author | Trevor Gamblin <trevor.gamblin@windriver.com> | 2021-06-01 11:09:27 -0400 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-06-02 23:32:44 +0100 |
commit | fd5a86fa80290fe7bf21817c43f34d39db33d525 (patch) | |
tree | 2cef894073e22cac4b1d5b6e7a938aaf96b84854 | |
parent | e86a1ca689b80355dd852ae9a7a4511b14b929de (diff) | |
download | poky-fd5a86fa80290fe7bf21817c43f34d39db33d525.tar.gz |
curl: fix CVE-2021-22890
Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make
it apply cleanly on 7.75.
CVE: CVE-2021-22890
(From OE-Core rev: b11dc35cce0449623182ecf044c4a49664119b9c)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch | 517 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.75.0.bb | 1 |
2 files changed, 518 insertions, 0 deletions
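--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
@@ -0,0 +1,517 @@
+From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Tue, 1 Jun 2021 09:50:20 -0400
+Subject: [PATCH 1/2] vtls: add 'isproxy' argument to
+Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+
+CVE-2021-22890
+
+Upstream-Status: Backport
+(https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+lib/vtls/bearssl.c | 8 +++++--
+lib/vtls/gtls.c | 12 ++++++----
+lib/vtls/mbedtls.c | 12 ++++++----
+lib/vtls/mesalink.c | 14 ++++++++----
+lib/vtls/openssl.c | 54 +++++++++++++++++++++++++++++++++-----------
+lib/vtls/schannel.c | 10 ++++----
+lib/vtls/sectransp.c | 10 ++++----
+lib/vtls/vtls.c | 12 +++++++---
+lib/vtls/vtls.h | 2 ++
+lib/vtls/wolfssl.c | 28 +++++++++++++----------
+10 files changed, 111 insertions(+), 51 deletions(-)
+
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 29b08c0e6..0432dfadc 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
+void *session;
+
+Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &session, NULL, sockindex)) {
+br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
+infof(data, "BearSSL: re-using session ID\n");
+}
+@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data,
+br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
+Curl_ssl_sessionid_lock(data);
+incache = !(Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
+&oldsession, NULL, sockindex));
+if(incache)
+Curl_ssl_delsessionid(data, oldsession);
+- ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
++ ret = Curl_ssl_addsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ session, 0, sockindex);
+Curl_ssl_sessionid_unlock(data);
+if(ret) {
+free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 3ddee1974..28ca528a6 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -733,6 +733,7 @@ gtls_connect_step1(struct Curl_easy *data,
+
+Curl_ssl_sessionid_lock(data);
+if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
+&ssl_sessionid, &ssl_idsize, sockindex)) {
+/* we got a session id, use it! */
+gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+@@ -1292,8 +1293,9 @@ gtls_connect_step3(struct Curl_easy *data,
+gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+
+Curl_ssl_sessionid_lock(data);
+- incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
+- sockindex));
++ incache = !(Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex));
+if(incache) {
+/* there was one before in the cache, so instead of risking that the
+previous one was rejected, we just kill that and store the new */
+@@ -1301,8 +1303,10 @@ gtls_connect_step3(struct Curl_easy *data,
+}
+
+/* store this session id */
+- result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
+- connect_idsize, sockindex);
++ result = Curl_ssl_addsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ connect_sessionid, connect_idsize,
++ sockindex);
+Curl_ssl_sessionid_unlock(data);
+if(result) {
+free(connect_sessionid);
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index fc3a948d1..bd0e0802e 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+void *old_session = NULL;
+
+Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &old_session, NULL, sockindex)) {
+ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
+if(ret) {
+Curl_ssl_sessionid_unlock(data);
+@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+int ret;
+mbedtls_ssl_session *our_ssl_sessionid;
+void *old_ssl_sessionid = NULL;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+if(!our_ssl_sessionid)
+@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+
+/* If there's already a matching session in the cache, delete it */
+Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
++ if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++ sockindex))
+Curl_ssl_delsessionid(data, old_ssl_sessionid);
+
+- retcode = Curl_ssl_addsessionid(data, conn,
+- our_ssl_sessionid, 0, sockindex);
++ retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++ 0, sockindex);
+Curl_ssl_sessionid_unlock(data);
+if(retcode) {
+mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index b6d1005ec..ad807d3ba 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data,
+void *ssl_sessionid = NULL;
+
+Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+/* we got a session id, use it! */
+if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+Curl_ssl_sessionid_unlock(data);
+@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+bool incache;
+SSL_SESSION *our_ssl_sessionid;
+void *old_ssl_sessionid = NULL;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+
+Curl_ssl_sessionid_lock(data);
+incache =
+- !(Curl_ssl_getsessionid(data, conn,
+- &old_ssl_sessionid, NULL, sockindex));
++ !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++ sockindex));
+if(incache) {
+if(old_ssl_sessionid != our_ssl_sessionid) {
+infof(data, "old SSL session ID is stale, removing\n");
+@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+}
+
+if(!incache) {
+- result = Curl_ssl_addsessionid(
+- data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++ result =
++ Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0,
++ sockindex);
+if(result) {
+Curl_ssl_sessionid_unlock(data);
+failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 784d9f70e..8304264d3 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -391,12 +391,23 @@ static int ossl_get_ssl_conn_index(void)
+*/
+static int ossl_get_ssl_sockindex_index(void)
+{
+- static int ssl_ex_data_sockindex_index = -1;
+- if(ssl_ex_data_sockindex_index < 0) {
+- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+- NULL);
++ static int sockindex_index = -1;
++ if(sockindex_index < 0) {
++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+}
+- return ssl_ex_data_sockindex_index;
++ return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++ static int proxy_index = -1;
++ if(proxy_index < 0) {
++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++ }
++ return proxy_index;
+}
+
+static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1172,7 +1183,7 @@ static int ossl_init(void)
+
+/* Initialize the extra data indexes */
+if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
+- ossl_get_ssl_sockindex_index() < 0)
++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
+return 0;
+
+return 1;
+@@ -2455,8 +2466,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+int data_idx = ossl_get_ssl_data_index();
+int connectdata_idx = ossl_get_ssl_conn_index();
+int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
++ bool isproxy;
+
+- if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
++ if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+return 0;
+
+conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2469,13 +2482,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+sockindex = (int)(sockindex_ptr - conn->sock);
+
++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+if(SSL_SET_OPTION(primary.sessionid)) {
+bool incache;
+void *old_ssl_sessionid = NULL;
+
+Curl_ssl_sessionid_lock(data);
+- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+- sockindex));
++ if(isproxy)
++ incache = FALSE;
++ else
++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++ &old_ssl_sessionid, NULL, sockindex));
+if(incache) {
+if(old_ssl_sessionid != ssl_sessionid) {
+infof(data, "old SSL session ID is stale, removing\n");
+@@ -2485,8 +2503,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+}
+
+if(!incache) {
+- if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
+- 0 /* unknown size */, sockindex)) {
++ if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
++ 0 /* unknown size */, sockindex)) {
+/* the session has been put into the session cache */
+res = 1;
+}
+@@ -3212,17 +3230,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+int data_idx = ossl_get_ssl_data_index();
+int connectdata_idx = ossl_get_ssl_conn_index();
+int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
+
+- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++ proxy_idx >= 0) {
+/* Store the data needed for the "new session" callback.
+* The sockindex is stored as a pointer to an array element. */
+SSL_set_ex_data(backend->handle, data_idx, data);
+SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++ NULL);
++#else
++ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++
+}
+
+Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+/* we got a session id, use it! */
+if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+Curl_ssl_sessionid_unlock(data);
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 0668f98f2..bd27ba0bf 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+if(SSL_SET_OPTION(primary.sessionid)) {
+Curl_ssl_sessionid_lock(data);
+if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
+(void **)&old_cred, NULL, sockindex)) {
+BACKEND->cred = old_cred;
+DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+SECURITY_STATUS sspi_status = SEC_E_OK;
+CERT_CONTEXT *ccert_context = NULL;
++ bool isproxy = SSL_IS_PROXY();
+#ifdef DEBUGBUILD
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+conn->host.name;
+#endif
+#ifdef HAS_ALPN
+@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+struct Curl_schannel_cred *old_cred = NULL;
+
+Curl_ssl_sessionid_lock(data);
+- incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
+- sockindex));
++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred,
++ NULL, sockindex));
+if(incache) {
+if(old_cred != BACKEND->cred) {
+DEBUGF(infof(data,
+@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+}
+}
+if(!incache) {
+- result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
++ result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred,
+sizeof(struct Curl_schannel_cred),
+sockindex);
+if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 9a8f7de8d..6d1ea7e7b 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+#ifndef CURL_DISABLE_PROXY
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ bool isproxy = SSL_IS_PROXY();
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+conn->host.name;
+const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+#else
++ const isproxy = FALSE;
+const char * const hostname = conn->host.name;
+const long int port = conn->remote_port;
+#endif
+@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+#ifdef USE_NGHTTP2
+if(data->set.httpversion >= CURL_HTTP_VERSION_2
+#ifndef CURL_DISABLE_PROXY
+- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
++ && (!isproxy || !conn->bits.tunnel_proxy)
+#endif
+) {
+CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+size_t ssl_sessionid_len;
+
+Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
++ if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
+&ssl_sessionid_len, sockindex)) {
+/* we got a session id, use it! */
+err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+return CURLE_SSL_CONNECT_ERROR;
+}
+
+- result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
++ result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
+ssl_sessionid_len, sockindex);
+Curl_ssl_sessionid_unlock(data);
+if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index b8ab7494f..8ccc1f2e4 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
+*/
+bool Curl_ssl_getsessionid(struct Curl_easy *data,
+struct connectdata *conn,
++ const bool isProxy,
+void **ssl_sessionid,
+size_t *idsize, /* set 0 if unknown */
+int sockindex)
+@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+bool no_match = TRUE;
+
+#ifndef CURL_DISABLE_PROXY
+- const bool isProxy = CONNECT_PROXY_SSL();
+struct ssl_primary_config * const ssl_config = isProxy ?
+&conn->proxy_ssl_config :
+&conn->ssl_config;
+@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+const char * const name = conn->host.name;
+int port = conn->remote_port;
+- (void)sockindex;
+#endif
++ (void)sockindex;
+*ssl_sessionid = NULL;
+
++#ifdef CURL_DISABLE_PROXY
++ if(isProxy)
++ return TRUE;
++#endif
++
+DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+if(!SSL_SET_OPTION(primary.sessionid))
+@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
+*/
+CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+struct connectdata *conn,
++ bool isProxy,
+void *ssl_sessionid,
+size_t idsize,
+int sockindex)
+@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+int conn_to_port;
+long *general_age;
+#ifndef CURL_DISABLE_PROXY
+- const bool isProxy = CONNECT_PROXY_SSL();
+struct ssl_primary_config * const ssl_config = isProxy ?
+&conn->proxy_ssl_config :
+&conn->ssl_config;
+@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+const char *hostname = conn->host.name;
+(void)sockindex;
+#endif
++ (void)sockindex;
+DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+clone_host = strdup(hostname);
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index 9666682ec..4dc29794c 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -222,6 +222,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
+*/
+bool Curl_ssl_getsessionid(struct Curl_easy *data,
+struct connectdata *conn,
++ const bool isproxy,
+void **ssl_sessionid,
+size_t *idsize, /* set 0 if unknown */
+int sockindex);
+@@ -232,6 +233,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+*/
+CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+struct connectdata *conn,
++ const bool isProxy,
+void *ssl_sessionid,
+size_t idsize,
+int sockindex);
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index e1fa45926..e4c70877f 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+void *ssl_sessionid = NULL;
+
+Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+/* we got a session id, use it! */
+if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+void *old_ssl_sessionid = NULL;
+
+our_ssl_sessionid = SSL_get_session(backend->handle);
+-
+- Curl_ssl_sessionid_lock(data);
+- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+- sockindex));
+- if(incache) {
+- if(old_ssl_sessionid != our_ssl_sessionid) {
+- infof(data, "old SSL session ID is stale, removing\n");
+- Curl_ssl_delsessionid(data, old_ssl_sessionid);
+- incache = FALSE;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
++
++ if(our_ssl_sessionid) {
++ Curl_ssl_sessionid_lock(data);
++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++ &old_ssl_sessionid, NULL, sockindex));
++ if(incache) {
++ if(old_ssl_sessionid != our_ssl_sessionid) {
++ infof(data, "old SSL session ID is stale, removing\n");
++ Curl_ssl_delsessionid(data, old_ssl_sessionid);
++ incache = FALSE;
+}
+}
+
+if(!incache) {
+- result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
+- 0 /* unknown size */, sockindex);
++ result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++ 0, sockindex);
+if(result) {
+Curl_ssl_sessionid_unlock(data);
+failf(data, "failed to store ssl session");
+--
+2.31.1
+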
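Review bot: The patch header (file line 12) carries only the bare id `CVE-2021-22890`, not the `CVE: CVE-2021-22890` tag that OE's cve-check class looks for inside patch files (the file name carries no id either), so as far as I can tell this backport will not be recorded as fixing the CVE even though the commit message has the tag; adding the line `CVE: CVE-2021-22890` to the patch header fixes that. In the sectransp.c hunk the `#else` branch declares `const isproxy = FALSE;` with no type, which relies on implicit int and will not build under C99-strict or -Werror in CURL_DISABLE_PROXY configurations; it should read `const bool isproxy = FALSE;` (presumably inherited from the upstream commit, and this backend is not built by poky, but it is worth not carrying). In the wolfssl.c step3 hunk, `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` is placed after the `our_ssl_sessionid = SSL_get_session(backend->handle);` statement, a declaration-after-statement that curl's C89-style code base avoids; move it up with the other locals as the mbedtls.c and mesalink.c hunks do. The vtls.h prototypes also spell the new parameter `isproxy` for Curl_ssl_getsessionid and `isProxy` for Curl_ssl_addsessionid, which is worth unifying.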
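--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
 
 SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 file://0001-replace-krb5-config-with-pkg-config.patch \
+file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \
 "
 
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"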
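Review bot: Only `file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch` is added to SRC_URI, while that patch's own subject line reads `[PATCH 1/2]`, which suggests the backporter's series had a second patch that is not part of this commit. If the companion change belongs to the CVE-2021-22890 fix it has not been carried here, so it is worth confirming against the upstream commit named in the patch header that this single patch is the complete fix; if it belongs to a different issue, the `1/2` in the subject is merely misleading and could be dropped when the patch is regenerated.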