diff options
author | Jay Satiro <raysatiro@yahoo.com> | 2017-03-22 01:59:49 -0400 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2017-04-18 07:56:34 +0200 |
commit | 33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26 (patch) | |
tree | e5c65c7cafb11e9e0405bd14d923a035dc063eb6 /lib/vtls/vtls.c | |
parent | 997504ea50887c80a0f90b88bb1778aad75f7ee9 (diff) |
TLS: Fix switching off SSL session id when client cert is used
Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl
will each have their own sessionid flag.
Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
this issue had been fixed in 247d890, CVE-2016-5419.
Bug: https://github.com/curl/curl/issues/1341
Reported-by: lijian996@users.noreply.github.com
The new incarnation of this bug is called CVE-2017-7468 and is documented
here: https://curl.haxx.se/docs/adv_20170419.html
Diffstat (limited to 'lib/vtls/vtls.c')
-rw-r--r-- | lib/vtls/vtls.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index c6935b5e6..d5d0971c4 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -122,6 +122,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, CLONE_STRING(egdsocket); CLONE_STRING(random_file); CLONE_STRING(clientcert); + + /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */ + dest->sessionid = (dest->clientcert ? false : source->sessionid); return TRUE; } @@ -308,9 +311,9 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, int port = isProxy ? (int)conn->port : conn->remote_port; *ssl_sessionid = NULL; - DEBUGASSERT(data->set.general_ssl.sessionid); + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); - if(!data->set.general_ssl.sessionid) + if(!SSL_SET_OPTION(primary.sessionid)) /* session ID re-use is disabled */ return TRUE; @@ -412,7 +415,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, &conn->proxy_ssl_config : &conn->ssl_config; - DEBUGASSERT(data->set.general_ssl.sessionid); + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name); if(!clone_host) |