex lock + <- Mutex unlock +@@ -74,6 +78,8 @@ run 1: foobar and so on fun! + <- Mutex unlock + -> Mutex lock + <- Mutex unlock ++-> Mutex lock ++<- Mutex unlock + + + +-- +2.25.4 + + +From 01148ee40dd913a169435b0f9ea90e6393821e70 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 16 Aug 2020 11:34:35 +0200 +Subject: [PATCH 2/2] Curl_easy: remember last connection by id, not by pointer + +CVE-2020-8231 + +Bug: https://curl.haxx.se/docs/CVE-2020-8231.html + +Reported-by: Marc Aldorasi +Closes #5824 + +Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22 +Signed-off-by: Kamil Dudka +--- + lib/connect.c | 19 ++++++++++--------- + lib/easy.c | 3 +-- + lib/multi.c | 9 +++++---- + lib/url.c | 2 +- + lib/urldata.h | 2 +- + 5 files changed, 18 insertions(+), 17 deletions(-) + +diff --git a/lib/connect.c b/lib/connect.c +index 29293f0..e1c5662 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -1363,15 +1363,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */ + } + + struct connfind { +- struct connectdata *tofind; +- bool found; ++ long id_tofind; ++ struct connectdata *found; + }; + + static int conn_is_conn(struct connectdata *conn, void *param) + { + struct connfind *f = (struct connfind *)param; +- if(conn == f->tofind) { +- f->found = TRUE; ++ if(conn->connection_id == f->id_tofind) { ++ f->found = conn; + return 1; + } + return 0; +@@ -1393,21 +1393,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data, + * - that is associated with a multi handle, and whose connection + * was detached with CURLOPT_CONNECT_ONLY + */ +- if(data->state.lastconnect && (data->multi_easy || data->multi)) { +- struct connectdata *c = data->state.lastconnect; ++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) { ++ struct connectdata *c; + struct connfind find; +- find.tofind = data->state.lastconnect; +- find.found = FALSE; ++ find.id_tofind = data->state.lastconnect_id; ++ find.found = NULL; + + Curl_conncache_foreach(data, data->multi_easy? + &data->multi_easy->conn_cache: + &data->multi->conn_cache, &find, conn_is_conn); + + if(!find.found) { +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + return CURL_SOCKET_BAD; + } + ++ c = find.found; + if(connp) { + /* only store this if the caller cares for it */ + *connp = c; +diff --git a/lib/easy.c b/lib/easy.c +index 292cca7..a69eb9e 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -838,8 +838,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + + /* the connection cache is setup on demand */ + outcurl->state.conn_cache = NULL; +- +- outcurl->state.lastconnect = NULL; ++ outcurl->state.lastconnect_id = -1; + + outcurl->progress.flags = data->progress.flags; + outcurl->progress.callback = data->progress.callback; +diff --git a/lib/multi.c b/lib/multi.c +index f1371bd..778c537 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -455,6 +455,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi, + data->state.conn_cache = &data->share->conn_cache; + else + data->state.conn_cache = &multi->conn_cache; ++ data->state.lastconnect_id = -1; + + #ifdef USE_LIBPSL + /* Do the same for PSL. */ +@@ -677,11 +678,11 @@ static CURLcode multi_done(struct Curl_easy *data, + CONNCACHE_UNLOCK(data); + if(Curl_conncache_return_conn(data, conn)) { + /* remember the most recently used connection */ +- data->state.lastconnect = conn; ++ data->state.lastconnect_id = conn->connection_id; + infof(data, "%s\n", buffer); + } + else +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + } + + Curl_safefree(data->state.buffer); +@@ -693,7 +694,7 @@ static int close_connect_only(struct connectdata *conn, void *param) + { + struct Curl_easy *data = param; + +- if(data->state.lastconnect != conn) ++ if(data->state.lastconnect_id != conn->connection_id) + return 0; + + if(conn->data != data) +@@ -805,7 +806,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + /* Remove the association between the connection and the handle */ + Curl_detach_connnection(data); + +- if(data->state.lastconnect) { ++ if(data->state.lastconnect_id != -1) { + /* Mark any connect-only connection for closure */ + Curl_conncache_foreach(data, data->state.conn_cache, + data, &close_connect_only); +diff --git a/lib/url.c b/lib/url.c +index a1a6b69..2919a3d 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -630,7 +630,7 @@ CURLcode Curl_open(struct Curl_easy **curl) + Curl_initinfo(data); + + /* most recent connection is not yet defined */ +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + + data->progress.flags |= PGRS_HIDE; + data->state.current_speed = -1; /* init to negative == impossible */ +diff --git a/lib/urldata.h b/lib/urldata.h +index f80a02d..6d8eb69 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1300,7 +1300,7 @@ struct UrlState { + /* buffers to store authentication data in, as parsed from input options */ + struct curltime keeps_speed; /* for the progress meter really */ + +- struct connectdata *lastconnect; /* The last connection, NULL if undefined */ ++ long lastconnect_id; /* The last connection, -1 if undefined */ + struct dynbuf headerb; /* buffer to store headers in */ + + char *buffer; /* download buffer */ +-- +2.25.4 + diff --git a/curl.spec b/curl.spec index dcde2a2..f2f9da7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -11,6 +11,9 @@ Patch1: 0001-curl-7.71.1-tool-krb-opt.patch # setopt: unset NOBODY switches to GET if still HEAD Patch2: 0002-curl-7.71.1-unset-nobody.patch +# libcurl: wrong connect-only connection (CVE-2020-8231) +Patch4: 0004-curl-7.71.1-CVE-2020-8231.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -180,6 +183,7 @@ be installed. # upstream patches %patch1 -p1 %patch2 -p1 +%patch4 -p1 # Fedora patches %patch101 -p1 @@ -358,6 +362,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 19 2020 Kamil Dudka - 7.71.1-6 +- libcurl: wrong connect-only connection (CVE-2020-8231) + * Thu Aug 06 2020 Kamil Dudka - 7.71.1-5 - setopt: unset NOBODY switches to GET if still HEAD From 5470570402ab57e866d3e3dc7d6b76103ed0fc10 Mon Sep 17 00:00:00 2001 From: Jinoh Kang Date: Thu, 10 Sep 2020 09:17:00 +0200 Subject: [PATCH 02/16] Resolves: #1877671O - fix multiarch conflicts in libcurl-minimal --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index f2f9da7..bc08952 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -166,7 +166,7 @@ Summary: Conservatively configured build of libcurl for minimal installations Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} -Conflicts: libcurl +Conflicts: libcurl%{?_isa} RemovePathPostfixes: .minimal # needed for RemovePathPostfixes to work with shared libraries %undefine __brp_ldconfig @@ -362,6 +362,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Sep 10 2020 Jinoh Kang - 7.71.1-7 +- fix multiarch conflicts in libcurl-minimal (#1877671O) + * Wed Aug 19 2020 Kamil Dudka - 7.71.1-6 - libcurl: wrong connect-only connection (CVE-2020-8231) From 89e3fb5767e1d64fed128b0aae46a3c24e77a438 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 20 Sep 2020 11:49:49 +0100 Subject: [PATCH 03/16] Fix bug reference in changelog --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index bc08952..9d70373 100644 --- a/curl.spec +++ b/curl.spec @@ -363,7 +363,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Sep 10 2020 Jinoh Kang - 7.71.1-7 -- fix multiarch conflicts in libcurl-minimal (#1877671O) +- fix multiarch conflicts in libcurl-minimal (#1877671) * Wed Aug 19 2020 Kamil Dudka - 7.71.1-6 - libcurl: wrong connect-only connection (CVE-2020-8231) From aa87f54d8705e19f914fe86030dffc8304e6b1b3 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 9 Dec 2020 11:41:07 +0100 Subject: [PATCH 04/16] Resolves: CVE-2020-8284 - curl: trusting FTP PASV responses --- 0005-curl-7.71.1-CVE-2020-8284.patch | 208 +++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 216 insertions(+), 1 deletion(-) create mode 100644 0005-curl-7.71.1-CVE-2020-8284.patch diff --git a/0005-curl-7.71.1-CVE-2020-8284.patch b/0005-curl-7.71.1-CVE-2020-8284.patch new file mode 100644 index 0000000..f5677e3 --- /dev/null +++ b/0005-curl-7.71.1-CVE-2020-8284.patch @@ -0,0 +1,208 @@ +From c7cc15980d50a51857de66b701b7762789139b46 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 24 Nov 2020 14:56:57 +0100 +Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default + +The command line tool also independently sets --ftp-skip-pasv-ip by +default. + +Ten test cases updated to adapt the modified --libcurl output. + +Bug: https://curl.se/docs/CVE-2020-8284.html +CVE-2020-8284 + +Reported-by: Varnavas Papaioannou + +Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46 +Signed-off-by: Kamil Dudka +--- + docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++ + docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++--- + lib/url.c | 1 + + src/tool_cfgable.c | 1 + + tests/data/test1400 | 1 + + tests/data/test1401 | 1 + + tests/data/test1402 | 1 + + tests/data/test1403 | 1 + + tests/data/test1404 | 1 + + tests/data/test1405 | 1 + + tests/data/test1406 | 1 + + tests/data/test1407 | 1 + + tests/data/test1420 | 1 + + 13 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d +index da6ab11..4be8b43 100644 +--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d ++++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d +@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl + will re-use the same IP address it already uses for the control + connection. + ++Since curl 7.74.0 this option is enabled by default. ++ + This option has no effect if PORT, EPRT or EPSV is used instead of PASV. +diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 +index e68d2e7..29bc672 100644 +--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 ++++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 +@@ -5,7 +5,7 @@ + .\" * | (__| |_| | _ <| |___ + .\" * \___|\___/|_| \_\_____| + .\" * +-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. ++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. + .\" * + .\" * This software is licensed as described in the file COPYING, which + .\" * you should have received as part of this distribution. The terms +@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port + number from the 227-response. + + This option thus allows libcurl to work around broken server installations +-that due to NATs, firewalls or incompetence report the wrong IP address back. ++that due to NATs, firewalls or incompetence report the wrong IP address ++back. Setting the option also reduces the risk for various sorts of client ++abuse by malicious servers. + + This option has no effect if PORT, EPRT or EPSV is used instead of PASV. + .SH DEFAULT +-0 ++1 since 7.74.0, was 0 before then. + .SH PROTOCOLS + FTP + .SH EXAMPLE +diff --git a/lib/url.c b/lib/url.c +index 2919a3d..41029d6 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -480,6 +480,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */ + set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */ + set->ftp_filemethod = FTPFILE_MULTICWD; ++ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */ + #endif + set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */ + +diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c +index 63bdeaa..22770c4 100644 +--- a/src/tool_cfgable.c ++++ b/src/tool_cfgable.c +@@ -44,6 +44,7 @@ void config_init(struct OperationConfig *config) + config->tcp_nodelay = TRUE; /* enabled by default */ + config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT; + config->http09_allowed = FALSE; ++ config->ftp_skip_ip = TRUE; + } + + static void free_config_fields(struct OperationConfig *config) +diff --git a/tests/data/test1400 b/tests/data/test1400 +index c0d409b..ade50d4 100644 +--- a/tests/data/test1400 ++++ b/tests/data/test1400 +@@ -76,6 +76,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1401 b/tests/data/test1401 +index ec3b25c..a2e9ef2 100644 +--- a/tests/data/test1401 ++++ b/tests/data/test1401 +@@ -90,6 +90,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip"); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE | + (long)CURLPROTO_FTP | +diff --git a/tests/data/test1402 b/tests/data/test1402 +index bf7eb7b..99d4b70 100644 +--- a/tests/data/test1402 ++++ b/tests/data/test1402 +@@ -81,6 +81,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1403 b/tests/data/test1403 +index 731d274..90f9b4e 100644 +--- a/tests/data/test1403 ++++ b/tests/data/test1403 +@@ -76,6 +76,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1404 b/tests/data/test1404 +index d3c66a9..d351c3e 100644 +--- a/tests/data/test1404 ++++ b/tests/data/test1404 +@@ -147,6 +147,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1405 b/tests/data/test1405 +index dcc8f80..d1ebb7c 100644 +--- a/tests/data/test1405 ++++ b/tests/data/test1405 +@@ -89,6 +89,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2); + curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1406 b/tests/data/test1406 +index 8803c84..31db82a 100644 +--- a/tests/data/test1406 ++++ b/tests/data/test1406 +@@ -79,6 +79,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406"); + curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com"); + curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1); +diff --git a/tests/data/test1407 b/tests/data/test1407 +index 917a5de..d329509 100644 +--- a/tests/data/test1407 ++++ b/tests/data/test1407 +@@ -62,6 +62,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L); + curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1420 b/tests/data/test1420 +index 03c4584..c1ba190 100644 +--- a/tests/data/test1420 ++++ b/tests/data/test1420 +@@ -67,6 +67,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1"); + curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +-- +2.26.2 + diff --git a/curl.spec b/curl.spec index 9d70373..71dd5b0 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -14,6 +14,9 @@ Patch2: 0002-curl-7.71.1-unset-nobody.patch # libcurl: wrong connect-only connection (CVE-2020-8231) Patch4: 0004-curl-7.71.1-CVE-2020-8231.patch +# curl: trusting FTP PASV responses (CVE-2020-8284) +Patch5: 0005-curl-7.71.1-CVE-2020-8284.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -184,6 +187,7 @@ be installed. %patch1 -p1 %patch2 -p1 %patch4 -p1 +%patch5 -p1 # Fedora patches %patch101 -p1 @@ -362,6 +366,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 09 2020 Kamil Dudka - 7.71.1-8 +- curl: trusting FTP PASV responses (CVE-2020-8284) + * Thu Sep 10 2020 Jinoh Kang - 7.71.1-7 - fix multiarch conflicts in libcurl-minimal (#1877671) From a52387704a3d469e38d108929b596838ecf79ac5 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 9 Dec 2020 11:42:53 +0100 Subject: [PATCH 05/16] Resolves: CVE-2020-8285 - libcurl: FTP wildcard stack overflow --- 0006-curl-7.71.1-CVE-2020-8285.patch | 1864 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 1869 insertions(+) create mode 100644 0006-curl-7.71.1-CVE-2020-8285.patch diff --git a/0006-curl-7.71.1-CVE-2020-8285.patch b/0006-curl-7.71.1-CVE-2020-8285.patch new file mode 100644 index 0000000..6bb47f7 --- /dev/null +++ b/0006-curl-7.71.1-CVE-2020-8285.patch @@ -0,0 +1,1864 @@ +From 95b64952b958215972a2e4e193b5104bc91b5927 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 23 Nov 2020 08:32:41 +0100 +Subject: [PATCH 1/2] urldata: remove 'void *protop' and create the union 'p' + +... to avoid the use of 'void *' for the protocol specific structs done +per transfer. + +Closes #6238 + +Upstream-commit: a95a6ce6b809693a1195e3b4347a6cfa0fbc2ee7 +Signed-off-by: Kamil Dudka +--- + docs/INTERNALS.md | 4 ++-- + lib/file.c | 14 ++++++------- + lib/ftp.c | 36 ++++++++++++++++----------------- + lib/http.c | 14 ++++++------- + lib/http2.c | 50 +++++++++++++++++++++++----------------------- + lib/http_proxy.c | 6 +++--- + lib/imap.c | 26 ++++++++++++------------ + lib/mqtt.c | 10 +++++----- + lib/openldap.c | 8 ++++---- + lib/pop3.c | 14 ++++++------- + lib/rtsp.c | 8 ++++---- + lib/smb.c | 20 +++++++++---------- + lib/smtp.c | 22 ++++++++++---------- + lib/telnet.c | 30 ++++++++++++++-------------- + lib/transfer.c | 8 ++++---- + lib/url.c | 2 +- + lib/urldata.h | 19 ++++++++++++++++-- + lib/vquic/ngtcp2.c | 24 +++++++++++----------- + lib/vquic/quiche.c | 10 +++++----- + lib/vssh/libssh.c | 10 +++++----- + lib/vssh/libssh2.c | 8 ++++---- + lib/vssh/wolfssh.c | 8 ++++---- + 22 files changed, 183 insertions(+), 168 deletions(-) + +diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md +index 635e7b2..ca8988e 100644 +--- a/docs/INTERNALS.md ++++ b/docs/INTERNALS.md +@@ -980,8 +980,8 @@ for older and later versions as things don't change drastically that often. + protocol specific data that then gets associated with that `Curl_easy` for + the rest of this transfer. It gets freed again at the end of the transfer. + It will be called before the `connectdata` for the transfer has been +- selected/created. Most protocols will allocate its private +- `struct [PROTOCOL]` here and assign `Curl_easy->req.protop` to point to it. ++ selected/created. Most protocols will allocate its private `struct ++ [PROTOCOL]` here and assign `Curl_easy->req.p.