| From acee9eb38639b35af9047521d71333423657de0d Mon Sep 17 00:00:00 2001 |
| From: Daniel Stenberg <daniel@haxx.se> |
| Date: Mon, 9 May 2022 23:13:53 +0200 |
| Subject: [PATCH] tls: check more TLS details for connection reuse |
| |
| CVE-2022-27782 |
| |
| Reported-by: Harry Sintonen |
| Bug: https://curl.se/docs/CVE-2022-27782.html |
| Closes #8825 |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] |
| Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> |
| --- |
| lib/setopt.c | 29 +++++++++++++++++------------ |
| lib/url.c | 23 ++++++++++++++++------- |
| lib/urldata.h | 13 +++++++------ |
| lib/vtls/gtls.c | 32 +++++++++++++++++--------------- |
| lib/vtls/mbedtls.c | 2 +- |
| lib/vtls/nss.c | 6 +++--- |
| lib/vtls/openssl.c | 10 +++++----- |
| lib/vtls/vtls.c | 21 +++++++++++++++++++++ |
| 8 files changed, 87 insertions(+), 49 deletions(-) |
| |
| diff --git a/lib/setopt.c b/lib/setopt.c |
| index 8e1bf12..7aa6fdb 100644 |
| --- a/lib/setopt.c |
| +++ b/lib/setopt.c |
| @@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) |
| |
| case CURLOPT_SSL_OPTIONS: |
| arg = va_arg(param, long); |
| + data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); |
| data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); |
| data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); |
| data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); |
| @@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) |
| #ifndef CURL_DISABLE_PROXY |
| case CURLOPT_PROXY_SSL_OPTIONS: |
| arg = va_arg(param, long); |
| + data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); |
| data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); |
| data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); |
| data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); |
| @@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) |
| case CURLOPT_TLSAUTH_USERNAME: |
| result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], |
| va_arg(param, char *)); |
| - if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) |
| - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ |
| + if(data->set.str[STRING_TLSAUTH_USERNAME] && |
| + !data->set.ssl.primary.authtype) |
| + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ |
| break; |
| #ifndef CURL_DISABLE_PROXY |
| case CURLOPT_PROXY_TLSAUTH_USERNAME: |
| result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], |
| va_arg(param, char *)); |
| if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && |
| - !data->set.proxy_ssl.authtype) |
| - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ |
| + !data->set.proxy_ssl.primary.authtype) |
| + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to |
| + SRP */ |
| break; |
| #endif |
| case CURLOPT_TLSAUTH_PASSWORD: |
| result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], |
| va_arg(param, char *)); |
| - if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) |
| - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ |
| + if(data->set.str[STRING_TLSAUTH_USERNAME] && |
| + !data->set.ssl.primary.authtype) |
| + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ |
| break; |
| #ifndef CURL_DISABLE_PROXY |
| case CURLOPT_PROXY_TLSAUTH_PASSWORD: |
| result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], |
| va_arg(param, char *)); |
| if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && |
| - !data->set.proxy_ssl.authtype) |
| - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ |
| + !data->set.proxy_ssl.primary.authtype) |
| + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ |
| break; |
| #endif |
| case CURLOPT_TLSAUTH_TYPE: |
| argptr = va_arg(param, char *); |
| if(!argptr || |
| strncasecompare(argptr, "SRP", strlen("SRP"))) |
| - data->set.ssl.authtype = CURL_TLSAUTH_SRP; |
| + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; |
| else |
| - data->set.ssl.authtype = CURL_TLSAUTH_NONE; |
| + data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; |
| break; |
| #ifndef CURL_DISABLE_PROXY |
| case CURLOPT_PROXY_TLSAUTH_TYPE: |
| argptr = va_arg(param, char *); |
| if(!argptr || |
| strncasecompare(argptr, "SRP", strlen("SRP"))) |
| - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; |
| + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; |
| else |
| - data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; |
| + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; |
| break; |
| #endif |
| #endif |
| diff --git a/lib/url.c b/lib/url.c |
| index 94e3406..5ebf5e2 100644 |
| --- a/lib/url.c |
| +++ b/lib/url.c |
| @@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) |
| set->ssl.primary.verifypeer = TRUE; |
| set->ssl.primary.verifyhost = TRUE; |
| #ifdef USE_TLS_SRP |
| - set->ssl.authtype = CURL_TLSAUTH_NONE; |
| + set->ssl.primary.authtype = CURL_TLSAUTH_NONE; |
| #endif |
