Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:GA
curl.27751
curl-CVE-2021-22890.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2021-22890.patch of Package curl.27751
From 9b95b5ecd48d15860da58ef5748da37da242baed Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Fri, 19 Mar 2021 12:38:49 +0100 Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() To make sure we set and extract the correct session. Reported-by: Mingtao Yang Bug: https://curl.se/docs/CVE-2021-22890.html CVE-2021-22890 Index: curl-7.66.0/lib/vtls/gtls.c =================================================================== --- curl-7.66.0.orig/lib/vtls/gtls.c +++ curl-7.66.0/lib/vtls/gtls.c @@ -933,7 +933,8 @@ gtls_connect_step1(struct connectdata *c size_t ssl_idsize; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, &ssl_idsize, sockindex)) { /* we got a session id, use it! */ gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); @@ -1481,8 +1482,8 @@ gtls_connect_step3(struct connectdata *c gnutls_session_get_data(session, connect_sessionid, &connect_idsize); Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, - sockindex)); + incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, NULL, sockindex)); if(incache) { /* there was one before in the cache, so instead of risking that the previous one was rejected, we just kill that and store the new */ @@ -1490,7 +1491,8 @@ gtls_connect_step3(struct connectdata *c } /* store this session id */ - result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize, + result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + connect_sessionid, connect_idsize, sockindex); Curl_ssl_sessionid_unlock(conn); if(result) { Index: curl-7.66.0/lib/vtls/mbedtls.c =================================================================== --- curl-7.66.0.orig/lib/vtls/mbedtls.c +++ curl-7.66.0/lib/vtls/mbedtls.c @@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *c void *old_session = NULL; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &old_session, NULL, sockindex)) { ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session); if(ret) { Curl_ssl_sessionid_unlock(conn); @@ -706,6 +707,7 @@ mbed_connect_step3(struct connectdata *c int ret; mbedtls_ssl_session *our_ssl_sessionid; void *old_ssl_sessionid = NULL; + bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); if(!our_ssl_sessionid) @@ -724,10 +726,12 @@ mbed_connect_step3(struct connectdata *c /* If there's already a matching session in the cache, delete it */ Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) + if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, + sockindex)) Curl_ssl_delsessionid(conn, old_ssl_sessionid); - retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); + retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, + sockindex); Curl_ssl_sessionid_unlock(conn); if(retcode) { mbedtls_ssl_session_free(our_ssl_sessionid); Index: curl-7.66.0/lib/vtls/mesalink.c =================================================================== --- curl-7.66.0.orig/lib/vtls/mesalink.c +++ curl-7.66.0/lib/vtls/mesalink.c @@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdat void *ssl_sessionid = NULL; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { Curl_ssl_sessionid_unlock(conn); @@ -347,12 +348,13 @@ mesalink_connect_step3(struct connectdat bool incache; SSL_SESSION *our_ssl_sessionid; void *old_ssl_sessionid = NULL; + bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; our_ssl_sessionid = SSL_get_session(BACKEND->handle); Curl_ssl_sessionid_lock(conn); incache = - !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)); + !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != our_ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); @@ -363,7 +365,7 @@ mesalink_connect_step3(struct connectdat if(!incache) { result = Curl_ssl_addsessionid( - conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); + conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex); if(result) { Curl_ssl_sessionid_unlock(conn); failf(data, "failed to store ssl session"); Index: curl-7.66.0/lib/vtls/openssl.c =================================================================== --- curl-7.66.0.orig/lib/vtls/openssl.c +++ curl-7.66.0/lib/vtls/openssl.c @@ -424,6 +424,18 @@ static int ossl_get_ssl_sockindex_index( return ssl_ex_data_sockindex_index; } +/* Return an extra data index for proxy boolean. + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). + */ +static int ossl_get_proxy_index(void) +{ + static int proxy_index = -1; + if(proxy_index < 0) { + proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } + return proxy_index; +} + static int passwd_callback(char *buf, int