[protocol]` to it. + + `->connect_it` allows a protocol to do some specific actions after the TCP + connect is done, that can still be considered part of the connection phase. +diff --git a/lib/file.c b/lib/file.c +index cd3e49c..110e5c2 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -119,8 +119,8 @@ const struct Curl_handler Curl_handler_file = { + static CURLcode file_setup_connection(struct connectdata *conn) + { + /* allocate the FILE specific struct */ +- conn->data->req.protop = calloc(1, sizeof(struct FILEPROTO)); +- if(!conn->data->req.protop) ++ conn->data->req.p.file = calloc(1, sizeof(struct FILEPROTO)); ++ if(!conn->data->req.p.file) + return CURLE_OUT_OF_MEMORY; + + return CURLE_OK; +@@ -135,7 +135,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) + { + struct Curl_easy *data = conn->data; + char *real_path; +- struct FILEPROTO *file = data->req.protop; ++ struct FILEPROTO *file = data->req.p.file; + int fd; + #ifdef DOS_FILESYSTEM + size_t i; +@@ -209,7 +209,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) + static CURLcode file_done(struct connectdata *conn, + CURLcode status, bool premature) + { +- struct FILEPROTO *file = conn->data->req.protop; ++ struct FILEPROTO *file = conn->data->req.p.file; + (void)status; /* not used */ + (void)premature; /* not used */ + +@@ -227,7 +227,7 @@ static CURLcode file_done(struct connectdata *conn, + static CURLcode file_disconnect(struct connectdata *conn, + bool dead_connection) + { +- struct FILEPROTO *file = conn->data->req.protop; ++ struct FILEPROTO *file = conn->data->req.p.file; + (void)dead_connection; /* not used */ + + if(file) { +@@ -249,7 +249,7 @@ static CURLcode file_disconnect(struct connectdata *conn, + + static CURLcode file_upload(struct connectdata *conn) + { +- struct FILEPROTO *file = conn->data->req.protop; ++ struct FILEPROTO *file = conn->data->req.p.file; + const char *dir = strchr(file->path, DIRSEP); + int fd; + int mode; +@@ -391,7 +391,7 @@ static CURLcode file_do(struct connectdata *conn, bool *done) + if(data->set.upload) + return file_upload(conn); + +- file = conn->data->req.protop; ++ file = conn->data->req.p.file; + + /* get the fd from the connection phase */ + fd = file->fd; +diff --git a/lib/ftp.c b/lib/ftp.c +index 20351ff..5195b67 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1345,7 +1345,7 @@ static CURLcode ftp_state_use_pasv(struct connectdata *conn) + static CURLcode ftp_state_prepare_transfer(struct connectdata *conn) + { + CURLcode result = CURLE_OK; +- struct FTP *ftp = conn->data->req.protop; ++ struct FTP *ftp = conn->data->req.p.ftp; + struct Curl_easy *data = conn->data; + + if(ftp->transfer != FTPTRANSFER_BODY) { +@@ -1388,7 +1388,7 @@ static CURLcode ftp_state_prepare_transfer(struct connectdata *conn) + static CURLcode ftp_state_rest(struct connectdata *conn) + { + CURLcode result = CURLE_OK; +- struct FTP *ftp = conn->data->req.protop; ++ struct FTP *ftp = conn->data->req.p.ftp; + struct ftp_conn *ftpc = &conn->proto.ftpc; + + if((ftp->transfer != FTPTRANSFER_BODY) && ftpc->file) { +@@ -1409,7 +1409,7 @@ static CURLcode ftp_state_rest(struct connectdata *conn) + static CURLcode ftp_state_size(struct connectdata *conn) + { + CURLcode result = CURLE_OK; +- struct FTP *ftp = conn->data->req.protop; ++ struct FTP *ftp = conn->data->req.p.ftp; + struct ftp_conn *ftpc = &conn->proto.ftpc; + + if((ftp->transfer == FTPTRANSFER_INFO) && ftpc->file) { +@@ -1430,7 +1430,7 @@ static CURLcode ftp_state_list(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct FTP *ftp = data->req.protop; ++ struct FTP *ftp = data->req.p.ftp; + + /* If this output is to be machine-parsed, the NLST command might be better + to use, since the LIST command output is not specified or standard in any +@@ -1508,7 +1508,7 @@ static CURLcode ftp_state_stor_prequote(struct connectdata *conn) + static CURLcode ftp_state_type(struct connectdata *conn) + { + CURLcode result = CURLE_OK; +- struct FTP *ftp = conn->data->req.protop; ++ struct FTP *ftp = conn->data->req.p.ftp; + struct Curl_easy *data = conn->data; + struct ftp_conn *ftpc = &conn->proto.ftpc; + +@@ -1565,7 +1565,7 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn, + bool sizechecked) + { + CURLcode result = CURLE_OK; +- struct FTP *ftp = conn->data->req.protop; ++ struct FTP *ftp = conn->data->req.p.ftp; + struct Curl_easy *data = conn->data; + struct ftp_conn *ftpc = &conn->proto.ftpc; + +@@ -1664,7 +1664,7 @@ static CURLcode ftp_state_quote(struct connectdata *conn, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct FTP *ftp = data->req.protop; ++ struct FTP *ftp = data->req.p.ftp; + struct ftp_conn *ftpc = &conn->proto.ftpc; + bool quote = FALSE; + struct curl_slist *item; +@@ -2033,7 +2033,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct FTP *ftp = data->req.protop; ++ struct FTP *ftp = data->req.p.ftp; + struct ftp_conn *ftpc = &conn->proto.ftpc; + + switch(ftpcode) { +@@ -2166,7 +2166,7 @@ static CURLcode ftp_state_retr(struct connectdata *conn, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct FTP *ftp = data->req.protop; ++ struct FTP *ftp = data->req.p.ftp; + struct ftp_conn *ftpc = &conn->proto.ftpc; + + if(data->set.max_filesize && (filesize > data->set.max_filesize)) { +@@ -2378,7 +2378,7 @@ static CURLcode ftp_state_get_resp(struct connectdata *conn, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct FTP *ftp = data->req.protop; ++ struct FTP *ftp = data->req.p.ftp; + + if((ftpcode == 150) || (ftpcode == 125)) { + +@@ -3138,7 +3138,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, + bool premature) + { + struct Curl_easy *data = conn->data; +- struct FTP *ftp = data->req.protop; ++ struct FTP *ftp = data->req.p.ftp; + struct ftp_conn *ftpc = &conn->proto.ftpc; + struct pingpong *pp = &ftpc->pp; + ssize_t nread; +@@ -3492,7 +3492,7 @@ static CURLcode ftp_do_more(struct connectdata *conn, int *completep) + bool complete = FALSE; + + /* the ftp struct is inited in ftp_connect() */ +- struct FTP *ftp = data->req.protop; ++ struct FTP *ftp = data->req.p.ftp; + + /* if the second connection isn't done yet, wait for it */ + if(!conn->bits.tcpconnect[SECONDARYSOCKET]) { +@@ -3657,7 +3657,7 @@ CURLcode ftp_perform(struct connectdata *conn, + + if(conn->data->set.opt_no_body) { + /* requested no body means no transfer... */ +- struct FTP *ftp = conn->data->req.protop; ++ struct FTP *ftp = conn->data->req.p.ftp; + ftp->transfer = FTPTRANSFER_INFO; + } + +@@ -3692,7 +3692,7 @@ static void wc_data_dtor(void *ptr) + static CURLcode init_wc_data(struct connectdata *conn) + { + char *last_slash; +- struct FTP *ftp = conn->data->req.protop; ++ struct FTP *ftp = conn->data->req.p.ftp; + char *path = ftp->path; + struct WildcardData *wildcard = &(conn->data->wildcard); + CURLcode result = CURLE_OK; +@@ -3826,7 +3826,7 @@ static CURLcode wc_statemach(struct connectdata *conn) + /* filelist has at least one file, lets get first one */ + struct ftp_conn *ftpc = &conn->proto.ftpc; + struct curl_fileinfo *finfo = wildcard->filelist.head->ptr; +- struct FTP *ftp = conn->data->req.protop; ++ struct FTP *ftp = conn->data->req.p.ftp; + + char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename); + if(!tmp_path) +@@ -4099,7 +4099,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + { + struct Curl_easy *data = conn->data; + /* the ftp struct is already inited in ftp_connect() */ +- struct FTP *ftp = data->req.protop; ++ struct FTP *ftp = data->req.p.ftp; + struct ftp_conn *ftpc = &conn->proto.ftpc; + const char *slashPos = NULL; + const char *fileName = NULL; +@@ -4244,7 +4244,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + static CURLcode ftp_dophase_done(struct connectdata *conn, + bool connected) + { +- struct FTP *ftp = conn->data->req.protop; ++ struct FTP *ftp = conn->data->req.p.ftp; + struct ftp_conn *ftpc = &conn->proto.ftpc; + + if(connected) { +@@ -4341,7 +4341,7 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) + char *type; + struct FTP *ftp; + +- conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1); ++ conn->data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); + if(NULL == ftp) + return CURLE_OUT_OF_MEMORY; + +diff --git a/lib/http.c b/lib/http.c +index 28d66c2..8cf4b61 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -162,14 +162,14 @@ static CURLcode http_setup_conn(struct connectdata *conn) + during this request */ + struct HTTP *http; + struct Curl_easy *data = conn->data; +- DEBUGASSERT(data->req.protop == NULL); ++ DEBUGASSERT(data->req.p.http == NULL); + + http = calloc(1, sizeof(struct HTTP)); + if(!http) + return CURLE_OUT_OF_MEMORY; + + Curl_mime_initpart(&http->form, conn->data); +- data->req.protop = http; ++ data->req.p.http = http; + + if(data->set.httpversion == CURL_HTTP_VERSION_3) { + if(conn->handler->flags & PROTOPT_SSL) +@@ -425,7 +425,7 @@ static bool pickoneauth(struct auth *pick, unsigned long mask) + static CURLcode http_perhapsrewind(struct connectdata *conn) + { + struct Curl_easy *data = conn->data; +- struct HTTP *http = data->req.protop; ++ struct HTTP *http = data->req.p.http; + curl_off_t bytessent; + curl_off_t expectsend = -1; /* default is unknown */ + +@@ -1109,7 +1109,7 @@ static size_t readmoredata(char *buffer, + void *userp) + { + struct connectdata *conn = (struct connectdata *)userp; +- struct HTTP *http = conn->data->req.protop; ++ struct HTTP *http = conn->data->req.p.http; + size_t fullsize = size * nitems; + + if(!http->postsize) +@@ -1167,7 +1167,7 @@ CURLcode Curl_buffer_send(struct dynbuf *in, + char *ptr; + size_t size; + struct Curl_easy *data = conn->data; +- struct HTTP *http = data->req.protop; ++ struct HTTP *http = data->req.p.http; + size_t sendsize; + curl_socket_t sockfd; + size_t headersize; +@@ -1517,7 +1517,7 @@ CURLcode Curl_http_done(struct connectdata *conn, + CURLcode status, bool premature) + { + struct Curl_easy *data = conn->data; +- struct HTTP *http = data->req.protop; ++ struct HTTP *http = data->req.p.http; + + /* Clear multipass flag. If authentication isn't done yet, then it will get + * a chance to be set back to true when we output the next auth header */ +@@ -1978,7 +1978,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) + return result; + } + } +- http = data->req.protop; ++ http = data->req.p.http; + DEBUGASSERT(http); + + if(!data->state.this_is_a_follow) { +diff --git a/lib/http2.c b/lib/http2.c +index 6cf651f..4f3a5bf 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -257,7 +257,7 @@ static unsigned int http2_conncheck(struct connectdata *check, + /* called from http_setup_conn */ + void Curl_http2_setup_req(struct Curl_easy *data) + { +- struct HTTP *http = data->req.protop; ++ struct HTTP *http = data->req.p.http; + http->bodystarted = FALSE; + http->status_code = -1; + http->pausedata = NULL; +@@ -391,7 +391,7 @@ char *curl_pushheader_bynum(struct curl_pushheaders *h, size_t num) + if(!h || !GOOD_EASY_HANDLE(h->data)) + return NULL; + else { +- struct HTTP *stream = h->data->req.protop; ++ struct HTTP *stream = h->data->req.p.http; + if(num < stream->push_headers_used) + return stream->push_headers[num]; + } +@@ -413,7 +413,7 @@ char *curl_pushheader_byname(struct curl_pushheaders *h, const char *header) + !strcmp(header, ":") || strchr(header + 1, ':')) + return NULL; + else { +- struct HTTP *stream = h->data->req.protop; ++ struct HTTP *stream = h->data->req.p.http; + size_t len = strlen(header); + size_t i; + for(i = 0; ipush_headers_used; i++) { +@@ -460,7 +460,7 @@ static struct Curl_easy *duphandle(struct Curl_easy *data) + (void)Curl_close(&second); + } + else { +- second->req.protop = http; ++ second->req.p.http = http; + Curl_dyn_init(&http->header_recvbuf, DYN_H2_HEADERS); + Curl_http2_setup_req(second); + second->state.stream_weight = data->state.stream_weight; +@@ -537,7 +537,7 @@ static int push_promise(struct Curl_easy *data, + /* ask the application */ + H2BUGF(infof(data, "Got PUSH_PROMISE, ask application!\n")); + +- stream = data->req.protop; ++ stream = data->req.p.http; + if(!stream) { + failf(data, "Internal NULL stream!\n"); + (void)Curl_close(&newhandle); +@@ -564,13 +564,13 @@ static int push_promise(struct Curl_easy *data, + + if(rv) { + /* denied, kill off the new handle again */ +- http2_stream_free(newhandle->req.protop); +- newhandle->req.protop = NULL; ++ http2_stream_free(newhandle->req.p.http); ++ newhandle->req.p.http = NULL; + (void)Curl_close(&newhandle); + goto fail; + } + +- newstream = newhandle->req.protop; ++ newstream = newhandle->req.p.http; + newstream->stream_id = frame->promised_stream_id; + newhandle->req.maxdownload = -1; + newhandle->req.size = -1; +@@ -580,8 +580,8 @@ static int push_promise(struct Curl_easy *data, + rc = Curl_multi_add_perform(data->multi, newhandle, conn); + if(rc) { + infof(data, "failed to add handle to multi\n"); +- http2_stream_free(newhandle->req.protop); +- newhandle->req.protop = NULL; ++ http2_stream_free(newhandle->req.p.http); ++ newhandle->req.p.http = NULL; + Curl_close(&newhandle); + rv = 1; + goto fail; +@@ -663,7 +663,7 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame, + return 0; + } + +- stream = data_s->req.protop; ++ stream = data_s->req.p.http; + if(!stream) { + H2BUGF(infof(data_s, "No proto pointer for stream: %x\n", + stream_id)); +@@ -774,7 +774,7 @@ static int on_data_chunk_recv(nghttp2_session *session, uint8_t flags, + internal error more than anything else! */ + return NGHTTP2_ERR_CALLBACK_FAILURE; + +- stream = data_s->req.protop; ++ stream = data_s->req.p.http; + if(!stream) + return NGHTTP2_ERR_CALLBACK_FAILURE; + +@@ -840,7 +840,7 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id, + } + H2BUGF(infof(data_s, "on_stream_close(), %s (err %d), stream %u\n", + nghttp2_strerror(error_code), error_code, stream_id)); +- stream = data_s->req.protop; ++ stream = data_s->req.p.http; + if(!stream) + return NGHTTP2_ERR_CALLBACK_FAILURE; + +@@ -885,7 +885,7 @@ static int on_begin_headers(nghttp2_session *session, + return 0; + } + +- stream = data_s->req.protop; ++ stream = data_s->req.p.http; + if(!stream || !stream->bodystarted) { + return 0; + } +@@ -943,7 +943,7 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + internal error more than anything else! */ + return NGHTTP2_ERR_CALLBACK_FAILURE; + +- stream = data_s->req.protop; ++ stream = data_s->req.p.http; + if(!stream) { + failf(data_s, "Internal NULL stream! 5\n"); + return NGHTTP2_ERR_CALLBACK_FAILURE; +@@ -1098,7 +1098,7 @@ static ssize_t data_source_read_callback(nghttp2_session *session, + internal error more than anything else! */ + return NGHTTP2_ERR_CALLBACK_FAILURE; + +- stream = data_s->req.protop; ++ stream = data_s->req.p.http; + if(!stream) + return NGHTTP2_ERR_CALLBACK_FAILURE; + } +@@ -1159,7 +1159,7 @@ static void populate_settings(struct connectdata *conn, + + void Curl_http2_done(struct Curl_easy *data, bool premature) + { +- struct HTTP *http = data->req.protop; ++ struct HTTP *http = data->req.p.http; + struct http_conn *httpc = &data->conn->proto.httpc; + + /* there might be allocated resources done before this got the 'h2' pointer +@@ -1387,7 +1387,7 @@ CURLcode Curl_http2_done_sending(struct connectdata *conn) + (conn->handler == &Curl_handler_http2)) { + /* make sure this is only attempted for HTTP/2 transfers */ + +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + + struct http_conn *httpc = &conn->proto.httpc; + nghttp2_session *h2 = httpc->h2; +@@ -1486,7 +1486,7 @@ static void h2_pri_spec(struct Curl_easy *data, + nghttp2_priority_spec *pri_spec) + { + struct HTTP *depstream = (data->set.stream_depends_on? +- data->set.stream_depends_on->req.protop:NULL); ++ data->set.stream_depends_on->req.p.http:NULL); + int32_t depstream_id = depstream? depstream->stream_id:0; + nghttp2_priority_spec_init(pri_spec, depstream_id, data->set.stream_weight, + data->set.stream_depends_e); +@@ -1503,7 +1503,7 @@ static void h2_pri_spec(struct Curl_easy *data, + static int h2_session_send(struct Curl_easy *data, + nghttp2_session *h2) + { +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + if((data->set.stream_weight != data->state.stream_weight) || + (data->set.stream_depends_e != data->state.stream_depends_e) || + (data->set.stream_depends_on != data->state.stream_depends_on) ) { +@@ -1533,7 +1533,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex, + ssize_t nread; + struct http_conn *httpc = &conn->proto.httpc; + struct Curl_easy *data = conn->data; +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + + (void)sockindex; /* we always do HTTP2 on sockindex 0 */ + +@@ -1838,7 +1838,7 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, + */ + int rv; + struct http_conn *httpc = &conn->proto.httpc; +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + nghttp2_nv *nva = NULL; + size_t nheader; + size_t i; +@@ -2144,7 +2144,7 @@ CURLcode Curl_http2_setup(struct connectdata *conn) + { + CURLcode result; + struct http_conn *httpc = &conn->proto.httpc; +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + + DEBUGASSERT(conn->data->state.buffer); + +@@ -2198,7 +2198,7 @@ CURLcode Curl_http2_switched(struct connectdata *conn, + int rv; + ssize_t nproc; + struct Curl_easy *data = conn->data; +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + + result = Curl_http2_setup(conn); + if(result) +@@ -2318,7 +2318,7 @@ CURLcode Curl_http2_stream_pause(struct Curl_easy *data, bool pause) + return CURLE_OK; + #ifdef NGHTTP2_HAS_SET_LOCAL_WINDOW_SIZE + else { +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + struct http_conn *httpc = &data->conn->proto.httpc; + uint32_t window = !pause * HTTP2_HUGE_WINDOW_SIZE; + int rv = nghttp2_session_set_local_window_size(httpc->h2, +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index f188cbf..69aacb4 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -102,9 +102,9 @@ CURLcode Curl_proxy_connect(struct connectdata *conn, int sockindex) + * This function might be called several times in the multi interface case + * if the proxy's CONNECT response is not instant. + */ +- prot_save = conn->data->req.protop; ++ prot_save = conn->data->req.p.http; + memset(&http_proxy, 0, sizeof(http_proxy)); +- conn->data->req.protop = &http_proxy; ++ conn->data->req.p.http = &http_proxy; + connkeep(conn, "HTTP proxy CONNECT"); + + /* for the secondary socket (FTP), use the "connect to host" +@@ -125,7 +125,7 @@ CURLcode Curl_proxy_connect(struct connectdata *conn, int sockindex) + else + remote_port = conn->remote_port; + result = Curl_proxyCONNECT(conn, sockindex, hostname, remote_port); +- conn->data->req.protop = prot_save; ++ conn->data->req.p.http = prot_save; + if(CURLE_OK != result) + return result; + Curl_safefree(data->state.aptr.proxyuserpwd); +diff --git a/lib/imap.c b/lib/imap.c +index cad0e59..bda23a5 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -244,7 +244,7 @@ static bool imap_matchresp(const char *line, size_t len, const char *cmd) + static bool imap_endofresp(struct connectdata *conn, char *line, size_t len, + int *resp) + { +- struct IMAP *imap = conn->data->req.protop; ++ struct IMAP *imap = conn->data->req.p.imap; + struct imap_conn *imapc = &conn->proto.imapc; + const char *id = imapc->resptag; + size_t id_len = strlen(id); +@@ -605,7 +605,7 @@ static CURLcode imap_perform_list(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct IMAP *imap = data->req.protop; ++ struct IMAP *imap = data->req.p.imap; + + if(imap->custom) + /* Send the custom request */ +@@ -640,7 +640,7 @@ static CURLcode imap_perform_select(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct IMAP *imap = data->req.protop; ++ struct IMAP *imap = data->req.p.imap; + struct imap_conn *imapc = &conn->proto.imapc; + char *mailbox; + +@@ -679,7 +679,7 @@ static CURLcode imap_perform_select(struct connectdata *conn) + static CURLcode imap_perform_fetch(struct connectdata *conn) + { + CURLcode result = CURLE_OK; +- struct IMAP *imap = conn->data->req.protop; ++ struct IMAP *imap = conn->data->req.p.imap; + /* Check we have a UID */ + if(imap->uid) { + +@@ -727,7 +727,7 @@ static CURLcode