summaryrefslogtreecommitdiff
path: root/poky/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'poky/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch')
-rw-r--r--poky/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch458
1 files changed, 458 insertions, 0 deletions
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
new file mode 100644
index 0000000000..ce2599be81
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
@@ -0,0 +1,458 @@
+From acee9eb38639b35af9047521d71333423657de0d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH] tls: check more TLS details for connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/setopt.c | 29 +++++++++++++++++------------
+ lib/url.c | 23 ++++++++++++++++-------
+ lib/urldata.h | 13 +++++++------
+ lib/vtls/gtls.c | 32 +++++++++++++++++---------------
+ lib/vtls/mbedtls.c | 2 +-
+ lib/vtls/nss.c | 6 +++---
+ lib/vtls/openssl.c | 10 +++++-----
+ lib/vtls/vtls.c | 21 +++++++++++++++++++++
+ 8 files changed, 87 insertions(+), 49 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 8e1bf12..7aa6fdb 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+
+ case CURLOPT_SSL_OPTIONS:
+ arg = va_arg(param, long);
++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+ data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
+ data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+ data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ #ifndef CURL_DISABLE_PROXY
+ case CURLOPT_PROXY_SSL_OPTIONS:
+ arg = va_arg(param, long);
++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+ data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
+ data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+ data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ case CURLOPT_TLSAUTH_USERNAME:
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
+ va_arg(param, char *));
+- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
++ !data->set.ssl.primary.authtype)
++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ break;
+ #ifndef CURL_DISABLE_PROXY
+ case CURLOPT_PROXY_TLSAUTH_USERNAME:
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
+ va_arg(param, char *));
+ if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+- !data->set.proxy_ssl.authtype)
+- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++ !data->set.proxy_ssl.primary.authtype)
++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
++ SRP */
+ break;
+ #endif
+ case CURLOPT_TLSAUTH_PASSWORD:
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
+ va_arg(param, char *));
+- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
++ !data->set.ssl.primary.authtype)
++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+ break;
+ #ifndef CURL_DISABLE_PROXY
+ case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
+ va_arg(param, char *));
+ if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+- !data->set.proxy_ssl.authtype)
+- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++ !data->set.proxy_ssl.primary.authtype)
++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+ break;
+ #endif
+ case CURLOPT_TLSAUTH_TYPE:
+ argptr = va_arg(param, char *);
+ if(!argptr ||
+ strncasecompare(argptr, "SRP", strlen("SRP")))
+- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
+ else
+- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ break;
+ #ifndef CURL_DISABLE_PROXY
+ case CURLOPT_PROXY_TLSAUTH_TYPE:
+ argptr = va_arg(param, char *);
+ if(!argptr ||
+ strncasecompare(argptr, "SRP", strlen("SRP")))
+- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
+ else
+- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ break;
+ #endif
+ #endif
+diff --git a/lib/url.c b/lib/url.c
+index 94e3406..5ebf5e2 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+ set->ssl.primary.verifypeer = TRUE;
+ set->ssl.primary.verifyhost = TRUE;
+ #ifdef USE_TLS_SRP
+- set->ssl.authtype = CURL_TLSAUTH_NONE;
++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ #endif
+ set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+ type */
+@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+ conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
+ conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
+ conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
++ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
++#ifdef USE_TLS_SRP
++#endif
+ #ifndef CURL_DISABLE_PROXY
+ conn->proxy_ssl_config.verifystatus =
+ data->set.proxy_ssl.primary.verifystatus;
+ conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+ conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
++ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
++#ifdef USE_TLS_SRP
++#endif
+ #endif
+ conn->ip_version = data->set.ipver;
+ conn->bits.connect_only = data->set.connect_only;
+@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.proxy_ssl.primary.issuercert_blob =
+ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
+- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
++ data->set.proxy_ssl.primary.CRLfile =
++ data->set.str[STRING_SSL_CRLFILE_PROXY];
+ data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+ data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+ data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
+@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
+ data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+ data->set.ssl.key = data->set.str[STRING_KEY];
+ data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
+ data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
+ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #ifndef CURL_DISABLE_PROXY
+- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
++ data->set.proxy_ssl.primary.username =
++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
++ data->set.proxy_ssl.primary.password =
++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ #endif
+ data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 5218f76..e006495 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -253,10 +253,17 @@ struct ssl_primary_config {
+ char *cipher_list; /* list of ciphers to use */
+ char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
+ char *pinned_key;
++ char *CRLfile; /* CRL to check certificate revocation */
+ struct curl_blob *cert_blob;
+ struct curl_blob *ca_info_blob;
+ struct curl_blob *issuercert_blob;
++#ifdef USE_TLS_SRP
++ char *username; /* TLS username (for, e.g., SRP) */
++ char *password; /* TLS password (for, e.g., SRP) */
++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
++#endif
+ char *curves; /* list of curves to use */
++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
+ BIT(verifypeer); /* set TRUE if this is desired */
+ BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
+ BIT(verifystatus); /* set TRUE if certificate status must be checked */
+@@ -266,7 +273,6 @@ struct ssl_primary_config {
+ struct ssl_config_data {
+ struct ssl_primary_config primary;
+ long certverifyresult; /* result from the certificate verification */
+- char *CRLfile; /* CRL to check certificate revocation */
+ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+ void *fsslctxp; /* parameter for call back */
+ char *cert_type; /* format for certificate (default: PEM)*/
+@@ -274,11 +280,6 @@ struct ssl_config_data {
+ struct curl_blob *key_blob;
+ char *key_type; /* format for private key (default: PEM) */
+ char *key_passwd; /* plain text private key password */
+-#ifdef USE_TLS_SRP
+- char *username; /* TLS username (for, e.g., SRP) */
+- char *password; /* TLS password (for, e.g., SRP) */
+- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+-#endif
+ BIT(certinfo); /* gather lots of certificate info */
+ BIT(falsestart);
+ BIT(enable_beast); /* allow this flaw for interoperability's sake*/
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index fe45b3a..3c31782 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -437,9 +437,10 @@ gtls_connect_step1(struct Curl_easy *data,
+ }
+
+ #ifdef HAVE_GNUTLS_SRP
+- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
++ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
+ Curl_allow_auth_to_host(data)) {
+- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
++ infof(data, "Using TLS-SRP username: %s",
++ SSL_SET_OPTION(primary.username));
+
+ rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
+ if(rc != GNUTLS_E_SUCCESS) {
+@@ -449,8 +450,8 @@ gtls_connect_step1(struct Curl_easy *data,
+ }
+
+ rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
+- SSL_SET_OPTION(username),
+- SSL_SET_OPTION(password));
++ SSL_SET_OPTION(primary.username),
++ SSL_SET_OPTION(primary.password));
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_srp_set_client_cred() failed: %s",
+ gnutls_strerror(rc));
+@@ -507,19 +508,19 @@ gtls_connect_step1(struct Curl_easy *data,
+ }
+ #endif
+
+- if(SSL_SET_OPTION(CRLfile)) {
++ if(SSL_SET_OPTION(primary.CRLfile)) {
+ /* set the CRL list file */
+ rc = gnutls_certificate_set_x509_crl_file(backend->cred,
+- SSL_SET_OPTION(CRLfile),
++ SSL_SET_OPTION(primary.CRLfile),
+ GNUTLS_X509_FMT_PEM);
+ if(rc < 0) {
+ failf(data, "error reading crl file %s (%s)",
+- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
+ return CURLE_SSL_CRL_BADFILE;
+ }
+ else
+ infof(data, "found %d CRL in %s",
+- rc, SSL_SET_OPTION(CRLfile));
++ rc, SSL_SET_OPTION(primary.CRLfile));
+ }
+
+ /* Initialize TLS session as a client */
+@@ -590,7 +591,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ #ifdef HAVE_GNUTLS_SRP
+ /* Only add SRP to the cipher list if SRP is requested. Otherwise
+ * GnuTLS will disable TLS 1.3 support. */
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+ size_t len = strlen(prioritylist);
+
+ char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
+@@ -685,7 +686,7 @@ gtls_connect_step1(struct Curl_easy *data,
+
+ #ifdef HAVE_GNUTLS_SRP
+ /* put the credentials to the current session */
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+ rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+ backend->srp_client_cred);
+ if(rc != GNUTLS_E_SUCCESS) {
+@@ -867,8 +868,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ SSL_CONN_CONFIG(verifyhost) ||
+ SSL_CONN_CONFIG(issuercert)) {
+ #ifdef HAVE_GNUTLS_SRP
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+- && SSL_SET_OPTION(username) != NULL
++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
++ && SSL_SET_OPTION(primary.username)
+ && !SSL_CONN_CONFIG(verifypeer)
+ && gnutls_cipher_get(session)) {
+ /* no peer cert, but auth is ok if we have SRP user and cipher and no
+@@ -926,7 +927,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ failf(data, "server certificate verification failed. CAfile: %s "
+ "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
+ "none",
+- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
++ SSL_SET_OPTION(primary.CRLfile) ?
