romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-14 18:21:40 +03:00
Code Issues Projects Releases Packages Wiki Activity

vtls_scache: include cert_blob independently of verifypeer

Browse source 
The making of the TLS session cache key should use the cert blob
independently of verifypeer on/off.

Follow-up to fa0ccd9f1f

Spotted by Codex Security

Closes #21222
This commit is contained in:
Daniel Stenberg 2026-04-04 18:20:41 +02:00
parent 283db12e05
commit 698eee1b95
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 12 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

17
lib/vtls/vtls_scache.c
View file

@ -238,11 +238,6 @@ CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
r = cf_ssl_peer_key_add_path(&buf, "Issuer", ssl->issuercert, &is_local); r = cf_ssl_peer_key_add_path(&buf, "Issuer", ssl->issuercert, &is_local);
if(r) if(r)
goto out; goto out;
if(ssl->cert_blob) {
r = cf_ssl_peer_key_add_hash(&buf, "CertBlob", ssl->cert_blob);
if(r)
goto out;
}
if(ssl->ca_info_blob) { if(ssl->ca_info_blob) {
r = cf_ssl_peer_key_add_hash(&buf, "CAInfoBlob", ssl->ca_info_blob); r = cf_ssl_peer_key_add_hash(&buf, "CAInfoBlob", ssl->ca_info_blob);
if(r) if(r)
@ -254,6 +249,11 @@ CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
goto out; goto out;
} }
} }
if(ssl->cert_blob) {
r = cf_ssl_peer_key_add_hash(&buf, "CertBlob", ssl->cert_blob);
if(r)
goto out;
}
if(ssl->pinned_key && ssl->pinned_key[0]) { if(ssl->pinned_key && ssl->pinned_key[0]) {
r = curlx_dyn_addf(&buf, ":Pinned-%s", ssl->pinned_key); r = curlx_dyn_addf(&buf, ":Pinned-%s", ssl->pinned_key);
if(r) if(r)
@ -734,12 +734,19 @@ static CURLcode cf_ssl_add_peer(struct Curl_easy *data,
peer = cf_ssl_get_free_peer(scache); peer = cf_ssl_get_free_peer(scache);
if(peer) { if(peer) {
char buffer[64];
const char *ccert = conn_config ? conn_config->clientcert : NULL; const char *ccert = conn_config ? conn_config->clientcert : NULL;
const char *username = NULL, *password = NULL; const char *username = NULL, *password = NULL;
#ifdef USE_TLS_SRP #ifdef USE_TLS_SRP
username = conn_config ? conn_config->username : NULL; username = conn_config ? conn_config->username : NULL;
password = conn_config ? conn_config->password : NULL; password = conn_config ? conn_config->password : NULL;
#endif #endif
if(!ccert && conn_config && conn_config->cert_blob) {
/* when using a client cert blob, create a name for it */
curl_msnprintf(buffer, sizeof(buffer),
"cert-%p", conn_config->cert_blob->data);
ccert = buffer; /* data is strduped by cf_ssl_scache_peer_init */
}
result = cf_ssl_scache_peer_init(peer, ssl_peer_key, ccert, result = cf_ssl_scache_peer_init(peer, ssl_peer_key, ccert,
username, password, NULL, NULL); username, password, NULL, NULL);
if(result) if(result)