| set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth |
| type */ |
| @@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) |
| conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; |
| conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; |
| conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; |
| + conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; |
| +#ifdef USE_TLS_SRP |
| +#endif |
| #ifndef CURL_DISABLE_PROXY |
| conn->proxy_ssl_config.verifystatus = |
| data->set.proxy_ssl.primary.verifystatus; |
| conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; |
| conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; |
| + conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; |
| +#ifdef USE_TLS_SRP |
| +#endif |
| #endif |
| conn->ip_version = data->set.ipver; |
| conn->bits.connect_only = data->set.connect_only; |
| @@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data, |
| data->set.str[STRING_SSL_ISSUERCERT_PROXY]; |
| data->set.proxy_ssl.primary.issuercert_blob = |
| data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; |
| - data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; |
| + data->set.proxy_ssl.primary.CRLfile = |
| + data->set.str[STRING_SSL_CRLFILE_PROXY]; |
| data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; |
| data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; |
| data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; |
| @@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data, |
| data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; |
| data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; |
| #endif |
| - data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; |
| + data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; |
| data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; |
| data->set.ssl.key = data->set.str[STRING_KEY]; |
| data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; |
| data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; |
| data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; |
| #ifdef USE_TLS_SRP |
| - data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; |
| - data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; |
| + data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; |
| + data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; |
| #ifndef CURL_DISABLE_PROXY |
| - data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; |
| - data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; |
| + data->set.proxy_ssl.primary.username = |
| + data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; |
| + data->set.proxy_ssl.primary.password = |
| + data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; |
| #endif |
| #endif |
| data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; |
| diff --git a/lib/urldata.h b/lib/urldata.h |
| index 5218f76..e006495 100644 |
| --- a/lib/urldata.h |
| +++ b/lib/urldata.h |
| @@ -253,10 +253,17 @@ struct ssl_primary_config { |
| char *cipher_list; /* list of ciphers to use */ |
| char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ |
| char *pinned_key; |
| + char *CRLfile; /* CRL to check certificate revocation */ |
| struct curl_blob *cert_blob; |
| struct curl_blob *ca_info_blob; |
| struct curl_blob *issuercert_blob; |
| +#ifdef USE_TLS_SRP |
| + char *username; /* TLS username (for, e.g., SRP) */ |
| + char *password; /* TLS password (for, e.g., SRP) */ |
| + enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ |
| +#endif |
| char *curves; /* list of curves to use */ |
| + unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ |
| BIT(verifypeer); /* set TRUE if this is desired */ |
| BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ |
| BIT(verifystatus); /* set TRUE if certificate status must be checked */ |
| @@ -266,7 +273,6 @@ struct ssl_primary_config { |
| struct ssl_config_data { |
| struct ssl_primary_config primary; |
| long certverifyresult; /* result from the certificate verification */ |
| - char *CRLfile; /* CRL to check certificate revocation */ |
| curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ |
| void *fsslctxp; /* parameter for call back */ |
| char *cert_type; /* format for certificate (default: PEM)*/ |
| @@ -274,11 +280,6 @@ struct ssl_config_data { |
| struct curl_blob *key_blob; |
| char *key_type; /* format for private key (default: PEM) */ |
| char *key_passwd; /* plain text private key password */ |
| -#ifdef USE_TLS_SRP |
| - char *username; /* TLS username (for, e.g., SRP) */ |
| - char *password; /* TLS password (for, e.g., SRP) */ |
| - enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ |
| -#endif |
| BIT(certinfo); /* gather lots of certificate info */ |
| BIT(falsestart); |
| BIT(enable_beast); /* allow this flaw for interoperability's sake*/ |
| diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c |
| index fe45b3a..3c31782 100644 |
| --- a/lib/vtls/gtls.c |
| +++ b/lib/vtls/gtls.c |
| @@ -437,9 +437,10 @@ gtls_connect_step1(struct Curl_easy *data, |
| } |
| |
| #ifdef HAVE_GNUTLS_SRP |
| - if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && |
| + if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && |
| Curl_allow_auth_to_host(data)) { |
| - infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); |
| + infof(data, "Using TLS-SRP username: %s", |
| + SSL_SET_OPTION(primary.username)); |
| |
| rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); |
| if(rc != GNUTLS_E_SUCCESS) { |
| @@ -449,8 +450,8 @@ gtls_connect_step1(struct Curl_easy *data, |
| } |
| |
| rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, |
| - SSL_SET_OPTION(username), |
| - SSL_SET_OPTION(password)); |
| + SSL_SET_OPTION(primary.username), |
| + SSL_SET_OPTION(primary.password)); |
| if(rc != GNUTLS_E_SUCCESS) { |
| failf(data, "gnutls_srp_set_client_cred() failed: %s", |
| gnutls_strerror(rc)); |
| @@ -507,19 +508,19 @@ gtls_connect_step1(struct Curl_easy *data, |
| } |
| #endif |
| |
| - if(SSL_SET_OPTION(CRLfile)) { |
| + if(SSL_SET_OPTION(primary.CRLfile)) { |
| /* set the CRL list file */ |
| rc = gnutls_certificate_set_x509_crl_file(backend->cred, |
| - SSL_SET_OPTION(CRLfile), |
| + SSL_SET_OPTION(primary.CRLfile), |
| GNUTLS_X509_FMT_PEM); |
| if(rc < 0) { |
| failf(data, "error reading crl file %s (%s)", |
| - SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); |
| + SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); |
| return CURLE_SSL_CRL_BADFILE; |
| } |
| else |
| infof(data, "found %d CRL in %s", |
| - rc, SSL_SET_OPTION(CRLfile)); |
| + rc, SSL_SET_OPTION(primary.CRLfile)); |
| } |
| |
| /* Initialize TLS session as a client */ |
| @@ -590,7 +591,7 @@ gtls_connect_step1(struct Curl_easy *data, |
| #ifdef HAVE_GNUTLS_SRP |
| /* Only add SRP to the cipher list if SRP is requested. Otherwise |
| * GnuTLS will disable TLS 1.3 support. */ |
| - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { |
| + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { |
| size_t len = strlen(prioritylist); |
| |
| char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); |
| @@ -685,7 +686,7 @@ gtls_connect_step1(struct Curl_easy *data, |
| |
| #ifdef HAVE_GNUTLS_SRP |
| /* put the credentials to the current session */ |
| - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { |
| + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { |
| rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, |
| backend->srp_client_cred); |
| if(rc != GNUTLS_E_SUCCESS) { |
| @@ -867,8 +868,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, |
| SSL_CONN_CONFIG(verifyhost) || |
| SSL_CONN_CONFIG(issuercert)) { |
| #ifdef HAVE_GNUTLS_SRP |
| - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP |
| - && SSL_SET_OPTION(username) != NULL |
| + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP |
| + && SSL_SET_OPTION(primary.username) |
| && !SSL_CONN_CONFIG(verifypeer) |
| && gnutls_cipher_get(session)) { |
| /* no peer cert, but auth is ok if we have SRP user and cipher and no |
| @@ -926,7 +927,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, |
| failf(data, "server certificate verification failed. CAfile: %s " |
| "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): |
| "none", |
| - SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); |
| + SSL_SET_OPTION(primary.CRLfile) ? |
| + SSL_SET_OPTION(primary.CRLfile) : "none"); |
| return CURLE_PEER_FAILED_VERIFICATION; |
| } |
| else |
| @@ -1556,8 +1558,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, |
| gnutls_certificate_free_credentials(backend->cred); |
| |
| #ifdef HAVE_GNUTLS_SRP |
| - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP |
| - && SSL_SET_OPTION(username) != NULL) |
| + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP |
| + && SSL_SET_OPTION(primary.username) != NULL) |
| gnutls_srp_free_client_credentials(backend->srp_client_cred); |
| #endif |
| |
| diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c |
| index b9fd26a..bd4ad8f 100644 |
| --- a/lib/vtls/mbedtls.c |
| +++ b/lib/vtls/mbedtls.c |
| @@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, |
| const char * const ssl_capath = SSL_CONN_CONFIG(CApath); |
| char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); |
| const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); |
| - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); |
| + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); |
| const char * const hostname = SSL_HOST_NAME(); |
| #ifndef CURL_DISABLE_VERBOSE_STRINGS |
| const long int port = SSL_HOST_PORT(); |
| diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c |
