1 files changed, 226 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
new file mode 100644
index 0000000000..68fde45ddf
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
@@ -0,0 +1,226 @@
+Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and
+ case sensitivity CVE-2021-22924
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+CVE: CVE-2021-22924
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/url.c          |  5 +++--
+ lib/urldata.h      |  2 +-
+ lib/vtls/gtls.c    | 10 +++++-----
+ lib/vtls/nss.c     |  4 ++--
+ lib/vtls/openssl.c | 12 ++++++------
+ lib/vtls/vtls.c    | 23 ++++++++++++++++++-----
+ 6 files changed, 35 insertions(+), 21 deletions(-)
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66aed..eebad8d32 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
+   data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
+  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+  data->set.proxy_ssl.primary.issuercert =
+    data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+   data->set.proxy_ssl.primary.random_file =
+     data->set.str[STRING_SSL_RANDOM_FILE];
+@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+ 
+   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+-  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
+   data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fbb8b645e..615fbf369 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -224,6 +224,7 @@ struct ssl_primary_config {
+   long version_max;      /* max supported version the client wants to use*/
+   char *CApath;          /* certificate dir (doesn't work on windows) */
+   char *CAfile;          /* certificate to verify peer against */
+  char *issuercert;      /* optional issuer certificate filename */
+   char *clientcert;
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+@@ -240,7 +241,6 @@ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+   char *CRLfile;   /* CRL to check certificate revocation */
+-  char *issuercert;/* optional issuer certificate filename */
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert; /* client certificate file name */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 46e149c7d..8c051024f 100644
+--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
+@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn,
+   if(!chainp) {
+     if(SSL_CONN_CONFIG(verifypeer) ||
+        SSL_CONN_CONFIG(verifyhost) ||
+-       SSL_SET_OPTION(issuercert)) {
+       SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_TLS_SRP
+       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+          && SSL_SET_OPTION(username) != NULL
+@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn,
+        gnutls_x509_crt_t format */
+     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
+  if(SSL_CONN_CONFIG(issuercert)) {
+     gnutls_x509_crt_init(&x509_issuer);
+-    issuerp = load_file(SSL_SET_OPTION(issuercert));
+    issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+     gnutls_x509_crt_deinit(x509_issuer);
+     unload_file(issuerp);
+     if(rc <= 0) {
+       failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+-            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+       gnutls_x509_crt_deinit(x509_cert);
+       return CURLE_SSL_ISSUER_ERROR;
+     }
+     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+-          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+   }
+ 
+   size = sizeof(certbuf);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index ef51b0d91..375c78b1b 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+   if(result)
+     goto error;
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
+  if(SSL_CONN_CONFIG(issuercert)) {
+     SECStatus ret = SECFailure;
+-    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
+    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+     if(nickname) {
+       /* we support only nicknames in case of issuercert for now */
+       ret = check_issuer_cert(BACKEND->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 64f43605a..7e81fd3a0 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn,
+        deallocating the certificate. */
+ 
+     /* e.g. match issuer name with provided issuer certificate */
+-    if(SSL_SET_OPTION(issuercert)) {
+    if(SSL_CONN_CONFIG(issuercert)) {
+       fp = BIO_new(BIO_s_file());
+       if(fp == NULL) {
+         failf(data,
+@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn,
+         return CURLE_OUT_OF_MEMORY;
+       }
+ 
+-      if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
+      if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+         if(strict)
+           failf(data, "SSL: Unable to open issuer cert (%s)",
+-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(BACKEND->server_cert);
+         BACKEND->server_cert = NULL;
+@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn,
+       if(!issuer) {
+         if(strict)
+           failf(data, "SSL: Unable to read issuer cert (%s)",
+-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(BACKEND->server_cert);
+@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn,
+       if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
+         if(strict)
+           failf(data, "SSL: Certificate issuer check failed (%s)",
+-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(BACKEND->server_cert);
+@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn,
+       }
+ 
+       infof(data, " SSL certificate issuer check ok (%s)\n",
+-            SSL_SET_OPTION(issuercert));
