From 33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26 Mon Sep 17 00:00:00 2001
From: Jay Satiro
Date: Wed, 22 Mar 2017 01:59:49 -0400
Subject: TLS: Fix switching off SSL session id when client cert is used

Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl will each have their own sessionid flag. Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that this issue had been fixed in 247d890, CVE-2016-5419.
Bug: https://github.com/curl/curl/issues/1341
Reported-by: lijian996@users.noreply.github.com
The new incarnation of this bug is called CVE-2017-7468 and is documented here: https://curl.haxx.se/docs/adv_20170419.html
---
 lib/vtls/vtls.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'lib/vtls/vtls.c')
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index c6935b5e6..d5d0971c4 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -122,6 +122,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
 CLONE_STRING(egdsocket);
 CLONE_STRING(random_file);
 CLONE_STRING(clientcert);
+
+ /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
+ dest->sessionid = (dest->clientcert ? false : source->sessionid);
 return TRUE;
 }
 
@@ -308,9 +311,9 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
 int port = isProxy ? (int)conn->port : conn->remote_port;
 *ssl_sessionid = NULL;
 
- DEBUGASSERT(data->set.general_ssl.sessionid);
+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
 
- if(!data->set.general_ssl.sessionid)
+ if(!SSL_SET_OPTION(primary.sessionid))
 /* session ID re-use is disabled */
 return TRUE;
 
@@ -412,7 +415,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
 &conn->proxy_ssl_config :
 &conn->ssl_config;
 
- DEBUGASSERT(data->set.general_ssl.sessionid);
+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
 
 clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
 if(!clone_host)
--
cgit v1.2.3
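Review bot: The new `dest->sessionid` assignment in Curl_clone_primary_ssl_config is only correct because it runs after `CLONE_STRING(clientcert)` has filled `dest->clientcert`, and the comment neither states that ordering nor names the regression this commit fixes. I would extend it to `/* Must stay after CLONE_STRING(clientcert): with a client cert, session reuse is disabled for this config (ssl and proxy_ssl separately), CVE-2016-5419 and CVE-2017-7468. */`. As a style point, the literal `false` sits two lines above `return TRUE;`, so `FALSE` would match the convention visible in this function. The function starts outside the hunk.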
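Review bot: The guard in Curl_ssl_getsessionid reads the flag through `SSL_SET_OPTION(primary.sessionid)`, but the client-cert override from the first hunk is written to `dest->sessionid` of the cloned config, and nothing on this page shows that the macro reads that copy. If the macro resolves to `data->set...`, as the replaced `data->set.general_ssl.sessionid` reads did, the session lookup would still run with a client certificate configured. Assuming the clone destinations are `conn->ssl_config` and `conn->proxy_ssl_config`, the check could read them directly: `if(!(isProxy ? conn->proxy_ssl_config.sessionid : conn->ssl_config.sessionid))`. The same read backs both DEBUGASSERT lines, here and in Curl_ssl_addsessionid, and this function's body starts and ends outside the hunk.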
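Review bot: Curl_ssl_addsessionid checks the flag only with `DEBUGASSERT`, whereas Curl_ssl_getsessionid also has a runtime `if(...) return TRUE;`; if DEBUGASSERT compiles to nothing in release builds, no visible line here stops a session from being cached when reuse is disabled. Because the flag is now switched off automatically for client certificates, a caller that omits its own check would store exactly the sessions this commit is meant to keep out of the cache. A runtime guard before the `strdup` call, for example `if(!SSL_SET_OPTION(primary.sessionid)) return CURLE_OK;`, would make the two functions consistent, provided callers keep ownership of the session object when nothing is stored. The function starts and ends outside the hunk, so an earlier guard may already exist.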