1 files changed, 464 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22890.patch b/meta/recipes-support/curl/curl/CVE-2021-22890.patch
new file mode 100644
index 0000000000..8c0ecbfe7f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22890.patch
@@ -0,0 +1,464 @@
+vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+To make sure we set and extract the correct session.
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+CVE-2021-22890
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+Upstream-Status: backport
+---
+ lib/vtls/bearssl.c   |  9 +++++---
+ lib/vtls/gtls.c      |  9 +++++---
+ lib/vtls/mbedtls.c   |  8 ++++---
+ lib/vtls/mesalink.c  |  9 +++++---
+ lib/vtls/openssl.c   | 52 ++++++++++++++++++++++++++++++++++----------
+ lib/vtls/schannel.c  | 10 +++++----
+ lib/vtls/sectransp.c |  9 ++++----
+ lib/vtls/vtls.c      |  9 ++++++--
+ lib/vtls/vtls.h      |  2 ++
+ lib/vtls/wolfssl.c   |  8 ++++---
+ 10 files changed, 88 insertions(+), 37 deletions(-)
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 67f945831..32cb0a4c2 100644
+--- a/lib/vtls/bearssl.c
+++ b/lib/vtls/bearssl.c
+@@ -372,7 +372,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
+     void *session;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &session, NULL, sockindex)) {
+       br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session);
+       infof(data, "BearSSL: re-using session ID\n");
+     }
+@@ -560,10 +561,12 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex)
+       return CURLE_OUT_OF_MEMORY;
+     br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session);
+     Curl_ssl_sessionid_lock(conn);
+-    incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
+    incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                                      &oldsession, NULL, sockindex));
+     if(incache)
+       Curl_ssl_delsessionid(conn, oldsession);
+-    ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
+    ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                                session, 0, sockindex);
+     Curl_ssl_sessionid_unlock(conn);
+     if(ret) {
+       free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5f740eeba..46e149c7d 100644
+--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
+@@ -937,7 +937,8 @@ gtls_connect_step1(struct connectdata *conn,
+     size_t ssl_idsize;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, &ssl_idsize, sockindex)) {
+       /* we got a session id, use it! */
+       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+ 
+@@ -1485,7 +1486,8 @@ gtls_connect_step3(struct connectdata *conn,
+       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+ 
+       Curl_ssl_sessionid_lock(conn);
+-      incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
+      incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                                        &ssl_sessionid, NULL,
+                                         sockindex));
+       if(incache) {
+         /* there was one before in the cache, so instead of risking that the
+@@ -1494,7 +1496,8 @@ gtls_connect_step3(struct connectdata *conn,
+       }
+ 
+       /* store this session id */
+-      result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
+      result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                                     connect_sessionid, connect_idsize,
+                                      sockindex);
+       Curl_ssl_sessionid_unlock(conn);
+       if(result) {
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index f057315f3..19df8478e 100644
+--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
+@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *conn,
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &old_session, NULL, sockindex)) {
+       ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session);
+       if(ret) {
+         Curl_ssl_sessionid_unlock(conn);
+@@ -709,6 +710,7 @@ mbed_connect_step3(struct connectdata *conn,
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+     if(!our_ssl_sessionid)
+@@ -727,10 +729,10 @@ mbed_connect_step3(struct connectdata *conn,
+ 
+     /* If there's already a matching session in the cache, delete it */
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
+    if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex))
+       Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ 
+-    retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
+    retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex);
+     Curl_ssl_sessionid_unlock(conn);
+     if(retcode) {
+       mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index cab1e390b..79d1e3dfa 100644
+--- a/lib/vtls/mesalink.c
+++ b/lib/vtls/mesalink.c
+@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(conn);
+@@ -347,12 +348,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+    bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+ 
+     Curl_ssl_sessionid_lock(conn);
+     incache =
+-      !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
+      !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
+                              NULL, sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != our_ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -363,7 +366,7 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+ 
+     if(!incache) {
+       result = Curl_ssl_addsessionid(
+-        conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
+        conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(conn);
+         failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1d09cadca..64f43605a 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void)
+  */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+-  static int ssl_ex_data_sockindex_index = -1;
+-  if(ssl_ex_data_sockindex_index < 0) {
+-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+-        NULL);
+  static int sockindex_index = -1;
+  if(sockindex_index < 0) {
+    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+   }
+-  return ssl_ex_data_sockindex_index;
+  return sockindex_index;
+}
+
+/* Return an extra data index for proxy boolean.
