projects / platform / upstream / curl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
[CVE-2017-7468] TLS: Fix switching off SSL session id when client cert is used
[platform/upstream/curl.git] / lib / vtls / vtls.c
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index f40a977..40d681c 100644 (file)
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -120,6 +120,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
   CLONE_STRING(egdsocket);
   CLONE_STRING(random_file);
   CLONE_STRING(clientcert);
+
+  /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
+  dest->sessionid = (dest->clientcert ? false : source->sessionid);
   return TRUE;
 }
 
@@ -293,9 +296,9 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
   int port = isProxy ? (int)conn->port : conn->remote_port;
   *ssl_sessionid = NULL;
 
-  DEBUGASSERT(data->set.general_ssl.sessionid);
+  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
 
-  if(!data->set.general_ssl.sessionid)
+  if(!SSL_SET_OPTION(primary.sessionid))
     /* session ID re-use is disabled */
     return TRUE;
 
@@ -397,7 +400,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
     &conn->proxy_ssl_config :
     &conn->ssl_config;
 
-  DEBUGASSERT(data->set.general_ssl.sessionid);
+  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
 
   clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
   if(!clone_host)
Domain: Network & Connectivity / Data Network;