On Tuesday 06 April 2021 at 13:53:42 +0100, Mike Crowe via lists.openembedded.org wrote: > Take patches from Ubuntu 20.04 7.68.0-1ubuntu2.5, which is close enough > that they apply without conflicts. > > Signed-off-by: Mike Crowe <m...@mcrowe.com> > --- > .../curl/curl/CVE-2021-22876.patch | 59 +++ > .../curl/curl/CVE-2021-22890.patch | 464 ++++++++++++++++++ > meta/recipes-support/curl/curl_7.69.1.bb | 2 + > 3 files changed, 525 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22876.patch > create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22890.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22876.patch > b/meta/recipes-support/curl/curl/CVE-2021-22876.patch > new file mode 100644 > index 0000000000..fc396aabef > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch > @@ -0,0 +1,59 @@ > +transfer: strip credentials from the auto-referer header field > + > +CVE-2021-22876 > + > +Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5. > + > +Bug: https://curl.se/docs/CVE-2021-22876.html > +Upstream-Status: backport > +--- > + lib/transfer.c | 25 +++++++++++++++++++++++-- > + 1 file changed, 23 insertions(+), 2 deletions(-) > + > +diff --git a/lib/transfer.c b/lib/transfer.c > +index e76834eb3..744e1c00b 100644 > +--- a/lib/transfer.c > ++++ b/lib/transfer.c > +@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data, > + data->set.followlocation++; /* count location-followers */ > + > + if(data->set.http_auto_referer) { > ++ CURLU *u; > ++ char *referer; > ++ > + /* We are asked to automatically set the previous URL as the referer > + when we get the next URL. We pick the ->url field, which may or > may > + not be 100% correct */ > +@@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data, > + data->change.referer_alloc = FALSE; > + } > + > +- data->change.referer = strdup(data->change.url); > +- if(!data->change.referer) > ++ /* Make a copy of the URL without crenditals and fragment */ > ++ u = curl_url(); > ++ if(!u) > ++ return CURLE_OUT_OF_MEMORY; > ++ > ++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); > ++ if(!uc) > ++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); > ++ if(!uc) > ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); > ++ if(!uc) > ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); > ++ if(!uc) > ++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); > ++ > ++ curl_url_cleanup(u); > ++ > ++ if(uc || referer == NULL) > + return CURLE_OUT_OF_MEMORY; > ++ > ++ data->change.referer = referer; > + data->change.referer_alloc = TRUE; /* yes, free this later */ > + } > + } > +-- > +2.20.1 > + > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22890.patch > b/meta/recipes-support/curl/curl/CVE-2021-22890.patch > new file mode 100644 > index 0000000000..8c0ecbfe7f > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2021-22890.patch > @@ -0,0 +1,464 @@ > +vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() > + > +To make sure we set and extract the correct session. > + > +Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5. > + > +CVE-2021-22890 > + > +Reported-by: Mingtao Yang > +Bug: https://curl.se/docs/CVE-2021-22890.html > +Upstream-Status: backport > +--- > + lib/vtls/bearssl.c | 9 +++++--- > + lib/vtls/gtls.c | 9 +++++--- > + lib/vtls/mbedtls.c | 8 ++++--- > + lib/vtls/mesalink.c | 9 +++++--- > + lib/vtls/openssl.c | 52 ++++++++++++++++++++++++++++++++++---------- > + lib/vtls/schannel.c | 10 +++++---- > + lib/vtls/sectransp.c | 9 ++++---- > + lib/vtls/vtls.c | 9 ++++++-- > + lib/vtls/vtls.h | 2 ++ > + lib/vtls/wolfssl.c | 8 ++++--- > + 10 files changed, 88 insertions(+), 37 deletions(-) > + > +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c > +index 67f945831..32cb0a4c2 100644 > +--- a/lib/vtls/bearssl.c > ++++ b/lib/vtls/bearssl.c > +@@ -372,7 +372,8 @@ static CURLcode bearssl_connect_step1(struct connectdata > *conn, int sockindex) > + void *session; > + > + Curl_ssl_sessionid_lock(conn); > +- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &session, NULL, sockindex)) { > + br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session); > + infof(data, "BearSSL: re-using session ID\n"); > + } > +@@ -560,10 +561,12 @@ static CURLcode bearssl_connect_step3(struct > connectdata *conn, int sockindex) > + return