rpms / curl

Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 http2 main metalink olpc2 private-kdudka-bisect-curl-7.78.0 private-kdudka-debug-scp private-kdudka-libcurl-minimal private-kdudka-libcurl-nss private-kdudka-libcurl-openssl private-kdudka-rebase rawhide
  1.   f32
  2.   0009-curl-7.71.1-CVE-2021-22890.patch
Blob Blame History Raw 
From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 19 Mar 2021 12:38:49 +0100
Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()

To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html

CVE-2021-22890

Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++-----------
 lib/vtls/vtls.c    |  4 ++--
 lib/vtls/vtls.h    |  2 ++
 3 files changed, 44 insertions(+), 14 deletions(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 5803fd1..16276f3 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void)
  */
 static int ossl_get_ssl_sockindex_index(void)
 {
-  static int ssl_ex_data_sockindex_index = -1;
-  if(ssl_ex_data_sockindex_index < 0) {
-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
-        NULL);
+  static int sockindex_index = -1;
+  if(sockindex_index < 0) {
+    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
   }
-  return ssl_ex_data_sockindex_index;
+  return sockindex_index;
+}
+
+/* Return an extra data index for proxy boolean.
+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
+ */
+static int ossl_get_proxy_index(void)
+{
+  static int proxy_index = -1;
+  if(proxy_index < 0) {
+    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+  }
+  return proxy_index;
 }
 
 static int passwd_callback(char *buf, int num, int encrypting,
@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void)
 #endif
 
   /* Initialize the extra data indexes */
-  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
+  if(ossl_get_ssl_conn_index() < 0 ||
+     ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
     return 0;
 
   return 1;
@@ -2366,8 +2378,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
   curl_socket_t *sockindex_ptr;
   int connectdata_idx = ossl_get_ssl_conn_index();
   int sockindex_idx = ossl_get_ssl_sockindex_index();
+  int proxy_idx = ossl_get_proxy_index();
+  bool isproxy;
 
-  if(connectdata_idx < 0 || sockindex_idx < 0)
+  if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
     return 0;
 
   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
@@ -2380,13 +2394,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
   sockindex = (int)(sockindex_ptr - conn->sock);
 
+  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
+
   if(SSL_SET_OPTION(primary.sessionid)) {
     bool incache;
     void *old_ssl_sessionid = NULL;
 
     Curl_ssl_sessionid_lock(conn);
-    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
-                                      sockindex));
+    if(isproxy)
+      incache = FALSE;
+    else
+      incache = !(Curl_ssl_getsessionid(conn, isproxy,
+                                        &old_ssl_sessionid, NULL, sockindex));
     if(incache) {
       if(old_ssl_sessionid != ssl_sessionid) {
         infof(data, "old SSL session ID is stale, removing\n");
@@ -2396,7 +2415,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
     }
 
     if(!incache) {
-      if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
+      if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
                                       0 /* unknown size */, sockindex)) {
         /* the session has been put into the session cache */
         res = 1;
@@ -2893,16 +2912,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
     void *ssl_sessionid = NULL;
     int connectdata_idx = ossl_get_ssl_conn_index();
     int sockindex_idx = ossl_get_ssl_sockindex_index();
+    int proxy_idx = ossl_get_proxy_index();
 
-    if(connectdata_idx >= 0 && sockindex_idx >= 0) {
+    if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
       /* Store the data needed for the "new session" callback.
        * The sockindex is stored as a pointer to an array element. */
       SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
       SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
+#ifndef CURL_DISABLE_PROXY
+      SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
+                      NULL);
+#else
+      SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL);
+#endif
+
     }
 
     Curl_ssl_sessionid_lock(conn);
-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, NULL, sockindex)) {
       /* we got a session id, use it! */
       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
         Curl_ssl_sessionid_unlock(conn);
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index c3a55fb..e50fdd2 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
  * there's one suitable, it is provided. Returns TRUE when no entry matched.
  */
 bool Curl_ssl_getsessionid(struct connectdata *conn,
+                           const bool isProxy,
                            void **ssl_sessionid,
                            size_t *idsize, /* set 0 if unknown */
                            int sockindex)
@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
   long *general_age;
   bool no_match = TRUE;
 
-  const bool isProxy = CONNECT_PROXY_SSL();
   struct ssl_primary_config * const ssl_config = isProxy ?
     &conn->proxy_ssl_config :
     &conn->ssl_config;
@@ -411,6 +411,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
  * later on.
  */
 CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+                               bool isProxy,
                                void *ssl_sessionid,
                                size_t idsize,
                                int sockindex)
@@ -423,7 +424,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
   char *clone_conn_to_host;
   int conn_to_port;
   long *general_age;
-  const bool isProxy = CONNECT_PROXY_SSL();
   struct ssl_primary_config * const ssl_config = isProxy ?
     &conn->proxy_ssl_config :
     &conn->ssl_config;
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index bcc8444..343cad0 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
  * under sessionid mutex).
  */
 bool Curl_ssl_getsessionid(struct connectdata *conn,
+                           const bool isproxy,
                            void **ssl_sessionid,
                            size_t *idsize, /* set 0 if unknown */
                            int sockindex);
@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
  * object with cache (e.g. incrementing refcount on success)
  */
 CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+                               const bool isProxy,
                                void *ssl_sessionid,
                                size_t idsize,
                                int sockindex);
-- 
2.26.3
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.