poky/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch - openbmc/openbmc - Gitiles

 From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 25 Apr 2022 17:59:15 +0200
 Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either

 Follow-up to 620ea21410030

 Reported-by: Harry Sintonen
 Closes #8751

 Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
 Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
 ---
  lib/http.c         | 10 +++++-----
  lib/http.h         |  6 ++++++
  lib/vtls/openssl.c |  3 ++-
  3 files changed, 13 insertions(+), 6 deletions(-)

 diff --git a/lib/http.c b/lib/http.c
 index 0791dcf..4433824 100644
 --- a/lib/http.c
 +++ b/lib/http.c
 @@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
  }

  /*
 - * allow_auth_to_host() tells if autentication, cookies or other "sensitive
 - * data" can (still) be sent to this host.
 + * Curl_allow_auth_to_host() tells if authentication, cookies or other
 + * "sensitive data" can (still) be sent to this host.
   */
 -static bool allow_auth_to_host(struct Curl_easy *data)
 +bool Curl_allow_auth_to_host(struct Curl_easy *data)
  {
    struct connectdata *conn = data->conn;
    return (!data->state.this_is_a_follow ||
 @@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,

    /* To prevent the user+password to get sent to other than the original host
       due to a location-follow */
 -  if(allow_auth_to_host(data)
 +  if(Curl_allow_auth_to_host(data)
  #ifndef CURL_DISABLE_NETRC
       || conn->bits.netrc
  #endif
 @@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
                     checkprefix("Cookie:", compare)) &&
                    /* be careful of sending this potentially sensitive header to
                       other hosts */
 -                  !allow_auth_to_host(data))
 +                  !Curl_allow_auth_to_host(data))
              ;
            else {
  #ifdef USE_HYPER
 diff --git a/lib/http.h b/lib/http.h
 index 07e963d..9000bae 100644
 --- a/lib/http.h
 +++ b/lib/http.h
 @@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
                        bool proxytunnel); /* TRUE if this is the request setting
                                              up the proxy tunnel */

 +/*
 + * Curl_allow_auth_to_host() tells if authentication, cookies or other
 + * "sensitive data" can (still) be sent to this host.
 + */
 +bool Curl_allow_auth_to_host(struct Curl_easy *data);
 +
  #endif /* HEADER_CURL_HTTP_H */
 diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
 index 616a510..e8633f4 100644
 --- a/lib/vtls/openssl.c
 +++ b/lib/vtls/openssl.c
 @@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
  #endif

  #ifdef USE_OPENSSL_SRP
 -  if(ssl_authtype == CURL_TLSAUTH_SRP) {
 +  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
 +     Curl_allow_auth_to_host(data)) {
      char * const ssl_username = SSL_SET_OPTION(username);

      infof(data, "Using TLS-SRP username: %s", ssl_username);
	From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001
	From: Daniel Stenberg <daniel@haxx.se>
	Date: Mon, 25 Apr 2022 17:59:15 +0200
	Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either

	Follow-up to 620ea21410030

	Reported-by: Harry Sintonen
	Closes #8751

	Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
	---
	lib/http.c \| 10 +++++-----
	lib/http.h \| 6 ++++++
	lib/vtls/openssl.c \| 3 ++-
	3 files changed, 13 insertions(+), 6 deletions(-)

	diff --git a/lib/http.c b/lib/http.c
	index 0791dcf..4433824 100644
	--- a/lib/http.c
	+++ b/lib/http.c
	@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
	}

	/*
	- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
	- * data" can (still) be sent to this host.
	+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
	+ * "sensitive data" can (still) be sent to this host.
	*/
	-static bool allow_auth_to_host(struct Curl_easy *data)
	+bool Curl_allow_auth_to_host(struct Curl_easy *data)
	{
	struct connectdata *conn = data->conn;
	return (!data->state.this_is_a_follow \|\|
	@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,

	/* To prevent the user+password to get sent to other than the original host
	due to a location-follow */
	- if(allow_auth_to_host(data)
	+ if(Curl_allow_auth_to_host(data)
	#ifndef CURL_DISABLE_NETRC
	\|\| conn->bits.netrc
	#endif
	@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
	checkprefix("Cookie:", compare)) &&
	/* be careful of sending this potentially sensitive header to
	other hosts */
	- !allow_auth_to_host(data))
	+ !Curl_allow_auth_to_host(data))
	;
	else {
	#ifdef USE_HYPER
	diff --git a/lib/http.h b/lib/http.h
	index 07e963d..9000bae 100644
	--- a/lib/http.h
	+++ b/lib/http.h
	@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
	bool proxytunnel); /* TRUE if this is the request setting
	up the proxy tunnel */

	+/*
	+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
	+ * "sensitive data" can (still) be sent to this host.
	+ */
	+bool Curl_allow_auth_to_host(struct Curl_easy *data);
	+
	#endif /* HEADER_CURL_HTTP_H */
	diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
	index 616a510..e8633f4 100644
	--- a/lib/vtls/openssl.c
	+++ b/lib/vtls/openssl.c
	@@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
	#endif

	#ifdef USE_OPENSSL_SRP
	- if(ssl_authtype == CURL_TLSAUTH_SRP) {
	+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
	+ Curl_allow_auth_to_host(data)) {
	char * const ssl_username = SSL_SET_OPTION(username);

	infof(data, "Using TLS-SRP username: %s", ssl_username);