++ SSL_SET_OPTION(primary.CRLfile) : "none");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+@@ -1556,8 +1558,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ gnutls_certificate_free_credentials(backend->cred);
+
+ #ifdef HAVE_GNUTLS_SRP
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+- && SSL_SET_OPTION(username) != NULL)
++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
++ && SSL_SET_OPTION(primary.username) != NULL)
+ gnutls_srp_free_client_credentials(backend->srp_client_cred);
+ #endif
+
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index b9fd26a..bd4ad8f 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+ const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+ char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+ const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+ const char * const hostname = SSL_HOST_NAME();
+ #ifndef CURL_DISABLE_VERBOSE_STRINGS
+ const long int port = SSL_HOST_PORT();
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 52f2060..959e23e 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+ }
+ }
+
+- if(SSL_SET_OPTION(CRLfile)) {
+- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
++ if(SSL_SET_OPTION(primary.CRLfile)) {
++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
+ if(rv) {
+ result = rv;
+ goto error;
+ }
+- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile));
++ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile));
+ }
+
+ if(SSL_SET_OPTION(primary.clientcert)) {
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index e8633f4..d98bbcb 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2632,7 +2632,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+ const long int ssl_version = SSL_CONN_CONFIG(version);
+ #ifdef USE_OPENSSL_SRP
+- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
+ #endif
+ char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+ const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+@@ -2643,7 +2643,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
+ const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+ const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+ char error_buffer[256];
+ struct ssl_backend_data *backend = connssl->backend;
+ bool imported_native_ca = false;
+@@ -2895,15 +2895,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #ifdef USE_OPENSSL_SRP
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+ Curl_allow_auth_to_host(data)) {
+- char * const ssl_username = SSL_SET_OPTION(username);
+-
++ char * const ssl_username = SSL_SET_OPTION(primary.username);
++ char * const ssl_password = SSL_SET_OPTION(primary.password);
+ infof(data, "Using TLS-SRP username: %s", ssl_username);
+
+ if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
+ failf(data, "Unable to set SRP user name");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
++ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
+ failf(data, "failed setting SRP password");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index a40ac06..e2d3438 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ {
+ if((data->version == needle->version) &&
+ (data->version_max == needle->version_max) &&
++ (data->ssl_options == needle->ssl_options) &&
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ (data->verifystatus == needle->verifystatus) &&
+@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
+ Curl_safecmp(data->random_file, needle->random_file) &&
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
++#ifdef USE_TLS_SRP
++ Curl_safecmp(data->username, needle->username) &&
++ Curl_safecmp(data->password, needle->password) &&
++ (data->authtype == needle->authtype) &&
++#endif
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->curves, needle->curves) &&
++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
+ Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+ return TRUE;
+
+@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+ dest->verifyhost = source->verifyhost;
+ dest->verifystatus = source->verifystatus;
+ dest->sessionid = source->sessionid;
++ dest->ssl_options = source->ssl_options;
++#ifdef USE_TLS_SRP
++ dest->authtype = source->authtype;
++#endif
+
+ CLONE_BLOB(cert_blob);
+ CLONE_BLOB(ca_info_blob);
+@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+ CLONE_STRING(cipher_list13);
+ CLONE_STRING(pinned_key);
+ CLONE_STRING(curves);
++ CLONE_STRING(CRLfile);
++#ifdef USE_TLS_SRP
++ CLONE_STRING(username);
++ CLONE_STRING(password);
++#endif
+
+ return TRUE;
+ }
+@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
+ Curl_safefree(sslc->ca_info_blob);
+ Curl_safefree(sslc->issuercert_blob);
+ Curl_safefree(sslc->curves);
++ Curl_safefree(sslc->CRLfile);
++#ifdef USE_TLS_SRP
++ Curl_safefree(sslc->username);
++ Curl_safefree(sslc->password);
++#endif
+ }
+
+ #ifdef USE_SSL
generated by cgit v1.2.3 (git 2.39.0) at 2024-06-02 17:32:49 +0300