From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Fri, 19 Mar 2021 12:38:49 +0100 Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() To make sure we set and extract the correct session. Reported-by: Mingtao Yang Bug: https://curl.se/docs/CVE-2021-22890.html CVE-2021-22890 Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844 Signed-off-by: Kamil Dudka <kdudka@redhat.com> --- lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++----------- lib/vtls/vtls.c | 12 ++++++++--- lib/vtls/vtls.h | 2 ++ 3 files changed, 51 insertions(+), 15 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 5803fd1..16276f3 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -360,12 +360,23 @@ static int ossl_get_ssl_conn_index(void) */ static int ossl_get_ssl_sockindex_index(void) { - static int ssl_ex_data_sockindex_index = -1; - if(ssl_ex_data_sockindex_index < 0) { - ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, - NULL); + static int sockindex_index = -1; + if(sockindex_index < 0) { + sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); } - return ssl_ex_data_sockindex_index; + return sockindex_index; +} + +/* Return an extra data index for proxy boolean. + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). + */ +static int ossl_get_proxy_index(void) +{ + static int proxy_index = -1; + if(proxy_index < 0) { + proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } + return proxy_index; } static int passwd_callback(char *buf, int num, int encrypting, @@ -1133,7 +1144,8 @@ static int Curl_ossl_init(void) Curl_tls_keylog_open(); /* Initialize the extra data indexes */ - if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) + if(ossl_get_ssl_conn_index() < 0 || + ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) return 0; return 1; @@ -2425,8 +2437,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) curl_socket_t *sockindex_ptr; int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); + int proxy_idx = ossl_get_proxy_index(); + bool isproxy; - if(connectdata_idx < 0 || sockindex_idx < 0) + if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) return 0; conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); @@ -2439,13 +2453,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); sockindex = (int)(sockindex_ptr - conn->sock); + isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; + if(SSL_SET_OPTION(primary.sessionid)) { bool incache; void *old_ssl_sessionid = NULL; Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, - sockindex)); + if(isproxy) + incache = FALSE; + else + incache = !(Curl_ssl_getsessionid(conn, isproxy, + &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); @@ -2455,7 +2474,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) } if(!incache) { - if(!Curl_ssl_addsessionid(conn, ssl_sessionid, + if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, 0 /* unknown size */, sockindex)) { /* the session has been put into the session cache */ res = 1; @@ -3170,16 +3189,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) void *ssl_sessionid = NULL; int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); + int proxy_idx = ossl_get_proxy_index(); - if(connectdata_idx >= 0 && sockindex_idx >= 0) { + if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { /* Store the data needed for the "new session" callback. * The sockindex is stored as a pointer to an array element. */ SSL_set_ex_data(backend->handle, connectdata_idx, conn); SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); +#ifndef CURL_DISABLE_PROXY + SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: + NULL); +#else + SSL_set_ex_data(backend->handle, proxy_idx, NULL); +#endif + } Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, + &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(backend->handle, ssl_sessionid)) { Curl_ssl_sessionid_unlock(conn); diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index c3a55fb..e50fdd2 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -358,6 +358,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn) * there's one suitable, it is provided. Returns TRUE when no entry matched. */ bool Curl_ssl_getsessionid(struct connectdata *conn, + const bool isProxy, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex) @@ -369,7 +370,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, bool no_match = TRUE; #ifndef CURL_DISABLE_PROXY - const bool isProxy = CONNECT_PROXY_SSL(); struct ssl_primary_config * const ssl_config = isProxy ? &conn->proxy_ssl_config : &conn->ssl_config; @@ -381,10 +381,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, struct ssl_primary_config * const ssl_config = &conn->ssl_config; const char * const name = conn->host.name; int port = conn->remote_port; - (void)sockindex; #endif + (void)sockindex; *ssl_sessionid = NULL; +#ifdef CURL_DISABLE_PROXY + if(isProxy) + return TRUE; +#endif + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); if(!SSL_SET_OPTION(primary.sessionid)) @@ -472,6 +477,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) * later on. */ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + bool isProxy, void *ssl_sessionid, size_t idsize, int sockindex) @@ -485,7 +491,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, int conn_to_port; long *general_age; #ifndef CURL_DISABLE_PROXY - const bool isProxy = CONNECT_PROXY_SSL(); struct ssl_primary_config * const ssl_config = isProxy ? &conn->proxy_ssl_config : &conn->ssl_config; @@ -498,6 +503,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, const char *hostname = conn->host.name; (void)sockindex; #endif + (void)sockindex; DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); clone_host = strdup(hostname); diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index bcc8444..343cad0 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -203,6 +203,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn); * under sessionid mutex). */ bool Curl_ssl_getsessionid(struct connectdata *conn, + const bool isproxy, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex); @@ -212,6 +213,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, * object with cache (e.g. incrementing refcount on success) */ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + const bool isProxy, void *ssl_sessionid, size_t idsize, int sockindex); -- 2.26.3