curl: CVE-2017-7468

TLS session resumption client cert bypass (again) References: https://curl.haxx.se/docs/adv_20170419.html https://curl.haxx.se/CVE-2017-7468.patch Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-21 13:57:04 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-09-26 15:38:17 +0200
commit: a6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2 (patch)
tree: 93cf2f03a7284485bd632366133f1c3ee35053cd
parent: fc56bc51ea79b613d64b0389bf7b4877d3e45cbb (diff)
download: meta-el-common-a6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2.tar.gz
2 files changed, 304 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-7468.patch b/recipes-support/curl/curl/CVE-2017-7468.patch
new file mode 100644
index 0000000..184ed51
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-7468.patch
@@ -0,0 +1,299 @@
+From 33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 22 Mar 2017 01:59:49 -0400
+Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is
+ used
+Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl
+will each have their own sessionid flag.
+Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
+this issue had been fixed in 247d890, CVE-2016-5419.
+Bug: https://github.com/curl/curl/issues/1341
+Reported-by: lijian996@users.noreply.github.com
+CVE: CVE-2017-7468
+Upstream-Status: Backport [backport from curl-7_54_1]
+The new incarnation of this bug is called CVE-2017-7468 and is documented
+here: https://curl.haxx.se/docs/adv_20170419.html
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/url.c            | 5 +++--
+ lib/urldata.h        | 2 +-
+ lib/vtls/axtls.c     | 4 ++--
+ lib/vtls/cyassl.c    | 4 ++--
+ lib/vtls/darwinssl.c | 2 +-
+ lib/vtls/gtls.c      | 4 ++--
+ lib/vtls/mbedtls.c   | 4 ++--
+ lib/vtls/nss.c       | 2 +-
+ lib/vtls/openssl.c   | 4 ++--
+ lib/vtls/polarssl.c  | 4 ++--
+ lib/vtls/schannel.c  | 4 ++--
+ lib/vtls/vtls.c      | 9 ++++++---
+ 12 files changed, 26 insertions(+), 22 deletions(-)
+diff --git a/lib/url.c b/lib/url.c
+index 4609f4f..caa28f5 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -546,7 +546,7 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
+ #endif
+   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+                                                       type */
+-  set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
+  set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
+                                         default */
+   set->proxy_ssl = set->ssl;
+ 
+@@ -2499,8 +2499,9 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
+     break;
+ 
+   case CURLOPT_SSL_SESSIONID_CACHE:
+-    data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
+    data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
+                                       TRUE : FALSE;
+    data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
+     break;
+ 
+ #ifdef USE_LIBSSH2
+diff --git a/lib/urldata.h b/lib/urldata.h
+index bd7d25d..3c94553 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -360,6 +360,7 @@ struct ssl_primary_config {
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+   char *cipher_list;     /* list of ciphers to use */
+  bool sessionid;        /* cache session IDs or not */
+ };
+ 
+ struct ssl_config_data {
+@@ -389,7 +390,6 @@ struct ssl_config_data {
+ };
+ 
+ struct ssl_general_config {
+-  bool sessionid; /* cache session IDs or not */
+   size_t max_ssl_sessions; /* SSL session id cache size */
+ };
+ 
+diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c
+index af01fe3..f0e3766 100644
+--- a/lib/vtls/axtls.c
+++ b/lib/vtls/axtls.c
+@@ -262,7 +262,7 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
+    * 2) setting up callbacks.  these seem gnutls specific
+    */
+ 
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     const uint8_t *ssl_sessionid;
+     size_t ssl_idsize;
+ 
+@@ -392,7 +392,7 @@ static CURLcode connect_finish(struct connectdata *conn, int sockindex)
+   conn->send[sockindex] = axtls_send;
+ 
+   /* Put our freshly minted SSL session in cache */
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     const uint8_t *ssl_sessionid = ssl_get_session_id(ssl);
+     size_t ssl_idsize = ssl_get_session_id_size(ssl);
+     Curl_ssl_sessionid_lock(conn);
+diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
+index 2dfd79d..5f51ad5 100644
+--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
+@@ -398,7 +398,7 @@ cyassl_connect_step1(struct connectdata *conn,
+ #endif /* HAVE_ALPN */
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -618,7 +618,7 @@ cyassl_connect_step3(struct connectdata *conn,
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
+index f8697cc..5533dfe 100644
+--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
+@@ -1644,7 +1644,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
+ #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     char *ssl_sessionid;
+     size_t ssl_sessionid_len;
+ 
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 51a5aa8..0230778 100644
+--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
+@@ -873,7 +873,7 @@ gtls_connect_step1(struct connectdata *conn,
+ 
+   /* This might be a reconnect, so we check for a session ID in the cache