+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
+ */
+static int ossl_get_proxy_index(void)
+{
+  static int proxy_index = -1;
+  if(proxy_index < 0) {
+    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+  }
+  return proxy_index;
+ }
+ 
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void)
+ #endif
+ 
+   /* Initialize the extra data indexes */
+-  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
+  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 ||
+     ossl_get_proxy_index() < 0)
+     return 0;
+ 
+   return 1;
+@@ -2341,8 +2353,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   curl_socket_t *sockindex_ptr;
+   int connectdata_idx = ossl_get_ssl_conn_index();
+   int sockindex_idx = ossl_get_ssl_sockindex_index();
+  int proxy_idx = ossl_get_proxy_index();
+  bool isproxy;
+ 
+-  if(connectdata_idx < 0 || sockindex_idx < 0)
+  if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+     return 0;
+ 
+   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2355,13 +2369,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+   sockindex = (int)(sockindex_ptr - conn->sock);
+ 
+  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
+
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     void *old_ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+-                                      sockindex));
+    if(isproxy)
+      incache = FALSE;
+    else
+      incache = !(Curl_ssl_getsessionid(conn, isproxy,
+                                        &old_ssl_sessionid, NULL, sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -2371,7 +2390,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+     }
+ 
+     if(!incache) {
+-      if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
+      if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+                                       0 /* unknown size */, sockindex)) {
+         /* the session has been put into the session cache */
+         res = 1;
+@@ -2868,16 +2887,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+     void *ssl_sessionid = NULL;
+     int connectdata_idx = ossl_get_ssl_conn_index();
+     int sockindex_idx = ossl_get_ssl_sockindex_index();
+    int proxy_idx = ossl_get_proxy_index();
+ 
+-    if(connectdata_idx >= 0 && sockindex_idx >= 0) {
+    if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
+       /* Store the data needed for the "new session" callback.
+        * The sockindex is stored as a pointer to an array element. */
+       SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
+       SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
+#ifndef CURL_DISABLE_PROXY
+      SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
+                      NULL);
+#else
+      SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL);
+#endif
+
+     }
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(conn);
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index f665ee340..a354ce95d 100644
+--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
+@@ -487,7 +487,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
+   /* check for an existing re-usable credential handle */
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              (void **)&old_cred, NULL, sockindex)) {
+       BACKEND->cred = old_cred;
+       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+ 
+@@ -1193,8 +1194,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+   SECURITY_STATUS sspi_status = SEC_E_OK;
+   CERT_CONTEXT *ccert_context = NULL;
+  bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1268,7 +1270,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+     struct curl_schannel_cred *old_cred = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
+    incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL,
+                                       sockindex));
+     if(incache) {
+       if(old_cred != BACKEND->cred) {
+@@ -1280,7 +1282,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+       }
+     }
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
+      result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred,
+                                      sizeof(struct curl_schannel_cred),
+                                      sockindex);
+       if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 7dd028fb7..9c67d465a 100644
+--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
+@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+   char * const ssl_cert = SSL_SET_OPTION(cert);
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+  bool isproxy = SSL_IS_PROXY();
+  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #ifdef ENABLE_IPV6
+@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+ 
+ #ifdef USE_NGHTTP2
+       if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
+-         (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
+         (!isproxy || !conn->bits.tunnel_proxy)) {
+         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+         infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
+       }
+@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+     size_t ssl_sessionid_len;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
+    if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
+                               &ssl_sessionid_len, sockindex)) {
+       /* we got a session id, use it! */
+       err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1944,7 +1945,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+         return CURLE_SSL_CONNECT_ERROR;
+       }
+ 
+-      result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
+      result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len,
+                                      sockindex);
+       Curl_ssl_sessionid_unlock(conn);
+       if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index dfefa1bd5..aaf73ef8f 100644
+--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
+@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
+  * there's one suitable, it is provided. Returns TRUE when no entry matched.
