1From acee9eb38639b35af9047521d71333423657de0d Mon Sep 17 00:00:00 2001 2From: Daniel Stenberg <daniel@haxx.se> 3Date: Mon, 9 May 2022 23:13:53 +0200 4Subject: [PATCH] tls: check more TLS details for connection reuse 5 6CVE-2022-27782 7 8Reported-by: Harry Sintonen 9Bug: https://curl.se/docs/CVE-2022-27782.html 10Closes #8825 11 12Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] 13Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> 14--- 15 lib/setopt.c | 29 +++++++++++++++++------------ 16 lib/url.c | 23 ++++++++++++++++------- 17 lib/urldata.h | 13 +++++++------ 18 lib/vtls/gtls.c | 32 +++++++++++++++++--------------- 19 lib/vtls/mbedtls.c | 2 +- 20 lib/vtls/nss.c | 6 +++--- 21 lib/vtls/openssl.c | 10 +++++----- 22 lib/vtls/vtls.c | 21 +++++++++++++++++++++ 23 8 files changed, 87 insertions(+), 49 deletions(-) 24 25diff --git a/lib/setopt.c b/lib/setopt.c 26index 8e1bf12..7aa6fdb 100644 27--- a/lib/setopt.c 28+++ b/lib/setopt.c 29@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) 30 31 case CURLOPT_SSL_OPTIONS: 32 arg = va_arg(param, long); 33+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); 34 data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); 35 data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); 36 data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); 37@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) 38 #ifndef CURL_DISABLE_PROXY 39 case CURLOPT_PROXY_SSL_OPTIONS: 40 arg = va_arg(param, long); 41+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); 42 data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); 43 data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); 44 data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); 45@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) 46 case CURLOPT_TLSAUTH_USERNAME: 47 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], 48 va_arg(param, char *)); 49- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) 50- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 51+ if(data->set.str[STRING_TLSAUTH_USERNAME] && 52+ !data->set.ssl.primary.authtype) 53+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 54 break; 55 #ifndef CURL_DISABLE_PROXY 56 case CURLOPT_PROXY_TLSAUTH_USERNAME: 57 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], 58 va_arg(param, char *)); 59 if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && 60- !data->set.proxy_ssl.authtype) 61- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 62+ !data->set.proxy_ssl.primary.authtype) 63+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to 64+ SRP */ 65 break; 66 #endif 67 case CURLOPT_TLSAUTH_PASSWORD: 68 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], 69 va_arg(param, char *)); 70- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) 71- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 72+ if(data->set.str[STRING_TLSAUTH_USERNAME] && 73+ !data->set.ssl.primary.authtype) 74+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ 75 break; 76 #ifndef CURL_DISABLE_PROXY 77 case CURLOPT_PROXY_TLSAUTH_PASSWORD: 78 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], 79 va_arg(param, char *)); 80 if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && 81- !data->set.proxy_ssl.authtype) 82- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 83+ !data->set.proxy_ssl.primary.authtype) 84+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ 85 break; 86 #endif 87 case CURLOPT_TLSAUTH_TYPE: 88 argptr = va_arg(param, char *); 89 if(!argptr || 90 strncasecompare(argptr, "SRP", strlen("SRP"))) 91- data->set.ssl.authtype = CURL_TLSAUTH_SRP; 92+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; 93 else 94- data->set.ssl.authtype = CURL_TLSAUTH_NONE; 95+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; 96 break; 97 #ifndef CURL_DISABLE_PROXY 98 case CURLOPT_PROXY_TLSAUTH_TYPE: 99 argptr = va_arg(param, char *); 100 if(!argptr || 101 strncasecompare(argptr, "SRP", strlen("SRP"))) 102- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; 103+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; 104 else 105- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; 106+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; 107 break; 108 #endif 109 #endif 110diff --git a/lib/url.c b/lib/url.c 111index 94e3406..5ebf5e2 100644 112--- a/lib/url.c 113+++ b/lib/url.c 114@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) 115 set->ssl.primary.verifypeer = TRUE; 116 set->ssl.primary.verifyhost = TRUE; 117 #ifdef USE_TLS_SRP 118- set->ssl.authtype = CURL_TLSAUTH_NONE; 119+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; 120 #endif 121 set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth 122 type */ 