+            SSL_CONN_CONFIG(issuercert));
+       BIO_free(fp);
+       X509_free(issuer);
+     }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index aaf73ef8f..8c681da14 100644
+--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
+@@ -82,6 +82,16 @@
+   else                                       \
+     dest->var = NULL;
+ 
+static bool safecmp(char *a, char *b)
+{
+  if(a && b)
+    return !strcmp(a, b);
+  else if(!a && !b)
+    return TRUE; /* match */
+  return FALSE; /* no match */
+}
+
+
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config* data,
+                         struct ssl_primary_config* needle)
+@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+      (data->verifypeer == needle->verifypeer) &&
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&
+-     Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+-     Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+-     Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+-     Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+-     Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
+     safecmp(data->CApath, needle->CApath) &&
+     safecmp(data->CAfile, needle->CAfile) &&
+     safecmp(data->issuercert, needle->issuercert) &&
+     safecmp(data->clientcert, needle->clientcert) &&
+     safecmp(data->random_file, needle->random_file) &&
+     safecmp(data->egdsocket, needle->egdsocket) &&
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+ 
+   CLONE_STRING(CApath);
+   CLONE_STRING(CAfile);
+  CLONE_STRING(issuercert);
+   CLONE_STRING(clientcert);
+   CLONE_STRING(random_file);
+   CLONE_STRING(egdsocket);
+@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
+ {
+   Curl_safefree(sslc->CApath);
+   Curl_safefree(sslc->CAfile);
+  Curl_safefree(sslc->issuercert);
+   Curl_safefree(sslc->clientcert);
+   Curl_safefree(sslc->random_file);
+   Curl_safefree(sslc->egdsocket);
+-- 
+2.30.2

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/meta/recipes-support/curl/curl/CVE-2021-22924.patch new file mode 100644 index 0000000000..68fde45ddf --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
@@ -0,0 +1,226 @@
	1	Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and
	2	case sensitivity CVE-2021-22924
	3
	4	Reported-by: Harry Sintonen
	5	Bug: https://curl.se/docs/CVE-2021-22924.html
	6	CVE: CVE-2021-22924
	7	Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
	8	Signed-off-by: Mike Crowe <mac@mcrowe.com>
	9	---
	10	lib/url.c \| 5 +++--
	11	lib/urldata.h \| 2 +-
	12	lib/vtls/gtls.c \| 10 +++++-----
	13	lib/vtls/nss.c \| 4 ++--
	14	lib/vtls/openssl.c \| 12 ++++++------
	15	lib/vtls/vtls.c \| 23 ++++++++++++++++++-----
	16	6 files changed, 35 insertions(+), 21 deletions(-)
	17
	18	diff --git a/lib/url.c b/lib/url.c
	19	index 47fc66aed..eebad8d32 100644
	20	--- a/lib/url.c
	21	+++ b/lib/url.c
	22	@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data,
	23	data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
	24	data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
	25	data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
	26	+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
	27	+ data->set.proxy_ssl.primary.issuercert =
	28	+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
	29	data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
	30	data->set.proxy_ssl.primary.random_file =
	31	data->set.str[STRING_SSL_RANDOM_FILE];
	32	@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data,
	33
	34	data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
	35	data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
	36	- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
	37	- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
	38	data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
	39	data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
	40	data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
	41	diff --git a/lib/urldata.h b/lib/urldata.h
	42	index fbb8b645e..615fbf369 100644
	43	--- a/lib/urldata.h
	44	+++ b/lib/urldata.h
	45	@@ -224,6 +224,7 @@ struct ssl_primary_config {
	46	long version_max; /* max supported version the client wants to use*/
	47	char CApath; / certificate dir (doesn't work on windows) */
	48	char CAfile; / certificate to verify peer against */
	49	+ char issuercert; / optional issuer certificate filename */
	50	char *clientcert;
	51	char random_file; / path to file containing "random" data */
	52	char egdsocket; / path to file containing the EGD daemon socket */
	53	@@ -240,7 +241,6 @@ struct ssl_config_data {
	54	struct ssl_primary_config primary;
	55	long certverifyresult; /* result from the certificate verification */
	56	char CRLfile; / CRL to check certificate revocation */
	57	- char issuercert;/ optional issuer certificate filename */
	58	curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
	59	void fsslctxp; / parameter for call back */
	60	char cert; / client certificate file name */
	61	diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
	62	index 46e149c7d..8c051024f 100644
	63	--- a/lib/vtls/gtls.c
	64	+++ b/lib/vtls/gtls.c
	65	@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn,
	66	if(!chainp) {
	67	if(SSL_CONN_CONFIG(verifypeer) \|\|
	68	SSL_CONN_CONFIG(verifyhost) \|\|
	69	- SSL_SET_OPTION(issuercert)) {
	70	+ SSL_CONN_CONFIG(issuercert)) {
	71	#ifdef USE_TLS_SRP
	72	if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
	73	&& SSL_SET_OPTION(username) != NULL
	74	@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn,
	75	gnutls_x509_crt_t format */
