Diffstat (limited to 'main/curl/CVE-2017-7468.patch')
-rw-r--r--main/curl/CVE-2017-7468.patch264
1 files changed, 0 insertions, 264 deletions
diff --git a/main/curl/CVE-2017-7468.patch b/main/curl/CVE-2017-7468.patch
deleted file mode 100644
index 3135ec3fe5..0000000000
--- a/main/curl/CVE-2017-7468.patch
+++ /dev/null
@@ -1,264 +0,0 @@
-From 8166b637bce299f4ac64d371c20cd5afea72c364 Mon Sep 17 00:00:00 2001
-From: Jay Satiro <raysatiro@yahoo.com>
-Date: Wed, 22 Mar 2017 01:59:49 -0400
-Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is
- used
-
-- Move the sessionid flag to ssl_primary_config so that ssl and
- proxy_ssl will each have their own sessionid flag.
-
-Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
-this issue had been fixed in 247d890, CVE-2016-5419.
-
-Bug: https://github.com/curl/curl/issues/1341
-Reported-by: lijian996@users.noreply.github.com
----
- lib/url.c | 5 +++--
- lib/urldata.h | 2 +-
- lib/vtls/axtls.c | 4 ++--
- lib/vtls/cyassl.c | 4 ++--
- lib/vtls/darwinssl.c | 2 +-
- lib/vtls/gtls.c | 4 ++--
- lib/vtls/mbedtls.c | 4 ++--
- lib/vtls/nss.c | 2 +-
- lib/vtls/openssl.c | 4 ++--
- lib/vtls/polarssl.c | 4 ++--
- lib/vtls/schannel.c | 4 ++--
- lib/vtls/vtls.c | 9 ++++++---
- 12 files changed, 26 insertions(+), 22 deletions(-)
-
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -548,7 +548,7 @@
- #endif
- set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
- type */
-- set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
-+ set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
- default */
- set->proxy_ssl = set->ssl;
-
-@@ -2470,8 +2470,9 @@
- break;
-
- case CURLOPT_SSL_SESSIONID_CACHE:
-- data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
-+ data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
- TRUE : FALSE;
-+ data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
- break;
-
- #ifdef USE_LIBSSH2
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -354,6 +354,7 @@
- char *random_file; /* path to file containing "random" data */
- char *egdsocket; /* path to file containing the EGD daemon socket */
- char *cipher_list; /* list of ciphers to use */
-+ bool sessionid; /* cache session IDs or not */
- };
-
- struct ssl_config_data {
-@@ -383,7 +384,6 @@
- };
-
- struct ssl_general_config {
-- bool sessionid; /* cache session IDs or not */
- size_t max_ssl_sessions; /* SSL session id cache size */
- };
-
---- a/lib/vtls/axtls.c
-+++ b/lib/vtls/axtls.c
-@@ -256,7 +256,7 @@
- * 2) setting up callbacks. these seem gnutls specific
- */
-
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- const uint8_t *ssl_sessionid;
- size_t ssl_idsize;
-
-@@ -386,7 +386,7 @@
- conn->send[sockindex] = axtls_send;
-
- /* Put our freshly minted SSL session in cache */
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- const uint8_t *ssl_sessionid = ssl_get_session_id_size(ssl);
- size_t ssl_idsize = ssl_get_session_id(ssl);
- Curl_ssl_sessionid_lock(conn);
---- a/lib/vtls/cyassl.c
-+++ b/lib/vtls/cyassl.c
-@@ -383,7 +383,7 @@
- #endif /* HAVE_ALPN */
-
- /* Check if there's a cached ID we can/should use here! */
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- void *ssl_sessionid = NULL;
-
- Curl_ssl_sessionid_lock(conn);
-@@ -597,7 +597,7 @@
-
- DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
-
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- bool incache;
- SSL_SESSION *our_ssl_sessionid;
- void *old_ssl_sessionid = NULL;
---- a/lib/vtls/darwinssl.c
-+++ b/lib/vtls/darwinssl.c
-@@ -1541,7 +1541,7 @@
- #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
-
- /* Check if there's a cached ID we can/should use here! */
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- char *ssl_sessionid;
- size_t ssl_sessionid_len;
-
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -782,7 +782,7 @@
-
