218 lines
8.0 KiB
Diff
218 lines
8.0 KiB
Diff
From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Fri, 19 Mar 2021 12:38:49 +0100
|
|
Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
|
|
|
|
To make sure we set and extract the correct session.
|
|
|
|
Reported-by: Mingtao Yang
|
|
Bug: https://curl.se/docs/CVE-2021-22890.html
|
|
|
|
CVE-2021-22890
|
|
|
|
Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
---
|
|
lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++-----------
|
|
lib/vtls/vtls.c | 12 ++++++++---
|
|
lib/vtls/vtls.h | 2 ++
|
|
3 files changed, 51 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
|
index 5803fd1..16276f3 100644
|
|
--- a/lib/vtls/openssl.c
|
|
+++ b/lib/vtls/openssl.c
|
|
@@ -360,12 +360,23 @@ static int ossl_get_ssl_conn_index(void)
|
|
*/
|
|
static int ossl_get_ssl_sockindex_index(void)
|
|
{
|
|
- static int ssl_ex_data_sockindex_index = -1;
|
|
- if(ssl_ex_data_sockindex_index < 0) {
|
|
- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
|
|
- NULL);
|
|
+ static int sockindex_index = -1;
|
|
+ if(sockindex_index < 0) {
|
|
+ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
|
|
}
|
|
- return ssl_ex_data_sockindex_index;
|
|
+ return sockindex_index;
|
|
+}
|
|
+
|
|
+/* Return an extra data index for proxy boolean.
|
|
+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
|
|
+ */
|
|
+static int ossl_get_proxy_index(void)
|
|
+{
|
|
+ static int proxy_index = -1;
|
|
+ if(proxy_index < 0) {
|
|
+ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
|
|
+ }
|
|
+ return proxy_index;
|
|
}
|
|
|
|
static int passwd_callback(char *buf, int num, int encrypting,
|
|
@@ -1133,7 +1144,8 @@ static int Curl_ossl_init(void)
|
|
Curl_tls_keylog_open();
|
|
|
|
/* Initialize the extra data indexes */
|
|
- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
|
|
+ if(ossl_get_ssl_conn_index() < 0 ||
|
|
+ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
|
|
return 0;
|
|
|
|
return 1;
|
|
@@ -2425,8 +2437,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
|
|
curl_socket_t *sockindex_ptr;
|
|
int connectdata_idx = ossl_get_ssl_conn_index();
|
|
int sockindex_idx = ossl_get_ssl_sockindex_index();
|
|
+ int proxy_idx = ossl_get_proxy_index();
|
|
+ bool isproxy;
|
|
|
|
- if(connectdata_idx < 0 || sockindex_idx < 0)
|
|
+ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
|
|
return 0;
|
|
|
|
conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
|
|
@@ -2439,13 +2453,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
|
|
sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
|
|
sockindex = (int)(sockindex_ptr - conn->sock);
|
|
|
|
+ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
|
|
+
|
|
if(SSL_SET_OPTION(primary.sessionid)) {
|
|
bool incache;
|
|
void *old_ssl_sessionid = NULL;
|
|
|
|
Curl_ssl_sessionid_lock(conn);
|
|
- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
|
|
- sockindex));
|
|
+ if(isproxy)
|
|
+ incache = FALSE;
|
|
+ else
|
|
+ incache = !(Curl_ssl_getsessionid(conn, isproxy,
|
|
+ &old_ssl_sessionid, NULL, sockindex));
|
|
if(incache) {
|
|
if(old_ssl_sessionid != ssl_sessionid) {
|
|
infof(data, "old SSL session ID is stale, removing\n");
|
|
@@ -2455,7 +2474,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
|
|
}
|
|
|
|
if(!incache) {
|
|
- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
|
|
+ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
|
|
0 /* unknown size */, sockindex)) {
|
|
/* the session has been put into the session cache */
|
|
res = 1;
|
|
@@ -3170,16 +3189,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|
void *ssl_sessionid = NULL;
|
|
int connectdata_idx = ossl_get_ssl_conn_index();
|
|
int sockindex_idx = ossl_get_ssl_sockindex_index();
|
|
+ int proxy_idx = ossl_get_proxy_index();
|
|
|
|
- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
|
|
+ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
|
|
/* Store the data needed for the "new session" callback.
