* [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890
@ 2021-06-01 15:09 Trevor Gamblin
From: Trevor Gamblin @ 2021-06-01 15:09 UTC (permalink / raw)
  To: openembedded-core

Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make
it apply cleanly on 7.75.

CVE: CVE-2021-22890

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
 ...-argument-to-Curl_ssl_get-addsession.patch | 517 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.75.0.bb      |   1 +
 2 files changed, 518 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch

diff --git a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
new file mode 100644
index 0000000000..a0c7d68f33
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
@@ -0,0 +1,517 @@
+From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Tue, 1 Jun 2021 09:50:20 -0400
+Subject: [PATCH 1/2] vtls: add 'isproxy' argument to
+ Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+
+CVE-2021-22890
+
+Upstream-Status: Backport
+(https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ lib/vtls/bearssl.c   |  8 +++++--
+ lib/vtls/gtls.c      | 12 ++++++----
+ lib/vtls/mbedtls.c   | 12 ++++++----
+ lib/vtls/mesalink.c  | 14 ++++++++----
+ lib/vtls/openssl.c   | 54 +++++++++++++++++++++++++++++++++-----------
+ lib/vtls/schannel.c  | 10 ++++----
+ lib/vtls/sectransp.c | 10 ++++----
+ lib/vtls/vtls.c      | 12 +++++++---
+ lib/vtls/vtls.h      |  2 ++
+ lib/vtls/wolfssl.c   | 28 +++++++++++++----------
+ 10 files changed, 111 insertions(+), 51 deletions(-)
+
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 29b08c0e6..0432dfadc 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
+     void *session;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &session, NULL, sockindex)) {
+       br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
+       infof(data, "BearSSL: re-using session ID\n");
+     }
+@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data,
+     br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
+     Curl_ssl_sessionid_lock(data);
+     incache = !(Curl_ssl_getsessionid(data, conn,
++                                      SSL_IS_PROXY() ? TRUE : FALSE,
+                                       &oldsession, NULL, sockindex));
+     if(incache)
+       Curl_ssl_delsessionid(data, oldsession);
+-    ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
++    ret = Curl_ssl_addsessionid(data, conn,
++                                SSL_IS_PROXY() ? TRUE : FALSE,
++                                session, 0, sockindex);
+     Curl_ssl_sessionid_unlock(data);
+     if(ret) {
+       free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 3ddee1974..28ca528a6 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -733,6 +733,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ 
+     Curl_ssl_sessionid_lock(data);
+     if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
+                               &ssl_sessionid, &ssl_idsize, sockindex)) {
+       /* we got a session id, use it! */
+       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+@@ -1292,8 +1293,9 @@ gtls_connect_step3(struct Curl_easy *data,
+       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+ 
+       Curl_ssl_sessionid_lock(data);
+-      incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
+-                                        sockindex));
++      incache = !(Curl_ssl_getsessionid(data, conn,
++                                        SSL_IS_PROXY() ? TRUE : FALSE,
++                                        &ssl_sessionid, NULL, sockindex));
+       if(incache) {
+         /* there was one before in the cache, so instead of risking that the
+            previous one was rejected, we just kill that and store the new */
+@@ -1301,8 +1303,10 @@ gtls_connect_step3(struct Curl_easy *data,
+       }
+ 
+       /* store this session id */
+-      result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
+-                                     connect_idsize, sockindex);
++      result = Curl_ssl_addsessionid(data, conn,
++                                     SSL_IS_PROXY() ? TRUE : FALSE,
++                                     connect_sessionid, connect_idsize,
++                                     sockindex);
+       Curl_ssl_sessionid_unlock(data);
+       if(result) {
+         free(connect_sessionid);
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index fc3a948d1..bd0e0802e 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &old_session, NULL, sockindex)) {
+       ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
+       if(ret) {
+         Curl_ssl_sessionid_unlock(data);
+@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+     if(!our_ssl_sessionid)
+@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ 
+     /* If there's already a matching session in the cache, delete it */
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
++    if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++                              sockindex))
+       Curl_ssl_delsessionid(data, old_ssl_sessionid);
+ 
+-    retcode = Curl_ssl_addsessionid(data, conn,
+-                                    our_ssl_sessionid, 0, sockindex);
++    retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++                                    0, sockindex);
+     Curl_ssl_sessionid_unlock(data);
+     if(retcode) {
+       mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index b6d1005ec..ad807d3ba 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(data);
+@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+ 
+     Curl_ssl_sessionid_lock(data);
+     incache =
+-      !(Curl_ssl_getsessionid(data, conn,
+-                              &old_ssl_sessionid, NULL, sockindex));
++      !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++                              sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != our_ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     }
+ 
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(
+-        data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++      result =
++        Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0,
++                              sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(data);
+         failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 784d9f70e..8304264d3 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -391,12 +391,23 @@ static int ossl_get_ssl_conn_index(void)
+  */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+-  static int ssl_ex_data_sockindex_index = -1;
+-  if(ssl_ex_data_sockindex_index < 0) {
+-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+-        NULL);
++  static int sockindex_index = -1;
++  if(sockindex_index < 0) {
++    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+   }
+-  return ssl_ex_data_sockindex_index;
++  return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++  static int proxy_index = -1;
++  if(proxy_index < 0) {
++    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++  }
++  return proxy_index;
+ }
+ 
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1172,7 +1183,7 @@ static int ossl_init(void)
+ 
+   /* Initialize the extra data indexes */
+   if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
+-     ossl_get_ssl_sockindex_index() < 0)
++     ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
+     return 0;
+ 
+   return 1;
+@@ -2455,8 +2466,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   int data_idx = ossl_get_ssl_data_index();
+   int connectdata_idx = ossl_get_ssl_conn_index();
+   int sockindex_idx = ossl_get_ssl_sockindex_index();
++  int proxy_idx = ossl_get_proxy_index();
++  bool isproxy;
+ 
+-  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
++  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+     return 0;
+ 
+   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2469,13 +2482,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+   sockindex = (int)(sockindex_ptr - conn->sock);
+ 
++  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     void *old_ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+-                                      sockindex));
++    if(isproxy)
++      incache = FALSE;
++    else
++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -2485,8 +2503,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+     }
+ 
+     if(!incache) {
+-      if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
+-                                      0 /* unknown size */, sockindex)) {
++      if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
++                                0 /* unknown size */, sockindex)) {
+         /* the session has been put into the session cache */
+         res = 1;
+       }
+@@ -3212,17 +3230,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+     int data_idx = ossl_get_ssl_data_index();
+     int connectdata_idx = ossl_get_ssl_conn_index();
+     int sockindex_idx = ossl_get_ssl_sockindex_index();
++    int proxy_idx = ossl_get_proxy_index();
+ 
+-    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
++    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++       proxy_idx >= 0) {
+       /* Store the data needed for the "new session" callback.
+        * The sockindex is stored as a pointer to an array element. */
+       SSL_set_ex_data(backend->handle, data_idx, data);
+       SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+       SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++                      NULL);
++#else
++      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++
+     }
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(data);
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 0668f98f2..bd27ba0bf 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(data);
+     if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
+                               (void **)&old_cred, NULL, sockindex)) {
+       BACKEND->cred = old_cred;
+       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+   SECURITY_STATUS sspi_status = SEC_E_OK;
+   CERT_CONTEXT *ccert_context = NULL;
++  bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     struct Curl_schannel_cred *old_cred = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
+-                                      sockindex));
++    incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred,
++                                      NULL, sockindex));
+     if(incache) {
+       if(old_cred != BACKEND->cred) {
+         DEBUGF(infof(data,
+@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+       }
+     }
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
++      result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred,
+                                      sizeof(struct Curl_schannel_cred),
+                                      sockindex);
+       if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 9a8f7de8d..6d1ea7e7b 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+ #ifndef CURL_DISABLE_PROXY
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  bool isproxy = SSL_IS_PROXY();
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #else
++  const isproxy = FALSE;
+   const char * const hostname = conn->host.name;
+   const long int port = conn->remote_port;
+ #endif
+@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ #ifdef USE_NGHTTP2
+       if(data->set.httpversion >= CURL_HTTP_VERSION_2
+ #ifndef CURL_DISABLE_PROXY
+-         && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
++         && (!isproxy || !conn->bits.tunnel_proxy)
+ #endif
+         ) {
+         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+     size_t ssl_sessionid_len;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
++    if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
+                               &ssl_sessionid_len, sockindex)) {
+       /* we got a session id, use it! */
+       err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+         return CURLE_SSL_CONNECT_ERROR;
+       }
+ 
+-      result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
++      result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
+                                      ssl_sessionid_len, sockindex);
+       Curl_ssl_sessionid_unlock(data);
+       if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index b8ab7494f..8ccc1f2e4 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
+  */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+                            struct connectdata *conn,
++                           const bool isProxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex)
+@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+   bool no_match = TRUE;
+ 
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+   const char * const name = conn->host.name;
+   int port = conn->remote_port;
+-  (void)sockindex;
+ #endif
++  (void)sockindex;
+   *ssl_sessionid = NULL;
+ 
++#ifdef CURL_DISABLE_PROXY
++  if(isProxy)
++    return TRUE;
++#endif
++
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   if(!SSL_SET_OPTION(primary.sessionid))
+@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
+  */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+                                struct connectdata *conn,
++                               bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex)
+@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+   int conn_to_port;
+   long *general_age;
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+   const char *hostname = conn->host.name;
+   (void)sockindex;
+ #endif
++  (void)sockindex;
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   clone_host = strdup(hostname);
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index 9666682ec..4dc29794c 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -222,6 +222,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
+  */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+                            struct connectdata *conn,
++                           const bool isproxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex);
+@@ -232,6 +233,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+  */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+                                struct connectdata *conn,
++                               const bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex);
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index e1fa45926..e4c70877f 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     void *old_ssl_sessionid = NULL;
+ 
+     our_ssl_sessionid = SSL_get_session(backend->handle);
+-
+-    Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+-                                      sockindex));
+-    if(incache) {
+-      if(old_ssl_sessionid != our_ssl_sessionid) {
+-        infof(data, "old SSL session ID is stale, removing\n");
+-        Curl_ssl_delsessionid(data, old_ssl_sessionid);
+-        incache = FALSE;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
++
++    if(our_ssl_sessionid) {
++      Curl_ssl_sessionid_lock(data);
++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
++      if(incache) {
++        if(old_ssl_sessionid != our_ssl_sessionid) {
++            infof(data, "old SSL session ID is stale, removing\n");
++            Curl_ssl_delsessionid(data, old_ssl_sessionid);
++            incache = FALSE;
+       }
+     }
+ 
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
+-                                     0 /* unknown size */, sockindex);
++      result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++                                     0, sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(data);
+         failf(data, "failed to store ssl session");
+-- 
+2.31.1
+
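Review bot: The wolfssl.c hunk (`@@ -774,21 +776,23 @@`) opens a new `if(our_ssl_sessionid) {` block, but the only closing braces it carries are the two unchanged context lines that already closed `if(old_ssl_sessionid != our_ssl_sessionid)` and `if(incache)`, so the patched wolfssl_connect_step3 is left with one unmatched `{`; the rest of the function, including the trailing `Curl_ssl_sessionid_unlock(data);`, lies outside the hunk, so a closing `}` has to be added there and the enclosed lines re-indented (the `infof`/`Curl_ssl_delsessionid`/`incache = FALSE` lines are already indented two columns deeper than their siblings), unless a change I cannot see does this, and the breakage would only surface in a wolfSSL PACKAGECONFIG build. In the same hunk `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` is declared after the `SSL_get_session()` statement, unlike the mbedtls and mesalink hunks which keep it with the other declarations; moving it up next to `void *old_ssl_sessionid = NULL;` keeps the C89-style declaration order the rest of the file follows. In the sectransp.c hunk the `CURL_DISABLE_PROXY` branch adds `const isproxy = FALSE;` with no type, which is implicit int (invalid since C99) and disagrees with the `bool isproxy` in the other branch; it should read `const bool isproxy = FALSE;`. Finally, the patch header carries only a bare `CVE-2021-22890` line; as far as I know OE's cve-check scans the patch file itself for a `CVE:` tag and does not see the recipe commit message, so that line should be `CVE: CVE-2021-22890`.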
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index 7666c7b608..428b8cd9e3 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
 
 SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://0001-replace-krb5-config-with-pkg-config.patch \
+           file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \
 "
 
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
-- 
2.31.1



* [OE-core][hardknott][PATCH 2/2] curl: fix CVE-2021-22876
@ 2021-06-01 15:09 ` Trevor Gamblin
From: Trevor Gamblin @ 2021-06-01 15:09 UTC (permalink / raw)
  To: openembedded-core

Backport and modify the patch for CVE-2021-22876 from curl 7.76 to
make it apply cleanly on 7.75.

CVE: CVE-2021-22876

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
 ...redentials-from-the-auto-referer-hea.patch | 152 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.75.0.bb      |   1 +
 2 files changed, 153 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch

diff --git a/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
new file mode 100644
index 0000000000..6c4f6f2f48
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
@@ -0,0 +1,152 @@
+From 21f6cf63939111d8d76d3a4c07f2cd2fe6cb78f8 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Tue, 1 Jun 2021 09:59:20 -0400
+Subject: [PATCH 2/2] transfer: strip credentials from the auto-referer header
+ field
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ lib/transfer.c          | 25 ++++++++++++++--
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test2081     | 66 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 90 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test2081
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 2f29b29d8..c641a1d47 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1565,6 +1565,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       data->set.followlocation++; /* count location-followers */
+ 
+       if(data->set.http_auto_referer) {
++        CURLU *u;
++        char *referer;
++
+         /* We are asked to automatically set the previous URL as the referer
+            when we get the next URL. We pick the ->url field, which may or may
+            not be 100% correct */
+@@ -1574,9 +1577,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+           data->change.referer_alloc = FALSE;
+         }
+ 
+-        data->change.referer = strdup(data->change.url);
+-        if(!data->change.referer)
++        /* Make a copy of the URL without crenditals and fragment */
++        u = curl_url();
++        if(!u)
++          return CURLE_OUT_OF_MEMORY;
++
++        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++        if(!uc)
++          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++        curl_url_cleanup(u);
++
++        if(uc || referer == NULL)
+           return CURLE_OUT_OF_MEMORY;
++
++        data->change.referer = referer;
+         data->change.referer_alloc = TRUE; /* yes, free this later */
+       }
+     }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 5ebf049b8..e08cfc7ee 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -223,7 +223,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \
+ test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
+          test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
+ test2078 \
+-test2080 \
++test2080 test2081\
+ test2100 \
+ \
+ test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \
+diff --git a/tests/data/test2081 b/tests/data/test2081
+new file mode 100644
+index 000000000..7e74f5766
+--- /dev/null
++++ b/tests/data/test2081
+@@ -0,0 +1,66 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++referer
++followlocation
++--write-out
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++This server reply is for testing a simple Location: following
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Automatic referrer credential and anchor stripping check
++ </name>
++ <command>
++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n'
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++52
++</errorcode>
++<protocol>
++GET /we/want/our/%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++
++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++
++</protocol>
++<stdout>
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++</stdout>
++</verify>
++</testcase>
+-- 
+2.31.1
+
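Review bot: In the lib/transfer.c hunk `referer` is declared without an initializer and is only assigned by the final `curl_url_get()` call, which runs only when every preceding `curl_url_set()` succeeded; the `if(uc || referer == NULL)` test never reads it on the failure path thanks to short-circuiting, but `char *referer = NULL;` costs nothing and keeps `-Wmaybe-uninitialized` quiet across toolchains. `uc` is assigned here but its declaration is outside the hunk (Curl_follow starts before it), so the backport relies on the 7.75 function already declaring a `CURLUcode uc;`. Every failure of the `curl_url_set()`/`curl_url_get()` chain, including a URL the parser rejects, is reported as `CURLE_OUT_OF_MEMORY`, which will mislead anyone debugging a redirect that fails at this point; distinguishing a parse failure from a real allocation failure when mapping `uc` to a CURLcode would make the error honest. The comment above that chain should read `/* Make a copy of the URL without credentials and fragment */` (it currently says "crenditals").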
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index 428b8cd9e3..7c7b363ae3 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
 SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://0001-replace-krb5-config-with-pkg-config.patch \
            file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \
+           file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \
 "
 
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
-- 
2.31.1



* Re: [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890
@ 2021-06-15 22:12 ` Alejandro Hernandez Samaniego
  2021-06-16 12:11   ` Trevor Gamblin
  1 sibling, 1 reply; 4+ messages in thread
From: Alejandro Hernandez Samaniego @ 2021-06-15 22:12 UTC (permalink / raw)
  To: Trevor Gamblin, openembedded-core



On 6/1/21 9:09 AM, Trevor Gamblin wrote:
> Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make
> it apply cleanly on 7.75.
>
> CVE: CVE-2021-22890
>
> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> ---
>   ...-argument-to-Curl_ssl_get-addsession.patch | 517 ++++++++++++++++++
>   meta/recipes-support/curl/curl_7.75.0.bb      |   1 +
>   2 files changed, 518 insertions(+)
>   create mode 100644 meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
>
> diff --git a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
> new file mode 100644
> index 0000000000..a0c7d68f33
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
> @@ -0,0 +1,517 @@
> +From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001
> +From: Trevor Gamblin <trevor.gamblin@windriver.com>
> +Date: Tue, 1 Jun 2021 09:50:20 -0400
> +Subject: [PATCH 1/2] vtls: add 'isproxy' argument to
> + Curl_ssl_get/addsessionid()
> +
> +To make sure we set and extract the correct session.
> +
> +Reported-by: Mingtao Yang
> +Bug: https://curl.se/docs/CVE-2021-22890.html
> +
> +CVE-2021-22890
> +
> +Upstream-Status: Backport
> +(https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)
> +
> +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> +---
> + lib/vtls/bearssl.c   |  8 +++++--
> + lib/vtls/gtls.c      | 12 ++++++----
> + lib/vtls/mbedtls.c   | 12 ++++++----
> + lib/vtls/mesalink.c  | 14 ++++++++----
> + lib/vtls/openssl.c   | 54 +++++++++++++++++++++++++++++++++-----------
> + lib/vtls/schannel.c  | 10 ++++----
> + lib/vtls/sectransp.c | 10 ++++----
> + lib/vtls/vtls.c      | 12 +++++++---
> + lib/vtls/vtls.h      |  2 ++
> + lib/vtls/wolfssl.c   | 28 +++++++++++++----------
> + 10 files changed, 111 insertions(+), 51 deletions(-)
> +
> +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
> +index 29b08c0e6..0432dfadc 100644
> +--- a/lib/vtls/bearssl.c
> ++++ b/lib/vtls/bearssl.c
> +@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
> +     void *session;
> +
> +     Curl_ssl_sessionid_lock(data);
> +-    if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
> ++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
> ++                              &session, NULL, sockindex)) {
> +       br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
> +       infof(data, "BearSSL: re-using session ID\n");
> +     }
> +@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data,
> +     br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
> +     Curl_ssl_sessionid_lock(data);
> +     incache = !(Curl_ssl_getsessionid(data, conn,
> ++                                      SSL_IS_PROXY() ? TRUE : FALSE,
> +                                       &oldsession, NULL, sockindex));
> +     if(incache)
> +       Curl_ssl_delsessionid(data, oldsession);
> +-    ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
> ++    ret = Curl_ssl_addsessionid(data, conn,
> ++                                SSL_IS_PROXY() ? TRUE : FALSE,
> ++                                session, 0, sockindex);
> +     Curl_ssl_sessionid_unlock(data);
> +     if(ret) {
> +       free(session);
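Review bot: In bearssl_connect_step3 the proxy flag is computed twice, once for the Curl_ssl_getsessionid call and again for the Curl_ssl_addsessionid call, each by expanding `SSL_IS_PROXY() ? TRUE : FALSE` inline. The mbedtls, mesalink and schannel hunks of this same patch hoist the flag into one local, which reads better and makes the delete and the add use the same cache key by construction. Suggest `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` among the step3 declarations, then `Curl_ssl_getsessionid(data, conn, isproxy, &oldsession, NULL, sockindex)` and `Curl_ssl_addsessionid(data, conn, isproxy, session, 0, sockindex)`. The declarations of step3 are above this hunk and the function continues past it; the gtls hunks repeat the same pattern.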
> +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
> +index 3ddee1974..28ca528a6 100644
> +--- a/lib/vtls/gtls.c
> ++++ b/lib/vtls/gtls.c
> +@@ -733,6 +733,7 @@ gtls_connect_step1(struct Curl_easy *data,
> +
> +     Curl_ssl_sessionid_lock(data);
> +     if(!Curl_ssl_getsessionid(data, conn,
> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
> +                               &ssl_sessionid, &ssl_idsize, sockindex)) {
> +       /* we got a session id, use it! */
> +       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
> +@@ -1292,8 +1293,9 @@ gtls_connect_step3(struct Curl_easy *data,
> +       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
> +
> +       Curl_ssl_sessionid_lock(data);
> +-      incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
> +-                                        sockindex));
> ++      incache = !(Curl_ssl_getsessionid(data, conn,
> ++                                        SSL_IS_PROXY() ? TRUE : FALSE,
> ++                                        &ssl_sessionid, NULL, sockindex));
> +       if(incache) {
> +         /* there was one before in the cache, so instead of risking that the
> +            previous one was rejected, we just kill that and store the new */
> +@@ -1301,8 +1303,10 @@ gtls_connect_step3(struct Curl_easy *data,
> +       }
> +
> +       /* store this session id */
> +-      result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
> +-                                     connect_idsize, sockindex);
> ++      result = Curl_ssl_addsessionid(data, conn,
> ++                                     SSL_IS_PROXY() ? TRUE : FALSE,
> ++                                     connect_sessionid, connect_idsize,
> ++                                     sockindex);
> +       Curl_ssl_sessionid_unlock(data);
> +       if(result) {
> +         free(connect_sessionid);
> +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
> +index fc3a948d1..bd0e0802e 100644
> +--- a/lib/vtls/mbedtls.c
> ++++ b/lib/vtls/mbedtls.c
> +@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
> +     void *old_session = NULL;
> +
> +     Curl_ssl_sessionid_lock(data);
> +-    if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
> ++    if(!Curl_ssl_getsessionid(data, conn,
> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
> ++                              &old_session, NULL, sockindex)) {
> +       ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
> +       if(ret) {
> +         Curl_ssl_sessionid_unlock(data);
> +@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
> +     int ret;
> +     mbedtls_ssl_session *our_ssl_sessionid;
> +     void *old_ssl_sessionid = NULL;
> ++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
> +
> +     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
> +     if(!our_ssl_sessionid)
> +@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
> +
> +     /* If there's already a matching session in the cache, delete it */
> +     Curl_ssl_sessionid_lock(data);
> +-    if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
> ++    if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
> ++                              sockindex))
> +       Curl_ssl_delsessionid(data, old_ssl_sessionid);
> +
> +-    retcode = Curl_ssl_addsessionid(data, conn,
> +-                                    our_ssl_sessionid, 0, sockindex);
> ++    retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
> ++                                    0, sockindex);
> +     Curl_ssl_sessionid_unlock(data);
> +     if(retcode) {
> +       mbedtls_ssl_session_free(our_ssl_sessionid);
> +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
> +index b6d1005ec..ad807d3ba 100644
> +--- a/lib/vtls/mesalink.c
> ++++ b/lib/vtls/mesalink.c
> +@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data,
> +     void *ssl_sessionid = NULL;
> +
> +     Curl_ssl_sessionid_lock(data);
> +-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
> ++    if(!Curl_ssl_getsessionid(data, conn,
> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
> ++                              &ssl_sessionid, NULL, sockindex)) {
> +       /* we got a session id, use it! */
> +       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
> +         Curl_ssl_sessionid_unlock(data);
> +@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
> +     bool incache;
> +     SSL_SESSION *our_ssl_sessionid;
> +     void *old_ssl_sessionid = NULL;
> ++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
> +
> +     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
> +
> +     Curl_ssl_sessionid_lock(data);
> +     incache =
> +-      !(Curl_ssl_getsessionid(data, conn,
> +-                              &old_ssl_sessionid, NULL, sockindex));
> ++      !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
> ++                              sockindex));
> +     if(incache) {
> +       if(old_ssl_sessionid != our_ssl_sessionid) {
> +         infof(data, "old SSL session ID is stale, removing\n");
> +@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
> +     }
> +
> +     if(!incache) {
> +-      result = Curl_ssl_addsessionid(
> +-        data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
> ++      result =
> ++        Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0,
> ++                              sockindex);
> +       if(result) {
> +         Curl_ssl_sessionid_unlock(data);
> +         failf(data, "failed to store ssl session");
> +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
> +index 784d9f70e..8304264d3 100644
> +--- a/lib/vtls/openssl.c
> ++++ b/lib/vtls/openssl.c
> +@@ -391,12 +391,23 @@ static int ossl_get_ssl_conn_index(void)
> +  */
> + static int ossl_get_ssl_sockindex_index(void)
> + {
> +-  static int ssl_ex_data_sockindex_index = -1;
> +-  if(ssl_ex_data_sockindex_index < 0) {
> +-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
> +-        NULL);
> ++  static int sockindex_index = -1;
> ++  if(sockindex_index < 0) {
> ++    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
> +   }
> +-  return ssl_ex_data_sockindex_index;
> ++  return sockindex_index;
> ++}
> ++
> ++/* Return an extra data index for proxy boolean.
> ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
> ++ */
> ++static int ossl_get_proxy_index(void)
> ++{
> ++  static int proxy_index = -1;
> ++  if(proxy_index < 0) {
> ++    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
> ++  }
> ++  return proxy_index;
> + }
> +
> + static int passwd_callback(char *buf, int num, int encrypting,
> +@@ -1172,7 +1183,7 @@ static int ossl_init(void)
> +
> +   /* Initialize the extra data indexes */
> +   if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
> +-     ossl_get_ssl_sockindex_index() < 0)
> ++     ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
> +     return 0;
> +
> +   return 1;
> +@@ -2455,8 +2466,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
> +   int data_idx = ossl_get_ssl_data_index();
> +   int connectdata_idx = ossl_get_ssl_conn_index();
> +   int sockindex_idx = ossl_get_ssl_sockindex_index();
> ++  int proxy_idx = ossl_get_proxy_index();
> ++  bool isproxy;
> +
> +-  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
> ++  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
> +     return 0;
> +
> +   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
> +@@ -2469,13 +2482,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
> +   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
> +   sockindex = (int)(sockindex_ptr - conn->sock);
> +
> ++  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
> ++
> +   if(SSL_SET_OPTION(primary.sessionid)) {
> +     bool incache;
> +     void *old_ssl_sessionid = NULL;
> +
> +     Curl_ssl_sessionid_lock(data);
> +-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
> +-                                      sockindex));
> ++    if(isproxy)
> ++      incache = FALSE;
> ++    else
> ++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
> ++                                        &old_ssl_sessionid, NULL, sockindex));
> +     if(incache) {
> +       if(old_ssl_sessionid != ssl_sessionid) {
> +         infof(data, "old SSL session ID is stale, removing\n");
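Review bot: The new `if(isproxy) incache = FALSE;` branch in ossl_new_session_cb skips the stale-entry lookup entirely for proxy sessions, so an older proxy entry is never removed before Curl_ssl_addsessionid stores the new one, unlike the origin-host path directly below it. Nothing in the patch says why the two paths differ; if it is deliberate (for instance because the proxy cache key is not reliable at the moment this callback fires), that belongs in a comment, otherwise the lookup should run for both. Suggest `/* proxy sessions: no stale-entry check, the new session is simply added because ... */` above the branch, or dropping the special case. ossl_new_session_cb starts before this hunk and ends after it.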
> +@@ -2485,8 +2503,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
> +     }
> +
> +     if(!incache) {
> +-      if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
> +-                                      0 /* unknown size */, sockindex)) {
> ++      if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
> ++                                0 /* unknown size */, sockindex)) {
> +         /* the session has been put into the session cache */
> +         res = 1;
> +       }
> +@@ -3212,17 +3230,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
> +     int data_idx = ossl_get_ssl_data_index();
> +     int connectdata_idx = ossl_get_ssl_conn_index();
> +     int sockindex_idx = ossl_get_ssl_sockindex_index();
> ++    int proxy_idx = ossl_get_proxy_index();
> +
> +-    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
> ++    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
> ++       proxy_idx >= 0) {
> +       /* Store the data needed for the "new session" callback.
> +        * The sockindex is stored as a pointer to an array element. */
> +       SSL_set_ex_data(backend->handle, data_idx, data);
> +       SSL_set_ex_data(backend->handle, connectdata_idx, conn);
> +       SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
> ++#ifndef CURL_DISABLE_PROXY
> ++      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
> ++                      NULL);
> ++#else
> ++      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
> ++#endif
> ++
> +     }
> +
> +     Curl_ssl_sessionid_lock(data);
> +-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
> ++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
> ++                              &ssl_sessionid, NULL, sockindex)) {
> +       /* we got a session id, use it! */
> +       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
> +         Curl_ssl_sessionid_unlock(data);
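Review bot: The return value of the new `SSL_set_ex_data(backend->handle, proxy_idx, ...)` call is ignored, and the callback at the other end reads `SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE`, so a failed set leaves the slot NULL and a proxy session is silently filed in the origin-host cache, which is precisely the confusion this CVE fix is meant to end. Failing closed is one line: `if(!SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *)1 : NULL)) return CURLE_SSL_CONNECT_ERROR;`. The three pre-existing set calls above it are unchecked too, but only the proxy slot encodes a meaningful state in NULL; a named sentinel instead of `(void *)1` would also read better than an integer cast to a pointer. ossl_connect_step1 starts before this hunk and continues after it.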
> +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> +index 0668f98f2..bd27ba0bf 100644
> +--- a/lib/vtls/schannel.c
> ++++ b/lib/vtls/schannel.c
> +@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
> +   if(SSL_SET_OPTION(primary.sessionid)) {
> +     Curl_ssl_sessionid_lock(data);
> +     if(!Curl_ssl_getsessionid(data, conn,
> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
> +                               (void **)&old_cred, NULL, sockindex)) {
> +       BACKEND->cred = old_cred;
> +       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
> +@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
> +   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
> +   SECURITY_STATUS sspi_status = SEC_E_OK;
> +   CERT_CONTEXT *ccert_context = NULL;
> ++  bool isproxy = SSL_IS_PROXY();
> + #ifdef DEBUGBUILD
> +-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
> ++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
> +     conn->host.name;
> + #endif
> + #ifdef HAS_ALPN
> +@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
> +     struct Curl_schannel_cred *old_cred = NULL;
> +
> +     Curl_ssl_sessionid_lock(data);
> +-    incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
> +-                                      sockindex));
> ++    incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred,
> ++                                      NULL, sockindex));
> +     if(incache) {
> +       if(old_cred != BACKEND->cred) {
> +         DEBUGF(infof(data,
> +@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
> +       }
> +     }
> +     if(!incache) {
> +-      result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
> ++      result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred,
> +                                      sizeof(struct Curl_schannel_cred),
> +                                      sockindex);
> +       if(result) {
> +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
> +index 9a8f7de8d..6d1ea7e7b 100644
> +--- a/lib/vtls/sectransp.c
> ++++ b/lib/vtls/sectransp.c
> +@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
> +   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
> +   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
> + #ifndef CURL_DISABLE_PROXY
> +-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
> ++  bool isproxy = SSL_IS_PROXY();
> ++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
> +     conn->host.name;
> +   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
> + #else
> ++  const isproxy = FALSE;
> +   const char * const hostname = conn->host.name;
> +   const long int port = conn->remote_port;
> + #endif
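Review bot: The `#else` branch declares `const isproxy = FALSE;` with no type, an implicit-int declaration that is a constraint violation since C99 and an error under `-Werror=implicit-int` on current compilers. It is only compiled when CURL_DISABLE_PROXY is defined, so a default build will not notice until somebody builds without proxy support. Change it to `const bool isproxy = FALSE;`. In the proxy-enabled branch the `port` line still expands `SSL_IS_PROXY()` although `isproxy` now exists one line above, so `const long int port = isproxy ? conn->port : conn->remote_port;` would match the hostname line. sectransp_connect_step1 starts before this hunk and continues after it.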
> +@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
> + #ifdef USE_NGHTTP2
> +       if(data->set.httpversion >= CURL_HTTP_VERSION_2
> + #ifndef CURL_DISABLE_PROXY
> +-         && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
> ++         && (!isproxy || !conn->bits.tunnel_proxy)
> + #endif
> +         ) {
> +         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
> +@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
> +     size_t ssl_sessionid_len;
> +
> +     Curl_ssl_sessionid_lock(data);
> +-    if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
> ++    if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
> +                               &ssl_sessionid_len, sockindex)) {
> +       /* we got a session id, use it! */
> +       err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
> +@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
> +         return CURLE_SSL_CONNECT_ERROR;
> +       }
> +
> +-      result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
> ++      result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
> +                                      ssl_sessionid_len, sockindex);
> +       Curl_ssl_sessionid_unlock(data);
> +       if(result) {
> +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
> +index b8ab7494f..8ccc1f2e4 100644
> +--- a/lib/vtls/vtls.c
> ++++ b/lib/vtls/vtls.c
> +@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
> +  */
> + bool Curl_ssl_getsessionid(struct Curl_easy *data,
> +                            struct connectdata *conn,
> ++                           const bool isProxy,
> +                            void **ssl_sessionid,
> +                            size_t *idsize, /* set 0 if unknown */
> +                            int sockindex)
> +@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
> +   bool no_match = TRUE;
> +
> + #ifndef CURL_DISABLE_PROXY
> +-  const bool isProxy = CONNECT_PROXY_SSL();
> +   struct ssl_primary_config * const ssl_config = isProxy ?
> +     &conn->proxy_ssl_config :
> +     &conn->ssl_config;
> +@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
> +   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
> +   const char * const name = conn->host.name;
> +   int port = conn->remote_port;
> +-  (void)sockindex;
> + #endif
> ++  (void)sockindex;
> +   *ssl_sessionid = NULL;
> +
> ++#ifdef CURL_DISABLE_PROXY
> ++  if(isProxy)
> ++    return TRUE;
> ++#endif
> ++
> +   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
> +
> +   if(!SSL_SET_OPTION(primary.sessionid))
> +@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
> +  */
> + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
> +                                struct connectdata *conn,
> ++                               bool isProxy,
> +                                void *ssl_sessionid,
> +                                size_t idsize,
> +                                int sockindex)
> +@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
> +   int conn_to_port;
> +   long *general_age;
> + #ifndef CURL_DISABLE_PROXY
> +-  const bool isProxy = CONNECT_PROXY_SSL();
> +   struct ssl_primary_config * const ssl_config = isProxy ?
> +     &conn->proxy_ssl_config :
> +     &conn->ssl_config;
> +@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
> +   const char *hostname = conn->host.name;
> +   (void)sockindex;
> + #endif
> ++  (void)sockindex;
> +   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
> +
> +   clone_host = strdup(hostname);
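Review bot: Curl_ssl_addsessionid does not mirror the guard its sibling gained in this patch: Curl_ssl_getsessionid now returns "no match" early for `isProxy` under CURL_DISABLE_PROXY, while the add side would file such a session under conn->ssl_config with the origin host name. Every visible caller derives the flag from SSL_IS_PROXY(), which presumably expands to FALSE in a proxy-less build (the sectransp hunk hard-codes FALSE there), so this is an asymmetry rather than a reachable bug, but either both functions should guard or neither. Suggest at least `#ifdef CURL_DISABLE_PROXY DEBUGASSERT(!isProxy); #endif` next to the existing DEBUGASSERT. The hunk also adds `(void)sockindex;` after the `#endif` without removing the one inside the `#else` branch, so the proxy-disabled build now has it twice; drop the inner one as the getsessionid hunk did. The function continues past this hunk.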
> +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
> +index 9666682ec..4dc29794c 100644
> +--- a/lib/vtls/vtls.h
> ++++ b/lib/vtls/vtls.h
> +@@ -222,6 +222,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
> +  */
> + bool Curl_ssl_getsessionid(struct Curl_easy *data,
> +                            struct connectdata *conn,
> ++                           const bool isproxy,
> +                            void **ssl_sessionid,
> +                            size_t *idsize, /* set 0 if unknown */
> +                            int sockindex);
> +@@ -232,6 +233,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
> +  */
> + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
> +                                struct connectdata *conn,
> ++                               const bool isProxy,
> +                                void *ssl_sessionid,
> +                                size_t idsize,
> +                                int sockindex);
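Review bot: The two new prototype parameters are spelled differently, `const bool isproxy` in Curl_ssl_getsessionid and `const bool isProxy` in Curl_ssl_addsessionid, while both definitions in vtls.c use `isProxy` and every backend call site uses `isproxy`; prototype names are what callers read, so the header should pick one spelling and the definitions should match it. `const` on a by-value parameter is a definition detail that tells callers nothing, so the header lines can simply be `bool isproxy,` in both prototypes. A short comment in the header on what the flag selects would also help backend authors, e.g. `/* isproxy: TRUE to look up/store the session against conn->proxy_ssl_config (the HTTPS proxy) instead of the origin host */`, since that choice is what the CVE fix hinges on.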
> +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
> +index e1fa45926..e4c70877f 100644
> +--- a/lib/vtls/wolfssl.c
> ++++ b/lib/vtls/wolfssl.c
> +@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
> +     void *ssl_sessionid = NULL;
> +
> +     Curl_ssl_sessionid_lock(data);
> +-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
> ++    if(!Curl_ssl_getsessionid(data, conn,
> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
> ++                              &ssl_sessionid, NULL, sockindex)) {
> +       /* we got a session id, use it! */
> +       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
> +         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
> +@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
> +     void *old_ssl_sessionid = NULL;
> +
> +     our_ssl_sessionid = SSL_get_session(backend->handle);
> +-
> +-    Curl_ssl_sessionid_lock(data);
> +-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
> +-                                      sockindex));

Hey Trevor,


If my eyes aren't deceiving me, I believe you took out two curly braces:

here:

> +-    if(incache) {
and here:
> +-      if(old_ssl_sessionid != our_ssl_sessionid) {
> +-        infof(data, "old SSL session ID is stale, removing\n");
> +-        Curl_ssl_delsessionid(data, old_ssl_sessionid);
> +-        incache = FALSE;
> ++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
> ++

Yet you added three,

here:

> ++    if(our_ssl_sessionid) {
> ++      Curl_ssl_sessionid_lock(data);
> ++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
> ++                                        &old_ssl_sessionid, NULL, sockindex));
here
> ++      if(incache) {
and here
> ++        if(old_ssl_sessionid != our_ssl_sessionid) {
> ++            infof(data, "old SSL session ID is stale, removing\n");
> ++            Curl_ssl_delsessionid(data, old_ssl_sessionid);
> ++            incache = FALSE;

That's one extra curly brace for these two closing ones.


This has already been merged (and backported); can you check that?

Cheers,

Alejandro

> +       }
> +     }
> +
> +     if(!incache) {
> +-      result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
> +-                                     0 /* unknown size */, sockindex);
> ++      result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
> ++                                     0, sockindex);
> +       if(result) {
> +         Curl_ssl_sessionid_unlock(data);
> +         failf(data, "failed to store ssl session");
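Review bot: `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` is introduced after the `our_ssl_sessionid = SSL_get_session(backend->handle);` statement, a mixed declaration that curl's checksrc/C89 rules reject as far as I recall, and it is also where this hunk departs from the mbedtls, mesalink and schannel hunks, which keep the flag with the other declarations at the top of the block. Move it up next to `void *old_ssl_sessionid = NULL;`. The `infof`/`Curl_ssl_delsessionid`/`incache = FALSE` lines are also indented two columns deeper than the surrounding two-space style. wolfssl_connect_step3 starts before this hunk and continues after it.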
> +--
> +2.31.1
> +
> diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
> index 7666c7b608..428b8cd9e3 100644
> --- a/meta/recipes-support/curl/curl_7.75.0.bb
> +++ b/meta/recipes-support/curl/curl_7.75.0.bb
> @@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
>   
>   SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
>              file://0001-replace-krb5-config-with-pkg-config.patch \
> +           file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \
>   "
>   
>   SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
>
> 
>



* Re: [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890
  2021-06-15 22:12 ` [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890 Alejandro Hernandez Samaniego
@ 2021-06-16 12:11   ` Trevor Gamblin
  0 siblings, 0 replies; 4+ messages in thread
From: Trevor Gamblin @ 2021-06-16 12:11 UTC (permalink / raw)
  To: Alejandro Enedino Hernandez Samaniego, openembedded-core



On 2021-06-15 6:12 p.m., Alejandro Enedino Hernandez Samaniego wrote:
>
> **[Please note: This e-mail is from an EXTERNAL e-mail address]
>
>
> On 6/1/21 9:09 AM, Trevor Gamblin wrote:
>> Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make
>> it apply cleanly on 7.75.
>>
>> CVE: CVE-2021-22890
>>
>> Signed-off-by: Trevor Gamblin<trevor.gamblin@windriver.com>
>> ---
>>   ...-argument-to-Curl_ssl_get-addsession.patch | 517 ++++++++++++++++++
>>   meta/recipes-support/curl/curl_7.75.0.bb  <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$>       |   1 +
>>   2 files changed, 518 insertions(+)
>>   create mode 100644 meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
>>
>> diff --git a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
>> new file mode 100644
>> index 0000000000..a0c7d68f33
>> --- /dev/null
>> +++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
>> @@ -0,0 +1,517 @@
>> +From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001
>> +From: Trevor Gamblin<trevor.gamblin@windriver.com>
>> +Date: Tue, 1 Jun 2021 09:50:20 -0400
>> +Subject: [PATCH 1/2] vtls: add 'isproxy' argument to
>> + Curl_ssl_get/addsessionid()
>> +
>> +To make sure we set and extract the correct session.
>> +
>> +Reported-by: Mingtao Yang
>> +Bug:https://curl.se/docs/CVE-2021-22890.html
>> +
>> +CVE-2021-22890
>> +
>> +Upstream-Status: Backport
>> +(https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)
>> +
>> +Signed-off-by: Trevor Gamblin<trevor.gamblin@windriver.com>
>> +---
>> + lib/vtls/bearssl.c   |  8 +++++--
>> + lib/vtls/gtls.c      | 12 ++++++----
>> + lib/vtls/mbedtls.c   | 12 ++++++----
>> + lib/vtls/mesalink.c  | 14 ++++++++----
>> + lib/vtls/openssl.c   | 54 +++++++++++++++++++++++++++++++++-----------
>> + lib/vtls/schannel.c  | 10 ++++----
>> + lib/vtls/sectransp.c | 10 ++++----
>> + lib/vtls/vtls.c      | 12 +++++++---
>> + lib/vtls/vtls.h      |  2 ++
>> + lib/vtls/wolfssl.c   | 28 +++++++++++++----------
>> + 10 files changed, 111 insertions(+), 51 deletions(-)
>> +
>> +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
>> +index 29b08c0e6..0432dfadc 100644
>> +--- a/lib/vtls/bearssl.c
>> ++++ b/lib/vtls/bearssl.c
>> +@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
>> +     void *session;
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +-    if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
>> ++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
>> ++                              &session, NULL, sockindex)) {
>> +       br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
>> +       infof(data, "BearSSL: re-using session ID\n");
>> +     }
>> +@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data,
>> +     br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
>> +     Curl_ssl_sessionid_lock(data);
>> +     incache = !(Curl_ssl_getsessionid(data, conn,
>> ++                                      SSL_IS_PROXY() ? TRUE : FALSE,
>> +                                       &oldsession, NULL, sockindex));
>> +     if(incache)
>> +       Curl_ssl_delsessionid(data, oldsession);
>> +-    ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
>> ++    ret = Curl_ssl_addsessionid(data, conn,
>> ++                                SSL_IS_PROXY() ? TRUE : FALSE,
>> ++                                session, 0, sockindex);
>> +     Curl_ssl_sessionid_unlock(data);
>> +     if(ret) {
>> +       free(session);
>> +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
>> +index 3ddee1974..28ca528a6 100644
>> +--- a/lib/vtls/gtls.c
>> ++++ b/lib/vtls/gtls.c
>> +@@ -733,6 +733,7 @@ gtls_connect_step1(struct Curl_easy *data,
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +     if(!Curl_ssl_getsessionid(data, conn,
>> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
>> +                               &ssl_sessionid, &ssl_idsize, sockindex)) {
>> +       /* we got a session id, use it! */
>> +       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
>> +@@ -1292,8 +1293,9 @@ gtls_connect_step3(struct Curl_easy *data,
>> +       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
>> +
>> +       Curl_ssl_sessionid_lock(data);
>> +-      incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
>> +-                                        sockindex));
>> ++      incache = !(Curl_ssl_getsessionid(data, conn,
>> ++                                        SSL_IS_PROXY() ? TRUE : FALSE,
>> ++                                        &ssl_sessionid, NULL, sockindex));
>> +       if(incache) {
>> +         /* there was one before in the cache, so instead of risking that the
>> +            previous one was rejected, we just kill that and store the new */
>> +@@ -1301,8 +1303,10 @@ gtls_connect_step3(struct Curl_easy *data,
>> +       }
>> +
>> +       /* store this session id */
>> +-      result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
>> +-                                     connect_idsize, sockindex);
>> ++      result = Curl_ssl_addsessionid(data, conn,
>> ++                                     SSL_IS_PROXY() ? TRUE : FALSE,
>> ++                                     connect_sessionid, connect_idsize,
>> ++                                     sockindex);
>> +       Curl_ssl_sessionid_unlock(data);
>> +       if(result) {
>> +         free(connect_sessionid);
>> +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
>> +index fc3a948d1..bd0e0802e 100644
>> +--- a/lib/vtls/mbedtls.c
>> ++++ b/lib/vtls/mbedtls.c
>> +@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
>> +     void *old_session = NULL;
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +-    if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
>> ++    if(!Curl_ssl_getsessionid(data, conn,
>> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
>> ++                              &old_session, NULL, sockindex)) {
>> +       ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
>> +       if(ret) {
>> +         Curl_ssl_sessionid_unlock(data);
>> +@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
>> +     int ret;
>> +     mbedtls_ssl_session *our_ssl_sessionid;
>> +     void *old_ssl_sessionid = NULL;
>> ++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
>> +
>> +     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
>> +     if(!our_ssl_sessionid)
>> +@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
>> +
>> +     /* If there's already a matching session in the cache, delete it */
>> +     Curl_ssl_sessionid_lock(data);
>> +-    if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
>> ++    if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
>> ++                              sockindex))
>> +       Curl_ssl_delsessionid(data, old_ssl_sessionid);
>> +
>> +-    retcode = Curl_ssl_addsessionid(data, conn,
>> +-                                    our_ssl_sessionid, 0, sockindex);
>> ++    retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
>> ++                                    0, sockindex);
>> +     Curl_ssl_sessionid_unlock(data);
>> +     if(retcode) {
>> +       mbedtls_ssl_session_free(our_ssl_sessionid);
>> +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
>> +index b6d1005ec..ad807d3ba 100644
>> +--- a/lib/vtls/mesalink.c
>> ++++ b/lib/vtls/mesalink.c
>> +@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data,
>> +     void *ssl_sessionid = NULL;
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
>> ++    if(!Curl_ssl_getsessionid(data, conn,
>> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
>> ++                              &ssl_sessionid, NULL, sockindex)) {
>> +       /* we got a session id, use it! */
>> +       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
>> +         Curl_ssl_sessionid_unlock(data);
>> +@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
>> +     bool incache;
>> +     SSL_SESSION *our_ssl_sessionid;
>> +     void *old_ssl_sessionid = NULL;
>> ++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
>> +
>> +     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +     incache =
>> +-      !(Curl_ssl_getsessionid(data, conn,
>> +-                              &old_ssl_sessionid, NULL, sockindex));
>> ++      !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
>> ++                              sockindex));
>> +     if(incache) {
>> +       if(old_ssl_sessionid != our_ssl_sessionid) {
>> +         infof(data, "old SSL session ID is stale, removing\n");
>> +@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
>> +     }
>> +
>> +     if(!incache) {
>> +-      result = Curl_ssl_addsessionid(
>> +-        data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
>> ++      result =
>> ++        Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0,
>> ++                              sockindex);
>> +       if(result) {
>> +         Curl_ssl_sessionid_unlock(data);
>> +         failf(data, "failed to store ssl session");
>> +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
>> +index 784d9f70e..8304264d3 100644
>> +--- a/lib/vtls/openssl.c
>> ++++ b/lib/vtls/openssl.c
>> +@@ -391,12 +391,23 @@ static int ossl_get_ssl_conn_index(void)
>> +  */
>> + static int ossl_get_ssl_sockindex_index(void)
>> + {
>> +-  static int ssl_ex_data_sockindex_index = -1;
>> +-  if(ssl_ex_data_sockindex_index < 0) {
>> +-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
>> +-        NULL);
>> ++  static int sockindex_index = -1;
>> ++  if(sockindex_index < 0) {
>> ++    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
>> +   }
>> +-  return ssl_ex_data_sockindex_index;
>> ++  return sockindex_index;
>> ++}
>> ++
>> ++/* Return an extra data index for proxy boolean.
>> ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
>> ++ */
>> ++static int ossl_get_proxy_index(void)
>> ++{
>> ++  static int proxy_index = -1;
>> ++  if(proxy_index < 0) {
>> ++    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
>> ++  }
>> ++  return proxy_index;
>> + }
>> +
>> + static int passwd_callback(char *buf, int num, int encrypting,
>> +@@ -1172,7 +1183,7 @@ static int ossl_init(void)
>> +
>> +   /* Initialize the extra data indexes */
>> +   if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
>> +-     ossl_get_ssl_sockindex_index() < 0)
>> ++     ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
>> +     return 0;
>> +
>> +   return 1;
>> +@@ -2455,8 +2466,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
>> +   int data_idx = ossl_get_ssl_data_index();
>> +   int connectdata_idx = ossl_get_ssl_conn_index();
>> +   int sockindex_idx = ossl_get_ssl_sockindex_index();
>> ++  int proxy_idx = ossl_get_proxy_index();
>> ++  bool isproxy;
>> +
>> +-  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
>> ++  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
>> +     return 0;
>> +
>> +   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
>> +@@ -2469,13 +2482,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
>> +   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
>> +   sockindex = (int)(sockindex_ptr - conn->sock);
>> +
>> ++  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
>> ++
>> +   if(SSL_SET_OPTION(primary.sessionid)) {
>> +     bool incache;
>> +     void *old_ssl_sessionid = NULL;
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
>> +-                                      sockindex));
>> ++    if(isproxy)
>> ++      incache = FALSE;
>> ++    else
>> ++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
>> ++                                        &old_ssl_sessionid, NULL, sockindex));
>> +     if(incache) {
>> +       if(old_ssl_sessionid != ssl_sessionid) {
>> +         infof(data, "old SSL session ID is stale, removing\n");
>> +@@ -2485,8 +2503,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
>> +     }
>> +
>> +     if(!incache) {
>> +-      if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
>> +-                                      0 /* unknown size */, sockindex)) {
>> ++      if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
>> ++                                0 /* unknown size */, sockindex)) {
>> +         /* the session has been put into the session cache */
>> +         res = 1;
>> +       }
>> +@@ -3212,17 +3230,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
>> +     int data_idx = ossl_get_ssl_data_index();
>> +     int connectdata_idx = ossl_get_ssl_conn_index();
>> +     int sockindex_idx = ossl_get_ssl_sockindex_index();
>> ++    int proxy_idx = ossl_get_proxy_index();
>> +
>> +-    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
>> ++    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
>> ++       proxy_idx >= 0) {
>> +       /* Store the data needed for the "new session" callback.
>> +        * The sockindex is stored as a pointer to an array element. */
>> +       SSL_set_ex_data(backend->handle, data_idx, data);
>> +       SSL_set_ex_data(backend->handle, connectdata_idx, conn);
>> +       SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
>> ++#ifndef CURL_DISABLE_PROXY
>> ++      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
>> ++                      NULL);
>> ++#else
>> ++      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
>> ++#endif
>> ++
>> +     }
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
>> ++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
>> ++                              &ssl_sessionid, NULL, sockindex)) {
>> +       /* we got a session id, use it! */
>> +       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
>> +         Curl_ssl_sessionid_unlock(data);
>> +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
>> +index 0668f98f2..bd27ba0bf 100644
>> +--- a/lib/vtls/schannel.c
>> ++++ b/lib/vtls/schannel.c
>> +@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
>> +   if(SSL_SET_OPTION(primary.sessionid)) {
>> +     Curl_ssl_sessionid_lock(data);
>> +     if(!Curl_ssl_getsessionid(data, conn,
>> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
>> +                               (void **)&old_cred, NULL, sockindex)) {
>> +       BACKEND->cred = old_cred;
>> +       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
>> +@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
>> +   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
>> +   SECURITY_STATUS sspi_status = SEC_E_OK;
>> +   CERT_CONTEXT *ccert_context = NULL;
>> ++  bool isproxy = SSL_IS_PROXY();
>> + #ifdef DEBUGBUILD
>> +-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name  <https://urldefense.com/v3/__http://http_proxy.host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88nopWktg$>  :
>> ++  const char * const hostname = isproxy ? conn->http_proxy.host.name  <https://urldefense.com/v3/__http://http_proxy.host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88nopWktg$>  :
>> +     conn->host.name  <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>;
>> + #endif
>> + #ifdef HAS_ALPN
>> +@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
>> +     struct Curl_schannel_cred *old_cred = NULL;
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +-    incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
>> +-                                      sockindex));
>> ++    incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred,
>> ++                                      NULL, sockindex));
>> +     if(incache) {
>> +       if(old_cred != BACKEND->cred) {
>> +         DEBUGF(infof(data,
>> +@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
>> +       }
>> +     }
>> +     if(!incache) {
>> +-      result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
>> ++      result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred,
>> +                                      sizeof(struct Curl_schannel_cred),
>> +                                      sockindex);
>> +       if(result) {
>> +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
>> +index 9a8f7de8d..6d1ea7e7b 100644
>> +--- a/lib/vtls/sectransp.c
>> ++++ b/lib/vtls/sectransp.c
>> +@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
>> +   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
>> +   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
>> + #ifndef CURL_DISABLE_PROXY
>> +-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name  <https://urldefense.com/v3/__http://http_proxy.host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88nopWktg$>  :
>> ++  bool isproxy = SSL_IS_PROXY();
>> ++  const char * const hostname = isproxy ? conn->http_proxy.host.name  <https://urldefense.com/v3/__http://http_proxy.host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88nopWktg$>  :
>> +     conn->host.name  <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>;
>> +   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
>> + #else
>> ++  const isproxy = FALSE;
>> +   const char * const hostname = conn->host.name  <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>;
>> +   const long int port = conn->remote_port;
>> + #endif
>> +@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
>> + #ifdef USE_NGHTTP2
>> +       if(data->set.httpversion >= CURL_HTTP_VERSION_2
>> + #ifndef CURL_DISABLE_PROXY
>> +-         && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
>> ++         && (!isproxy || !conn->bits.tunnel_proxy)
>> + #endif
>> +         ) {
>> +         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
>> +@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
>> +     size_t ssl_sessionid_len;
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +-    if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
>> ++    if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
>> +                               &ssl_sessionid_len, sockindex)) {
>> +       /* we got a session id, use it! */
>> +       err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
>> +@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
>> +         return CURLE_SSL_CONNECT_ERROR;
>> +       }
>> +
>> +-      result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
>> ++      result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
>> +                                      ssl_sessionid_len, sockindex);
>> +       Curl_ssl_sessionid_unlock(data);
>> +       if(result) {
>> +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
>> +index b8ab7494f..8ccc1f2e4 100644
>> +--- a/lib/vtls/vtls.c
>> ++++ b/lib/vtls/vtls.c
>> +@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
>> +  */
>> + bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> +                            struct connectdata *conn,
>> ++                           const bool isProxy,
>> +                            void **ssl_sessionid,
>> +                            size_t *idsize, /* set 0 if unknown */
>> +                            int sockindex)
>> +@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> +   bool no_match = TRUE;
>> +
>> + #ifndef CURL_DISABLE_PROXY
>> +-  const bool isProxy = CONNECT_PROXY_SSL();
>> +   struct ssl_primary_config * const ssl_config = isProxy ?
>> +     &conn->proxy_ssl_config :
>> +     &conn->ssl_config;
>> +@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> +   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
>> +   const char * const name = conn->host.name  <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>;
>> +   int port = conn->remote_port;
>> +-  (void)sockindex;
>> + #endif
>> ++  (void)sockindex;
>> +   *ssl_sessionid = NULL;
>> +
>> ++#ifdef CURL_DISABLE_PROXY
>> ++  if(isProxy)
>> ++    return TRUE;
>> ++#endif
>> ++
>> +   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
>> +
>> +   if(!SSL_SET_OPTION(primary.sessionid))
>> +@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
>> +  */
>> + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
>> +                                struct connectdata *conn,
>> ++                               bool isProxy,
>> +                                void *ssl_sessionid,
>> +                                size_t idsize,
>> +                                int sockindex)
>> +@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
>> +   int conn_to_port;
>> +   long *general_age;
>> + #ifndef CURL_DISABLE_PROXY
>> +-  const bool isProxy = CONNECT_PROXY_SSL();
>> +   struct ssl_primary_config * const ssl_config = isProxy ?
>> +     &conn->proxy_ssl_config :
>> +     &conn->ssl_config;
>> +@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
>> +   const char *hostname = conn->host.name  <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>;
>> +   (void)sockindex;
>> + #endif
>> ++  (void)sockindex;
>> +   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
>> +
>> +   clone_host = strdup(hostname);
>> +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
>> +index 9666682ec..4dc29794c 100644
>> +--- a/lib/vtls/vtls.h
>> ++++ b/lib/vtls/vtls.h
>> +@@ -222,6 +222,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
>> +  */
>> + bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> +                            struct connectdata *conn,
>> ++                           const bool isproxy,
>> +                            void **ssl_sessionid,
>> +                            size_t *idsize, /* set 0 if unknown */
>> +                            int sockindex);
>> +@@ -232,6 +233,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> +  */
>> + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
>> +                                struct connectdata *conn,
>> ++                               const bool isProxy,
>> +                                void *ssl_sessionid,
>> +                                size_t idsize,
>> +                                int sockindex);
>> +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
>> +index e1fa45926..e4c70877f 100644
>> +--- a/lib/vtls/wolfssl.c
>> ++++ b/lib/vtls/wolfssl.c
>> +@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
>> +     void *ssl_sessionid = NULL;
>> +
>> +     Curl_ssl_sessionid_lock(data);
>> +-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
>> ++    if(!Curl_ssl_getsessionid(data, conn,
>> ++                              SSL_IS_PROXY() ? TRUE : FALSE,
>> ++                              &ssl_sessionid, NULL, sockindex)) {
>> +       /* we got a session id, use it! */
>> +       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
>> +         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
>> +@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
>> +     void *old_ssl_sessionid = NULL;
>> +
>> +     our_ssl_sessionid = SSL_get_session(backend->handle);
>> +-
>> +-    Curl_ssl_sessionid_lock(data);
>> +-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
>> +-                                      sockindex));
>
> Hey Trevor,
>
>
> If my eyes aren't deceiving me, I believe you took out two curly braces:
>
> here:
>
>> +-    if(incache) {
> and here:
>> +-      if(old_ssl_sessionid != our_ssl_sessionid) {
>> +-        infof(data, "old SSL session ID is stale, removing\n");
>> +-        Curl_ssl_delsessionid(data, old_ssl_sessionid);
>> +-        incache = FALSE;
>> ++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
>> ++
>
> Yet you added three,
>
> here:
>
>> ++    if(our_ssl_sessionid) {
>> ++      Curl_ssl_sessionid_lock(data);
>> ++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
>> ++                                        &old_ssl_sessionid, NULL, sockindex));
> here
>> ++      if(incache) {
> and here
>> ++        if(old_ssl_sessionid != our_ssl_sessionid) {
>> ++            infof(data, "old SSL session ID is stale, removing\n");
>> ++            Curl_ssl_delsessionid(data, old_ssl_sessionid);
>> ++            incache = FALSE;
>
> That's one extra curly brace for these two closing ones.
>
>
> This has already been merged (and backported); can you check that?
>
You're right, I lost a bracket while sorting out the patch delta. Thanks 
for catching this. Patch coming shortly.

- Trevor

> Cheers,
>
> Alejandro
>
>> +       }
>> +     }
>> +
>> +     if(!incache) {
>> +-      result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
>> +-                                     0 /* unknown size */, sockindex);
>> ++      result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
>> ++                                     0, sockindex);
>> +       if(result) {
>> +         Curl_ssl_sessionid_unlock(data);
>> +         failf(data, "failed to store ssl session");
>> +--
>> +2.31.1
>> +
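Review bot: `const isproxy = FALSE;` in the `#else` (CURL_DISABLE_PROXY) branch of sectransp_connect_step1 has no type specifier, so it relies on implicit int, which C99 dropped and which recent gcc and clang treat as an error by default; it should read `const bool isproxy = FALSE;`. Whether the upstream commit carries the same line I can't tell from here, but the backport should not ship it as is. In the same configuration Curl_ssl_addsessionid leaves its new isProxy parameter unreferenced (only the CURL_DISABLE_PROXY hunk of Curl_ssl_getsessionid consults it), so a `(void)isProxy;` beside the existing `(void)sockindex;` would keep -Wunused-parameter builds quiet; note that hunk also ends up with `(void)sockindex;` both inside the `#else` branch and after the `#endif`, harmless but untidy.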
>> diff --git a/meta/recipes-support/curl/curl_7.75.0.bb  <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$>  b/meta/recipes-support/curl/curl_7.75.0.bb  <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$>
>> index 7666c7b608..428b8cd9e3 100644
>> --- a/meta/recipes-support/curl/curl_7.75.0.bb  <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$>
>> +++ b/meta/recipes-support/curl/curl_7.75.0.bb  <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$>
>> @@ -11,6 +11,7 @@ LIC_FILES_CHKSUM ="file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
>>   
>>   SRC_URI ="https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ 
>> file://0001-replace-krb5-config-with-pkg-config.patch \ + 
>> file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch 
>> \ "
>>   
>>   SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
>>
>> 
>>