+  */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
+                           const bool isProxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex)
+@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+   long *general_age;
+   bool no_match = TRUE;
+ 
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -324,6 +324,11 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+   int port = isProxy ? (int)conn->port : conn->remote_port;
+   *ssl_sessionid = NULL;
+ 
+#ifdef CURL_DISABLE_PROXY
+  if(isProxy)
+    return TRUE;
+#endif
+
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   if(!SSL_SET_OPTION(primary.sessionid))
+@@ -411,6 +416,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
+  * later on.
+  */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+                               bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex)
+@@ -423,7 +429,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+   char *clone_conn_to_host;
+   int conn_to_port;
+   long *general_age;
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index a81b2f22d..a5e348752 100644
+--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
+@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
+  * under sessionid mutex).
+  */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
+                           const bool isproxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex);
+@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+  * object with cache (e.g. incrementing refcount on success)
+  */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+                               const bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex);
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index 8c2d3f4a2..dd9f907ff 100644
+--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
+@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata *conn,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -618,9 +619,10 @@ wolfssl_connect_step3(struct connectdata *conn,
+     void *old_ssl_sessionid = NULL;
+ 
+     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+    incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
+                                       sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != our_ssl_sessionid) {
+@@ -631,7 +633,7 @@ wolfssl_connect_step3(struct connectdata *conn,
+     }
+ 
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
+      result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid,
+                                      0 /* unknown size */, sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(conn);
+-- 
+2.20.1

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22890.patch b/meta/recipes-support/curl/curl/CVE-2021-22890.patch new file mode 100644 index 0000000000..8c0ecbfe7f --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22890.patch
@@ -0,0 +1,464 @@
	1	vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
	2
	3	To make sure we set and extract the correct session.
	4
	5	Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
	6
	7	CVE-2021-22890
	8
	9	Reported-by: Mingtao Yang
	10	Bug: https://curl.se/docs/CVE-2021-22890.html
	11	Upstream-Status: backport
	12	---
	13	lib/vtls/bearssl.c \| 9 +++++---
	14	lib/vtls/gtls.c \| 9 +++++---
	15	lib/vtls/mbedtls.c \| 8 ++++---
	16	lib/vtls/mesalink.c \| 9 +++++---
	17	lib/vtls/openssl.c \| 52 ++++++++++++++++++++++++++++++++++----------
	18	lib/vtls/schannel.c \| 10 +++++----
	19	lib/vtls/sectransp.c \| 9 ++++----
	20	lib/vtls/vtls.c \| 9 ++++++--
	21	lib/vtls/vtls.h \| 2 ++
	22	lib/vtls/wolfssl.c \| 8 ++++---
	23	10 files changed, 88 insertions(+), 37 deletions(-)
	24
	25	diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
	26	index 67f945831..32cb0a4c2 100644
	27	--- a/lib/vtls/bearssl.c
	28	+++ b/lib/vtls/bearssl.c
	29	@@ -372,7 +372,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
	30	void *session;
	31
	32	Curl_ssl_sessionid_lock(conn);
	33	- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
	34	+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	35	+ &session, NULL, sockindex)) {
	36	br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session);
	37	infof(data, "BearSSL: re-using session ID\n");
	38	}
	39	@@ -560,10 +561,12 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex)
	40	return CURLE_OUT_OF_MEMORY;
	41	br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session);
	42	Curl_ssl_sessionid_lock(conn);
	43	- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
	44	+ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	45	+ &oldsession, NULL, sockindex));
	46	if(incache)
	47	Curl_ssl_delsessionid(conn, oldsession);
	48	- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
	49	+ ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	50	+ session, 0, sockindex);
	51	Curl_ssl_sessionid_unlock(conn);
	52	if(ret) {
	53	free(session);
	54	diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
	55	index 5f740eeba..46e149c7d 100644
	56	--- a/lib/vtls/gtls.c