+      to speed up things */
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid;
+     size_t ssl_idsize;
+ 
+@@ -1404,7 +1404,7 @@ gtls_connect_step3(struct connectdata *conn,
+   conn->recv[sockindex] = gtls_recv;
+   conn->send[sockindex] = gtls_send;
+ 
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     /* we always unconditionally get the session id here, as even if we
+        already got it from the cache and asked to use it in the connection, it
+        might've been rejected and then a new one is in use now and we need to
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index edf30db..3ffa957 100644
+--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
+@@ -430,7 +430,7 @@ mbed_connect_step1(struct connectdata *conn,
+ #endif
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -684,7 +684,7 @@ mbed_connect_step3(struct connectdata *conn,
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 1d7047a..4898511 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -1720,7 +1720,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+     goto error;
+ 
+   /* do not use SSL cache if disabled or we are not going to verify peer */
+-  ssl_no_cache = (data->set.general_ssl.sessionid
+  ssl_no_cache = (SSL_SET_OPTION(primary.sessionid)
+                   && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE;
+   if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
+     goto error;
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index ee07615..58a014a 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -2235,7 +2235,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ #endif
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -2965,7 +2965,7 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
+index e6ad525..669091c 100644
+--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
+@@ -375,7 +375,7 @@ polarssl_connect_step1(struct connectdata *conn,
+   ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -603,7 +603,7 @@ polarssl_connect_step3(struct connectdata *conn,
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     int ret;
+     ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index e0fb2d5..c9b5132 100644
+--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
+@@ -188,7 +188,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
+   connssl->cred = NULL;
+ 
+   /* check for an existing re-usable credential handle */
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(conn);
+     if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+       connssl->cred = old_cred;
+@@ -757,7 +757,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+ #endif
+ 
+   /* save the current session data for possible re-use */
+-  if(data->set.general_ssl.sessionid) {
+  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     struct curl_schannel_cred *old_cred = NULL;
+ 
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index c6935b5..d5d0971 100644
+--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
+@@ -122,6 +122,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   CLONE_STRING(egdsocket);
+   CLONE_STRING(random_file);
+   CLONE_STRING(clientcert);
+
+  /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
+  dest->sessionid = (dest->clientcert ? false : source->sessionid);
+   return TRUE;
+ }
+ 
+@@ -308,9 +311,9 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+   int port = isProxy ? (int)conn->port : conn->remote_port;
+   *ssl_sessionid = NULL;
+ 
+-  DEBUGASSERT(data->set.general_ssl.sessionid);
+  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+-  if(!data->set.general_ssl.sessionid)
+  if(!SSL_SET_OPTION(primary.sessionid))
+     /* session ID re-use is disabled */
+     return TRUE;
+ 
+@@ -412,7 +415,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+ 
+-  DEBUGASSERT(data->set.general_ssl.sessionid);
+  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
+   if(!clone_host)
+-- 
+1.9.1
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
new file mode 100644
index 0000000..ec4f997
--- /dev/null
+++ b/recipes-support/curl/curl_%.bbappend
@@ -0,0 +1,5 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://CVE-2017-7468.patch \
+           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-21 13:57:04 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-09-26 15:38:17 +0200
commit	a6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2 (patch)
tree	93cf2f03a7284485bd632366133f1c3ee35053cd
parent	fc56bc51ea79b613d64b0389bf7b4877d3e45cbb (diff)
download	meta-el-common-a6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2.tar.gz

diff --git a/recipes-support/curl/curl/CVE-2017-7468.patch b/recipes-support/curl/curl/CVE-2017-7468.patch new file mode 100644 index 0000000..184ed51 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-7468.patch
@@ -0,0 +1,299 @@
	1	From 33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26 Mon Sep 17 00:00:00 2001
	2	From: Jay Satiro <raysatiro@yahoo.com>
	3	Date: Wed, 22 Mar 2017 01:59:49 -0400
	4	Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is
	5	used
	6
	7	Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl
	8	will each have their own sessionid flag.
