1 files changed, 363 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
new file mode 100644
index 0000000000..6b6d0e1938
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
@@ -0,0 +1,363 @@
+From 907a16c832d9ce0ffa7e9b2297548063095a7242 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH] tls: check more TLS details for connection reuse
+CVE-2022-27782
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/setopt.c       | 29 +++++++++++++++++------------
+ lib/url.c          | 17 ++++++++++-------
+ lib/urldata.h      | 13 +++++++------
+ lib/vtls/gtls.c    | 30 ++++++++++++++++--------------
+ lib/vtls/mbedtls.c |  2 +-
+ lib/vtls/nss.c     |  6 +++---
+ lib/vtls/openssl.c | 10 +++++-----
+ lib/vtls/vtls.c    |  1 +
+ 8 files changed, 60 insertions(+), 48 deletions(-)
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 4648c87..bebb2e4 100644
+--- a/lib/setopt.c
+++ b/lib/setopt.c
+@@ -2130,6 +2130,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ 
+   case CURLOPT_SSL_OPTIONS:
+     arg = va_arg(param, long);
+    data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.ssl.enable_beast =
+       (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
+     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+@@ -2139,6 +2140,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_SSL_OPTIONS:
+     arg = va_arg(param, long);
+    data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.proxy_ssl.enable_beast =
+       (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
+     data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+@@ -2541,44 +2543,47 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+   case CURLOPT_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
+       !data->set.ssl.primary.authtype)
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
+   case CURLOPT_PROXY_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
+                             va_arg(param, char *));
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+       !data->set.proxy_ssl.primary.authtype)
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
+                                                                  SRP */
+     break;
+   case CURLOPT_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
+       !data->set.ssl.primary.authtype)
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
+   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
+                             va_arg(param, char *));
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+       !data->set.proxy_ssl.primary.authtype)
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+     break;
+   case CURLOPT_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
+      data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+   case CURLOPT_PROXY_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+ #endif
+ #ifdef USE_ARES
+diff --git a/lib/url.c b/lib/url.c
+index efa3dc7..6518be9 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -482,7 +482,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+   set->ssl.primary.verifypeer = TRUE;
+   set->ssl.primary.verifyhost = TRUE;
+ #ifdef USE_TLS_SRP
+-  set->ssl.authtype = CURL_TLSAUTH_NONE;
+  set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ #endif
+   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+                                                       type */
+@@ -3594,8 +3594,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.primary.pinned_key =
+     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
+ 
+-  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+-  data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+  data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+  data->set.proxy_ssl.primary.CRLfile =
+    data->set.str[STRING_SSL_CRLFILE_PROXY];
+   data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
+   data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+@@ -3609,10 +3610,12 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
+   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
+ #ifdef USE_TLS_SRP
+-  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
+-  data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+-  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
+-  data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+  data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
+  data->set.proxy_ssl.primary.username =
+    data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+  data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
+  data->set.proxy_ssl.primary.password =
+    data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ 
+   if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ab1b267..ad0ef8f 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -231,6 +231,13 @@ struct ssl_primary_config {
