diff options
Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2022-27782-1.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27782-1.patch | 363 |
1 files changed, 363 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch new file mode 100644 index 0000000000..6b6d0e1938 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch | |||
@@ -0,0 +1,363 @@ | |||
1 | From 907a16c832d9ce0ffa7e9b2297548063095a7242 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 23:13:53 +0200 | ||
4 | Subject: [PATCH] tls: check more TLS details for connection reuse | ||
5 | |||
6 | CVE-2022-27782 | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Bug: https://curl.se/docs/CVE-2022-27782.html | ||
10 | Closes #8825 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/setopt.c | 29 +++++++++++++++++------------ | ||
16 | lib/url.c | 17 ++++++++++------- | ||
17 | lib/urldata.h | 13 +++++++------ | ||
18 | lib/vtls/gtls.c | 30 ++++++++++++++++-------------- | ||
19 | lib/vtls/mbedtls.c | 2 +- | ||
20 | lib/vtls/nss.c | 6 +++--- | ||
21 | lib/vtls/openssl.c | 10 +++++----- | ||
22 | lib/vtls/vtls.c | 1 + | ||
23 | 8 files changed, 60 insertions(+), 48 deletions(-) | ||
24 | |||
25 | diff --git a/lib/setopt.c b/lib/setopt.c | ||
26 | index 4648c87..bebb2e4 100644 | ||
27 | --- a/lib/setopt.c | ||
28 | +++ b/lib/setopt.c | ||
29 | @@ -2130,6 +2130,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
30 | |||
31 | case CURLOPT_SSL_OPTIONS: | ||
32 | arg = va_arg(param, long); | ||
33 | + data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); | ||
34 | data->set.ssl.enable_beast = | ||
35 | (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); | ||
36 | data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); | ||
37 | @@ -2139,6 +2140,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
38 | #ifndef CURL_DISABLE_PROXY | ||
39 | case CURLOPT_PROXY_SSL_OPTIONS: | ||
40 | arg = va_arg(param, long); | ||
41 | + data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); | ||
42 | data->set.proxy_ssl.enable_beast = | ||
43 | (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); | ||
44 | data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); | ||
45 | @@ -2541,44 +2543,47 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
46 | case CURLOPT_TLSAUTH_USERNAME: | ||
47 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG], | ||
48 | va_arg(param, char *)); | ||
49 | - if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) | ||
50 | - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
51 | + if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && | ||
52 | + !data->set.ssl.primary.authtype) | ||
53 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
54 | break; | ||
55 | case CURLOPT_PROXY_TLSAUTH_USERNAME: | ||
56 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], | ||
57 | va_arg(param, char *)); | ||
58 | if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && | ||
59 | - !data->set.proxy_ssl.authtype) | ||
60 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
61 | + !data->set.proxy_ssl.primary.authtype) | ||
62 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to | ||
63 | + SRP */ | ||
64 | break; | ||
65 | case CURLOPT_TLSAUTH_PASSWORD: | ||
66 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG], | ||
67 | va_arg(param, char *)); | ||
68 | - if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) | ||
69 | - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
70 | + if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && | ||
71 | + !data->set.ssl.primary.authtype) | ||
72 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
73 | break; | ||
74 | case CURLOPT_PROXY_TLSAUTH_PASSWORD: | ||
75 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], | ||
76 | va_arg(param, char *)); | ||
77 | if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && | ||
78 | - !data->set.proxy_ssl.authtype) | ||
79 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
80 | + !data->set.proxy_ssl.primary.authtype) | ||
81 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ | ||
82 | break; | ||
83 | case CURLOPT_TLSAUTH_TYPE: | ||
84 | argptr = va_arg(param, char *); | ||
85 | if(!argptr || | ||
86 | strncasecompare(argptr, "SRP", strlen("SRP"))) | ||
87 | - data->set.ssl.authtype = CURL_TLSAUTH_SRP; | ||
88 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; | ||
89 | else | ||
90 | - data->set.ssl.authtype = CURL_TLSAUTH_NONE; | ||
91 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; | ||
92 | break; | ||
