You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
331 lines
8.4 KiB
331 lines
8.4 KiB
From 64f8bdbf7da9e6b65716ce0d020c6c01d0aba77d Mon Sep 17 00:00:00 2001 |
|
From: Patrick Monnerat <patrick@monnerat.net> |
|
Date: Wed, 8 Sep 2021 11:56:22 +0200 |
|
Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd |
|
|
|
In imap and pop3, check if TLS is required even when capabilities |
|
request has failed. |
|
|
|
In ftp, ignore preauthentication (230 status of server greeting) if TLS |
|
is required. |
|
|
|
Bug: https://curl.se/docs/CVE-2021-22946.html |
|
|
|
CVE-2021-22946 |
|
|
|
Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca |
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
|
--- |
|
lib/ftp.c | 9 ++++--- |
|
lib/imap.c | 24 ++++++++---------- |
|
lib/pop3.c | 33 +++++++++++------------- |
|
tests/data/Makefile.inc | 2 ++ |
|
tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ |
|
tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ |
|
tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ |
|
7 files changed, 195 insertions(+), 36 deletions(-) |
|
create mode 100644 tests/data/test984 |
|
create mode 100644 tests/data/test985 |
|
create mode 100644 tests/data/test986 |
|
|
|
diff --git a/lib/ftp.c b/lib/ftp.c |
|
index 5ef1e2e..71f998e 100644 |
|
--- a/lib/ftp.c |
|
+++ b/lib/ftp.c |
|
@@ -2678,9 +2678,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, |
|
/* we have now received a full FTP server response */ |
|
switch(ftpc->state) { |
|
case FTP_WAIT220: |
|
- if(ftpcode == 230) |
|
- /* 230 User logged in - already! */ |
|
- return ftp_state_user_resp(data, ftpcode, ftpc->state); |
|
+ if(ftpcode == 230) { |
|
+ /* 230 User logged in - already! Take as 220 if TLS required. */ |
|
+ if(data->set.use_ssl <= CURLUSESSL_TRY || |
|
+ conn->bits.ftp_use_control_ssl) |
|
+ return ftp_state_user_resp(data, ftpcode, ftpc->state); |
|
+ } |
|
else if(ftpcode != 220) { |
|
failf(data, "Got a %03d ftp-server response when 220 was expected", |
|
ftpcode); |
|
diff --git a/lib/imap.c b/lib/imap.c |
|
index e50d7fd..feb7445 100644 |
|
--- a/lib/imap.c |
|
+++ b/lib/imap.c |
|
@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data, |
|
line += wordlen; |
|
} |
|
} |
|
- else if(imapcode == IMAP_RESP_OK) { |
|
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { |
|
- /* We don't have a SSL/TLS connection yet, but SSL is requested */ |
|
- if(imapc->tls_supported) |
|
- /* Switch to TLS connection now */ |
|
- result = imap_perform_starttls(data, conn); |
|
- else if(data->set.use_ssl == CURLUSESSL_TRY) |
|
- /* Fallback and carry on with authentication */ |
|
- result = imap_perform_authentication(data, conn); |
|
- else { |
|
- failf(data, "STARTTLS not supported."); |
|
- result = CURLE_USE_SSL_FAILED; |
|
- } |
|
+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { |
|
+ /* PREAUTH is not compatible with STARTTLS. */ |
|
+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { |
|
+ /* Switch to TLS connection now */ |
|
+ result = imap_perform_starttls(data, conn); |
|
} |
|
- else |
|
+ else if(data->set.use_ssl <= CURLUSESSL_TRY) |
|
result = imap_perform_authentication(data, conn); |
|
+ else { |
|
+ failf(data, "STARTTLS not available."); |
|
+ result = CURLE_USE_SSL_FAILED; |
|
+ } |
|
} |
|
else |
|
result = imap_perform_authentication(data, conn); |
|
diff --git a/lib/pop3.c b/lib/pop3.c |
|
index 6168b12..7698d1c 100644 |
|
--- a/lib/pop3.c |
|
+++ b/lib/pop3.c |
|
@@ -740,28 +740,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code, |
|
} |
|
} |
|
} |
|
- else if(pop3code == '+') { |
|
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { |
|
- /* We don't have a SSL/TLS connection yet, but SSL is requested */ |
|
- if(pop3c->tls_supported) |
|
- /* Switch to TLS connection now */ |
|
- result = pop3_perform_starttls(data, conn); |
|
- else if(data->set.use_ssl == CURLUSESSL_TRY) |
|
- /* Fallback and carry on with authentication */ |
|
- result = pop3_perform_authentication(data, conn); |
|
- else { |
|
- failf(data, "STLS not supported."); |
|
- result = CURLE_USE_SSL_FAILED; |
|
- } |
|
- } |
|
- else |
|
- result = pop3_perform_authentication(data, conn); |
|
- } |
|
else { |
|
/* Clear text is supported when CAPA isn't recognised */ |
|
- pop3c->authtypes |= POP3_TYPE_CLEARTEXT; |
|
+ if(pop3code != '+') |
|
+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT; |
|
|
|
- result = pop3_perform_authentication(data, conn); |
|
+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) |
|
+ result = pop3_perform_authentication(data, conn); |
|
+ else if(pop3code == '+' && pop3c->tls_supported) |