+   char *cipher_list;     /* list of ciphers to use */
+   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
+   char *pinned_key;
+  char *CRLfile;         /* CRL to check certificate revocation */
+  #ifdef USE_TLS_SRP
+    char *username; /* TLS username (for, e.g., SRP) */
+    char *password; /* TLS password (for, e.g., SRP) */
+    enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+  #endif
+  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
+   BIT(verifypeer);       /* set TRUE if this is desired */
+   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
+   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
+@@ -240,7 +247,6 @@ struct ssl_primary_config {
+ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+-  char *CRLfile;   /* CRL to check certificate revocation */
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert; /* client certificate file name */
+@@ -248,11 +254,6 @@ struct ssl_config_data {
+   char *key; /* private key file name */
+   char *key_type; /* format for private key (default: PEM) */
+   char *key_passwd; /* plain text private key password */
+-#ifdef USE_TLS_SRP
+-  char *username; /* TLS username (for, e.g., SRP) */
+-  char *password; /* TLS password (for, e.g., SRP) */
+-  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+-#endif
+   BIT(certinfo);     /* gather lots of certificate info */
+   BIT(falsestart);
+   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 3d0758d..92c301c 100644
+--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
+@@ -581,9 +581,10 @@ gtls_connect_step1(struct connectdata *conn,
+   }
+ 
+ #ifdef USE_TLS_SRP
+-  if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
+  if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
+      Curl_allow_auth_to_host(data)) {
+-    infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
+    infof(data, "Using TLS-SRP username: %s\n",
+          SSL_SET_OPTION(primary.username));
+ 
+     rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred);
+     if(rc != GNUTLS_E_SUCCESS) {
+@@ -593,8 +594,8 @@ gtls_connect_step1(struct connectdata *conn,
+     }
+ 
+     rc = gnutls_srp_set_client_credentials(BACKEND->srp_client_cred,
+-                                           SSL_SET_OPTION(username),
+-                                           SSL_SET_OPTION(password));
+                                           SSL_SET_OPTION(primary.username),
+                                           SSL_SET_OPTION(primary.password));
+     if(rc != GNUTLS_E_SUCCESS) {
+       failf(data, "gnutls_srp_set_client_cred() failed: %s",
+             gnutls_strerror(rc));
+@@ -648,19 +649,19 @@ gtls_connect_step1(struct connectdata *conn,
+   }
+ #endif
+ 
+-  if(SSL_SET_OPTION(CRLfile)) {
+  if(SSL_SET_OPTION(primary.CRLfile)) {
+     /* set the CRL list file */
+     rc = gnutls_certificate_set_x509_crl_file(BACKEND->cred,
+-                                              SSL_SET_OPTION(CRLfile),
+                                              SSL_SET_OPTION(primary.CRLfile),
+                                               GNUTLS_X509_FMT_PEM);
+     if(rc < 0) {
+       failf(data, "error reading crl file %s (%s)",
+-            SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
+            SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
+       return CURLE_SSL_CRL_BADFILE;
+     }
+     else
+       infof(data, "found %d CRL in %s\n",
+-            rc, SSL_SET_OPTION(CRLfile));
+            rc, SSL_SET_OPTION(primary.CRLfile));
+   }
+ 
+   /* Initialize TLS session as a client */
+@@ -879,7 +880,7 @@ gtls_connect_step1(struct connectdata *conn,
+ 
+ #ifdef USE_TLS_SRP
+   /* put the credentials to the current session */
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+     rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+                                 BACKEND->srp_client_cred);
+     if(rc != GNUTLS_E_SUCCESS) {
+@@ -1061,8 +1062,8 @@ gtls_connect_step3(struct connectdata *conn,
+        SSL_CONN_CONFIG(verifyhost) ||
+        SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_TLS_SRP
+-      if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+-         && SSL_SET_OPTION(username) != NULL
+      if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+         && SSL_SET_OPTION(primary.username) != NULL
+          && !SSL_CONN_CONFIG(verifypeer)
+          && gnutls_cipher_get(session)) {
+         /* no peer cert, but auth is ok if we have SRP user and cipher and no
+@@ -1116,7 +1117,8 @@ gtls_connect_step3(struct connectdata *conn,
+         failf(data, "server certificate verification failed. CAfile: %s "
+               "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
+               "none",
+-              SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
+              SSL_SET_OPTION(primary.CRLfile) ?