imap_perform_append(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct IMAP *imap = data->req.protop; ++ struct IMAP *imap = data->req.p.imap; + char *mailbox; + + /* Check we have a mailbox */ +@@ -797,7 +797,7 @@ static CURLcode imap_perform_append(struct connectdata *conn) + static CURLcode imap_perform_search(struct connectdata *conn) + { + CURLcode result = CURLE_OK; +- struct IMAP *imap = conn->data->req.protop; ++ struct IMAP *imap = conn->data->req.p.imap; + + /* Check we have a query string */ + if(!imap->query) { +@@ -1051,7 +1051,7 @@ static CURLcode imap_state_select_resp(struct connectdata *conn, int imapcode, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct IMAP *imap = conn->data->req.protop; ++ struct IMAP *imap = conn->data->req.p.imap; + struct imap_conn *imapc = &conn->proto.imapc; + const char *line = data->state.buffer; + +@@ -1380,7 +1380,7 @@ static CURLcode imap_init(struct connectdata *conn) + struct Curl_easy *data = conn->data; + struct IMAP *imap; + +- imap = data->req.protop = calloc(sizeof(struct IMAP), 1); ++ imap = data->req.p.imap = calloc(sizeof(struct IMAP), 1); + if(!imap) + result = CURLE_OUT_OF_MEMORY; + +@@ -1457,7 +1457,7 @@ static CURLcode imap_done(struct connectdata *conn, CURLcode status, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct IMAP *imap = data->req.protop; ++ struct IMAP *imap = data->req.p.imap; + + (void)premature; + +@@ -1517,7 +1517,7 @@ static CURLcode imap_perform(struct connectdata *conn, bool *connected, + /* This is IMAP and no proxy */ + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct IMAP *imap = data->req.protop; ++ struct IMAP *imap = data->req.p.imap; + struct imap_conn *imapc = &conn->proto.imapc; + bool selected = FALSE; + +@@ -1640,7 +1640,7 @@ static CURLcode imap_disconnect(struct connectdata *conn, bool dead_connection) + /* Call this when the DO phase has completed */ + static CURLcode imap_dophase_done(struct connectdata *conn, bool connected) + { +- struct IMAP *imap = conn->data->req.protop; ++ struct IMAP *imap = conn->data->req.p.imap; + + (void)connected; + +@@ -1942,7 +1942,7 @@ static CURLcode imap_parse_url_path(struct connectdata *conn) + /* The imap struct is already initialised in imap_connect() */ + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct IMAP *imap = data->req.protop; ++ struct IMAP *imap = data->req.p.imap; + const char *begin = &data->state.up.path[1]; /* skip leading slash */ + const char *ptr = begin; + +@@ -2074,7 +2074,7 @@ static CURLcode imap_parse_custom_request(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct IMAP *imap = data->req.protop; ++ struct IMAP *imap = data->req.p.imap; + const char *custom = data->set.str[STRING_CUSTOMREQUEST]; + + if(custom) { +diff --git a/lib/mqtt.c b/lib/mqtt.c +index f6f4416..86b22b8 100644 +--- a/lib/mqtt.c ++++ b/lib/mqtt.c +@@ -95,12 +95,12 @@ static CURLcode mqtt_setup_conn(struct connectdata *conn) + during this request */ + struct MQTT *mq; + struct Curl_easy *data = conn->data; +- DEBUGASSERT(data->req.protop == NULL); ++ DEBUGASSERT(data->req.p.mqtt == NULL); + + mq = calloc(1, sizeof(struct MQTT)); + if(!mq) + return CURLE_OUT_OF_MEMORY; +- data->req.protop = mq; ++ data->req.p.mqtt = mq; + return CURLE_OK; + } + +@@ -110,7 +110,7 @@ static CURLcode mqtt_send(struct connectdata *conn, + CURLcode result = CURLE_OK; + curl_socket_t sockfd = conn->sock[FIRSTSOCKET]; + struct Curl_easy *data = conn->data; +- struct MQTT *mq = data->req.protop; ++ struct MQTT *mq = data->req.p.mqtt; + ssize_t n; + result = Curl_write(conn, sockfd, buf, len, &n); + if(!result && data->set.verbose) +@@ -426,7 +426,7 @@ static CURLcode mqtt_read_publish(struct connectdata *conn, + unsigned char *pkt = (unsigned char *)data->state.buffer; + size_t remlen; + struct mqtt_conn *mqtt = &conn->proto.mqtt; +- struct MQTT *mq = data->req.protop; ++ struct MQTT *mq = data->req.p.mqtt; + unsigned char packet; + + switch(mqtt->state) { +@@ -533,7 +533,7 @@ static CURLcode mqtt_doing(struct connectdata *conn, bool *done) + CURLcode result = CURLE_OK; + struct mqtt_conn *mqtt = &conn->proto.mqtt; + struct Curl_easy *data = conn->data; +- struct MQTT *mq = data->req.protop; ++ struct MQTT *mq = data->req.p.mqtt; + ssize_t nread; + curl_socket_t sockfd = conn->sock[FIRSTSOCKET]; + unsigned char *pkt = (unsigned char *)data->state.buffer; +diff --git a/lib/openldap.c b/lib/openldap.c +index 782d6a0..c955df6 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -410,7 +410,7 @@ static CURLcode ldap_do(struct connectdata *conn, bool *done) + if(!lr) + return CURLE_OUT_OF_MEMORY; + lr->msgid = msgid; +- data->req.protop = lr; ++ data->req.p.ldap = lr; + Curl_setup_transfer(data, FIRSTSOCKET, -1, FALSE, -1); + *done = TRUE; + return CURLE_OK; +@@ -419,7 +419,7 @@ static CURLcode ldap_do(struct connectdata *conn, bool *done) + static CURLcode ldap_done(struct connectdata *conn, CURLcode res, + bool premature) + { +- struct ldapreqinfo *lr = conn->data->req.protop; ++ struct ldapreqinfo *lr = conn->data->req.p.ldap; + + (void)res; + (void)premature; +@@ -431,7 +431,7 @@ static CURLcode ldap_done(struct connectdata *conn, CURLcode res, + ldap_abandon_ext(li->ld, lr->msgid, NULL, NULL); + lr->msgid = 0; + } +- conn->data->req.protop = NULL; ++ conn->data->req.p.ldap = NULL; + free(lr); + } + +@@ -443,7 +443,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf, + { + struct ldapconninfo *li = conn->proto.ldapc; + struct Curl_easy *data = conn->data; +- struct ldapreqinfo *lr = data->req.protop; ++ struct ldapreqinfo *lr = data->req.p.ldap; + int rc, ret; + LDAPMessage *msg = NULL; + LDAPMessage *ent; +diff --git a/lib/pop3.c b/lib/pop3.c +index 9ff5c78..04cc887 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -551,7 +551,7 @@ static CURLcode pop3_perform_command(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct POP3 *pop3 = data->req.protop; ++ struct POP3 *pop3 = data->req.p.pop3; + const char *command = NULL; + + /* Calculate the default command */ +@@ -884,7 +884,7 @@ static CURLcode pop3_state_command_resp(struct connectdata *conn, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct POP3 *pop3 = data->req.protop; ++ struct POP3 *pop3 = data->req.p.pop3; + struct pop3_conn *pop3c = &conn->proto.pop3c; + struct pingpong *pp = &pop3c->pp; + +@@ -1046,7 +1046,7 @@ static CURLcode pop3_init(struct connectdata *conn) + struct Curl_easy *data = conn->data; + struct POP3 *pop3; + +- pop3 = data->req.protop = calloc(sizeof(struct POP3), 1); ++ pop3 = data->req.p.pop3 = calloc(sizeof(struct POP3), 1); + if(!pop3) + result = CURLE_OUT_OF_MEMORY; + +@@ -1120,7 +1120,7 @@ static CURLcode pop3_done(struct connectdata *conn, CURLcode status, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct POP3 *pop3 = data->req.protop; ++ struct POP3 *pop3 = data->req.p.pop3; + + (void)premature; + +@@ -1154,7 +1154,7 @@ static CURLcode pop3_perform(struct connectdata *conn, bool *connected, + { + /* This is POP3 and no proxy */ + CURLcode result = CURLE_OK; +- struct POP3 *pop3 = conn->data->req.protop; ++ struct POP3 *pop3 = conn->data->req.p.pop3; + + DEBUGF(infof(conn->data, "DO phase starts\n")); + +@@ -1386,7 +1386,7 @@ static CURLcode pop3_parse_url_path(struct connectdata *conn) + { + /* The POP3 struct is already initialised in pop3_connect() */ + struct Curl_easy *data = conn->data; +- struct POP3 *pop3 = data->req.protop; ++ struct POP3 *pop3 = data->req.p.pop3; + const char *path = &data->state.up.path[1]; /* skip leading path */ + + /* URL decode the path for the message ID */ +@@ -1403,7 +1403,7 @@ static CURLcode pop3_parse_custom_request(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct POP3 *pop3 = data->req.protop; ++ struct POP3 *pop3 = data->req.p.pop3; + const char *custom = data->set.str[STRING_CUSTOMREQUEST]; + + /* URL decode the custom request */ +diff --git a/lib/rtsp.c b/lib/rtsp.c +index dbd7dc6..29e6d58 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -114,7 +114,7 @@ static CURLcode rtsp_setup_connection(struct connectdata *conn) + { + struct RTSP *rtsp; + +- conn->data->req.protop = rtsp = calloc(1, sizeof(struct RTSP)); ++ conn->data->req.p.rtsp = rtsp = calloc(1, sizeof(struct RTSP)); + if(!rtsp) + return CURLE_OUT_OF_MEMORY; + +@@ -199,7 +199,7 @@ static CURLcode rtsp_done(struct connectdata *conn, + CURLcode status, bool premature) + { + struct Curl_easy *data = conn->data; +- struct RTSP *rtsp = data->req.protop; ++ struct RTSP *rtsp = data->req.p.rtsp; + CURLcode httpStatus; + + /* Bypass HTTP empty-reply checks on receive */ +@@ -232,7 +232,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done) + struct Curl_easy *data = conn->data; + CURLcode result = CURLE_OK; + Curl_RtspReq rtspreq = data->set.rtspreq; +- struct RTSP *rtsp = data->req.protop; ++ struct RTSP *rtsp = data->req.p.rtsp; + struct dynbuf req_buffer; + curl_off_t postsize = 0; /* for ANNOUNCE and SET_PARAMETER */ + curl_off_t putsize = 0; /* for ANNOUNCE and SET_PARAMETER */ +@@ -764,7 +764,7 @@ CURLcode Curl_rtsp_parseheader(struct connectdata *conn, + /* Store the received CSeq. Match is verified in rtsp_done */ + int nc = sscanf(&header[4], ": %ld", &CSeq); + if(nc == 1) { +- struct RTSP *rtsp = data->req.protop; ++ struct RTSP *rtsp = data->req.p.rtsp; + rtsp->CSeq_recv = CSeq; /* mark the request */ + data->state.rtsp_CSeq_recv = CSeq; /* update the handle */ + } +diff --git a/lib/smb.c b/lib/smb.c +index d493adc..9eba7ab 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -204,7 +204,7 @@ static void conn_state(struct connectdata *conn, enum smb_conn_state newstate) + static void request_state(struct connectdata *conn, + enum smb_req_state newstate) + { +- struct smb_request *req = conn->data->req.protop; ++ struct smb_request *req = conn->data->req.p.smb; + #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) + /* For debug purposes */ + static const char * const names[] = { +@@ -234,7 +234,7 @@ static CURLcode smb_setup_connection(struct connectdata *conn) + struct smb_request *req; + + /* Initialize the request state */ +- conn->data->req.protop = req = calloc(1, sizeof(struct smb_request)); ++ conn->data->req.p.smb = req = calloc(1, sizeof(struct smb_request)); + if(!req) + return CURLE_OUT_OF_MEMORY; + +@@ -342,7 +342,7 @@ static void smb_format_message(struct connectdata *conn, struct smb_header *h, + unsigned char cmd, size_t len) + { + struct smb_conn *smbc = &conn->proto.smbc; +- struct smb_request *req = conn->data->req.protop; ++ struct smb_request *req = conn->data->req.p.smb; + unsigned int pid; + + memset(h, 0, sizeof(*h)); +@@ -505,7 +505,7 @@ static CURLcode smb_send_tree_connect(struct connectdata *conn) + + static CURLcode smb_send_open(struct connectdata *conn) + { +- struct smb_request *req = conn->data->req.protop; ++ struct smb_request *req = conn->data->req.p.smb; + struct smb_nt_create msg; + size_t byte_count; + +@@ -535,7 +535,7 @@ static CURLcode smb_send_open(struct connectdata *conn) + + static CURLcode smb_send_close(struct connectdata *conn) + { +- struct smb_request *req = conn->data->req.protop; ++ struct smb_request *req = conn->data->req.p.smb; + struct smb_close msg; + + memset(&msg, 0, sizeof(msg)); +@@ -556,7 +556,7 @@ static CURLcode smb_send_tree_disconnect(struct connectdata *conn) + + static CURLcode smb_send_read(struct connectdata *conn) + { +- struct smb_request *req = conn->data->req.protop; ++ struct smb_request *req = conn->data->req.p.smb; + curl_off_t offset = conn->data->req.offset; + struct smb_read msg; + +@@ -575,7 +575,7 @@ static CURLcode smb_send_read(struct connectdata *conn) + static CURLcode smb_send_write(struct connectdata *conn) + { + struct smb_write *msg; +- struct smb_request *req = conn->data->req.protop; ++ struct smb_request *req = conn->data->req.p.smb; + curl_off_t offset = conn->data->req.offset; + curl_off_t upload_size = conn->data->req.size - conn->data->req.bytecount; + CURLcode result = Curl_get_upload_buffer(conn->data); +@@ -738,7 +738,7 @@ static void get_posix_time(time_t *out, curl_off_t timestamp) + + static CURLcode smb_request_state(struct connectdata *conn, bool *done) + { +- struct smb_request *req = conn->data->req.protop; ++ struct smb_request *req = conn->data->req.p.smb; + struct smb_header *h; + struct smb_conn *smbc = &conn->proto.smbc; + enum smb_req_state next_state = SMB_DONE; +@@ -923,7 +923,7 @@ static CURLcode smb_done(struct connectdata *conn, CURLcode status, + bool premature) + { + (void) premature; +- Curl_safefree(conn->data->req.protop); ++ Curl_safefree(conn->data->req.p.smb); + return status; + } + +@@ -957,7 +957,7 @@ static CURLcode smb_do(struct connectdata *conn, bool *done) + static CURLcode smb_parse_url_path(struct connectdata *conn) + { + struct Curl_easy *data = conn->data; +- struct smb_request *req = data->req.protop; ++ struct smb_request *req = data->req.p.smb; + struct smb_conn *smbc = &conn->proto.smbc; + char *path; + char *slash; +diff --git a/lib/smtp.c b/lib/smtp.c +index 685513b..e4f91c2 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -484,7 +484,7 @@ static CURLcode smtp_perform_command(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct SMTP *smtp = data->req.protop; ++ struct SMTP *smtp = data->req.p.smtp; + + if(smtp->rcpt) { + /* We notify the server we are sending UTF-8 data if a) it supports the +@@ -697,7 +697,7 @@ static CURLcode smtp_perform_mail(struct connectdata *conn) + any there do, as we need to correctly identify our support for SMTPUTF8 + in the envelope, as per RFC-6531 sect. 3.4 */ + if(conn->proto.smtpc.utf8_supported && !utf8) { +- struct SMTP *smtp = data->req.protop; ++ struct SMTP *smtp = data->req.p.smtp; + struct curl_slist *rcpt = smtp->rcpt; + + while(rcpt && !utf8) { +@@ -741,7 +741,7 @@ static CURLcode smtp_perform_rcpt_to(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct SMTP *smtp = data->req.protop; ++ struct SMTP *smtp = data->req.p.smtp; + char *address = NULL; + struct hostname host = { NULL, NULL, NULL, NULL }; + +@@ -989,7 +989,7 @@ static CURLcode smtp_state_command_resp(struct connectdata *conn, int smtpcode, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct SMTP *smtp = data->req.protop; ++ struct SMTP *smtp = data->req.p.smtp; + char *line = data->state.buffer; + size_t len = strlen(line); + +@@ -1055,7 +1055,7 @@ static CURLcode smtp_state_rcpt_resp(struct connectdata *conn, int smtpcode, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct SMTP *smtp = data->req.protop; ++ struct SMTP *smtp = data->req.p.smtp; + bool is_smtp_err = FALSE; + bool is_smtp_blocking_err = FALSE; + +@@ -1278,7 +1278,7 @@ static CURLcode smtp_init(struct connectdata *conn) + struct Curl_easy *data = conn->data; + struct SMTP *smtp; + +- smtp = data->req.protop = calloc(sizeof(struct SMTP), 1); ++ smtp = data->req.p.smtp = calloc(sizeof(struct SMTP), 1); + if(!smtp) + result = CURLE_OUT_OF_MEMORY; + +@@ -1356,7 +1356,7 @@ static CURLcode smtp_done(struct connectdata *conn, CURLcode status, + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct SMTP *smtp = data->req.protop; ++ struct SMTP *smtp = data->req.p.smtp; + struct pingpong *pp = &conn->proto.smtpc.pp; + char *eob; + ssize_t len; +@@ -1442,7 +1442,7 @@ static CURLcode smtp_perform(struct connectdata *conn, bool *connected, + /* This is SMTP and no proxy */ + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct SMTP *smtp = data->req.protop; ++ struct SMTP *smtp = data->req.p.smtp; + + DEBUGF(infof(conn->data, "DO phase starts\n")); + +@@ -1550,7 +1550,7 @@ static CURLcode smtp_disconnect(struct connectdata *conn, bool dead_connection) + /* Call this when the DO phase has completed */ + static CURLcode smtp_dophase_done(struct connectdata *conn, bool connected) + { +- struct SMTP *smtp = conn->data->req.protop; ++ struct SMTP *smtp = conn->data->req.p.smtp; + + (void)connected; + +@@ -1703,7 +1703,7 @@ static CURLcode smtp_parse_custom_request(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct SMTP *smtp = data->req.protop; ++ struct SMTP *smtp = data->req.p.smtp; + const char *custom = data->set.str[STRING_CUSTOMREQUEST]; + + /* URL decode the custom request */ +@@ -1794,7 +1794,7 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread) + ssize_t i; + ssize_t si; + struct Curl_easy *data = conn->data; +- struct SMTP *smtp = data->req.protop; ++ struct SMTP *smtp = data->req.p.smtp; + char *scratch = data->state.scratch; + char *newscratch = NULL; + char *oldscratch = NULL; +diff --git a/lib/telnet.c b/lib/telnet.c +index c3b58e5..1fc5af1 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -247,7 +247,7 @@ CURLcode init_telnet(struct connectdata *conn) + if(!tn) + return CURLE_OUT_OF_MEMORY; + +- conn->data->req.protop = tn; /* make us known */ ++ conn->data->req.p.telnet = tn; /* make us known */ + + tn->telrcv_state = CURL_TS_DATA; + +@@ -292,7 +292,7 @@ CURLcode init_telnet(struct connectdata *conn) + static void negotiate(struct connectdata *conn) + { + int i; +- struct TELNET *tn = (struct TELNET *) conn->data->req.protop; ++ struct TELNET *tn = (struct TELNET *) conn->data->req.p.telnet; + + for(i = 0; i < CURL_NTELOPTS; i++) { + if(i == CURL_TELOPT_ECHO) +@@ -365,7 +365,7 @@ static void send_negotiation(struct connectdata *conn, int cmd, int option) + static + void set_remote_option(struct connectdata *conn, int option, int newstate) + { +- struct TELNET *tn = (struct TELNET *)conn->data->req.protop; ++ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet; + if(newstate == CURL_YES) { + switch(tn->him[option]) { + case CURL_NO: +@@ -439,7 +439,7 @@ void set_remote_option(struct connectdata *conn, int option, int newstate) + static + void rec_will(struct connectdata *conn, int option) + { +- struct TELNET *tn = (struct TELNET *)conn->data->req.protop; ++ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet; + switch(tn->him[option]) { + case CURL_NO: + if(tn->him_preferred[option] == CURL_YES) { +@@ -487,7 +487,7 @@ void rec_will(struct connectdata *conn, int option) + static + void rec_wont(struct connectdata *conn, int option) + { +- struct TELNET *tn = (struct TELNET *)conn->data->req.protop; ++ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet; + switch(tn->him[option]) { + case CURL_NO: + /* Already disabled */ +@@ -529,7 +529,7 @@ void rec_wont(struct connectdata *conn, int option) + static void + set_local_option(struct connectdata *conn, int option, int newstate) + { +- struct TELNET *tn = (struct TELNET *)conn->data->req.protop; ++ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet; + if(newstate == CURL_YES) { + switch(tn->us[option]) { + case