	57	+++ b/lib/vtls/gtls.c
	58	@@ -937,7 +937,8 @@ gtls_connect_step1(struct connectdata *conn,
	59	size_t ssl_idsize;
	60
	61	Curl_ssl_sessionid_lock(conn);
	62	- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
	63	+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	64	+ &ssl_sessionid, &ssl_idsize, sockindex)) {
	65	/* we got a session id, use it! */
	66	gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
	67
	68	@@ -1485,7 +1486,8 @@ gtls_connect_step3(struct connectdata *conn,
	69	gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
	70
	71	Curl_ssl_sessionid_lock(conn);
	72	- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
	73	+ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	74	+ &ssl_sessionid, NULL,
	75	sockindex));
	76	if(incache) {
	77	/* there was one before in the cache, so instead of risking that the
	78	@@ -1494,7 +1496,8 @@ gtls_connect_step3(struct connectdata *conn,
	79	}
	80
	81	/* store this session id */
	82	- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
	83	+ result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	84	+ connect_sessionid, connect_idsize,
	85	sockindex);
	86	Curl_ssl_sessionid_unlock(conn);
	87	if(result) {
	88	diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
	89	index f057315f3..19df8478e 100644
	90	--- a/lib/vtls/mbedtls.c
	91	+++ b/lib/vtls/mbedtls.c
	92	@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *conn,
	93	void *old_session = NULL;
	94
	95	Curl_ssl_sessionid_lock(conn);
	96	- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
	97	+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	98	+ &old_session, NULL, sockindex)) {
	99	ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session);
	100	if(ret) {
	101	Curl_ssl_sessionid_unlock(conn);
	102	@@ -709,6 +710,7 @@ mbed_connect_step3(struct connectdata *conn,
	103	int ret;
	104	mbedtls_ssl_session *our_ssl_sessionid;
	105	void *old_ssl_sessionid = NULL;
	106	+ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
	107
	108	our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
	109	if(!our_ssl_sessionid)
	110	@@ -727,10 +729,10 @@ mbed_connect_step3(struct connectdata *conn,
	111
	112	/* If there's already a matching session in the cache, delete it */
	113	Curl_ssl_sessionid_lock(conn);
	114	- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
	115	+ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex))
	116	Curl_ssl_delsessionid(conn, old_ssl_sessionid);
	117
	118	- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
	119	+ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex);
	120	Curl_ssl_sessionid_unlock(conn);
	121	if(retcode) {
	122	mbedtls_ssl_session_free(our_ssl_sessionid);
	123	diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
	124	index cab1e390b..79d1e3dfa 100644
	125	--- a/lib/vtls/mesalink.c
	126	+++ b/lib/vtls/mesalink.c
	127	@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
	128	void *ssl_sessionid = NULL;
	129
	130	Curl_ssl_sessionid_lock(conn);
	131	- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
	132	+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	133	+ &ssl_sessionid, NULL, sockindex)) {
	134	/* we got a session id, use it! */
	135	if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
	136	Curl_ssl_sessionid_unlock(conn);
	137	@@ -347,12 +348,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
	138	bool incache;
	139	SSL_SESSION *our_ssl_sessionid;
	140	void *old_ssl_sessionid = NULL;
	141	+ bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;
	142
	143	our_ssl_sessionid = SSL_get_session(BACKEND->handle);
	144
	145	Curl_ssl_sessionid_lock(conn);
	146	incache =
	147	- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
	148	+ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
	149	+ NULL, sockindex));
	150	if(incache) {
	151	if(old_ssl_sessionid != our_ssl_sessionid) {
	152	infof(data, "old SSL session ID is stale, removing\n");
	153	@@ -363,7 +366,7 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
	154
	155	if(!incache) {
	156	result = Curl_ssl_addsessionid(
	157	- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
	158	+ conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);
	159	if(result) {
	160	Curl_ssl_sessionid_unlock(conn);
	161	failf(data, "failed to store ssl session");
	162	diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
	163	index 1d09cadca..64f43605a 100644
	164	--- a/lib/vtls/openssl.c
	165	+++ b/lib/vtls/openssl.c
	166	@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void)
	167	*/
	168	static int ossl_get_ssl_sockindex_index(void)
	169	{
	170	- static int ssl_ex_data_sockindex_index = -1;
	171	- if(ssl_ex_data_sockindex_index < 0) {
	172	- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
	173	- NULL);
	174	+ static int sockindex_index = -1;
	175	+ if(sockindex_index < 0) {
	176	+ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
	177	}
	178	- return ssl_ex_data_sockindex_index;
	179	+ return sockindex_index;
	180	+}
	181	+
	182	+/* Return an extra data index for proxy boolean.