+              SSL_SET_OPTION(primary.CRLfile) : "none");
+         return CURLE_PEER_FAILED_VERIFICATION;
+       }
+       else
+@@ -1703,8 +1705,8 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex)
+   gnutls_certificate_free_credentials(BACKEND->cred);
+ 
+ #ifdef USE_TLS_SRP
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+-     && SSL_SET_OPTION(username) != NULL)
+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+     && SSL_SET_OPTION(primary.username) != NULL)
+     gnutls_srp_free_client_credentials(BACKEND->srp_client_cred);
+ #endif
+ 
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index 19df847..62d2b00 100644
+--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
+@@ -245,7 +245,7 @@ mbed_connect_step1(struct connectdata *conn,
+   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+   char * const ssl_cert = SSL_SET_OPTION(cert);
+-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+   const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+     conn->host.name;
+   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 86102f7..62fd7a2 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -1955,13 +1955,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+     }
+   }
+ 
+-  if(SSL_SET_OPTION(CRLfile)) {
+-    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
+  if(SSL_SET_OPTION(primary.CRLfile)) {
+    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
+     if(rv) {
+       result = rv;
+       goto error;
+     }
+-    infof(data, "  CRLfile: %s\n", SSL_SET_OPTION(CRLfile));
+    infof(data, "  CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile));
+   }
+ 
+   if(SSL_SET_OPTION(cert)) {
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index a14cecc..ec5a8f5 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -2454,14 +2454,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+     &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
+   const long int ssl_version = SSL_CONN_CONFIG(version);
+ #ifdef USE_TLS_SRP
+-  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
+  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
+ #endif
+   char * const ssl_cert = SSL_SET_OPTION(cert);
+   const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
+   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+   char error_buffer[256];
+ 
+   DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
+@@ -2741,15 +2741,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ #ifdef USE_TLS_SRP
+   if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+      Curl_allow_auth_to_host(data)) {
+-    char * const ssl_username = SSL_SET_OPTION(username);
+-
+    char * const ssl_username = SSL_SET_OPTION(primary.username);
+    char * const ssl_password = SSL_SET_OPTION(primary.password);
+     infof(data, "Using TLS-SRP username: %s\n", ssl_username);
+ 
+     if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) {
+       failf(data, "Unable to set SRP user name");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+-    if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) {
+    if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) {
+       failf(data, "failed setting SRP password");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index e38f74e..e8cb70f 100644
+--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
+@@ -89,6 +89,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ {
+   if((data->version == needle->version) &&
+      (data->version_max == needle->version_max) &&
+     (data->ssl_options == needle->ssl_options) &&
+      (data->verifypeer == needle->verifypeer) &&
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&

diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch new file mode 100644 index 0000000000..6b6d0e1938 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
@@ -0,0 +1,363 @@
	1	From 907a16c832d9ce0ffa7e9b2297548063095a7242 Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Mon, 9 May 2022 23:13:53 +0200
	4	Subject: [PATCH] tls: check more TLS details for connection reuse
	5
	6	CVE-2022-27782
	7
	8	Reported-by: Harry Sintonen
	9	Bug: https://curl.se/docs/CVE-2022-27782.html
	10	Closes #8825
	11
	12	Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
	13	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
	14	---
	15	lib/setopt.c \| 29 +++++++++++++++++------------
	16	lib/url.c \| 17 ++++++++++-------
	17	lib/urldata.h \| 13 +++++++------
	18	lib/vtls/gtls.c \| 30 ++++++++++++++++--------------
	19	lib/vtls/mbedtls.c \| 2 +-
	20	lib/vtls/nss.c \| 6 +++---
	21	lib/vtls/openssl.c \| 10 +++++-----
	22	lib/vtls/vtls.c \| 1 +
	23	8 files changed, 60 insertions(+), 48 deletions(-)
	24
	25	diff --git a/lib/setopt.c b/lib/setopt.c
	26	index 4648c87..bebb2e4 100644
	27	--- a/lib/setopt.c
	28	+++ b/lib/setopt.c
	29	@@ -2130,6 +2130,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
	30
	31	case CURLOPT_SSL_OPTIONS:
	32	arg = va_arg(param, long);
	33	+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
	34	data->set.ssl.enable_beast =