CURL_NO: +@@ -603,7 +603,7 @@ set_local_option(struct connectdata *conn, int option, int newstate) + static + void rec_do(struct connectdata *conn, int option) + { +- struct TELNET *tn = (struct TELNET *)conn->data->req.protop; ++ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet; + switch(tn->us[option]) { + case CURL_NO: + if(tn->us_preferred[option] == CURL_YES) { +@@ -663,7 +663,7 @@ void rec_do(struct connectdata *conn, int option) + static + void rec_dont(struct connectdata *conn, int option) + { +- struct TELNET *tn = (struct TELNET *)conn->data->req.protop; ++ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet; + switch(tn->us[option]) { + case CURL_NO: + /* Already disabled */ +@@ -822,7 +822,7 @@ static CURLcode check_telnet_options(struct connectdata *conn) + char option_keyword[128] = ""; + char option_arg[256] = ""; + struct Curl_easy *data = conn->data; +- struct TELNET *tn = (struct TELNET *)conn->data->req.protop; ++ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet; + CURLcode result = CURLE_OK; + int binary_option; + +@@ -929,7 +929,7 @@ static void suboption(struct connectdata *conn) + char varname[128] = ""; + char varval[128] = ""; + struct Curl_easy *data = conn->data; +- struct TELNET *tn = (struct TELNET *)data->req.protop; ++ struct TELNET *tn = (struct TELNET *)data->req.p.telnet; + + printsub(data, '<', (unsigned char *)tn->subbuffer, CURL_SB_LEN(tn) + 2); + switch(CURL_SB_GET(tn)) { +@@ -1004,7 +1004,7 @@ static void sendsuboption(struct connectdata *conn, int option) + unsigned char *uc1, *uc2; + + struct Curl_easy *data = conn->data; +- struct TELNET *tn = (struct TELNET *)data->req.protop; ++ struct TELNET *tn = (struct TELNET *)data->req.p.telnet; + + switch(option) { + case CURL_TELOPT_NAWS: +@@ -1062,7 +1062,7 @@ CURLcode telrcv(struct connectdata *conn, + int in = 0; + int startwrite = -1; + struct Curl_easy *data = conn->data; +- struct TELNET *tn = (struct TELNET *)data->req.protop; ++ struct TELNET *tn = (struct TELNET *)data->req.p.telnet; + + #define startskipping() \ + if(startwrite >= 0) { \ +@@ -1280,7 +1280,7 @@ static CURLcode send_telnet_data(struct connectdata *conn, + static CURLcode telnet_done(struct connectdata *conn, + CURLcode status, bool premature) + { +- struct TELNET *tn = (struct TELNET *)conn->data->req.protop; ++ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet; + (void)status; /* unused */ + (void)premature; /* not used */ + +@@ -1290,7 +1290,7 @@ static CURLcode telnet_done(struct connectdata *conn, + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; + +- Curl_safefree(conn->data->req.protop); ++ Curl_safefree(conn->data->req.p.telnet); + + return CURLE_OK; + } +@@ -1333,7 +1333,7 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done) + if(result) + return result; + +- tn = (struct TELNET *)data->req.protop; ++ tn = data->req.p.telnet; + + result = check_telnet_options(conn); + if(result) +diff --git a/lib/transfer.c b/lib/transfer.c +index 133a478..44104ab 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -167,7 +167,7 @@ CURLcode Curl_fillreadbuffer(struct connectdata *conn, size_t bytes, + bool sending_http_headers = FALSE; + + if(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)) { +- const struct HTTP *http = data->req.protop; ++ const struct HTTP *http = data->req.p.http; + + if(http->sending == HTTPSEND_REQUEST) + /* We're sending the HTTP request headers, not the data. +@@ -426,7 +426,7 @@ CURLcode Curl_readrewind(struct connectdata *conn) + CURLOPT_HTTPPOST, call app to rewind + */ + if(conn->handler->protocol & PROTO_FAMILY_HTTP) { +- struct HTTP *http = data->req.protop; ++ struct HTTP *http = data->req.p.http; + + if(http->sendit) + mimepart = http->sendit; +@@ -1024,7 +1024,7 @@ static CURLcode readwrite_upload(struct Curl_easy *data, + /* HTTP pollution, this should be written nicer to become more + protocol agnostic. */ + size_t fillcount; +- struct HTTP *http = k->protop; ++ struct HTTP *http = k->p.http; + + if((k->exp100 == EXP100_SENDING_REQUEST) && + (http->sending == HTTPSEND_BODY)) { +@@ -1846,7 +1846,7 @@ Curl_setup_transfer( + { + struct SingleRequest *k = &data->req; + struct connectdata *conn = data->conn; +- struct HTTP *http = data->req.protop; ++ struct HTTP *http = data->req.p.http; + bool httpsending = ((conn->handler->protocol&PROTO_FAMILY_HTTP) && + (http->sending == HTTPSEND_REQUEST)); + DEBUGASSERT(conn != NULL); +diff --git a/lib/url.c b/lib/url.c +index 41029d6..307b66e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2060,7 +2060,7 @@ static CURLcode setup_connection_internals(struct connectdata *conn) + + void Curl_free_request_state(struct Curl_easy *data) + { +- Curl_safefree(data->req.protop); ++ Curl_safefree(data->req.p.http); + Curl_safefree(data->req.newurl); + + #ifndef CURL_DISABLE_DOH +diff --git a/lib/urldata.h b/lib/urldata.h +index 6d8eb69..df9d998 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -645,8 +645,23 @@ struct SingleRequest { + and the 'upload_present' contains the number of bytes available at this + position */ + char *upload_fromhere; +- void *protop; /* Allocated protocol-specific data. Each protocol +- handler makes sure this points to data it needs. */ ++ ++ /* Allocated protocol-specific data. Each protocol handler makes sure this ++ points to data it needs. */ ++ union { ++ struct FILEPROTO *file; ++ struct FTP *ftp; ++ struct HTTP *http; ++ struct IMAP *imap; ++ struct ldapreqinfo *ldap; ++ struct MQTT *mqtt; ++ struct POP3 *pop3; ++ struct RTSP *rtsp; ++ struct smb_request *smb; ++ struct SMTP *smtp; ++ struct SSHPROTO *ssh; ++ struct TELNET *telnet; ++ } p; + #ifndef CURL_DISABLE_DOH + struct dohdata doh; /* DoH specific data for this request */ + #endif +diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c +index d29cb37..117d667 100644 +--- a/lib/vquic/ngtcp2.c ++++ b/lib/vquic/ngtcp2.c +@@ -961,7 +961,7 @@ static int cb_h3_stream_close(nghttp3_conn *conn, int64_t stream_id, + void *stream_user_data) + { + struct Curl_easy *data = stream_user_data; +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + (void)conn; + (void)stream_id; + (void)app_error_code; +@@ -1007,7 +1007,7 @@ static int cb_h3_recv_data(nghttp3_conn *conn, int64_t stream_id, + void *user_data, void *stream_user_data) + { + struct Curl_easy *data = stream_user_data; +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + CURLcode result = CURLE_OK; + (void)conn; + +@@ -1066,7 +1066,7 @@ static int cb_h3_end_headers(nghttp3_conn *conn, int64_t stream_id, + void *user_data, void *stream_user_data) + { + struct Curl_easy *data = stream_user_data; +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + CURLcode result = CURLE_OK; + (void)conn; + (void)stream_id; +@@ -1090,7 +1090,7 @@ static int cb_h3_recv_header(nghttp3_conn *conn, int64_t stream_id, + nghttp3_vec h3name = nghttp3_rcbuf_get_buf(name); + nghttp3_vec h3val = nghttp3_rcbuf_get_buf(value); + struct Curl_easy *data = stream_user_data; +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + CURLcode result = CURLE_OK; + (void)conn; + (void)stream_id; +@@ -1254,7 +1254,7 @@ static ssize_t ngh3_stream_recv(struct connectdata *conn, + CURLcode *curlcode) + { + curl_socket_t sockfd = conn->sock[sockindex]; +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + struct quicsocket *qs = conn->quic; + + if(!stream->memlen) { +@@ -1312,7 +1312,7 @@ static int cb_h3_acked_stream_data(nghttp3_conn *conn, int64_t stream_id, + void *stream_user_data) + { + struct Curl_easy *data = stream_user_data; +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + (void)conn; + (void)stream_id; + (void)user_data; +@@ -1334,7 +1334,7 @@ static ssize_t cb_h3_readfunction(nghttp3_conn *conn, int64_t stream_id, + { + struct Curl_easy *data = stream_user_data; + size_t nread; +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + (void)conn; + (void)stream_id; + (void)user_data; +@@ -1397,7 +1397,7 @@ static ssize_t cb_h3_readfunction(nghttp3_conn *conn, int64_t stream_id, + static CURLcode http_request(struct connectdata *conn, const void *mem, + size_t len) + { +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + size_t nheader; + size_t i; + size_t authority_idx; +@@ -1640,7 +1640,7 @@ static ssize_t ngh3_stream_send(struct connectdata *conn, + ssize_t sent; + struct quicsocket *qs = conn->quic; + curl_socket_t sockfd = conn->sock[sockindex]; +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + + if(!stream->h3req) { + CURLcode result = http_request(conn, mem, len); +@@ -1908,7 +1908,7 @@ CURLcode Curl_quic_done_sending(struct connectdata *conn) + { + if(conn->handler == &Curl_handler_http3) { + /* only for HTTP/3 transfers */ +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + struct quicsocket *qs = conn->quic; + stream->upload_done = TRUE; + (void)nghttp3_conn_resume_stream(qs->h3conn, stream->stream3_id); +@@ -1925,7 +1925,7 @@ void Curl_quic_done(struct Curl_easy *data, bool premature) + (void)premature; + if(data->conn->handler == &Curl_handler_http3) { + /* only for HTTP/3 transfers */ +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + Curl_dyn_free(&stream->overflow); + } + } +@@ -1940,7 +1940,7 @@ bool Curl_quic_data_pending(const struct Curl_easy *data) + buffer and allocated an overflow buffer. Since it's possible that + there's no more data coming on the socket, we need to keep reading + until the overflow buffer is empty. */ +- const struct HTTP *stream = data->req.protop; ++ const struct HTTP *stream = data->req.p.http; + return Curl_dyn_len(&stream->overflow) > 0; + } + +diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c +index be6f15c..de9f72b 100644 +--- a/lib/vquic/quiche.c ++++ b/lib/vquic/quiche.c +@@ -125,7 +125,7 @@ static unsigned int quiche_conncheck(struct connectdata *conn, + + static CURLcode quiche_do(struct connectdata *conn, bool *done) + { +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + stream->h3req = FALSE; /* not sent */ + return Curl_http(conn, done); + } +@@ -454,7 +454,7 @@ static ssize_t h3_stream_recv(struct connectdata *conn, + int rc; + struct h3h1header headers; + struct Curl_easy *data = conn->data; +- struct HTTP *stream = data->req.protop; ++ struct HTTP *stream = data->req.p.http; + headers.dest = buf; + headers.destlen = buffersize; + headers.nlen = 0; +@@ -542,7 +542,7 @@ static ssize_t h3_stream_send(struct connectdata *conn, + ssize_t sent; + struct quicsocket *qs = conn->quic; + curl_socket_t sockfd = conn->sock[sockindex]; +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + + if(!stream->h3req) { + CURLcode result = http_request(conn, mem, len); +@@ -590,7 +590,7 @@ static CURLcode http_request(struct connectdata *conn, const void *mem, + { + /* + */ +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + size_t nheader; + size_t i; + size_t authority_idx; +@@ -818,7 +818,7 @@ CURLcode Curl_quic_done_sending(struct connectdata *conn) + if(conn->handler == &Curl_handler_http3) { + /* only for HTTP/3 transfers */ + ssize_t sent; +- struct HTTP *stream = conn->data->req.protop; ++ struct HTTP *stream = conn->data->req.p.http; + struct quicsocket *qs = conn->quic; + fprintf(stderr, "!!! Curl_quic_done_sending\n"); + stream->upload_done = TRUE; +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 8988e23..a84e1bf 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -662,7 +662,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct SSHPROTO *protop = data->req.protop; ++ struct SSHPROTO *protop = data->req.p.ssh; + struct ssh_conn *sshc = &conn->proto.sshc; + curl_socket_t sock = conn->sock[FIRSTSOCKET]; + int rc = SSH_NO_ERROR, err; +@@ -2129,7 +2129,7 @@ static CURLcode myssh_setup_connection(struct connectdata *conn) + { + struct SSHPROTO *ssh; + +- conn->data->req.protop = ssh = calloc(1, sizeof(struct SSHPROTO)); ++ conn->data->req.p.ssh = ssh = calloc(1, sizeof(struct SSHPROTO)); + if(!ssh) + return CURLE_OUT_OF_MEMORY; + +@@ -2152,7 +2152,7 @@ static CURLcode myssh_connect(struct connectdata *conn, bool *done) + int rc; + + /* initialize per-handle data if not already */ +- if(!data->req.protop) ++ if(!data->req.p.ssh) + myssh_setup_connection(conn); + + /* We default to persistent connections. We set this already in this connect +@@ -2353,7 +2353,7 @@ static CURLcode scp_disconnect(struct connectdata *conn, + static CURLcode myssh_done(struct connectdata *conn, CURLcode status) + { + CURLcode result = CURLE_OK; +- struct SSHPROTO *protop = conn->data->req.protop; ++ struct SSHPROTO *protop = conn->data->req.p.ssh; + + if(!status) { + /* run the state-machine */ +@@ -2606,7 +2606,7 @@ static void sftp_quote(struct connectdata *conn) + { + const char *cp; + struct Curl_easy *data = conn->data; +- struct SSHPROTO *protop = data->req.protop; ++ struct SSHPROTO *protop = data->req.p.ssh; + struct ssh_conn *sshc = &conn->proto.sshc; + CURLcode result; + +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index 555afc9..f55db93 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -789,7 +789,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block) + { + CURLcode result = CURLE_OK; + struct Curl_easy *data = conn->data; +- struct SSHPROTO *sftp_scp = data->req.protop; ++ struct SSHPROTO *sftp_scp = data->req.p.ssh; + struct ssh_conn *sshc = &conn->proto.sshc; + curl_socket_t sock = conn->sock[FIRSTSOCKET]; + int rc = LIBSSH2_ERROR_NONE; +@@ -2989,7 +2989,7 @@ static CURLcode ssh_setup_connection(struct connectdata *conn) + { + struct SSHPROTO *ssh; + +- conn->data->req.protop = ssh = calloc(1, sizeof(struct SSHPROTO)); ++ conn->data->req.p.ssh = ssh = calloc(1, sizeof(struct SSHPROTO)); + if(!ssh) + return CURLE_OUT_OF_MEMORY; + +@@ -3013,7 +3013,7 @@ static CURLcode ssh_connect(struct connectdata *conn, bool *done) + struct Curl_easy *data = conn->data; + + /* initialize per-handle data if not already */ +- if(!data->req.protop) ++ if(!data->req.p.ssh) + ssh_setup_connection(conn); + + /* We default to persistent connections. We set this already in this connect +@@ -3192,7 +3192,7 @@ static CURLcode scp_disconnect(struct connectdata *conn, bool dead_connection) + static CURLcode ssh_done(struct connectdata *conn, CURLcode status) + { + CURLcode result = CURLE_OK; +- struct SSHPROTO *sftp_scp = conn->data->req.protop; ++ struct SSHPROTO *sftp_scp = conn->data->req.p.ssh; + + if(!status) { + /* run the state-machine */ +diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c +index dcbbab6..1b990e3 100644 +--- a/lib/vssh/wolfssh.c ++++ b/lib/vssh/wolfssh.c +@@ -322,7 +322,7 @@ static CURLcode wssh_setup_connection(struct connectdata *conn) + { + struct SSHPROTO *ssh; + +- conn->data->req.protop = ssh = calloc(1, sizeof(struct SSHPROTO)); ++ conn->data->req.p.ssh = ssh = calloc(1, sizeof(struct SSHPROTO)); + if(!ssh) + return CURLE_OUT_OF_MEMORY; + +@@ -356,7 +356,7 @@ static CURLcode wssh_connect(struct connectdata *conn, bool *done) + int rc; + + /* initialize per-handle data if not already */ +- if(!data->req.protop) ++ if(!data->req.p.ssh) + wssh_setup_connection(conn); + + /* We default to persistent connections. We set this already in this connect +@@ -429,7 +429,7 @@ static CURLcode wssh_statemach_act(struct connectdata *conn, bool *block) + CURLcode result = CURLE_OK; + struct ssh_conn *sshc = &conn->proto.sshc; + struct Curl_easy *data = conn->data; +- struct SSHPROTO *sftp_scp = data->req.protop; ++ struct SSHPROTO *sftp_scp = data->req.p.ssh; + WS_SFTPNAME *name; + int rc = 0; + *block = FALSE; /* we're not blocking by default */ +@@ -1027,7 +1027,7 @@ static CURLcode wssh_block_statemach(struct connectdata *conn, + static CURLcode wssh_done(struct connectdata *conn, CURLcode status) + { + CURLcode result = CURLE_OK; +- struct SSHPROTO *sftp_scp = conn->data->req.protop; ++ struct SSHPROTO *sftp_scp = conn->data->req.p.ssh; + + if(!status) { + /* run the state-machine */ +-- +2.26.2 + + +From 1958c2008bbcde60e22bcd3bfc738c0dad70d71d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 28 Nov 2020 00:27:21 +0100 +Subject: [PATCH 2/2] ftp: make wc_statemach loop instead of recurse + +CVE-2020-8285 + +Fixes #6255 +Bug: https://curl.se/docs/CVE-2020-8285.html +Reported-by: xnynx on github + +Upstream-commit: 69a358f2186e04cf44698b5100332cbf1ee7f01d +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 202 +++++++++++++++++++++++++++--------------------------- + 1 file changed, 102 insertions(+), 100 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 5195b67..71c9642 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3784,129 +3784,131 @@ static CURLcode init_wc_data(struct connectdata *conn) + return result; + } + +-/* This is called recursively */ + static CURLcode wc_statemach(struct connectdata *conn) + { + struct WildcardData * const wildcard = &(conn->data->wildcard); + CURLcode result = CURLE_OK; + +- switch(wildcard->state) { +- case CURLWC_INIT: +- result = init_wc_data(conn); +- if(wildcard->state == CURLWC_CLEAN) +- /* only listing! */ +- break; +- wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING; +- break; ++ for(;;) { ++ switch(wildcard->state) { ++ case CURLWC_INIT: ++ result = init_wc_data(conn); ++ if(wildcard->state == CURLWC_CLEAN) ++ /* only listing! */ ++ return result; ++ wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING; ++ return result; + +- case CURLWC_MATCHING: { +- /* In this state is LIST response successfully parsed, so lets restore +- previous WRITEFUNCTION callback and WRITEDATA pointer */ +- struct ftp_wc *ftpwc = wildcard->protdata; +- conn->data->set.fwrite_func = ftpwc->backup.write_function; +- conn->data->set.out = ftpwc->backup.file_descriptor; +- ftpwc->backup.write_function = ZERO_NULL; +- ftpwc->backup.file_descriptor = NULL; +- wildcard->state = CURLWC_DOWNLOADING; +- +- if(Curl_ftp_parselist_geterror(ftpwc->parser)) { +- /* error found in LIST parsing */ +- wildcard->state = CURLWC_CLEAN; +- return wc_statemach(conn); +- } +- if(wildcard->filelist.size == 0) { +- /* no corresponding file */ +- wildcard->state = CURLWC_CLEAN; +- return CURLE_REMOTE_FILE_NOT_FOUND; ++ case CURLWC_MATCHING: { ++ /* In this state is LIST response successfully parsed, so lets restore ++ previous WRITEFUNCTION callback and WRITEDATA pointer */ ++ struct ftp_wc *ftpwc = wildcard->protdata; ++ conn->data->set.fwrite_func = ftpwc->backup.write_function; ++ conn->data->set.out = ftpwc->backup.file_descriptor; ++ ftpwc->backup.write_function = ZERO_NULL; ++ ftpwc->backup.file_descriptor = NULL; ++ wildcard->state = CURLWC_DOWNLOADING; ++ ++ if(Curl_ftp_parselist_geterror(ftpwc->parser)) { ++ /* error