1Backport of: 2 3From 222b896a07ed1e183e7eacd6df10fc23264bd820 Mon Sep 17 00:00:00 2001 4From: Daniel Stenberg <daniel@haxx.se> 5Date: Fri, 6 May 2022 10:48:58 +0200 6Subject: [PATCH 1/2] tls: check more TLS details for connection reuse 7 8CVE-2022-27782 9 10Reported-by: Harry Sintonen 11Bug: https://curl.se/docs/CVE-2022-27782.html 12--- 13 lib/setopt.c | 29 +++++++++++++++++------------ 14 lib/url.c | 23 ++++++++++++++++------- 15 lib/urldata.h | 13 +++++++------ 16 lib/vtls/gtls.c | 32 +++++++++++++++++--------------- 17 lib/vtls/mbedtls.c | 2 +- 18 lib/vtls/nss.c | 6 +++--- 19 lib/vtls/openssl.c | 10 +++++----- 20 lib/vtls/vtls.c | 21 +++++++++++++++++++++ 21 8 files changed, 87 insertions(+), 49 deletions(-) 22 23--- a/lib/setopt.c 24+++ b/lib/setopt.c 25@@ -2317,6 +2317,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * 26 27 case CURLOPT_SSL_OPTIONS: 28 arg = va_arg(param, long); 29+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); 30 data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); 31 data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); 32 data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); 33@@ -2330,6 +2331,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * 34 #ifndef CURL_DISABLE_PROXY 35 case CURLOPT_PROXY_SSL_OPTIONS: 36 arg = va_arg(param, long); 37+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); 38 data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); 39 data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); 40 data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); 41@@ -2766,49 +2768,52 @@ CURLcode Curl_vsetopt(struct Curl_easy * 42 case CURLOPT_TLSAUTH_USERNAME: 43 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], 44 va_arg(param, char *)); 45- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) 46- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 47+ if(data->set.str[STRING_TLSAUTH_USERNAME] && 48+ !data->set.ssl.primary.authtype) 49+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 50 break; 51 case CURLOPT_PROXY_TLSAUTH_USERNAME: 52 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], 53 va_arg(param, char *)); 54 #ifndef CURL_DISABLE_PROXY 55 if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && 56- !data->set.proxy_ssl.authtype) 57- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 58+ !data->set.proxy_ssl.primary.authtype) 59+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to 60+ SRP */ 61 #endif 62 break; 63 case CURLOPT_TLSAUTH_PASSWORD: 64 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], 65 va_arg(param, char *)); 66- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) 67- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 68+ if(data->set.str[STRING_TLSAUTH_USERNAME] && 69+ !data->set.ssl.primary.authtype) 70+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ 71 break; 72 case CURLOPT_PROXY_TLSAUTH_PASSWORD: 73 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], 74 va_arg(param, char *)); 75 #ifndef CURL_DISABLE_PROXY 76 if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && 77- !data->set.proxy_ssl.authtype) 78- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ 79+ !data->set.proxy_ssl.primary.authtype) 80+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ 81 #endif 82 break; 83 case CURLOPT_TLSAUTH_TYPE: 84 argptr = va_arg(param, char *); 85 if(!argptr || 86 strncasecompare(argptr, "SRP", strlen("SRP"))) 87- data->set.ssl.authtype = CURL_TLSAUTH_SRP; 88+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; 89 else 90- data->set.ssl.authtype = CURL_TLSAUTH_NONE; 91+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; 92 break; 93 #ifndef CURL_DISABLE_PROXY 94 case CURLOPT_PROXY_TLSAUTH_TYPE: 95 argptr = va_arg(param, char *); 96 if(!argptr || 97 strncasecompare(argptr, "SRP", strlen("SRP"))) 98- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; 99+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; 100 else 101- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; 102+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; 103 break; 104 #endif 105 #endif 106--- a/lib/url.c 107+++ b/lib/url.c 108@@ -556,7 +556,7 @@ CURLcode Curl_init_userdefined(struct Cu 109 