	183	+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
	184	+ */
	185	+static int ossl_get_proxy_index(void)
	186	+{
	187	+ static int proxy_index = -1;
	188	+ if(proxy_index < 0) {
	189	+ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
	190	+ }
	191	+ return proxy_index;
	192	}
	193
	194	static int passwd_callback(char *buf, int num, int encrypting,
	195	@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void)
	196	#endif
	197
	198	/* Initialize the extra data indexes */
	199	- if(ossl_get_ssl_conn_index() < 0 \|\| ossl_get_ssl_sockindex_index() < 0)
	200	+ if(ossl_get_ssl_conn_index() < 0 \|\| ossl_get_ssl_sockindex_index() < 0 \|\|
	201	+ ossl_get_proxy_index() < 0)
	202	return 0;
	203
	204	return 1;
	205	@@ -2341,8 +2353,10 @@ static int ossl_new_session_cb(SSL ssl, SSL_SESSION ssl_sessionid)
	206	curl_socket_t *sockindex_ptr;
	207	int connectdata_idx = ossl_get_ssl_conn_index();
	208	int sockindex_idx = ossl_get_ssl_sockindex_index();
	209	+ int proxy_idx = ossl_get_proxy_index();
	210	+ bool isproxy;
	211
	212	- if(connectdata_idx < 0 \|\| sockindex_idx < 0)
	213	+ if(connectdata_idx < 0 \|\| sockindex_idx < 0 \|\| proxy_idx < 0)
	214	return 0;
	215
	216	conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
	217	@@ -2355,13 +2369,18 @@ static int ossl_new_session_cb(SSL ssl, SSL_SESSION ssl_sessionid)
	218	sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
	219	sockindex = (int)(sockindex_ptr - conn->sock);
	220
	221	+ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
	222	+
	223	if(SSL_SET_OPTION(primary.sessionid)) {
	224	bool incache;
	225	void *old_ssl_sessionid = NULL;
	226
	227	Curl_ssl_sessionid_lock(conn);
	228	- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
	229	- sockindex));
	230	+ if(isproxy)
	231	+ incache = FALSE;
	232	+ else
	233	+ incache = !(Curl_ssl_getsessionid(conn, isproxy,
	234	+ &old_ssl_sessionid, NULL, sockindex));
	235	if(incache) {
	236	if(old_ssl_sessionid != ssl_sessionid) {
	237	infof(data, "old SSL session ID is stale, removing\n");
	238	@@ -2371,7 +2390,7 @@ static int ossl_new_session_cb(SSL ssl, SSL_SESSION ssl_sessionid)
	239	}
	240
	241	if(!incache) {
	242	- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
	243	+ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
	244	0 /* unknown size */, sockindex)) {
	245	/* the session has been put into the session cache */
	246	res = 1;
	247	@@ -2868,16 +2887,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
	248	void *ssl_sessionid = NULL;
	249	int connectdata_idx = ossl_get_ssl_conn_index();
	250	int sockindex_idx = ossl_get_ssl_sockindex_index();
	251	+ int proxy_idx = ossl_get_proxy_index();
	252
	253	- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
	254	+ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
	255	/* Store the data needed for the "new session" callback.
