File curl-CVE-2021-22890.patch of Package curl.27751

From 9b95b5ecd48d15860da58ef5748da37da242baed Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 19 Mar 2021 12:38:49 +0100
Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()

To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html

CVE-2021-22890

Index: curl-7.66.0/lib/vtls/gtls.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/gtls.c
+++ curl-7.66.0/lib/vtls/gtls.c
@@ -933,7 +933,8 @@ gtls_connect_step1(struct connectdata *c
     size_t ssl_idsize;
 
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, &ssl_idsize, sockindex)) {
       /* we got a session id, use it! */
       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
 
@@ -1481,8 +1482,8 @@ gtls_connect_step3(struct connectdata *c
       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
 
       Curl_ssl_sessionid_lock(conn);
-      incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
-                                        sockindex));
+      incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                                        &ssl_sessionid, NULL, sockindex));
       if(incache) {
         /* there was one before in the cache, so instead of risking that the
            previous one was rejected, we just kill that and store the new */
@@ -1490,7 +1491,8 @@ gtls_connect_step3(struct connectdata *c
       }
 
       /* store this session id */
-      result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
+      result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                                     connect_sessionid, connect_idsize,
                                      sockindex);
       Curl_ssl_sessionid_unlock(conn);
       if(result) {
Index: curl-7.66.0/lib/vtls/mbedtls.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/mbedtls.c
+++ curl-7.66.0/lib/vtls/mbedtls.c
@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *c
     void *old_session = NULL;
 
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &old_session, NULL, sockindex)) {
       ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session);
       if(ret) {
         Curl_ssl_sessionid_unlock(conn);
@@ -706,6 +707,7 @@ mbed_connect_step3(struct connectdata *c
     int ret;
     mbedtls_ssl_session *our_ssl_sessionid;
     void *old_ssl_sessionid = NULL;
+    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
 
     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
     if(!our_ssl_sessionid)
@@ -724,10 +726,12 @@ mbed_connect_step3(struct connectdata *c
 
     /* If there's already a matching session in the cache, delete it */
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
+    if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
+                              sockindex))
       Curl_ssl_delsessionid(conn, old_ssl_sessionid);
 
-    retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
+    retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0,
+                                    sockindex);
     Curl_ssl_sessionid_unlock(conn);
     if(retcode) {
       mbedtls_ssl_session_free(our_ssl_sessionid);
Index: curl-7.66.0/lib/vtls/mesalink.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/mesalink.c
+++ curl-7.66.0/lib/vtls/mesalink.c
@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdat
     void *ssl_sessionid = NULL;
 
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, NULL, sockindex)) {
       /* we got a session id, use it! */
       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
         Curl_ssl_sessionid_unlock(conn);
@@ -347,12 +348,13 @@ mesalink_connect_step3(struct connectdat
     bool incache;
     SSL_SESSION *our_ssl_sessionid;
     void *old_ssl_sessionid = NULL;
+    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
 
     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
 
     Curl_ssl_sessionid_lock(conn);
     incache =
-      !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
+      !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex));
     if(incache) {
       if(old_ssl_sessionid != our_ssl_sessionid) {
         infof(data, "old SSL session ID is stale, removing\n");
@@ -363,7 +365,7 @@ mesalink_connect_step3(struct connectdat
 
     if(!incache) {
       result = Curl_ssl_addsessionid(
-        conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
+        conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);
       if(result) {
         Curl_ssl_sessionid_unlock(conn);
         failf(data, "failed to store ssl session");
Index: curl-7.66.0/lib/vtls/openssl.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/openssl.c
+++ curl-7.66.0/lib/vtls/openssl.c
@@ -424,6 +424,18 @@ static int ossl_get_ssl_sockindex_index(
   return ssl_ex_data_sockindex_index;
 }
 
+/* Return an extra data index for proxy boolean.
+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
+ */
+static int ossl_get_proxy_index(void)
+{
+  static int proxy_index = -1;
+  if(proxy_index < 0) {
+    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+  }
+  return proxy_index;
+}
+
 static int passwd_callback(char *buf, int num, int encrypting,
                            void *global_passwd)
 {
@@ -1063,7 +1075,8 @@ static int Curl_ossl_init(void)
 #endif
 
   /* Initialize the extra data indexes */
-  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
+  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 ||
+     ossl_get_proxy_index() < 0)
     return 0;
 
   return 1;
@@ -2348,8 +2361,10 @@ static int ossl_new_session_cb(SSL *ssl,
   curl_socket_t *sockindex_ptr;
   int connectdata_idx = ossl_get_ssl_conn_index();
   int sockindex_idx = ossl_get_ssl_sockindex_index();
+  int proxy_idx = ossl_get_proxy_index();
+  bool isproxy;
 