	76	gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
	77
	78	- if(SSL_SET_OPTION(issuercert)) {
	79	+ if(SSL_CONN_CONFIG(issuercert)) {
	80	gnutls_x509_crt_init(&x509_issuer);
	81	- issuerp = load_file(SSL_SET_OPTION(issuercert));
	82	+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
	83	gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
	84	rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
	85	gnutls_x509_crt_deinit(x509_issuer);
	86	unload_file(issuerp);
	87	if(rc <= 0) {
	88	failf(data, "server certificate issuer check failed (IssuerCert: %s)",
	89	- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
	90	+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
	91	gnutls_x509_crt_deinit(x509_cert);
	92	return CURLE_SSL_ISSUER_ERROR;
	93	}
	94	infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
	95	- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
	96	+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
	97	}
	98
	99	size = sizeof(certbuf);
	100	diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
	101	index ef51b0d91..375c78b1b 100644
	102	--- a/lib/vtls/nss.c
	103	+++ b/lib/vtls/nss.c
	104	@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
	105	if(result)
	106	goto error;
	107
	108	- if(SSL_SET_OPTION(issuercert)) {
	109	+ if(SSL_CONN_CONFIG(issuercert)) {
	110	SECStatus ret = SECFailure;
	111	- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
	112	+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
	113	if(nickname) {
	114	/* we support only nicknames in case of issuercert for now */
	115	ret = check_issuer_cert(BACKEND->handle, nickname);
	116	diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
	117	index 64f43605a..7e81fd3a0 100644
	118	--- a/lib/vtls/openssl.c
	119	+++ b/lib/vtls/openssl.c
	120	@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn,
	121	deallocating the certificate. */
	122
	123	/* e.g. match issuer name with provided issuer certificate */
	124	- if(SSL_SET_OPTION(issuercert)) {
	125	+ if(SSL_CONN_CONFIG(issuercert)) {
	126	fp = BIO_new(BIO_s_file());
	127	if(fp == NULL) {
	128	failf(data,
	129	@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn,
	130	return CURLE_OUT_OF_MEMORY;
	131	}
	132
	133	- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
	134	+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
	135	if(strict)
	136	failf(data, "SSL: Unable to open issuer cert (%s)",
	137	- SSL_SET_OPTION(issuercert));
	138	+ SSL_CONN_CONFIG(issuercert));
	139	BIO_free(fp);
	140	X509_free(BACKEND->server_cert);
	141	BACKEND->server_cert = NULL;
	142	@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn,
	143	if(!issuer) {
	144	if(strict)
	145	failf(data, "SSL: Unable to read issuer cert (%s)",
	146	- SSL_SET_OPTION(issuercert));
	147	+ SSL_CONN_CONFIG(issuercert));
	148	BIO_free(fp);
	149	X509_free(issuer);
	150	X509_free(BACKEND->server_cert);
	151	@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn,
	152	if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
	153	if(strict)
	154	failf(data, "SSL: Certificate issuer check failed (%s)",
	155	- SSL_SET_OPTION(issuercert));
	156	+ SSL_CONN_CONFIG(issuercert));
	157	BIO_free(fp);
	158	X509_free(issuer);
	159	X509_free(BACKEND->server_cert);
	160	@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn,
	161	}
	162
	163	infof(data, " SSL certificate issuer check ok (%s)\n",
	164	- SSL_SET_OPTION(issuercert));
	165	+ SSL_CONN_CONFIG(issuercert));
	166	BIO_free(fp);
	167	X509_free(issuer);
	168	}
	169	diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
	170	index aaf73ef8f..8c681da14 100644
	171	--- a/lib/vtls/vtls.c
	172	+++ b/lib/vtls/vtls.c
	173	@@ -82,6 +82,16 @@
	174	else \
	175	dest->var = NULL;
	176
	177	+static bool safecmp(char a, char b)
	178	+{
	179	+ if(a && b)
	180	+ return !strcmp(a, b);
	181	+ else if(!a && !b)
	182	+ return TRUE; /* match */
	183	+ return FALSE; /* no match */
	184	+}
	185	+
	186	+
	187	bool
	188	Curl_ssl_config_matches(struct ssl_primary_config* data,
	189	struct ssl_primary_config* needle)
	190	@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
	191	(data->verifypeer == needle->verifypeer) &&
	192	(data->verifyhost == needle->verifyhost) &&
	193	(data->verifystatus == needle->verifystatus) &&
	194	- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
	195	- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
	196	- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
	197	- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
	198	- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
	199	+ safecmp(data->CApath, needle->CApath) &&
	200	+ safecmp(data->CAfile, needle->CAfile) &&
	201	+ safecmp(data->issuercert, needle->issuercert) &&
	202	+ safecmp(data->clientcert, needle->clientcert) &&
	203	+ safecmp(data->random_file, needle->random_file) &&
	204	+ safecmp(data->egdsocket, needle->egdsocket) &&
	205	Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
	206	Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
	207	Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
	208	@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
	209
	210	CLONE_STRING(CApath);
	211	CLONE_STRING(CAfile);
	212	+ CLONE_STRING(issuercert);
	213	CLONE_STRING(clientcert);
	214	CLONE_STRING(random_file);
	215	CLONE_STRING(egdsocket);
	216	@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
	217	{
	218	Curl_safefree(sslc->CApath);
	219	Curl_safefree(sslc->CAfile);
	220	+ Curl_safefree(sslc->issuercert);
	221	Curl_safefree(sslc->clientcert);
	222	Curl_safefree(sslc->random_file);
	223	Curl_safefree(sslc->egdsocket);
	224	--
	225	2.30.2
	226