From 62039b2528d3cdd62070148aba746091b4ecb3d4 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 19 Mar 2021 12:38:49 +0100
Subject: vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()

Origin: https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-22890

To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html
CVE-2021-22890

[Salvatore Bonaccorso: Backport to 7.74.0 for context changes]

Gbp-Pq: Name 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
---
 lib/vtls/schannel.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'lib/vtls/schannel.c')

diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index d7bc3891..c1a454e7 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -494,7 +494,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 /* check for an existing re-usable credential handle */
 if(SSL_SET_OPTION(primary.sessionid)) {
 Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+ if(!Curl_ssl_getsessionid(conn,
+ SSL_IS_PROXY() ? TRUE : FALSE,
+ (void **)&old_cred, NULL, sockindex)) {
 BACKEND->cred = old_cred;
 DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
@@ -1334,8 +1336,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
 SECURITY_STATUS sspi_status = SEC_E_OK;
 CERT_CONTEXT *ccert_context = NULL;
+ bool isproxy = SSL_IS_PROXY();
 #ifdef DEBUGBUILD
- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ const char * const hostname = isproxy ? conn->http_proxy.host.name :
 conn->host.name;
 #endif
 #ifdef HAS_ALPN
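Review bot: The session lookup in schannel_connect_step1 passes the proxy flag as the inline expression `SSL_IS_PROXY() ? TRUE : FALSE`, while the step3 hunk of this same commit captures it once as `bool isproxy = SSL_IS_PROXY();` and reuses the local; doing the same in step1 would make the two call sites read alike and make it obvious that the flag is part of the cache key. Concretely: `bool isproxy = SSL_IS_PROXY();` ahead of the lock, then `if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL, sockindex)) {`. This is a style point only; as far as the hunk shows, the value passed is the same either way. schannel_connect_step1 begins and ends outside this hunk, so the declaration site for such a local is not visible here.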
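Review bot: The added `bool isproxy = SSL_IS_PROXY();` at the top of schannel_connect_step3 carries no comment saying why the flag is evaluated once rather than at each use; the later hunks in this function pass it to both the Curl_ssl_getsessionid() lookup and the Curl_ssl_addsessionid() insert, and reading it once is what guarantees the two use the same proxy/host key. I would put `/* evaluated once: the session-cache lookup and insert below must use the same proxy/host key */` above the declaration. The body of schannel_connect_step3 continues outside this hunk.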
@@ -1411,7 +1414,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
 struct Curl_schannel_cred *old_cred = NULL;
 Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
+ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL,
 sockindex));
 if(incache) {
 if(old_cred != BACKEND->cred) {
@@ -1423,7 +1426,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
 }
 }
 if(!incache) {
- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
+ result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred,
 sizeof(struct Curl_schannel_cred),
 sockindex);
 if(result) {
--
cgit v1.2.3
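Review bot: The Curl_ssl_getsessionid() call in this hunk and the Curl_ssl_addsessionid() call in the following hunk now take `isproxy`, but neither call site records why the extra key exists; per the commit message this is the CVE-2021-22890 fix, selecting the correct cached session for the proxy versus the origin host. A one-line comment at the lookup here, `/* the cache is keyed on isproxy so proxy and host credentials never alias (CVE-2021-22890) */`, would keep that intent visible to whoever next touches the cache logic; the addsessionid hunk needs no second copy. Both hunks sit inside schannel_connect_step3, which starts and ends outside them, so the lock/unlock pairing around the lookup cannot be checked from here.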