git-market/curl-curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-11 12:01:42 +08:00
Code Issues Actions 14 Packages Projects Releases Wiki Activity

vtls_scache: include cert_blob independently of verifypeer

Browse Source 
The making of the TLS session cache key should use the cert blob
independently of verifypeer on/off.

Follow-up to fa0ccd9f1f

Spotted by Codex Security

Closes #21222
This commit is contained in:
Daniel Stenberg 2026-04-04 18:20:41 +02:00
parent 283db12e05
commit 698eee1b95
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lib/vtls/vtls_scache.c
View File

@ -238,11 +238,6 @@ CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
r = cf_ssl_peer_key_add_path(&buf, "Issuer", ssl->issuercert, &is_local);
if(r)
goto out;
if(ssl->cert_blob) {
r = cf_ssl_peer_key_add_hash(&buf, "CertBlob", ssl->cert_blob);
if(r)
goto out;
}
if(ssl->ca_info_blob) {
r = cf_ssl_peer_key_add_hash(&buf, "CAInfoBlob", ssl->ca_info_blob);
if(r)
@ -254,6 +249,11 @@ CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
goto out;
}
}
if(ssl->cert_blob) {
r = cf_ssl_peer_key_add_hash(&buf, "CertBlob", ssl->cert_blob);
if(r)
goto out;
}
if(ssl->pinned_key && ssl->pinned_key[0]) {
r = curlx_dyn_addf(&buf, ":Pinned-%s", ssl->pinned_key);
if(r)
@ -734,12 +734,19 @@ static CURLcode cf_ssl_add_peer(struct Curl_easy *data,
peer = cf_ssl_get_free_peer(scache);
if(peer) {
char buffer[64];
const char *ccert = conn_config ? conn_config->clientcert : NULL;
const char *username = NULL, *password = NULL;
#ifdef USE_TLS_SRP
username = conn_config ? conn_config->username : NULL;
password = conn_config ? conn_config->password : NULL;
#endif
if(!ccert && conn_config && conn_config->cert_blob) {
/* when using a client cert blob, create a name for it */
curl_msnprintf(buffer, sizeof(buffer),
"cert-%p", conn_config->cert_blob->data);
ccert = buffer; /* data is strduped by cf_ssl_scache_peer_init */
}
result = cf_ssl_scache_peer_init(peer, ssl_peer_key, ccert,
username, password, NULL, NULL);
if(result)