From e64d332e7909ea9ba76f241a0fdf9cfe4b6b1236 Mon Sep 17 00:00:00 2001
From: Yang Tse
Date: Thu, 19 Jan 2012 22:28:04 +0100
Subject: OpenSSL: follow-up for commit a20daf90e3 avoid checking preprocessor definition official value
---
 lib/ssluse.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/ssluse.c b/lib/ssluse.c
index ec1a149c8..3754904f4 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1553,8 +1553,7 @@ ossl_connect_step1(struct connectdata *conn,
 ctx_options |= SSL_OP_NO_TICKET;
 #endif
-#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && \
- (SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG == 0x00000008L)
+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
 /* mitigate CVE-2010-4180 */
 ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
 #endif
-- cgit v1.2.3
From a7e8f4aabcb7f5b46e0dd94a9645c5cd2744f9da Mon Sep 17 00:00:00 2001
From: Yang Tse
Date: Thu, 19 Jan 2012 22:54:57 +0100
Subject: testtrace.c: fix compiler warning
---
 tests/libtest/testtrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/libtest/testtrace.c b/tests/libtest/testtrace.c
index 9c082394e..5cb5fec5e 100644
--- a/tests/libtest/testtrace.c
+++ b/tests/libtest/testtrace.c
@@ -111,7 +111,7 @@ int libtest_debug_cb(CURL *handle, curl_infotype type,
 switch (type) {
 case CURLINFO_TEXT:
- fprintf(stderr, "%s== Info: %s", timebuf, data);
+ fprintf(stderr, "%s== Info: %s", &timebuf[0], data);
 default: /* in case a new one is introduced to shock us */
 return 0;
-- cgit v1.2.3
From d7af7de5b2d9aee7e41fc45d502c082918abd4bd Mon Sep 17 00:00:00 2001
From: Yang Tse
Date: Fri, 20 Jan 2012 00:11:15 +0100
Subject: telnet.c: fix OOM triggered segfault
---
 lib/telnet.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/telnet.c b/lib/telnet.c
index e7cb295d8..0be795435 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
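Review bot: The new fprintf() line in `case CURLINFO_TEXT:` still drops straight into `default:` with no `break` and no marker, so the fall-through reads like an omission rather than the intent; suggest `/* FALLTHROUGH */` between the fprintf() and `default:`. `&timebuf[0]` yields the same pointer as `timebuf` for an array, so a reader cannot tell from the code why the spelling changed; a comment such as `/* &timebuf[0] rather than timebuf: silences a compiler warning */` (naming the actual warning) would keep it from being reverted as noise. libtest_debug_cb starts and ends outside the hunk.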
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -1273,11 +1273,13 @@ static CURLcode telnet_done(struct connectdata *conn,
 (void)status; /* unused */
 (void)premature; /* not used */
+ if(!tn)
+ return CURLE_OK;
+
 curl_slist_free_all(tn->telnet_vars);
 tn->telnet_vars = NULL;
- free(conn->data->state.proto.telnet);
- conn->data->state.proto.telnet = NULL;
+ Curl_safefree(conn->data->state.proto.telnet);
 return CURLE_OK;
 }
-- cgit v1.2.3
From 7883cd5af38a824e41b42c94890ea94bf4356fd3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 20 Jan 2012 23:32:43 +0100
Subject: URL parse: user name with ipv6 numerical address Using a URL with embedded user name and password didn't work if the host was given as a numerical IPv6 string, like ftp://user:password@[::1]/ Reported by: Brandon Wang Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
---
 lib/url.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index fd46a7e03..466748bfc 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -137,7 +137,9 @@ static long ConnectionKillOne(struct SessionHandle *data);
 static void conn_free(struct connectdata *conn);
 static void signalPipeClose(struct curl_llist *pipeline, bool pipe_broke);
 static CURLcode do_init(struct connectdata *conn);
-
+static CURLcode parse_url_userpass(struct SessionHandle *data,
+ struct connectdata *conn,
+ char *user, char *passwd);
 /*
 * Protocol table.
 */
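Review bot: The new `if(!tn) return CURLE_OK;` guard does not say when `tn` can be NULL in telnet_done(), and `tn`'s initialisation is outside the hunk, so the link to the OOM segfault named in the commit title is invisible at the spot that fixes it; suggest `/* tn is NULL when the protocol struct was never allocated (e.g. OOM during init): nothing to free */` above it, adjusted to what `tn` really aliases. If `tn` is the same pointer as `conn->data->state.proto.telnet` (which the Curl_safefree() on it below suggests), the early return is correct; if it is a separate allocation the early exit would skip freeing `conn->data->state.proto.telnet`, which is worth confirming. telnet_done() begins before the hunk.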
@@ -3666,7 +3668,9 @@ static CURLcode findprotocol(struct SessionHandle *data,
 */
 static CURLcode parseurlandfillconn(struct SessionHandle *data,
 struct connectdata *conn,
- bool *prot_missing)
+ bool *prot_missing,
+ char *user,
+ char *passwd)
 {
 char *at;
 char *fragment;
@@ -3675,6 +3679,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
 int rc;
 char protobuf[16];
 const char *protop;
+ CURLcode result;
 *prot_missing = FALSE;
@@ -3841,6 +3846,14 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
 path[0] = '/';
 }
+ /*************************************************************
+ * Parse a user name and password in the URL and strip it out
+ * of the host name
+ *************************************************************/
+ result = parse_url_userpass(data, conn, user, passwd);
+ if(result != CURLE_OK)
+ return result;
+
 if(conn->host.name[0] == '[') {
 /* This looks like an IPv6 address literal. See if there is an address scope. */
@@ -4783,7 +4796,7 @@ static CURLcode create_conn(struct SessionHandle *data,
 conn->host.name = conn->host.rawalloc;
 conn->host.name[0] = 0;
- result = parseurlandfillconn(data, conn, &prot_missing);
+ result = parseurlandfillconn(data, conn, &prot_missing, user, passwd);
 if(result != CURLE_OK)
 return result;
@@ -4812,15 +4825,6 @@ static CURLcode create_conn(struct SessionHandle *data,
 data->change.url_alloc = TRUE; /* free this later */
 }
- /*************************************************************
- * Parse a user name and password in the URL and strip it out
- * of the host name
- *************************************************************/
- result = parse_url_userpass(data, conn, user, passwd);
- if(result != CURLE_OK)
- return result;
-
-
 /*************************************************************
 * If the protocol can't handle url query strings, then cut
 * of the unhandable part
-- cgit v1.2.3
From 5d7a319a55d07ee95b99e412e1d086857da093c4 Mon Sep 17 00:00:00 2001
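Review bot: parseurlandfillconn() gains `user` and `passwd` output parameters in hunk @@ -3666, but its header comment, which ends just above that hunk, is not updated to say they are caller-provided buffers handed straight to parse_url_userpass(), nor how large they must be; that size contract now lives only in create_conn(). Suggest adding to the function comment `user, passwd: caller buffers filled in by parse_url_userpass(); must be sized as that function requires`. The relocated call in hunk @@ -3841 is the actual fix — credentials are stripped before the `[` IPv6-literal test inspects `conn->host.name` — and a one-line comment there, `/* must run before the IPv6 literal check below, which expects host.name to start at the address */`, would stop it drifting back to create_conn(). The forward declaration added in hunk @@ -137 exists only because parseurlandfillconn() is defined ahead of parse_url_userpass(); parseurlandfillconn() itself continues outside the hunks.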
From: Dan Fandrich Date: Fri, 20 Jan 2012 22:44:47 -0800 Subject: examples: updated README with two new example programs --- docs/examples/README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/examples/README b/docs/examples/README index da04d2886..270048a6c 100644 --- a/docs/examples/README +++ b/docs/examples/README @@ -55,6 +55,7 @@ htmltitle.cc - download a HTML file and extract the tag from a HTML http-post.c - HTTP POST httpput.c - HTTP PUT a local file https.c - simple HTTPS transfer +imap.c - simple IMAP transfer multi-app.c - a multi-interface app multi-debugcallback.c - a multi-interface app using the debug callback multi-double.c - a multi-interface app doing two simultaneous transfers @@ -75,4 +76,5 @@ simple.c - the most simple download a URL source simplepost.c - HTTP POST simplessl.c - HTTPS example with certificates many options set synctime.c - Sync local time by extracting date from remote HTTP servers +url2file.c - download a document and store it in a file 10-at-a-time.c - Download many files simultaneously, 10 at a time. -- cgit v1.2.3 From 6e2fd2c9eac2d55fbe2119c377d608dc698c5c85 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Sun, 22 Jan 2012 00:00:55 +0100 Subject: CURLOPT_ACCEPTTIMEOUT_MS: spellfix --- docs/libcurl/curl_easy_setopt.3 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 9dcce8770..1a20cb9d6 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 
@@ -2070,7 +2070,7 @@ This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.24.0) -.IP CURLOPT_ACCEPTTIMOUT_MS +.IP CURLOPT_ACCEPTTIMEOUT_MS Pass a long telling libcurl the maximum number of milliseconds to wait for a server to connect back to libcurl when an active FTP connection is used. If no timeout is set, the internal default of 60000 will be used. (Added in 7.24.0) -- cgit v1.2.3 From ee57e9dea63c3706c3679ff77426680bc1a327bf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Sun, 22 Jan 2012 23:44:51 +0100 Subject: RELEASE-NOTES: synced with 6e2fd2c9ea 3 more bugfixes, 3 more contributors --- RELEASE-NOTES | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index e7d4f3c97..af4f2c464 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -66,6 +66,11 @@ This release includes the following bugfixes: o OpenLDAP: fix LDAP connection phase memory leak [42] o Telnet: Use correct file descriptor for telnet upload o Telnet: Remove bogus optimisation of telnet upload + o URL parse: user name with ipv6 numerical address + o polarssl: show cipher suite name correctly with 1.1.0 + o polarssl: havege_rand is not present in version 1.1.0 WARNING, we still + use the old API which is said to be insecure. See + http://polarssl.org/trac/wiki/SecurityAdvisory201102 This release includes the following known bugs: @@ -81,7 +86,7 @@ advice from friends like these: Alessandro Ghedini, Cedric Deltheil, Toni Moreno, Bernhard Reutner-Fischer, Sven Wegener, Alex Vinnik, Kamil Dudka, Mamoru Tasaka, Patrice Guerin, Armel Asselin, Arthur Murray, Steve H Truong, Peter Sylvester, - Johannes Bauer + Johannes Bauer, Brandon Wang, Pierre Joye, Robert Schumann Thanks! (and sorry if I forgot to mention someone) -- cgit v1.2.3 From db1a856b4f7cf6ae334fb0656b26a18eea317000 Mon Sep 17 00:00:00 2001 
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 19 Jan 2012 10:38:14 +0100
Subject: OpenSSL: don't disable security work-around OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around despite the fact that SSL_OP_ALL is documented to do "rather harmless" workarounds. The libcurl code uses the SSL_OP_ALL define and thus logically always disables the OpenSSL fix. In order to keep the secure work-around workding, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change makes sure of this. Reported by: product-security at Apple
---
 lib/ssluse.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 3754904f4..014d5b56a 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1545,6 +1545,13 @@ ossl_connect_step1(struct connectdata *conn,
 become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate CVE-2010-4180 when using previous OpenSSL versions we no longer enable this option regardless of OpenSSL version and SSL_OP_ALL definition.
+
+ OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
+ (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
+ SSL_OP_ALL that _disables_ that work-around despite the fact that
+ SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
+ keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
+ must not be set.
 */
 ctx_options = SSL_OP_ALL;
@@ -1558,6 +1565,10 @@ ossl_connect_step1(struct connectdata *conn,
 ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
 #endif
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+
 /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
 if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
 ctx_options |= SSL_OP_NO_SSLv2;
-- cgit v1.2.3
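Review bot: The `#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` block in the second hunk clears a bit with no comment of its own; the reasoning sits in the long comment of the first hunk, a dozen lines up, so the block reads as an unexplained tweak to SSL_OP_ALL. Suggest `/* SSL_OP_ALL sets this bit, which turns off OpenSSL's CBC empty-fragment countermeasure; keep the countermeasure (see comment above) */` directly above the `ctx_options &=` line. The clear must stay after `ctx_options = SSL_OP_ALL;` and before the options are applied to the SSL context (outside the hunk), so the comment should also say the order is deliberate. OpenSSL placed this bit in SSL_OP_ALL because some peers cannot process empty fragments, so the change may surface as handshake or record errors against such peers; that interoperability trade-off deserves a sentence here so a future bug report is not "fixed" by re-adding the bit.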
From 75ca568fa1c19de4c5358fed246686de8467c238 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 23 Dec 2011 13:24:16 +0100
Subject: URL sanitize: reject URLs containing bad data Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one. This flaw is considered a security vulnerability: CVE-2012-0036 Security advisory at: http://curl.haxx.se/docs/adv_20120124.html Reported by: Dan Fandrich
---
 lib/escape.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++-------------
 lib/escape.h | 10 +++++++---
 lib/imap.c | 7 +------
 lib/pop3.c | 6 +-----
 lib/smtp.c | 7 +++----
 5 files changed, 62 insertions(+), 31 deletions(-)
diff --git a/lib/escape.c b/lib/escape.c
index b0922bc93..0dd5a1d0a 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -31,6 +31,7 @@
 #include "urldata.h"
 #include "warnless.h"
 #include "non-ascii.h"
+#include "escape.h"
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -84,7 +85,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
 char *testing_ptr = NULL;
 unsigned char in; /* we need to treat the characters unsigned */
 size_t newlen = alloc;
- int strindex=0;
+ size_t strindex=0;
 size_t length;
 CURLcode res;
@@ -132,23 +133,29 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
 }
 /*
- * Unescapes the given URL escaped string of given length. Returns a
- * pointer to a malloced string with length given in *olen.
- * If length == 0, the length is assumed to be strlen(string).
- * If olen == NULL, no output length is stored.
+ * Curl_urldecode() URL decodes the given string.
+ *
+ * Optionally detects control characters (byte codes lower than 32) in the
+ * data and rejects such data.
+ *
+ * Returns a pointer to a malloced string in *ostring with length given in
+ * *olen. If length == 0, the length is assumed to be strlen(string).
+ *
 */
-char *curl_easy_unescape(CURL *handle, const char *string, int length,
- int *olen)
+CURLcode Curl_urldecode(struct SessionHandle *data,
+ const char *string, size_t length,
+ char **ostring, size_t *olen,
+ bool reject_ctrl)
 {
- int alloc = (length?length:(int)strlen(string))+1;
+ size_t alloc = (length?length:strlen(string))+1;
 char *ns = malloc(alloc);
 unsigned char in;
- int strindex=0;
+ size_t strindex=0;
 unsigned long hex;
 CURLcode res;
 if(!ns)
- return NULL;
+ return CURLE_OUT_OF_MEMORY;
 while(--alloc > 0) {
 in = *string;
@@ -164,16 +171,20 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
 in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */
- res = Curl_convert_from_network(handle, &in, 1);
+ res = Curl_convert_from_network(data, &in, 1);
 if(res) {
 /* Curl_convert_from_network calls failf if unsuccessful */
 free(ns);
- return NULL;
+ return res;
 }
 string+=2;
 alloc-=2;
 }
+ if(reject_ctrl && (in < 0x20)) {
+ free(ns);
+ return CURLE_URL_MALFORMAT;
+ }
 ns[strindex++] = in;
 string++;
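Review bot: The new `reject_ctrl` branch returns CURLE_URL_MALFORMAT without a diagnostic, unlike the adjacent Curl_convert_from_network() failure path which, per its comment, reports through failf(); a caller seeing error 3 gets no hint that a control byte in the path was the cause. Suggest `failf(data, "URL contains control characters");` before the `free(ns)`. Because `in` is reloaded from `*string` at the top of each iteration (first hunk) and the check sits after the `%XX` block, it appears to catch literal as well as percent-encoded control bytes, which a one-line comment should state; the header comment limits the check to codes below 32, so also say whether letting DEL (0x7f) through is intended. Curl_urldecode()'s loop continues past the hunk.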
@@ -183,7 +194,33 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
 if(olen) /* store output size */
 *olen = strindex;
- return ns;
+
+ if(ostring)
+ /* store output string */
+ *ostring = ns;
+
+ return CURLE_OK;
+}
+
+/*
+ * Unescapes the given URL escaped string of given length. Returns a
+ * pointer to a malloced string with length given in *olen.
+ * If length == 0, the length is assumed to be strlen(string).
+ * If olen == NULL, no output length is stored.
+ */
+char *curl_easy_unescape(CURL *handle, const char *string, int length,
+ int *olen)
+{
+ char *str = NULL;
+ size_t inputlen = length;
+ size_t outputlen;
+ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
+ FALSE);
+ if(res)
+ return NULL;
+ if(olen)
+ *olen = curlx_uztosi(outputlen);
+ return str;
 }
 /* For operating systems/environments that use different malloc/free
diff --git a/lib/escape.h b/lib/escape.h
index 04b06a973..4c7f84133 100644
--- a/lib/escape.h
+++ b/lib/escape.h
@@ -1,5 +1,5 @@
-#ifndef __ESCAPE_H
-#define __ESCAPE_H
+#ifndef HEADER_CURL_ESCAPE_H
+#define HEADER_CURL_ESCAPE_H
 /***************************************************************************
 * _ _ ____ _
@@ -8,7 +8,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -25,5 +25,9 @@
 /* Escape and unescape URL encoding in strings. The functions return a new
 * allocated string or NULL if an error occurred. */
+CURLcode Curl_urldecode(struct SessionHandle *data,
+ const char *string, size_t length,
+ char **ostring, size_t *olen,
+ bool reject_crlf);
 #endif
diff --git a/lib/imap.c b/lib/imap.c
index c39664d86..c6701417d 100644
--- a/lib/imap.c
+++ b/lib/imap.c
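Review bot: Curl_urldecode() stores the decoded buffer only `if(ostring)`, so a call with `ostring == NULL` returns CURLE_OK and leaks `ns` — nothing else frees it. Either make the parameter mandatory and say so in the header comment, or release it: `if(ostring) *ostring = ns; else free(ns);` in the file's brace style. All three callers in this commit pass a non-NULL `ostring`, so the leak is latent rather than live. In the new curl_easy_unescape() wrapper, `size_t inputlen = length;` converts the public int parameter without a sign check, so a negative `length` becomes an enormous allocation request inside Curl_urldecode() (most likely failing as out-of-memory) instead of being rejected; the old int arithmetic was no better, but the conversion is the natural place for `if(length < 0) return NULL;`.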
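Review bot: The prototype in escape.h names the last parameter `reject_crlf` while the definition in escape.c calls it `reject_ctrl`, and the implementation rejects every byte below 0x20, not only CR and LF, so the header name under-states what callers opt into; rename it to `reject_ctrl` here. The comment above the declaration (`The functions return a new allocated string or NULL if an error occurred`) describes curl_easy_escape()/curl_easy_unescape(), not Curl_urldecode(), which returns a CURLcode and hands the string back through `*ostring`; give the new declaration its own comment saying that, and what a NULL `ostring` or `olen` means.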
@@ -953,17 +953,12 @@ static CURLcode imap_parse_url_path(struct connectdata *conn)
 struct imap_conn *imapc = &conn->proto.imapc;
 struct SessionHandle *data = conn->data;
 const char *path = data->state.path;
- int len;
 if(!*path)
 path = "INBOX";
 /* url decode the path and use this mailbox */
- imapc->mailbox = curl_easy_unescape(data, path, 0, &len);
- if(!imapc->mailbox)
- return CURLE_OUT_OF_MEMORY;
-
- return CURLE_OK;
+ return Curl_urldecode(data, path, 0, &imapc->mailbox, NULL, TRUE);
 }
 /* call this when the DO phase has completed */
diff --git a/lib/pop3.c b/lib/pop3.c
index b7781109b..cc360b8b9 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -914,11 +914,7 @@ static CURLcode pop3_parse_url_path(struct connectdata *conn)
 const char *path = data->state.path;
 /* url decode the path and use this mailbox */
- pop3c->mailbox = curl_easy_unescape(data, path, 0, NULL);
- if(!pop3c->mailbox)
- return CURLE_OUT_OF_MEMORY;
-
- return CURLE_OK;
+ return Curl_urldecode(data, path, 0, &pop3c->mailbox, NULL, TRUE);
 }
 /* call this when the DO phase has completed */
diff --git a/lib/smtp.c b/lib/smtp.c
index 4cb25efca..553c697d0 100644
--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -1244,7 +1244,6 @@ static CURLcode smtp_connect(struct connectdata *conn,
 struct SessionHandle *data = conn->data;
 struct pingpong *pp = &smtpc->pp;
 const char *path = conn->data->state.path;
- int len;
 char localhost[HOSTNAME_MAX + 1];
 *done = FALSE; /* default to not done yet */
@@ -1316,9 +1315,9 @@ static CURLcode smtp_connect(struct connectdata *conn,
 }
 /* url decode the path and use it as domain with EHLO */
- smtpc->domain = curl_easy_unescape(conn->data, path, 0, &len);
- if(!smtpc->domain)
- return CURLE_OUT_OF_MEMORY;
+ result = Curl_urldecode(conn->data, path, 0, &smtpc->domain, NULL, TRUE);
+ if(result)
+ return result;
 /* When we connect, we start in the state where we await the server greeting */
-- cgit v1.2.3
From c11c30a8c8d727dcf5634fa0cc6ee0b4b77ddc3d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 11 Jan 2012 15:46:19 +0100
Subject: tests: test CRLF in URLs Related to the security vulnerability: CVE-2012-0036 Bug: http://curl.haxx.se/docs/adv_20120124.html
---
 tests/data/Makefile.am | 2 +-
 tests/data/test1322 | 29 +++++++++++++++++++++++++++++
 tests/data/test1323 | 29 +++++++++++++++++++++++++++++
 tests/data/test1324 | 29 +++++++++++++++++++++++++++++
 4 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/test1322
 create mode 100644 tests/data/test1323
 create mode 100644 tests/data/test1324
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index 85a6e4b2f..610243c24 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -82,7 +82,7 @@ test1220 \
 test1300 test1301 test1302 test1303 test1304 test1305 \
 test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
 test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
-test1325 test1326 test1327 \
+test1322 test1323 test1324 test1325 test1326 test1327 \
 test2000 test2001 test2002 test2003 test2004
 EXTRA_DIST = $(TESTCASES) DISABLED
diff --git a/tests/data/test1322 b/tests/data/test1322
new file mode 100644
index 000000000..996727e94
--- /dev/null
+++ b/tests/data/test1322
@@ -0,0 +1,29 @@
+<testcase>
+<info>
+<keywords>
+POP3
+CRLF-in-URL
+</keywords>
+</info>
+
+# Client-side
+<client>
+<server>
+pop3
+</server>
+ <name>
+POP3 with URL-encoded CR LF in the URL
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/%0d%0a/1322
+</command>
+</client>
+
+#
+<verify>
+# 3 - CURLE_URL_MALFORMAT
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
diff --git a/tests/data/test1323 b/tests/data/test1323
new file mode 100644
index 000000000..90eb88b7d
--- /dev/null
+++ b/tests/data/test1323
@@ -0,0 +1,29 @@
+<testcase>
+<info>
+<keywords>
+SMTP
+CRLF-in-URL
+</keywords>
+</info>
+
+# Client-side
+<client>
+<server>
+smtp
+</server>
+ <name>
+SMTP with URL-encoded CR LF in the URL
+ </name>
+ <command>
+smtp://%HOSTIP:%SMTPPORT/%0d%0a/1323
+</command>
+</client>
+
+#
+<verify>
+# 3 - CURLE_URL_MALFORMAT
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
diff --git a/tests/data/test1324 b/tests/data/test1324
new file mode 100644
index 000000000..c9835efea
--- /dev/null
+++ b/tests/data/test1324
@@ -0,0 +1,29 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+CRLF-in-URL
+</keywords>
+</info>
+
+# Client-side
+<client>
+<server>
+imap
+</server>
+ <name>
+IMAP with URL-encoded CR LF in the URL
+ </name>
+ <command>
+imap://%HOSTIP:%IMAPPORT/%0d%0a/1322
+</command>
+</client>
+
+#
+<verify>
+# 3 - CURLE_URL_MALFORMAT
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
-- cgit v1.2.3
From 70f71bb99f7ed9f4164430507c0b03b84c7e0258 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 23 Jan 2012 23:53:06 +0100
Subject: gnutls: enforced use of SSLv3 With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff
---
 lib/gtls.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/gtls.c b/lib/gtls.c
index f44fd7748..e24e7a81e 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
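Review bot: test1324's command URL ends in `/1322` (`imap://%HOSTIP:%IMAPPORT/%0d%0a/1322`) although this is test 1324; test1322 and test1323 each use their own number. It makes no difference to the verdict, because the encoded CR LF makes the URL fail before anything reaches the IMAP server, but it reads as a copy-paste slip and can mislead someone grepping for the test number; change the path to `/1324`.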
@@ -453,7 +453,13 @@ gtls_connect_step1(struct connectdata *conn,
 rc = gnutls_protocol_set_priority(session, protocol_priority);
 #else
 const char *err;
- rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0",
+ /* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
+ vulnerable to attacks such as the BEAST, why this code now explicitly
+ asks for that
+ */
+ rc = gnutls_priority_set_direct(session,
+ "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
+ "-CIPHER-ALL:+ARCFOUR-128",
 &err);
 #endif
 if(rc != GNUTLS_E_SUCCESS)
-- cgit v1.2.3
From a8e063b0877da005342b3445c5535a5bce0d5bc5 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 24 Jan 2012 08:37:40 +0100
Subject: RELEASE-NOTES: synced with 70f71bb99f7ed9 Synced and prepared for 7.24.0 release. Two security problems, one bug fix, two more contributors.
---
 RELEASE-NOTES | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index af4f2c464..62f12e5f4 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -7,6 +7,13 @@ Curl and libcurl 7.24.0
 Known libcurl bindings: 39
 Contributors: 907
+This release includes the following security fixes:
+
+ o curl was vulnerable to a data injection attack for certain protocols
+ http://curl.haxx.se/docs/adv_20120124.html
+ o curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
+ http://curl.haxx.se/docs/adv_20120124B.html
+
 This release includes the following changes:
 o CURLOPT_QUOTE: SFTP supports the '*'-prefix now [24]
@@ -71,6 +78,7 @@ This release includes the following bugfixes:
 o polarssl: havege_rand is not present in version 1.1.0 WARNING, we still
 use the old API which is said to be insecure. See
 http://polarssl.org/trac/wiki/SecurityAdvisory201102
+ o gnutls: enforced use of SSLv3 [43]
 This release includes the following known bugs:
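Review bot: The new priority string `-CIPHER-ALL:+ARCFOUR-128` leaves exactly one cipher enabled, so an SSLv3-forced connection to a peer that does not offer ARCFOUR-128 now fails the handshake outright, and neither the comment nor the commit message states that trade-off; add `only ARCFOUR-128 is offered, peers without it will fail the handshake` to the comment. RC4 has well-known statistical weaknesses of its own (it was later prohibited for TLS by RFC 7465), so the comment should record this as a stop-gap against BEAST rather than a permanent choice. The comment's `why this code now explicitly asks for that` reads awkwardly; `which is why this code explicitly asks for it` is clearer. The `err` pointer filled by gnutls_priority_set_direct() is not visibly reported on the `rc != GNUTLS_E_SUCCESS` path, which continues outside the hunk.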
@@ -86,7 +94,8 @@ advice from friends like these: Alessandro Ghedini, Cedric Deltheil, Toni Moreno, Bernhard Reutner-Fischer, Sven Wegener, Alex Vinnik, Kamil Dudka, Mamoru Tasaka, Patrice Guerin, Armel Asselin, Arthur Murray, Steve H Truong, Peter Sylvester, - Johannes Bauer, Brandon Wang, Pierre Joye, Robert Schumann + Johannes Bauer, Brandon Wang, Pierre Joye, Robert Schumann, + Christian Grothoff, Nikos Mavrogiannopoulos Thanks! (and sorry if I forgot to mention someone) @@ -134,3 +143,4 @@ References to bug reports and discussions on issues: [40] = http://curl.haxx.se/mail/lib-2012-01/0096.html [41] = http://curl.haxx.se/mail/lib-2012-01/0049.html [42] = http://curl.haxx.se/bug/view.cgi?id=3474308 + [43] = http://curl.haxx.se/mail/lib-2012-01/0225.html -- cgit v1.2.3 From 75b6f7d9efae9f952f32e73625c1b6fab963f7ad Mon Sep 17 00:00:00 2001 From: Dan Fandrich <dan@coneharvesters.com> Date: Tue, 24 Jan 2012 21:31:57 -0800 Subject: curl_easy_setopt.3: Fixed SEEKDATA & CLOSESOCKETDATA descriptions --- docs/libcurl/curl_easy_setopt.3 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 1a20cb9d6..d94a84b78 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -266,7 +266,7 @@ If you forward the input arguments directly to "fseek" or "lseek", note that the data type for \fIoffset\fP is not the same as defined for curl_off_t on many systems! (Option added in 7.18.0) .IP CURLOPT_SEEKDATA -Data pointer to pass to the file read function. If you use the +Data pointer to pass to the file seek function. If you use the \fICURLOPT_SEEKFUNCTION\fP option, this is the pointer you'll get as input. If you don't specify a seek callback, NULL is passed. (Option added in 7.18.0) .IP CURLOPT_SOCKOPTFUNCTION 
@@ -322,7 +322,7 @@ to the \fICURLOPT_OPENSOCKETFUNCTION\fP option. Return 0 to signal success and 1 if there was an error. (Option added in 7.21.7) .IP CURLOPT_CLOSESOCKETDATA Pass a pointer that will be untouched by libcurl and passed as the first -argument in the opensocket callback set with +argument in the closesocket callback set with \fICURLOPT_CLOSESOCKETFUNCTION\fP. (Option added in 7.21.7) .IP CURLOPT_PROGRESSFUNCTION Function pointer that should match the \fIcurl_progress_callback\fP prototype -- cgit v1.2.3 From 93e344bbf49a970d5c0a4d6d7393e44e6e4f3e5b Mon Sep 17 00:00:00 2001 From: Yang Tse <yangsita@gmail.com> Date: Wed, 25 Jan 2012 11:27:39 +0100 Subject: version: start working on 7.24.1-DEV --- RELEASE-NOTES | 123 +++---------------------------------------------- include/curl/curlver.h | 8 ++-- 2 files changed, 10 insertions(+), 121 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 62f12e5f4..6bea290a4 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -1,4 +1,4 @@ -Curl and libcurl 7.24.0 +Curl and libcurl 7.24.1 Public curl releases: 127 Command line options: 149 
@@ -9,76 +9,15 @@ Curl and libcurl 7.24.0 This release includes the following security fixes: - o curl was vulnerable to a data injection attack for certain protocols - http://curl.haxx.se/docs/adv_20120124.html - o curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL - http://curl.haxx.se/docs/adv_20120124B.html + o This release includes the following changes: - o CURLOPT_QUOTE: SFTP supports the '*'-prefix now [24] - o CURLOPT_DNS_SERVERS: set name servers if possible [23] - o Add support for using nettle instead of gcrypt as gnutls backend [22] - o CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes [21] - o Added CURLOPT_ACCEPTTIMEOUT_MS [30] - o configure: add symbols versioning option --enable-versioned-symbols [31] + o This release includes the following bugfixes: - o SSL session share: move the age counter to the share object [1] - o -J -O: use -O name if no Content-Disposition header comes! [2] - o protocol_connect: show verbose connect and set connect time [3] - o query-part: ignore the URI part for given protocols [4] - o gnutls: only translate winsock errors for old versions [5] - o POP3: fix end of body detection [6] - o POP3: detect when LIST returns no mails - o TELNET: improved treatment of options [7] - o configure: add support for pkg-config detection of libidn [8] - o CyaSSL 2.0+ library initialization adjustment [9] - o multi interface: only use non-NULL socker function pointer - o call opensocket callback properly for active FTP - o don't call close socket callback for sockets created with accept() [10] - o differentiate better between host/proxy errors [11] - o SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5 [12] - o multi: handle timeouts on DNS servers by checking for new sockets [13] - o CURLOPT_DNS_SERVERS: fix return code - o POP3: fixed escaped dot not being stripped out [14] - o OpenSSL: check for the SSLv2 function in configure [15] - o MakefileBuild: fix the static build [16] - o 
create_conn: don't switch to HTTP protocol if tunneling is enabled [17] - o multi interface: fix block when CONNECT_ONLY option is used [18] - o Fix connection reuse for TLS upgraded connections [19] - o multiple file upload with -F and custom type [20] - o multi interface: active FTP connections are no longer blocking [25] - o Android build fix [26] - o timer: restore PRETRANSFER timing [27] - o libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM [28] - o appconnect time fixed for non-blocking connect ssl backends [29] - o do not include SSL handshake into time spent waiting for 100-continue [32] - o handle dns cache case insensitive - o use new host name casing for subsequent HTTP requests [33] - o CURLOPT_RESOLVE: avoid adding already present host names - o SFTP mkdir: use correct permission [34] - o resolve: don't leak pre-populated dns entries [35] - o --retry: Retry transfers on timeout and DNS errors - o negotiate with SSPI backend: use the correct buffer for input [36] - o SFTP dir: increase buffer size counter to avoid cut off file names [37] - o TFTP: fix resending (again) [38] - o c-ares: don't include getaddrinfo-using code [39] - o FTP: CURLE_PARTIAL_FILE will not close the control channel [40] - o win32-threaded-resolver: stop using a dummy socket - o OpenSSL: remove reference to openssl internal struct [41] - o OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled - o OpenSSL: fix PKCS#12 certificate parsing related memory leak - o OpenLDAP: fix LDAP connection phase memory leak [42] - o Telnet: Use correct file descriptor for telnet upload - o Telnet: Remove bogus optimisation of telnet upload - o URL parse: user name with ipv6 numerical address - o polarssl: show cipher suite name correctly with 1.1.0 - o polarssl: havege_rand is not present in version 1.1.0 WARNING, we still - use the old API which is said to be insecure. 
See - http://polarssl.org/trac/wiki/SecurityAdvisory201102 - o gnutls: enforced use of SSLv3 [43] + o This release includes the following known bugs: 
@@ -87,60 +26,10 @@ This release includes the following known bugs: This release would not have looked like this without help, code, reports and advice from friends like these: - Alejandro Alvarez Ayllon, Jason Glasgow, Jonas Schnelli, Mark Brand, - Martin Storsjo, Yang Tse, Laurent Rabret, Jason Glasgow, Steve Holme, - Reza Arbab, Jason Liu, Gokhan Sengun, Rob Ward, Dan Fandrich, - Naveen Chandran, Ward Willats, Vladimir Grishchenko, Colin Hogben, - Alessandro Ghedini, Cedric Deltheil, Toni Moreno, Bernhard Reutner-Fischer, - Sven Wegener, Alex Vinnik, Kamil Dudka, Mamoru Tasaka, Patrice Guerin, - Armel Asselin, Arthur Murray, Steve H Truong, Peter Sylvester, - Johannes Bauer, Brandon Wang, Pierre Joye, Robert Schumann, - Christian Grothoff, Nikos Mavrogiannopoulos + Thanks! (and sorry if I forgot to mention someone) References to bug reports and discussions on issues: - [1] = http://curl.haxx.se/mail/lib-2011-11/0116.html - [2] = http://curl.haxx.se/mail/archive-2011-11/0030.htm - [3] = http://curl.haxx.se/mail/archive-2011-11/0035.html - [4] = http://curl.haxx.se/mail/lib-2011-11/0218.html - [5] = http://curl.haxx.se/mail/lib-2011-11/0267.html - [6] = http://curl.haxx.se/mail/lib-2011-11/0279.html - [7] = http://curl.haxx.se/mail/lib-2011-11/0247.html - [8] = http://curl.haxx.se/mail/lib-2011-11/0294.html - [9] = http://curl.haxx.se/bug/view.cgi?id=3442068 - [10] = http://curl.haxx.se/mail/lib-2011-12/0018.html - [11] = http://curl.haxx.se/mail/archive-2011-12/0010.html - [12] = http://curl.haxx.se/bug/view.cgi?id=3451592 - [13] = http://curl.haxx.se/mail/lib-2011-11/0371.html - [14] = http://curl.haxx.se/mail/lib-2011-11/0368.html - [15] = http://curl.haxx.se/mail/archive-2011-12/0012.html - [16] = http://curl.haxx.se/mail/lib-2011-12/0063.html - [17] = http://curl.haxx.se/mail/lib-2011-12/0010.html - [18] = http://curl.haxx.se/mail/lib-2011-12/0070.html - [19] = http://curl.haxx.se/mail/lib-2011-11/0022.html - [20] = 
http://curl.haxx.se/mail/lib-2011-12/0121.html - [21] = http://curl.haxx.se/mail/lib-2011-12/0107.html - [22] = http://curl.haxx.se/mail/lib-2011-11/0164.html - [23] = http://curl.haxx.se/mail/lib-2011-11/0067.html - [24] = http://curl.haxx.se/mail/lib-2011-11/0205.html - [25] = http://curl.haxx.se/mail/lib-2011-12/0179.html - [26] = http://curl.haxx.se/mail/lib-2011-12/0215.html - [27] = http://curl.haxx.se/mail/archive-2011-12/0022.html - [28] = http://curl.haxx.se/mail/lib-2011-12/0218.html - [29] = http://curl.haxx.se/mail/lib-2011-12/0211.html - [30] = http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTACCEPTTIMOUTMS - [31] = http://curl.haxx.se/mail/lib-2011-12/0133.html - [32] = https://bugzilla.redhat.com/767490 - [33] = http://curl.haxx.se/mail/lib-2011-12/0314.html - [34] = http://curl.haxx.se/mail/lib-2011-12/0249.html - [35] = http://curl.haxx.se/bug/view.cgi?id=3463121 - [36] = http://curl.haxx.se/bug/view.cgi?id=3466497 - [37] = http://curl.haxx.se/mail/lib-2011-12/0249.html - [38] = http://curl.haxx.se/mail/lib-2012-01/0146.html - [39] = http://curl.haxx.se/mail/lib-2012-01/0160.html - [40] = http://curl.haxx.se/mail/lib-2012-01/0096.html - [41] = http://curl.haxx.se/mail/lib-2012-01/0049.html - [42] = http://curl.haxx.se/bug/view.cgi?id=3474308 - [43] = http://curl.haxx.se/mail/lib-2012-01/0225.html + diff --git a/include/curl/curlver.h b/include/curl/curlver.h index bc6ca64ca..0c0d9bd29 100644 --- a/include/curl/curlver.h +++ b/include/curl/curlver.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms 
@@ -30,13 +30,13 @@ /* This is the version number of the libcurl package from which this header file origins: */ -#define LIBCURL_VERSION "7.24.0-DEV" +#define LIBCURL_VERSION "7.24.1-DEV" /* The numeric version number is also available "in parts" by using these defines: */ #define LIBCURL_VERSION_MAJOR 7 #define LIBCURL_VERSION_MINOR 24 -#define LIBCURL_VERSION_PATCH 0 +#define LIBCURL_VERSION_PATCH 1 /* This is the numeric version of the libcurl version number, meant for easier parsing and comparions by programs. The LIBCURL_VERSION_NUM define will @@ -53,7 +53,7 @@ and it is always a greater number in a more recent release. It makes comparisons with greater than and less than work. */ -#define LIBCURL_VERSION_NUM 0x071800 +#define LIBCURL_VERSION_NUM 0x071801 /* * This is the date and time when the full source package was created. The -- cgit v1.2.3 From e277d3b52be73f390e3c806a0fa5185c2527e7be Mon Sep 17 00:00:00 2001 From: Yang Tse <yangsita@gmail.com> Date: Wed, 25 Jan 2012 11:50:44 +0100 Subject: test harness: update stunnel.pem Diffie-Hellman parameters from 512 to 1024 bit --- tests/stunnel.pem | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/stunnel.pem b/tests/stunnel.pem index 1b4d66993..6a3859b33 100644 --- a/tests/stunnel.pem +++ b/tests/stunnel.pem @@ -137,6 +137,7 @@ Ft896NmH4QFsDAetZcCFf24AM4DbUQo5jtG+dkanI/7IxxNYJ1PQ64/yscdQFvHW xhIX3Q6FqABjcN5nc80Rog+b6eS8QRX1BRnQqbGtocuptUgW5mWsSb+DR6pZbA== -----END CERTIFICATE----- -----BEGIN DH PARAMETERS----- -MEYCQQD+KCcagSasA1QSo8tRXpbaLJJ1Ezt3FJFEZ3RVplp4qZwXQpSZ+Vly3xWx -q3YvALe/enMbIq8F3OUmppq3UHwTAgEC +MIGHAoGBAMq/KFGh2oy16WzkFs1U71Uz7dIEKvSYfc+zo439pYyVzcD8MkcC15Zb +ayK3jPBYf07eKzc2TvI3/ZSducmECNP8gk2gAndP1P1rmpheN+owZJS7kQVfQmHl +UmT87U99NPaMHXMNOsFj/3mbAaANndKEnd8PM2r5fg16C4+2e5KzAgEC -----END DH PARAMETERS----- -- cgit v1.2.3 From 5a53409e2c8e56b87137ebfb84fb6ba9470cfc16 Mon Sep 17 00:00:00 2001 
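Review bot: The replacement DH group in tests/stunnel.pem is 1024 bits, which is a floor rather than a margin; a TLS client backend that raises its minimum accepted group size will abort the handshake, and the stunnel-backed tests would then fail with an opaque TLS error rather than a clear message. Since these parameters serve only the test server, a 2048-bit group would avoid that failure mode at no cost to the suite. The hunk also gives no hint of how the group was produced, so a short note beside the parameters or in the tests README stating that it was generated with `openssl dhparam` (and at which size) would let the next maintainer regenerate it instead of pasting an opaque blob. The base64 on the new side cannot be validated from the diff alone; it is assumed to be a well-formed group that stunnel loads.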
From: Daniel Stenberg <daniel@haxx.se> Date: Wed, 25 Jan 2012 13:52:38 +0100 Subject: THANKS: imported contributors from 7.24.0 RELEASE-NOTES --- docs/THANKS | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/THANKS b/docs/THANKS index dd32c6a31..0b2fd3b4b 100644 --- a/docs/THANKS +++ b/docs/THANKS @@ -20,11 +20,13 @@ Albert Choy Ale Vesely Alejandro Alvarez Aleksandar Milivojevic +Alessandro Ghedini Alessandro Vesely Alex Bligh Alex Fishman Alex Neblett Alex Suykov +Alex Vinnik Alex aka WindEagle Alexander Beedie Alexander Kourakos @@ -74,6 +76,7 @@ Anton Kalmykov Arkadiusz Miskiewicz Armel Asselin Arnaud Ebalard +Arthur Murray Arve Knudsen Ates Goral Augustus Saunders @@ -91,6 +94,7 @@ Ben Winslow Benbuck Nason Benjamin Gerard Bernard Leak +Bernhard Reutner-Fischer Bertrand Demiddelaer Bill Egert Bill Hoffman @@ -105,6 +109,7 @@ Brad Burdick Brad Hards Brad King Bradford Bruce +Brandon Wang Brendan Jurd Brent Beardsley Brian Akins @@ -121,6 +126,7 @@ Camille Moncelier Caolan McNamara Carsten Lange Casey O'Donnell +Cedric Deltheil Chad Monroe Charles Kerr Chih-Chung Chang @@ -133,6 +139,7 @@ Chris Gaukroger Chris Maltby Chris Mumford Chris Smowton +Christian Grothoff Christian Hagele Christian Krause Christian Kurz @@ -382,6 +389,8 @@ Jan Kunder Jan Van Boghout Jared Lundell Jari Sundell +Jason Glasgow +Jason Liu Jason McDonald Jason S. Priebe Jay Austin @@ -418,6 +427,7 @@ Jofell Gallardo Johan Anderson Johan Nilsson Johan van Selst +Johannes Bauer John Bradshaw John Crow John Dennis @@ -437,6 +447,7 @@ Jon Sargeant Jon Travis Jon Turner Jonas Forsman +Jonas Schnelli Jonatan Lander Jonathan Hseu Jongki Suwandi @@ -524,6 +535,7 @@ Luke Call Luong Dinh Dung Maciej Karpiuk Maciej W. Rozycki +Mamoru Tasaka Mandy Wu Manfred Schwarb Manuel Massing @@ -614,6 +626,7 @@ Moonesamy Nathan Coulter Nathan O'Sullivan Nathanael Nerode +Naveen Chandran Naveen Noel Neil Dunbar Neil Spring 
@@ -631,6 +644,7 @@ Nikita Schmidt Nikitinskit Dmitriy Niklas Angebrand Nikolai Kondrashov +Nikos Mavrogiannopoulos Ning Dong Nir Soffer Nis Jorgensen @@ -647,6 +661,7 @@ Paolo Piacentini Pascal Terjan Pasha Kuznetsov Pat Ray +Patrice Guerin Patrick Bihan-Faou Patrick Monnerat Patrick Scott @@ -720,6 +735,7 @@ Renaud Duhaut Rene Bernhardt Rene Rebe Reuven Wachtfogel +Reza Arbab Ricardo Cadime Rich Gray Rich Rauenzahn @@ -736,11 +752,13 @@ Rick Richardson Rob Crittenden Rob Jones Rob Stanzel +Rob Ward Robert A. Monat Robert D. Young Robert Foreman Robert Iakobashvili Robert Olson +Robert Schumann Robert Weaver Robin Cornelius Robin Johnson @@ -809,6 +827,7 @@ Stephen Kick Stephen More Sterling Hughes Steve Green +Steve H Truong Steve Holme Steve Lhomme Steve Little @@ -864,6 +883,7 @@ Tomasz Lacki Tommie Gannert Tommy Tam Ton Voon +Toni Moreno Toon Verwaest Tor Arntsen Torsten Foertsch @@ -892,6 +912,7 @@ Vojtech Janota Vojtech Minarik Vsevolod Novikov Walter J. Mack +Ward Willats Wayne Haigh Werner Koch Wesley Laxton -- cgit v1.2.3 From cf9fb08ca4537d76afde44daf1e92307fe2882d3 Mon Sep 17 00:00:00 2001 From: Yang Tse <yangsita@gmail.com> Date: Wed, 25 Jan 2012 23:34:38 +0100 Subject: TODO-RELEASE: added item #308 --- TODO-RELEASE | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/TODO-RELEASE b/TODO-RELEASE index 6c94376fc..386cccf57 100644 --- a/TODO-RELEASE +++ b/TODO-RELEASE @@ -1,4 +1,4 @@ -To be addressed in 7.22.1 +To be addressed in 7.24.1 ========================= 295 - "RTSP Authentication (#22)" https://github.com/bagder/curl/pull/22 @@ -8,4 +8,8 @@ To be addressed in 7.22.1 300 - "Polling on stray socket on sequential transfers." Andrew S http://curl.haxx.se/mail/lib-2011-07/0053.html -308 - +308 - Revisit option --enable-threaded-resolver at least allow selection among + pthreads and Windows threads when building a Windows target. + http://curl.haxx.se/mail/lib-2012-01/0291.html + +309 - -- cgit v1.2.3