	35	(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
	36	data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
	37	@@ -2139,6 +2140,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
	38	#ifndef CURL_DISABLE_PROXY
	39	case CURLOPT_PROXY_SSL_OPTIONS:
	40	arg = va_arg(param, long);
	41	+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
	42	data->set.proxy_ssl.enable_beast =
	43	(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
	44	data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
	45	@@ -2541,44 +2543,47 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
	46	case CURLOPT_TLSAUTH_USERNAME:
	47	result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
	48	va_arg(param, char *));
	49	- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
	50	- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
	51	+ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
	52	+ !data->set.ssl.primary.authtype)
	53	+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
	54	break;
	55	case CURLOPT_PROXY_TLSAUTH_USERNAME:
	56	result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
	57	va_arg(param, char *));
	58	if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
	59	- !data->set.proxy_ssl.authtype)
	60	- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
	61	+ !data->set.proxy_ssl.primary.authtype)
	62	+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
	63	+ SRP */
	64	break;
	65	case CURLOPT_TLSAUTH_PASSWORD:
	66	result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
	67	va_arg(param, char *));
	68	- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
	69	- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
	70	+ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
	71	+ !data->set.ssl.primary.authtype)
	72	+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
	73	break;
	74	case CURLOPT_PROXY_TLSAUTH_PASSWORD:
	75	result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
	76	va_arg(param, char *));
	77	if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
	78	- !data->set.proxy_ssl.authtype)
	79	- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
	80	+ !data->set.proxy_ssl.primary.authtype)
	81	+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
	82	break;
	83	case CURLOPT_TLSAUTH_TYPE:
	84	argptr = va_arg(param, char *);
	85	if(!argptr \|\|
	86	strncasecompare(argptr, "SRP", strlen("SRP")))
	87	- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
	88	+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
	89	else
	90	- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
	91	+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
	92	break;
	93	case CURLOPT_PROXY_TLSAUTH_TYPE:
	94	argptr = va_arg(param, char *);
	95	if(!argptr \|\|
	96	strncasecompare(argptr, "SRP", strlen("SRP")))
	97	- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
	98	+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
	99	else
	100	- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
	101	+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
	102	break;
	103	#endif
	104	#ifdef USE_ARES
	105	diff --git a/lib/url.c b/lib/url.c
	106	index efa3dc7..6518be9 100644
	107	--- a/lib/url.c
	108	+++ b/lib/url.c
	109	@@ -482,7 +482,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
	110	set->ssl.primary.verifypeer = TRUE;
	111	set->ssl.primary.verifyhost = TRUE;
	112	#ifdef USE_TLS_SRP
	113	- set->ssl.authtype = CURL_TLSAUTH_NONE;
	114	+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
	115	#endif
	116	set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
	117	type */
	118	@@ -3594,8 +3594,9 @@ static CURLcode create_conn(struct Curl_easy *data,
	119	data->set.proxy_ssl.primary.pinned_key =
	120	data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
	121
	122	- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
	123	- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
	124	+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
	125	+ data->set.proxy_ssl.primary.CRLfile =
	126	+ data->set.str[STRING_SSL_CRLFILE_PROXY];
	127	data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
	128	data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
	129	data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
	130	@@ -3609,10 +3610,12 @@ static CURLcode create_conn(struct Curl_easy *data,
	131	data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
	132	data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
	133	#ifdef USE_TLS_SRP
	134	- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
	135	- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
	136	- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
	137	- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
	138	+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
	139	+ data->set.proxy_ssl.primary.username =
	140	+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
	141	+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
	142	+ data->set.proxy_ssl.primary.password =
	143	+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
	144	#endif
	145