	9
	10	Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
	11	this issue had been fixed in 247d890, CVE-2016-5419.
	12
	13	Bug: https://github.com/curl/curl/issues/1341
	14	Reported-by: lijian996@users.noreply.github.com
	15
	16	CVE: CVE-2017-7468
	17	Upstream-Status: Backport [backport from curl-7_54_1]
	18
	19	The new incarnation of this bug is called CVE-2017-7468 and is documented
	20	here: https://curl.haxx.se/docs/adv_20170419.html
	21
	22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	23	---
	24	lib/url.c \| 5 +++--
	25	lib/urldata.h \| 2 +-
	26	lib/vtls/axtls.c \| 4 ++--
	27	lib/vtls/cyassl.c \| 4 ++--
	28	lib/vtls/darwinssl.c \| 2 +-
	29	lib/vtls/gtls.c \| 4 ++--
	30	lib/vtls/mbedtls.c \| 4 ++--
	31	lib/vtls/nss.c \| 2 +-
	32	lib/vtls/openssl.c \| 4 ++--
	33	lib/vtls/polarssl.c \| 4 ++--
	34	lib/vtls/schannel.c \| 4 ++--
	35	lib/vtls/vtls.c \| 9 ++++++---
	36	12 files changed, 26 insertions(+), 22 deletions(-)
	37
	38	diff --git a/lib/url.c b/lib/url.c
	39	index 4609f4f..caa28f5 100644
	40	--- a/lib/url.c
	41	+++ b/lib/url.c
	42	@@ -546,7 +546,7 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
	43	#endif
	44	set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
	45	type */
	46	- set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
	47	+ set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
	48	default */
	49	set->proxy_ssl = set->ssl;
	50
	51	@@ -2499,8 +2499,9 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
	52	break;
	53
	54	case CURLOPT_SSL_SESSIONID_CACHE:
	55	- data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
	56	+ data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
	57	TRUE : FALSE;
	58	+ data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
	59	break;
	60
	61	#ifdef USE_LIBSSH2
	62	diff --git a/lib/urldata.h b/lib/urldata.h
	63	index bd7d25d..3c94553 100644
	64	--- a/lib/urldata.h
	65	+++ b/lib/urldata.h
	66	@@ -360,6 +360,7 @@ struct ssl_primary_config {
	67	char random_file; / path to file containing "random" data */
	68	char egdsocket; / path to file containing the EGD daemon socket */
	69	char cipher_list; / list of ciphers to use */
	70	+ bool sessionid; /* cache session IDs or not */
	71	};
	72
	73	struct ssl_config_data {
	74	@@ -389,7 +390,6 @@ struct ssl_config_data {
	75	};
	76
	77	struct ssl_general_config {
	78	- bool sessionid; /* cache session IDs or not */
	79	size_t max_ssl_sessions; /* SSL session id cache size */
	80	};
	81
	82	diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c
	83	index af01fe3..f0e3766 100644
	84	--- a/lib/vtls/axtls.c
	85	+++ b/lib/vtls/axtls.c
	86	@@ -262,7 +262,7 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
	87	* 2) setting up callbacks. these seem gnutls specific
	88	*/
	89
	90	- if(data->set.general_ssl.sessionid) {
	91	+ if(SSL_SET_OPTION(primary.sessionid)) {
	92	const uint8_t *ssl_sessionid;
	93	size_t ssl_idsize;
	94
	95	@@ -392,7 +392,7 @@ static CURLcode connect_finish(struct connectdata *conn, int sockindex)
	96	conn->send[sockindex] = axtls_send;
	97
	98	/* Put our freshly minted SSL session in cache */
	99	- if(data->set.general_ssl.sessionid) {
	100	+ if(SSL_SET_OPTION(primary.sessionid)) {
	101	const uint8_t *ssl_sessionid = ssl_get_session_id(ssl);
	102	size_t ssl_idsize = ssl_get_session_id_size(ssl);
	103	Curl_ssl_sessionid_lock(conn);
	104	diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
	105	index 2dfd79d..5f51ad5 100644
	106	--- a/lib/vtls/cyassl.c
	107	+++ b/lib/vtls/cyassl.c
	108	@@ -398,7 +398,7 @@ cyassl_connect_step1(struct connectdata *conn,
	109	#endif /* HAVE_ALPN */
	110
	111	/* Check if there's a cached ID we can/should use here! */
	112	- if(data->set.general_ssl.sessionid) {