num, int encrypting, void *global_passwd) { @@ -1063,7 +1075,8 @@ static int Curl_ossl_init(void) #endif /* Initialize the extra data indexes */ - if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) + if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 || + ossl_get_proxy_index() < 0) return 0; return 1; @@ -2348,8 +2361,10 @@ static int ossl_new_session_cb(SSL *ssl, curl_socket_t *sockindex_ptr; int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); + int proxy_idx = ossl_get_proxy_index(); + bool isproxy; - if(connectdata_idx < 0 || sockindex_idx < 0) + if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) return 0; conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); @@ -2362,13 +2377,18 @@ static int ossl_new_session_cb(SSL *ssl, sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); sockindex = (int)(sockindex_ptr - conn->sock); + isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; + if(SSL_SET_OPTION(primary.sessionid)) { bool incache; void *old_ssl_sessionid = NULL; Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, - sockindex)); + if(isproxy) + incache = FALSE; + else + incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, + NULL, sockindex)); if(incache) { if(old_ssl_sessionid != ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); @@ -2378,7 +2398,7 @@ static int ossl_new_session_cb(SSL *ssl, } if(!incache) { - if(!Curl_ssl_addsessionid(conn, ssl_sessionid, + if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, 0 /* unknown size */, sockindex)) { /* the session has been put into the session cache */ res = 1; @@ -2863,16 +2883,20 @@ static CURLcode ossl_connect_step1(struc void *ssl_sessionid = NULL; int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); + int proxy_idx = ossl_get_proxy_index(); - if(connectdata_idx >= 0 && sockindex_idx >= 0) { + if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { /* Store the data needed for the "new session" callback. * The sockindex is stored as a pointer to an array element. */ SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn); SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex); + SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: + NULL); } Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { Curl_ssl_sessionid_unlock(conn); Index: curl-7.66.0/lib/vtls/schannel.c =================================================================== --- curl-7.66.0.orig/lib/vtls/schannel.c +++ curl-7.66.0/lib/vtls/schannel.c @@ -497,7 +497,8 @@ schannel_connect_step1(struct connectdat /* check for an existing re-usable credential handle */ if(SSL_SET_OPTION(primary.sessionid)) { Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + (void **)&old_cred, NULL, sockindex)) { BACKEND->cred = old_cred; DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); @@ -1204,8 +1205,9 @@ schannel_connect_step3(struct connectdat struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SECURITY_STATUS sspi_status = SEC_E_OK; CERT_CONTEXT *ccert_context = NULL; + bool isproxy = SSL_IS_PROXY(); #ifdef DEBUGBUILD - const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + const char * const hostname = isproxy ? conn->http_proxy.host.name : conn->host.name; #endif #ifdef HAS_ALPN @@ -1279,8 +1281,8 @@ schannel_connect_step3(struct connectdat struct curl_schannel_cred *old_cred = NULL; Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, - sockindex)); + incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, + NULL, sockindex)); if(incache) { if(old_cred != BACKEND->cred) { DEBUGF(infof(data, @@ -1291,7 +1293,7 @@ schannel_connect_step3(struct connectdat } } if(!incache) { - result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred, + result = Curl_ssl_addsessionid(conn, isproxy, BACKEND->cred, sizeof(struct curl_schannel_cred), sockindex); if(result) { Index: curl-7.66.0/lib/vtls/sectransp.c =================================================================== --- curl-7.66.0.orig/lib/vtls/sectransp.c +++ curl-7.66.0/lib/vtls/sectransp.c @@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1( const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); const bool verifypeer = SSL_CONN_CONFIG(verifypeer); char * const ssl_cert = SSL_SET_OPTION(cert); - const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + bool isproxy = SSL_IS_PROXY(); + const char * const hostname = isproxy ? conn->http_proxy.host.name : conn->host.name; const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; #ifdef ENABLE_IPV6 @@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1( #ifdef USE_NGHTTP2 if(data->set.httpversion >= CURL_HTTP_VERSION_2 && - (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) { + (!isproxy || !conn->bits.tunnel_proxy)) { CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID); } @@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1( size_t ssl_sessionid_len; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, + if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid, &ssl_sessionid_len, sockindex)) { /* we got a session id, use it! */ err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len); @@ -1944,8 +1945,8 @@ static CURLcode sectransp_connect_step1( return CURLE_SSL_CONNECT_ERROR; } - result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len, - sockindex); + result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, + ssl_sessionid_len, sockindex); Curl_ssl_sessionid_unlock(conn); if(result) { failf(data, "failed to store ssl session"); Index: curl-7.66.0/lib/vtls/vtls.c =================================================================== --- curl-7.66.0.orig/lib/vtls/vtls.c +++ curl-7.66.0/lib/vtls/vtls.c @@ -302,6 +302,7 @@ void Curl_ssl_sessionid_unlock(struct co * there's one suitable, it is provided. Returns TRUE when no entry matched. */ bool Curl_ssl_getsessionid(struct connectdata *conn, + const bool isProxy, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex) @@ -312,7 +313,6 @@ bool Curl_ssl_getsessionid(struct connec long *general_age; bool no_match = TRUE; - const bool isProxy = CONNECT_PROXY_SSL(); struct ssl_primary_config * const ssl_config = isProxy ? &conn->proxy_ssl_config : &conn->ssl_config; @@ -408,6 +408,7 @@ void Curl_ssl_delsessionid(struct connec * later on. */ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + bool isProxy, void *ssl_sessionid, size_t idsize, int sockindex) @@ -420,7 +421,6 @@ CURLcode Curl_ssl_addsessionid(struct co char *clone_conn_to_host; int conn_to_port; long *general_age; - const bool isProxy = CONNECT_PROXY_SSL(); struct ssl_primary_config * const ssl_config = isProxy ? &conn->proxy_ssl_config : &conn->ssl_config; Index: curl-7.66.0/lib/vtls/vtls.h =================================================================== --- curl-7.66.0.orig/lib/vtls/vtls.h +++ curl-7.66.0/lib/vtls/vtls.h @@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct co * under sessionid mutex). */ bool Curl_ssl_getsessionid(struct connectdata *conn, + const bool isproxy, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex); @@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connec * object with cache (e.g. incrementing refcount on success) */ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + const bool isproxy, void *ssl_sessionid, size_t idsize, int sockindex); Index: curl-7.66.0/lib/vtls/wolfssl.c =================================================================== --- curl-7.66.0.orig/lib/vtls/wolfssl.c +++ curl-7.66.0/lib/vtls/wolfssl.c @@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata void *ssl_sessionid = NULL; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { char error_buffer[WOLFSSL_MAX_ERROR_SZ]; @@ -616,11 +617,13 @@ wolfssl_connect_step3(struct connectdata bool incache; SSL_SESSION *our_ssl_sessionid; void *old_ssl_sessionid = NULL; + bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; our_ssl_sessionid = SSL_get_session(BACKEND->handle); Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, + incache = !(Curl_ssl_getsessionid(conn, isproxy, + &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != our_ssl_sessionid) { @@ -631,7 +634,7 @@ wolfssl_connect_step3(struct connectdata } if(!incache) { - result = Curl_ssl_addsessionid(conn, our_ssl_sessionid, + result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex); if(result) { Curl_ssl_sessionid_unlock(conn); Index: curl-7.66.0/lib/vtls/polarssl.c =================================================================== --- curl-7.66.0.orig/lib/vtls/polarssl.c +++ curl-7.66.0/lib/vtls/polarssl.c @@ -389,7 +389,8 @@ polarssl_connect_step1(struct connectdat void *old_session = NULL; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &old_session, NULL, sockindex)) { ret = ssl_set_session(&BACKEND->ssl, old_session); if(ret) { Curl_ssl_sessionid_unlock(conn); @@ -632,10 +633,12 @@ polarssl_connect_step3(struct connectdat /* If there's already a matching session in the cache, delete it */ Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &old_ssl_sessionid, NULL, sockindex)) Curl_ssl_delsessionid(conn, old_ssl_sessionid); - retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); + retcode = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + our_ssl_sessionid, 0, sockindex); Curl_ssl_sessionid_unlock(conn); if(retcode) { free(our_ssl_sessionid);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