found in LIST parsing */ ++ wildcard->state = CURLWC_CLEAN; ++ continue; ++ } ++ if(wildcard->filelist.size == 0) { ++ /* no corresponding file */ ++ wildcard->state = CURLWC_CLEAN; ++ return CURLE_REMOTE_FILE_NOT_FOUND; ++ } ++ continue; + } +- return wc_statemach(conn); +- } + +- case CURLWC_DOWNLOADING: { +- /* filelist has at least one file, lets get first one */ +- struct ftp_conn *ftpc = &conn->proto.ftpc; +- struct curl_fileinfo *finfo = wildcard->filelist.head->ptr; +- struct FTP *ftp = conn->data->req.p.ftp; ++ case CURLWC_DOWNLOADING: { ++ /* filelist has at least one file, lets get first one */ ++ struct ftp_conn *ftpc = &conn->proto.ftpc; ++ struct curl_fileinfo *finfo = wildcard->filelist.head->ptr; ++ struct FTP *ftp = conn->data->req.p.ftp; + +- char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename); +- if(!tmp_path) +- return CURLE_OUT_OF_MEMORY; ++ char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename); ++ if(!tmp_path) ++ return CURLE_OUT_OF_MEMORY; + +- /* switch default ftp->path and tmp_path */ +- free(ftp->pathalloc); +- ftp->pathalloc = ftp->path = tmp_path; +- +- infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename); +- if(conn->data->set.chunk_bgn) { +- long userresponse; +- Curl_set_in_callback(conn->data, true); +- userresponse = conn->data->set.chunk_bgn( +- finfo, wildcard->customptr, (int)wildcard->filelist.size); +- Curl_set_in_callback(conn->data, false); +- switch(userresponse) { +- case CURL_CHUNK_BGN_FUNC_SKIP: +- infof(conn->data, "Wildcard - \"%s\" skipped by user\n", +- finfo->filename); +- wildcard->state = CURLWC_SKIP; +- return wc_statemach(conn); +- case CURL_CHUNK_BGN_FUNC_FAIL: +- return CURLE_CHUNK_FAILED; ++ /* switch default ftp->path and tmp_path */ ++ free(ftp->pathalloc); ++ ftp->pathalloc = ftp->path = tmp_path; ++ ++ infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename); ++ if(conn->data->set.chunk_bgn) { ++ long userresponse; ++ Curl_set_in_callback(conn->data, true); ++ userresponse = conn->data->set.chunk_bgn( ++ finfo, wildcard->customptr, (int)wildcard->filelist.size); ++ Curl_set_in_callback(conn->data, false); ++ switch(userresponse) { ++ case CURL_CHUNK_BGN_FUNC_SKIP: ++ infof(conn->data, "Wildcard - \"%s\" skipped by user\n", ++ finfo->filename); ++ wildcard->state = CURLWC_SKIP; ++ continue; ++ case CURL_CHUNK_BGN_FUNC_FAIL: ++ return CURLE_CHUNK_FAILED; ++ } + } +- } + +- if(finfo->filetype != CURLFILETYPE_FILE) { +- wildcard->state = CURLWC_SKIP; +- return wc_statemach(conn); +- } ++ if(finfo->filetype != CURLFILETYPE_FILE) { ++ wildcard->state = CURLWC_SKIP; ++ continue; ++ } + +- if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE) +- ftpc->known_filesize = finfo->size; ++ if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE) ++ ftpc->known_filesize = finfo->size; + +- result = ftp_parse_url_path(conn); +- if(result) +- return result; ++ result = ftp_parse_url_path(conn); ++ if(result) ++ return result; + +- /* we don't need the Curl_fileinfo of first file anymore */ +- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL); ++ /* we don't need the Curl_fileinfo of first file anymore */ ++ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL); + +- if(wildcard->filelist.size == 0) { /* remains only one file to down. */ +- wildcard->state = CURLWC_CLEAN; +- /* after that will be ftp_do called once again and no transfer +- will be done because of CURLWC_CLEAN state */ +- return CURLE_OK; ++ if(wildcard->filelist.size == 0) { /* remains only one file to down. */ ++ wildcard->state = CURLWC_CLEAN; ++ /* after that will be ftp_do called once again and no transfer ++ will be done because of CURLWC_CLEAN state */ ++ return CURLE_OK; ++ } ++ return result; + } +- } break; + +- case CURLWC_SKIP: { +- if(conn->data->set.chunk_end) { +- Curl_set_in_callback(conn->data, true); +- conn->data->set.chunk_end(conn->data->wildcard.customptr); +- Curl_set_in_callback(conn->data, false); ++ case CURLWC_SKIP: { ++ if(conn->data->set.chunk_end) { ++ Curl_set_in_callback(conn->data, true); ++ conn->data->set.chunk_end(conn->data->wildcard.customptr); ++ Curl_set_in_callback(conn->data, false); ++ } ++ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL); ++ wildcard->state = (wildcard->filelist.size == 0) ? ++ CURLWC_CLEAN : CURLWC_DOWNLOADING; ++ continue; + } +- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL); +- wildcard->state = (wildcard->filelist.size == 0) ? +- CURLWC_CLEAN : CURLWC_DOWNLOADING; +- return wc_statemach(conn); +- } + +- case CURLWC_CLEAN: { +- struct ftp_wc *ftpwc = wildcard->protdata; +- result = CURLE_OK; +- if(ftpwc) +- result = Curl_ftp_parselist_geterror(ftpwc->parser); ++ case CURLWC_CLEAN: { ++ struct ftp_wc *ftpwc = wildcard->protdata; ++ result = CURLE_OK; ++ if(ftpwc) ++ result = Curl_ftp_parselist_geterror(ftpwc->parser); + +- wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE; +- } break; ++ wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE; ++ return result; ++ } + +- case CURLWC_DONE: +- case CURLWC_ERROR: +- case CURLWC_CLEAR: +- if(wildcard->dtor) +- wildcard->dtor(wildcard->protdata); +- break; ++ case CURLWC_DONE: ++ case CURLWC_ERROR: ++ case CURLWC_CLEAR: ++ if(wildcard->dtor) ++ wildcard->dtor(wildcard->protdata); ++ return result; ++ } + } +- +- return result; ++ /* UNREACHABLE */ + } + + /*********************************************************************** +-- +2.26.2 + diff --git a/curl.spec b/curl.spec index 71dd5b0..1db4acf 100644 --- a/curl.spec +++ b/curl.spec @@ -17,6 +17,9 @@ Patch4: 0004-curl-7.71.1-CVE-2020-8231.patch # curl: trusting FTP PASV responses (CVE-2020-8284) Patch5: 0005-curl-7.71.1-CVE-2020-8284.patch +# libcurl: FTP wildcard stack overflow (CVE-2020-8285) +Patch6: 0006-curl-7.71.1-CVE-2020-8285.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -188,6 +191,7 @@ be installed. %patch2 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 # Fedora patches %patch101 -p1 @@ -367,6 +371,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Dec 09 2020 Kamil Dudka - 7.71.1-8 +- libcurl: FTP wildcard stack overflow (CVE-2020-8285) - curl: trusting FTP PASV responses (CVE-2020-8284) * Thu Sep 10 2020 Jinoh Kang - 7.71.1-7 From 4c39814d7c2ac0b7af1cfda2a29785b891572ce5 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 9 Dec 2020 11:44:01 +0100 Subject: [PATCH 06/16] Resolves: CVE-2020-8286 - curl: Inferior OCSP verification --- 0007-curl-7.71.1-CVE-2020-8286.patch | 129 +++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 134 insertions(+) create mode 100644 0007-curl-7.71.1-CVE-2020-8286.patch diff --git a/0007-curl-7.71.1-CVE-2020-8286.patch b/0007-curl-7.71.1-CVE-2020-8286.patch new file mode 100644 index 0000000..ecd9401 --- /dev/null +++ b/0007-curl-7.71.1-CVE-2020-8286.patch @@ -0,0 +1,129 @@ +From 2ad3b3d39e45a9eeaf6845f393928ef0095893e7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 2 Dec 2020 23:01:11 +0100 +Subject: [PATCH] openssl: make the OCSP verification verify the certificate id + +CVE-2020-8286 + +Reported by anonymous + +Bug: https://curl.se/docs/CVE-2020-8286.html + +Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199 +Signed-off-by: Kamil Dudka +--- + lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++---------------- + 1 file changed, 54 insertions(+), 29 deletions(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 2e9f900..5803fd1 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -1775,6 +1775,11 @@ static CURLcode verifystatus(struct connectdata *conn, + X509_STORE *st = NULL; + STACK_OF(X509) *ch = NULL; + struct ssl_backend_data *backend = connssl->backend; ++ X509 *cert; ++ OCSP_CERTID *id = NULL; ++ int cert_status, crl_reason; ++ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; ++ int ret; + + long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status); + +@@ -1843,43 +1848,63 @@ static CURLcode verifystatus(struct connectdata *conn, + goto end; + } + +- for(i = 0; i < OCSP_resp_count(br); i++) { +- int cert_status, crl_reason; +- OCSP_SINGLERESP *single = NULL; +- +- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; ++ /* Compute the certificate's ID */ ++ cert = SSL_get_peer_certificate(backend->handle); ++ if(!cert) { ++ failf(data, "Error getting peer certficate"); ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; ++ } + +- single = OCSP_resp_get0(br, i); +- if(!single) +- continue; ++ for(i = 0; i < sk_X509_num(ch); i++) { ++ X509 *issuer = sk_X509_value(ch, i); ++ if(X509_check_issued(issuer, cert) == X509_V_OK) { ++ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer); ++ break; ++ } ++ } ++ X509_free(cert); + +- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev, +- &thisupd, &nextupd); ++ if(!id) { ++ failf(data, "Error computing OCSP ID"); ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; ++ } + +- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) { +- failf(data, "OCSP response has expired"); +- result = CURLE_SSL_INVALIDCERTSTATUS; +- goto end; +- } ++ /* Find the single OCSP response corresponding to the certificate ID */ ++ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev, ++ &thisupd, &nextupd); ++ OCSP_CERTID_free(id); ++ if(ret != 1) { ++ failf(data, "Could not find certificate ID in OCSP response"); ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; ++ } + +- infof(data, "SSL certificate status: %s (%d)\n", +- OCSP_cert_status_str(cert_status), cert_status); ++ /* Validate the corresponding single OCSP response */ ++ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) { ++ failf(data, "OCSP response has expired"); ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; ++ } + +- switch(cert_status) { +- case V_OCSP_CERTSTATUS_GOOD: +- break; ++ infof(data, "SSL certificate status: %s (%d)\n", ++ OCSP_cert_status_str(cert_status), cert_status); + +- case V_OCSP_CERTSTATUS_REVOKED: +- result = CURLE_SSL_INVALIDCERTSTATUS; ++ switch(cert_status) { ++ case V_OCSP_CERTSTATUS_GOOD: ++ break; + +- failf(data, "SSL certificate revocation reason: %s (%d)", +- OCSP_crl_reason_str(crl_reason), crl_reason); +- goto end; ++ case V_OCSP_CERTSTATUS_REVOKED: ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ failf(data, "SSL certificate revocation reason: %s (%d)", ++ OCSP_crl_reason_str(crl_reason), crl_reason); ++ goto end; + +- case V_OCSP_CERTSTATUS_UNKNOWN: +- result = CURLE_SSL_INVALIDCERTSTATUS; +- goto end; +- } ++ case V_OCSP_CERTSTATUS_UNKNOWN: ++ default: ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; + } + + end: +-- +2.26.2 + diff --git a/curl.spec b/curl.spec index 1db4acf..abe720f 100644 --- a/curl.spec +++ b/curl.spec @@ -20,6 +20,9 @@ Patch5: 0005-curl-7.71.1-CVE-2020-8284.patch # libcurl: FTP wildcard stack overflow (CVE-2020-8285) Patch6: 0006-curl-7.71.1-CVE-2020-8285.patch +# curl: Inferior OCSP verification (CVE-2020-8286) +Patch7: 0007-curl-7.71.1-CVE-2020-8286.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -192,6 +195,7 @@ be installed. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 # Fedora patches %patch101 -p1 @@ -371,6 +375,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Dec 09 2020 Kamil Dudka - 7.71.1-8 +- curl: Inferior OCSP verification (CVE-2020-8286) - libcurl: FTP wildcard stack overflow (CVE-2020-8285) - curl: trusting FTP PASV responses (CVE-2020-8284) From 1ee2417a7599c6f18e5c9e92823e28d44dc8793f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 31 Mar 2021 16:00:34 +0200 Subject: [PATCH 07/16] Resolves: CVE-2021-22876 - prevent automatic referer from leaking credentials --- 0008-curl-7.71.1-CVE-2021-22876.patch | 64 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 0008-curl-7.71.1-CVE-2021-22876.patch diff --git a/0008-curl-7.71.1-CVE-2021-22876.patch b/0008-curl-7.71.1-CVE-2021-22876.patch new file mode 100644 index 0000000..b2c66aa --- /dev/null +++ b/0008-curl-7.71.1-CVE-2021-22876.patch @@ -0,0 +1,64 @@ +From 1c875f3e08124c32205a7d33b5c10256ff9352cc Mon Sep 17 00:00:00 2001 +From: Viktor Szakats +Date: Tue, 23 Feb 2021 14:54:46 +0100 +Subject: [PATCH] transfer: strip credentials from the auto-referer header + field + +Added test 2081 to verify. + +CVE-2021-22876 + +Bug: https://curl.se/docs/CVE-2021-22876.html + +Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c +Signed-off-by: Kamil Dudka +--- + lib/transfer.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 44104ab..3325a0e 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1582,6 +1582,9 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->set.followlocation++; /* count location-followers */ + + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the referer + when we get the next URL. We pick the ->url field, which may or may + not be 100% correct */ +@@ -1591,9 +1594,26 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->change.referer_alloc = FALSE; + } + +- data->change.referer = strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u = curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer == NULL) + return CURLE_OUT_OF_MEMORY; ++ data->change.referer = referer; + data->change.referer_alloc = TRUE; /* yes, free this later */ + } + } +-- +2.26.3 + diff --git a/curl.spec b/curl.spec index abe720f..6f7d9f7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 8%{?dist} +Release: 9%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -23,6 +23,9 @@ Patch6: 0006-curl-7.71.1-CVE-2020-8285.patch # curl: Inferior OCSP verification (CVE-2020-8286) Patch7: 0007-curl-7.71.1-CVE-2020-8286.patch +# prevent automatic referer from leaking credentials (CVE-2021-22876) +Patch8: 0008-curl-7.71.1-CVE-2021-22876.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -196,6 +199,7 @@ be installed. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 # Fedora patches %patch101 -p1 @@ -374,6 +378,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 31 2021 Kamil Dudka - 7.71.1-9 +- prevent automatic referer from leaking credentials (CVE-2021-22876) + * Wed Dec 09 2020 Kamil Dudka - 7.71.1-8 - curl: Inferior OCSP verification (CVE-2020-8286) - libcurl: FTP wildcard stack overflow (CVE-2020-8285) From 9aaddd4aa3ccccde469e1fceb3f0d21ffeaea4a2 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 31 Mar 2021 16:01:58 +0200 Subject: [PATCH 08/16] Resolves: CVE-2021-22890 - fix TLS 1.3 session ticket proxy host mixup --- 0009-curl-7.71.1-CVE-2021-22890.patch | 217 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 222 insertions(+) create mode 100644 0009-curl-7.71.1-CVE-2021-22890.patch diff --git a/0009-curl-7.71.1-CVE-2021-22890.patch b/0009-curl-7.71.1-CVE-2021-22890.patch new file mode 100644 index 0000000..2d2b874 --- /dev/null +++ b/0009-curl-7.71.1-CVE-2021-22890.patch @@ -0,0 +1,217 @@ +From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 19 Mar 2021 12:38:49 +0100 +Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() + +To make sure we set and extract the correct session. + +Reported-by: Mingtao Yang +Bug: https://curl.se/docs/CVE-2021-22890.html + +CVE-2021-22890 + +Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844 +Signed-off-by: Kamil Dudka +--- + lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++----------- + lib/vtls/vtls.c | 12 ++++++++--- + lib/vtls/vtls.h | 2 ++ + 3 files changed, 51 insertions(+), 15 deletions(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 5803fd1..16276f3 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -360,12 +360,23 @@ static int ossl_get_ssl_conn_index(void) + */ + static int ossl_get_ssl_sockindex_index(void) + { +- static int ssl_ex_data_sockindex_index = -1; +- if(ssl_ex_data_sockindex_index < 0) { +- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, +- NULL); ++ static int sockindex_index = -1; ++ if(sockindex_index < 0) { ++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } +- return ssl_ex_data_sockindex_index; ++ return sockindex_index; ++} ++ ++/* Return an extra data index for proxy boolean. ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). ++ */ ++static int ossl_get_proxy_index(void) ++{ ++ static int proxy_index = -1; ++ if(proxy_index < 0) { ++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ++ } ++ return proxy_index; + } + + static int passwd_callback(char *buf, int num, int encrypting, +@@ -1133,7 +1144,8 @@ static int Curl_ossl_init(void) + Curl_tls_keylog_open(); + + /* Initialize the extra data indexes */ +- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) ++ if(ossl_get_ssl_conn_index() < 0 || ++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) + return 0; + + return 1; +@@ -2425,8 +2437,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + curl_socket_t *sockindex_ptr; + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ bool isproxy; + +- if(connectdata_idx < 0 || sockindex_idx < 0) ++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) + return 0; + + conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); +@@ -2439,13 +2453,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); + sockindex = (int)(sockindex_ptr - conn->sock); + ++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; ++ + if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + void *old_ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, +- sockindex)); ++ if(isproxy) ++ incache = FALSE; ++ else ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); + if(incache) { + if(old_ssl_sessionid != ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -2455,7 +2474,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + } + + if(!incache) { +- if(!Curl_ssl_addsessionid(conn, ssl_sessionid, ++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, + 0 /* unknown size */, sockindex)) { + /* the session has been put into the session cache */ + res = 1; +@@ -3170,16 +3189,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + void *ssl_sessionid = NULL; + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); + +- if(connectdata_idx >= 0 && sockindex_idx >= 0) { ++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { + /* Store the data needed for the "new session" callback. + * The sockindex is stored as a pointer to an array element. */ + SSL_set_ex_data(backend->handle, connectdata_idx, conn); + SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++#endif ++ + } + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(backend->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(conn); +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index c3a55fb..e50fdd2 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -358,6 +358,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn) + * there's one suitable, it is provided. Returns TRUE when no entry matched. + */ + bool Curl_ssl_getsessionid(struct connectdata *conn, ++ const bool isProxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex) +@@ -369,7 +370,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, + bool no_match = TRUE; + + #ifndef CURL_DISABLE_PROXY +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? + &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -381,10 +381,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, + struct ssl_primary_config * const ssl_config = &conn->ssl_config; + const char * const name = conn->host.name; + int port = conn->remote_port; +- (void)sockindex; + #endif ++ (void)sockindex; + *ssl_sessionid = NULL; + ++#ifdef CURL_DISABLE_PROXY ++ if(isProxy) ++ return TRUE; ++#endif ++ + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + + if(!SSL_SET_OPTION(primary.sessionid)) +@@ -472,6 +477,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) + * later on. + */ + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, ++ bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex) +@@ -485,7 +491,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + int conn_to_port; + long *general_age; + #ifndef CURL_DISABLE_PROXY +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? + &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -498,6 +503,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + const char *hostname = conn->host.name; + (void)sockindex; + #endif ++ (void)sockindex; + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + + clone_host = strdup(hostname); +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index bcc8444..343cad0 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -203,6 +203,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn); + * under sessionid mutex). + */ + bool Curl_ssl_getsessionid(struct connectdata *conn, ++ const bool isproxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex); +@@ -212,6 +213,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, + * object with cache (e.g. incrementing refcount on success) + */ + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, ++ const bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex); +-- +2.26.3 + diff --git a/curl.spec b/curl.spec index 6f7d9f7..4565b2e 100644 --- a/curl.spec +++ b/curl.spec @@ -26,6 +26,9 @@ Patch7: 0007-curl-7.71.1-CVE-2020-8286.patch # prevent automatic referer from leaking credentials (CVE-2021-22876) Patch8: 0008-curl-7.71.1-CVE-2021-22876.patch +# fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890) +Patch9: 0009-curl-7.71.1-CVE-2021-22890.