|
|
* The sockindex is stored as a pointer to an array element. */
|
|
SSL_set_ex_data(backend->handle, connectdata_idx, conn);
|
|
SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
|
|
+#ifndef CURL_DISABLE_PROXY
|
|
+ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
|
|
+ NULL);
|
|
+#else
|
|
+ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
|
|
+#endif
|
|
+
|
|
}
|
|
|
|
Curl_ssl_sessionid_lock(conn);
|
|
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
|
|
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
|
|
+ &ssl_sessionid, NULL, sockindex)) {
|
|
/* we got a session id, use it! */
|
|
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
|
|
Curl_ssl_sessionid_unlock(conn);
|
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
|
index c3a55fb..e50fdd2 100644
|
|
--- a/lib/vtls/vtls.c
|
|
+++ b/lib/vtls/vtls.c
|
|
@@ -358,6 +358,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
|
|
* there's one suitable, it is provided. Returns TRUE when no entry matched.
|
|
*/
|
|
bool Curl_ssl_getsessionid(struct connectdata *conn,
|
|
+ const bool isProxy,
|
|
void **ssl_sessionid,
|
|
size_t *idsize, /* set 0 if unknown */
|
|
int sockindex)
|
|
@@ -369,7 +370,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
|
|
bool no_match = TRUE;
|
|
|
|
#ifndef CURL_DISABLE_PROXY
|
|
- const bool isProxy = CONNECT_PROXY_SSL();
|
|
struct ssl_primary_config * const ssl_config = isProxy ?
|
|
&conn->proxy_ssl_config :
|
|
&conn->ssl_config;
|
|
@@ -381,10 +381,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
|
|
struct ssl_primary_config * const ssl_config = &conn->ssl_config;
|
|
const char * const name = conn->host.name;
|
|
int port = conn->remote_port;
|
|
- (void)sockindex;
|
|
#endif
|
|
+ (void)sockindex;
|
|
*ssl_sessionid = NULL;
|
|
|
|
+#ifdef CURL_DISABLE_PROXY
|
|
+ if(isProxy)
|
|
+ return TRUE;
|
|
+#endif
|
|
+
|
|
DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
|
|
|
|
if(!SSL_SET_OPTION(primary.sessionid))
|
|
@@ -472,6 +477,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
|
|
* later on.
|
|
*/
|
|
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
|
|
+ bool isProxy,
|
|
void *ssl_sessionid,
|
|
size_t idsize,
|
|
int sockindex)
|
|
@@ -485,7 +491,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
|
|
int conn_to_port;
|
|
long *general_age;
|
|
#ifndef CURL_DISABLE_PROXY
|
|
- const bool isProxy = CONNECT_PROXY_SSL();
|
|
struct ssl_primary_config * const ssl_config = isProxy ?
|
|
&conn->proxy_ssl_config :
|
|
&conn->ssl_config;
|
|
@@ -498,6 +503,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
|
|
const char *hostname = conn->host.name;
|
|
(void)sockindex;
|
|
#endif
|
|
+ (void)sockindex;
|
|
DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
|
|
|
|
clone_host = strdup(hostname);
|
|
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
|
|
index bcc8444..343cad0 100644
|
|
--- a/lib/vtls/vtls.h
|
|
+++ b/lib/vtls/vtls.h
|
|
@@ -203,6 +203,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
|
|
* under sessionid mutex).
|
|
*/
|
|
bool Curl_ssl_getsessionid(struct connectdata *conn,
|
|
+ const bool isproxy,
|
|
void **ssl_sessionid,
|
|
size_t *idsize, /* set 0 if unknown */
|
|
int sockindex);
|
|
@@ -212,6 +213,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
|
|
* object with cache (e.g. incrementing refcount on success)
|
|
*/
|
|
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
|
|
+ const bool isProxy,
|
|
void *ssl_sessionid,
|
|
size_t idsize,
|
|
int sockindex);
|
|
--
|
|
2.26.3
|
|
|