	256	* The sockindex is stored as a pointer to an array element. */
	257	SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
	258	SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
	259	+#ifndef CURL_DISABLE_PROXY
	260	+ SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
	261	+ NULL);
	262	+#else
	263	+ SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL);
	264	+#endif
	265	+
	266	}
	267
	268	Curl_ssl_sessionid_lock(conn);
	269	- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
	270	+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	271	+ &ssl_sessionid, NULL, sockindex)) {
	272	/* we got a session id, use it! */
	273	if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
	274	Curl_ssl_sessionid_unlock(conn);
	275	diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
	276	index f665ee340..a354ce95d 100644
	277	--- a/lib/vtls/schannel.c
	278	+++ b/lib/vtls/schannel.c
	279	@@ -487,7 +487,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
	280	/* check for an existing re-usable credential handle */
	281	if(SSL_SET_OPTION(primary.sessionid)) {
	282	Curl_ssl_sessionid_lock(conn);
	283	- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
	284	+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	285	+ (void **)&old_cred, NULL, sockindex)) {
	286	BACKEND->cred = old_cred;
	287	DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
	288
	289	@@ -1193,8 +1194,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
	290	struct ssl_connect_data *connssl = &conn->ssl[sockindex];
	291	SECURITY_STATUS sspi_status = SEC_E_OK;
	292	CERT_CONTEXT *ccert_context = NULL;
	293	+ bool isproxy = SSL_IS_PROXY();
	294	#ifdef DEBUGBUILD
	295	- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
	296	+ const char * const hostname = isproxy ? conn->http_proxy.host.name :
	297	conn->host.name;
	298	#endif
	299	#ifdef HAS_ALPN
	300	@@ -1268,7 +1270,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
	301	struct curl_schannel_cred *old_cred = NULL;
	302
	303	Curl_ssl_sessionid_lock(conn);
	304	- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
	305	+ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL,
	306	sockindex));
	307	if(incache) {
	308	if(old_cred != BACKEND->cred) {
	309	@@ -1280,7 +1282,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
	310	}
	311	}
	312	if(!incache) {
	313	- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
	314	+ result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred,
	315	sizeof(struct curl_schannel_cred),
	316	sockindex);
	317	if(result) {
	318	diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
	319	index 7dd028fb7..9c67d465a 100644
	320	--- a/lib/vtls/sectransp.c
	321	+++ b/lib/vtls/sectransp.c
	322	@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
	323	const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
	324	const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
	325	char * const ssl_cert = SSL_SET_OPTION(cert);
	326	- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
	327	+ bool isproxy = SSL_IS_PROXY();
	328	+ const char * const hostname = isproxy ? conn->http_proxy.host.name :
	329	conn->host.name;
	330	const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
	331	#ifdef ENABLE_IPV6
	332	@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
	333
	334	#ifdef USE_NGHTTP2
	335	if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
	336	- (!SSL_IS_PROXY() \|\| !conn->bits.tunnel_proxy)) {
	337	+ (!isproxy \|\| !conn->bits.tunnel_proxy)) {
	338	CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
	339	infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
	340	}
	341	@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
	342	size_t ssl_sessionid_len;
	343
	344	Curl_ssl_sessionid_lock(conn);
	345	- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
	346	+ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
	347	&ssl_sessionid_len, sockindex)) {
	348	/* we got a session id, use it! */
	349	err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
	350	@@ -1944,7 +1945,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
	351	return CURLE_SSL_CONNECT_ERROR;
	352	}
	353
	354	- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
	355	+ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len,
	356	sockindex);
	357	Curl_ssl_sessionid_unlock(conn);
	358	if(result) {
	359	diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
	360	index dfefa1bd5..aaf73ef8f 100644
	361	--- a/lib/vtls/vtls.c
	362	+++ b/lib/vtls/vtls.c
	363	@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
	364	* there's one suitable, it is provided. Returns TRUE when no entry matched.
