author | Daniel Stenberg <daniel@haxx.se> | 2021-03-19 12:38:49 +0100 |
---|---|---|
committer | Paul Gevers <elbrus@debian.org> | 2021-06-25 20:59:54 +0200 |
commit | 62039b2528d3cdd62070148aba746091b4ecb3d4 (patch) | |
tree | cd9456f1acf840bf9fcf47610318f344b812bc03 /lib/vtls/sectransp.c | |
parent | 66cc4260f03022284068105bb0198658398d8a8b (diff) |
vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
Origin: https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-22890
To make sure we set and extract the correct session.
Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html
CVE-2021-22890
[Salvatore Bonaccorso: Backport to 7.74.0 for context changes]
Gbp-Pq: Name 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
Diffstat (limited to 'lib/vtls/sectransp.c')
-rw-r--r-- | lib/vtls/sectransp.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 8ef60cb1..36582c58 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
 char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
 const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
 #ifndef CURL_DISABLE_PROXY
- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ bool isproxy = SSL_IS_PROXY();
+ const char * const hostname = isproxy ? conn->http_proxy.host.name :
 conn->host.name;
 const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
 #else
+ const isproxy = FALSE;
 const char * const hostname = conn->host.name;
 const long int port = conn->remote_port;
 #endif
@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
 #ifdef USE_NGHTTP2
 if(data->set.httpversion >= CURL_HTTP_VERSION_2
 #ifndef CURL_DISABLE_PROXY
- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
+ && (!isproxy || !conn->bits.tunnel_proxy)
 #endif
 ) {
 CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
 size_t ssl_sessionid_len;
 
 Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
+ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
 &ssl_sessionid_len, sockindex)) {
 /* we got a session id, use it! */
 err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
@@ -1981,8 +1983,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
 return CURLE_SSL_CONNECT_ERROR;
 }
 
- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
- sockindex);
+ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+ ssl_sessionid_len, sockindex);
 Curl_ssl_sessionid_unlock(conn);
 if(result) {
 failf(data, "failed to store ssl session"); |
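Review bot: In the first hunk the `#else` branch declares `const isproxy = FALSE;` with no type, so a CURL_DISABLE_PROXY build depends on implicit int, which C99 removed and recent compilers reject, and where it is still accepted the variable is an int while the `#ifndef` branch makes it a `bool` before it is handed to the new bool parameters of Curl_ssl_getsessionid()/Curl_ssl_addsessionid(). It should read `const bool isproxy = FALSE;`. The port initialiser in the `#ifndef` branch still calls `SSL_IS_PROXY()` instead of the new local, so `const long int port = isproxy ? conn->port : conn->remote_port;` would keep hostname, port and the session-cache key derived from one value, which is the point of this fix. sectransp_connect_step1 begins before the first hunk and ends after the last, so any other SSL_IS_PROXY() uses in between are not visible here.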