vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html
CVE-2021-22890
This commit is contained in:
parent
7214288898
commit
b09c8ee157
@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
|
|||||||
void *session;
|
void *session;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
|
if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
|
&session, NULL, sockindex)) {
|
||||||
br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
|
br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
|
||||||
infof(data, "BearSSL: re-using session ID\n");
|
infof(data, "BearSSL: re-using session ID\n");
|
||||||
}
|
}
|
||||||
@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data,
|
|||||||
br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
|
br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
incache = !(Curl_ssl_getsessionid(data, conn,
|
incache = !(Curl_ssl_getsessionid(data, conn,
|
||||||
|
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
&oldsession, NULL, sockindex));
|
&oldsession, NULL, sockindex));
|
||||||
if(incache)
|
if(incache)
|
||||||
Curl_ssl_delsessionid(data, oldsession);
|
Curl_ssl_delsessionid(data, oldsession);
|
||||||
ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
|
ret = Curl_ssl_addsessionid(data, conn,
|
||||||
|
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
|
session, 0, sockindex);
|
||||||
Curl_ssl_sessionid_unlock(data);
|
Curl_ssl_sessionid_unlock(data);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
free(session);
|
free(session);
|
||||||
|
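Review bot: In bearssl_connect_step3 the proxy flag is computed twice, once as `SSL_IS_PROXY() ? TRUE : FALSE` on the Curl_ssl_getsessionid call and again on the Curl_ssl_addsessionid call a few lines below, whereas the mbedtls, mesalink and wolfssl changes in this same commit evaluate it once into a local. For consistency with those backends, hoist it: `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;` at the top of the block and pass `isproxy` to both calls. The body of bearssl_connect_step3 begins outside the hunk shown.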
@ -727,6 +727,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
|||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
if(!Curl_ssl_getsessionid(data, conn,
|
if(!Curl_ssl_getsessionid(data, conn,
|
||||||
|
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
&ssl_sessionid, &ssl_idsize, sockindex)) {
|
&ssl_sessionid, &ssl_idsize, sockindex)) {
|
||||||
/* we got a session id, use it! */
|
/* we got a session id, use it! */
|
||||||
gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
|
gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
|
||||||
@ -1286,8 +1287,9 @@ gtls_connect_step3(struct Curl_easy *data,
|
|||||||
gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
|
gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
|
incache = !(Curl_ssl_getsessionid(data, conn,
|
||||||
sockindex));
|
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
|
&ssl_sessionid, NULL, sockindex));
|
||||||
if(incache) {
|
if(incache) {
|
||||||
/* there was one before in the cache, so instead of risking that the
|
/* there was one before in the cache, so instead of risking that the
|
||||||
previous one was rejected, we just kill that and store the new */
|
previous one was rejected, we just kill that and store the new */
|
||||||
@ -1295,8 +1297,10 @@ gtls_connect_step3(struct Curl_easy *data,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* store this session id */
|
/* store this session id */
|
||||||
result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
|
result = Curl_ssl_addsessionid(data, conn,
|
||||||
connect_idsize, sockindex);
|
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
|
connect_sessionid, connect_idsize,
|
||||||
|
sockindex);
|
||||||
Curl_ssl_sessionid_unlock(data);
|
Curl_ssl_sessionid_unlock(data);
|
||||||
if(result) {
|
if(result) {
|
||||||
free(connect_sessionid);
|
free(connect_sessionid);
|
||||||
|
@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
void *old_session = NULL;
|
void *old_session = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
|
if(!Curl_ssl_getsessionid(data, conn,
|
||||||
|
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
|
&old_session, NULL, sockindex)) {
|
||||||
ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
|
ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
Curl_ssl_sessionid_unlock(data);
|
Curl_ssl_sessionid_unlock(data);
|
||||||
@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
int ret;
|
int ret;
|
||||||
mbedtls_ssl_session *our_ssl_sessionid;
|
mbedtls_ssl_session *our_ssl_sessionid;
|
||||||
void *old_ssl_sessionid = NULL;
|
void *old_ssl_sessionid = NULL;
|
||||||
|
bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
|
||||||
|
|
||||||
our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
|
our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
|
||||||
if(!our_ssl_sessionid)
|
if(!our_ssl_sessionid)
|
||||||
@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
|
|
||||||
/* If there's already a matching session in the cache, delete it */
|
/* If there's already a matching session in the cache, delete it */
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
|
if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
|
||||||
|
sockindex))
|
||||||
Curl_ssl_delsessionid(data, old_ssl_sessionid);
|
Curl_ssl_delsessionid(data, old_ssl_sessionid);
|
||||||
|
|
||||||
retcode = Curl_ssl_addsessionid(data, conn,
|
retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
|
||||||
our_ssl_sessionid, 0, sockindex);
|
0, sockindex);
|
||||||
Curl_ssl_sessionid_unlock(data);
|
Curl_ssl_sessionid_unlock(data);
|
||||||
if(retcode) {
|
if(retcode) {
|
||||||
mbedtls_ssl_session_free(our_ssl_sessionid);
|
mbedtls_ssl_session_free(our_ssl_sessionid);
|
||||||
|
@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data,
|
|||||||
void *ssl_sessionid = NULL;
|
void *ssl_sessionid = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
|
if(!Curl_ssl_getsessionid(data, conn,
|
||||||
|
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
|
&ssl_sessionid, NULL, sockindex)) {
|
||||||
/* we got a session id, use it! */
|
/* we got a session id, use it! */
|
||||||
if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
|
if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
|
||||||
Curl_ssl_sessionid_unlock(data);
|
Curl_ssl_sessionid_unlock(data);
|
||||||
@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
|
|||||||
bool incache;
|
bool incache;
|
||||||
SSL_SESSION *our_ssl_sessionid;
|
SSL_SESSION *our_ssl_sessionid;
|
||||||
void *old_ssl_sessionid = NULL;
|
void *old_ssl_sessionid = NULL;
|
||||||
|
bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
|
||||||
|
|
||||||
our_ssl_sessionid = SSL_get_session(BACKEND->handle);
|
our_ssl_sessionid = SSL_get_session(BACKEND->handle);
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
incache =
|
incache =
|
||||||
!(Curl_ssl_getsessionid(data, conn,
|
!(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
|
||||||
&old_ssl_sessionid, NULL, sockindex));
|
sockindex));
|
||||||
if(incache) {
|
if(incache) {
|
||||||
if(old_ssl_sessionid != our_ssl_sessionid) {
|
if(old_ssl_sessionid != our_ssl_sessionid) {
|
||||||
infof(data, "old SSL session ID is stale, removing\n");
|
infof(data, "old SSL session ID is stale, removing\n");
|
||||||
@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if(!incache) {
|
if(!incache) {
|
||||||
result = Curl_ssl_addsessionid(
|
result =
|
||||||
data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
|
Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0,
|
||||||
|
sockindex);
|
||||||
if(result) {
|
if(result) {
|
||||||
Curl_ssl_sessionid_unlock(data);
|
Curl_ssl_sessionid_unlock(data);
|
||||||
failf(data, "failed to store ssl session");
|
failf(data, "failed to store ssl session");
|
||||||
|
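Review bot: The rewritten Curl_ssl_addsessionid call in mesalink_connect_step3 drops the `/* unknown size */` annotation the old line carried on its `0` argument, so the meaning of the bare zero is no longer visible at the call site. Keep it on the new line: `Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);`. mesalink_connect_step3 starts before this hunk.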
@ -393,12 +393,23 @@ static int ossl_get_ssl_conn_index(void)
|
|||||||
*/
|
*/
|
||||||
static int ossl_get_ssl_sockindex_index(void)
|
static int ossl_get_ssl_sockindex_index(void)
|
||||||
{
|
{
|
||||||
static int ssl_ex_data_sockindex_index = -1;
|
static int sockindex_index = -1;
|
||||||
if(ssl_ex_data_sockindex_index < 0) {
|
if(sockindex_index < 0) {
|
||||||
ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
|
sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
|
||||||
NULL);
|
|
||||||
}
|
}
|
||||||
return ssl_ex_data_sockindex_index;
|
return sockindex_index;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Return an extra data index for proxy boolean.
|
||||||
|
* This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
|
||||||
|
*/
|
||||||
|
static int ossl_get_proxy_index(void)
|
||||||
|
{
|
||||||
|
static int proxy_index = -1;
|
||||||
|
if(proxy_index < 0) {
|
||||||
|
proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
|
||||||
|
}
|
||||||
|
return proxy_index;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int passwd_callback(char *buf, int num, int encrypting,
|
static int passwd_callback(char *buf, int num, int encrypting,
|
||||||
@ -1174,7 +1185,7 @@ static int ossl_init(void)
|
|||||||
|
|
||||||
/* Initialize the extra data indexes */
|
/* Initialize the extra data indexes */
|
||||||
if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
|
if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
|
||||||
ossl_get_ssl_sockindex_index() < 0)
|
ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
@ -2432,8 +2443,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
|
|||||||
int data_idx = ossl_get_ssl_data_index();
|
int data_idx = ossl_get_ssl_data_index();
|
||||||
int connectdata_idx = ossl_get_ssl_conn_index();
|
int connectdata_idx = ossl_get_ssl_conn_index();
|
||||||
int sockindex_idx = ossl_get_ssl_sockindex_index();
|
int sockindex_idx = ossl_get_ssl_sockindex_index();
|
||||||
|
int proxy_idx = ossl_get_proxy_index();
|
||||||
|
bool isproxy;
|
||||||
|
|
||||||
if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
|
if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
|
conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
|
||||||
@ -2446,13 +2459,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
|
|||||||
sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
|
sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
|
||||||
sockindex = (int)(sockindex_ptr - conn->sock);
|
sockindex = (int)(sockindex_ptr - conn->sock);
|
||||||
|
|
||||||
|
isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
|
||||||
|
|
||||||
if(SSL_SET_OPTION(primary.sessionid)) {
|
if(SSL_SET_OPTION(primary.sessionid)) {
|
||||||
bool incache;
|
bool incache;
|
||||||
void *old_ssl_sessionid = NULL;
|
void *old_ssl_sessionid = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
|
if(isproxy)
|
||||||
sockindex));
|
incache = FALSE;
|
||||||
|
else
|
||||||
|
incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
|
||||||
|
&old_ssl_sessionid, NULL, sockindex));
|
||||||
if(incache) {
|
if(incache) {
|
||||||
if(old_ssl_sessionid != ssl_sessionid) {
|
if(old_ssl_sessionid != ssl_sessionid) {
|
||||||
infof(data, "old SSL session ID is stale, removing\n");
|
infof(data, "old SSL session ID is stale, removing\n");
|
||||||
@ -2462,8 +2480,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if(!incache) {
|
if(!incache) {
|
||||||
if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
|
if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
|
||||||
0 /* unknown size */, sockindex)) {
|
0 /* unknown size */, sockindex)) {
|
||||||
/* the session has been put into the session cache */
|
/* the session has been put into the session cache */
|
||||||
res = 1;
|
res = 1;
|
||||||
}
|
}
|
||||||
@ -3193,17 +3211,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
|||||||
int data_idx = ossl_get_ssl_data_index();
|
int data_idx = ossl_get_ssl_data_index();
|
||||||
int connectdata_idx = ossl_get_ssl_conn_index();
|
int connectdata_idx = ossl_get_ssl_conn_index();
|
||||||
int sockindex_idx = ossl_get_ssl_sockindex_index();
|
int sockindex_idx = ossl_get_ssl_sockindex_index();
|
||||||
|
int proxy_idx = ossl_get_proxy_index();
|
||||||
|
|
||||||
if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
|
if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
|
||||||
|
proxy_idx >= 0) {
|
||||||
/* Store the data needed for the "new session" callback.
|
/* Store the data needed for the "new session" callback.
|
||||||
* The sockindex is stored as a pointer to an array element. */
|
* The sockindex is stored as a pointer to an array element. */
|
||||||
SSL_set_ex_data(backend->handle, data_idx, data);
|
SSL_set_ex_data(backend->handle, data_idx, data);
|
||||||
SSL_set_ex_data(backend->handle, connectdata_idx, conn);
|
SSL_set_ex_data(backend->handle, connectdata_idx, conn);
|
||||||
SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
|
SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
|
||||||
|
NULL);
|
||||||
|
#else
|
||||||
|
SSL_set_ex_data(backend->handle, proxy_idx, NULL);
|
||||||
|
#endif
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
|
if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
|
&ssl_sessionid, NULL, sockindex)) {
|
||||||
/* we got a session id, use it! */
|
/* we got a session id, use it! */
|
||||||
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
|
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
|
||||||
Curl_ssl_sessionid_unlock(data);
|
Curl_ssl_sessionid_unlock(data);
|
||||||
|
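Review bot: In ossl_new_session_cb the proxy leg skips the cache lookup entirely (`if(isproxy) incache = FALSE;`), so a stale entry for the same proxy is never detected and deleted the way the origin leg does just below before the new session is stored, and the reason for this asymmetry is not recorded; either add a comment stating why the proxy lookup is skipped, or perform the lookup for both legs now that `isproxy` is passed explicitly. Whether the resulting duplicate proxy entries are harmless depends on how Curl_ssl_addsessionid evicts, which is not visible here. Separately, ossl_connect_step1 stores the flag in ex-data as the raw pointer `(void *) 1`; a one-line comment such as `/* non-NULL marks the handle as the proxy leg; read back in ossl_new_session_cb */` would spare the reader a trip to the callback. Both functions extend beyond the hunks shown.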
@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
if(SSL_SET_OPTION(primary.sessionid)) {
|
if(SSL_SET_OPTION(primary.sessionid)) {
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
if(!Curl_ssl_getsessionid(data, conn,
|
if(!Curl_ssl_getsessionid(data, conn,
|
||||||
|
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
(void **)&old_cred, NULL, sockindex)) {
|
(void **)&old_cred, NULL, sockindex)) {
|
||||||
BACKEND->cred = old_cred;
|
BACKEND->cred = old_cred;
|
||||||
DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
|
DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
|
||||||
@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
SECURITY_STATUS sspi_status = SEC_E_OK;
|
SECURITY_STATUS sspi_status = SEC_E_OK;
|
||||||
CERT_CONTEXT *ccert_context = NULL;
|
CERT_CONTEXT *ccert_context = NULL;
|
||||||
|
bool isproxy = SSL_IS_PROXY();
|
||||||
#ifdef DEBUGBUILD
|
#ifdef DEBUGBUILD
|
||||||
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
const char * const hostname = isproxy ? conn->http_proxy.host.name :
|
||||||
conn->host.name;
|
conn->host.name;
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAS_ALPN
|
#ifdef HAS_ALPN
|
||||||
@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
struct Curl_schannel_cred *old_cred = NULL;
|
struct Curl_schannel_cred *old_cred = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
|
incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred,
|
||||||
sockindex));
|
NULL, sockindex));
|
||||||
if(incache) {
|
if(incache) {
|
||||||
if(old_cred != BACKEND->cred) {
|
if(old_cred != BACKEND->cred) {
|
||||||
DEBUGF(infof(data,
|
DEBUGF(infof(data,
|
||||||
@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if(!incache) {
|
if(!incache) {
|
||||||
result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
|
result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred,
|
||||||
sizeof(struct Curl_schannel_cred),
|
sizeof(struct Curl_schannel_cred),
|
||||||
sockindex);
|
sockindex);
|
||||||
if(result) {
|
if(result) {
|
||||||
|
@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
|
|||||||
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
|
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
|
||||||
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
|
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
|
||||||
#ifndef CURL_DISABLE_PROXY
|
#ifndef CURL_DISABLE_PROXY
|
||||||
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
bool isproxy = SSL_IS_PROXY();
|
||||||
|
const char * const hostname = isproxy ? conn->http_proxy.host.name :
|
||||||
conn->host.name;
|
conn->host.name;
|
||||||
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
|
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
|
||||||
#else
|
#else
|
||||||
|
const isproxy = FALSE;
|
||||||
const char * const hostname = conn->host.name;
|
const char * const hostname = conn->host.name;
|
||||||
const long int port = conn->remote_port;
|
const long int port = conn->remote_port;
|
||||||
#endif
|
#endif
|
||||||
@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
|
|||||||
#ifdef USE_NGHTTP2
|
#ifdef USE_NGHTTP2
|
||||||
if(data->state.httpversion >= CURL_HTTP_VERSION_2
|
if(data->state.httpversion >= CURL_HTTP_VERSION_2
|
||||||
#ifndef CURL_DISABLE_PROXY
|
#ifndef CURL_DISABLE_PROXY
|
||||||
&& (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
|
&& (!isproxy || !conn->bits.tunnel_proxy)
|
||||||
#endif
|
#endif
|
||||||
) {
|
) {
|
||||||
CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
|
CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
|
||||||
@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
|
|||||||
size_t ssl_sessionid_len;
|
size_t ssl_sessionid_len;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
|
if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
|
||||||
&ssl_sessionid_len, sockindex)) {
|
&ssl_sessionid_len, sockindex)) {
|
||||||
/* we got a session id, use it! */
|
/* we got a session id, use it! */
|
||||||
err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
|
err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
|
||||||
@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
|
|||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
|
result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
|
||||||
ssl_sessionid_len, sockindex);
|
ssl_sessionid_len, sockindex);
|
||||||
Curl_ssl_sessionid_unlock(data);
|
Curl_ssl_sessionid_unlock(data);
|
||||||
if(result) {
|
if(result) {
|
||||||
|
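Review bot: The `#else` branch of the CURL_DISABLE_PROXY conditional in sectransp_connect_step1 declares `const isproxy = FALSE;` with no type specifier, which is implicit-int and is rejected or warned about by C99-and-later compilers, so a proxy-less build of this file is likely to break; it should read `const bool isproxy = FALSE;`. In the `#ifndef` branch the new `isproxy` local is introduced but the following line still recomputes the flag, `const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;`, and should use `isproxy` like the hostname line directly above it. sectransp_connect_step1 continues well past the hunks shown.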
@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
|
|||||||
*/
|
*/
|
||||||
bool Curl_ssl_getsessionid(struct Curl_easy *data,
|
bool Curl_ssl_getsessionid(struct Curl_easy *data,
|
||||||
struct connectdata *conn,
|
struct connectdata *conn,
|
||||||
|
const bool isProxy,
|
||||||
void **ssl_sessionid,
|
void **ssl_sessionid,
|
||||||
size_t *idsize, /* set 0 if unknown */
|
size_t *idsize, /* set 0 if unknown */
|
||||||
int sockindex)
|
int sockindex)
|
||||||
@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
|
|||||||
bool no_match = TRUE;
|
bool no_match = TRUE;
|
||||||
|
|
||||||
#ifndef CURL_DISABLE_PROXY
|
#ifndef CURL_DISABLE_PROXY
|
||||||
const bool isProxy = CONNECT_PROXY_SSL();
|
|
||||||
struct ssl_primary_config * const ssl_config = isProxy ?
|
struct ssl_primary_config * const ssl_config = isProxy ?
|
||||||
&conn->proxy_ssl_config :
|
&conn->proxy_ssl_config :
|
||||||
&conn->ssl_config;
|
&conn->ssl_config;
|
||||||
@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
|
|||||||
struct ssl_primary_config * const ssl_config = &conn->ssl_config;
|
struct ssl_primary_config * const ssl_config = &conn->ssl_config;
|
||||||
const char * const name = conn->host.name;
|
const char * const name = conn->host.name;
|
||||||
int port = conn->remote_port;
|
int port = conn->remote_port;
|
||||||
(void)sockindex;
|
|
||||||
#endif
|
#endif
|
||||||
|
(void)sockindex;
|
||||||
*ssl_sessionid = NULL;
|
*ssl_sessionid = NULL;
|
||||||
|
|
||||||
|
#ifdef CURL_DISABLE_PROXY
|
||||||
|
if(isProxy)
|
||||||
|
return TRUE;
|
||||||
|
#endif
|
||||||
|
|
||||||
DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
|
DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
|
||||||
|
|
||||||
if(!SSL_SET_OPTION(primary.sessionid))
|
if(!SSL_SET_OPTION(primary.sessionid))
|
||||||
@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
|
|||||||
*/
|
*/
|
||||||
CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
|
CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
|
||||||
struct connectdata *conn,
|
struct connectdata *conn,
|
||||||
|
bool isProxy,
|
||||||
void *ssl_sessionid,
|
void *ssl_sessionid,
|
||||||
size_t idsize,
|
size_t idsize,
|
||||||
int sockindex)
|
int sockindex)
|
||||||
@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
|
|||||||
int conn_to_port;
|
int conn_to_port;
|
||||||
long *general_age;
|
long *general_age;
|
||||||
#ifndef CURL_DISABLE_PROXY
|
#ifndef CURL_DISABLE_PROXY
|
||||||
const bool isProxy = CONNECT_PROXY_SSL();
|
|
||||||
struct ssl_primary_config * const ssl_config = isProxy ?
|
struct ssl_primary_config * const ssl_config = isProxy ?
|
||||||
&conn->proxy_ssl_config :
|
&conn->proxy_ssl_config :
|
||||||
&conn->ssl_config;
|
&conn->ssl_config;
|
||||||
@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
|
|||||||
const char *hostname = conn->host.name;
|
const char *hostname = conn->host.name;
|
||||||
(void)sockindex;
|
(void)sockindex;
|
||||||
#endif
|
#endif
|
||||||
|
(void)sockindex;
|
||||||
DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
|
DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
|
||||||
|
|
||||||
clone_host = strdup(hostname);
|
clone_host = strdup(hostname);
|
||||||
|
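Review bot: Curl_ssl_addsessionid is left inconsistent with Curl_ssl_getsessionid in the CURL_DISABLE_PROXY configuration: getsessionid gains `if(isProxy) return TRUE;` so a proxy lookup can never match, but addsessionid has no equivalent guard, which leaves its new `isProxy` parameter unused in that build (an unused-parameter warning where enabled) and would store a session passed with TRUE under the origin hostname, though callers presumably never pass TRUE there. The addsessionid hunk also adds `(void)sockindex;` after the `#endif` while keeping the original `(void)sockindex;` inside the `#else` branch, so the statement now appears twice in that configuration; drop the inner one, as the getsessionid hunk does. A short comment on the new early return, e.g. `/* proxy support compiled out: a proxy session can never be in the cache */`, would make the TRUE (meaning "no match") return less surprising. Both functions continue outside the hunks shown.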
@ -235,6 +235,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
|
|||||||
*/
|
*/
|
||||||
bool Curl_ssl_getsessionid(struct Curl_easy *data,
|
bool Curl_ssl_getsessionid(struct Curl_easy *data,
|
||||||
struct connectdata *conn,
|
struct connectdata *conn,
|
||||||
|
const bool isproxy,
|
||||||
void **ssl_sessionid,
|
void **ssl_sessionid,
|
||||||
size_t *idsize, /* set 0 if unknown */
|
size_t *idsize, /* set 0 if unknown */
|
||||||
int sockindex);
|
int sockindex);
|
||||||
@ -245,6 +246,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
|
|||||||
*/
|
*/
|
||||||
CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
|
CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
|
||||||
struct connectdata *conn,
|
struct connectdata *conn,
|
||||||
|
const bool isProxy,
|
||||||
void *ssl_sessionid,
|
void *ssl_sessionid,
|
||||||
size_t idsize,
|
size_t idsize,
|
||||||
int sockindex);
|
int sockindex);
|
||||||
|
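Review bot: The two new prototypes spell the parameter differently, `const bool isproxy` on Curl_ssl_getsessionid and `const bool isProxy` on Curl_ssl_addsessionid, while the vtls.c definitions use `isProxy` for both; pick one spelling (the backend call sites in this commit use lower-case `isproxy`) so header, definitions and callers agree. The documentation blocks preceding each prototype end just inside the hunks (`*/`) and, as far as is visible, were not updated for the new argument; a line such as ` * isproxy: TRUE to look up/store the session of the HTTPS proxy leg rather than the origin server` belongs in each.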
@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
void *ssl_sessionid = NULL;
|
void *ssl_sessionid = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
|
if(!Curl_ssl_getsessionid(data, conn,
|
||||||
|
SSL_IS_PROXY() ? TRUE : FALSE,
|
||||||
|
&ssl_sessionid, NULL, sockindex)) {
|
||||||
/* we got a session id, use it! */
|
/* we got a session id, use it! */
|
||||||
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
|
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
|
||||||
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
|
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
|
||||||
@ -772,11 +774,12 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
bool incache;
|
bool incache;
|
||||||
void *old_ssl_sessionid = NULL;
|
void *old_ssl_sessionid = NULL;
|
||||||
SSL_SESSION *our_ssl_sessionid = SSL_get_session(backend->handle);
|
SSL_SESSION *our_ssl_sessionid = SSL_get_session(backend->handle);
|
||||||
|
bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
|
||||||
|
|
||||||
if(our_ssl_sessionid) {
|
if(our_ssl_sessionid) {
|
||||||
Curl_ssl_sessionid_lock(data);
|
Curl_ssl_sessionid_lock(data);
|
||||||
incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
|
incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
|
||||||
sockindex));
|
&old_ssl_sessionid, NULL, sockindex));
|
||||||
if(incache) {
|
if(incache) {
|
||||||
if(old_ssl_sessionid != our_ssl_sessionid) {
|
if(old_ssl_sessionid != our_ssl_sessionid) {
|
||||||
infof(data, "old SSL session ID is stale, removing\n");
|
infof(data, "old SSL session ID is stale, removing\n");
|
||||||
@ -786,8 +789,8 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if(!incache) {
|
if(!incache) {
|
||||||
result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
|
result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
|
||||||
0 /* unknown size */, sockindex);
|
0, sockindex);
|
||||||
if(result) {
|
if(result) {
|
||||||
Curl_ssl_sessionid_unlock(data);
|
Curl_ssl_sessionid_unlock(data);
|
||||||
failf(data, "failed to store ssl session");
|
failf(data, "failed to store ssl session");
|
||||||
|
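Review bot: The Curl_ssl_addsessionid call in wolfssl_connect_step3 loses the `/* unknown size */` annotation on its `0` argument (`0 /* unknown size */, sockindex);` became `0, sockindex);`), so the purpose of the bare zero is no longer visible at the call site. Restore it on the new line: `result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);`. wolfssl_connect_step3 begins before this hunk and continues after it.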