123@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) 124 conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; 125 conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; 126 conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; 127+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; 128+#ifdef USE_TLS_SRP 129+#endif 130 #ifndef CURL_DISABLE_PROXY 131 conn->proxy_ssl_config.verifystatus = 132 data->set.proxy_ssl.primary.verifystatus; 133 conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; 134 conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; 135+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; 136+#ifdef USE_TLS_SRP 137+#endif 138 #endif 139 conn->ip_version = data->set.ipver; 140 conn->bits.connect_only = data->set.connect_only; 141@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data, 142 data->set.str[STRING_SSL_ISSUERCERT_PROXY]; 143 data->set.proxy_ssl.primary.issuercert_blob = 144 data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; 145- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; 146+ data->set.proxy_ssl.primary.CRLfile = 147+ data->set.str[STRING_SSL_CRLFILE_PROXY]; 148 data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; 149 data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; 150 data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; 151@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data, 152 data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; 153 data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; 154 #endif 155- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; 156+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; 157 data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; 158 data->set.ssl.key = data->set.str[STRING_KEY]; 159 data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; 160 data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; 161 data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; 162 #ifdef USE_TLS_SRP 163- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; 164- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; 165+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; 166+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; 167 #ifndef CURL_DISABLE_PROXY 168- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; 169- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; 170+ data->set.proxy_ssl.primary.username = 171+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; 172+ data->set.proxy_ssl.primary.password = 173+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; 174 #endif 175 #endif 176 data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; 177diff --git a/lib/urldata.h b/lib/urldata.h 178index 5218f76..e006495 100644 179--- a/lib/urldata.h 180+++ b/lib/urldata.h 181@@ -253,10 +253,17 @@ struct ssl_primary_config { 182 char *cipher_list; /* list of ciphers to use */ 183 char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ 184 char *pinned_key; 185+ char *CRLfile; /* CRL to check certificate revocation */ 186 struct curl_blob *cert_blob; 187 struct curl_blob *ca_info_blob; 188 struct curl_blob *issuercert_blob; 189+#ifdef USE_TLS_SRP 190+ char *username; /* TLS username (for, e.g., SRP) */ 191+ char *password; /* TLS password (for, e.g., SRP) */ 192+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ 193+#endif 194 char *curves; /* list of curves to use */ 195+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ 196 BIT(verifypeer); /* set TRUE if this is desired */ 197 BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ 198 BIT(verifystatus); /* set TRUE if certificate status must be checked */ 199@@ -266,7 +273,6 @@ struct ssl_primary_config { 200 struct ssl_config_data { 201 struct ssl_primary_config primary; 202 long certverifyresult; /* result from the certificate verification */ 203- char *CRLfile; /* CRL to check certificate revocation */ 204 curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ 205 void *fsslctxp; /* parameter for call back */ 206 char *cert_type; /* format for certificate (default: PEM)*/ 207@@ -274,11 +280,6 @@ struct ssl_config_data { 208 struct curl_blob *key_blob; 209 char *key_type; /* format for private key (default: PEM) */ 210 char *key_passwd; /* plain text private key password */ 211-#ifdef USE_TLS_SRP 212- char *username; /* TLS username (for, e.g., SRP) */ 213- char *password; /* TLS password (for, e.g., SRP) */ 214- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ 215-#endif 216 BIT(certinfo); /* gather lots of certificate info */ 217 BIT(falsestart); 218 BIT(enable_beast); /* allow this flaw for interoperability's sake*/ 219diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c 220index