	365	*/
	366	bool Curl_ssl_getsessionid(struct connectdata *conn,
	367	+ const bool isProxy,
	368	void **ssl_sessionid,
	369	size_t idsize, / set 0 if unknown */
	370	int sockindex)
	371	@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
	372	long *general_age;
	373	bool no_match = TRUE;
	374
	375	- const bool isProxy = CONNECT_PROXY_SSL();
	376	struct ssl_primary_config * const ssl_config = isProxy ?
	377	&conn->proxy_ssl_config :
	378	&conn->ssl_config;
	379	@@ -324,6 +324,11 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
	380	int port = isProxy ? (int)conn->port : conn->remote_port;
	381	*ssl_sessionid = NULL;
	382
	383	+#ifdef CURL_DISABLE_PROXY
	384	+ if(isProxy)
	385	+ return TRUE;
	386	+#endif
	387	+
	388	DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
	389
	390	if(!SSL_SET_OPTION(primary.sessionid))
	391	@@ -411,6 +416,7 @@ void Curl_ssl_delsessionid(struct connectdata conn, void ssl_sessionid)
	392	* later on.
	393	*/
	394	CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
	395	+ bool isProxy,
	396	void *ssl_sessionid,
	397	size_t idsize,
	398	int sockindex)
	399	@@ -423,7 +429,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
	400	char *clone_conn_to_host;
	401	int conn_to_port;
	402	long *general_age;
	403	- const bool isProxy = CONNECT_PROXY_SSL();
	404	struct ssl_primary_config * const ssl_config = isProxy ?
	405	&conn->proxy_ssl_config :
	406	&conn->ssl_config;
	407	diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
	408	index a81b2f22d..a5e348752 100644
	409	--- a/lib/vtls/vtls.h
	410	+++ b/lib/vtls/vtls.h
	411	@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
	412	* under sessionid mutex).
	413	*/
	414	bool Curl_ssl_getsessionid(struct connectdata *conn,
	415	+ const bool isproxy,
	416	void **ssl_sessionid,
	417	size_t idsize, / set 0 if unknown */
	418	int sockindex);
	419	@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
	420	* object with cache (e.g. incrementing refcount on success)
	421	*/
	422	CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
	423	+ const bool isProxy,
	424	void *ssl_sessionid,
	425	size_t idsize,
	426	int sockindex);
	427	diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
	428	index 8c2d3f4a2..dd9f907ff 100644
	429	--- a/lib/vtls/wolfssl.c
	430	+++ b/lib/vtls/wolfssl.c
	431	@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata *conn,
	432	void *ssl_sessionid = NULL;
	433
	434	Curl_ssl_sessionid_lock(conn);
	435	- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
	436	+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
	437	+ &ssl_sessionid, NULL, sockindex)) {
	438	/* we got a session id, use it! */
	439	if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
	440	char error_buffer[WOLFSSL_MAX_ERROR_SZ];
	441	@@ -618,9 +619,10 @@ wolfssl_connect_step3(struct connectdata *conn,
	442	void *old_ssl_sessionid = NULL;
	443
	444	our_ssl_sessionid = SSL_get_session(BACKEND->handle);
	445	+ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
	446
	447	Curl_ssl_sessionid_lock(conn);
	448	- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
	449	+ incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
	450	sockindex));
	451	if(incache) {
	452	if(old_ssl_sessionid != our_ssl_sessionid) {
	453	@@ -631,7 +633,7 @@ wolfssl_connect_step3(struct connectdata *conn,
	454	}
	455
	456	if(!incache) {
	457	- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
	458	+ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid,
	459	0 /* unknown size */, sockindex);
	460	if(result) {
	461	Curl_ssl_sessionid_unlock(conn);
	462	--
	463	2.20.1
	464