| index 52f2060..959e23e 100644 |
| --- a/lib/vtls/nss.c |
| +++ b/lib/vtls/nss.c |
| @@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, |
| } |
| } |
| |
| - if(SSL_SET_OPTION(CRLfile)) { |
| - const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); |
| + if(SSL_SET_OPTION(primary.CRLfile)) { |
| + const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); |
| if(rv) { |
| result = rv; |
| goto error; |
| } |
| - infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); |
| + infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); |
| } |
| |
| if(SSL_SET_OPTION(primary.clientcert)) { |
| diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c |
| index e8633f4..d98bbcb 100644 |
| --- a/lib/vtls/openssl.c |
| +++ b/lib/vtls/openssl.c |
| @@ -2632,7 +2632,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, |
| #endif |
| const long int ssl_version = SSL_CONN_CONFIG(version); |
| #ifdef USE_OPENSSL_SRP |
| - const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); |
| + const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); |
| #endif |
| char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); |
| const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); |
| @@ -2643,7 +2643,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, |
| (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); |
| const char * const ssl_capath = SSL_CONN_CONFIG(CApath); |
| const bool verifypeer = SSL_CONN_CONFIG(verifypeer); |
| - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); |
| + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); |
| char error_buffer[256]; |
| struct ssl_backend_data *backend = connssl->backend; |
| bool imported_native_ca = false; |
| @@ -2895,15 +2895,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, |
| #ifdef USE_OPENSSL_SRP |
| if((ssl_authtype == CURL_TLSAUTH_SRP) && |
| Curl_allow_auth_to_host(data)) { |
| - char * const ssl_username = SSL_SET_OPTION(username); |
| - |
| + char * const ssl_username = SSL_SET_OPTION(primary.username); |
| + char * const ssl_password = SSL_SET_OPTION(primary.password); |
| infof(data, "Using TLS-SRP username: %s", ssl_username); |
| |
| if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { |
| failf(data, "Unable to set SRP user name"); |
| return CURLE_BAD_FUNCTION_ARGUMENT; |
| } |
| - if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { |
| + if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { |
| failf(data, "failed setting SRP password"); |
| return CURLE_BAD_FUNCTION_ARGUMENT; |
| } |
| diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c |
| index a40ac06..e2d3438 100644 |
| --- a/lib/vtls/vtls.c |
| +++ b/lib/vtls/vtls.c |
| @@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, |
| { |
| if((data->version == needle->version) && |
| (data->version_max == needle->version_max) && |
| + (data->ssl_options == needle->ssl_options) && |
| (data->verifypeer == needle->verifypeer) && |
| (data->verifyhost == needle->verifyhost) && |
| (data->verifystatus == needle->verifystatus) && |
| @@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, |
| Curl_safecmp(data->clientcert, needle->clientcert) && |
| Curl_safecmp(data->random_file, needle->random_file) && |
| Curl_safecmp(data->egdsocket, needle->egdsocket) && |
| +#ifdef USE_TLS_SRP |
| + Curl_safecmp(data->username, needle->username) && |
| + Curl_safecmp(data->password, needle->password) && |
| + (data->authtype == needle->authtype) && |
| +#endif |
| Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && |
| Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && |
| Curl_safe_strcasecompare(data->curves, needle->curves) && |
| + Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && |
| Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) |
| return TRUE; |
| |
| @@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, |
| dest->verifyhost = source->verifyhost; |
| dest->verifystatus = source->verifystatus; |
| dest->sessionid = source->sessionid; |
| + dest->ssl_options = source->ssl_options; |
| +#ifdef USE_TLS_SRP |
| + dest->authtype = source->authtype; |
| +#endif |
| |
| CLONE_BLOB(cert_blob); |
| CLONE_BLOB(ca_info_blob); |
| @@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, |
| CLONE_STRING(cipher_list13); |
| CLONE_STRING(pinned_key); |
| CLONE_STRING(curves); |
| + CLONE_STRING(CRLfile); |
| +#ifdef USE_TLS_SRP |
| + CLONE_STRING(username); |
| + CLONE_STRING(password); |
| +#endif |
| |
| return TRUE; |
| } |
| @@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) |
| Curl_safefree(sslc->ca_info_blob); |
| Curl_safefree(sslc->issuercert_blob); |
| Curl_safefree(sslc->curves); |
| + Curl_safefree(sslc->CRLfile); |
| +#ifdef USE_TLS_SRP |
| + Curl_safefree(sslc->username); |
| + Curl_safefree(sslc->password); |
| +#endif |
| } |
| |
| #ifdef USE_SSL |