set->ssl.primary.verifypeer = TRUE; 110 set->ssl.primary.verifyhost = TRUE; 111 #ifdef USE_TLS_SRP 112- set->ssl.authtype = CURL_TLSAUTH_NONE; 113+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; 114 #endif 115 set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth 116 type */ 117@@ -1114,6 +1114,12 @@ static void prune_dead_connections(struc 118 } 119 } 120 121+static bool ssh_config_matches(struct connectdata *one, 122+ struct connectdata *two) 123+{ 124+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && 125+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); 126+} 127 /* 128 * Given one filled in connection struct (named needle), this function should 129 * detect if there already is one that has all the significant details 130@@ -1372,6 +1378,11 @@ ConnectionExists(struct Curl_easy *data, 131 (data->state.httpwant < CURL_HTTP_VERSION_2_0)) 132 continue; 133 134+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { 135+ if(!ssh_config_matches(needle, check)) 136+ continue; 137+ } 138+ 139 if((needle->handler->flags&PROTOPT_SSL) 140 #ifndef CURL_DISABLE_PROXY 141 || !needle->bits.httpproxy || needle->bits.tunnel_proxy 142@@ -1772,11 +1783,17 @@ static struct connectdata *allocate_conn 143 conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; 144 conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; 145 conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; 146+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; 147+#ifdef USE_TLS_SRP 148+#endif 149 #ifndef CURL_DISABLE_PROXY 150 conn->proxy_ssl_config.verifystatus = 151 data->set.proxy_ssl.primary.verifystatus; 152 conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; 153 conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; 154+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; 155+#ifdef USE_TLS_SRP 156+#endif 157 #endif 158 conn->ip_version = data->set.ipver; 159 conn->bits.connect_only = data->set.connect_only; 160@@ -3839,7 +3856,8 @@ static CURLcode create_conn(struct Curl_ 161 data->set.str[STRING_SSL_ISSUERCERT_PROXY]; 162 data->set.proxy_ssl.primary.issuercert_blob = 163 data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; 164- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; 165+ data->set.proxy_ssl.primary.CRLfile = 166+ data->set.str[STRING_SSL_CRLFILE_PROXY]; 167 data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; 168 data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; 169 data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; 170@@ -3847,18 +3865,20 @@ static CURLcode create_conn(struct Curl_ 171 data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; 172 data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; 173 #endif 174- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; 175+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; 176 data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; 177 data->set.ssl.key = data->set.str[STRING_KEY]; 178 data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; 179 data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; 180 data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; 181 #ifdef USE_TLS_SRP 182- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; 183- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; 184+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; 185+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; 186 #ifndef CURL_DISABLE_PROXY 187- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; 188- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; 189+ data->set.proxy_ssl.primary.username = 190+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; 191+ data->set.proxy_ssl.primary.password = 192+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; 193 #endif 194 #endif 195 data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; 196--- a/lib/urldata.h 197+++ b/lib/urldata.h 198@@ -253,10 +253,17 @@ struct ssl_primary_config { 199 char *cipher_list; /* list of ciphers to use */ 200 char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ 201 char *pinned_key; 202+ char *CRLfile; /* CRL to check certificate revocation */ 203 struct curl_blob *cert_blob; 204 struct curl_blob *ca_info_blob; 