	146	if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
	147	diff --git a/lib/urldata.h b/lib/urldata.h
	148	index ab1b267..ad0ef8f 100644
	149	--- a/lib/urldata.h
	150	+++ b/lib/urldata.h
	151	@@ -231,6 +231,13 @@ struct ssl_primary_config {
	152	char cipher_list; / list of ciphers to use */
	153	char cipher_list13; / list of TLS 1.3 cipher suites to use */
	154	char *pinned_key;
	155	+ char CRLfile; / CRL to check certificate revocation */
	156	+ #ifdef USE_TLS_SRP
	157	+ char username; / TLS username (for, e.g., SRP) */
	158	+ char password; / TLS password (for, e.g., SRP) */
	159	+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
	160	+ #endif
	161	+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
	162	BIT(verifypeer); /* set TRUE if this is desired */
	163	BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
	164	BIT(verifystatus); /* set TRUE if certificate status must be checked */
	165	@@ -240,7 +247,6 @@ struct ssl_primary_config {
	166	struct ssl_config_data {
	167	struct ssl_primary_config primary;
	168	long certverifyresult; /* result from the certificate verification */
	169	- char CRLfile; / CRL to check certificate revocation */
	170	curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
	171	void fsslctxp; / parameter for call back */
	172	char cert; / client certificate file name */
	173	@@ -248,11 +254,6 @@ struct ssl_config_data {
	174	char key; / private key file name */
	175	char key_type; / format for private key (default: PEM) */
	176	char key_passwd; / plain text private key password */
	177	-#ifdef USE_TLS_SRP
	178	- char username; / TLS username (for, e.g., SRP) */
	179	- char password; / TLS password (for, e.g., SRP) */
	180	- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
	181	-#endif
	182	BIT(certinfo); /* gather lots of certificate info */
	183	BIT(falsestart);
	184	BIT(enable_beast); /* allow this flaw for interoperability's sake*/
	185	diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
	186	index 3d0758d..92c301c 100644
	187	--- a/lib/vtls/gtls.c
	188	+++ b/lib/vtls/gtls.c
	189	@@ -581,9 +581,10 @@ gtls_connect_step1(struct connectdata *conn,
	190	}
	191
	192	#ifdef USE_TLS_SRP
	193	- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
	194	+ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
	195	Curl_allow_auth_to_host(data)) {
	196	- infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
	197	+ infof(data, "Using TLS-SRP username: %s\n",
	198	+ SSL_SET_OPTION(primary.username));
	199
	200	rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred);
	201	if(rc != GNUTLS_E_SUCCESS) {
	202	@@ -593,8 +594,8 @@ gtls_connect_step1(struct connectdata *conn,
	203	}
	204
	205	rc = gnutls_srp_set_client_credentials(BACKEND->srp_client_cred,
	206	- SSL_SET_OPTION(username),
	207	- SSL_SET_OPTION(password));
	208	+ SSL_SET_OPTION(primary.username),
	209	+ SSL_SET_OPTION(primary.password));
	210	if(rc != GNUTLS_E_SUCCESS) {
	211	failf(data, "gnutls_srp_set_client_cred() failed: %s",
	212	gnutls_strerror(rc));
	213	@@ -648,19 +649,19 @@ gtls_connect_step1(struct connectdata *conn,
	214	}
	215	#endif
	216
	217	- if(SSL_SET_OPTION(CRLfile)) {
	218	+ if(SSL_SET_OPTION(primary.CRLfile)) {
	219	/* set the CRL list file */
	220	rc = gnutls_certificate_set_x509_crl_file(BACKEND->cred,
	221	- SSL_SET_OPTION(CRLfile),
	222	+ SSL_SET_OPTION(primary.CRLfile),
	223	GNUTLS_X509_FMT_PEM);
	224	if(rc < 0) {
	225	failf(data, "error reading crl file %s (%s)",
	226	- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
	227	+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
	228	return CURLE_SSL_CRL_BADFILE;
	229	}
	230	else
	231	infof(data, "found %d CRL in %s\n",
	232	- rc, SSL_SET_OPTION(CRLfile));
	233	+ rc, SSL_SET_OPTION(primary.CRLfile));
	234	}
	235
	236	/* Initialize TLS session as a client */
	237	@@ -879,7 +880,7 @@ gtls_connect_step1(struct connectdata *conn,
	238
	239	#ifdef USE_TLS_SRP
	240	/* put the credentials to the current session */
	241	- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
	242	+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
	243	rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
	244	BACKEND->srp_client_cred);
	245	if(rc != GNUTLS_E_SUCCESS) {
	246	@@ -1061,8 +1062,8 @@ gtls_connect_step3(struct connectdata *conn,
	247	SSL_CONN_CONFIG(verifyhost) \|\|
	248	SSL_CONN_CONFIG(issuercert)) {
	249	#ifdef USE_TLS_SRP
	250	- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
	251	- && SSL_SET_OPTION(username) != NULL
	252	+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
	253	+ && SSL_SET_OPTION(primary.username) != NULL
	254	&& !SSL_CONN_CONFIG(verifypeer)
	255	&& gnutls_cipher_get(session)) {
	256	/* no peer cert, but auth is ok if we have SRP user and cipher and no
	257	@@ -1116,7 +1117,8 @@ gtls_connect_step3(struct connectdata *conn,
	258	failf(data, "server certificate verification failed. CAfile: %s "
	259	"CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
	260	"none",
	261	- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
	262	+ SSL_SET_OPTION(primary.CRLfile) ?
