From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 19 Mar 2021 12:38:49 +0100
Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
To make sure we set and extract the correct session.
Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html
CVE-2021-22890
Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++-----------
lib/vtls/vtls.c | 12 ++++++++---
lib/vtls/vtls.h | 2 ++
3 files changed, 51 insertions(+), 15 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 5803fd1..16276f3 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -360,12 +360,23 @@ static int ossl_get_ssl_conn_index(void)
*/
static int ossl_get_ssl_sockindex_index(void)
{
- static int ssl_ex_data_sockindex_index = -1;
- if(ssl_ex_data_sockindex_index < 0) {
- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
- NULL);
+ static int sockindex_index = -1;
+ if(sockindex_index < 0) {
+ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
}
- return ssl_ex_data_sockindex_index;
+ return sockindex_index;
+}
+
+/* Return an extra data index for proxy boolean.
+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
+ */
+static int ossl_get_proxy_index(void)
+{
+ static int proxy_index = -1;
+ if(proxy_index < 0) {
+ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ }
+ return proxy_index;
}
static int passwd_callback(char *buf, int num, int encrypting,
@@ -1133,7 +1144,8 @@ static int Curl_ossl_init(void)
Curl_tls_keylog_open();
/* Initialize the extra data indexes */
- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
+ if(ossl_get_ssl_conn_index() < 0 ||
+ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
return 0;
return 1;
@@ -2425,8 +2437,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
curl_socket_t *sockindex_ptr;
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
+ int proxy_idx = ossl_get_proxy_index();
+ bool isproxy;
- if(connectdata_idx < 0 || sockindex_idx < 0)
+ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
return 0;
conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
@@ -2439,13 +2453,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
sockindex = (int)(sockindex_ptr - conn->sock);
+ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
+
if(SSL_SET_OPTION(primary.sessionid)) {
bool incache;
void *old_ssl_sessionid = NULL;
Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
- sockindex));
+ if(isproxy)
+ incache = FALSE;
+ else
+ incache = !(Curl_ssl_getsessionid(conn, isproxy,
+ &old_ssl_sessionid, NULL, sockindex));
if(incache) {
if(old_ssl_sessionid != ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
@@ -2455,7 +2474,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
}
if(!incache) {
- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
+ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
0 /* unknown size */, sockindex)) {
/* the session has been put into the session cache */
res = 1;
@@ -3170,16 +3189,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
void *ssl_sessionid = NULL;
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
+ int proxy_idx = ossl_get_proxy_index();
- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
+ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
/* Store the data needed for the "new session" callback.
* The sockindex is stored as a pointer to an array element. */
SSL_set_ex_data(backend->handle, connectdata_idx, conn);
SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
+#ifndef CURL_DISABLE_PROXY
+ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
+ NULL);
+#else
+ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
+#endif
+
}
Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
+ &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
Curl_ssl_sessionid_unlock(conn);
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index c3a55fb..e50fdd2 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -358,6 +358,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
* there's one suitable, it is provided. Returns TRUE when no entry matched.
*/
bool Curl_ssl_getsessionid(struct connectdata *conn,
+ const bool isProxy,
void **ssl_sessionid,
size_t *idsize, /* set 0 if unknown */
int sockindex)
@@ -369,7 +370,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
bool no_match = TRUE;
#ifndef CURL_DISABLE_PROXY
- const bool isProxy = CONNECT_PROXY_SSL();
struct ssl_primary_config * const ssl_config = isProxy ?
&conn->proxy_ssl_config :
&conn->ssl_config;
@@ -381,10 +381,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
struct ssl_primary_config * const ssl_config = &conn->ssl_config;
const char * const name = conn->host.name;
int port = conn->remote_port;
- (void)sockindex;
#endif
+ (void)sockindex;
*ssl_sessionid = NULL;
+#ifdef CURL_DISABLE_PROXY
+ if(isProxy)
+ return TRUE;
+#endif
+
DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
if(!SSL_SET_OPTION(primary.sessionid))
@@ -472,6 +477,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
* later on.
*/
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+ bool isProxy,
void *ssl_sessionid,
size_t idsize,
int sockindex)
@@ -485,7 +491,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
int conn_to_port;
long *general_age;
#ifndef CURL_DISABLE_PROXY
- const bool isProxy = CONNECT_PROXY_SSL();
struct ssl_primary_config * const ssl_config = isProxy ?
&conn->proxy_ssl_config :
&conn->ssl_config;
@@ -498,6 +503,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
const char *hostname = conn->host.name;
(void)sockindex;
#endif
+ (void)sockindex;
DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
clone_host = strdup(hostname);
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index bcc8444..343cad0 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -203,6 +203,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
* under sessionid mutex).
*/
bool Curl_ssl_getsessionid(struct connectdata *conn,
+ const bool isproxy,
void **ssl_sessionid,
size_t *idsize, /* set 0 if unknown */
int sockindex);
@@ -212,6 +213,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
* object with cache (e.g. incrementing refcount on success)
*/
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+ const bool isProxy,
void *ssl_sessionid,
size_t idsize,
int sockindex);
--
2.26.3