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -200,6 +203,7 @@ be installed. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 # Fedora patches %patch101 -p1 @@ -379,6 +383,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Mar 31 2021 Kamil Dudka - 7.71.1-9 +- fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890) - prevent automatic referer from leaking credentials (CVE-2021-22876) * Wed Dec 09 2020 Kamil Dudka - 7.71.1-8 From 22ead1eab2399670b5f33cc6051f77d6006f7fcd Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 2 Jun 2021 18:45:38 +0200 Subject: [PATCH 09/16] build the curl tool without metalink support Resolves: CVE-2021-22923 - metalink download sends credentials Resolves: CVE-2021-22922 - wrong content via metalink not discarded --- curl.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index 4565b2e..2577222 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -51,7 +51,6 @@ BuildRequires: gcc BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel -BuildRequires: libmetalink-devel BuildRequires: libnghttp2-devel BuildRequires: libpsl-devel BuildRequires: libssh-devel @@ -250,6 +249,7 @@ export common_configure_opts=" \ --enable-symbol-hiding \ --enable-ipv6 \ --enable-threaded-resolver \ + --without-libmetalink \ --with-gssapi \ --with-nghttp2 \ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" @@ -265,7 +265,6 @@ export common_configure_opts=" \ --disable-manual \ --without-brotli \ --without-libidn2 \ - --without-libmetalink \ --without-libpsl \ --without-libssh ) @@ -279,7 +278,6 @@ export common_configure_opts=" \ --enable-manual \ --with-brotli \ --with-libidn2 \ - --with-libmetalink \ --with-libpsl \ --with-libssh ) @@ -382,6 +380,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 02 2021 Kamil Dudka - 7.71.1-10 +- disable metalink support to fix the following vulnerabilities + CVE-2021-22923 - metalink download sends credentials + CVE-2021-22922 - wrong content via metalink not discarded + * Wed Mar 31 2021 Kamil Dudka - 7.71.1-9 - fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890) - prevent automatic referer from leaking credentials (CVE-2021-22876) From ff41f425b62e7c225bee3e9d079df6d3b84bb373 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Jul 2021 17:47:08 +0200 Subject: [PATCH 10/16] Resolves: CVE-2021-22924 - fix bad connection reuse due to flawed path name checks --- 0010-curl-7.71.1-CVE-2021-22924.patch | 788 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 793 insertions(+) create mode 100644 0010-curl-7.71.1-CVE-2021-22924.patch diff --git a/0010-curl-7.71.1-CVE-2021-22924.patch b/0010-curl-7.71.1-CVE-2021-22924.patch new file mode 100644 index 0000000..0ed70d9 --- /dev/null +++ b/0010-curl-7.71.1-CVE-2021-22924.patch @@ -0,0 +1,788 @@ +From c3e2c52593b94bd93775b50063e1d54bc7b1b911 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 18 Feb 2021 10:13:56 +0100 +Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names + +It doesn't provide any useful info but only makes the names longer. + +Closes #6624 + +Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e +Signed-off-by: Kamil Dudka +--- + lib/doh.c | 12 ++++++------ + lib/setopt.c | 38 +++++++++++++++++++------------------- + lib/url.c | 42 +++++++++++++++++++++--------------------- + lib/urldata.h | 34 +++++++++++++++++----------------- + lib/vtls/gskit.c | 2 +- + lib/vtls/gtls.c | 2 +- + lib/vtls/mbedtls.c | 4 ++-- + lib/vtls/nss.c | 2 +- + lib/vtls/openssl.c | 2 +- + lib/vtls/schannel.c | 2 +- + lib/vtls/sectransp.c | 7 ++++--- + lib/vtls/wolfssl.c | 4 ++-- + 12 files changed, 76 insertions(+), 75 deletions(-) + +diff --git a/lib/doh.c b/lib/doh.c +index ebb2c24..cbd34f6 100644 +--- a/lib/doh.c ++++ b/lib/doh.c +@@ -318,17 +318,17 @@ static CURLcode dohprobe(struct Curl_easy *data, + ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L); + if(data->set.ssl.primary.verifystatus) + ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L); +- if(data->set.str[STRING_SSL_CAFILE_ORIG]) { ++ if(data->set.str[STRING_SSL_CAFILE]) { + ERROR_CHECK_SETOPT(CURLOPT_CAINFO, +- data->set.str[STRING_SSL_CAFILE_ORIG]); ++ data->set.str[STRING_SSL_CAFILE]); + } +- if(data->set.str[STRING_SSL_CAPATH_ORIG]) { ++ if(data->set.str[STRING_SSL_CAPATH]) { + ERROR_CHECK_SETOPT(CURLOPT_CAPATH, +- data->set.str[STRING_SSL_CAPATH_ORIG]); ++ data->set.str[STRING_SSL_CAPATH]); + } +- if(data->set.str[STRING_SSL_CRLFILE_ORIG]) { ++ if(data->set.str[STRING_SSL_CRLFILE]) { + ERROR_CHECK_SETOPT(CURLOPT_CRLFILE, +- data->set.str[STRING_SSL_CRLFILE_ORIG]); ++ data->set.str[STRING_SSL_CRLFILE]); + } + if(data->set.ssl.certinfo) + ERROR_CHECK_SETOPT(CURLOPT_CERTINFO, 1L); +diff --git a/lib/setopt.c b/lib/setopt.c +index d621335..58d92e2 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -174,7 +174,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + break; + case CURLOPT_SSL_CIPHER_LIST: + /* set a list of cipher we want to use in the SSL connection */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST], + va_arg(param, char *)); + break; + #ifndef CURL_DISABLE_PROXY +@@ -187,7 +187,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_TLS13_CIPHERS: + if(Curl_ssl_tls13_ciphersuites()) { + /* set preferred list of TLS 1.3 cipher suites */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST], + va_arg(param, char *)); + } + else +@@ -1643,14 +1643,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + /* + * String that holds file name of the SSL certificate to use + */ +- result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_CERT], + va_arg(param, char *)); + break; + case CURLOPT_SSLCERT_BLOB: + /* + * Blob that holds file name of the SSL certificate to use + */ +- result = Curl_setblobopt(&data->set.blobs[BLOB_CERT_ORIG], ++ result = Curl_setblobopt(&data->set.blobs[BLOB_CERT], + va_arg(param, struct curl_blob *)); + break; + #ifndef CURL_DISABLE_PROXY +@@ -1673,7 +1673,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + /* + * String that holds file type of the SSL certificate to use + */ +- result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE], + va_arg(param, char *)); + break; + #ifndef CURL_DISABLE_PROXY +@@ -1689,14 +1689,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + /* + * String that holds file name of the SSL key to use + */ +- result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_KEY], + va_arg(param, char *)); + break; + case CURLOPT_SSLKEY_BLOB: + /* + * Blob that holds file name of the SSL key to use + */ +- result = Curl_setblobopt(&data->set.blobs[BLOB_KEY_ORIG], ++ result = Curl_setblobopt(&data->set.blobs[BLOB_KEY], + va_arg(param, struct curl_blob *)); + break; + #ifndef CURL_DISABLE_PROXY +@@ -1719,7 +1719,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + /* + * String that holds file type of the SSL key to use + */ +- result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE], + va_arg(param, char *)); + break; + #ifndef CURL_DISABLE_PROXY +@@ -1735,7 +1735,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + /* + * String that holds the SSL or SSH private key password. + */ +- result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD], + va_arg(param, char *)); + break; + #ifndef CURL_DISABLE_PROXY +@@ -1944,7 +1944,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + */ + #ifdef USE_SSL + if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY) +- result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY], + va_arg(param, char *)); + else + #endif +@@ -1969,7 +1969,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + /* + * Set CA info for SSL connection. Specify file name of the CA certificate + */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE], + va_arg(param, char *)); + break; + #ifndef CURL_DISABLE_PROXY +@@ -1990,7 +1990,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #ifdef USE_SSL + if(Curl_ssl->supports & SSLSUPP_CA_PATH) + /* This does not work on windows. */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH], + va_arg(param, char *)); + else + #endif +@@ -2017,7 +2017,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * Set CRL file info for SSL connection. Specify file name of the CRL + * to check certificates revocation + */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE], + va_arg(param, char *)); + break; + #ifndef CURL_DISABLE_PROXY +@@ -2035,14 +2035,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * Set Issuer certificate file + * to check certificates issuer + */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT], + va_arg(param, char *)); + break; + case CURLOPT_ISSUERCERT_BLOB: + /* + * Blob that holds Issuer certificate to check certificates issuer + */ +- result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG], ++ result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT], + va_arg(param, struct curl_blob *)); + break; + #ifndef CURL_DISABLE_PROXY +@@ -2638,9 +2638,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #endif + #ifdef USE_TLS_SRP + case CURLOPT_TLSAUTH_USERNAME: +- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_USERNAME: +@@ -2653,9 +2653,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #endif + break; + case CURLOPT_TLSAUTH_PASSWORD: +- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_PASSWORD: +diff --git a/lib/url.c b/lib/url.c +index 307b66e..dd18c63 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -543,7 +543,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + */ + if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) { + #if defined(CURL_CA_BUNDLE) +- result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE); ++ result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE); + if(result) + return result; + +@@ -553,7 +553,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + return result; + #endif + #if defined(CURL_CA_PATH) +- result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH); ++ result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH); + if(result) + return result; + +@@ -3600,17 +3600,17 @@ static CURLcode create_conn(struct Curl_easy *data, + that will be freed as part of the Curl_easy struct, but all cloned + copies will be separately allocated. + */ +- data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG]; +- data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG]; ++ data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH]; ++ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.ssl.primary.cipher_list = +- data->set.str[STRING_SSL_CIPHER_LIST_ORIG]; ++ data->set.str[STRING_SSL_CIPHER_LIST]; + data->set.ssl.primary.cipher_list13 = +- data->set.str[STRING_SSL_CIPHER13_LIST_ORIG]; ++ data->set.str[STRING_SSL_CIPHER13_LIST]; + data->set.ssl.primary.pinned_key = +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; +- data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; ++ data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT]; + + #ifndef CURL_DISABLE_PROXY + data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; +@@ -3636,26 +3636,26 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY]; + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; +- data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; +- data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; +- data->set.ssl.key = data->set.str[STRING_KEY_ORIG]; +- data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG]; +- data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG]; +- data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG]; ++ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; ++ data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; ++ data->set.ssl.cert = data->set.str[STRING_CERT]; ++ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; ++ data->set.ssl.key = data->set.str[STRING_KEY]; ++ data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; ++ data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; ++ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; ++ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; ++ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + #ifndef CURL_DISABLE_PROXY + data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; + data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif + +- data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG]; +- data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG]; +- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG]; ++ data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT]; ++ data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; ++ data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; + + if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, + &conn->ssl_config)) { +diff --git a/lib/urldata.h b/lib/urldata.h +index df9d998..0fb046f 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1491,9 +1491,9 @@ struct Curl_multi; /* declared and used only in multi.c */ + * are catered for in curl_easy_setopt_ccsid() + */ + enum dupstring { +- STRING_CERT_ORIG, /* client certificate file name */ ++ STRING_CERT, /* client certificate file name */ + STRING_CERT_PROXY, /* client certificate file name */ +- STRING_CERT_TYPE_ORIG, /* format for certificate (default: PEM)*/ ++ STRING_CERT_TYPE, /* format for certificate (default: PEM)*/ + STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/ + STRING_COOKIE, /* HTTP cookie string to send */ + STRING_COOKIEJAR, /* dump all cookies to this file */ +@@ -1504,11 +1504,11 @@ enum dupstring { + STRING_FTP_ACCOUNT, /* ftp account data */ + STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */ + STRING_FTPPORT, /* port to send with the FTP PORT command */ +- STRING_KEY_ORIG, /* private key file name */ ++ STRING_KEY, /* private key file name */ + STRING_KEY_PROXY, /* private key file name */ +- STRING_KEY_PASSWD_ORIG, /* plain text private key password */ ++ STRING_KEY_PASSWD, /* plain text private key password */ + STRING_KEY_PASSWD_PROXY, /* plain text private key password */ +- STRING_KEY_TYPE_ORIG, /* format for private key (default: PEM) */ ++ STRING_KEY_TYPE, /* format for private key (default: PEM) */ + STRING_KEY_TYPE_PROXY, /* format for private key (default: PEM) */ + STRING_KRB_LEVEL, /* krb security level */ + STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find +@@ -1518,22 +1518,22 @@ enum dupstring { + STRING_SET_RANGE, /* range, if used */ + STRING_SET_REFERER, /* custom string for the HTTP referer field */ + STRING_SET_URL, /* what original URL to work on */ +- STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */ ++ STRING_SSL_CAPATH, /* CA directory name (doesn't work on windows) */ + STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */ +- STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */ ++ STRING_SSL_CAFILE, /* certificate file to verify peer against */ + STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */ +- STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */ ++ STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */ + STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */ +- STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */ ++ STRING_SSL_CIPHER_LIST, /* list of ciphers to use */ + STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */ +- STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */ ++ STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */ + STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */ + STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */ + STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */ + STRING_USERAGENT, /* User-Agent string */ +- STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */ ++ STRING_SSL_CRLFILE, /* crl file to check certificate */ + STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */ +- STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */ ++ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */ + STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */ + STRING_SSL_ENGINE, /* name of ssl engine */ + STRING_USERNAME, /* , if used */ +@@ -1557,9 +1557,9 @@ enum dupstring { + STRING_MAIL_FROM, + STRING_MAIL_AUTH, + +- STRING_TLSAUTH_USERNAME_ORIG, /* TLS auth */ ++ STRING_TLSAUTH_USERNAME, /* TLS auth */ + STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth */ +- STRING_TLSAUTH_PASSWORD_ORIG, /* TLS auth */ ++ STRING_TLSAUTH_PASSWORD, /* TLS auth */ + STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth */ + + STRING_BEARER, /* , if used */ +@@ -1593,11 +1593,11 @@ enum dupstring { + }; + + enum dupblob { +- BLOB_CERT_ORIG, ++ BLOB_CERT, + BLOB_CERT_PROXY, +- BLOB_KEY_ORIG, ++ BLOB_KEY, + BLOB_KEY_PROXY, +- BLOB_SSL_ISSUERCERT_ORIG, ++ BLOB_SSL_ISSUERCERT, + BLOB_SSL_ISSUERCERT_PROXY, + BLOB_LAST + }; +diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c +index 0538e4a..de9a9db 100644 +--- a/lib/vtls/gskit.c ++++ b/lib/vtls/gskit.c +@@ -1039,7 +1039,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) + + /* Check pinned public key. */ + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(!result && ptr) { + curl_X509certificate x509; + curl_asn1Element *p; +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 9b4c365..2ce5749 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -1184,7 +1184,7 @@ gtls_connect_step3(struct connectdata *conn, + } + + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(ptr) { + result = pkp_pin_peer_pubkey(data, x509_cert, ptr); + if(result != CURLE_OK) { +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 545f824..bf3683d 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -546,10 +546,10 @@ mbed_connect_step2(struct connectdata *conn, + #ifndef CURL_DISABLE_PROXY + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + #else + const char * const pinnedpubkey = +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + #endif + + conn->recv[sockindex] = mbed_recv; +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index fca2926..9dad33f 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2131,7 +2131,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) + &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + + + /* check timeout situation */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 16276f3..acf6577 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3965,7 +3965,7 @@ static CURLcode servercert(struct connectdata *conn, + result = CURLE_OK; + + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(!result && ptr) { + result = pkp_pin_peer_pubkey(data, backend->server_cert, ptr); + if(result) +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 1996526..ba82513 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -1243,7 +1243,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) + + pubkey_ptr = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(pubkey_ptr) { + result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr); + if(result) { +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 2627aff..120df3a 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -2609,9 +2609,10 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex) + connssl->connecting_state = ssl_connect_3; + + #ifdef SECTRANSP_PINNEDPUBKEY +- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) { +- CURLcode result = pkp_pin_peer_pubkey(data, backend->ssl_ctx, +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]); ++ if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { ++ CURLcode result = ++ pkp_pin_peer_pubkey(data, backend->ssl_ctx, ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + if(result) { + failf(data, "SSL: public key does not match pinned public key!"); + return result; +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c +index 7b2a124..fc41748 100644 +--- a/lib/vtls/wolfssl.c ++++ b/lib/vtls/wolfssl.c +@@ -549,12 +549,12 @@ wolfssl_connect_step2(struct connectdata *conn, + conn->http_proxy.host.dispname : conn->host.dispname; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + #else + const char * const hostname = conn->host.name; + const char * const dispname = conn->host.dispname; + const char * const pinnedpubkey = +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + #endif + + conn->recv[sockindex] = wolfssl_recv; +-- +2.31.1 + + +From fea46e2ddc6050b0aa008033325afbb0606d2b55 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 19 Jun 2021 00:42:28 +0200 +Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and + case sensitivity + +CVE-2021-22924 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2021-22924.html + +Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 9 ++++++--- + lib/urldata.h | 4 ++-- + lib/vtls/gtls.c | 10 +++++----- + lib/vtls/nss.c | 4 ++-- + lib/vtls/openssl.c | 18 +++++++++--------- + lib/vtls/vtls.c | 26 +++++++++++++++++++++----- + 6 files changed, 45 insertions(+), 26 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index dd18c63..71e226e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -3602,6 +3602,8 @@ static CURLcode create_conn(struct Curl_easy *data, + */ + data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH]; + data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE]; ++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; ++ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.ssl.primary.cipher_list = +@@ -3625,8 +3627,11 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.pinned_key = + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; + data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY]; ++ data->set.proxy_ssl.primary.issuercert = ++ data->set.str[STRING_SSL_ISSUERCERT_PROXY]; ++ data->set.proxy_ssl.primary.issuercert_blob = ++ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; +@@ -3637,7 +3642,6 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif + data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; + data->set.ssl.cert = data->set.str[STRING_CERT]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; +@@ -3655,7 +3659,6 @@ static CURLcode create_conn(struct Curl_easy *data, + + data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT]; + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; + + if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, + &conn->ssl_config)) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 0fb046f..8b5b597 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -223,6 +223,7 @@ struct ssl_primary_config { + long version_max; /* max supported version the client wants to use*/ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ ++ char *issuercert; /* optional issuer certificate filename */ + char *clientcert; + char *random_file; /* path to file containing "random" data */ + char *egdsocket; /* path to file containing the EGD daemon socket */ +@@ -230,6 +231,7 @@ struct ssl_primary_config { + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; + struct curl_blob *cert_blob; ++ struct curl_blob *issuercert_blob; + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -240,8 +242,6 @@ struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ + char *CRLfile; /* CRL to check certificate revocation */ +- char *issuercert;/* optional issuer certificate filename */ +- struct curl_blob *issuercert_blob; + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert; /* client certificate file name */ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 2ce5749..1b87085 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -851,7 +851,7 @@ gtls_connect_step3(struct connectdata *conn, + if(!chainp) { + if(SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost) || +- SSL_SET_OPTION(issuercert)) { ++ SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_TLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(username) != NULL +@@ -1035,21 +1035,21 @@ gtls_connect_step3(struct connectdata *conn, + gnutls_x509_crt_t format */ + gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + gnutls_x509_crt_init(&x509_issuer); +- issuerp = load_file(SSL_SET_OPTION(issuercert)); ++ issuerp = load_file(SSL_CONN_CONFIG(issuercert)); + gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); + rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); + gnutls_x509_crt_deinit(x509_issuer); + unload_file(issuerp); + if(rc <= 0) { + failf(data, "server certificate issuer check failed (IssuerCert: %s)", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + gnutls_x509_crt_deinit(x509_cert); + return CURLE_SSL_ISSUER_ERROR; + } + infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + } + + size = sizeof(certname); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 9dad33f..d1b0016 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2159,9 +2159,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) + if(result) + goto error; + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + SECStatus ret = SECFailure; +- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); ++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); + if(nickname) { + /* we support only nicknames in case of issuercert for now */ + ret = check_issuer_cert(backend->handle, nickname); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index acf6577..56171ae 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3871,10 +3871,10 @@ static CURLcode servercert(struct connectdata *conn, + deallocating the certificate. */ + + /* e.g. match issuer name with provided issuer certificate */ +- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) { +- if(SSL_SET_OPTION(issuercert_blob)) +- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data, +- (int)SSL_SET_OPTION(issuercert_blob)->len); ++ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) { ++ if(SSL_CONN_CONFIG(issuercert_blob)) ++ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data, ++ (int)SSL_CONN_CONFIG(issuercert_blob)->len); + else { + fp = BIO_new(BIO_s_file()); + if(fp == NULL) { +@@ -3888,10 +3888,10 @@ static CURLcode servercert(struct connectdata *conn, + return CURLE_OUT_OF_MEMORY; + } + +- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { ++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { + if(strict) + failf(data, "SSL: Unable to open issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(backend->server_cert); + backend->server_cert = NULL; +@@ -3903,7 +3903,7 @@ static CURLcode servercert(struct connectdata *conn, + if(!issuer) { + if(strict) + failf(data, "SSL: Unable to read issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(backend->server_cert); +@@ -3914,7 +3914,7 @@ static CURLcode servercert(struct connectdata *conn, + if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) { + if(strict) + failf(data, "SSL: Certificate issuer check failed (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(backend->server_cert); +@@ -3923,7 +3923,7 @@ static CURLcode servercert(struct connectdata *conn, + } + + infof(data, " SSL certificate issuer check ok (%s)\n", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e50fdd2..855ee66 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -121,6 +121,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) + return !memcmp(first->data, second->data, first->len); /* same data */ + } + ++static bool safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ else if(!a && !b) ++ return TRUE; /* match */ ++ return FALSE; /* no match */ ++} ++ ++ + bool + Curl_ssl_config_matches(struct ssl_primary_config *data, + struct ssl_primary_config *needle) +@@ -131,11 +141,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && + blobcmp(data->cert_blob, needle->cert_blob) && +- Curl_safe_strcasecompare(data->CApath, needle->CApath) && +- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && +- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && +- Curl_safe_strcasecompare(data->random_file, needle->random_file) && +- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && ++ blobcmp(data->issuercert_blob, needle->issuercert_blob) && ++ safecmp(data->CApath, needle->CApath) && ++ safecmp(data->CAfile, needle->CAfile) && ++ safecmp(data->issuercert, needle->issuercert) && ++ safecmp(data->clientcert, needle->clientcert) && ++ safecmp(data->random_file, needle->random_file) && ++ safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) +@@ -156,8 +168,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->sessionid = source->sessionid; + + CLONE_BLOB(cert_blob); ++ CLONE_BLOB(issuercert_blob); + CLONE_STRING(CApath); + CLONE_STRING(CAfile); ++ CLONE_STRING(issuercert); + CLONE_STRING(clientcert); + CLONE_STRING(random_file); + CLONE_STRING(egdsocket); +@@ -172,6 +186,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + { + Curl_safefree(sslc->CApath); + Curl_safefree(sslc->CAfile); ++ Curl_safefree(sslc->issuercert); + Curl_safefree(sslc->clientcert); + Curl_safefree(sslc->random_file); + Curl_safefree(sslc->egdsocket); +@@ -179,6 +194,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->cipher_list13); + Curl_safefree(sslc->pinned_key); + Curl_safefree(sslc->cert_blob); ++ Curl_safefree(sslc->issuercert_blob); + } + + #ifdef USE_SSL +-- +2.31.1 + diff --git a/curl.spec b/curl.spec index 2577222..be2da16 100644 --- a/curl.spec +++ b/curl.spec @@ -29,6 +29,9 @@ Patch8: 0008-curl-7.71.1-CVE-2021-22876.patch # fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890) Patch9: 0009-curl-7.71.1-CVE-2021-22890.patch +# fix bad connection reuse due to flawed path name checks (CVE-2021-22924) +Patch10: 0010-curl-7.71.1-CVE-2021-22924.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -203,6 +206,7 @@ be installed. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 # Fedora patches %patch101 -p1 @@ -381,6 +385,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Jun 02 2021 Kamil Dudka - 7.71.1-10 +- fix bad connection reuse due to flawed path name checks (CVE-2021-22924) - disable metalink support to fix the following vulnerabilities CVE-2021-22923 - metalink download sends credentials CVE-2021-22922 - wrong content via metalink not discarded From fa90718ce515e4c6af9535cf9c406948174111c6 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 May 2021 10:21:27 +0200 Subject: [PATCH 11/16] Resolves: CVE-2021-22898 - fix TELNET stack contents disclosure --- 0011-curl-7.71.1-CVE-2021-22898.patch | 31 +++++++++++++++++++++++++++ curl.spec | 5 +++++ 2 files changed, 36 insertions(+) create mode 100644 0011-curl-7.71.1-CVE-2021-22898.patch diff --git a/0011-curl-7.71.1-CVE-2021-22898.patch b/0011-curl-7.71.1-CVE-2021-22898.patch new file mode 100644 index 0000000..2609375 --- /dev/null +++ b/0011-curl-7.71.1-CVE-2021-22898.patch @@ -0,0 +1,31 @@ +From ae2dc830fb37e9243dbdaf8b92e41df91f43b3f2 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Fri, 7 May 2021 13:09:57 +0200 +Subject: [PATCH] telnet: check sscanf() for correct number of matches + +CVE-2021-22898 + +Bug: https://curl.se/docs/CVE-2021-22898.html + +Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 1fc5af1..ea6bc71 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -967,7 +967,7 @@ static void suboption(struct connectdata *conn) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { ++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { + msnprintf((char *)&temp[len], sizeof(temp) - len, + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, + CURL_NEW_ENV_VALUE, varval); +-- +2.31.1 + diff --git a/curl.spec b/curl.spec index be2da16..83d5810 100644 --- a/curl.spec +++ b/curl.spec @@ -32,6 +32,9 @@ Patch9: 0009-curl-7.71.1-CVE-2021-22890.patch # fix bad connection reuse due to flawed path name checks (CVE-2021-22924) Patch10: 0010-curl-7.71.1-CVE-2021-22924.patch +# fix TELNET stack contents disclosure (CVE-2021-22898) +Patch11: 0011-curl-7.71.1-CVE-2021-22898.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -207,6 +210,7 @@ be installed. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 # Fedora patches %patch101 -p1 @@ -385,6 +389,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Jun 02 2021 Kamil Dudka - 7.71.1-10 +- fix TELNET stack contents disclosure (CVE-2021-22898) - fix bad connection reuse due to flawed path name checks (CVE-2021-22924) - disable metalink support to fix the following vulnerabilities CVE-2021-22923 - metalink download sends credentials From 1dc08c9d962bcdaa82cad948eecd789084ee3275 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Jul 2021 17:49:46 +0200 Subject: [PATCH 12/16] Resolves: CVE-2021-22925 - fix TELNET stack contents disclosure again --- 0012-curl-7.71.1-CVE-2021-22925.patch | 47 +++++++++++++++++++++++++++ curl.spec | 5 +++ 2 files changed, 52 insertions(+) create mode 100644 0012-curl-7.71.1-CVE-2021-22925.patch diff --git a/0012-curl-7.71.1-CVE-2021-22925.patch b/0012-curl-7.71.1-CVE-2021-22925.patch new file mode 100644 index 0000000..330d9f7 --- /dev/null +++ b/0012-curl-7.71.1-CVE-2021-22925.patch @@ -0,0 +1,47 @@ +From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 12 Jun 2021 18:25:15 +0200 +Subject: [PATCH] telnet: fix option parser to not send uninitialized contents + +CVE-2021-22925 + +Reported-by: Red Hat Product Security +Bug: https://curl.se/docs/CVE-2021-22925.html + +Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index ea6bc71..f8428b8 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { +- msnprintf((char *)&temp[len], sizeof(temp) - len, +- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, +- CURL_NEW_ENV_VALUE, varval); +- len += tmplen; +- } ++ int rv; ++ char sep[2] = ""; ++ varval[0] = 0; ++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); ++ if(rv == 1) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s", CURL_NEW_ENV_VAR, varname); ++ else if(rv >= 2) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, ++ CURL_NEW_ENV_VALUE, varval); + } + } + msnprintf((char *)&temp[len], sizeof(temp) - len, +-- +2.31.1 + diff --git a/curl.spec b/curl.spec index 83d5810..a9775f1 100644 --- a/curl.spec +++ b/curl.spec @@ -35,6 +35,9 @@ Patch10: 0010-curl-7.71.1-CVE-2021-22924.patch # fix TELNET stack contents disclosure (CVE-2021-22898) Patch11: 0011-curl-7.71.1-CVE-2021-22898.patch +# fix TELNET stack contents disclosure again (CVE-2021-22925) +Patch12: 0012-curl-7.71.1-CVE-2021-22925.