Subject: bug#47563: [PATCH 1/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
From: Léo Le Bouter via Bug reports for GNU Guix
To: 47563@debbugs.gnu.org
Cc: Léo Le Bouter
Date: Fri, 2 Apr 2021 16:09:40 +0200
Message-Id: <20210402140940.28300-2-lle-bout@zaclys.net>
In-Reply-To: <20210402140940.28300-1-lle-bout@zaclys.net>
X-Mailer: git-send-email 2.31.1
designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: CC4D514BC7 X-Spam-Score: 1.07 X-Migadu-Scanner: scn0.migadu.com X-TUID: 7Z3b/v6St8tg * gnu/packages/patches/curl-CVE-2021-22876.patch, gnu/packages/patches/curl-CVE-2021-22890.patch: New patches. * gnu/local.mk (dist_patch_DATA): Register them. * gnu/packages/curl.scm (curl): Apply patches. --- gnu/local.mk | 2 + gnu/packages/curl.scm | 4 +- .../patches/curl-CVE-2021-22876.patch | 147 ++++++ .../patches/curl-CVE-2021-22890.patch | 499 ++++++++++++++++++ 4 files changed, 651 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/curl-CVE-2021-22876.patch create mode 100644 gnu/packages/patches/curl-CVE-2021-22890.patch diff --git a/gnu/local.mk b/gnu/local.mk index f2d595f2cc..cf6f35363f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -919,6 +919,8 @@ dist_patch_DATA =3D \ %D%/packages/patches/crda-optional-gcrypt.patch \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ + %D%/packages/patches/curl-CVE-2021-22890.patch \ + %D%/packages/patches/curl-CVE-2021-22876.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-CVE-2017-12836.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 730676875c..fa02f281cf 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -61,7 +61,9 @@ (sha256 (base32 "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr")) - (patches (search-patches "curl-use-ssl-cert-env.patch")))) + (patches (search-patches "curl-use-ssl-cert-env.patch" + "curl-CVE-2021-22876.patch" + "curl-CVE-2021-22890.patch")))) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.2 MiB of man3 pages diff --git a/gnu/packages/patches/curl-CVE-2021-22876.patch b/gnu/packages/= patches/curl-CVE-2021-22876.patch new file mode 100644 index 0000000000..b67a1be16a --- /dev/null 
+++ b/gnu/packages/patches/curl-CVE-2021-22876.patch 
@@ -0,0 +1,147 @@ +From 7214288898f5625a6cc196e22a74232eada7861c Mon Sep 17 00:00:00 2001 +From: Viktor Szakats +Date: Tue, 23 Feb 2021 14:54:46 +0100 +Subject: [PATCH] transfer: strip credentials from the auto-referer header + field + +Added test 2081 to verify. + +CVE-2021-22876 + +Bug: https://curl.se/docs/CVE-2021-22876.html +--- + lib/transfer.c | 25 ++++++++++++++-- + tests/data/Makefile.inc | 2 +- + tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 90 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test2081 + +diff --git a/lib/transfer.c b/lib/transfer.c +index 1976bc0338bc..a68c021c84d6 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1581,6 +1581,9 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->state.followlocation++; /* count location-followers */ +=20 + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the refe= rer + when we get the next URL. 
We pick the ->url field, which may o= r may + not be 100% correct */ +@@ -1590,9 +1593,27 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->change.referer_alloc =3D FALSE; + } +=20 +- data->change.referer =3D strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u =3D curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc =3D curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc =3D curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc =3D curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc =3D curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc =3D curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer =3D=3D NULL) + return CURLE_OUT_OF_MEMORY; ++ ++ data->change.referer =3D referer; + data->change.referer_alloc =3D TRUE; /* yes, free this later */ + } + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 2c7a0ca89fd8..ea52683d2254 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -225,7 +225,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \ + test2064 test2065 test2066 test2067 test2068 test2069 test2070 \ + test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ + test2078 \ +-test2080 \ ++test2080 test2081 \ + test2100 \ + \ + test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \ +diff --git a/tests/data/test2081 b/tests/data/test2081 +new file mode 100644 +index 000000000000..a6733e737beb +--- /dev/null ++++ b/tests/data/test2081 +@@ -0,0 +1,66 @@ ++ ++ ++ ++HTTP ++HTTP GET ++referer ++followlocation ++--write-out ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose=0D ++Location: data/%TESTNUMBER0002.txt?coolsite=3Dyes=0D ++Content-Length: 62=0D ++Connection: close=0D ++=0D ++This server reply is for testing a simple Location: following ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ 
++Automatic referrer credential and anchor stripping check ++ ++ ++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --locat= ion --referer ';auto' --write-out '%{referer}\n' ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++52 ++ ++ ++GET /we/want/our/%TESTNUMBER HTTP/1.1=0D ++Host: %HOSTIP:%HTTPPORT=0D ++Authorization: Basic dXNlcjpwYXNz=0D ++User-Agent: curl/%VERSION=0D ++Accept: */*=0D ++=0D ++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=3Dyes HTTP/1.1=0D ++Host: %HOSTIP:%HTTPPORT=0D ++Authorization: Basic dXNlcjpwYXNz=0D ++User-Agent: curl/%VERSION=0D ++Accept: */*=0D ++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER=0D ++=0D ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose=0D ++Location: data/%TESTNUMBER0002.txt?coolsite=3Dyes=0D ++Content-Length: 62=0D ++Connection: close=0D ++=0D ++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++ ++ ++ diff --git a/gnu/packages/patches/curl-CVE-2021-22890.patch b/gnu/packages/= patches/curl-CVE-2021-22890.patch new file mode 100644 index 0000000000..f01bc20530 --- /dev/null +++ b/gnu/packages/patches/curl-CVE-2021-22890.patch 
@@ -0,0 +1,499 @@ +From b09c8ee15771c614c4bf3ddac893cdb12187c844 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 19 Mar 2021 12:38:49 +0100 +Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid= () + +To make sure we set and extract the correct session. + +Reported-by: Mingtao Yang +Bug: https://curl.se/docs/CVE-2021-22890.html + +CVE-2021-22890 +--- + lib/vtls/bearssl.c | 8 +++++-- + lib/vtls/gtls.c | 12 ++++++---- + lib/vtls/mbedtls.c | 12 ++++++---- + lib/vtls/mesalink.c | 14 ++++++++---- + lib/vtls/openssl.c | 54 +++++++++++++++++++++++++++++++++----------- + lib/vtls/schannel.c | 10 ++++---- + lib/vtls/sectransp.c | 10 ++++---- + lib/vtls/vtls.c | 12 +++++++--- + lib/vtls/vtls.h | 2 ++ + lib/vtls/wolfssl.c | 13 +++++++---- + 10 files changed, 103 insertions(+), 44 deletions(-) + +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c +index 36c32d8d55be..39fc1a29209c 100644 +--- a/lib/vtls/bearssl.c ++++ b/lib/vtls/bearssl.c +@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy= *data, + void *session; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &session, NULL, sockindex)) { + br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); + infof(data, "BearSSL: re-using session ID\n"); + } +@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_ea= sy *data, + br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); + Curl_ssl_sessionid_lock(data); + incache =3D !(Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, + &oldsession, NULL, sockindex)); + if(incache) + Curl_ssl_delsessionid(data, oldsession); +- ret =3D Curl_ssl_addsessionid(data, conn, session, 0, sockindex); ++ ret =3D Curl_ssl_addsessionid(data, conn, ++ SSL_IS_PROXY() ? 
TRUE : FALSE, ++ session, 0, sockindex); + Curl_ssl_sessionid_unlock(data); + if(ret) { + free(session); +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index a75937b4646c..3b0d940a60e1 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -727,6 +727,7 @@ gtls_connect_step1(struct Curl_easy *data, +=20 + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, &ssl_idsize, sockindex)) { + /* we got a session id, use it! */ + gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); +@@ -1286,8 +1287,9 @@ gtls_connect_step3(struct Curl_easy *data, + gnutls_session_get_data(session, connect_sessionid, &connect_idsize= ); +=20 + Curl_ssl_sessionid_lock(data); +- incache =3D !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NUL= L, +- sockindex)); ++ incache =3D !(Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)); + if(incache) { + /* there was one before in the cache, so instead of risking that = the + previous one was rejected, we just kill that and store the new= */ +@@ -1295,8 +1297,10 @@ gtls_connect_step3(struct Curl_easy *data, + } +=20 + /* store this session id */ +- result =3D Curl_ssl_addsessionid(data, conn, connect_sessionid, +- connect_idsize, sockindex); ++ result =3D Curl_ssl_addsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ connect_sessionid, connect_idsize, ++ sockindex); + Curl_ssl_sessionid_unlock(data); + if(result) { + free(connect_sessionid); +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 95cd4d99b665..93a7ac1fd87d 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct conn= ectdata *conn, + void *old_session =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex))= { ++ if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? 
TRUE : FALSE, ++ &old_session, NULL, sockindex)) { + ret =3D mbedtls_ssl_set_session(&backend->ssl, old_session); + if(ret) { + Curl_ssl_sessionid_unlock(data); +@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct conn= ectdata *conn, + int ret; + mbedtls_ssl_session *our_ssl_sessionid; + void *old_ssl_sessionid =3D NULL; ++ bool isproxy =3D SSL_IS_PROXY() ? TRUE : FALSE; +=20 + our_ssl_sessionid =3D malloc(sizeof(mbedtls_ssl_session)); + if(!our_ssl_sessionid) +@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct co= nnectdata *conn, +=20 + /* If there's already a matching session in the cache, delete it */ + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, socki= ndex)) ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NU= LL, ++ sockindex)) + Curl_ssl_delsessionid(data, old_ssl_sessionid); +=20 +- retcode =3D Curl_ssl_addsessionid(data, conn, +- our_ssl_sessionid, 0, sockindex); ++ retcode =3D Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessio= nid, ++ 0, sockindex); + Curl_ssl_sessionid_unlock(data); + if(retcode) { + mbedtls_ssl_session_free(our_ssl_sessionid); +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c +index 4f1ab8627f49..5d6a1495d790 100644 +--- a/lib/vtls/mesalink.c ++++ b/lib/vtls/mesalink.c +@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data, + void *ssl_sessionid =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex= )) { ++ if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! 
*/ + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(data); +@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int= sockindex) + bool incache; + SSL_SESSION *our_ssl_sessionid; + void *old_ssl_sessionid =3D NULL; ++ bool isproxy =3D SSL_IS_PROXY() ? TRUE : FALSE; +=20 + our_ssl_sessionid =3D SSL_get_session(BACKEND->handle); +=20 + Curl_ssl_sessionid_lock(data); + incache =3D +- !(Curl_ssl_getsessionid(data, conn, +- &old_ssl_sessionid, NULL, sockindex)); ++ !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NU= LL, ++ sockindex)); + if(incache) { + if(old_ssl_sessionid !=3D our_ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int s= ockindex) + } +=20 + if(!incache) { +- result =3D Curl_ssl_addsessionid( +- data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); ++ result =3D ++ Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0, ++ sockindex); + if(result) { + Curl_ssl_sessionid_unlock(data); + failf(data, "failed to store ssl session"); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 498f8b9d1d08..68b98984b460 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -393,12 +393,23 @@ static int ossl_get_ssl_conn_index(void) + */ + static int ossl_get_ssl_sockindex_index(void) + { +- static int ssl_ex_data_sockindex_index =3D -1; +- if(ssl_ex_data_sockindex_index < 0) { +- ssl_ex_data_sockindex_index =3D SSL_get_ex_new_index(0, NULL, NULL, N= ULL, +- NULL); ++ static int sockindex_index =3D -1; ++ if(sockindex_index < 0) { ++ sockindex_index =3D SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } +- return ssl_ex_data_sockindex_index; ++ return sockindex_index; ++} ++ ++/* Return an extra data index for proxy boolean. ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). 
++ */ ++static int ossl_get_proxy_index(void) ++{ ++ static int proxy_index =3D -1; ++ if(proxy_index < 0) { ++ proxy_index =3D SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ++ } ++ return proxy_index; + } +=20 + static int passwd_callback(char *buf, int num, int encrypting, +@@ -1174,7 +1185,7 @@ static int ossl_init(void) +=20 + /* Initialize the extra data indexes */ + if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 || +- ossl_get_ssl_sockindex_index() < 0) ++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) + return 0; +=20 + return 1; +@@ -2432,8 +2443,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSIO= N *ssl_sessionid) + int data_idx =3D ossl_get_ssl_data_index(); + int connectdata_idx =3D ossl_get_ssl_conn_index(); + int sockindex_idx =3D ossl_get_ssl_sockindex_index(); ++ int proxy_idx =3D ossl_get_proxy_index(); ++ bool isproxy; +=20 +- if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0) ++ if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_id= x < 0) + return 0; +=20 + conn =3D (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); +@@ -2446,13 +2459,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSI= ON *ssl_sessionid) + sockindex_ptr =3D (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); + sockindex =3D (int)(sockindex_ptr - conn->sock); +=20 ++ isproxy =3D SSL_get_ex_data(ssl, proxy_idx) ? 
TRUE : FALSE; ++ + if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + void *old_ssl_sessionid =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- incache =3D !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, N= ULL, +- sockindex)); ++ if(isproxy) ++ incache =3D FALSE; ++ else ++ incache =3D !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockind= ex)); + if(incache) { + if(old_ssl_sessionid !=3D ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -2462,8 +2480,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION= *ssl_sessionid) + } +=20 + if(!incache) { +- if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid, +- 0 /* unknown size */, sockindex)) { ++ if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, ++ 0 /* unknown size */, sockindex)) { + /* the session has been put into the session cache */ + res =3D 1; + } +@@ -3193,17 +3211,27 @@ static CURLcode ossl_connect_step1(struct Curl_eas= y *data, + int data_idx =3D ossl_get_ssl_data_index(); + int connectdata_idx =3D ossl_get_ssl_conn_index(); + int sockindex_idx =3D ossl_get_ssl_sockindex_index(); ++ int proxy_idx =3D ossl_get_proxy_index(); +=20 +- if(data_idx >=3D 0 && connectdata_idx >=3D 0 && sockindex_idx >=3D 0)= { ++ if(data_idx >=3D 0 && connectdata_idx >=3D 0 && sockindex_idx >=3D 0 = && ++ proxy_idx >=3D 0) { + /* Store the data needed for the "new session" callback. + * The sockindex is stored as a pointer to an array element. */ + SSL_set_ex_data(backend->handle, data_idx, data); + SSL_set_ex_data(backend->handle, connectdata_idx, conn); + SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockin= dex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? 
(void = *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++#endif ++ + } +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex= )) { ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(backend->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(data); +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index d7b89d43f892..931bd853eb8e 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct = connectdata *conn, + if(SSL_SET_OPTION(primary.sessionid)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, + (void **)&old_cred, NULL, sockindex)) { + BACKEND->cred =3D old_cred; + DEBUGF(infof(data, "schannel: re-using existing credential handle\n= ")); +@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struc= t connectdata *conn, + struct ssl_connect_data *connssl =3D &conn->ssl[sockindex]; + SECURITY_STATUS sspi_status =3D SEC_E_OK; + CERT_CONTEXT *ccert_context =3D NULL; ++ bool isproxy =3D SSL_IS_PROXY(); + #ifdef DEBUGBUILD +- const char * const hostname =3D SSL_IS_PROXY() ? conn->http_proxy.host.= name : ++ const char * const hostname =3D isproxy ? 
conn->http_proxy.host.name : + conn->host.name; + #endif + #ifdef HAS_ALPN +@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struc= t connectdata *conn, + struct Curl_schannel_cred *old_cred =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- incache =3D !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, N= ULL, +- sockindex)); ++ incache =3D !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ol= d_cred, ++ NULL, sockindex)); + if(incache) { + if(old_cred !=3D BACKEND->cred) { + DEBUGF(infof(data, +@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struc= t connectdata *conn, + } + } + if(!incache) { +- result =3D Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred, ++ result =3D Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred, + sizeof(struct Curl_schannel_cred), + sockindex); + if(result) { +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 05b57dfaad91..e69b99b72cd6 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Cur= l_easy *data, + char * const ssl_cert =3D SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob =3D SSL_SET_OPTION(primary.cert_b= lob); + #ifndef CURL_DISABLE_PROXY +- const char * const hostname =3D SSL_IS_PROXY() ? conn->http_proxy.host.= name : ++ bool isproxy =3D SSL_IS_PROXY(); ++ const char * const hostname =3D isproxy ? conn->http_proxy.host.name : + conn->host.name; + const long int port =3D SSL_IS_PROXY() ? 
conn->port : conn->remote_port; + #else ++ const isproxy =3D FALSE; + const char * const hostname =3D conn->host.name; + const long int port =3D conn->remote_port; + #endif +@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_= easy *data, + #ifdef USE_NGHTTP2 + if(data->state.httpversion >=3D CURL_HTTP_VERSION_2 + #ifndef CURL_DISABLE_PROXY +- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) ++ && (!isproxy || !conn->bits.tunnel_proxy) + #endif + ) { + CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); +@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_= easy *data, + size_t ssl_sessionid_len; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid, ++ if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessioni= d, + &ssl_sessionid_len, sockindex)) { + /* we got a session id, use it! */ + err =3D SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid= _len); +@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_= easy *data, + return CURLE_SSL_CONNECT_ERROR; + } +=20 +- result =3D Curl_ssl_addsessionid(data, conn, ssl_sessionid, ++ result =3D Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, + ssl_sessionid_len, sockindex); + Curl_ssl_sessionid_unlock(data); + if(result) { +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 6a0069237fdb..95fd6356285f 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data) + */ + bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ const bool isProxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex) +@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, + bool no_match =3D TRUE; +=20 + #ifndef CURL_DISABLE_PROXY +- const bool isProxy =3D CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config =3D isProxy ? 
+ &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct ssl_primary_config * const ssl_config =3D &conn->ssl_config; + const char * const name =3D conn->host.name; + int port =3D conn->remote_port; +- (void)sockindex; + #endif ++ (void)sockindex; + *ssl_sessionid =3D NULL; +=20 ++#ifdef CURL_DISABLE_PROXY ++ if(isProxy) ++ return TRUE; ++#endif ++ + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); +=20 + if(!SSL_SET_OPTION(primary.sessionid)) +@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, voi= d *ssl_sessionid) + */ + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex) +@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + int conn_to_port; + long *general_age; + #ifndef CURL_DISABLE_PROXY +- const bool isProxy =3D CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config =3D isProxy ? 
+ &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + const char *hostname =3D conn->host.name; + (void)sockindex; + #endif ++ (void)sockindex; + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); +=20 + clone_host =3D strdup(hostname); +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index 273184f1894a..2b43e7744b19 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -235,6 +235,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data); + */ + bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ const bool isproxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex); +@@ -245,6 +246,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, + */ + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, ++ const bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex); +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c +index 7159ac9d5e64..8fb2ea7acf31 100644 +--- a/lib/vtls/wolfssl.c ++++ b/lib/vtls/wolfssl.c +@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct c= onnectdata *conn, + void *ssl_sessionid =3D NULL; +=20 + Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex= )) { ++ if(!Curl_ssl_getsessionid(data, conn, ++ SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(backend->handle, ssl_sessionid)) { + char error_buffer[WOLFSSL_MAX_ERROR_SZ]; +@@ -772,11 +774,12 @@ wolfssl_connect_step3(struct Curl_easy *data, struct= connectdata *conn, + bool incache; + void *old_ssl_sessionid =3D NULL; + SSL_SESSION *our_ssl_sessionid =3D SSL_get_session(backend->handle); ++ bool isproxy =3D SSL_IS_PROXY() ? 
TRUE : FALSE; +=20 + if(our_ssl_sessionid) { + Curl_ssl_sessionid_lock(data); +- incache =3D !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid,= NULL, +- sockindex)); ++ incache =3D !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockind= ex)); + if(incache) { + if(old_ssl_sessionid !=3D our_ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -786,8 +789,8 @@ wolfssl_connect_step3(struct Curl_easy *data, struct c= onnectdata *conn, + } +=20 + if(!incache) { +- result =3D Curl_ssl_addsessionid(data, conn, our_ssl_sessionid, +- 0 /* unknown size */, sockindex); ++ result =3D Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_ses= sionid, ++ 0, sockindex); + if(result) { + Curl_ssl_sessionid_unlock(data); + failf(data, "failed to store ssl session"); --=20 2.31.1
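Review bot: In the gnu/local.mk hunk the two new entries are listed as curl-CVE-2021-22890.patch before curl-CVE-2021-22876.patch, while the gnu/packages/curl.scm hunk lists them as 22876 then 22890; keep the same ascending order in both places (`+ %D%/packages/patches/curl-CVE-2021-22876.patch \` followed by `+ %D%/packages/patches/curl-CVE-2021-22890.patch \`) so the registration list and the package definition stay easy to cross-check.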
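Review bot: The gnu/packages/curl.scm hunk edits the `patches` field of the `curl` package's origin in place, which changes the derivation of every package that depends on curl. If this is intended for master rather than a rebuild branch, the usual approach for a security fix is a grafted replacement: define a variant package (for example `curl/fixed`, name as a suggestion) that inherits from `curl` and carries the two patches, and point the `replacement` field of `curl` at it, so users get the fix without a full rebuild of dependents.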
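Review bot: In the lib/transfer.c region of curl-CVE-2021-22876.patch, `uc` is assigned by every `curl_url_set`/`curl_url_get` call but is not declared in the hunk (only `CURLU *u;` and `char *referer;` are added), so the patch relies on a function-scope `CURLUcode uc` already existing in Curl_follow in the curl version Guix ships; worth confirming the patched file compiles against that version. Two smaller points in the same region: `referer` should be initialised (`char *referer = NULL;`) rather than depending on the `uc ||` short-circuit in `if(uc || referer == NULL)` to avoid reading it, and every failure on this path, including a URL parse failure of `data->change.url`, is reported as `CURLE_OUT_OF_MEMORY`, which will mislead anyone debugging a bad redirect target. The comment also misspells "credentials" as "crenditals".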
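Review bot: In the lib/vtls/sectransp.c region of curl-CVE-2021-22890.patch, the `#else` branch for `CURL_DISABLE_PROXY` adds `const isproxy = FALSE;` with no type, which is an implicit-int declaration and will fail or warn on a conforming compiler; it should read `const bool isproxy = FALSE;` to match the `bool isproxy = SSL_IS_PROXY();` line in the `#ifndef` branch. This only matters for a SecureTransport build with proxy support disabled, so the Guix Linux build will not hit it, but the carried patch should not ship with the defect.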
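Review bot: In the lib/vtls/vtls.c region of curl-CVE-2021-22890.patch, the `Curl_ssl_addsessionid` hunk adds `(void)sockindex;` after `#endif` but leaves the existing `(void)sockindex;` inside the `#else` branch, so the no-proxy build now has the statement twice; the `Curl_ssl_getsessionid` hunk just above removes the inner one, and `Curl_ssl_addsessionid` should do the same for consistency. The new parameter is also named `isProxy` in the `vtls.c` definitions and in the `Curl_ssl_addsessionid` prototype in `vtls.h`, but `isproxy` in the `Curl_ssl_getsessionid` prototype; pick one spelling for both prototypes.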
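Review bot: In the `ossl_new_session_cb` region of lib/vtls/openssl.c in curl-CVE-2021-22890.patch, the proxy case short-circuits the stale-entry check (`if(isproxy) incache = FALSE; else incache = !(Curl_ssl_getsessionid(data, conn, isproxy, ...))`), so a new proxy session is always stored without first deleting a previous entry for the same proxy, whereas every other backend in this patch performs the lookup with `isproxy` in both cases. Either do the lookup for the proxy case as well, or add a comment explaining why the proxy session cache is not checked here, so a later reader does not take the asymmetry for an oversight.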