	113	+ if(SSL_SET_OPTION(primary.sessionid)) {
	114	void *ssl_sessionid = NULL;
	115
	116	Curl_ssl_sessionid_lock(conn);
	117	@@ -618,7 +618,7 @@ cyassl_connect_step3(struct connectdata *conn,
	118
	119	DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
	120
	121	- if(data->set.general_ssl.sessionid) {
	122	+ if(SSL_SET_OPTION(primary.sessionid)) {
	123	bool incache;
	124	SSL_SESSION *our_ssl_sessionid;
	125	void *old_ssl_sessionid = NULL;
	126	diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
	127	index f8697cc..5533dfe 100644
	128	--- a/lib/vtls/darwinssl.c
	129	+++ b/lib/vtls/darwinssl.c
	130	@@ -1644,7 +1644,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
	131	#endif /* CURL_BUILD_MAC_10_9 \|\| CURL_BUILD_IOS_7 */
	132
	133	/* Check if there's a cached ID we can/should use here! */
	134	- if(data->set.general_ssl.sessionid) {
	135	+ if(SSL_SET_OPTION(primary.sessionid)) {
	136	char *ssl_sessionid;
	137	size_t ssl_sessionid_len;
	138
	139	diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
	140	index 51a5aa8..0230778 100644
	141	--- a/lib/vtls/gtls.c
	142	+++ b/lib/vtls/gtls.c
	143	@@ -873,7 +873,7 @@ gtls_connect_step1(struct connectdata *conn,
	144
	145	/* This might be a reconnect, so we check for a session ID in the cache
	146	to speed up things */
	147	- if(data->set.general_ssl.sessionid) {
	148	+ if(SSL_SET_OPTION(primary.sessionid)) {
	149	void *ssl_sessionid;
	150	size_t ssl_idsize;
	151
	152	@@ -1404,7 +1404,7 @@ gtls_connect_step3(struct connectdata *conn,
	153	conn->recv[sockindex] = gtls_recv;
	154	conn->send[sockindex] = gtls_send;
	155
	156	- if(data->set.general_ssl.sessionid) {
	157	+ if(SSL_SET_OPTION(primary.sessionid)) {
	158	/* we always unconditionally get the session id here, as even if we
	159	already got it from the cache and asked to use it in the connection, it
	160	might've been rejected and then a new one is in use now and we need to
	161	diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
	162	index edf30db..3ffa957 100644
	163	--- a/lib/vtls/mbedtls.c
	164	+++ b/lib/vtls/mbedtls.c
	165	@@ -430,7 +430,7 @@ mbed_connect_step1(struct connectdata *conn,
	166	#endif
	167
	168	/* Check if there's a cached ID we can/should use here! */
	169	- if(data->set.general_ssl.sessionid) {
	170	+ if(SSL_SET_OPTION(primary.sessionid)) {
	171	void *old_session = NULL;
	172
	173	Curl_ssl_sessionid_lock(conn);
	174	@@ -684,7 +684,7 @@ mbed_connect_step3(struct connectdata *conn,
	175
	176	DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
	177
	178	- if(data->set.general_ssl.sessionid) {
	179	+ if(SSL_SET_OPTION(primary.sessionid)) {
	180	int ret;
	181	mbedtls_ssl_session *our_ssl_sessionid;
	182	void *old_ssl_sessionid = NULL;
	183	diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
	184	index 1d7047a..4898511 100644
	185	--- a/lib/vtls/nss.c
	186	+++ b/lib/vtls/nss.c
	187	@@ -1720,7 +1720,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
	188	goto error;
	189
	190	/* do not use SSL cache if disabled or we are not going to verify peer */
	191	- ssl_no_cache = (data->set.general_ssl.sessionid
	192	+ ssl_no_cache = (SSL_SET_OPTION(primary.sessionid)
	193	&& SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE;
	194	if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
	195	goto error;
	196	diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
	197	index ee07615..58a014a 100644
	198	--- a/lib/vtls/openssl.c
	199	+++ b/lib/vtls/openssl.c
	200	@@ -2235,7 +2235,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
	201	#endif
	202
	203	/* Check if there's a cached ID we can/should use here! */
	204	- if(data->set.general_ssl.sessionid) {
	205	+ if(SSL_SET_OPTION(primary.sessionid)) {
	206	void *ssl_sessionid = NULL;