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -211,6 +214,7 @@ be installed. %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 # Fedora patches %patch101 -p1 @@ -389,6 +393,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Jun 02 2021 Kamil Dudka - 7.71.1-10 +- fix TELNET stack contents disclosure again (CVE-2021-22925) - fix TELNET stack contents disclosure (CVE-2021-22898) - fix bad connection reuse due to flawed path name checks (CVE-2021-22924) - disable metalink support to fix the following vulnerabilities From f2473c9f842eee9fff88e3dbe6cb156bfaadb0e9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 22 Jul 2021 09:28:13 +0200 Subject: [PATCH 13/16] changelog: fix date in the last entry --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index a9775f1..e76079a 100644 --- a/curl.spec +++ b/curl.spec @@ -392,7 +392,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Wed Jun 02 2021 Kamil Dudka - 7.71.1-10 +* Wed Jul 21 2021 Kamil Dudka - 7.71.1-10 - fix TELNET stack contents disclosure again (CVE-2021-22925) - fix TELNET stack contents disclosure (CVE-2021-22898) - fix bad connection reuse due to flawed path name checks (CVE-2021-22924) From 8545535d63094c5dba0642b13f2fd23fa6c3e434 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 17 Sep 2021 09:10:21 +0200 Subject: [PATCH 14/16] Resolves: CVE-2021-22945 - fix use-after-free and double-free in MQTT sending --- 0013-curl-7.71.1-CVE-2021-22945.patch | 33 +++++++++++++++++++++++++++ curl.spec | 9 +++++++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 0013-curl-7.71.1-CVE-2021-22945.patch diff --git a/0013-curl-7.71.1-CVE-2021-22945.patch b/0013-curl-7.71.1-CVE-2021-22945.patch new file mode 100644 index 0000000..79dc9f8 --- /dev/null +++ b/0013-curl-7.71.1-CVE-2021-22945.patch @@ -0,0 +1,33 @@ +From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001 +From: z2_ on hackerone <> +Date: Tue, 24 Aug 2021 09:50:33 +0200 +Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds + +CVE-2021-22945 + +Bug: https://curl.se/docs/CVE-2021-22945.html + +Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49 +Signed-off-by: Kamil Dudka +--- + lib/mqtt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/mqtt.c b/lib/mqtt.c +index d88fa73..f3fc045 100644 +--- a/lib/mqtt.c ++++ b/lib/mqtt.c +@@ -123,6 +123,10 @@ static CURLcode mqtt_send(struct connectdata *conn, + mq->sendleftovers = sendleftovers; + mq->nsend = nsend; + } ++ else { ++ mq->sendleftovers = NULL; ++ mq->nsend = 0; ++ } + return result; + } + +-- +2.31.1 + diff --git a/curl.spec b/curl.spec index e76079a..2e2a7d2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 10%{?dist} +Release: 11%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -38,6 +38,9 @@ Patch11: 0011-curl-7.71.1-CVE-2021-22898.patch # fix TELNET stack contents disclosure again (CVE-2021-22925) Patch12: 0012-curl-7.71.1-CVE-2021-22925.patch +# fix use-after-free and double-free in MQTT sending (CVE-2021-22945) +Patch13: 0013-curl-7.71.1-CVE-2021-22945.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -215,6 +218,7 @@ be installed. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 # Fedora patches %patch101 -p1 @@ -392,6 +396,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Sep 17 2021 Kamil Dudka - 7.71.1-11 +- fix use-after-free and double-free in MQTT sending (CVE-2021-22945) + * Wed Jul 21 2021 Kamil Dudka - 7.71.1-10 - fix TELNET stack contents disclosure again (CVE-2021-22925) - fix TELNET stack contents disclosure (CVE-2021-22898) From 46b1c257386ecb0eb0e6f15a6cf14b0cc4f32a27 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 17 Sep 2021 09:14:46 +0200 Subject: [PATCH 15/16] Resolves: CVE-2021-22946 - fix protocol downgrade required TLS bypass --- 0014-curl-7.71.1-CVE-2021-22946.patch | 331 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 336 insertions(+) create mode 100644 0014-curl-7.71.1-CVE-2021-22946.patch diff --git a/0014-curl-7.71.1-CVE-2021-22946.patch b/0014-curl-7.71.1-CVE-2021-22946.patch new file mode 100644 index 0000000..c408988 --- /dev/null +++ b/0014-curl-7.71.1-CVE-2021-22946.patch @@ -0,0 +1,331 @@ +From 03ca8c6faca7de6628f9cbec3001ec6466c88d07 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Wed, 8 Sep 2021 11:56:22 +0200 +Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd + +In imap and pop3, check if TLS is required even when capabilities +request has failed. + +In ftp, ignore preauthentication (230 status of server greeting) if TLS +is required. + +Bug: https://curl.se/docs/CVE-2021-22946.html + +CVE-2021-22946 + +Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 9 ++++--- + lib/imap.c | 24 ++++++++---------- + lib/pop3.c | 33 +++++++++++------------- + tests/data/Makefile.inc | 2 ++ + tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ + tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ + 7 files changed, 195 insertions(+), 36 deletions(-) + create mode 100644 tests/data/test984 + create mode 100644 tests/data/test985 + create mode 100644 tests/data/test986 + +diff --git a/lib/ftp.c b/lib/ftp.c +index 71c9642..30ebeaa 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2622,9 +2622,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) + /* we have now received a full FTP server response */ + switch(ftpc->state) { + case FTP_WAIT220: +- if(ftpcode == 230) +- /* 230 User logged in - already! */ +- return ftp_state_user_resp(conn, ftpcode, ftpc->state); ++ if(ftpcode == 230) { ++ /* 230 User logged in - already! Take as 220 if TLS required. */ ++ if(data->set.use_ssl <= CURLUSESSL_TRY || ++ conn->ssl[FIRSTSOCKET].use) ++ return ftp_state_user_resp(conn, ftpcode, ftpc->state); ++ } + else if(ftpcode != 220) { + failf(data, "Got a %03d ftp-server response when 220 was expected", + ftpcode); +diff --git a/lib/imap.c b/lib/imap.c +index bda23a5..7e159d4 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn, + line += wordlen; + } + } +- else if(imapcode == IMAP_RESP_OK) { +- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { +- /* We don't have a SSL/TLS connection yet, but SSL is requested */ +- if(imapc->tls_supported) +- /* Switch to TLS connection now */ +- result = imap_perform_starttls(conn); +- else if(data->set.use_ssl == CURLUSESSL_TRY) +- /* Fallback and carry on with authentication */ +- result = imap_perform_authentication(conn); +- else { +- failf(data, "STARTTLS not supported."); +- result = CURLE_USE_SSL_FAILED; +- } ++ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { ++ /* PREAUTH is not compatible with STARTTLS. */ ++ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { ++ /* Switch to TLS connection now */ ++ result = imap_perform_starttls(conn); + } +- else ++ else if(data->set.use_ssl <= CURLUSESSL_TRY) + result = imap_perform_authentication(conn); ++ else { ++ failf(data, "STARTTLS not available."); ++ result = CURLE_USE_SSL_FAILED; ++ } + } + else + result = imap_perform_authentication(conn); +diff --git a/lib/pop3.c b/lib/pop3.c +index 04cc887..3e916ce 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code, + } + } + } +- else if(pop3code == '+') { +- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { +- /* We don't have a SSL/TLS connection yet, but SSL is requested */ +- if(pop3c->tls_supported) +- /* Switch to TLS connection now */ +- result = pop3_perform_starttls(conn); +- else if(data->set.use_ssl == CURLUSESSL_TRY) +- /* Fallback and carry on with authentication */ +- result = pop3_perform_authentication(conn); +- else { +- failf(data, "STLS not supported."); +- result = CURLE_USE_SSL_FAILED; +- } +- } +- else +- result = pop3_perform_authentication(conn); +- } + else { + /* Clear text is supported when CAPA isn't recognised */ +- pop3c->authtypes |= POP3_TYPE_CLEARTEXT; ++ if(pop3code != '+') ++ pop3c->authtypes |= POP3_TYPE_CLEARTEXT; + +- result = pop3_perform_authentication(conn); ++ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) ++ result = pop3_perform_authentication(conn); ++ else if(pop3code == '+' && pop3c->tls_supported) ++ /* Switch to TLS connection now */ ++ result = pop3_perform_starttls(conn); ++ else if(data->set.use_ssl <= CURLUSESSL_TRY) ++ /* Fallback and carry on with authentication */ ++ result = pop3_perform_authentication(conn); ++ else { ++ failf(data, "STLS not supported."); ++ result = CURLE_USE_SSL_FAILED; ++ } + } + + return result; +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index ef9252b..1ba482b 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ + \ ++test984 test985 test986 \ ++\ + test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ + test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ + test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ +diff --git a/tests/data/test984 b/tests/data/test984 +new file mode 100644 +index 0000000..e573f23 +--- /dev/null ++++ b/tests/data/test984 +@@ -0,0 +1,56 @@ ++ ++ ++ ++IMAP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++REPLY CAPABILITY A001 BAD Not implemented ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++imap ++ ++ ++IMAP require STARTTLS with failing capabilities ++ ++ ++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd ++ ++ ++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) ++From: Fred Foobar ++Subject: afternoon meeting ++To: joe@example.com ++Message-Id: ++MIME-Version: 1.0 ++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII ++ ++Hello Joe, do you think we can meet at 3:30 tomorrow? ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 64 is CURLE_USE_SSL_FAILED ++ ++64 ++ ++ ++A001 CAPABILITY ++ ++ ++ +diff --git a/tests/data/test985 b/tests/data/test985 +new file mode 100644 +index 0000000..d0db4aa +--- /dev/null ++++ b/tests/data/test985 +@@ -0,0 +1,54 @@ ++ ++ ++ ++POP3 ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++REPLY CAPA -ERR Not implemented ++ ++ ++From: me@somewhere ++To: fake@nowhere ++ ++body ++ ++-- ++ yours sincerely ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++pop3 ++ ++ ++POP3 require STARTTLS with failing capabilities ++ ++ ++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 64 is CURLE_USE_SSL_FAILED ++ ++64 ++ ++ ++CAPA ++ ++ ++ +diff --git a/tests/data/test986 b/tests/data/test986 +new file mode 100644 +index 0000000..a709437 +--- /dev/null ++++ b/tests/data/test986 +@@ -0,0 +1,53 @@ ++ ++ ++ ++FTP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++REPLY welcome 230 Welcome ++REPLY AUTH 500 unknown command ++ ++ ++ ++# Client-side ++ ++ ++SSL ++ ++ ++ftp ++ ++ ++FTP require STARTTLS while preauthenticated ++ ++ ++data ++ to ++ see ++that FTPS ++works ++ so does it? ++ ++ ++--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++# 64 is CURLE_USE_SSL_FAILED ++ ++64 ++ ++ ++AUTH SSL ++AUTH TLS ++ ++ ++ +-- +2.31.1 + diff --git a/curl.spec b/curl.spec index 2e2a7d2..2f535f3 100644 --- a/curl.spec +++ b/curl.spec @@ -41,6 +41,9 @@ Patch12: 0012-curl-7.71.1-CVE-2021-22925.patch # fix use-after-free and double-free in MQTT sending (CVE-2021-22945) Patch13: 0013-curl-7.71.1-CVE-2021-22945.patch +# fix protocol downgrade required TLS bypass (CVE-2021-22946) +Patch14: 0014-curl-7.71.1-CVE-2021-22946.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -219,6 +222,7 @@ be installed. %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 # Fedora patches %patch101 -p1 @@ -397,6 +401,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Sep 17 2021 Kamil Dudka - 7.71.1-11 +- fix protocol downgrade required TLS bypass (CVE-2021-22946) - fix use-after-free and double-free in MQTT sending (CVE-2021-22945) * Wed Jul 21 2021 Kamil Dudka - 7.71.1-10 From 4dd9624cd7322f56b11aefdb6845f49b66e003f7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 17 Sep 2021 09:18:45 +0200 Subject: [PATCH 16/16] Resolves: CVE-2021-22947 - fix STARTTLS protocol injection via MITM --- 0015-curl-7.71.1-CVE-2021-22947.patch | 354 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 359 insertions(+) create mode 100644 0015-curl-7.71.1-CVE-2021-22947.patch diff --git a/0015-curl-7.71.1-CVE-2021-22947.patch b/0015-curl-7.71.1-CVE-2021-22947.patch new file mode 100644 index 0000000..2d2c374 --- /dev/null +++ b/0015-curl-7.71.1-CVE-2021-22947.patch @@ -0,0 +1,354 @@ +From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Tue, 7 Sep 2021 13:26:42 +0200 +Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response + pipelining + +If a server pipelines future responses within the STARTTLS response, the +former are preserved in the pingpong cache across TLS negotiation and +used as responses to the encrypted commands. + +This fix detects pipelined STARTTLS responses and rejects them with an +error. + +CVE-2021-22947 + +Bug: https://curl.se/docs/CVE-2021-22947.html + +Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68 +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 3 +++ + lib/imap.c | 4 +++ + lib/pop3.c | 4 +++ + lib/smtp.c | 4 +++ + tests/data/Makefile.inc | 2 +- + tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++ + tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++ + tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++ + 9 files changed, 236 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test980 + create mode 100644 tests/data/test981 + create mode 100644 tests/data/test982 + create mode 100644 tests/data/test983 + +diff --git a/lib/ftp.c b/lib/ftp.c +index 71f998e..e920138 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2692,6 +2692,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) + case FTP_AUTH: + /* we have gotten the response to a previous AUTH command */ + ++ if(pp->cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */ ++ + /* RFC2228 (page 5) says: + * + * If the server is willing to accept the named security mechanism, +diff --git a/lib/imap.c b/lib/imap.c +index feb7445..09bc5d6 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn, + + (void)instate; /* no use for this yet */ + ++ /* Pipelining in response is forbidden. */ ++ if(data->conn->proto.imapc.pp.cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; ++ + if(imapcode != IMAP_RESP_OK) { + if(data->set.use_ssl != CURLUSESSL_TRY) { + failf(data, "STARTTLS denied"); +diff --git a/lib/pop3.c b/lib/pop3.c +index 7698d1c..dccfced 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn, + + (void)instate; /* no use for this yet */ + ++ /* Pipelining in response is forbidden. */ ++ if(data->conn->proto.pop3c.pp.cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; ++ + if(pop3code != '+') { + if(data->set.use_ssl != CURLUSESSL_TRY) { + failf(data, "STARTTLS denied"); +diff --git a/lib/smtp.c b/lib/smtp.c +index 1defb25..1f89777 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -817,6 +817,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn, + + (void)instate; /* no use for this yet */ + ++ /* Pipelining in response is forbidden. */ ++ if(data->conn->proto.smtpc.pp.cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; ++ + if(smtpcode != 220) { + if(data->set.use_ssl != CURLUSESSL_TRY) { + failf(data, "STARTTLS denied, code %d", smtpcode); +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 163ce59..42b0569 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -115,7 +115,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ + \ +-test984 test985 test986 \ ++test980 test981 test982 test983 test984 test985 test986 \ + \ + test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ + test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ +diff --git a/tests/data/test980 b/tests/data/test980 +new file mode 100644 +index 0000000..97567f8 +--- /dev/null ++++ b/tests/data/test980 +@@ -0,0 +1,52 @@ ++ ++ ++ ++SMTP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++CAPA STARTTLS ++AUTH PLAIN ++REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted ++REPLY AUTH 535 5.7.8 Authentication credentials invalid ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++smtp ++ ++ ++SMTP STARTTLS pipelined server response ++ ++ ++mail body ++ ++ ++smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T - ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 8 is CURLE_WEIRD_SERVER_REPLY ++ ++8 ++ ++ ++EHLO %TESTNUMBER ++STARTTLS ++ ++ ++ +diff --git a/tests/data/test981 b/tests/data/test981 +new file mode 100644 +index 0000000..2b98ce4 +--- /dev/null ++++ b/tests/data/test981 +@@ -0,0 +1,59 @@ ++ ++ ++ ++IMAP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++CAPA STARTTLS ++REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted ++REPLY LOGIN A003 BAD Authentication credentials invalid ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++imap ++ ++ ++IMAP STARTTLS pipelined server response ++ ++ ++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl ++ ++ ++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) ++From: Fred Foobar ++Subject: afternoon meeting ++To: joe@example.com ++Message-Id: ++MIME-Version: 1.0 ++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII ++ ++Hello Joe, do you think we can meet at 3:30 tomorrow? ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 8 is CURLE_WEIRD_SERVER_REPLY ++ ++8 ++ ++ ++A001 CAPABILITY ++A002 STARTTLS ++ ++ ++ +diff --git a/tests/data/test982 b/tests/data/test982 +new file mode 100644 +index 0000000..9e07cc0 +--- /dev/null ++++ b/tests/data/test982 +@@ -0,0 +1,57 @@ ++ ++ ++ ++POP3 ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++CAPA STLS USER ++REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated ++REPLY PASS -ERR Authentication credentials invalid ++ ++ ++From: me@somewhere ++To: fake@nowhere ++ ++body ++ ++-- ++ yours sincerely ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++pop3 ++ ++ ++POP3 STARTTLS pipelined server response ++ ++ ++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 8 is CURLE_WEIRD_SERVER_REPLY ++ ++8 ++ ++ ++CAPA ++STLS ++ ++ ++ +diff --git a/tests/data/test983 b/tests/data/test983 +new file mode 100644 +index 0000000..300ec45 +--- /dev/null ++++ b/tests/data/test983 +@@ -0,0 +1,52 @@ ++ ++ ++ ++FTP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete ++REPLY PASS 530 Login incorrect ++ ++ ++ ++# Client-side ++ ++ ++SSL ++ ++ ++ftp ++ ++ ++FTP STARTTLS pipelined server response ++ ++ ++data ++ to ++ see ++that FTPS ++works ++ so does it? ++ ++ ++--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++# 8 is CURLE_WEIRD_SERVER_REPLY ++ ++8 ++ ++ ++AUTH SSL ++ ++ ++ +-- +2.31.1 + diff --git a/curl.spec b/curl.spec index 2f535f3..9291da5 100644 --- a/curl.spec +++ b/curl.spec @@ -44,6 +44,9 @@ Patch13: 0013-curl-7.71.1-CVE-2021-22945.patch # fix protocol downgrade required TLS bypass (CVE-2021-22946) Patch14: 0014-curl-7.71.1-CVE-2021-22946.patch +# fix STARTTLS protocol injection via MITM (CVE-2021-22947) +Patch15: 0015-curl-7.71.1-CVE-2021-22947.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -223,6 +226,7 @@ be installed. %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 # Fedora patches %patch101 -p1 @@ -401,6 +405,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Sep 17 2021 Kamil Dudka - 7.71.1-11 +- fix STARTTLS protocol injection via MITM (CVE-2021-22947) - fix protocol downgrade required TLS bypass (CVE-2021-22946) - fix use-after-free and double-free in MQTT sending (CVE-2021-22945)