93 | case CURLOPT_PROXY_TLSAUTH_TYPE: | ||
94 | argptr = va_arg(param, char *); | ||
95 | if(!argptr || | ||
96 | strncasecompare(argptr, "SRP", strlen("SRP"))) | ||
97 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; | ||
98 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; | ||
99 | else | ||
100 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; | ||
101 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; | ||
102 | break; | ||
103 | #endif | ||
104 | #ifdef USE_ARES | ||
105 | diff --git a/lib/url.c b/lib/url.c | ||
106 | index efa3dc7..6518be9 100644 | ||
107 | --- a/lib/url.c | ||
108 | +++ b/lib/url.c | ||
109 | @@ -482,7 +482,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) | ||
110 | set->ssl.primary.verifypeer = TRUE; | ||
111 | set->ssl.primary.verifyhost = TRUE; | ||
112 | #ifdef USE_TLS_SRP | ||
113 | - set->ssl.authtype = CURL_TLSAUTH_NONE; | ||
114 | + set->ssl.primary.authtype = CURL_TLSAUTH_NONE; | ||
115 | #endif | ||
116 | set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth | ||
117 | type */ | ||
118 | @@ -3594,8 +3594,9 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
119 | data->set.proxy_ssl.primary.pinned_key = | ||
120 | data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; | ||
121 | |||
122 | - data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; | ||
123 | - data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; | ||
124 | + data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; | ||
125 | + data->set.proxy_ssl.primary.CRLfile = | ||
126 | + data->set.str[STRING_SSL_CRLFILE_PROXY]; | ||
127 | data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; | ||
128 | data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; | ||
129 | data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; | ||
130 | @@ -3609,10 +3610,12 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
131 | data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG]; | ||
132 | data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; | ||
133 | #ifdef USE_TLS_SRP | ||
134 | - data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; | ||
135 | - data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; | ||
136 | - data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; | ||
137 | - data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; | ||
138 | + data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; | ||
139 | + data->set.proxy_ssl.primary.username = | ||
140 | + data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; | ||
141 | + data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; | ||
142 | + data->set.proxy_ssl.primary.password = | ||
143 | + data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; | ||
144 | #endif | ||
145 | |||
146 | if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, | ||
147 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
148 | index ab1b267..ad0ef8f 100644 | ||
149 | --- a/lib/urldata.h | ||
150 | +++ b/lib/urldata.h | ||
151 | @@ -231,6 +231,13 @@ struct ssl_primary_config { | ||
152 | char *cipher_list; /* list of ciphers to use */ | ||
153 | char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ | ||
154 | char *pinned_key; | ||
155 | + char *CRLfile; /* CRL to check certificate revocation */ | ||
156 | + #ifdef USE_TLS_SRP | ||
157 | + char *username; /* TLS username (for, e.g., SRP) */ | ||
158 | + char *password; /* TLS password (for, e.g., SRP) */ | ||
159 | + enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ | ||
160 | + #endif | ||
161 | + unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ | ||
162 | BIT(verifypeer); /* set TRUE if this is desired */ | ||
163 | BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ | ||
164 | BIT(verifystatus); /* set TRUE if certificate status must be checked */ | ||
165 | @@ -240,7 +247,6 @@ struct ssl_primary_config { | ||
166 | struct ssl_config_data { | ||
167 | struct ssl_primary_config primary; | ||
168 | long certverifyresult; /* result from the certificate verification */ | ||
169 | - char *CRLfile; /* CRL to check certificate revocation */ | ||
170 | curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ | ||
171 | void *fsslctxp; /* parameter for call back */ | ||
172 | char *cert; /* client certificate file name */ | ||
173 | @@ -248,11 +254,6 @@ struct ssl_config_data { | ||
174 | char *key; /* private key file name */ | ||
175 | char *key_type; /* format for private key (default: PEM) */ | ||
176 | char *key_passwd; /* plain text private key password */ | ||
