File curl-CVE-2022-27782.patch of Package curl.27750
From c3f8e4e2b4a334697e7ce3168495f20a46b398bd Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 3 May 2022 09:31:11 +0200
Subject: [PATCH 1/2] tls: check more TLS details for connection reuse
CVE-2022-27782
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
---
lib/setopt.c | 29 +++++++++++++++++------------
lib/url.c | 23 ++++++++++++++++-------
lib/urldata.h | 13 +++++++------
lib/vtls/gtls.c | 32 +++++++++++++++++---------------
lib/vtls/openssl.c | 10 +++++-----
lib/vtls/vtls.c | 20 ++++++++++++++++++++
6 files changed, 82 insertions(+), 45 deletions(-)
Index: curl-7.79.1/lib/setopt.c
===================================================================
--- curl-7.79.1.orig/lib/setopt.c
+++ curl-7.79.1/lib/setopt.c
@@ -2311,6 +2311,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *
case CURLOPT_SSL_OPTIONS:
arg = va_arg(param, long);
+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
@@ -2324,6 +2325,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_SSL_OPTIONS:
arg = va_arg(param, long);
+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
@@ -2740,49 +2742,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *
case CURLOPT_TLSAUTH_USERNAME:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
+ !data->set.ssl.primary.authtype)
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
break;
case CURLOPT_PROXY_TLSAUTH_USERNAME:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
va_arg(param, char *));
#ifndef CURL_DISABLE_PROXY
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
- !data->set.proxy_ssl.authtype)
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ !data->set.proxy_ssl.primary.authtype)
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
+ SRP */
#endif
break;
case CURLOPT_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
+ !data->set.ssl.primary.authtype)
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
break;
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
va_arg(param, char *));
#ifndef CURL_DISABLE_PROXY
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
- !data->set.proxy_ssl.authtype)
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ !data->set.proxy_ssl.primary.authtype)
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
#endif
break;
case CURLOPT_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
if(!argptr ||
strncasecompare(argptr, "SRP", strlen("SRP")))
- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
else
- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
break;
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
if(!argptr ||
strncasecompare(argptr, "SRP", strlen("SRP")))
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
else
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
break;
#endif
#endif
Index: curl-7.79.1/lib/url.c
===================================================================
--- curl-7.79.1.orig/lib/url.c
+++ curl-7.79.1/lib/url.c
@@ -547,7 +547,7 @@ CURLcode Curl_init_userdefined(struct Cu
set->ssl.primary.verifypeer = TRUE;
set->ssl.primary.verifyhost = TRUE;
#ifdef USE_TLS_SRP
- set->ssl.authtype = CURL_TLSAUTH_NONE;
+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
#endif
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
type */
@@ -1089,6 +1089,12 @@ static void prune_dead_connections(struc
}
}
+static bool ssh_config_matches(struct connectdata *one,
+ struct connectdata *two)
+{
+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
+}
/*
* Given one filled in connection struct (named needle), this function should
* detect if there already is one that has all the significant details
@@ -1348,6 +1354,11 @@ ConnectionExists(struct Curl_easy *data,
(data->state.httpwant < CURL_HTTP_VERSION_2_0))
continue;
+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
+
if((needle->handler->flags&PROTOPT_SSL)
#ifndef CURL_DISABLE_PROXY
|| !needle->bits.httpproxy || needle->bits.tunnel_proxy
@@ -1748,11 +1759,17 @@ static struct connectdata *allocate_conn
conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
+#ifdef USE_TLS_SRP
+#endif
#ifndef CURL_DISABLE_PROXY
conn->proxy_ssl_config.verifystatus =
data->set.proxy_ssl.primary.verifystatus;
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
+#ifdef USE_TLS_SRP
+#endif
#endif
conn->ip_version = data->set.ipver;
conn->bits.connect_only = data->set.connect_only;
@@ -3813,7 +3830,8 @@ static CURLcode create_conn(struct Curl_
data->set.str[STRING_SSL_ISSUERCERT_PROXY];
data->set.proxy_ssl.primary.issuercert_blob =
data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+ data->set.proxy_ssl.primary.CRLfile =
+ data->set.str[STRING_SSL_CRLFILE_PROXY];
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
@@ -3821,18 +3839,20 @@ static CURLcode create_conn(struct Curl_
data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
#endif
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
data->set.ssl.key = data->set.str[STRING_KEY];
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
