mirror of
https://abf.rosa.ru/djam/curl.git
synced 2025-02-23 15:52:59 +00:00
157 lines
7 KiB
Diff
157 lines
7 KiB
Diff
From 2a699bc6e94b8223d900e8880ad628aebf17ab6d Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon, 6 Feb 2012 22:12:06 +0100
|
|
Subject: [PATCH 1/2] CURLOPT_SSL_OPTIONS: added
|
|
|
|
Allow an appliction to set libcurl specific SSL options. The first and
|
|
only options supported right now is CURLSSLOPT_ALLOW_BEAST.
|
|
|
|
It will make libcurl to disable any work-arounds the underlying SSL
|
|
library may have to address a known security flaw in the SSL3 and TLS1.0
|
|
protocol versions.
|
|
|
|
This is a reaction to us unconditionally removing that behavior after
|
|
this security advisory:
|
|
|
|
http://curl.haxx.se/docs/adv_20120124B.html
|
|
|
|
... it did however cause a lot of programs to fail because of old
|
|
servers not liking this work-around. Now programs can opt to decrease
|
|
the security in order to interoperate with old servers better.
|
|
|
|
|
|
diff -Naurp curl-7.21.7/docs/libcurl/curl_easy_setopt.3 curl-7.21.7.oden/docs/libcurl/curl_easy_setopt.3
|
|
--- curl-7.21.7/docs/libcurl/curl_easy_setopt.3 2011-06-13 21:09:52.000000000 +0000
|
|
+++ curl-7.21.7.oden/docs/libcurl/curl_easy_setopt.3 2012-04-13 08:03:54.000000000 +0000
|
|
@@ -2097,6 +2097,16 @@ this to 1 to enable it. By default all t
|
|
cache. While nothing ever should get hurt by attempting to reuse SSL
|
|
session-IDs, there seem to be broken SSL implementations in the wild that may
|
|
require you to disable this in order for you to succeed. (Added in 7.16.0)
|
|
+.IP CURLOPT_SSL_OPTIONS
|
|
+Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
|
|
+
|
|
+CURLSSLOPT_ALLOW_BEAST is the only supported bit and by setting this the user
|
|
+will tell libcurl to not attempt to use any work-arounds for a security flaw
|
|
+in the SSL3 and TLS1.0 protocols. If this option isn't used or this bit is
|
|
+set to 0, the SSL layer libcurl uses may use a work-around for this flaw
|
|
+although it might cause interoperability problems with some (older) SSL
|
|
+implementations. WARNING: avoiding this work-around loosens the security, and
|
|
+by setting this option to 1 you ask for exactly that. (Added in 7.25.0)
|
|
.IP CURLOPT_KRBLEVEL
|
|
Pass a char * as parameter. Set the kerberos security level for FTP; this also
|
|
enables kerberos awareness. This is a string, \&'clear', \&'safe',
|
|
diff -Naurp curl-7.21.7/docs/libcurl/symbols-in-versions curl-7.21.7.oden/docs/libcurl/symbols-in-versions
|
|
--- curl-7.21.7/docs/libcurl/symbols-in-versions 2011-05-18 20:56:46.000000000 +0000
|
|
+++ curl-7.21.7.oden/docs/libcurl/symbols-in-versions 2012-04-13 08:03:54.000000000 +0000
|
|
@@ -473,6 +473,7 @@ CURLOPT_SSLVERSION 7.1
|
|
CURLOPT_SSL_CIPHER_LIST 7.9
|
|
CURLOPT_SSL_CTX_DATA 7.10.6
|
|
CURLOPT_SSL_CTX_FUNCTION 7.10.6
|
|
+CURLOPT_SSL_OPTIONS 7.25.0
|
|
CURLOPT_SSL_SESSIONID_CACHE 7.16.0
|
|
CURLOPT_SSL_VERIFYHOST 7.8.1
|
|
CURLOPT_SSL_VERIFYPEER 7.4.2
|
|
@@ -560,6 +561,7 @@ CURLSSH_AUTH_KEYBOARD 7.16.1
|
|
CURLSSH_AUTH_NONE 7.16.1
|
|
CURLSSH_AUTH_PASSWORD 7.16.1
|
|
CURLSSH_AUTH_PUBLICKEY 7.16.1
|
|
+CURLSSLOPT_ALLOW_BEAST 7.25.0
|
|
CURLUSESSL_ALL 7.17.0
|
|
CURLUSESSL_CONTROL 7.17.0
|
|
CURLUSESSL_NONE 7.17.0
|
|
diff -Naurp curl-7.21.7/include/curl/curl.h curl-7.21.7.oden/include/curl/curl.h
|
|
--- curl-7.21.7/include/curl/curl.h 2011-05-18 20:56:46.000000000 +0000
|
|
+++ curl-7.21.7.oden/include/curl/curl.h 2012-04-13 08:03:54.000000000 +0000
|
|
@@ -664,6 +664,15 @@ typedef enum {
|
|
CURLUSESSL_LAST /* not an option, never use */
|
|
} curl_usessl;
|
|
|
|
+/* Definition of bits for the CURLOPT_SSL_OPTIONS argument: */
|
|
+
|
|
