Commit 33cfcfd9 authored by Jay Satiro, committed by Daniel Stenberg

TLS: Fix switching off SSL session id when client cert is used

Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl
will each have their own sessionid flag.

Regression since HTTPS-Proxy support was added in cb4e2be7. Prior to that
this issue had been fixed in 247d890d, CVE-2016-5419.

Bug: https://github.com/curl/curl/issues/1341


Reported-by: <lijian996@users.noreply.github.com>

The new incarnation of this bug is called CVE-2017-7468 and is documented
here: https://curl.haxx.se/docs/adv_20170419.html
parent 997504ea
+3 −2
@@ -546,7 +546,7 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
#endif
  set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
                                                      type */
  set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
  set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
                                        default */
  set->proxy_ssl = set->ssl;

@@ -2499,8 +2499,9 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
    break;

  case CURLOPT_SSL_SESSIONID_CACHE:
    data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
    data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
                                      TRUE : FALSE;
    data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
    break;

#ifdef USE_LIBSSH2
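Review bot: The CURLOPT_SSL_SESSIONID_CACHE case now writes both `data->set.ssl.primary.sessionid` and `data->set.proxy_ssl.primary.sessionid`, so although the commit gives each config its own flag, a single user option still controls both and nothing in the hunk says that this is deliberate. A short comment above the added line would prevent a later "fix" that drops the proxy assignment, e.g. `/* one option covers session caching for both the origin and the proxy TLS config; keep them in sync */`. In the first hunk the default for the proxy flag is only correct because `set->proxy_ssl = set->ssl;` runs after `set->ssl.primary.sessionid = TRUE;`; a one-line comment on the copy noting that it must stay after the ssl defaults would make that ordering dependency explicit. Both enclosing functions start and end outside the hunks.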
+1 −1
@@ -360,6 +360,7 @@ struct ssl_primary_config {
  char *random_file;     /* path to file containing "random" data */
  char *egdsocket;       /* path to file containing the EGD daemon socket */
  char *cipher_list;     /* list of ciphers to use */
  bool sessionid;        /* cache session IDs or not */
};

struct ssl_config_data {
@@ -389,7 +390,6 @@ struct ssl_config_data {
};

struct ssl_general_config {
  bool sessionid; /* cache session IDs or not */
  size_t max_ssl_sessions; /* SSL session id cache size */
};
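Review bot: The new `bool sessionid;` member in ssl_primary_config keeps the old generic comment `/* cache session IDs or not */`, which no longer explains why the flag moved out of ssl_general_config. Since ssl_primary_config is embedded in both `set->ssl` and `set->proxy_ssl`, the comment should state that the flag is held per TLS config, e.g. `/* cache session IDs or not; held per config so the origin and proxy TLS settings stay distinct */`. If ssl_primary_config is also what connection reuse compares (not visible on this page), that is worth saying here too, as it is the property that keeps a client-cert session from being matched by a config that differs in this flag.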

+2 −2
@@ -262,7 +262,7 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
   * 2) setting up callbacks.  these seem gnutls specific
   */

  if(data->set.general_ssl.sessionid) {
  if(SSL_SET_OPTION(primary.sessionid)) {
    const uint8_t *ssl_sessionid;
    size_t ssl_idsize;

@@ -392,7 +392,7 @@ static CURLcode connect_finish(struct connectdata *conn, int sockindex)
  conn->send[sockindex] = axtls_send;

  /* Put our freshly minted SSL session in cache */
  if(data->set.general_ssl.sessionid) {
  if(SSL_SET_OPTION(primary.sessionid)) {
    const uint8_t *ssl_sessionid = ssl_get_session_id(ssl);
    size_t ssl_idsize = ssl_get_session_id_size(ssl);
    Curl_ssl_sessionid_lock(conn);
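Review bot: Both the session lookup in connect_prep and the session store in connect_finish now depend on `SSL_SET_OPTION(primary.sessionid)`, and the macro is not defined anywhere in this diff, so which of `ssl` or `proxy_ssl` it reads is decided by context outside the hunk (presumably from `conn` and `sockindex`, which both functions take). It is worth confirming that the macro resolves to the same config at both call sites for a given connection; otherwise a session could be stored under one config's flag and looked up under the other's. The same mechanical substitution appears in the cyassl_connect_step1/step3 and darwinssl_connect_step1 sections below. All four enclosing functions start and end outside their hunks.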
+2 −2
@@ -398,7 +398,7 @@ cyassl_connect_step1(struct connectdata *conn,
#endif /* HAVE_ALPN */

  /* Check if there's a cached ID we can/should use here! */
  if(data->set.general_ssl.sessionid) {
  if(SSL_SET_OPTION(primary.sessionid)) {
    void *ssl_sessionid = NULL;

    Curl_ssl_sessionid_lock(conn);
@@ -618,7 +618,7 @@ cyassl_connect_step3(struct connectdata *conn,

  DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);

  if(data->set.general_ssl.sessionid) {
  if(SSL_SET_OPTION(primary.sessionid)) {
    bool incache;
    SSL_SESSION *our_ssl_sessionid;
    void *old_ssl_sessionid = NULL;
+1 −1
@@ -1644,7 +1644,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
#endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */

  /* Check if there's a cached ID we can/should use here! */
  if(data->set.general_ssl.sessionid) {
  if(SSL_SET_OPTION(primary.sessionid)) {
    char *ssl_sessionid;
    size_t ssl_sessionid_len;
