author | Mike Crowe <mac@mcrowe.com> | 2021-04-06 13:53:42 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-04-23 10:41:15 +0100 |
commit | 7115641813edcc5ff5c055e7c06889f93b4a46e7 (patch) | |
tree | 4a28db83b2d53d47f4a9a3c83451f14c5dce9498 /meta/recipes-support | |
parent | f8c3d7aeb3ee105c41520490bd2edf4eb41c6384 (diff) | |
curl: Patch CVE-2021-22876 & CVE-2021-22890
Take the patches from Ubuntu 20.04's curl 7.68.0-1ubuntu2.5; that version is close enough
to 7.69.1 that they apply without conflicts.
(From OE-Core rev: 134a27d05f06791b738bb801e68b6916477add04)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22876.patch | 59 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22890.patch | 464 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.69.1.bb | 2 |
3 files changed, 525 insertions, 0 deletions
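--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
@@ -0,0 +1,59 @@
+transfer: strip credentials from the auto-referer header field
+
+CVE-2021-22876
+
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+Upstream-Status: backport
+---
+lib/transfer.c | 25 +++++++++++++++++++++++--
+1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index e76834eb3..744e1c00b 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+data->set.followlocation++; /* count location-followers */
+
+if(data->set.http_auto_referer) {
++ CURLU *u;
++ char *referer;
++
+/* We are asked to automatically set the previous URL as the referer
+when we get the next URL. We pick the ->url field, which may or may
+not be 100% correct */
+@@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+data->change.referer_alloc = FALSE;
+}
+
+- data->change.referer = strdup(data->change.url);
+- if(!data->change.referer)
++ /* Make a copy of the URL without crenditals and fragment */
++ u = curl_url();
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
++
++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++ curl_url_cleanup(u);
++
++ if(uc || referer == NULL)
+return CURLE_OUT_OF_MEMORY;
++
++ data->change.referer = referer;
+data->change.referer_alloc = TRUE; /* yes, free this later */
+}
+}
+--
+2.20.1
+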
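Review bot: `referer` is declared at patch line 22 without an initializer, and the only thing that keeps the later `if(uc || referer == NULL)` from reading it uninitialized is that `uc ||` short-circuits on every failure path before `curl_url_get` runs; `char *referer = NULL;` makes that safe independently of the evaluation order. `uc` itself is not declared anywhere in the hunk, so it presumably comes from Curl_follow's existing locals — the function starts and ends outside the hunk, so confirm the declaration exists in the 7.69.1 tree. Every CURLUcode failure, including a malformed `data->change.url` rejected by `curl_url_set(CURLUPART_URL)`, is also reported as CURLE_OUT_OF_MEMORY, which will misdirect anyone debugging a failed redirect; if 7.69.1 already carries a CURLUcode-to-CURLcode mapping helper it would be preferable to use it here. The comment typo `crenditals` should read `credentials`.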
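--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22890.patch
@@ -0,0 +1,464 @@
+vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+
+CVE-2021-22890
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+Upstream-Status: backport
+---
+lib/vtls/bearssl.c | 9 +++++---
+lib/vtls/gtls.c | 9 +++++---
+lib/vtls/mbedtls.c | 8 ++++---
+lib/vtls/mesalink.c | 9 +++++---
+lib/vtls/openssl.c | 52 ++++++++++++++++++++++++++++++++++----------
+lib/vtls/schannel.c | 10 +++++----
+lib/vtls/sectransp.c | 9 ++++----
+lib/vtls/vtls.c | 9 ++++++--
+lib/vtls/vtls.h | 2 ++
+lib/vtls/wolfssl.c | 8 ++++---
+10 files changed, 88 insertions(+), 37 deletions(-)
+
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 67f945831..32cb0a4c2 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -372,7 +372,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
+void *session;
+
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &session, NULL, sockindex)) {
+br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session);
+infof(data, "BearSSL: re-using session ID\n");
+}
+@@ -560,10 +561,12 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex)
+return CURLE_OUT_OF_MEMORY;
+br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session);
+Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &oldsession, NULL, sockindex));
+if(incache)
+Curl_ssl_delsessionid(conn, oldsession);
+- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
++ ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ session, 0, sockindex);
+Curl_ssl_sessionid_unlock(conn);
+if(ret) {
+free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5f740eeba..46e149c7d 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -937,7 +937,8 @@ gtls_connect_step1(struct connectdata *conn,
+size_t ssl_idsize;
+
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, &ssl_idsize, sockindex)) {
+/* we got a session id, use it! */
+gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+
+@@ -1485,7 +1486,8 @@ gtls_connect_step3(struct connectdata *conn,
+gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+
+Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL,
+sockindex));
+if(incache) {
+/* there was one before in the cache, so instead of risking that the
+@@ -1494,7 +1496,8 @@ gtls_connect_step3(struct connectdata *conn,
+}
+
+/* store this session id */
+- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
++ result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ connect_sessionid, connect_idsize,
+sockindex);
+Curl_ssl_sessionid_unlock(conn);
+if(result) {
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index f057315f3..19df8478e 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *conn,
+void *old_session = NULL;
+
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &old_session, NULL, sockindex)) {
+ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session);
+if(ret) {
+Curl_ssl_sessionid_unlock(conn);
+@@ -709,6 +710,7 @@ mbed_connect_step3(struct connectdata *conn,
+int ret;
+mbedtls_ssl_session *our_ssl_sessionid;
+void *old_ssl_sessionid = NULL;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+if(!our_ssl_sessionid)
+@@ -727,10 +729,10 @@ mbed_connect_step3(struct connectdata *conn,
+
+/* If there's already a matching session in the cache, delete it */
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
++ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex))
+Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+
+- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
++ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex);
+Curl_ssl_sessionid_unlock(conn);
+if(retcode) {
+mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index cab1e390b..79d1e3dfa 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
+void *ssl_sessionid = NULL;
+
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+/* we got a session id, use it! */
+if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+Curl_ssl_sessionid_unlock(conn);
+@@ -347,12 +348,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+bool incache;
+SSL_SESSION *our_ssl_sessionid;
+void *old_ssl_sessionid = NULL;
++ bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+
+Curl_ssl_sessionid_lock(conn);
+incache =
+- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
++ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
++ NULL, sockindex));
+if(incache) {
+if(old_ssl_sessionid != our_ssl_sessionid) {
+infof(data, "old SSL session ID is stale, removing\n");
+@@ -363,7 +366,7 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+
+if(!incache) {
+result = Curl_ssl_addsessionid(
+- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++ conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);
+if(result) {
+Curl_ssl_sessionid_unlock(conn);
+failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1d09cadca..64f43605a 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void)
+*/
+static int ossl_get_ssl_sockindex_index(void)
+{
+- static int ssl_ex_data_sockindex_index = -1;
+- if(ssl_ex_data_sockindex_index < 0) {
+- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+- NULL);
++ static int sockindex_index = -1;
++ if(sockindex_index < 0) {
++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+}
+- return ssl_ex_data_sockindex_index;
++ return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++ static int proxy_index = -1;
++ if(proxy_index < 0) {
++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++ }
++ return proxy_index;
+}
+
+static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void)
+#endif
+
+/* Initialize the extra data indexes */
+- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
++ if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 ||
++ ossl_get_proxy_index() < 0)
+return 0;
+
+return 1;
+@@ -2341,8 +2353,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+curl_socket_t *sockindex_ptr;
+int connectdata_idx = ossl_get_ssl_conn_index();
+int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
++ bool isproxy;
+
+- if(connectdata_idx < 0 || sockindex_idx < 0)
++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+return 0;
+
+conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2355,13 +2369,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+sockindex = (int)(sockindex_ptr - conn->sock);
+
++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+if(SSL_SET_OPTION(primary.sessionid)) {
+bool incache;
+void *old_ssl_sessionid = NULL;
+
+Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+- sockindex));
++ if(isproxy)
++ incache = FALSE;
++ else
++ incache = !(Curl_ssl_getsessionid(conn, isproxy,
++ &old_ssl_sessionid, NULL, sockindex));
+if(incache) {
+if(old_ssl_sessionid != ssl_sessionid) {
+infof(data, "old SSL session ID is stale, removing\n");
+@@ -2371,7 +2390,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+}
+
+if(!incache) {
+- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+0 /* unknown size */, sockindex)) {
+/* the session has been put into the session cache */
+res = 1;
+@@ -2868,16 +2887,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+void *ssl_sessionid = NULL;
+int connectdata_idx = ossl_get_ssl_conn_index();
+int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
+
+- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
+/* Store the data needed for the "new session" callback.
+* The sockindex is stored as a pointer to an array element. */
+SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
+SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++ SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++ NULL);
++#else
++ SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL);
++#endif
++
+}
+
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+/* we got a session id, use it! */
+if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+Curl_ssl_sessionid_unlock(conn);
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index f665ee340..a354ce95d 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -487,7 +487,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
+/* check for an existing re-usable credential handle */
+if(SSL_SET_OPTION(primary.sessionid)) {
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ (void **)&old_cred, NULL, sockindex)) {
+BACKEND->cred = old_cred;
+DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+
+@@ -1193,8 +1194,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+SECURITY_STATUS sspi_status = SEC_E_OK;
+CERT_CONTEXT *ccert_context = NULL;
++ bool isproxy = SSL_IS_PROXY();
+#ifdef DEBUGBUILD
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+conn->host.name;
+#endif
+#ifdef HAS_ALPN
+@@ -1268,7 +1270,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+struct curl_schannel_cred *old_cred = NULL;
+
+Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL,
+sockindex));
+if(incache) {
+if(old_cred != BACKEND->cred) {
+@@ -1280,7 +1282,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+}
+}
+if(!incache) {
+- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
++ result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred,
+sizeof(struct curl_schannel_cred),
+sockindex);
+if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 7dd028fb7..9c67d465a 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+char * const ssl_cert = SSL_SET_OPTION(cert);
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ bool isproxy = SSL_IS_PROXY();
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+conn->host.name;
+const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+#ifdef ENABLE_IPV6
+@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+
+#ifdef USE_NGHTTP2
+if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
+- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
++ (!isproxy || !conn->bits.tunnel_proxy)) {
+CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
+}
+@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+size_t ssl_sessionid_len;
+
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
++ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
+&ssl_sessionid_len, sockindex)) {
+/* we got a session id, use it! */
+err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1944,7 +1945,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+return CURLE_SSL_CONNECT_ERROR;
+}
+
+- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
++ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len,
+sockindex);
+Curl_ssl_sessionid_unlock(conn);
+if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index dfefa1bd5..aaf73ef8f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
+* there's one suitable, it is provided. Returns TRUE when no entry matched.
+*/
+bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isProxy,
+void **ssl_sessionid,
+size_t *idsize, /* set 0 if unknown */
+int sockindex)
+@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+long *general_age;
+bool no_match = TRUE;
+
+- const bool isProxy = CONNECT_PROXY_SSL();
+struct ssl_primary_config * const ssl_config = isProxy ?
+&conn->proxy_ssl_config :
+&conn->ssl_config;
+@@ -324,6 +324,11 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+int port = isProxy ? (int)conn->port : conn->remote_port;
+*ssl_sessionid = NULL;
+
++#ifdef CURL_DISABLE_PROXY
++ if(isProxy)
++ return TRUE;
++#endif
++
+DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+if(!SSL_SET_OPTION(primary.sessionid))
+@@ -411,6 +416,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
+* later on.
+*/
+CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ bool isProxy,
+void *ssl_sessionid,
+size_t idsize,
+int sockindex)
+@@ -423,7 +429,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+char *clone_conn_to_host;
+int conn_to_port;
+long *general_age;
+- const bool isProxy = CONNECT_PROXY_SSL();
+struct ssl_primary_config * const ssl_config = isProxy ?
+&conn->proxy_ssl_config :
+&conn->ssl_config;
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index a81b2f22d..a5e348752 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
+* under sessionid mutex).
+*/
+bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isproxy,
+void **ssl_sessionid,
+size_t *idsize, /* set 0 if unknown */
+int sockindex);
+@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+* object with cache (e.g. incrementing refcount on success)
+*/
+CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ const bool isProxy,
+void *ssl_sessionid,
+size_t idsize,
+int sockindex);
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index 8c2d3f4a2..dd9f907ff 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata *conn,
+void *ssl_sessionid = NULL;
+
+Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+/* we got a session id, use it! */
+if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -618,9 +619,10 @@ wolfssl_connect_step3(struct connectdata *conn,
+void *old_ssl_sessionid = NULL;
+
+our_ssl_sessionid = SSL_get_session(BACKEND->handle);
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
+sockindex));
+if(incache) {
+if(old_ssl_sessionid != our_ssl_sessionid) {
+@@ -631,7 +633,7 @@ wolfssl_connect_step3(struct connectdata *conn,
+}
+
+if(!incache) {
+- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
++ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid,
+0 /* unknown size */, sockindex);
+if(result) {
+Curl_ssl_sessionid_unlock(conn);
+--
+2.20.1
+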
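Review bot: The mesalink.c hunk of the embedded patch declares `bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;` (patch line 141) but the two call sites it rewrites pass `isproxy` (patch lines 148 and 158), so mesalink_connect_step3 no longer compiles with the MesaLink backend; rename the declaration to `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;`. This presumably goes unnoticed in poky only because the recipe builds against a different TLS backend (the PACKAGECONFIG is not visible here), so it is still worth fixing before the patch is carried further or reused. The wolfssl.c hunk places its `bool isproxy` declaration after the `our_ssl_sessionid = SSL_get_session(...)` statement (patch line 445), a mixed declaration-and-code that curl's C89-style sources avoid and that -Wdeclaration-after-statement would flag; move it up next to `void *old_ssl_sessionid = NULL;`. All of the functions touched by these hunks start and end outside the hunks.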
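--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -17,6 +17,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 file://CVE-2020-8284.patch \
 file://CVE-2020-8285.patch \
 file://CVE-2020-8286.patch \
+file://CVE-2021-22876.patch \
+file://CVE-2021-22890.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"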