#ifdef USE_TLS_SRP
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
#ifndef CURL_DISABLE_PROXY
- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ data->set.proxy_ssl.primary.username =
+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+ data->set.proxy_ssl.primary.password =
+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
#endif
#endif
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
Index: curl-7.79.1/lib/urldata.h
===================================================================
--- curl-7.79.1.orig/lib/urldata.h
+++ curl-7.79.1/lib/urldata.h
@@ -253,10 +253,17 @@ struct ssl_primary_config {
char *cipher_list; /* list of ciphers to use */
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
char *pinned_key;
+ char *CRLfile; /* CRL to check certificate revocation */
struct curl_blob *cert_blob;
struct curl_blob *ca_info_blob;
struct curl_blob *issuercert_blob;
+#ifdef USE_TLS_SRP
+ char *username; /* TLS username (for, e.g., SRP) */
+ char *password; /* TLS password (for, e.g., SRP) */
+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+#endif
char *curves; /* list of curves to use */
+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
BIT(verifypeer); /* set TRUE if this is desired */
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
BIT(verifystatus); /* set TRUE if certificate status must be checked */
@@ -266,7 +273,6 @@ struct ssl_primary_config {
struct ssl_config_data {
struct ssl_primary_config primary;
long certverifyresult; /* result from the certificate verification */
- char *CRLfile; /* CRL to check certificate revocation */
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
void *fsslctxp; /* parameter for call back */
char *cert_type; /* format for certificate (default: PEM)*/
@@ -274,11 +280,6 @@ struct ssl_config_data {
struct curl_blob *key_blob;
char *key_type; /* format for private key (default: PEM) */
char *key_passwd; /* plain text private key password */
-#ifdef USE_TLS_SRP
- char *username; /* TLS username (for, e.g., SRP) */
- char *password; /* TLS password (for, e.g., SRP) */
- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
-#endif
BIT(certinfo); /* gather lots of certificate info */
BIT(falsestart);
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
Index: curl-7.79.1/lib/vtls/gtls.c
===================================================================
--- curl-7.79.1.orig/lib/vtls/gtls.c
+++ curl-7.79.1/lib/vtls/gtls.c
@@ -431,8 +431,8 @@ gtls_connect_step1(struct Curl_easy *dat
}
#ifdef HAVE_GNUTLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP))
+ infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(primary.username));
rc = gnutls_srp_allocate_client_credentials(
&backend->srp_client_cred);
@@ -443,8 +443,8 @@ gtls_connect_step1(struct Curl_easy *dat
}
rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
- SSL_SET_OPTION(username),
- SSL_SET_OPTION(password));
+ SSL_SET_OPTION(primary.username),
+ SSL_SET_OPTION(primary.password));
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_set_client_cred() failed: %s",
gnutls_strerror(rc));
@@ -500,19 +500,19 @@ gtls_connect_step1(struct Curl_easy *dat
}
#endif
- if(SSL_SET_OPTION(CRLfile)) {
+ if(SSL_SET_OPTION(primary.CRLfile)) {
/* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(backend->cred,
- SSL_SET_OPTION(CRLfile),
+ SSL_SET_OPTION(primary.CRLfile),
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
failf(data, "error reading crl file %s (%s)",
- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
return CURLE_SSL_CRL_BADFILE;
}
else
infof(data, "found %d CRL in %s",
- rc, SSL_SET_OPTION(CRLfile));
+ rc, SSL_SET_OPTION(primary.CRLfile));
}
/* Initialize TLS session as a client */
@@ -585,7 +585,7 @@ gtls_connect_step1(struct Curl_easy *dat
#ifdef HAVE_GNUTLS_SRP
/* Only add SRP to the cipher list if SRP is requested. Otherwise
* GnuTLS will disable TLS 1.3 support. */
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
size_t len = strlen(prioritylist);
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
@@ -677,7 +677,7 @@ gtls_connect_step1(struct Curl_easy *dat
#ifdef HAVE_GNUTLS_SRP
/* put the credentials to the current session */
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
backend->srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
@@ -858,8 +858,8 @@ gtls_connect_step3(struct Curl_easy *dat
SSL_CONN_CONFIG(verifyhost) ||
SSL_CONN_CONFIG(issuercert)) {
#ifdef HAVE_GNUTLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
- && SSL_SET_OPTION(username) != NULL
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(primary.username)
&& !SSL_CONN_CONFIG(verifypeer)
&& gnutls_cipher_get(session)) {
/* no peer cert, but auth is ok if we have SRP user and cipher and no
@@ -917,7 +917,8 @@ gtls_connect_step3(struct Curl_easy *dat
failf(data, "server certificate verification failed. CAfile: %s "
"CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
"none",
- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
+ SSL_SET_OPTION(primary.CRLfile) ?