fe45b3a..3c31782 100644 221--- a/lib/vtls/gtls.c 222+++ b/lib/vtls/gtls.c 223@@ -437,9 +437,10 @@ gtls_connect_step1(struct Curl_easy *data, 224 } 225 226 #ifdef HAVE_GNUTLS_SRP 227- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && 228+ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && 229 Curl_allow_auth_to_host(data)) { 230- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); 231+ infof(data, "Using TLS-SRP username: %s", 232+ SSL_SET_OPTION(primary.username)); 233 234 rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); 235 if(rc != GNUTLS_E_SUCCESS) { 236@@ -449,8 +450,8 @@ gtls_connect_step1(struct Curl_easy *data, 237 } 238 239 rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, 240- SSL_SET_OPTION(username), 241- SSL_SET_OPTION(password)); 242+ SSL_SET_OPTION(primary.username), 243+ SSL_SET_OPTION(primary.password)); 244 if(rc != GNUTLS_E_SUCCESS) { 245 failf(data, "gnutls_srp_set_client_cred() failed: %s", 246 gnutls_strerror(rc)); 247@@ -507,19 +508,19 @@ gtls_connect_step1(struct Curl_easy *data, 248 } 249 #endif 250 251- if(SSL_SET_OPTION(CRLfile)) { 252+ if(SSL_SET_OPTION(primary.CRLfile)) { 253 /* set the CRL list file */ 254 rc = gnutls_certificate_set_x509_crl_file(backend->cred, 255- SSL_SET_OPTION(CRLfile), 256+ SSL_SET_OPTION(primary.CRLfile), 257 GNUTLS_X509_FMT_PEM); 258 if(rc < 0) { 259 failf(data, "error reading crl file %s (%s)", 260- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); 261+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); 262 return CURLE_SSL_CRL_BADFILE; 263 } 264 else 265 infof(data, "found %d CRL in %s", 266- rc, SSL_SET_OPTION(CRLfile)); 267+ rc, SSL_SET_OPTION(primary.CRLfile)); 268 } 269 270 /* Initialize TLS session as a client */ 271@@ -590,7 +591,7 @@ gtls_connect_step1(struct Curl_easy *data, 272 #ifdef HAVE_GNUTLS_SRP 273 /* Only add SRP to the cipher list if SRP is requested. Otherwise 274 * GnuTLS will disable TLS 1.3 support. */ 275- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { 276+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { 277 size_t len = strlen(prioritylist); 278 279 char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); 280@@ -685,7 +686,7 @@ gtls_connect_step1(struct Curl_easy *data, 281 282 #ifdef HAVE_GNUTLS_SRP 283 /* put the credentials to the current session */ 284- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { 285+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { 286 rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, 287 backend->srp_client_cred); 288 if(rc != GNUTLS_E_SUCCESS) { 289@@ -867,8 +868,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, 290 SSL_CONN_CONFIG(verifyhost) || 291 SSL_CONN_CONFIG(issuercert)) { 292 #ifdef HAVE_GNUTLS_SRP 293- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP 294- && SSL_SET_OPTION(username) != NULL 295+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP 296+ && SSL_SET_OPTION(primary.username) 297 && !SSL_CONN_CONFIG(verifypeer) 298 && gnutls_cipher_get(session)) { 299 /* no peer cert, but auth is ok if we have SRP user and cipher and no 300@@ -926,7 +927,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, 301 failf(data, "server certificate verification failed. CAfile: %s " 302 "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): 303 "none", 304- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); 305+ SSL_SET_OPTION(primary.CRLfile) ? 306+ SSL_SET_OPTION(primary.CRLfile) : "none"); 307 return CURLE_PEER_FAILED_VERIFICATION; 308 } 309 else 310@@ -1556,8 +1558,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, 311 gnutls_certificate_free_credentials(backend->cred); 312 313 #ifdef HAVE_GNUTLS_SRP 314- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP 315- && SSL_SET_OPTION(username) != NULL) 316+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP 317+ && SSL_SET_OPTION(primary.username) != NULL) 318 gnutls_srp_free_client_credentials(backend->srp_client_cred); 319 #endif 320 321diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c 322index b9fd26a..bd4ad8f 100644 323--- a/lib/vtls/mbedtls.c 324+++ b/lib/vtls/mbedtls.c 325@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, 326 const char * const ssl_capath = SSL_CONN_CONFIG(CApath); 327 char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); 328 const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); 329- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); 330+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); 331 const char * const hostname = SSL_HOST_NAME(); 332 #ifndef CURL_DISABLE_VERBOSE_STRINGS 333 const long int port = SSL_HOST_PORT(); 334diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c 335index 52f2060..959e23e 100644 