|
+ /* Switch to TLS connection now */ |
|
+ result = pop3_perform_starttls(data, conn); |
|
+ else if(data->set.use_ssl <= CURLUSESSL_TRY) |
|
+ /* Fallback and carry on with authentication */ |
|
+ result = pop3_perform_authentication(data, conn); |
|
+ else { |
|
+ failf(data, "STLS not supported."); |
|
+ result = CURLE_USE_SSL_FAILED; |
|
+ } |
|
} |
|
|
|
return result; |
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc |
|
index d083baf..163ce59 100644 |
|
--- a/tests/data/Makefile.inc |
|
+++ b/tests/data/Makefile.inc |
|
@@ -117,6 +117,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ |
|
test954 test955 test956 test957 test958 test959 test960 test961 test962 \ |
|
test963 test964 test965 test966 test967 test968 test969 test970 test971 \ |
|
\ |
|
+test984 test985 test986 \ |
|
+\ |
|
test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ |
|
test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ |
|
test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ |
|
diff --git a/tests/data/test984 b/tests/data/test984 |
|
new file mode 100644 |
|
index 0000000..e573f23 |
|
--- /dev/null |
|
+++ b/tests/data/test984 |
|
@@ -0,0 +1,56 @@ |
|
+<testcase> |
|
+<info> |
|
+<keywords> |
|
+IMAP |
|
+STARTTLS |
|
+</keywords> |
|
+</info> |
|
+ |
|
+# |
|
+# Server-side |
|
+<reply> |
|
+<servercmd> |
|
+REPLY CAPABILITY A001 BAD Not implemented |
|
+</servercmd> |
|
+</reply> |
|
+ |
|
+# |
|
+# Client-side |
|
+<client> |
|
+<features> |
|
+SSL |
|
+</features> |
|
+<server> |
|
+imap |
|
+</server> |
|
+ <name> |
|
+IMAP require STARTTLS with failing capabilities |
|
+ </name> |
|
+ <command> |
|
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd |
|
+</command> |
|
+<file name="log/upload%TESTNUMBER"> |
|
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) |
|
+From: Fred Foobar <foobar@example.COM> |
|
+Subject: afternoon meeting |
|
+To: joe@example.com |
|
+Message-Id: <B27397-0100000@example.COM> |
|
+MIME-Version: 1.0 |
|
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII |
|
+ |
|
+Hello Joe, do you think we can meet at 3:30 tomorrow? |
|
+</file> |
|
+</client> |
|
+ |
|
+# |
|
+# Verify data after the test has been "shot" |
|
+<verify> |
|
+# 64 is CURLE_USE_SSL_FAILED |
|
+<errorcode> |
|
+64 |
|
+</errorcode> |
|
+<protocol> |
|
+A001 CAPABILITY |
|
+</protocol> |
|
+</verify> |
|
+</testcase> |
|
diff --git a/tests/data/test985 b/tests/data/test985 |
|
new file mode 100644 |
|
index 0000000..d0db4aa |
|
--- /dev/null |
|
+++ b/tests/data/test985 |
|
@@ -0,0 +1,54 @@ |
|
+<testcase> |
|
+<info> |
|
+<keywords> |
|
+POP3 |
|
+STARTTLS |
|
+</keywords> |
|
+</info> |
|
+ |
|
+# |
|
+# Server-side |
|
+<reply> |
|
+<servercmd> |
|
+REPLY CAPA -ERR Not implemented |
|
+</servercmd> |
|
+<data nocheck="yes"> |
|
+From: me@somewhere |
|
+To: fake@nowhere |
|
+ |
|
+body |
|
+ |
|
+-- |
|
+ yours sincerely |
|
+</data> |
|
+</reply> |
|
+ |
|
+# |
|
+# Client-side |
|
+<client> |
|
+<features> |
|
+SSL |
|
+</features> |
|
+<server> |
|
+pop3 |
|
+</server> |
|
+ <name> |
|
+POP3 require STARTTLS with failing capabilities |
|
+ </name> |
|
+ <command> |
|
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd |
|
+ </command> |
|
+</client> |
|
+ |
|
+# |
|
+# Verify data after the test has been "shot" |
|
+<verify> |
|
+# 64 is CURLE_USE_SSL_FAILED |
|
+<errorcode> |
|
+64 |
|
+</errorcode> |
|
+<protocol> |
|
+CAPA |
|
+</protocol> |
|
+</verify> |
|
+</testcase> |
|
diff --git a/tests/data/test986 b/tests/data/test986 |
|
new file mode 100644 |
|
index 0000000..a709437 |
|
--- /dev/null |
|
+++ b/tests/data/test986 |
|
@@ -0,0 +1,53 @@ |
|
+<testcase> |
|
+<info> |
|
+<keywords> |
|
+FTP |
|
+STARTTLS |
|
+</keywords> |
|
+</info> |
|
+ |
|
+# |
|
+# Server-side |
|
+<reply> |
|
+<servercmd> |
|
+REPLY welcome 230 Welcome |
|
+REPLY AUTH 500 unknown command |
|
+</servercmd> |
|
+</reply> |
|
+ |
|
+# Client-side |
|
+<client> |
|
+<features> |
|
+SSL |
|
+</features> |
|
+<server> |
|
+ftp |
|
+</server> |
|
+ <name> |
|
+FTP require STARTTLS while preauthenticated |
|
+ </name> |
|
+<file name="log/test%TESTNUMBER.txt"> |
|
+data |
|
+ to |
|
+ see |
|
+that FTPS |
|
+works |
|
+ so does it? |
|
+</file> |
|
+ <command> |
|
+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret |
|
+</command> |
|
+</client> |
|
+ |
|
+# Verify data after the test has been "shot" |
|
+<verify> |
|
+# 64 is CURLE_USE_SSL_FAILED |
|
+<errorcode> |
|
+64 |
|
+</errorcode> |
|
+<protocol> |
|
+AUTH SSL |
|
+AUTH TLS |
|
+</protocol> |
|
+</verify> |
|
+</testcase> |
|
-- |
|
2.31.1 |
|
|
|
|