diff options
author | Daniel Stenberg <daniel@haxx.se> | 2021-03-19 12:38:49 +0100 |
---|---|---|
committer | Paul Gevers <elbrus@debian.org> | 2021-06-25 20:59:54 +0200 |
commit | 62039b2528d3cdd62070148aba746091b4ecb3d4 (patch) | |
tree | cd9456f1acf840bf9fcf47610318f344b812bc03 | |
parent | 66cc4260f03022284068105bb0198658398d8a8b (diff) |
vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
Origin: https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-22890
To make sure we set and extract the correct session.
Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html
CVE-2021-22890
[Salvatore Bonaccorso: Backport to 7.74.0 for context changes]
Gbp-Pq: Name 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
-rw-r--r-- | lib/vtls/bearssl.c | 11 | ||||
-rw-r--r-- | lib/vtls/gtls.c | 13 | ||||
-rw-r--r-- | lib/vtls/mbedtls.c | 11 | ||||
-rw-r--r-- | lib/vtls/mesalink.c | 12 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 53 | ||||
-rw-r--r-- | lib/vtls/schannel.c | 11 | ||||
-rw-r--r-- | lib/vtls/sectransp.c | 12 | ||||
-rw-r--r-- | lib/vtls/vtls.c | 12 | ||||
-rw-r--r-- | lib/vtls/vtls.h | 2 | ||||
-rw-r--r-- | lib/vtls/wolfssl.c | 13 |
10 files changed, 107 insertions, 43 deletions
diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c index b0c3dc2f..46fd7e73 100644 --- a/lib/vtls/bearssl.c +++ b/lib/vtls/bearssl.c @@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) void *session; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &session, NULL, sockindex)) { br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); infof(data, "BearSSL: re-using session ID\n"); } @@ -569,10 +570,14 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) return CURLE_OUT_OF_MEMORY; br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex)); + incache = !(Curl_ssl_getsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + &oldsession, NULL, sockindex)); if(incache) Curl_ssl_delsessionid(conn, oldsession); - ret = Curl_ssl_addsessionid(conn, session, 0, sockindex); + ret = Curl_ssl_addsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + session, 0, sockindex); Curl_ssl_sessionid_unlock(conn); if(ret) { free(session); diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index e848c3f0..6b931423 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -732,7 +732,9 @@ gtls_connect_step1(struct connectdata *conn, size_t ssl_idsize; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) { + if(!Curl_ssl_getsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, &ssl_idsize, sockindex)) { /* we got a session id, use it! */ gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); @@ -1291,8 +1293,9 @@ gtls_connect_step3(struct connectdata *conn, gnutls_session_get_data(session, connect_sessionid, &connect_idsize); Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, - sockindex)); + incache = !(Curl_ssl_getsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, NULL, sockindex)); if(incache) { /* there was one before in the cache, so instead of risking that the previous one was rejected, we just kill that and store the new */ @@ -1300,7 +1303,9 @@ gtls_connect_step3(struct connectdata *conn, } /* store this session id */ - result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize, + result = Curl_ssl_addsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + connect_sessionid, connect_idsize, sockindex); Curl_ssl_sessionid_unlock(conn); if(result) { diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index 191315df..3985bc3c 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -464,7 +464,9 @@ mbed_connect_step1(struct connectdata *conn, void *old_session = NULL; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + &old_session, NULL, sockindex)) { ret = mbedtls_ssl_set_session(&backend->ssl, old_session); if(ret) { Curl_ssl_sessionid_unlock(conn); @@ -727,6 +729,7 @@ mbed_connect_step3(struct connectdata *conn, int ret; mbedtls_ssl_session *our_ssl_sessionid; void *old_ssl_sessionid = NULL; + bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); if(!our_ssl_sessionid) @@ -745,10 +748,12 @@ mbed_connect_step3(struct connectdata *conn, /* If there's already a matching session in the cache, delete it */ Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) + if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, + sockindex)) Curl_ssl_delsessionid(conn, old_ssl_sessionid); - retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); + retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, + sockindex); Curl_ssl_sessionid_unlock(conn); if(retcode) { mbedtls_ssl_session_free(our_ssl_sessionid); diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c index 309786cf..75e0b45d 100644 --- a/lib/vtls/mesalink.c +++ b/lib/vtls/mesalink.c @@ -261,7 +261,9 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) void *ssl_sessionid = NULL; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { Curl_ssl_sessionid_unlock(conn); @@ -345,12 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) bool incache; SSL_SESSION *our_ssl_sessionid; void *old_ssl_sessionid = NULL; + bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; our_ssl_sessionid = SSL_get_session(BACKEND->handle); Curl_ssl_sessionid_lock(conn); incache = - !