CURLE_OUT_OF_MEMORY; > + br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session); > + Curl_ssl_sessionid_lock(conn); > +- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex)); > ++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &oldsession, NULL, sockindex)); > + if(incache) > + Curl_ssl_delsessionid(conn, oldsession); > +- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex); > ++ ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ session, 0, sockindex); > + Curl_ssl_sessionid_unlock(conn); > + if(ret) { > + free(session); > +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c > +index 5f740eeba..46e149c7d 100644 > +--- a/lib/vtls/gtls.c > ++++ b/lib/vtls/gtls.c > +@@ -937,7 +937,8 @@ gtls_connect_step1(struct connectdata *conn, > + size_t ssl_idsize; > + > + Curl_ssl_sessionid_lock(conn); > +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, > sockindex)) { > ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &ssl_sessionid, &ssl_idsize, sockindex)) { > + /* we got a session id, use it! */ > + gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); > + > +@@ -1485,7 +1486,8 @@ gtls_connect_step3(struct connectdata *conn, > + gnutls_session_get_data(session, connect_sessionid, &connect_idsize); > + > + Curl_ssl_sessionid_lock(conn); > +- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, > ++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &ssl_sessionid, NULL, > + sockindex)); > + if(incache) { > + /* there was one before in the cache, so instead of risking that the > +@@ -1494,7 +1496,8 @@ gtls_connect_step3(struct connectdata *conn, > + } > + > + /* store this session id */ > +- result = Curl_ssl_addsessionid(conn, connect_sessionid, > connect_idsize, > ++ result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ connect_sessionid, connect_idsize, > + sockindex); > + Curl_ssl_sessionid_unlock(conn); > + if(result) { > +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c > +index f057315f3..19df8478e 100644 > +--- a/lib/vtls/mbedtls.c > ++++ b/lib/vtls/mbedtls.c > +@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *conn, > + void *old_session = NULL; > + > + Curl_ssl_sessionid_lock(conn); > +- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &old_session, NULL, sockindex)) { > + ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session); > + if(ret) { > + Curl_ssl_sessionid_unlock(conn); > +@@ -709,6 +710,7 @@ mbed_connect_step3(struct connectdata *conn, > + int ret; > + mbedtls_ssl_session *our_ssl_sessionid; > + void *old_ssl_sessionid = NULL; > ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; > + > + our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); > + if(!our_ssl_sessionid) > +@@ -727,10 +729,10 @@ mbed_connect_step3(struct connectdata *conn, > + > + /* If there's already a matching session in the cache, delete it */ > + Curl_ssl_sessionid_lock(conn); > +- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) > ++ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, > sockindex)) > + Curl_ssl_delsessionid(conn, old_ssl_sessionid); > + > +- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); > ++ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, > sockindex); > + Curl_ssl_sessionid_unlock(conn); > + if(retcode) { > + mbedtls_ssl_session_free(our_ssl_sessionid); > +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c > +index cab1e390b..79d1e3dfa 100644 > +--- a/lib/vtls/mesalink.c > ++++ b/lib/vtls/mesalink.c > +@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdata *conn, int > sockindex) > + void *ssl_sessionid = NULL; > + > + Curl_ssl_sessionid_lock(conn); > +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &ssl_sessionid, NULL, sockindex)) { > + /* we got a session id, use it! */ > + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { > + Curl_ssl_sessionid_unlock(conn); > +@@ -347,12 +348,14 @@ mesalink_connect_step3(struct connectdata *conn, int > sockindex) > + bool incache; > + SSL_SESSION *our_ssl_sessionid; > + void *old_ssl_sessionid = NULL; > ++ bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE; > + > + our_ssl_sessionid = SSL_get_session(BACKEND->handle); > + > + Curl_ssl_sessionid_lock(conn); > + incache = > +- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)); > ++ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, > ++ NULL, sockindex)); > + if(incache) { > + if(old_ssl_sessionid != our_ssl_sessionid) { > + infof(data, "old SSL session ID is stale, removing\n"); > +@@ -363,7 +366,7 @@ mesalink_connect_step3(struct connectdata *conn, int > sockindex) > + > + if(!incache) { > + result = Curl_ssl_addsessionid( > +- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); > ++ conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex); > + if(result) { > + Curl_ssl_sessionid_unlock(conn); > + failf(data, "failed to store ssl session"); > +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c > +index 1d09cadca..64f43605a 100644 > +--- a/lib/vtls/openssl.c > ++++ b/lib/vtls/openssl.c > +@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void) > + */ > + static int ossl_get_ssl_sockindex_index(void) > + { > +- static int ssl_ex_data_sockindex_index = -1; > +- if(ssl_ex_data_sockindex_index < 0) { > +- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, > +- NULL); > ++ static int sockindex_index = -1; > ++ if(sockindex_index < 0) { > ++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); > + } > +- return ssl_ex_data_sockindex_index; > ++ return sockindex_index; > ++} > ++ > ++/* Return an extra data index for proxy boolean. > ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). > ++ */ > ++static int ossl_get_proxy_index(void) > ++{ > ++ static int proxy_index = -1; > ++ if(proxy_index < 0) { > ++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); > ++ } > ++ return proxy_index; > + } > + > + static int passwd_callback(char *buf, int num, int encrypting, > +@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void) > + #endif > + > + /* Initialize the extra data indexes */ > +- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) > ++ if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 || > ++ ossl_get_proxy_index() < 0) > + return 0; > + > + return 1; > +@@ -2341,8 +2353,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION > *ssl_sessionid) > + curl_socket_t *sockindex_ptr; > + int connectdata_idx = ossl_get_ssl_conn_index(); > + int sockindex_idx = ossl_get_ssl_sockindex_index(); > ++ int proxy_idx = ossl_get_proxy_index(); > ++ bool isproxy; > + > +- if(connectdata_idx < 0 || sockindex_idx < 0) > ++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) > + return 0; > + > + conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); > +@@ -2355,13 +2369,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION > *ssl_sessionid) > + sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); > + sockindex = (int)(sockindex_ptr - conn->sock); > + > ++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; > ++ > + if(SSL_SET_OPTION(primary.sessionid)) { > + bool incache; > + void *old_ssl_sessionid = NULL; > + > + Curl_ssl_sessionid_lock(conn); > +- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, > +- sockindex)); > ++ if(isproxy) > ++ incache = FALSE; > ++ else > ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, > ++ &old_ssl_sessionid, NULL, > sockindex)); > + if(incache) { > + if(old_ssl_sessionid != ssl_sessionid) { > + infof(data, "old SSL session ID is stale, removing\n"); > +@@ -2371,7 +2390,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION > *ssl_sessionid) > + } > + > + if(!incache) { > +- if(!Curl_ssl_addsessionid(conn, ssl_sessionid, > ++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, > + 0 /* unknown size */, sockindex)) { > + /* the session has been put into the session cache */ > + res = 1; > +@@ -2868,16 +2887,25 @@ static CURLcode ossl_connect_step1(struct > connectdata *conn, int sockindex) > + void *ssl_sessionid = NULL; > + int connectdata_idx = ossl_get_ssl_conn_index(); > + int sockindex_idx = ossl_get_ssl_sockindex_index(); > ++ int proxy_idx = ossl_get_proxy_index(); > + > +- if(connectdata_idx >= 0 && sockindex_idx >= 0) { > ++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { > + /* Store the data needed for the "new session" callback. > + * The sockindex is stored as a pointer to an array element. */ > + SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn); > + SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + > sockindex); > ++#ifndef CURL_DISABLE_PROXY > ++ SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) > 1: > ++ NULL); > ++#else > ++ SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL); > ++#endif > ++ > + } > + > + Curl_ssl_sessionid_lock(conn); > +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &ssl_sessionid, NULL, sockindex)) { > + /* we got a session id, use it! */ > + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { > + Curl_ssl_sessionid_unlock(conn); > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c > +index f665ee340..a354ce95d 100644 > +--- a/lib/vtls/schannel.c > ++++ b/lib/vtls/schannel.c > +@@ -487,7 +487,8 @@ schannel_connect_step1(struct connectdata *conn, int > sockindex) > + /* check for an existing re-usable credential handle */ > + if(SSL_SET_OPTION(primary.sessionid)) { > + Curl_ssl_sessionid_lock(conn); > +- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ (void **)&old_cred, NULL, sockindex)) { > + BACKEND->cred = old_cred; > + DEBUGF(infof(data, "schannel: re-using existing credential > handle\n")); > + > +@@ -1193,8 +1194,9 @@ schannel_connect_step3(struct connectdata *conn, int > sockindex) > + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; > + SECURITY_STATUS sspi_status = SEC_E_OK; > + CERT_CONTEXT *ccert_context = NULL; > ++ bool isproxy = SSL_IS_PROXY(); > + #ifdef DEBUGBUILD > +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name > : > ++ const char * const hostname = isproxy ? conn->http_proxy.host.name : > + conn->host.name; > + #endif > + #ifdef HAS_ALPN > +@@ -1268,7 +1270,7 @@ schannel_connect_step3(struct connectdata *conn, int > sockindex) > + struct curl_schannel_cred *old_cred = NULL; > + > + Curl_ssl_sessionid_lock(conn); > +- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, > ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, > NULL, > + sockindex)); > + if(incache) { > + if(old_cred != BACKEND->cred) { > +@@ -1280,7 +1282,7 @@ schannel_connect_step3(struct connectdata *conn, int > sockindex) > + } > + } > + if(!incache) { > +- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred, > ++ result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred, > + sizeof(struct curl_schannel_cred), > + sockindex); > + if(result) { > +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c > +index 7dd028fb7..9c67d465a 100644 > +--- a/lib/vtls/sectransp.c > ++++ b/lib/vtls/sectransp.c > +@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(struct > connectdata *conn, > + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); > + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); > + char * const ssl_cert = SSL_SET_OPTION(cert); > +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name > : > ++ bool isproxy = SSL_IS_PROXY(); > ++ const char * const hostname = isproxy ? conn->http_proxy.host.name : > + conn->host.name; > + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; > + #ifdef ENABLE_IPV6 > +@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct > connectdata *conn, > + > + #ifdef USE_NGHTTP2 > + if(data->set.httpversion >= CURL_HTTP_VERSION_2 && > +- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) { > ++ (!isproxy || !conn->bits.tunnel_proxy)) { > + CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); > + infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID); > + } > +@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(struct > connectdata *conn, > + size_t ssl_sessionid_len; > + > + Curl_ssl_sessionid_lock(conn); > +- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, > ++ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid, > + &ssl_sessionid_len, sockindex)) { > + /* we got a session id, use it! */ > + err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, > ssl_sessionid_len); > +@@ -1944,7 +1945,7 @@ static CURLcode sectransp_connect_step1(struct > connectdata *conn, > + return CURLE_SSL_CONNECT_ERROR; > + } > + > +- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len, > ++ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, > ssl_sessionid_len, > + sockindex); > + Curl_ssl_sessionid_unlock(conn); > + if(result) { > +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c > +index dfefa1bd5..aaf73ef8f 100644 > +--- a/lib/vtls/vtls.c > ++++ b/lib/vtls/vtls.c > +@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn) > + * there's