	207
	208	Curl_ssl_sessionid_lock(conn);
	209	@@ -2965,7 +2965,7 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
	210
	211	DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
	212
	213	- if(data->set.general_ssl.sessionid) {
	214	+ if(SSL_SET_OPTION(primary.sessionid)) {
	215	bool incache;
	216	SSL_SESSION *our_ssl_sessionid;
	217	void *old_ssl_sessionid = NULL;
	218	diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
	219	index e6ad525..669091c 100644
	220	--- a/lib/vtls/polarssl.c
	221	+++ b/lib/vtls/polarssl.c
	222	@@ -375,7 +375,7 @@ polarssl_connect_step1(struct connectdata *conn,
	223	ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
	224
	225	/* Check if there's a cached ID we can/should use here! */
	226	- if(data->set.general_ssl.sessionid) {
	227	+ if(SSL_SET_OPTION(primary.sessionid)) {
	228	void *old_session = NULL;
	229
	230	Curl_ssl_sessionid_lock(conn);
	231	@@ -603,7 +603,7 @@ polarssl_connect_step3(struct connectdata *conn,
	232
	233	DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
	234
	235	- if(data->set.general_ssl.sessionid) {
	236	+ if(SSL_SET_OPTION(primary.sessionid)) {
	237	int ret;
	238	ssl_session *our_ssl_sessionid;
	239	void *old_ssl_sessionid = NULL;
	240	diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
	241	index e0fb2d5..c9b5132 100644
	242	--- a/lib/vtls/schannel.c
	243	+++ b/lib/vtls/schannel.c
	244	@@ -188,7 +188,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
	245	connssl->cred = NULL;
	246
	247	/* check for an existing re-usable credential handle */
	248	- if(data->set.general_ssl.sessionid) {
	249	+ if(SSL_SET_OPTION(primary.sessionid)) {
	250	Curl_ssl_sessionid_lock(conn);
	251	if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
	252	connssl->cred = old_cred;
	253	@@ -757,7 +757,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
	254	#endif
	255
	256	/* save the current session data for possible re-use */
	257	- if(data->set.general_ssl.sessionid) {
	258	+ if(SSL_SET_OPTION(primary.sessionid)) {
	259	bool incache;
	260	struct curl_schannel_cred *old_cred = NULL;
	261
	262	diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
	263	index c6935b5..d5d0971 100644
	264	--- a/lib/vtls/vtls.c
	265	+++ b/lib/vtls/vtls.c
	266	@@ -122,6 +122,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
	267	CLONE_STRING(egdsocket);
	268	CLONE_STRING(random_file);
	269	CLONE_STRING(clientcert);
	270	+
	271	+ /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
	272	+ dest->sessionid = (dest->clientcert ? false : source->sessionid);
	273	return TRUE;
	274	}
	275
	276	@@ -308,9 +311,9 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
	277	int port = isProxy ? (int)conn->port : conn->remote_port;
	278	*ssl_sessionid = NULL;
	279
	280	- DEBUGASSERT(data->set.general_ssl.sessionid);
	281	+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
	282
	283	- if(!data->set.general_ssl.sessionid)
	284	+ if(!SSL_SET_OPTION(primary.sessionid))
	285	/* session ID re-use is disabled */
	286	return TRUE;
	287
	288	@@ -412,7 +415,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
	289	&conn->proxy_ssl_config :
	290	&conn->ssl_config;
	291
	292	- DEBUGASSERT(data->set.general_ssl.sessionid);
	293	+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
	294
	295	clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
	296	if(!clone_host)
	297	--
	298	1.9.1
	299


diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend new file mode 100644 index 0000000..ec4f997 --- /dev/null +++ b/recipes-support/curl/curl_%.bbappend
@@ -0,0 +1,5 @@
	1	# look for files in the layer first
	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	3
	4	SRC_URI += "file://CVE-2017-7468.patch \
	5	"