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)); + !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, + sockindex)); if(incache) { if(old_ssl_sessionid != our_ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); @@ -360,8 +364,8 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) } if(!incache) { - result = Curl_ssl_addsessionid( - conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); + result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, + sockindex); if(result) { Curl_ssl_sessionid_unlock(conn); failf(data, "failed to store ssl session"); diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index e9c535f8..f26b2ff3 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -379,12 +379,23 @@ static int ossl_get_ssl_conn_index(void) */ static int ossl_get_ssl_sockindex_index(void) { - static int ssl_ex_data_sockindex_index = -1; - if(ssl_ex_data_sockindex_index < 0) { - ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, - NULL); + static int sockindex_index = -1; + if(sockindex_index < 0) { + sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); } - return ssl_ex_data_sockindex_index; + return sockindex_index; +} + +/* Return an extra data index for proxy boolean. + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). + */ +static int ossl_get_proxy_index(void) +{ + static int proxy_index = -1; + if(proxy_index < 0) { + proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } + return proxy_index; } static int passwd_callback(char *buf, int num, int encrypting, @@ -1161,7 +1172,8 @@ static int Curl_ossl_init(void) Curl_tls_keylog_open(); /* Initialize the extra data indexes */ - if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) + if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 || + ossl_get_proxy_index() < 0) return 0; return 1; @@ -2445,8 +2457,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) curl_socket_t *sockindex_ptr; int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); + int proxy_idx = ossl_get_proxy_index(); + bool isproxy; - if(connectdata_idx < 0 || sockindex_idx < 0) + if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) return 0; conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); @@ -2459,13 +2473,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); sockindex = (int)(sockindex_ptr - conn->sock); + isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; + if(SSL_SET_OPTION(primary.sessionid)) { bool incache; void *old_ssl_sessionid = NULL; Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, - sockindex)); + if(isproxy) + incache = FALSE; + else + incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, + NULL, sockindex)); if(incache) { if(old_ssl_sessionid != ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); @@ -2475,8 +2494,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) } if(!incache) { - if(!Curl_ssl_addsessionid(conn, ssl_sessionid, - 0 /* unknown size */, sockindex)) { + if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, + 0 /* unknown size */, sockindex)) { /* the session has been put into the session cache */ res = 1; } @@ -3189,16 +3208,24 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) void *ssl_sessionid = NULL; int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); + int proxy_idx = ossl_get_proxy_index(); - if(connectdata_idx >= 0 && sockindex_idx >= 0) { + if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { /* Store the data needed for the "new session" callback. * The sockindex is stored as a pointer to an array element. */ SSL_set_ex_data(backend->handle, connectdata_idx, conn); SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); +#ifndef CURL_DISABLE_PROXY + SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: + NULL); +#else + SSL_set_ex_data(backend->handle, proxy_idx, NULL); +#endif } Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(backend->handle, ssl_sessionid)) { Curl_ssl_sessionid_unlock(conn); diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index d7bc3891..c1a454e7 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -494,7 +494,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) /* check for an existing re-usable credential handle */ if(SSL_SET_OPTION(primary.sessionid)) { Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + (void **)&old_cred, NULL, sockindex)) { BACKEND->cred = old_cred; DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); @@ -1334,8 +1336,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SECURITY_STATUS sspi_status = SEC_E_OK; CERT_CONTEXT *ccert_context = NULL; + bool isproxy = SSL_IS_PROXY(); #ifdef DEBUGBUILD - const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + const char * const hostname = isproxy ? conn->http_proxy.host.name : conn->host.name; #endif #ifdef HAS_ALPN @@ -1411,7 +1414,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) struct Curl_schannel_cred *old_cred = NULL; Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, + incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL, sockindex)); if(incache) { if(old_cred != BACKEND->cred) { @@ -1423,7 +1426,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) } } if(!incache) { - result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred, + result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred, sizeof(struct