-  if(connectdata_idx < 0 || sockindex_idx < 0)
+  if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
     return 0;
 
   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
@@ -2362,13 +2377,18 @@ static int ossl_new_session_cb(SSL *ssl,
   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
   sockindex = (int)(sockindex_ptr - conn->sock);
 
+  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
+
   if(SSL_SET_OPTION(primary.sessionid)) {
     bool incache;
     void *old_ssl_sessionid = NULL;
 
     Curl_ssl_sessionid_lock(conn);
-    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
-                                      sockindex));
+    if(isproxy)
+      incache = FALSE;
+    else
+      incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
+                                        NULL, sockindex));
     if(incache) {
       if(old_ssl_sessionid != ssl_sessionid) {
         infof(data, "old SSL session ID is stale, removing\n");
@@ -2378,7 +2398,7 @@ static int ossl_new_session_cb(SSL *ssl,
     }
 
     if(!incache) {
-      if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
+      if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
                                       0 /* unknown size */, sockindex)) {
         /* the session has been put into the session cache */
         res = 1;
@@ -2863,16 +2883,20 @@ static CURLcode ossl_connect_step1(struc
     void *ssl_sessionid = NULL;
     int connectdata_idx = ossl_get_ssl_conn_index();
     int sockindex_idx = ossl_get_ssl_sockindex_index();
+    int proxy_idx = ossl_get_proxy_index();
 
-    if(connectdata_idx >= 0 && sockindex_idx >= 0) {
+    if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
       /* Store the data needed for the "new session" callback.
        * The sockindex is stored as a pointer to an array element. */
       SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
       SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
+      SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
+                      NULL);
     }
 
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, NULL, sockindex)) {
       /* we got a session id, use it! */
       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
         Curl_ssl_sessionid_unlock(conn);
Index: curl-7.66.0/lib/vtls/schannel.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/schannel.c
+++ curl-7.66.0/lib/vtls/schannel.c
@@ -497,7 +497,8 @@ schannel_connect_step1(struct connectdat
   /* check for an existing re-usable credential handle */
   if(SSL_SET_OPTION(primary.sessionid)) {
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              (void **)&old_cred, NULL, sockindex)) {
       BACKEND->cred = old_cred;
       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
 
@@ -1204,8 +1205,9 @@ schannel_connect_step3(struct connectdat
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   SECURITY_STATUS sspi_status = SEC_E_OK;
   CERT_CONTEXT *ccert_context = NULL;
+  bool isproxy = SSL_IS_PROXY();
 #ifdef DEBUGBUILD
-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+  const char * const hostname = isproxy ? conn->http_proxy.host.name :
     conn->host.name;
 #endif
 #ifdef HAS_ALPN
@@ -1279,8 +1281,8 @@ schannel_connect_step3(struct connectdat
     struct curl_schannel_cred *old_cred = NULL;
 
     Curl_ssl_sessionid_lock(conn);
-    incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
-                                      sockindex));
+    incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred,
+                                      NULL, sockindex));
     if(incache) {
       if(old_cred != BACKEND->cred) {
         DEBUGF(infof(data,
@@ -1291,7 +1293,7 @@ schannel_connect_step3(struct connectdat
       }
     }
     if(!incache) {
-      result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
+      result = Curl_ssl_addsessionid(conn, isproxy, BACKEND->cred,
                                      sizeof(struct curl_schannel_cred),
                                      sockindex);
       if(result) {
Index: curl-7.66.0/lib/vtls/sectransp.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/sectransp.c
+++ curl-7.66.0/lib/vtls/sectransp.c
@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(
   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
   char * const ssl_cert = SSL_SET_OPTION(cert);
-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+  bool isproxy = SSL_IS_PROXY();
+  const char * const hostname = isproxy ? conn->http_proxy.host.name :
     conn->host.name;
   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
 #ifdef ENABLE_IPV6
@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(
 
 #ifdef USE_NGHTTP2
       if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
-         (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
+         (!isproxy || !conn->bits.tunnel_proxy)) {
         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
         infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
       }
@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(
     size_t ssl_sessionid_len;
 
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
+    if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
                               &ssl_sessionid_len, sockindex)) {
       /* we got a session id, use it! */
       err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
@@ -1944,8 +1945,8 @@ static CURLcode sectransp_connect_step1(
         return CURLE_SSL_CONNECT_ERROR;
       }
 