- /* This might be a reconnect, so we check for a session ID in the cache
- to speed up things */
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- void *ssl_sessionid;
- size_t ssl_idsize;
-
-@@ -1311,7 +1311,7 @@
- conn->recv[sockindex] = gtls_recv;
- conn->send[sockindex] = gtls_send;
-
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- /* we always unconditionally get the session id here, as even if we
- already got it from the cache and asked to use it in the connection, it
- might've been rejected and then a new one is in use now and we need to
---- a/lib/vtls/mbedtls.c
-+++ b/lib/vtls/mbedtls.c
-@@ -374,7 +374,7 @@
- mbedtls_ssl_list_ciphersuites());
-
- /* Check if there's a cached ID we can/should use here! */
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- void *old_session = NULL;
-
- Curl_ssl_sessionid_lock(conn);
-@@ -618,7 +618,7 @@
-
- DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
-
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- int ret;
- mbedtls_ssl_session *our_ssl_sessionid;
- void *old_ssl_sessionid = NULL;
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -1696,7 +1696,7 @@
- goto error;
-
- /* do not use SSL cache if disabled or we are not going to verify peer */
-- ssl_no_cache = (data->set.general_ssl.sessionid
-+ ssl_no_cache = (SSL_SET_OPTION(primary.sessionid)
- && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE;
- if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
- goto error;
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -2161,7 +2161,7 @@
- #endif
-
- /* Check if there's a cached ID we can/should use here! */
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- void *ssl_sessionid = NULL;
-
- Curl_ssl_sessionid_lock(conn);
-@@ -2915,7 +2915,7 @@
-
- DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
-
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- bool incache;
- SSL_SESSION *our_ssl_sessionid;
- void *old_ssl_sessionid = NULL;
---- a/lib/vtls/polarssl.c
-+++ b/lib/vtls/polarssl.c
-@@ -327,7 +327,7 @@
- ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
-
- /* Check if there's a cached ID we can/should use here! */
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- void *old_session = NULL;
-
- Curl_ssl_sessionid_lock(conn);
-@@ -555,7 +555,7 @@
-
- DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
-
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- int ret;
- ssl_session *our_ssl_sessionid;
- void *old_ssl_sessionid = NULL;
---- a/lib/vtls/schannel.c
-+++ b/lib/vtls/schannel.c
-@@ -145,7 +145,7 @@
- connssl->cred = NULL;
-
- /* check for an existing re-usable credential handle */
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
- connssl->cred = old_cred;
-@@ -714,7 +714,7 @@
- #endif
-
- /* save the current session data for possible re-use */
-- if(data->set.general_ssl.sessionid) {
-+ if(SSL_SET_OPTION(primary.sessionid)) {
- bool incache;
- struct curl_schannel_cred *old_cred = NULL;
-
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -120,6 +120,9 @@
- CLONE_STRING(egdsocket);
- CLONE_STRING(random_file);
- CLONE_STRING(clientcert);
-+
-+ /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
-+ dest->sessionid = (dest->clientcert ? false : source->sessionid);
- return TRUE;
- }
-
-@@ -293,9 +296,9 @@
- int port = isProxy ? (int)conn->port : conn->remote_port;
- *ssl_sessionid = NULL;
-
-- DEBUGASSERT(data->set.general_ssl.sessionid);
-+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
-
-- if(!data->set.general_ssl.sessionid)
-+ if(!SSL_SET_OPTION(primary.sessionid))
- /* session ID re-use is disabled */
- return TRUE;
-
-@@ -397,7 +400,7 @@
- &conn->proxy_ssl_config :
- &conn->ssl_config;
-
-- DEBUGASSERT(data->set.general_ssl.sessionid);
-+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
-
- clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
- if(!clone_host)