+/* - ALLOW_BEAST tells libcurl to allow the BEAST SSL vulnerability in the
|
|
+ name of improving interoperability with older servers. Some SSL libraries
|
|
+ have introduced work-arounds for this flaw but those work-arounds sometimes
|
|
+ make the SSL communication fail. To regain functionality with those broken
|
|
+ servers, a user can this way allow the vulnerability back. */
|
|
+#define CURLSSLOPT_ALLOW_BEAST (1<<0)
|
|
+
|
|
#ifndef CURL_NO_OLDIES /* define this to test if your app builds with all
|
|
the obsolete stuff removed! */
|
|
|
|
@@ -1483,6 +1492,9 @@ typedef enum {
|
|
CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208),
|
|
CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209),
|
|
|
|
+ /* Enable/disable specific SSL features with a bitmask, see CURLSSLOPT_* */
|
|
+ CINIT(SSL_OPTIONS, LONG, 216),
|
|
+
|
|
CURLOPT_LASTENTRY /* the last unused */
|
|
} CURLoption;
|
|
|
|
diff -Naurp curl-7.21.7/lib/ssluse.c curl-7.21.7.oden/lib/ssluse.c
|
|
--- curl-7.21.7/lib/ssluse.c 2012-04-13 08:04:20.000000000 +0000
|
|
+++ curl-7.21.7.oden/lib/ssluse.c 2012-04-13 08:03:54.000000000 +0000
|
|
@@ -1544,7 +1544,10 @@ ossl_connect_step1(struct connectdata *c
|
|
ctx_options |= SSL_OP_NO_TICKET;
|
|
#endif
|
|
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
|
|
- ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
|
+ /* unless the user explicitly ask to allow the protocol vulnerability we
|
|
+ use the work-around */
|
|
+ if(!conn->data->set.ssl_enable_beast)
|
|
+ ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
|
#endif
|
|
|
|
SSL_CTX_set_options(connssl->ctx, ctx_options);
|
|
diff -Naurp curl-7.21.7/lib/url.c curl-7.21.7.oden/lib/url.c
|
|
--- curl-7.21.7/lib/url.c 2011-06-13 21:09:52.000000000 +0000
|
|
+++ curl-7.21.7.oden/lib/url.c 2012-04-13 08:03:54.000000000 +0000
|
|
@@ -832,6 +832,7 @@ CURLcode Curl_setopt(struct SessionHandl
|
|
{
|
|
char *argptr;
|
|
CURLcode result = CURLE_OK;
|
|
+ long arg;
|
|
#ifndef CURL_DISABLE_HTTP
|
|
curl_off_t bigsize;
|
|
#endif
|
|
@@ -841,12 +842,9 @@ CURLcode Curl_setopt(struct SessionHandl
|
|
data->set.dns_cache_timeout = va_arg(param, long);
|
|
break;
|
|
case CURLOPT_DNS_USE_GLOBAL_CACHE:
|
|
- {
|
|
- /* remember we want this enabled */
|
|
- long use_cache = va_arg(param, long);
|
|
- data->set.global_dns_cache = (bool)(0 != use_cache);
|
|
- }
|
|
- break;
|
|
+ arg = va_arg(param, long);
|
|
+ data->set.global_dns_cache = (0 != arg)?TRUE:FALSE;
|
|
+ break;
|
|
case CURLOPT_SSL_CIPHER_LIST:
|
|
/* set a list of cipher we want to use in the SSL connection */
|
|
result = setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
|
|
@@ -2017,6 +2015,12 @@ CURLcode Curl_setopt(struct SessionHandl
|
|
case CURLOPT_CERTINFO:
|
|
data->set.ssl.certinfo = (bool)(0 != va_arg(param, long));
|
|
break;
|
|
+
|
|
+ case CURLOPT_SSL_OPTIONS:
|
|
+ arg = va_arg(param, long);
|
|
+ data->set.ssl_enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
|
|
+ break;
|
|
+
|
|
#endif
|
|
case CURLOPT_CAINFO:
|
|
/*
|
|
diff -Naurp curl-7.21.7/lib/urldata.h curl-7.21.7.oden/lib/urldata.h
|
|
--- curl-7.21.7/lib/urldata.h 2011-06-07 17:31:53.000000000 +0000
|
|
+++ curl-7.21.7.oden/lib/urldata.h 2012-04-13 08:03:54.000000000 +0000
|
|
@@ -1489,6 +1489,8 @@ struct UserDefined {
|
|
bool ftp_skip_ip; /* skip the IP address the FTP server passes on to
|
|
us */
|
|
bool connect_only; /* make connection, let application use the socket */
|
|
+ bool ssl_enable_beast; /* especially allow this flaw for interoperability's
|
|
+ sake*/
|
|
long ssh_auth_types; /* allowed SSH auth types */
|
|
bool http_te_skip; /* pass the raw body data to the user, even when
|
|
transfer-encoded (chunked, compressed) */
|