336--- a/lib/vtls/nss.c 337+++ b/lib/vtls/nss.c 338@@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, 339 } 340 } 341 342- if(SSL_SET_OPTION(CRLfile)) { 343- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); 344+ if(SSL_SET_OPTION(primary.CRLfile)) { 345+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); 346 if(rv) { 347 result = rv; 348 goto error; 349 } 350- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); 351+ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); 352 } 353 354 if(SSL_SET_OPTION(primary.clientcert)) { 355diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c 356index e8633f4..d98bbcb 100644 357--- a/lib/vtls/openssl.c 358+++ b/lib/vtls/openssl.c 359@@ -2632,7 +2632,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, 360 #endif 361 const long int ssl_version = SSL_CONN_CONFIG(version); 362 #ifdef USE_OPENSSL_SRP 363- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); 364+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); 365 #endif 366 char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); 367 const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); 368@@ -2643,7 +2643,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, 369 (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); 370 const char * const ssl_capath = SSL_CONN_CONFIG(CApath); 371 const bool verifypeer = SSL_CONN_CONFIG(verifypeer); 372- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); 373+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); 374 char error_buffer[256]; 375 struct ssl_backend_data *backend = connssl->backend; 376 bool imported_native_ca = false; 377@@ -2895,15 +2895,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, 378 #ifdef USE_OPENSSL_SRP 379 if((ssl_authtype == CURL_TLSAUTH_SRP) && 380 Curl_allow_auth_to_host(data)) { 381- char * const ssl_username = SSL_SET_OPTION(username); 382- 383+ char * const ssl_username = SSL_SET_OPTION(primary.username); 384+ char * const ssl_password = SSL_SET_OPTION(primary.password); 385 infof(data, "Using TLS-SRP username: %s", ssl_username); 386 387 if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { 388 failf(data, "Unable to set SRP user name"); 389 return CURLE_BAD_FUNCTION_ARGUMENT; 390 } 391- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { 392+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { 393 failf(data, "failed setting SRP password"); 394 return CURLE_BAD_FUNCTION_ARGUMENT; 395 } 396diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c 397index a40ac06..e2d3438 100644 398--- a/lib/vtls/vtls.c 399+++ b/lib/vtls/vtls.c 400@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, 401 { 402 if((data->version == needle->version) && 403 (data->version_max == needle->version_max) && 404+ (data->ssl_options == needle->ssl_options) && 405 (data->verifypeer == needle->verifypeer) && 406 (data->verifyhost == needle->verifyhost) && 407 (data->verifystatus == needle->verifystatus) && 408@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, 409 Curl_safecmp(data->clientcert, needle->clientcert) && 410 Curl_safecmp(data->random_file, needle->random_file) && 411 Curl_safecmp(data->egdsocket, needle->egdsocket) && 412+#ifdef USE_TLS_SRP 413+ Curl_safecmp(data->username, needle->username) && 414+ Curl_safecmp(data->password, needle->password) && 415+ (data->authtype == needle->authtype) && 416+#endif 417 Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && 418 Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && 419 Curl_safe_strcasecompare(data->curves, needle->curves) && 420+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && 421 Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) 422 return TRUE; 423 424@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, 425 dest->verifyhost = source->verifyhost; 426 dest->verifystatus = source->verifystatus; 427 dest->sessionid = source->sessionid; 428+ dest->ssl_options = source->ssl_options; 429+#ifdef USE_TLS_SRP 430+ dest->authtype = source->authtype; 431+#endif 432 433 CLONE_BLOB(cert_blob); 434 CLONE_BLOB(ca_info_blob); 435@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, 436 CLONE_STRING(cipher_list13); 437 CLONE_STRING(pinned_key); 438 CLONE_STRING(curves); 439+ CLONE_STRING(CRLfile); 440+#ifdef USE_TLS_SRP 441+ CLONE_STRING(username); 442+ CLONE_STRING(password); 443+#endif 444 445 return TRUE; 446 } 447@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) 448 Curl_safefree(sslc->ca_info_blob); 449 Curl_safefree(sslc->issuercert_blob); 450 Curl_safefree(sslc->curves); 451+ Curl_safefree(sslc->CRLfile); 452+#ifdef USE_TLS_SRP 453+ Curl_safefree(sslc->username); 454+ Curl_safefree(sslc->password); 455+#endif 456 } 457 458 #ifdef USE_SSL 459