From ba3452cafc9920d133cb8f38ade2377be21acf0d Mon Sep 17 00:00:00 2001
From: Joel Depooter
Date: Tue, 11 May 2021 19:45:59 -0700
Subject: [PATCH] schannel: Ensure the security context request flags are always set

As of commit 54e7475, these flags would only be set when using a new credential handle. When re-using an existing credential handle, the flags would not be set.

Closes https://github.com/curl/curl/pull/7051
---
 lib/vtls/schannel.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index d3fb642d1..8c25ac5dd 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -562,15 +562,9 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
 "names in server certificates.\n"));
 }
- /* security request flags */
- BACKEND->req_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
- ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
- ISC_REQ_STREAM;
-
 if(!SSL_SET_OPTION(auto_client_cert)) {
 schannel_cred.dwFlags &= ~SCH_CRED_USE_DEFAULT_CREDS;
 schannel_cred.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
- BACKEND->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
 infof(data, "schannel: disabled automatic use of client certificate\n");
 }
 else
@@ -909,6 +903,15 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
 InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
 InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
+ /* security request flags */
+ BACKEND->req_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
+ ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
+ ISC_REQ_STREAM;
+
+ if(!SSL_SET_OPTION(auto_client_cert)) {
+ BACKEND->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
+ }
+
 /* allocate memory for the security context handle */
 BACKEND->ctxt = (struct Curl_schannel_ctxt *) calloc(1, sizeof(struct Curl_schannel_ctxt));
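Review bot: In the second hunk, `ISC_REQ_USE_SUPPLIED_CREDS` is now derived from the current transfer's `auto_client_cert` setting, while a re-used credential handle keeps whichever `SCH_CRED_USE_DEFAULT_CREDS` / `SCH_CRED_NO_DEFAULT_CREDS` flags it was created with in the first hunk's branch. The credential cache lookup lies outside both hunks, so it is worth confirming that a handle cached under one `auto_client_cert` value cannot be matched by a connection using the other; otherwise the request flags and the credential flags could disagree about automatic client-certificate selection. The moved comment would also benefit from stating the placement constraint, so that a later refactor does not move the block back under the new-credential path, for example `/* security request flags; set unconditionally so they also apply when a cached credential handle is re-used */`. The body of schannel_connect_step1 starts and ends outside the hunk.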