* [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890 @ 2021-06-01 15:09 Trevor Gamblin 2021-06-01 15:09 ` [OE-core][hardknott][PATCH 2/2] curl: fix CVE-2021-22876 Trevor Gamblin 2021-06-15 22:12 ` [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890 Alejandro Hernandez Samaniego 0 siblings, 2 replies; 4+ messages in thread From: Trevor Gamblin @ 2021-06-01 15:09 UTC (permalink / raw) To: openembedded-core Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make it apply cleanly on 7.75. CVE: CVE-2021-22890 Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> --- ...-argument-to-Curl_ssl_get-addsession.patch | 517 ++++++++++++++++++ meta/recipes-support/curl/curl_7.75.0.bb | 1 + 2 files changed, 518 insertions(+) create mode 100644 meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch diff --git a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch new file mode 100644 index 0000000000..a0c7d68f33 --- /dev/null +++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch 
@@ -0,0 +1,517 @@ +From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin <trevor.gamblin@windriver.com> +Date: Tue, 1 Jun 2021 09:50:20 -0400 +Subject: [PATCH 1/2] vtls: add 'isproxy' argument to + Curl_ssl_get/addsessionid() + +To make sure we set and extract the correct session. + +Reported-by: Mingtao Yang +Bug: https://curl.se/docs/CVE-2021-22890.html + +CVE-2021-22890 + +Upstream-Status: Backport +(https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844) + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> +--- + lib/vtls/bearssl.c | 8 +++++-- + lib/vtls/gtls.c | 12 ++++++---- + lib/vtls/mbedtls.c | 12 ++++++---- + lib/vtls/mesalink.c | 14 ++++++++---- + lib/vtls/openssl.c | 54 +++++++++++++++++++++++++++++++++----------- + lib/vtls/schannel.c | 10 ++++---- + lib/vtls/sectransp.c | 10 ++++---- + lib/vtls/vtls.c | 12 +++++++--- + lib/vtls/vtls.h | 2 ++ + lib/vtls/wolfssl.c | 28 +++++++++++++---------- + 10 files changed, 111 insertions(+), 51 deletions(-) + +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c +index 29b08c0e6..0432dfadc 100644 +--- a/lib/vtls/bearssl.c ++++ b/lib/vtls/bearssl.c +@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, + void *session; + + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &session, NULL, sockindex)) { + br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); + infof(data, "BearSSL: re-using session ID\n"); + } +@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, + br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? 
TRUE : FALSE, + &oldsession, NULL, sockindex)); + if(incache) + Curl_ssl_delsessionid(data, oldsession); +- ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex); ++ ret = Curl_ssl_addsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ session, 0, sockindex); + Curl_ssl_sessionid_unlock(data); + if(ret) { + free(session); +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 3ddee1974..28ca528a6 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -733,6 +733,7 @@ gtls_connect_step1(struct Curl_easy *data, + + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, &ssl_idsize, sockindex)) { + /* we got a session id, use it! */ + gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); +@@ -1292,8 +1293,9 @@ gtls_connect_step3(struct Curl_easy *data, + gnutls_session_get_data(session, connect_sessionid, &connect_idsize); + + Curl_ssl_sessionid_lock(data); +- incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, +- sockindex)); ++ incache = !(Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)); + if(incache) { + /* there was one before in the cache, so instead of risking that the + previous one was rejected, we just kill that and store the new */ +@@ -1301,8 +1303,10 @@ gtls_connect_step3(struct Curl_easy *data, + } + + /* store this session id */ +- result = Curl_ssl_addsessionid(data, conn, connect_sessionid, +- connect_idsize, sockindex); ++ result = Curl_ssl_addsessionid(data, conn, ++ SSL_IS_PROXY() ? 
TRUE : FALSE, ++ connect_sessionid, connect_idsize, ++ sockindex); + Curl_ssl_sessionid_unlock(data); + if(result) { + free(connect_sessionid); +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index fc3a948d1..bd0e0802e 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, + void *old_session = NULL; + + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &old_session, NULL, sockindex)) { + ret = mbedtls_ssl_set_session(&backend->ssl, old_session); + if(ret) { + Curl_ssl_sessionid_unlock(data); +@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, + int ret; + mbedtls_ssl_session *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; + + our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); + if(!our_ssl_sessionid) +@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, + + /* If there's already a matching session in the cache, delete it */ + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex)) ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL, ++ sockindex)) + Curl_ssl_delsessionid(data, old_ssl_sessionid); + +- retcode = Curl_ssl_addsessionid(data, conn, +- our_ssl_sessionid, 0, sockindex); ++ retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, ++ 0, sockindex); + Curl_ssl_sessionid_unlock(data); + if(retcode) { + mbedtls_ssl_session_free(our_ssl_sessionid); +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c +index b6d1005ec..ad807d3ba 100644 +--- a/lib/vtls/mesalink.c ++++ b/lib/vtls/mesalink.c +@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data, + void *ssl_sessionid = NULL; + + 
Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(data); +@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) + bool incache; + SSL_SESSION *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; + + our_ssl_sessionid = SSL_get_session(BACKEND->handle); + + Curl_ssl_sessionid_lock(data); + incache = +- !(Curl_ssl_getsessionid(data, conn, +- &old_ssl_sessionid, NULL, sockindex)); ++ !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL, ++ sockindex)); + if(incache) { + if(old_ssl_sessionid != our_ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) + } + + if(!incache) { +- result = Curl_ssl_addsessionid( +- data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); ++ result = ++ Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0, ++ sockindex); + if(result) { + Curl_ssl_sessionid_unlock(data); + failf(data, "failed to store ssl session"); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 784d9f70e..8304264d3 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -391,12 +391,23 @@ static int ossl_get_ssl_conn_index(void) + */ + static int ossl_get_ssl_sockindex_index(void) + { +- static int ssl_ex_data_sockindex_index = -1; +- if(ssl_ex_data_sockindex_index < 0) { +- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, +- NULL); ++ static int sockindex_index = -1; ++ if(sockindex_index < 0) { ++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } +- return ssl_ex_data_sockindex_index; ++ return 
sockindex_index; ++} ++ ++/* Return an extra data index for proxy boolean. ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). ++ */ ++static int ossl_get_proxy_index(void) ++{ ++ static int proxy_index = -1; ++ if(proxy_index < 0) { ++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ++ } ++ return proxy_index; + } + + static int passwd_callback(char *buf, int num, int encrypting, +@@ -1172,7 +1183,7 @@ static int ossl_init(void) + + /* Initialize the extra data indexes */ + if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 || +- ossl_get_ssl_sockindex_index() < 0) ++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) + return 0; + + return 1; +@@ -2455,8 +2466,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + int data_idx = ossl_get_ssl_data_index(); + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ bool isproxy; + +- if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0) ++ if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) + return 0; + + conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); +@@ -2469,13 +2482,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); + sockindex = (int)(sockindex_ptr - conn->sock); + ++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? 
TRUE : FALSE; ++ + if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + void *old_ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(data); +- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, +- sockindex)); ++ if(isproxy) ++ incache = FALSE; ++ else ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); + if(incache) { + if(old_ssl_sessionid != ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -2485,8 +2503,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + } + + if(!incache) { +- if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid, +- 0 /* unknown size */, sockindex)) { ++ if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, ++ 0 /* unknown size */, sockindex)) { + /* the session has been put into the session cache */ + res = 1; + } +@@ -3212,17 +3230,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + int data_idx = ossl_get_ssl_data_index(); + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); + +- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) { ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && ++ proxy_idx >= 0) { + /* Store the data needed for the "new session" callback. + * The sockindex is stored as a pointer to an array element. */ + SSL_set_ex_data(backend->handle, data_idx, data); + SSL_set_ex_data(backend->handle, connectdata_idx, conn); + SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++#endif ++ + } + + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? 
TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(backend->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(data); +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 0668f98f2..bd27ba0bf 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, + if(SSL_SET_OPTION(primary.sessionid)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, + (void **)&old_cred, NULL, sockindex)) { + BACKEND->cred = old_cred; + DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); +@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + SECURITY_STATUS sspi_status = SEC_E_OK; + CERT_CONTEXT *ccert_context = NULL; ++ bool isproxy = SSL_IS_PROXY(); + #ifdef DEBUGBUILD +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : ++ const char * const hostname = isproxy ? 
conn->http_proxy.host.name : + conn->host.name; + #endif + #ifdef HAS_ALPN +@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, + struct Curl_schannel_cred *old_cred = NULL; + + Curl_ssl_sessionid_lock(data); +- incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL, +- sockindex)); ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred, ++ NULL, sockindex)); + if(incache) { + if(old_cred != BACKEND->cred) { + DEBUGF(infof(data, +@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, + } + } + if(!incache) { +- result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred, ++ result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred, + sizeof(struct Curl_schannel_cred), + sockindex); + if(result) { +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 9a8f7de8d..6d1ea7e7b 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); + #ifndef CURL_DISABLE_PROXY +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : ++ bool isproxy = SSL_IS_PROXY(); ++ const char * const hostname = isproxy ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? 
conn->port : conn->remote_port; + #else ++ const isproxy = FALSE; + const char * const hostname = conn->host.name; + const long int port = conn->remote_port; + #endif +@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, + #ifdef USE_NGHTTP2 + if(data->set.httpversion >= CURL_HTTP_VERSION_2 + #ifndef CURL_DISABLE_PROXY +- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) ++ && (!isproxy || !conn->bits.tunnel_proxy) + #endif + ) { + CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); +@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, + size_t ssl_sessionid_len; + + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid, ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid, + &ssl_sessionid_len, sockindex)) { + /* we got a session id, use it! */ + err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); +@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, + return CURLE_SSL_CONNECT_ERROR; + } + +- result = Curl_ssl_addsessionid(data, conn, ssl_sessionid, ++ result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, + ssl_sessionid_len, sockindex); + Curl_ssl_sessionid_unlock(data); + if(result) { +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index b8ab7494f..8ccc1f2e4 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data) + */ + bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ const bool isProxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex) +@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, + bool no_match = TRUE; + + #ifndef CURL_DISABLE_PROXY +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? 
+ &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct ssl_primary_config * const ssl_config = &conn->ssl_config; + const char * const name = conn->host.name; + int port = conn->remote_port; +- (void)sockindex; + #endif ++ (void)sockindex; + *ssl_sessionid = NULL; + ++#ifdef CURL_DISABLE_PROXY ++ if(isProxy) ++ return TRUE; ++#endif ++ + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + + if(!SSL_SET_OPTION(primary.sessionid)) +@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid) + */ + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex) +@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + int conn_to_port; + long *general_age; + #ifndef CURL_DISABLE_PROXY +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? 
+ &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + const char *hostname = conn->host.name; + (void)sockindex; + #endif ++ (void)sockindex; + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + + clone_host = strdup(hostname); +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index 9666682ec..4dc29794c 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -222,6 +222,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data); + */ + bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ const bool isproxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex); +@@ -232,6 +233,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, + */ + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ const bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex); +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c +index e1fa45926..e4c70877f 100644 +--- a/lib/vtls/wolfssl.c ++++ b/lib/vtls/wolfssl.c +@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, + void *ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! 
*/ + if(!SSL_set_session(backend->handle, ssl_sessionid)) { + char error_buffer[WOLFSSL_MAX_ERROR_SZ]; +@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, + void *old_ssl_sessionid = NULL; + + our_ssl_sessionid = SSL_get_session(backend->handle); +- +- Curl_ssl_sessionid_lock(data); +- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, +- sockindex)); +- if(incache) { +- if(old_ssl_sessionid != our_ssl_sessionid) { +- infof(data, "old SSL session ID is stale, removing\n"); +- Curl_ssl_delsessionid(data, old_ssl_sessionid); +- incache = FALSE; ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; ++ ++ if(our_ssl_sessionid) { ++ Curl_ssl_sessionid_lock(data); ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); ++ if(incache) { ++ if(old_ssl_sessionid != our_ssl_sessionid) { ++ infof(data, "old SSL session ID is stale, removing\n"); ++ Curl_ssl_delsessionid(data, old_ssl_sessionid); ++ incache = FALSE; + } + } + + if(!incache) { +- result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid, +- 0 /* unknown size */, sockindex); ++ result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, ++ 0, sockindex); + if(result) { + Curl_ssl_sessionid_unlock(data); + failf(data, "failed to store ssl session"); +-- +2.31.1 + diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb index 7666c7b608..428b8cd9e3 100644 --- a/meta/recipes-support/curl/curl_7.75.0.bb +++ b/meta/recipes-support/curl/curl_7.75.0.bb 
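Review bot: The CURL_DISABLE_PROXY branch added to sectransp_connect_step1 declares `const isproxy = FALSE;` with no type, an implicit-int declaration that C99 and later reject, so a SecureTransport build with proxy support disabled will fail to compile; it should read `const bool isproxy = FALSE;`, and in the same function the `port` initializer still calls `SSL_IS_PROXY()` while the neighbouring lines were switched to `isproxy`, which is harmless but inconsistent. In wolfssl_connect_step3 the new `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` sits after the `our_ssl_sessionid = SSL_get_session(...)` statement, a declaration-after-statement that curl's C89-style builds (-Wdeclaration-after-statement) are likely to reject, so it belongs with the other declarations at the top of the block; the closing brace for the new `if(our_ssl_sessionid) {` is outside this hunk. The patch header carries the bare line `CVE-2021-22890` rather than a `CVE: CVE-2021-22890` tag, and as far as I recall OE's cve-check class only recognises the tagged form inside a patch file (or a CVE id in the file name, which this name lacks), so the recipe would presumably still be reported as unpatched; the same applies to the bare `CVE-2021-22876` line in the second patch of this series.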
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b" SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ + file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \ " SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" -- 2.31.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [OE-core][hardknott][PATCH 2/2] curl: fix CVE-2021-22876 2021-06-01 15:09 [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890 Trevor Gamblin @ 2021-06-01 15:09 ` Trevor Gamblin 2021-06-15 22:12 ` [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890 Alejandro Hernandez Samaniego 1 sibling, 0 replies; 4+ messages in thread From: Trevor Gamblin @ 2021-06-01 15:09 UTC (permalink / raw) To: openembedded-core Backport and modify the patch for CVE-2021-22876 from curl 7.76 to make it apply cleanly on 7.75. CVE: CVE-2021-22876 Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> --- ...redentials-from-the-auto-referer-hea.patch | 152 ++++++++++++++++++ meta/recipes-support/curl/curl_7.75.0.bb | 1 + 2 files changed, 153 insertions(+) create mode 100644 meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch diff --git a/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch new file mode 100644 index 0000000000..6c4f6f2f48 --- /dev/null +++ b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch 
@@ -0,0 +1,152 @@ +From 21f6cf63939111d8d76d3a4c07f2cd2fe6cb78f8 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin <trevor.gamblin@windriver.com> +Date: Tue, 1 Jun 2021 09:59:20 -0400 +Subject: [PATCH 2/2] transfer: strip credentials from the auto-referer header + field + +Added test 2081 to verify. + +CVE-2021-22876 + +Bug: https://curl.se/docs/CVE-2021-22876.html + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> +--- + lib/transfer.c | 25 ++++++++++++++-- + tests/data/Makefile.inc | 2 +- + tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 90 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test2081 + +diff --git a/lib/transfer.c b/lib/transfer.c +index 2f29b29d8..c641a1d47 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1565,6 +1565,9 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->set.followlocation++; /* count location-followers */ + + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the referer + when we get the next URL. 
We pick the ->url field, which may or may + not be 100% correct */ +@@ -1574,9 +1577,27 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->change.referer_alloc = FALSE; + } + +- data->change.referer = strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u = curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer == NULL) + return CURLE_OUT_OF_MEMORY; ++ ++ data->change.referer = referer; + data->change.referer_alloc = TRUE; /* yes, free this later */ + } + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 5ebf049b8..e08cfc7ee 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -223,7 +223,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \ + test2064 test2065 test2066 test2067 test2068 test2069 test2070 \ + test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ + test2078 \ +-test2080 \ ++test2080 test2081\ + test2100 \ + \ + test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \ +diff --git a/tests/data/test2081 b/tests/data/test2081 +new file mode 100644 +index 000000000..7e74f5766 +--- /dev/null ++++ b/tests/data/test2081 +@@ -0,0 +1,66 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP GET ++referer ++followlocation ++--write-out ++</keywords> ++</info> ++ ++# Server-side ++<reply> ++<data nocheck="yes"> ++HTTP/1.1 301 This is a weirdo text message swsclose ++Location: data/%TESTNUMBER0002.txt?coolsite=yes ++Content-Length: 62 ++Connection: close ++ ++This server reply is for testing a simple Location: following ++</data> ++</reply> ++ ++# 
Client-side ++<client> ++<server> ++http ++</server> ++ <name> ++Automatic referrer credential and anchor stripping check ++ </name> ++ <command> ++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n' ++</command> ++</client> ++ ++# Verify data after the test has been "shot" ++<verify> ++<errorcode> ++52 ++</errorcode> ++<protocol> ++GET /we/want/our/%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic dXNlcjpwYXNz ++User-Agent: curl/%VERSION ++Accept: */* ++ ++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic dXNlcjpwYXNz ++User-Agent: curl/%VERSION ++Accept: */* ++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++ ++</protocol> ++<stdout> ++HTTP/1.1 301 This is a weirdo text message swsclose ++Location: data/%TESTNUMBER0002.txt?coolsite=yes ++Content-Length: 62 ++Connection: close ++ ++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++</stdout> ++</verify> ++</testcase> +-- +2.31.1 + diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb index 428b8cd9e3..7c7b363ae3 100644 --- a/meta/recipes-support/curl/curl_7.75.0.bb +++ b/meta/recipes-support/curl/curl_7.75.0.bb @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b" SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \ + file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \ " SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" -- 2.31.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
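Review bot: In the lib/transfer.c change to Curl_follow the new `char *referer;` is left uninitialized and is only kept from being read by the short-circuit in `if(uc || referer == NULL)`; initializing it as `char *referer = NULL;` makes that check sound on its own. The same condition maps every CURLUcode failure from the curl_url_set/curl_url_get chain onto CURLE_OUT_OF_MEMORY, so a URL the parser rejects is reported as an allocation failure; that mirrors upstream, but a short comment noting the deliberate collapse would help the next reader. `uc` is assigned here without a declaration in the hunk, so it presumably comes from Curl_follow's existing declarations (the function starts before and ends after this hunk) — worth confirming the 7.75 tree still declares it, since the added declarations only introduce `u` and `referer`. The comment `/* Make a copy of the URL without crenditals and fragment */` should read "credentials".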
* Re: [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890 2021-06-01 15:09 [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890 Trevor Gamblin 2021-06-01 15:09 ` [OE-core][hardknott][PATCH 2/2] curl: fix CVE-2021-22876 Trevor Gamblin @ 2021-06-15 22:12 ` Alejandro Hernandez Samaniego 2021-06-16 12:11 ` Trevor Gamblin 1 sibling, 1 reply; 4+ messages in thread From: Alejandro Hernandez Samaniego @ 2021-06-15 22:12 UTC (permalink / raw) To: Trevor Gamblin, openembedded-core [-- Attachment #1: Type: text/plain, Size: 26028 bytes --] On 6/1/21 9:09 AM, Trevor Gamblin wrote: > Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make > it apply cleanly on 7.75. > > CVE: CVE-2021-22890 > > Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> > --- > ...-argument-to-Curl_ssl_get-addsession.patch | 517 ++++++++++++++++++ > meta/recipes-support/curl/curl_7.75.0.bb | 1 + > 2 files changed, 518 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch > > diff --git a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch > new file mode 100644 > index 0000000000..a0c7d68f33 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch 
> @@ -0,0 +1,517 @@ > +From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001 > +From: Trevor Gamblin <trevor.gamblin@windriver.com> > +Date: Tue, 1 Jun 2021 09:50:20 -0400 > +Subject: [PATCH 1/2] vtls: add 'isproxy' argument to > + Curl_ssl_get/addsessionid() > + > +To make sure we set and extract the correct session. > + > +Reported-by: Mingtao Yang > +Bug: https://curl.se/docs/CVE-2021-22890.html > + > +CVE-2021-22890 > + > +Upstream-Status: Backport > +(https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844) > + > +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> > +--- > + lib/vtls/bearssl.c | 8 +++++-- > + lib/vtls/gtls.c | 12 ++++++---- > + lib/vtls/mbedtls.c | 12 ++++++---- > + lib/vtls/mesalink.c | 14 ++++++++---- > + lib/vtls/openssl.c | 54 +++++++++++++++++++++++++++++++++----------- > + lib/vtls/schannel.c | 10 ++++---- > + lib/vtls/sectransp.c | 10 ++++---- > + lib/vtls/vtls.c | 12 +++++++--- > + lib/vtls/vtls.h | 2 ++ > + lib/vtls/wolfssl.c | 28 +++++++++++++---------- > + 10 files changed, 111 insertions(+), 51 deletions(-) > + > +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c > +index 29b08c0e6..0432dfadc 100644 > +--- a/lib/vtls/bearssl.c > ++++ b/lib/vtls/bearssl.c > +@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, > + void *session; > + > + Curl_ssl_sessionid_lock(data); > +- if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &session, NULL, sockindex)) { > + br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); > + infof(data, "BearSSL: re-using session ID\n"); > + } > +@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, > + br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); > + Curl_ssl_sessionid_lock(data); > + incache = !(Curl_ssl_getsessionid(data, conn, > ++ SSL_IS_PROXY() ? 
TRUE : FALSE, > + &oldsession, NULL, sockindex)); > + if(incache) > + Curl_ssl_delsessionid(data, oldsession); > +- ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex); > ++ ret = Curl_ssl_addsessionid(data, conn, > ++ SSL_IS_PROXY() ? TRUE : FALSE, > ++ session, 0, sockindex); > + Curl_ssl_sessionid_unlock(data); > + if(ret) { > + free(session); > +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c > +index 3ddee1974..28ca528a6 100644 > +--- a/lib/vtls/gtls.c > ++++ b/lib/vtls/gtls.c > +@@ -733,6 +733,7 @@ gtls_connect_step1(struct Curl_easy *data, > + > + Curl_ssl_sessionid_lock(data); > + if(!Curl_ssl_getsessionid(data, conn, > ++ SSL_IS_PROXY() ? TRUE : FALSE, > + &ssl_sessionid, &ssl_idsize, sockindex)) { > + /* we got a session id, use it! */ > + gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); > +@@ -1292,8 +1293,9 @@ gtls_connect_step3(struct Curl_easy *data, > + gnutls_session_get_data(session, connect_sessionid, &connect_idsize); > + > + Curl_ssl_sessionid_lock(data); > +- incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, > +- sockindex)); > ++ incache = !(Curl_ssl_getsessionid(data, conn, > ++ SSL_IS_PROXY() ? TRUE : FALSE, > ++ &ssl_sessionid, NULL, sockindex)); > + if(incache) { > + /* there was one before in the cache, so instead of risking that the > + previous one was rejected, we just kill that and store the new */ > +@@ -1301,8 +1303,10 @@ gtls_connect_step3(struct Curl_easy *data, > + } > + > + /* store this session id */ > +- result = Curl_ssl_addsessionid(data, conn, connect_sessionid, > +- connect_idsize, sockindex); > ++ result = Curl_ssl_addsessionid(data, conn, > ++ SSL_IS_PROXY() ? 
TRUE : FALSE, > ++ connect_sessionid, connect_idsize, > ++ sockindex); > + Curl_ssl_sessionid_unlock(data); > + if(result) { > + free(connect_sessionid); > +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c > +index fc3a948d1..bd0e0802e 100644 > +--- a/lib/vtls/mbedtls.c > ++++ b/lib/vtls/mbedtls.c > +@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, > + void *old_session = NULL; > + > + Curl_ssl_sessionid_lock(data); > +- if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(data, conn, > ++ SSL_IS_PROXY() ? TRUE : FALSE, > ++ &old_session, NULL, sockindex)) { > + ret = mbedtls_ssl_set_session(&backend->ssl, old_session); > + if(ret) { > + Curl_ssl_sessionid_unlock(data); > +@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, > + int ret; > + mbedtls_ssl_session *our_ssl_sessionid; > + void *old_ssl_sessionid = NULL; > ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; > + > + our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); > + if(!our_ssl_sessionid) > +@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, > + > + /* If there's already a matching session in the cache, delete it */ > + Curl_ssl_sessionid_lock(data); > +- if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex)) > ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL, > ++ sockindex)) > + Curl_ssl_delsessionid(data, old_ssl_sessionid); > + > +- retcode = Curl_ssl_addsessionid(data, conn, > +- our_ssl_sessionid, 0, sockindex); > ++ retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, > ++ 0, sockindex); > + Curl_ssl_sessionid_unlock(data); > + if(retcode) { > + mbedtls_ssl_session_free(our_ssl_sessionid); > +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c > +index b6d1005ec..ad807d3ba 100644 > +--- a/lib/vtls/mesalink.c > ++++ b/lib/vtls/mesalink.c > +@@ -261,7 +261,9 
@@ mesalink_connect_step1(struct Curl_easy *data, > + void *ssl_sessionid = NULL; > + > + Curl_ssl_sessionid_lock(data); > +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(data, conn, > ++ SSL_IS_PROXY() ? TRUE : FALSE, > ++ &ssl_sessionid, NULL, sockindex)) { > + /* we got a session id, use it! */ > + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { > + Curl_ssl_sessionid_unlock(data); > +@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) > + bool incache; > + SSL_SESSION *our_ssl_sessionid; > + void *old_ssl_sessionid = NULL; > ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; > + > + our_ssl_sessionid = SSL_get_session(BACKEND->handle); > + > + Curl_ssl_sessionid_lock(data); > + incache = > +- !(Curl_ssl_getsessionid(data, conn, > +- &old_ssl_sessionid, NULL, sockindex)); > ++ !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL, > ++ sockindex)); > + if(incache) { > + if(old_ssl_sessionid != our_ssl_sessionid) { > + infof(data, "old SSL session ID is stale, removing\n"); > +@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) > + } > + > + if(!incache) { > +- result = Curl_ssl_addsessionid( > +- data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); > ++ result = > ++ Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0, > ++ sockindex); > + if(result) { > + Curl_ssl_sessionid_unlock(data); > + failf(data, "failed to store ssl session"); > +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c > +index 784d9f70e..8304264d3 100644 > +--- a/lib/vtls/openssl.c > ++++ b/lib/vtls/openssl.c > +@@ -391,12 +391,23 @@ static int ossl_get_ssl_conn_index(void) > + */ > + static int ossl_get_ssl_sockindex_index(void) > + { > +- static int ssl_ex_data_sockindex_index = -1; > +- if(ssl_ex_data_sockindex_index < 0) { > +- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, > +- NULL); > ++ 
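Review bot: The rewritten `Curl_ssl_addsessionid` call in mesalink_connect_step3 drops the `/* unknown size */` annotation on the size argument, leaving a bare `0` whose meaning a reader now has to look up in vtls.h; the openssl hunk keeps `0 /* unknown size */` and the wolfssl hunk (`@@ -774,21 +776,23 @@`) drops it the same way. Keep the annotation: `Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);`. The function body continues outside the hunk.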
static int sockindex_index = -1; > ++ if(sockindex_index < 0) { > ++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); > + } > +- return ssl_ex_data_sockindex_index; > ++ return sockindex_index; > ++} > ++ > ++/* Return an extra data index for proxy boolean. > ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). > ++ */ > ++static int ossl_get_proxy_index(void) > ++{ > ++ static int proxy_index = -1; > ++ if(proxy_index < 0) { > ++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); > ++ } > ++ return proxy_index; > + } > + > + static int passwd_callback(char *buf, int num, int encrypting, > +@@ -1172,7 +1183,7 @@ static int ossl_init(void) > + > + /* Initialize the extra data indexes */ > + if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 || > +- ossl_get_ssl_sockindex_index() < 0) > ++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) > + return 0; > + > + return 1; > +@@ -2455,8 +2466,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) > + int data_idx = ossl_get_ssl_data_index(); > + int connectdata_idx = ossl_get_ssl_conn_index(); > + int sockindex_idx = ossl_get_ssl_sockindex_index(); > ++ int proxy_idx = ossl_get_proxy_index(); > ++ bool isproxy; > + > +- if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0) > ++ if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) > + return 0; > + > + conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); > +@@ -2469,13 +2482,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) > + sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); > + sockindex = (int)(sockindex_ptr - conn->sock); > + > ++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? 
TRUE : FALSE; > ++ > + if(SSL_SET_OPTION(primary.sessionid)) { > + bool incache; > + void *old_ssl_sessionid = NULL; > + > + Curl_ssl_sessionid_lock(data); > +- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, > +- sockindex)); > ++ if(isproxy) > ++ incache = FALSE; > ++ else > ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, > ++ &old_ssl_sessionid, NULL, sockindex)); > + if(incache) { > + if(old_ssl_sessionid != ssl_sessionid) { > + infof(data, "old SSL session ID is stale, removing\n"); > +@@ -2485,8 +2503,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) > + } > + > + if(!incache) { > +- if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid, > +- 0 /* unknown size */, sockindex)) { > ++ if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, > ++ 0 /* unknown size */, sockindex)) { > + /* the session has been put into the session cache */ > + res = 1; > + } > +@@ -3212,17 +3230,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, > + int data_idx = ossl_get_ssl_data_index(); > + int connectdata_idx = ossl_get_ssl_conn_index(); > + int sockindex_idx = ossl_get_ssl_sockindex_index(); > ++ int proxy_idx = ossl_get_proxy_index(); > + > +- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) { > ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && > ++ proxy_idx >= 0) { > + /* Store the data needed for the "new session" callback. > + * The sockindex is stored as a pointer to an array element. */ > + SSL_set_ex_data(backend->handle, data_idx, data); > + SSL_set_ex_data(backend->handle, connectdata_idx, conn); > + SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); > ++#ifndef CURL_DISABLE_PROXY > ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? 
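Review bot: The new `if(isproxy) incache = FALSE; else ...` branch in ossl_new_session_cb carries no comment, and it is the one place in this patch where the cache is not consulted before a session is added, so a reader cannot tell whether skipping the lookup for proxy sessions is deliberate (if `Curl_ssl_addsessionid` does not dedupe, whose body I cannot see here, a stale proxy entry stays in place until it ages out). A one-line comment such as `/* proxy sessions are always stored; no lookup for a stale entry */` would settle that; in the else branch `isproxy` is always FALSE, so passing the literal would also make the intent visible. The callback's body starts and ends outside the hunk.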
(void *) 1: > ++ NULL); > ++#else > ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); > ++#endif > ++ > + } > + > + Curl_ssl_sessionid_lock(data); > +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &ssl_sessionid, NULL, sockindex)) { > + /* we got a session id, use it! */ > + if(!SSL_set_session(backend->handle, ssl_sessionid)) { > + Curl_ssl_sessionid_unlock(data); > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c > +index 0668f98f2..bd27ba0bf 100644 > +--- a/lib/vtls/schannel.c > ++++ b/lib/vtls/schannel.c > +@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, > + if(SSL_SET_OPTION(primary.sessionid)) { > + Curl_ssl_sessionid_lock(data); > + if(!Curl_ssl_getsessionid(data, conn, > ++ SSL_IS_PROXY() ? TRUE : FALSE, > + (void **)&old_cred, NULL, sockindex)) { > + BACKEND->cred = old_cred; > + DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); > +@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, > + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; > + SECURITY_STATUS sspi_status = SEC_E_OK; > + CERT_CONTEXT *ccert_context = NULL; > ++ bool isproxy = SSL_IS_PROXY(); > + #ifdef DEBUGBUILD > +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : > ++ const char * const hostname = isproxy ? 
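Review bot: The proxy flag is stored in the ex_data slot as `(void *) 1`, an integer-to-pointer conversion the C standard only makes implementation-defined, and nothing near `ossl_get_proxy_index()` says the slot holds a non-NULL marker rather than a pointer; a comment on that helper, e.g. `/* the slot holds a non-NULL marker, not a pointer, when the connection is to a proxy */`, would make the `SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE` read in the callback self-explanatory. The `#ifndef CURL_DISABLE_PROXY`/`#else` pair around the store also looks redundant, since the `Curl_ssl_getsessionid` call a few lines below uses `SSL_IS_PROXY()` unguarded; if that macro is defined in both builds, a single `SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *)1 : NULL);` would do. ossl_connect_step1 starts and ends outside the hunk.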
conn->http_proxy.host.name : > + conn->host.name; > + #endif > + #ifdef HAS_ALPN > +@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, > + struct Curl_schannel_cred *old_cred = NULL; > + > + Curl_ssl_sessionid_lock(data); > +- incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL, > +- sockindex)); > ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred, > ++ NULL, sockindex)); > + if(incache) { > + if(old_cred != BACKEND->cred) { > + DEBUGF(infof(data, > +@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, > + } > + } > + if(!incache) { > +- result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred, > ++ result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred, > + sizeof(struct Curl_schannel_cred), > + sockindex); > + if(result) { > +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c > +index 9a8f7de8d..6d1ea7e7b 100644 > +--- a/lib/vtls/sectransp.c > ++++ b/lib/vtls/sectransp.c > +@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, > + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); > + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); > + #ifndef CURL_DISABLE_PROXY > +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : > ++ bool isproxy = SSL_IS_PROXY(); > ++ const char * const hostname = isproxy ? conn->http_proxy.host.name : > + conn->host.name; > + const long int port = SSL_IS_PROXY() ? 
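Review bot: `bool isproxy = SSL_IS_PROXY();` in schannel_connect_step3 assigns the macro's result without the `? TRUE : FALSE` normalisation that schannel_connect_step1 (`@@ -496,6 +496,7 @@`) and the mbedtls, mesalink, openssl and wolfssl hunks use; the sectransp hunk (`@@ -1400,10 +1400,12 @@`) does the same. If `SSL_IS_PROXY()` can expand to a value other than 0 or 1 the two forms store different things, so one form for the whole patch is preferable, e.g. `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;`. The function body continues outside the hunk.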
conn->port : conn->remote_port; > + #else > ++ const isproxy = FALSE; > + const char * const hostname = conn->host.name; > + const long int port = conn->remote_port; > + #endif > +@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, > + #ifdef USE_NGHTTP2 > + if(data->set.httpversion >= CURL_HTTP_VERSION_2 > + #ifndef CURL_DISABLE_PROXY > +- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) > ++ && (!isproxy || !conn->bits.tunnel_proxy) > + #endif > + ) { > + CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); > +@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, > + size_t ssl_sessionid_len; > + > + Curl_ssl_sessionid_lock(data); > +- if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid, > ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid, > + &ssl_sessionid_len, sockindex)) { > + /* we got a session id, use it! */ > + err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); > +@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, > + return CURLE_SSL_CONNECT_ERROR; > + } > + > +- result = Curl_ssl_addsessionid(data, conn, ssl_sessionid, > ++ result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, > + ssl_sessionid_len, sockindex); > + Curl_ssl_sessionid_unlock(data); > + if(result) { > +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c > +index b8ab7494f..8ccc1f2e4 100644 > +--- a/lib/vtls/vtls.c > ++++ b/lib/vtls/vtls.c > +@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data) > + */ > + bool Curl_ssl_getsessionid(struct Curl_easy *data, > + struct connectdata *conn, > ++ const bool isProxy, > + void **ssl_sessionid, > + size_t *idsize, /* set 0 if unknown */ > + int sockindex) > +@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, > + bool no_match = TRUE; > + > + #ifndef CURL_DISABLE_PROXY > +- const bool isProxy = CONNECT_PROXY_SSL(); > + struct 
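Review bot: `const isproxy = FALSE;` in the `#else` (CURL_DISABLE_PROXY) branch of sectransp_connect_step1 has no type, which is an implicit-int declaration that C99 and later do not allow, so a proxy-disabled build of this backend will at best warn and may not compile; it should read `const bool isproxy = FALSE;`. In the `#ifndef` branch the following line still evaluates `SSL_IS_PROXY()` for `port` although `isproxy` was just introduced for exactly this purpose, so `const long int port = isproxy ? conn->port : conn->remote_port;` keeps the two consistent. The function body continues outside the hunk.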
ssl_primary_config * const ssl_config = isProxy ? > + &conn->proxy_ssl_config : > + &conn->ssl_config; > +@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, > + struct ssl_primary_config * const ssl_config = &conn->ssl_config; > + const char * const name = conn->host.name; > + int port = conn->remote_port; > +- (void)sockindex; > + #endif > ++ (void)sockindex; > + *ssl_sessionid = NULL; > + > ++#ifdef CURL_DISABLE_PROXY > ++ if(isProxy) > ++ return TRUE; > ++#endif > ++ > + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); > + > + if(!SSL_SET_OPTION(primary.sessionid)) > +@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid) > + */ > + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, > + struct connectdata *conn, > ++ bool isProxy, > + void *ssl_sessionid, > + size_t idsize, > + int sockindex) > +@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, > + int conn_to_port; > + long *general_age; > + #ifndef CURL_DISABLE_PROXY > +- const bool isProxy = CONNECT_PROXY_SSL(); > + struct ssl_primary_config * const ssl_config = isProxy ? 
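Review bot: The added `if(isProxy) return TRUE;` under `#ifdef CURL_DISABLE_PROXY` in Curl_ssl_getsessionid has no comment saying that TRUE means "no match" here (the function tracks `bool no_match = TRUE;` and every caller negates the result), e.g. `/* proxy support compiled out: a proxy session can never be cached */`. Curl_ssl_addsessionid (`@@ -492,7 +498,6 @@` and `@@ -505,6 +510,7 @@`) gets no matching guard, so from the visible lines its new `isProxy` parameter is never read in a CURL_DISABLE_PROXY build, which an unused-parameter warning will flag and which leaves get and add asymmetric; either mirror the guard there or add `(void)isProxy;` to that branch. Both function bodies continue outside the hunks.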
> + &conn->proxy_ssl_config : > + &conn->ssl_config; > +@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, > + const char *hostname = conn->host.name; > + (void)sockindex; > + #endif > ++ (void)sockindex; > + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); > + > + clone_host = strdup(hostname); > +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h > +index 9666682ec..4dc29794c 100644 > +--- a/lib/vtls/vtls.h > ++++ b/lib/vtls/vtls.h > +@@ -222,6 +222,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data); > + */ > + bool Curl_ssl_getsessionid(struct Curl_easy *data, > + struct connectdata *conn, > ++ const bool isproxy, > + void **ssl_sessionid, > + size_t *idsize, /* set 0 if unknown */ > + int sockindex); > +@@ -232,6 +233,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, > + */ > + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, > + struct connectdata *conn, > ++ const bool isProxy, > + void *ssl_sessionid, > + size_t idsize, > + int sockindex); > +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c > +index e1fa45926..e4c70877f 100644 > +--- a/lib/vtls/wolfssl.c > ++++ b/lib/vtls/wolfssl.c > +@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, > + void *ssl_sessionid = NULL; > + > + Curl_ssl_sessionid_lock(data); > +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(data, conn, > ++ SSL_IS_PROXY() ? TRUE : FALSE, > ++ &ssl_sessionid, NULL, sockindex)) { > + /* we got a session id, use it! 
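Review bot: In Curl_ssl_addsessionid the context line `(void)sockindex;` inside the `#else` branch is kept while a second `(void)sockindex;` is added after `#endif`, so a CURL_DISABLE_PROXY build now carries the statement twice; the getsessionid hunk (`@@ -389,10 +389,15 @@`) removed the inner one when it added the outer one, and this hunk should do the same. It is harmless at run time, but it reads like a leftover from re-fitting the 7.76 change onto 7.75. The function body continues outside the hunk.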
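Review bot: The new parameter is declared `const bool isproxy` for Curl_ssl_getsessionid but `const bool isProxy` for Curl_ssl_addsessionid in vtls.h, while both definitions in vtls.c spell it `isProxy`; one spelling across declaration and definition avoids the mismatch. Neither prototype's preceding comment block (the `*/` context line) is updated to say what the flag selects, so a line such as `/* isproxy: TRUE selects conn->proxy_ssl_config, FALSE conn->ssl_config */` belongs in both comment blocks, matching the `isProxy ? &conn->proxy_ssl_config : &conn->ssl_config` selection the vtls.c hunks show.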
*/ > + if(!SSL_set_session(backend->handle, ssl_sessionid)) { > + char error_buffer[WOLFSSL_MAX_ERROR_SZ]; > +@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, > + void *old_ssl_sessionid = NULL; > + > + our_ssl_sessionid = SSL_get_session(backend->handle); > +- > +- Curl_ssl_sessionid_lock(data); > +- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, > +- sockindex)); Hey Trevor, If my eyes aren't deceiving me, I believe you took out two curly braces: here: > +- if(incache) { and here: > +- if(old_ssl_sessionid != our_ssl_sessionid) { > +- infof(data, "old SSL session ID is stale, removing\n"); > +- Curl_ssl_delsessionid(data, old_ssl_sessionid); > +- incache = FALSE; > ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; > ++ Yet you added three, here: > ++ if(our_ssl_sessionid) { > ++ Curl_ssl_sessionid_lock(data); > ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, > ++ &old_ssl_sessionid, NULL, sockindex)); here > ++ if(incache) { and here > ++ if(old_ssl_sessionid != our_ssl_sessionid) { > ++ infof(data, "old SSL session ID is stale, removing\n"); > ++ Curl_ssl_delsessionid(data, old_ssl_sessionid); > ++ incache = FALSE; That's one extra curly brace for these two closing ones. This has already been merged (and backported) can you check that? Cheers, Alejandro > + } > + } > + > + if(!incache) { > +- result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid, > +- 0 /* unknown size */, sockindex); > ++ result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, > ++ 0, sockindex); > + if(result) { > + Curl_ssl_sessionid_unlock(data); > + failf(data, "failed to store ssl session"); > +-- > +2.31.1 > + > diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb > index 7666c7b608..428b8cd9e3 100644 > --- a/meta/recipes-support/curl/curl_7.75.0.bb > +++ b/meta/recipes-support/curl/curl_7.75.0.bb 
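Review bot: `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` in wolfssl_connect_step3 is added after the `our_ssl_sessionid = SSL_get_session(backend->handle);` statement, i.e. a declaration following code in the same block, which a C89-style code base rejects and which this patch's mbedtls and mesalink hunks avoid by declaring `isproxy` next to the other locals. Moving the declaration up beside `void *old_ssl_sessionid = NULL;` fixes that and also shrinks the hunk. The function body continues outside the hunk.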
> @@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b" > > SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > file://0001-replace-krb5-config-with-pkg-config.patch \ > + file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \ > " > > SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" > > > [-- Attachment #2: Type: text/html, Size: 27859 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890 2021-06-15 22:12 ` [OE-core][hardknott][PATCH 1/2] curl: fix CVE-2021-22890 Alejandro Hernandez Samaniego @ 2021-06-16 12:11 ` Trevor Gamblin 0 siblings, 0 replies; 4+ messages in thread From: Trevor Gamblin @ 2021-06-16 12:11 UTC (permalink / raw) To: Alejandro Enedino Hernandez Samaniego, openembedded-core [-- Attachment #1: Type: text/plain, Size: 28847 bytes --] On 2021-06-15 6:12 p.m., Alejandro Enedino Hernandez Samaniego wrote: > > **[Please note: This e-mail is from an EXTERNAL e-mail address] > > > On 6/1/21 9:09 AM, Trevor Gamblin wrote: >> Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make >> it apply cleanly on 7.75. >> >> CVE: CVE-2021-22890 >> >> Signed-off-by: Trevor Gamblin<trevor.gamblin@windriver.com> >> --- >> ...-argument-to-Curl_ssl_get-addsession.patch | 517 ++++++++++++++++++ >> meta/recipes-support/curl/curl_7.75.0.bb <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$> | 1 + >> 2 files changed, 518 insertions(+) >> create mode 100644 meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch >> >> diff --git a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch >> new file mode 100644 >> index 0000000000..a0c7d68f33 >> --- /dev/null >> +++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch 
>> @@ -0,0 +1,517 @@ >> +From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001 >> +From: Trevor Gamblin<trevor.gamblin@windriver.com> >> +Date: Tue, 1 Jun 2021 09:50:20 -0400 >> +Subject: [PATCH 1/2] vtls: add 'isproxy' argument to >> + Curl_ssl_get/addsessionid() >> + >> +To make sure we set and extract the correct session. >> + >> +Reported-by: Mingtao Yang >> +Bug:https://curl.se/docs/CVE-2021-22890.html >> + >> +CVE-2021-22890 >> + >> +Upstream-Status: Backport >> +(https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844) >> + >> +Signed-off-by: Trevor Gamblin<trevor.gamblin@windriver.com> >> +--- >> + lib/vtls/bearssl.c | 8 +++++-- >> + lib/vtls/gtls.c | 12 ++++++---- >> + lib/vtls/mbedtls.c | 12 ++++++---- >> + lib/vtls/mesalink.c | 14 ++++++++---- >> + lib/vtls/openssl.c | 54 +++++++++++++++++++++++++++++++++----------- >> + lib/vtls/schannel.c | 10 ++++---- >> + lib/vtls/sectransp.c | 10 ++++---- >> + lib/vtls/vtls.c | 12 +++++++--- >> + lib/vtls/vtls.h | 2 ++ >> + lib/vtls/wolfssl.c | 28 +++++++++++++---------- >> + 10 files changed, 111 insertions(+), 51 deletions(-) >> + >> +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c >> +index 29b08c0e6..0432dfadc 100644 >> +--- a/lib/vtls/bearssl.c >> ++++ b/lib/vtls/bearssl.c >> +@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, >> + void *session; >> + >> + Curl_ssl_sessionid_lock(data); >> +- if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) { >> ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? 
TRUE : FALSE, >> ++ &session, NULL, sockindex)) { >> + br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); >> + infof(data, "BearSSL: re-using session ID\n"); >> + } >> +@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, >> + br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); >> + Curl_ssl_sessionid_lock(data); >> + incache = !(Curl_ssl_getsessionid(data, conn, >> ++ SSL_IS_PROXY() ? TRUE : FALSE, >> + &oldsession, NULL, sockindex)); >> + if(incache) >> + Curl_ssl_delsessionid(data, oldsession); >> +- ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex); >> ++ ret = Curl_ssl_addsessionid(data, conn, >> ++ SSL_IS_PROXY() ? TRUE : FALSE, >> ++ session, 0, sockindex); >> + Curl_ssl_sessionid_unlock(data); >> + if(ret) { >> + free(session); >> +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c >> +index 3ddee1974..28ca528a6 100644 >> +--- a/lib/vtls/gtls.c >> ++++ b/lib/vtls/gtls.c >> +@@ -733,6 +733,7 @@ gtls_connect_step1(struct Curl_easy *data, >> + >> + Curl_ssl_sessionid_lock(data); >> + if(!Curl_ssl_getsessionid(data, conn, >> ++ SSL_IS_PROXY() ? TRUE : FALSE, >> + &ssl_sessionid, &ssl_idsize, sockindex)) { >> + /* we got a session id, use it! */ >> + gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); >> +@@ -1292,8 +1293,9 @@ gtls_connect_step3(struct Curl_easy *data, >> + gnutls_session_get_data(session, connect_sessionid, &connect_idsize); >> + >> + Curl_ssl_sessionid_lock(data); >> +- incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, >> +- sockindex)); >> ++ incache = !(Curl_ssl_getsessionid(data, conn, >> ++ SSL_IS_PROXY() ? 
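Review bot: bearssl_connect_step3 evaluates `SSL_IS_PROXY() ? TRUE : FALSE` separately for its `Curl_ssl_getsessionid` and `Curl_ssl_addsessionid` calls, and gtls_connect_step1/step3 (`@@ -733,6 +733,7 @@`, `@@ -1292,8 +1293,9 @@`, `@@ -1301,8 +1303,10 @@`) do the same, while the mbedtls, mesalink, schannel and sectransp hunks compute `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` once. A single local in each of these functions too would make the get/add pair visibly use the same key and match the rest of the patch. The function bodies continue outside the hunks.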
TRUE : FALSE, >> ++ &ssl_sessionid, NULL, sockindex)); >> + if(incache) { >> + /* there was one before in the cache, so instead of risking that the >> + previous one was rejected, we just kill that and store the new */ >> +@@ -1301,8 +1303,10 @@ gtls_connect_step3(struct Curl_easy *data, >> + } >> + >> + /* store this session id */ >> +- result = Curl_ssl_addsessionid(data, conn, connect_sessionid, >> +- connect_idsize, sockindex); >> ++ result = Curl_ssl_addsessionid(data, conn, >> ++ SSL_IS_PROXY() ? TRUE : FALSE, >> ++ connect_sessionid, connect_idsize, >> ++ sockindex); >> + Curl_ssl_sessionid_unlock(data); >> + if(result) { >> + free(connect_sessionid); >> +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c >> +index fc3a948d1..bd0e0802e 100644 >> +--- a/lib/vtls/mbedtls.c >> ++++ b/lib/vtls/mbedtls.c >> +@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, >> + void *old_session = NULL; >> + >> + Curl_ssl_sessionid_lock(data); >> +- if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) { >> ++ if(!Curl_ssl_getsessionid(data, conn, >> ++ SSL_IS_PROXY() ? TRUE : FALSE, >> ++ &old_session, NULL, sockindex)) { >> + ret = mbedtls_ssl_set_session(&backend->ssl, old_session); >> + if(ret) { >> + Curl_ssl_sessionid_unlock(data); >> +@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, >> + int ret; >> + mbedtls_ssl_session *our_ssl_sessionid; >> + void *old_ssl_sessionid = NULL; >> ++ bool isproxy = SSL_IS_PROXY() ? 
TRUE : FALSE; >> + >> + our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); >> + if(!our_ssl_sessionid) >> +@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, >> + >> + /* If there's already a matching session in the cache, delete it */ >> + Curl_ssl_sessionid_lock(data); >> +- if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex)) >> ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL, >> ++ sockindex)) >> + Curl_ssl_delsessionid(data, old_ssl_sessionid); >> + >> +- retcode = Curl_ssl_addsessionid(data, conn, >> +- our_ssl_sessionid, 0, sockindex); >> ++ retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, >> ++ 0, sockindex); >> + Curl_ssl_sessionid_unlock(data); >> + if(retcode) { >> + mbedtls_ssl_session_free(our_ssl_sessionid); >> +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c >> +index b6d1005ec..ad807d3ba 100644 >> +--- a/lib/vtls/mesalink.c >> ++++ b/lib/vtls/mesalink.c >> +@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data, >> + void *ssl_sessionid = NULL; >> + >> + Curl_ssl_sessionid_lock(data); >> +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { >> ++ if(!Curl_ssl_getsessionid(data, conn, >> ++ SSL_IS_PROXY() ? TRUE : FALSE, >> ++ &ssl_sessionid, NULL, sockindex)) { >> + /* we got a session id, use it! */ >> + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { >> + Curl_ssl_sessionid_unlock(data); >> +@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) >> + bool incache; >> + SSL_SESSION *our_ssl_sessionid; >> + void *old_ssl_sessionid = NULL; >> ++ bool isproxy = SSL_IS_PROXY() ? 
TRUE : FALSE; >> + >> + our_ssl_sessionid = SSL_get_session(BACKEND->handle); >> + >> + Curl_ssl_sessionid_lock(data); >> + incache = >> +- !(Curl_ssl_getsessionid(data, conn, >> +- &old_ssl_sessionid, NULL, sockindex)); >> ++ !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL, >> ++ sockindex)); >> + if(incache) { >> + if(old_ssl_sessionid != our_ssl_sessionid) { >> + infof(data, "old SSL session ID is stale, removing\n"); >> +@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) >> + } >> + >> + if(!incache) { >> +- result = Curl_ssl_addsessionid( >> +- data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); >> ++ result = >> ++ Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0, >> ++ sockindex); >> + if(result) { >> + Curl_ssl_sessionid_unlock(data); >> + failf(data, "failed to store ssl session"); >> +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c >> +index 784d9f70e..8304264d3 100644 >> +--- a/lib/vtls/openssl.c >> ++++ b/lib/vtls/openssl.c >> +@@ -391,12 +391,23 @@ static int ossl_get_ssl_conn_index(void) >> + */ >> + static int ossl_get_ssl_sockindex_index(void) >> + { >> +- static int ssl_ex_data_sockindex_index = -1; >> +- if(ssl_ex_data_sockindex_index < 0) { >> +- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, >> +- NULL); >> ++ static int sockindex_index = -1; >> ++ if(sockindex_index < 0) { >> ++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); >> + } >> +- return ssl_ex_data_sockindex_index; >> ++ return sockindex_index; >> ++} >> ++ >> ++/* Return an extra data index for proxy boolean. >> ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). 
>> ++ */ >> ++static int ossl_get_proxy_index(void) >> ++{ >> ++ static int proxy_index = -1; >> ++ if(proxy_index < 0) { >> ++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); >> ++ } >> ++ return proxy_index; >> + } >> + >> + static int passwd_callback(char *buf, int num, int encrypting, >> +@@ -1172,7 +1183,7 @@ static int ossl_init(void) >> + >> + /* Initialize the extra data indexes */ >> + if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 || >> +- ossl_get_ssl_sockindex_index() < 0) >> ++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) >> + return 0; >> + >> + return 1; >> +@@ -2455,8 +2466,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) >> + int data_idx = ossl_get_ssl_data_index(); >> + int connectdata_idx = ossl_get_ssl_conn_index(); >> + int sockindex_idx = ossl_get_ssl_sockindex_index(); >> ++ int proxy_idx = ossl_get_proxy_index(); >> ++ bool isproxy; >> + >> +- if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0) >> ++ if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) >> + return 0; >> + >> + conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); >> +@@ -2469,13 +2482,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) >> + sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); >> + sockindex = (int)(sockindex_ptr - conn->sock); >> + >> ++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? 
TRUE : FALSE; >> ++ >> + if(SSL_SET_OPTION(primary.sessionid)) { >> + bool incache; >> + void *old_ssl_sessionid = NULL; >> + >> + Curl_ssl_sessionid_lock(data); >> +- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, >> +- sockindex)); >> ++ if(isproxy) >> ++ incache = FALSE; >> ++ else >> ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, >> ++ &old_ssl_sessionid, NULL, sockindex)); >> + if(incache) { >> + if(old_ssl_sessionid != ssl_sessionid) { >> + infof(data, "old SSL session ID is stale, removing\n"); >> +@@ -2485,8 +2503,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) >> + } >> + >> + if(!incache) { >> +- if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid, >> +- 0 /* unknown size */, sockindex)) { >> ++ if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, >> ++ 0 /* unknown size */, sockindex)) { >> + /* the session has been put into the session cache */ >> + res = 1; >> + } >> +@@ -3212,17 +3230,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, >> + int data_idx = ossl_get_ssl_data_index(); >> + int connectdata_idx = ossl_get_ssl_conn_index(); >> + int sockindex_idx = ossl_get_ssl_sockindex_index(); >> ++ int proxy_idx = ossl_get_proxy_index(); >> + >> +- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) { >> ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && >> ++ proxy_idx >= 0) { >> + /* Store the data needed for the "new session" callback. >> + * The sockindex is stored as a pointer to an array element. */ >> + SSL_set_ex_data(backend->handle, data_idx, data); >> + SSL_set_ex_data(backend->handle, connectdata_idx, conn); >> + SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); >> ++#ifndef CURL_DISABLE_PROXY >> ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? 
(void *) 1: >> ++ NULL); >> ++#else >> ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); >> ++#endif >> ++ >> + } >> + >> + Curl_ssl_sessionid_lock(data); >> +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { >> ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, >> ++ &ssl_sessionid, NULL, sockindex)) { >> + /* we got a session id, use it! */ >> + if(!SSL_set_session(backend->handle, ssl_sessionid)) { >> + Curl_ssl_sessionid_unlock(data); >> +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c >> +index 0668f98f2..bd27ba0bf 100644 >> +--- a/lib/vtls/schannel.c >> ++++ b/lib/vtls/schannel.c >> +@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, >> + if(SSL_SET_OPTION(primary.sessionid)) { >> + Curl_ssl_sessionid_lock(data); >> + if(!Curl_ssl_getsessionid(data, conn, >> ++ SSL_IS_PROXY() ? TRUE : FALSE, >> + (void **)&old_cred, NULL, sockindex)) { >> + BACKEND->cred = old_cred; >> + DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); >> +@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, >> + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; >> + SECURITY_STATUS sspi_status = SEC_E_OK; >> + CERT_CONTEXT *ccert_context = NULL; >> ++ bool isproxy = SSL_IS_PROXY(); >> + #ifdef DEBUGBUILD >> +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name <https://urldefense.com/v3/__http://http_proxy.host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88nopWktg$> : >> ++ const char * const hostname = isproxy ? 
conn->http_proxy.host.name <https://urldefense.com/v3/__http://http_proxy.host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88nopWktg$> : >> + conn->host.name <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>; >> + #endif >> + #ifdef HAS_ALPN >> +@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, >> + struct Curl_schannel_cred *old_cred = NULL; >> + >> + Curl_ssl_sessionid_lock(data); >> +- incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL, >> +- sockindex)); >> ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred, >> ++ NULL, sockindex)); >> + if(incache) { >> + if(old_cred != BACKEND->cred) { >> + DEBUGF(infof(data, >> +@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, >> + } >> + } >> + if(!incache) { >> +- result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred, >> ++ result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred, >> + sizeof(struct Curl_schannel_cred), >> + sockindex); >> + if(result) { >> +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c >> +index 9a8f7de8d..6d1ea7e7b 100644 >> +--- a/lib/vtls/sectransp.c >> ++++ b/lib/vtls/sectransp.c >> +@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, >> + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); >> + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); >> + #ifndef CURL_DISABLE_PROXY >> +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name <https://urldefense.com/v3/__http://http_proxy.host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88nopWktg$> : >> ++ bool isproxy = SSL_IS_PROXY(); >> ++ const char * const hostname = isproxy ? 
conn->http_proxy.host.name <https://urldefense.com/v3/__http://http_proxy.host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88nopWktg$> :
>> + conn->host.name <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>;
>> + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
>> + #else
>> ++ const isproxy = FALSE;
>> + const char * const hostname = conn->host.name <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>;
>> + const long int port = conn->remote_port;
>> + #endif
>> +@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
>> + #ifdef USE_NGHTTP2
>> + if(data->set.httpversion >= CURL_HTTP_VERSION_2
>> + #ifndef CURL_DISABLE_PROXY
>> +- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
>> ++ && (!isproxy || !conn->bits.tunnel_proxy)
>> + #endif
>> + ) {
>> + CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
>> +@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
>> + size_t ssl_sessionid_len;
>> +
>> + Curl_ssl_sessionid_lock(data);
>> +- if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
>> ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
>> + &ssl_sessionid_len, sockindex)) {
>> + /* we got a session id, use it!
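Review bot: In the `#else` (CURL_DISABLE_PROXY) branch of the sectransp_connect_step1 hunk, `++ const isproxy = FALSE;` declares `isproxy` with no type, so it relies on implicit int, which C99 removed; a proxy-less build will fail or warn depending on the compiler, and `isproxy` then does not even have the same type as the `bool isproxy = SSL_IS_PROXY();` declared in the `#ifndef` branch. The line should read `const bool isproxy = FALSE;`. In the same hunk the `port` initializer still calls `SSL_IS_PROXY()` although the new local now exists; `const long int port = isproxy ? conn->port : conn->remote_port;` keeps the host and port decisions tied to one value. If the line was taken verbatim from the upstream commit named in the patch header, it still needs fixing in this backport, since the hardknott build is what the patch serves. sectransp_connect_step1 continues outside the hunk.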
*/
>> + err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
>> +@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
>> + return CURLE_SSL_CONNECT_ERROR;
>> + }
>> +
>> +- result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
>> ++ result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
>> + ssl_sessionid_len, sockindex);
>> + Curl_ssl_sessionid_unlock(data);
>> + if(result) {
>> +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
>> +index b8ab7494f..8ccc1f2e4 100644
>> +--- a/lib/vtls/vtls.c
>> ++++ b/lib/vtls/vtls.c
>> +@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
>> + */
>> + bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> + struct connectdata *conn,
>> ++ const bool isProxy,
>> + void **ssl_sessionid,
>> + size_t *idsize, /* set 0 if unknown */
>> + int sockindex)
>> +@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> + bool no_match = TRUE;
>> +
>> + #ifndef CURL_DISABLE_PROXY
>> +- const bool isProxy = CONNECT_PROXY_SSL();
>> + struct ssl_primary_config * const ssl_config = isProxy ?
>> + &conn->proxy_ssl_config :
>> + &conn->ssl_config;
>> +@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> + struct ssl_primary_config * const ssl_config = &conn->ssl_config;
>> + const char * const name = conn->host.name <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>;
>> + int port = conn->remote_port;
>> +- (void)sockindex;
>> + #endif
>> ++ (void)sockindex;
>> + *ssl_sessionid = NULL;
>> +
>> ++#ifdef CURL_DISABLE_PROXY
>> ++ if(isProxy)
>> ++ return TRUE;
>> ++#endif
>> ++
>> + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
>> +
>> + if(!SSL_SET_OPTION(primary.sessionid))
>> +@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
>> + */
>> + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
>> + struct connectdata *conn,
>> ++ bool isProxy,
>> + void *ssl_sessionid,
>> + size_t idsize,
>> + int sockindex)
>> +@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
>> + int conn_to_port;
>> + long *general_age;
>> + #ifndef CURL_DISABLE_PROXY
>> +- const bool isProxy = CONNECT_PROXY_SSL();
>> + struct ssl_primary_config * const ssl_config = isProxy ?
>> + &conn->proxy_ssl_config :
>> + &conn->ssl_config;
>> +@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
>> + const char *hostname = conn->host.name <https://urldefense.com/v3/__http://host.name__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC8_pHpLLHg$>;
>> + (void)sockindex;
>> + #endif
>> ++ (void)sockindex;
>> + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
>> +
>> + clone_host = strdup(hostname);
>> +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
>> +index 9666682ec..4dc29794c 100644
>> +--- a/lib/vtls/vtls.h
>> ++++ b/lib/vtls/vtls.h
>> +@@ -222,6 +222,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
>> + */
>> + bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> + struct connectdata *conn,
>> ++ const bool isproxy,
>> + void **ssl_sessionid,
>> + size_t *idsize, /* set 0 if unknown */
>> + int sockindex);
>> +@@ -232,6 +233,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
>> + */
>> + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
>> + struct connectdata *conn,
>> ++ const bool isProxy,
>> + void *ssl_sessionid,
>> + size_t idsize,
>> + int sockindex);
>> +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
>> +index e1fa45926..e4c70877f 100644
>> +--- a/lib/vtls/wolfssl.c
>> ++++ b/lib/vtls/wolfssl.c
>> +@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
>> + void *ssl_sessionid = NULL;
>> +
>> + Curl_ssl_sessionid_lock(data);
>> +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
>> ++ if(!Curl_ssl_getsessionid(data, conn,
>> ++ SSL_IS_PROXY() ? TRUE : FALSE,
>> ++ &ssl_sessionid, NULL, sockindex)) {
>> + /* we got a session id, use it!
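Review bot: The Curl_ssl_addsessionid hunk at `@@ -505,6 +510,7 @@` adds `(void)sockindex;` after the `#endif` while the context line `(void)sockindex;` inside the `#else` branch is kept, so a CURL_DISABLE_PROXY build now carries the statement twice; the Curl_ssl_getsessionid hunk just above removes the old one (`+- (void)sockindex;`) before adding the new one, and this hunk should do the same. Curl_ssl_getsessionid also gains `if(isProxy) return TRUE;` under CURL_DISABLE_PROXY, but Curl_ssl_addsessionid has no counterpart, so in that build a caller passing TRUE would, as far as the visible lines show, store the entry under conn->ssl_config; a matching guard such as `DEBUGASSERT(!isProxy);` next to the existing `DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));` would make the two functions agree. Both functions start in the hunks above and continue past this hunk.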
*/ >> + if(!SSL_set_session(backend->handle, ssl_sessionid)) { >> + char error_buffer[WOLFSSL_MAX_ERROR_SZ]; >> +@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, >> + void *old_ssl_sessionid = NULL; >> + >> + our_ssl_sessionid = SSL_get_session(backend->handle); >> +- >> +- Curl_ssl_sessionid_lock(data); >> +- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, >> +- sockindex)); > > Hey Trevor, > > > If my eyes aren't deceiving me, I believe you took out two curly braces: > > here: > >> +- if(incache) { > and here: >> +- if(old_ssl_sessionid != our_ssl_sessionid) { >> +- infof(data, "old SSL session ID is stale, removing\n"); >> +- Curl_ssl_delsessionid(data, old_ssl_sessionid); >> +- incache = FALSE; >> ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; >> ++ > > Yet you added three, > > here: > >> ++ if(our_ssl_sessionid) { >> ++ Curl_ssl_sessionid_lock(data); >> ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, >> ++ &old_ssl_sessionid, NULL, sockindex)); > here >> ++ if(incache) { > and here >> ++ if(old_ssl_sessionid != our_ssl_sessionid) { >> ++ infof(data, "old SSL session ID is stale, removing\n"); >> ++ Curl_ssl_delsessionid(data, old_ssl_sessionid); >> ++ incache = FALSE; > > That's one extra curly brace for these two closing ones. > > > This has already been merged (and backported) can you check that? > You're right, I lost a bracket while sorting out the patch delta. Thanks for catching this. Patch coming shortly. - Trevor > Cheers, > > Alejandro > >> + } >> + } >> + >> + if(!incache) { >> +- result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid, >> +- 0 /* unknown size */, sockindex); >> ++ result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, >> ++ 0, sockindex); >> + if(result) { >> + Curl_ssl_sessionid_unlock(data); >> + failf(data, "failed to store ssl session"); >> +-- >> +2.31.1 >> + 
>> diff --git a/meta/recipes-support/curl/curl_7.75.0.bb <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$> b/meta/recipes-support/curl/curl_7.75.0.bb <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$> >> index 7666c7b608..428b8cd9e3 100644 >> --- a/meta/recipes-support/curl/curl_7.75.0.bb <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$> >> +++ b/meta/recipes-support/curl/curl_7.75.0.bb <https://urldefense.com/v3/__http://curl_7.75.0.bb__;!!AjveYdw8EvQ!Kth8YheDEnSG4Aa5fzE6_1Y2Ai_p0hp7OoDwxk4dxsLG88c1JzIpGjSWEgaUC88Uov7Q9A$> >> @@ -11,6 +11,7 @@ LIC_FILES_CHKSUM ="file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b" >> >> SRC_URI ="https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ >> file://0001-replace-krb5-config-with-pkg-config.patch \ + >> file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch >> \ " >> >> SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" >> >> >> [-- Attachment #2: Type: text/html, Size: 32088 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread