File curl-CVE-2021-22890.patch of Package curl.27751
From 9b95b5ecd48d15860da58ef5748da37da242baed Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 19 Mar 2021 12:38:49 +0100
Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
To make sure we set and extract the correct session.
Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html
CVE-2021-22890
Index: curl-7.66.0/lib/vtls/gtls.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/gtls.c
+++ curl-7.66.0/lib/vtls/gtls.c
@@ -933,7 +933,8 @@ gtls_connect_step1(struct connectdata *c
size_t ssl_idsize;
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ &ssl_sessionid, &ssl_idsize, sockindex)) {
/* we got a session id, use it! */
gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
@@ -1481,8 +1482,8 @@ gtls_connect_step3(struct connectdata *c
gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
- sockindex));
+ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ &ssl_sessionid, NULL, sockindex));
if(incache) {
/* there was one before in the cache, so instead of risking that the
previous one was rejected, we just kill that and store the new */
@@ -1490,7 +1491,8 @@ gtls_connect_step3(struct connectdata *c
}
/* store this session id */
- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
+ result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ connect_sessionid, connect_idsize,
sockindex);
Curl_ssl_sessionid_unlock(conn);
if(result) {
Index: curl-7.66.0/lib/vtls/mbedtls.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/mbedtls.c
+++ curl-7.66.0/lib/vtls/mbedtls.c
@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *c
void *old_session = NULL;
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ &old_session, NULL, sockindex)) {
ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session);
if(ret) {
Curl_ssl_sessionid_unlock(conn);
@@ -706,6 +707,7 @@ mbed_connect_step3(struct connectdata *c
int ret;
mbedtls_ssl_session *our_ssl_sessionid;
void *old_ssl_sessionid = NULL;
+ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
if(!our_ssl_sessionid)
@@ -724,10 +726,12 @@ mbed_connect_step3(struct connectdata *c
/* If there's already a matching session in the cache, delete it */
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
+ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
+ sockindex))
Curl_ssl_delsessionid(conn, old_ssl_sessionid);
- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
+ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0,
+ sockindex);
Curl_ssl_sessionid_unlock(conn);
if(retcode) {
mbedtls_ssl_session_free(our_ssl_sessionid);
Index: curl-7.66.0/lib/vtls/mesalink.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/mesalink.c
+++ curl-7.66.0/lib/vtls/mesalink.c
@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdat
void *ssl_sessionid = NULL;
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
Curl_ssl_sessionid_unlock(conn);
@@ -347,12 +348,13 @@ mesalink_connect_step3(struct connectdat
bool incache;
SSL_SESSION *our_ssl_sessionid;
void *old_ssl_sessionid = NULL;
+ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
our_ssl_sessionid = SSL_get_session(BACKEND->handle);
Curl_ssl_sessionid_lock(conn);
incache =
- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
+ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex));
if(incache) {
if(old_ssl_sessionid != our_ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
@@ -363,7 +365,7 @@ mesalink_connect_step3(struct connectdat
if(!incache) {
result = Curl_ssl_addsessionid(
- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
+ conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);
if(result) {
Curl_ssl_sessionid_unlock(conn);
failf(data, "failed to store ssl session");
Index: curl-7.66.0/lib/vtls/openssl.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/openssl.c
+++ curl-7.66.0/lib/vtls/openssl.c
@@ -424,6 +424,18 @@ static int ossl_get_ssl_sockindex_index(
return ssl_ex_data_sockindex_index;
}
+/* Return an extra data index for proxy boolean.
+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
+ */
+static int ossl_get_proxy_index(void)
+{
+ static int proxy_index = -1;
+ if(proxy_index < 0) {
+ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ }
+ return proxy_index;
+}
+
static int passwd_callback(char *buf, int num, int encrypting,
void *global_passwd)
{
@@ -1063,7 +1075,8 @@ static int Curl_ossl_init(void)
#endif
/* Initialize the extra data indexes */
- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
+ if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 ||
+ ossl_get_proxy_index() < 0)
return 0;
return 1;
@@ -2348,8 +2361,10 @@ static int ossl_new_session_cb(SSL *ssl,
curl_socket_t *sockindex_ptr;
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
+ int proxy_idx = ossl_get_proxy_index();
+ bool isproxy;
- if(connectdata_idx < 0 || sockindex_idx < 0)
+ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
return 0;
conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
@@ -2362,13 +2377,18 @@ static int ossl_new_session_cb(SSL *ssl,
sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
sockindex = (int)(sockindex_ptr - conn->sock);
+ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
+
if(SSL_SET_OPTION(primary.sessionid)) {
bool incache;
void *old_ssl_sessionid = NULL;
Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
- sockindex));
+ if(isproxy)
+ incache = FALSE;
+ else
+ incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
+ NULL, sockindex));
if(incache) {
if(old_ssl_sessionid != ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
@@ -2378,7 +2398,7 @@ static int ossl_new_session_cb(SSL *ssl,
}
if(!incache) {
- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
+ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
0 /* unknown size */, sockindex)) {
/* the session has been put into the session cache */
res = 1;
@@ -2863,16 +2883,20 @@ static CURLcode ossl_connect_step1(struc
void *ssl_sessionid = NULL;
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
+ int proxy_idx = ossl_get_proxy_index();
- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
+ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
/* Store the data needed for the "new session" callback.
* The sockindex is stored as a pointer to an array element. */
SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
+ SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
+ NULL);
}
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
Curl_ssl_sessionid_unlock(conn);
Index: curl-7.66.0/lib/vtls/schannel.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/schannel.c
+++ curl-7.66.0/lib/vtls/schannel.c
@@ -497,7 +497,8 @@ schannel_connect_step1(struct connectdat
/* check for an existing re-usable credential handle */
if(SSL_SET_OPTION(primary.sessionid)) {
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ (void **)&old_cred, NULL, sockindex)) {
BACKEND->cred = old_cred;
DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
@@ -1204,8 +1205,9 @@ schannel_connect_step3(struct connectdat
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SECURITY_STATUS sspi_status = SEC_E_OK;
CERT_CONTEXT *ccert_context = NULL;
+ bool isproxy = SSL_IS_PROXY();
#ifdef DEBUGBUILD
- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ const char * const hostname = isproxy ? conn->http_proxy.host.name :
conn->host.name;
#endif
#ifdef HAS_ALPN
@@ -1279,8 +1281,8 @@ schannel_connect_step3(struct connectdat
struct curl_schannel_cred *old_cred = NULL;
Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
- sockindex));
+ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred,
+ NULL, sockindex));
if(incache) {
if(old_cred != BACKEND->cred) {
DEBUGF(infof(data,
@@ -1291,7 +1293,7 @@ schannel_connect_step3(struct connectdat
}
}
if(!incache) {
- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
+ result = Curl_ssl_addsessionid(conn, isproxy, BACKEND->cred,
sizeof(struct curl_schannel_cred),
sockindex);
if(result) {
Index: curl-7.66.0/lib/vtls/sectransp.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/sectransp.c
+++ curl-7.66.0/lib/vtls/sectransp.c
@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
char * const ssl_cert = SSL_SET_OPTION(cert);
- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ bool isproxy = SSL_IS_PROXY();
+ const char * const hostname = isproxy ? conn->http_proxy.host.name :
conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
#ifdef ENABLE_IPV6
@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(
#ifdef USE_NGHTTP2
if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
+ (!isproxy || !conn->bits.tunnel_proxy)) {
CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
}
@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(
size_t ssl_sessionid_len;
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
+ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
&ssl_sessionid_len, sockindex)) {
/* we got a session id, use it! */
err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
@@ -1944,8 +1945,8 @@ static CURLcode sectransp_connect_step1(
return CURLE_SSL_CONNECT_ERROR;
}
- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
- sockindex);
+ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+ ssl_sessionid_len, sockindex);
Curl_ssl_sessionid_unlock(conn);
if(result) {
failf(data, "failed to store ssl session");
Index: curl-7.66.0/lib/vtls/vtls.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/vtls.c
+++ curl-7.66.0/lib/vtls/vtls.c
@@ -302,6 +302,7 @@ void Curl_ssl_sessionid_unlock(struct co
* there's one suitable, it is provided. Returns TRUE when no entry matched.
*/
bool Curl_ssl_getsessionid(struct connectdata *conn,
+ const bool isProxy,
void **ssl_sessionid,
size_t *idsize, /* set 0 if unknown */
int sockindex)
@@ -312,7 +313,6 @@ bool Curl_ssl_getsessionid(struct connec
long *general_age;
bool no_match = TRUE;
- const bool isProxy = CONNECT_PROXY_SSL();
struct ssl_primary_config * const ssl_config = isProxy ?
&conn->proxy_ssl_config :
&conn->ssl_config;
@@ -408,6 +408,7 @@ void Curl_ssl_delsessionid(struct connec
* later on.
*/
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+ bool isProxy,
void *ssl_sessionid,
size_t idsize,
int sockindex)
@@ -420,7 +421,6 @@ CURLcode Curl_ssl_addsessionid(struct co
char *clone_conn_to_host;
int conn_to_port;
long *general_age;
- const bool isProxy = CONNECT_PROXY_SSL();
struct ssl_primary_config * const ssl_config = isProxy ?
&conn->proxy_ssl_config :
&conn->ssl_config;
Index: curl-7.66.0/lib/vtls/vtls.h
===================================================================
--- curl-7.66.0.orig/lib/vtls/vtls.h
+++ curl-7.66.0/lib/vtls/vtls.h
@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct co
* under sessionid mutex).
*/
bool Curl_ssl_getsessionid(struct connectdata *conn,
+ const bool isproxy,
void **ssl_sessionid,
size_t *idsize, /* set 0 if unknown */
int sockindex);
@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connec
* object with cache (e.g. incrementing refcount on success)
*/
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+ const bool isproxy,
void *ssl_sessionid,
size_t idsize,
int sockindex);
Index: curl-7.66.0/lib/vtls/wolfssl.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/wolfssl.c
+++ curl-7.66.0/lib/vtls/wolfssl.c
@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata
void *ssl_sessionid = NULL;
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -616,11 +617,13 @@ wolfssl_connect_step3(struct connectdata
bool incache;
SSL_SESSION *our_ssl_sessionid;
void *old_ssl_sessionid = NULL;
+ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
our_ssl_sessionid = SSL_get_session(BACKEND->handle);
Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+ incache = !(Curl_ssl_getsessionid(conn, isproxy,
+ &old_ssl_sessionid, NULL,
sockindex));
if(incache) {
if(old_ssl_sessionid != our_ssl_sessionid) {
@@ -631,7 +634,7 @@ wolfssl_connect_step3(struct connectdata
}
if(!incache) {
- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
+ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid,
0 /* unknown size */, sockindex);
if(result) {
Curl_ssl_sessionid_unlock(conn);
Index: curl-7.66.0/lib/vtls/polarssl.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/polarssl.c
+++ curl-7.66.0/lib/vtls/polarssl.c
@@ -389,7 +389,8 @@ polarssl_connect_step1(struct connectdat
void *old_session = NULL;
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ &old_session, NULL, sockindex)) {
ret = ssl_set_session(&BACKEND->ssl, old_session);
if(ret) {
Curl_ssl_sessionid_unlock(conn);
@@ -632,10 +633,12 @@ polarssl_connect_step3(struct connectdat
/* If there's already a matching session in the cache, delete it */
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ &old_ssl_sessionid, NULL, sockindex))
Curl_ssl_delsessionid(conn, old_ssl_sessionid);
- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
+ retcode = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ our_ssl_sessionid, 0, sockindex);
Curl_ssl_sessionid_unlock(conn);
if(retcode) {
free(our_ssl_sessionid);