-      result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
-                                     sockindex);
+      result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+                                     ssl_sessionid_len, sockindex);
       Curl_ssl_sessionid_unlock(conn);
       if(result) {
         failf(data, "failed to store ssl session");
Index: curl-7.66.0/lib/vtls/vtls.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/vtls.c
+++ curl-7.66.0/lib/vtls/vtls.c
@@ -302,6 +302,7 @@ void Curl_ssl_sessionid_unlock(struct co
  * there's one suitable, it is provided. Returns TRUE when no entry matched.
  */
 bool Curl_ssl_getsessionid(struct connectdata *conn,
+                           const bool isProxy,
                            void **ssl_sessionid,
                            size_t *idsize, /* set 0 if unknown */
                            int sockindex)
@@ -312,7 +313,6 @@ bool Curl_ssl_getsessionid(struct connec
   long *general_age;
   bool no_match = TRUE;
 
-  const bool isProxy = CONNECT_PROXY_SSL();
   struct ssl_primary_config * const ssl_config = isProxy ?
     &conn->proxy_ssl_config :
     &conn->ssl_config;
@@ -408,6 +408,7 @@ void Curl_ssl_delsessionid(struct connec
  * later on.
  */
 CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+                               bool isProxy,
                                void *ssl_sessionid,
                                size_t idsize,
                                int sockindex)
@@ -420,7 +421,6 @@ CURLcode Curl_ssl_addsessionid(struct co
   char *clone_conn_to_host;
   int conn_to_port;
   long *general_age;
-  const bool isProxy = CONNECT_PROXY_SSL();
   struct ssl_primary_config * const ssl_config = isProxy ?
     &conn->proxy_ssl_config :
     &conn->ssl_config;
Index: curl-7.66.0/lib/vtls/vtls.h
===================================================================
--- curl-7.66.0.orig/lib/vtls/vtls.h
+++ curl-7.66.0/lib/vtls/vtls.h
@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct co
  * under sessionid mutex).
  */
 bool Curl_ssl_getsessionid(struct connectdata *conn,
+                           const bool isproxy,
                            void **ssl_sessionid,
                            size_t *idsize, /* set 0 if unknown */
                            int sockindex);
@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connec
  * object with cache (e.g. incrementing refcount on success)
  */
 CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+                               const bool isproxy,
                                void *ssl_sessionid,
                                size_t idsize,
                                int sockindex);
Index: curl-7.66.0/lib/vtls/wolfssl.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/wolfssl.c
+++ curl-7.66.0/lib/vtls/wolfssl.c
@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata
     void *ssl_sessionid = NULL;
 
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, NULL, sockindex)) {
       /* we got a session id, use it! */
       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -616,11 +617,13 @@ wolfssl_connect_step3(struct connectdata
     bool incache;
     SSL_SESSION *our_ssl_sessionid;
     void *old_ssl_sessionid = NULL;
+    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
 
     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
 
     Curl_ssl_sessionid_lock(conn);
-    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+    incache = !(Curl_ssl_getsessionid(conn, isproxy,
+                                      &old_ssl_sessionid, NULL,
                                       sockindex));
     if(incache) {
       if(old_ssl_sessionid != our_ssl_sessionid) {
@@ -631,7 +634,7 @@ wolfssl_connect_step3(struct connectdata
     }
 
     if(!incache) {
-      result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
+      result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid,
                                      0 /* unknown size */, sockindex);
       if(result) {
         Curl_ssl_sessionid_unlock(conn);
Index: curl-7.66.0/lib/vtls/polarssl.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/polarssl.c
+++ curl-7.66.0/lib/vtls/polarssl.c
@@ -389,7 +389,8 @@ polarssl_connect_step1(struct connectdat
     void *old_session = NULL;
 
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &old_session, NULL, sockindex)) {
       ret = ssl_set_session(&BACKEND->ssl, old_session);
       if(ret) {
         Curl_ssl_sessionid_unlock(conn);
@@ -632,10 +633,12 @@ polarssl_connect_step3(struct connectdat
 
     /* If there's already a matching session in the cache, delete it */
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &old_ssl_sessionid, NULL, sockindex))
       Curl_ssl_delsessionid(conn, old_ssl_sessionid);
 
-    retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
+    retcode = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                                    our_ssl_sessionid, 0, sockindex);
     Curl_ssl_sessionid_unlock(conn);
     if(retcode) {
       free(our_ssl_sessionid);
openSUSE Build Service is sponsored by