vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()

Origin: https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-22890 To make sure we set and extract the correct session. Reported-by: Mingtao Yang Bug: https://curl.se/docs/CVE-2021-22890.html CVE-2021-22890 [Salvatore Bonaccorso: Backport to 7.74.0 for context changes] Gbp-Pq: Name 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
author: Daniel Stenberg <daniel@haxx.se> 2021-03-19 12:38:49 +0100
committer: Paul Gevers <elbrus@debian.org> 2021-06-25 20:59:54 +0200
commit: 62039b2528d3cdd62070148aba746091b4ecb3d4 (patch)
tree: cd9456f1acf840bf9fcf47610318f344b812bc03 /lib/vtls/vtls.c
parent: 66cc4260f03022284068105bb0198658398d8a8b (diff)
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 3bd51fda..0881cb73 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -361,6 +361,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
  * there's one suitable, it is provided. Returns TRUE when no entry matched.
  */
 bool Curl_ssl_getsessionid(struct connectdata *conn,
+                           const bool isProxy,
                            void **ssl_sessionid,
                            size_t *idsize, /* set 0 if unknown */
                            int sockindex)
@@ -372,7 +373,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
   bool no_match = TRUE;
 
 #ifndef CURL_DISABLE_PROXY
-  const bool isProxy = CONNECT_PROXY_SSL();
   struct ssl_primary_config * const ssl_config = isProxy ?
     &conn->proxy_ssl_config :
     &conn->ssl_config;
@@ -384,10 +384,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
   const char * const name = conn->host.name;
   int port = conn->remote_port;
-  (void)sockindex;
 #endif
+  (void)sockindex;
   *ssl_sessionid = NULL;
 
+#ifdef CURL_DISABLE_PROXY
+  if(isProxy)
+    return TRUE;
+#endif
+
   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
 
   if(!SSL_SET_OPTION(primary.sessionid))
@@ -475,6 +480,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
  * later on.
  */
 CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+                               bool isProxy,
                                void *ssl_sessionid,
                                size_t idsize,
                                int sockindex)
@@ -488,7 +494,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
   int conn_to_port;
   long *general_age;
 #ifndef CURL_DISABLE_PROXY
-  const bool isProxy = CONNECT_PROXY_SSL();
   struct ssl_primary_config * const ssl_config = isProxy ?
     &conn->proxy_ssl_config :
     &conn->ssl_config;
@@ -501,6 +506,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
   const char *hostname = conn->host.name;
   (void)sockindex;
 #endif
+  (void)sockindex;
   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
 
   clone_host = strdup(hostname);
author	Daniel Stenberg <daniel@haxx.se>	2021-03-19 12:38:49 +0100
committer	Paul Gevers <elbrus@debian.org>	2021-06-25 20:59:54 +0200
commit	62039b2528d3cdd62070148aba746091b4ecb3d4 (patch)
tree	cd9456f1acf840bf9fcf47610318f344b812bc03 /lib/vtls/vtls.c
parent	66cc4260f03022284068105bb0198658398d8a8b (diff)