177 | -#ifdef USE_TLS_SRP | ||
178 | - char *username; /* TLS username (for, e.g., SRP) */ | ||
179 | - char *password; /* TLS password (for, e.g., SRP) */ | ||
180 | - enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ | ||
181 | -#endif | ||
182 | BIT(certinfo); /* gather lots of certificate info */ | ||
183 | BIT(falsestart); | ||
184 | BIT(enable_beast); /* allow this flaw for interoperability's sake*/ | ||
185 | diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c | ||
186 | index 3d0758d..92c301c 100644 | ||
187 | --- a/lib/vtls/gtls.c | ||
188 | +++ b/lib/vtls/gtls.c | ||
189 | @@ -581,9 +581,10 @@ gtls_connect_step1(struct connectdata *conn, | ||
190 | } | ||
191 | |||
192 | #ifdef USE_TLS_SRP | ||
193 | - if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && | ||
194 | + if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && | ||
195 | Curl_allow_auth_to_host(data)) { | ||
196 | - infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); | ||
197 | + infof(data, "Using TLS-SRP username: %s\n", | ||
198 | + SSL_SET_OPTION(primary.username)); | ||
199 | |||
200 | rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred); | ||
201 | if(rc != GNUTLS_E_SUCCESS) { | ||
202 | @@ -593,8 +594,8 @@ gtls_connect_step1(struct connectdata *conn, | ||
203 | } | ||
204 | |||
205 | rc = gnutls_srp_set_client_credentials(BACKEND->srp_client_cred, | ||
206 | - SSL_SET_OPTION(username), | ||
207 | - SSL_SET_OPTION(password)); | ||
208 | + SSL_SET_OPTION(primary.username), | ||
209 | + SSL_SET_OPTION(primary.password)); | ||
210 | if(rc != GNUTLS_E_SUCCESS) { | ||
211 | failf(data, "gnutls_srp_set_client_cred() failed: %s", | ||
212 | gnutls_strerror(rc)); | ||
213 | @@ -648,19 +649,19 @@ gtls_connect_step1(struct connectdata *conn, | ||
214 | } | ||
215 | #endif | ||
216 | |||
217 | - if(SSL_SET_OPTION(CRLfile)) { | ||
218 | + if(SSL_SET_OPTION(primary.CRLfile)) { | ||
219 | /* set the CRL list file */ | ||
220 | rc = gnutls_certificate_set_x509_crl_file(BACKEND->cred, | ||
221 | - SSL_SET_OPTION(CRLfile), | ||
222 | + SSL_SET_OPTION(primary.CRLfile), | ||
223 | GNUTLS_X509_FMT_PEM); | ||
224 | if(rc < 0) { | ||
225 | failf(data, "error reading crl file %s (%s)", | ||
226 | - SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); | ||
227 | + SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); | ||
228 | return CURLE_SSL_CRL_BADFILE; | ||
229 | } | ||
230 | else | ||
231 | infof(data, "found %d CRL in %s\n", | ||
232 | - rc, SSL_SET_OPTION(CRLfile)); | ||
233 | + rc, SSL_SET_OPTION(primary.CRLfile)); | ||
234 | } | ||
235 | |||
236 | /* Initialize TLS session as a client */ | ||
237 | @@ -879,7 +880,7 @@ gtls_connect_step1(struct connectdata *conn, | ||
238 | |||
239 | #ifdef USE_TLS_SRP | ||
240 | /* put the credentials to the current session */ | ||
241 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { | ||
242 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { | ||
243 | rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, | ||
244 | BACKEND->srp_client_cred); | ||
245 | if(rc != GNUTLS_E_SUCCESS) { | ||
246 | @@ -1061,8 +1062,8 @@ gtls_connect_step3(struct connectdata *conn, | ||
247 | SSL_CONN_CONFIG(verifyhost) || | ||
248 | SSL_CONN_CONFIG(issuercert)) { | ||
249 | #ifdef USE_TLS_SRP | ||
250 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP | ||
251 | - && SSL_SET_OPTION(username) != NULL | ||
252 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP | ||
253 | + && SSL_SET_OPTION(primary.username) != NULL | ||
254 | && !SSL_CONN_CONFIG(verifypeer) | ||
255 | && gnutls_cipher_get(session)) { | ||
256 | /* no peer cert, but auth is ok if we have SRP user and cipher and no | ||
257 | @@ -1116,7 +1117,8 @@ gtls_connect_step3(struct connectdata *conn, | ||
258 | failf(data, "server certificate verification failed. CAfile: %s " | ||
259 | "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): | ||
260 | "none", | ||
261 | - SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); | ||
262 | + SSL_SET_OPTION(primary.CRLfile) ? | ||
263 | + SSL_SET_OPTION(primary.CRLfile) : "none"); | ||
264 | return CURLE_PEER_FAILED_VERIFICATION; | ||
265 | } | ||
266 | else | ||
267 | @@ -1703,8 +1705,8 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) | ||
268 | gnutls_certificate_free_credentials(BACKEND->cred); | ||
269 | |||
270 | #ifdef USE_TLS_SRP | ||
271 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP | ||
272 | - && SSL_SET_OPTION(username) != NULL) | ||