Curl_schannel_cred), sockindex); if(result) { diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c index 8ef60cb1..36582c58 100644 --- a/lib/vtls/sectransp.c +++ b/lib/vtls/sectransp.c @@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); #ifndef CURL_DISABLE_PROXY - const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + bool isproxy = SSL_IS_PROXY(); + const char * const hostname = isproxy ? conn->http_proxy.host.name : conn->host.name; const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; #else + const isproxy = FALSE; const char * const hostname = conn->host.name; const long int port = conn->remote_port; #endif @@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, #ifdef USE_NGHTTP2 if(data->set.httpversion >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY - && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) + && (!isproxy || !conn->bits.tunnel_proxy) #endif ) { CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); @@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, size_t ssl_sessionid_len; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, + if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid, &ssl_sessionid_len, sockindex)) { /* we got a session id, use it! */ err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); @@ -1981,8 +1983,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, return CURLE_SSL_CONNECT_ERROR; } - result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len, - sockindex); + result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, + ssl_sessionid_len, sockindex); Curl_ssl_sessionid_unlock(conn); if(result) { failf(data, "failed to store ssl session"); diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index 3bd51fda..0881cb73 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -361,6 +361,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn) * there's one suitable, it is provided. Returns TRUE when no entry matched. */ bool Curl_ssl_getsessionid(struct connectdata *conn, + const bool isProxy, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex) @@ -372,7 +373,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, bool no_match = TRUE; #ifndef CURL_DISABLE_PROXY - const bool isProxy = CONNECT_PROXY_SSL(); struct ssl_primary_config * const ssl_config = isProxy ? &conn->proxy_ssl_config : &conn->ssl_config; @@ -384,10 +384,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, struct ssl_primary_config * const ssl_config = &conn->ssl_config; const char * const name = conn->host.name; int port = conn->remote_port; - (void)sockindex; #endif + (void)sockindex; *ssl_sessionid = NULL; +#ifdef CURL_DISABLE_PROXY + if(isProxy) + return TRUE; +#endif + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); if(!SSL_SET_OPTION(primary.sessionid)) @@ -475,6 +480,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) * later on. */ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + bool isProxy, void *ssl_sessionid, size_t idsize, int sockindex) @@ -488,7 +494,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, int conn_to_port; long *general_age; #ifndef CURL_DISABLE_PROXY - const bool isProxy = CONNECT_PROXY_SSL(); struct ssl_primary_config * const ssl_config = isProxy ? &conn->proxy_ssl_config : &conn->ssl_config; @@ -501,6 +506,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, const char *hostname = conn->host.name; (void)sockindex; #endif + (void)sockindex; DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); clone_host = strdup(hostname); diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index f4cab998..5514f945 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -217,6 +217,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn); * under sessionid mutex). */ bool Curl_ssl_getsessionid(struct connectdata *conn, + const bool isproxy, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex); @@ -226,6 +227,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, * object with cache (e.g. incrementing refcount on success) */ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + const bool isProxy, void *ssl_sessionid, size_t idsize, int sockindex); diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index 44ee2d9e..7cc23e2b 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c @@ -505,7 +505,9 @@ wolfssl_connect_step1(struct connectdata *conn, void *ssl_sessionid = NULL; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(backend->handle, ssl_sessionid)) { char error_buffer[WOLFSSL_MAX_ERROR_SZ]; @@ -767,7 +769,9 @@ wolfssl_connect_step3(struct connectdata *conn, our_ssl_sessionid = SSL_get_session(backend->handle); Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, + incache = !(Curl_ssl_getsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != our_ssl_sessionid) { @@ -778,8 +782,9 @@ wolfssl_connect_step3(struct connectdata *conn, } if(!incache) { - result = Curl_ssl_addsessionid(conn, our_ssl_sessionid, - 0 /* unknown size */, sockindex); + result = Curl_ssl_addsessionid(conn, + SSL_IS_PROXY() ? TRUE : FALSE, + our_ssl_sessionid, 0, sockindex); if(result) { Curl_ssl_sessionid_unlock(conn); failf(data, "failed to store ssl session"); |