one suitable, it is provided. Returns TRUE when no entry matched. > + */ > + bool Curl_ssl_getsessionid(struct connectdata *conn, > ++ const bool isProxy, > + void **ssl_sessionid, > + size_t *idsize, /* set 0 if unknown */ > + int sockindex) > +@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, > + long *general_age; > + bool no_match = TRUE; > + > +- const bool isProxy = CONNECT_PROXY_SSL(); > + struct ssl_primary_config * const ssl_config = isProxy ? > + &conn->proxy_ssl_config : > + &conn->ssl_config; > +@@ -324,6 +324,11 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, > + int port = isProxy ? (int)conn->port : conn->remote_port; > + *ssl_sessionid = NULL; > + > ++#ifdef CURL_DISABLE_PROXY > ++ if(isProxy) > ++ return TRUE; > ++#endif > ++ > + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); > + > + if(!SSL_SET_OPTION(primary.sessionid)) > +@@ -411,6 +416,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, > void *ssl_sessionid) > + * later on. > + */ > + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, > ++ bool isProxy, > + void *ssl_sessionid, > + size_t idsize, > + int sockindex) > +@@ -423,7 +429,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, > + char *clone_conn_to_host; > + int conn_to_port; > + long *general_age; > +- const bool isProxy = CONNECT_PROXY_SSL(); > + struct ssl_primary_config * const ssl_config = isProxy ? > + &conn->proxy_ssl_config : > + &conn->ssl_config; > +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h > +index a81b2f22d..a5e348752 100644 > +--- a/lib/vtls/vtls.h > ++++ b/lib/vtls/vtls.h > +@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn); > + * under sessionid mutex). > + */ > + bool Curl_ssl_getsessionid(struct connectdata *conn, > ++ const bool isproxy, > + void **ssl_sessionid, > + size_t *idsize, /* set 0 if unknown */ > + int sockindex); > +@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, > + * object with cache (e.g. incrementing refcount on success) > + */ > + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, > ++ const bool isProxy, > + void *ssl_sessionid, > + size_t idsize, > + int sockindex); > +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c > +index 8c2d3f4a2..dd9f907ff 100644 > +--- a/lib/vtls/wolfssl.c > ++++ b/lib/vtls/wolfssl.c > +@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata *conn, > + void *ssl_sessionid = NULL; > + > + Curl_ssl_sessionid_lock(conn); > +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { > ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, > ++ &ssl_sessionid, NULL, sockindex)) { > + /* we got a session id, use it! */ > + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { > + char error_buffer[WOLFSSL_MAX_ERROR_SZ]; > +@@ -618,9 +619,10 @@ wolfssl_connect_step3(struct connectdata *conn, > + void *old_ssl_sessionid = NULL; > + > + our_ssl_sessionid = SSL_get_session(BACKEND->handle); > ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; > + > + Curl_ssl_sessionid_lock(conn); > +- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, > ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, > NULL, > + sockindex)); > + if(incache) { > + if(old_ssl_sessionid != our_ssl_sessionid) { > +@@ -631,7 +633,7 @@ wolfssl_connect_step3(struct connectdata *conn, > + } > + > + if(!incache) { > +- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid, > ++ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, > + 0 /* unknown size */, sockindex); > + if(result) { > + Curl_ssl_sessionid_unlock(conn); > +-- > +2.20.1 > + > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > b/meta/recipes-support/curl/curl_7.69.1.bb > index 4cc35c2c51..13ab29cf69 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > @@ -17,6 +17,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 > \ > file://CVE-2020-8284.patch \ > file://CVE-2020-8285.patch \ > file://CVE-2020-8286.patch \ > + file://CVE-2021-22876.patch \ > + file://CVE-2021-22890.patch \ > " > > SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" > -- > 2.20.1 >
Ping... Mike.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#150749): https://lists.openembedded.org/g/openembedded-core/message/150749 Mute This Topic: https://lists.openembedded.org/mt/81888391/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-