	263	+ SSL_SET_OPTION(primary.CRLfile) : "none");
	264	return CURLE_PEER_FAILED_VERIFICATION;
	265	}
	266	else
	267	@@ -1703,8 +1705,8 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex)
	268	gnutls_certificate_free_credentials(BACKEND->cred);
	269
	270	#ifdef USE_TLS_SRP
	271	- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
	272	- && SSL_SET_OPTION(username) != NULL)
	273	+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
	274	+ && SSL_SET_OPTION(primary.username) != NULL)
	275	gnutls_srp_free_client_credentials(BACKEND->srp_client_cred);
	276	#endif
	277
	278	diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
	279	index 19df847..62d2b00 100644
	280	--- a/lib/vtls/mbedtls.c
	281	+++ b/lib/vtls/mbedtls.c
	282	@@ -245,7 +245,7 @@ mbed_connect_step1(struct connectdata *conn,
	283	const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
	284	const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
	285	char * const ssl_cert = SSL_SET_OPTION(cert);
	286	- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
	287	+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
	288	const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
	289	conn->host.name;
	290	const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
	291	diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
	292	index 86102f7..62fd7a2 100644
	293	--- a/lib/vtls/nss.c
	294	+++ b/lib/vtls/nss.c
	295	@@ -1955,13 +1955,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
	296	}
	297	}
	298
	299	- if(SSL_SET_OPTION(CRLfile)) {
	300	- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
	301	+ if(SSL_SET_OPTION(primary.CRLfile)) {
	302	+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
	303	if(rv) {
	304	result = rv;
	305	goto error;
	306	}
	307	- infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile));
	308	+ infof(data, " CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile));
	309	}
	310
	311	if(SSL_SET_OPTION(cert)) {
	312	diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
	313	index a14cecc..ec5a8f5 100644
	314	--- a/lib/vtls/openssl.c
	315	+++ b/lib/vtls/openssl.c
	316	@@ -2454,14 +2454,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
	317	&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
	318	const long int ssl_version = SSL_CONN_CONFIG(version);
	319	#ifdef USE_TLS_SRP
	320	- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
	321	+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
	322	#endif
	323	char * const ssl_cert = SSL_SET_OPTION(cert);
	324	const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
	325	const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
	326	const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
	327	const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
	328	- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
	329	+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
	330	char error_buffer[256];
	331
	332	DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
	333	@@ -2741,15 +2741,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
	334	#ifdef USE_TLS_SRP
	335	if((ssl_authtype == CURL_TLSAUTH_SRP) &&
	336	Curl_allow_auth_to_host(data)) {
	337	- char * const ssl_username = SSL_SET_OPTION(username);
	338	-
	339	+ char * const ssl_username = SSL_SET_OPTION(primary.username);
	340	+ char * const ssl_password = SSL_SET_OPTION(primary.password);
	341	infof(data, "Using TLS-SRP username: %s\n", ssl_username);
	342
	343	if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) {
	344	failf(data, "Unable to set SRP user name");
	345	return CURLE_BAD_FUNCTION_ARGUMENT;
	346	}
	347	- if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) {
	348	+ if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) {
	349	failf(data, "failed setting SRP password");
	350	return CURLE_BAD_FUNCTION_ARGUMENT;
	351	}
	352	diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
	353	index e38f74e..e8cb70f 100644
	354	--- a/lib/vtls/vtls.c
	355	+++ b/lib/vtls/vtls.c
	356	@@ -89,6 +89,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
	357	{
	358	if((data->version == needle->version) &&
	359	(data->version_max == needle->version_max) &&
	360	+ (data->ssl_options == needle->ssl_options) &&
	361	(data->verifypeer == needle->verifypeer) &&
	362	(data->verifyhost == needle->verifyhost) &&
	363	(data->verifystatus == needle->verifystatus) &&