CVE: CVE-2021-22946
Upstream-Status: Backport
Signed-off-by: Ross Burton
From 089e18aefcee9b5093a96e9e1aa92751dde1f991 Mon Sep 17 00:00:00 2001
From: Patrick Monnerat
Date: Wed, 8 Sep 2021 11:56:22 +0200
Subject: [PATCH 2/3] ftp,imap,pop3: do not ignore --ssl-reqd
In imap and pop3, check if TLS is required even when capabilities request has failed. In ftp, ignore preauthentication (230 status of server greeting) if TLS is required.
Bug: https://curl.se/docs/CVE-2021-22946.html
CVE-2021-22946
---
 lib/ftp.c | 9 ++++---
 lib/imap.c | 24 ++++++++----------
 lib/pop3.c | 33 +++++++++++-------------
 tests/data/Makefile.inc | 2 ++
 tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++
 tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++
 tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++
 7 files changed, 195 insertions(+), 36 deletions(-)
 create mode 100644 tests/data/test984
 create mode 100644 tests/data/test985
 create mode 100644 tests/data/test986
diff --git a/lib/ftp.c b/lib/ftp.c
index 1a699de59..08d18ca74 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2681,9 +2681,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
 /* we have now received a full FTP server response */
 switch(ftpc->state) {
 case FTP_WAIT220:
- if(ftpcode == 230)
- /* 230 User logged in - already! */
- return ftp_state_user_resp(data, ftpcode, ftpc->state);
+ if(ftpcode == 230) {
+ /* 230 User logged in - already! Take as 220 if TLS required. */
+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
+ conn->bits.ftp_use_control_ssl)
+ return ftp_state_user_resp(data, ftpcode, ftpc->state);
+ }
 else if(ftpcode != 220) {
 failf(data, "Got a %03d ftp-server response when 220 was expected",
 ftpcode);
diff --git a/lib/imap.c b/lib/imap.c
index ab4d412ee..efc0420ce 100644
--- a/lib/imap.c
+++ b/lib/imap.c
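Review bot: The guard added under `case FTP_WAIT220` in lib/ftp.c decides whether TLS is mandatory with `data->set.use_ssl <= CURLUSESSL_TRY`, which is only correct while the `curl_usessl` values stay ordered from least to most strict, and nothing in the hunk says so. The same ordered comparison is introduced in the imap.c and pop3.c hunks of this patch, so a short comment at each site, such as `/* relies on CURLUSESSL_NONE < CURLUSESSL_TRY < CURLUSESSL_CONTROL < CURLUSESSL_ALL */`, would keep a later enum change from silently re-opening the cleartext path. The existing comment could also say that a 230 greeting with TLS required and no TLS on the control connection deliberately falls out of the `if` and is handled like a 220; the code that runs next, like the rest of ftp_statemachine, lies outside the hunk.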
@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
 line += wordlen;
 }
 }
- else if(imapcode == IMAP_RESP_OK) {
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
- if(imapc->tls_supported)
- /* Switch to TLS connection now */
- result = imap_perform_starttls(data, conn);
- else if(data->set.use_ssl == CURLUSESSL_TRY)
- /* Fallback and carry on with authentication */
- result = imap_perform_authentication(data, conn);
- else {
- failf(data, "STARTTLS not supported.");
- result = CURLE_USE_SSL_FAILED;
- }
+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+ /* PREAUTH is not compatible with STARTTLS. */
+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
+ /* Switch to TLS connection now */
+ result = imap_perform_starttls(data, conn);
 }
- else
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
 result = imap_perform_authentication(data, conn);
+ else {
+ failf(data, "STARTTLS not available.");
+ result = CURLE_USE_SSL_FAILED;
+ }
 }
 else
 result = imap_perform_authentication(data, conn);
diff --git a/lib/pop3.c b/lib/pop3.c
index 5fdd6f3e0..f97e10eab 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c
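Review bot: The final `else` of the new `data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use` branch reports `STARTTLS not available.` for three different situations (the CAPABILITY command failed, the server did not advertise STARTTLS, or the session is PREAUTH), so a user who gets CURLE_USE_SSL_FAILED cannot tell which one applied. A comment above the `failf`, for example `/* reached when CAPABILITY failed, STARTTLS was not advertised, or the server sent PREAUTH */`, would at least document that for maintainers. The `CURLUSESSL_TRY` branch also lost its `/* Fallback and carry on with authentication */` comment, which the pop3.c hunk keeps; restoring it, with a remark that this path continues in cleartext on the strength of an unauthenticated capability reply, would make clear why only `--ssl-reqd` gives a guarantee. Of the tests added in this patch, test984 appears to exercise only the failing-CAPABILITY case, so the PREAUTH path under `--ssl-reqd` looks untested here. imap_state_capability_resp begins before the hunk.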
@@ -741,28 +741,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code, } } } - else if(pop3code == '+') { - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { - /* We don't have a SSL/TLS connection yet, but SSL is requested */ - if(pop3c->tls_supported) - /* Switch to TLS connection now */ - result = pop3_perform_starttls(data, conn); - else if(data->set.use_ssl == CURLUSESSL_TRY) - /* Fallback and carry on with authentication */ - result = pop3_perform_authentication(data, conn); - else { - failf(data, "STLS not supported."); - result = CURLE_USE_SSL_FAILED; - } - } - else - result = pop3_perform_authentication(data, conn); - } else { /* Clear text is supported when CAPA isn't recognised */ - pop3c->authtypes |= POP3_TYPE_CLEARTEXT; + if(pop3code != '+') + pop3c->authtypes |= POP3_TYPE_CLEARTEXT; - result = pop3_perform_authentication(data, conn); + if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) + result = pop3_perform_authentication(data, conn); + else if(pop3code == '+' && pop3c->tls_supported) + /* Switch to TLS connection now */ + result = pop3_perform_starttls(data, conn); + else if(data->set.use_ssl <= CURLUSESSL_TRY) + /* Fallback and carry on with authentication */ + result = pop3_perform_authentication(data, conn); + else { + failf(data, "STLS not supported."); + result = CURLE_USE_SSL_FAILED; + } } return result; diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 163696962..5cd092192 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -118,6 +118,8 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \ test963 test964 test965 test966 test967 test968 test969 test970 test971 \ test972 \ \ +test984 test985 test986 \ +\ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ 
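Review bot: The last branch of the new chain in lib/pop3.c still says `STLS not supported.`, but it is now also reached when the CAPA command itself was rejected (`pop3code != '+'`), in which case the client never learned whether the server supports STLS. The imap.c hunk of this patch moved to "not available" wording, and `failf(data, "STLS not available.");` would keep the two protocols consistent. The first test, `if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)`, has no comment while the later branches do; something like `/* TLS not requested, or the connection is already using it */` would let the decision order be read top to bottom. pop3_state_capa_resp begins before the hunk, so this is based on the visible branch only.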
diff --git a/tests/data/test984 b/tests/data/test984 new file mode 100644 index 000000000..e573f23c1 --- /dev/null +++ b/tests/data/test984 @@ -0,0 +1,56 @@ + + + +IMAP +STARTTLS + + + +# +# Server-side + + +REPLY CAPABILITY A001 BAD Not implemented + + + +# +# Client-side + + +SSL + + +imap + + +IMAP require STARTTLS with failing capabilities + + +imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd + + +Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) +From: Fred Foobar +Subject: afternoon meeting +To: joe@example.com +Message-Id: +MIME-Version: 1.0 +Content-Type: TEXT/PLAIN; CHARSET=US-ASCII + +Hello Joe, do you think we can meet at 3:30 tomorrow? + + + +# +# Verify data after the test has been "shot" + +# 64 is CURLE_USE_SSL_FAILED + +64 + + +A001 CAPABILITY + + + diff --git a/tests/data/test985 b/tests/data/test985 new file mode 100644 index 000000000..d0db4aadf --- /dev/null +++ b/tests/data/test985 @@ -0,0 +1,54 @@ + + + +POP3 +STARTTLS + + + +# +# Server-side + + +REPLY CAPA -ERR Not implemented + + +From: me@somewhere +To: fake@nowhere + +body + +-- + yours sincerely + + + +# +# Client-side + + +SSL + + +pop3 + + +POP3 require STARTTLS with failing capabilities + + +pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd + + + +# +# Verify data after the test has been "shot" + +# 64 is CURLE_USE_SSL_FAILED + +64 + + +CAPA + + + diff --git a/tests/data/test986 b/tests/data/test986 new file mode 100644 index 000000000..a709437a4 --- /dev/null +++ b/tests/data/test986 
@@ -0,0 +1,53 @@ + + + +FTP +STARTTLS + + + +# +# Server-side + + +REPLY welcome 230 Welcome +REPLY AUTH 500 unknown command + + + +# Client-side + + +SSL + + +ftp + + +FTP require STARTTLS while preauthenticated + + +data + to + see +that FTPS +works + so does it? + + +--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret + + + +# Verify data after the test has been "shot" + +# 64 is CURLE_USE_SSL_FAILED + +64 + + +AUTH SSL +AUTH TLS + + + -- 2.25.1