+ SSL_SET_OPTION(primary.CRLfile) : "none");
return CURLE_PEER_FAILED_VERIFICATION;
}
else
@@ -1530,8 +1531,8 @@ static int gtls_shutdown(struct Curl_eas
gnutls_certificate_free_credentials(backend->cred);
#ifdef HAVE_GNUTLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
- && SSL_SET_OPTION(username) != NULL)
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(primary.username) != NULL)
gnutls_srp_free_client_credentials(backend->srp_client_cred);
#endif
Index: curl-7.79.1/lib/vtls/openssl.c
===================================================================
--- curl-7.79.1.orig/lib/vtls/openssl.c
+++ curl-7.79.1/lib/vtls/openssl.c
@@ -2609,7 +2609,7 @@ static CURLcode ossl_connect_step1(struc
#endif
const long int ssl_version = SSL_CONN_CONFIG(version);
#ifdef USE_OPENSSL_SRP
- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
#endif
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
@@ -2620,7 +2620,7 @@ static CURLcode ossl_connect_step1(struc
(ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
char error_buffer[256];
struct ssl_backend_data *backend = connssl->backend;
bool imported_native_ca = false;
@@ -2871,15 +2871,15 @@ static CURLcode ossl_connect_step1(struc
#ifdef USE_OPENSSL_SRP
if((ssl_authtype == CURL_TLSAUTH_SRP) &&
Curl_allow_auth_to_host(data)) {
- char * const ssl_username = SSL_SET_OPTION(username);
-
+ char * const ssl_username = SSL_SET_OPTION(primary.username);
+ char * const ssl_password = SSL_SET_OPTION(primary.password);
infof(data, "Using TLS-SRP username: %s", ssl_username);
if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
failf(data, "Unable to set SRP user name");
return CURLE_BAD_FUNCTION_ARGUMENT;
}
- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
failf(data, "failed setting SRP password");
return CURLE_BAD_FUNCTION_ARGUMENT;
}
Index: curl-7.79.1/lib/vtls/vtls.c
===================================================================
--- curl-7.79.1.orig/lib/vtls/vtls.c
+++ curl-7.79.1/lib/vtls/vtls.c
@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_prima
{
if((data->version == needle->version) &&
(data->version_max == needle->version_max) &&
+ (data->ssl_options == needle->ssl_options) &&
(data->verifypeer == needle->verifypeer) &&
(data->verifyhost == needle->verifyhost) &&
(data->verifystatus == needle->verifystatus) &&
@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_prima
Curl_safecmp(data->clientcert, needle->clientcert) &&
Curl_safecmp(data->random_file, needle->random_file) &&
Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+#ifdef USE_TLS_SRP
+ Curl_safecmp(data->username, needle->username) &&
+ Curl_safecmp(data->password, needle->password) &&
+ (data->authtype == needle->authtype) &&
+#endif
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
Curl_safe_strcasecompare(data->curves, needle->curves) &&
+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
return TRUE;
@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl
dest->verifyhost = source->verifyhost;
dest->verifystatus = source->verifystatus;
dest->sessionid = source->sessionid;
+ dest->ssl_options = source->ssl_options;
+#ifdef USE_TLS_SRP
+ dest->authtype = source->authtype;
+#endif
CLONE_BLOB(cert_blob);
CLONE_BLOB(ca_info_blob);
@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl
CLONE_STRING(cipher_list13);
CLONE_STRING(pinned_key);
CLONE_STRING(curves);
+ CLONE_STRING(CRLfile);
+#ifdef USE_TLS_SRP
+ CLONE_STRING(username);
+ CLONE_STRING(password);
+#endif
return TRUE;
}
@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct
Curl_safefree(sslc->ca_info_blob);
Curl_safefree(sslc->issuercert_blob);
Curl_safefree(sslc->curves);
+ Curl_safefree(sslc->CRLfile);
+#ifdef USE_TLS_SRP
+ Curl_safefree(sslc->username);
+ Curl_safefree(sslc->password);
+#endif
}
#ifdef USE_SSL
Index: curl-7.79.1/lib/vssh/ssh.h
===================================================================
--- curl-7.79.1.orig/lib/vssh/ssh.h
+++ curl-7.79.1/lib/vssh/ssh.h
@@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -131,8 +131,8 @@ struct ssh_conn {
/* common */
const char *passphrase; /* pass-phrase to use */
- char *rsa_pub; /* path name */
- char *rsa; /* path name */
+ char *rsa_pub; /* strdup'ed public key file */
+ char *rsa; /* strdup'ed private key file */
bool authed; /* the connection has been authenticated fine */
bool acceptfail; /* used by the SFTP_QUOTE (continue if
quote command fails) */