273 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP | ||
274 | + && SSL_SET_OPTION(primary.username) != NULL) | ||
275 | gnutls_srp_free_client_credentials(BACKEND->srp_client_cred); | ||
276 | #endif | ||
277 | |||
278 | diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c | ||
279 | index 19df847..62d2b00 100644 | ||
280 | --- a/lib/vtls/mbedtls.c | ||
281 | +++ b/lib/vtls/mbedtls.c | ||
282 | @@ -245,7 +245,7 @@ mbed_connect_step1(struct connectdata *conn, | ||
283 | const bool verifypeer = SSL_CONN_CONFIG(verifypeer); | ||
284 | const char * const ssl_capath = SSL_CONN_CONFIG(CApath); | ||
285 | char * const ssl_cert = SSL_SET_OPTION(cert); | ||
286 | - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); | ||
287 | + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); | ||
288 | const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : | ||
289 | conn->host.name; | ||
290 | const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; | ||
291 | diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c | ||
292 | index 86102f7..62fd7a2 100644 | ||
293 | --- a/lib/vtls/nss.c | ||
294 | +++ b/lib/vtls/nss.c | ||
295 | @@ -1955,13 +1955,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) | ||
296 | } | ||
297 | } | ||
298 | |||
299 | - if(SSL_SET_OPTION(CRLfile)) { | ||
300 | - const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); | ||
301 | + if(SSL_SET_OPTION(primary.CRLfile)) { | ||
302 | + const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); | ||
303 | if(rv) { | ||
304 | result = rv; | ||
305 | goto error; | ||
306 | } | ||
307 | - infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile)); | ||
308 | + infof(data, " CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile)); | ||
309 | } | ||
310 | |||
311 | if(SSL_SET_OPTION(cert)) { | ||
312 | diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c | ||
313 | index a14cecc..ec5a8f5 100644 | ||
314 | --- a/lib/vtls/openssl.c | ||
315 | +++ b/lib/vtls/openssl.c | ||
316 | @@ -2454,14 +2454,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) | ||
317 | &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; | ||
318 | const long int ssl_version = SSL_CONN_CONFIG(version); | ||
319 | #ifdef USE_TLS_SRP | ||
320 | - const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); | ||
321 | + const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); | ||
322 | #endif | ||
323 | char * const ssl_cert = SSL_SET_OPTION(cert); | ||
324 | const char * const ssl_cert_type = SSL_SET_OPTION(cert_type); | ||
325 | const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); | ||
326 | const char * const ssl_capath = SSL_CONN_CONFIG(CApath); | ||
327 | const bool verifypeer = SSL_CONN_CONFIG(verifypeer); | ||
328 | - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); | ||
329 | + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); | ||
330 | char error_buffer[256]; | ||
331 | |||
332 | DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); | ||
333 | @@ -2741,15 +2741,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) | ||
334 | #ifdef USE_TLS_SRP | ||
335 | if((ssl_authtype == CURL_TLSAUTH_SRP) && | ||
336 | Curl_allow_auth_to_host(data)) { | ||
337 | - char * const ssl_username = SSL_SET_OPTION(username); | ||
338 | - | ||
339 | + char * const ssl_username = SSL_SET_OPTION(primary.username); | ||
340 | + char * const ssl_password = SSL_SET_OPTION(primary.password); | ||
341 | infof(data, "Using TLS-SRP username: %s\n", ssl_username); | ||
342 | |||
343 | if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) { | ||
344 | failf(data, "Unable to set SRP user name"); | ||
345 | return CURLE_BAD_FUNCTION_ARGUMENT; | ||
346 | } | ||
347 | - if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) { | ||
348 | + if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) { | ||
349 | failf(data, "failed setting SRP password"); | ||
350 | return CURLE_BAD_FUNCTION_ARGUMENT; | ||
351 | } | ||
352 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
353 | index e38f74e..e8cb70f 100644 | ||
354 | --- a/lib/vtls/vtls.c | ||
355 | +++ b/lib/vtls/vtls.c | ||
356 | @@ -89,6 +89,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, | ||
357 | { | ||
358 | if((data->version == needle->version) && | ||
359 | (data->version_max == needle->version_max) && | ||
360 | + (data->ssl_options == needle->ssl_options) && | ||
361 | (data->verifypeer == needle->verifypeer) && | ||
362 | (data->verifyhost == needle->verifyhost) && | ||
363 | (data->verifystatus == needle->verifystatus) && | ||