205 struct curl_blob *issuercert_blob; 206+#ifdef USE_TLS_SRP 207+ char *username; /* TLS username (for, e.g., SRP) */ 208+ char *password; /* TLS password (for, e.g., SRP) */ 209+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ 210+#endif 211 char *curves; /* list of curves to use */ 212+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ 213 BIT(verifypeer); /* set TRUE if this is desired */ 214 BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ 215 BIT(verifystatus); /* set TRUE if certificate status must be checked */ 216@@ -266,7 +273,6 @@ struct ssl_primary_config { 217 struct ssl_config_data { 218 struct ssl_primary_config primary; 219 long certverifyresult; /* result from the certificate verification */ 220- char *CRLfile; /* CRL to check certificate revocation */ 221 curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ 222 void *fsslctxp; /* parameter for call back */ 223 char *cert_type; /* format for certificate (default: PEM)*/ 224@@ -274,11 +280,6 @@ struct ssl_config_data { 225 struct curl_blob *key_blob; 226 char *key_type; /* format for private key (default: PEM) */ 227 char *key_passwd; /* plain text private key password */ 228-#ifdef USE_TLS_SRP 229- char *username; /* TLS username (for, e.g., SRP) */ 230- char *password; /* TLS password (for, e.g., SRP) */ 231- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ 232-#endif 233 BIT(certinfo); /* gather lots of certificate info */ 234 BIT(falsestart); 235 BIT(enable_beast); /* allow this flaw for interoperability's sake*/ 236--- a/lib/vtls/gtls.c 237+++ b/lib/vtls/gtls.c 238@@ -432,9 +432,10 @@ gtls_connect_step1(struct Curl_easy *dat 239 } 240 241 #ifdef HAVE_GNUTLS_SRP 242- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && 243+ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && 244 Curl_allow_auth_to_host(data)) { 245- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); 246+ infof(data, "Using TLS-SRP username: %s", 247+ SSL_SET_OPTION(primary.username)); 248 249 rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); 250 if(rc != GNUTLS_E_SUCCESS) { 251@@ -444,8 +445,8 @@ gtls_connect_step1(struct Curl_easy *dat 252 } 253 254 rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, 255- SSL_SET_OPTION(username), 256- SSL_SET_OPTION(password)); 257+ SSL_SET_OPTION(primary.username), 258+ SSL_SET_OPTION(primary.password)); 259 if(rc != GNUTLS_E_SUCCESS) { 260 failf(data, "gnutls_srp_set_client_cred() failed: %s", 261 gnutls_strerror(rc)); 262@@ -502,19 +503,19 @@ gtls_connect_step1(struct Curl_easy *dat 263 } 264 #endif 265 266- if(SSL_SET_OPTION(CRLfile)) { 267+ if(SSL_SET_OPTION(primary.CRLfile)) { 268 /* set the CRL list file */ 269 rc = gnutls_certificate_set_x509_crl_file(backend->cred, 270- SSL_SET_OPTION(CRLfile), 271+ SSL_SET_OPTION(primary.CRLfile), 272 GNUTLS_X509_FMT_PEM); 273 if(rc < 0) { 274 failf(data, "error reading crl file %s (%s)", 275- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); 276+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); 277 return CURLE_SSL_CRL_BADFILE; 278 } 279 else 280 infof(data, "found %d CRL in %s", 281- rc, SSL_SET_OPTION(CRLfile)); 282+ rc, SSL_SET_OPTION(primary.CRLfile)); 283 } 284 285 /* Initialize TLS session as a client */ 286@@ -581,7 +582,7 @@ gtls_connect_step1(struct Curl_easy *dat 287 #ifdef HAVE_GNUTLS_SRP 288 /* Only add SRP to the cipher list if SRP is requested. Otherwise 289 * GnuTLS will disable TLS 1.3 support. */ 290- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { 291+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { 292 size_t len = strlen(prioritylist); 293 294 char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); 295@@ -676,7 +677,7 @@ gtls_connect_step1(struct Curl_easy *dat 296 297 #ifdef HAVE_GNUTLS_SRP 298 /* put the credentials to the current session */ 299- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { 300+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { 301 rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, 302 backend->srp_client_cred); 303 if(rc != GNUTLS_E_SUCCESS) { 304@@ -855,8 +856,8 @@ Curl_gtls_verifyserver(struct Curl_easy 305 SSL_CONN_CONFIG(verifyhost) || 306 SSL_CONN_CONFIG(issuercert)) { 307 #ifdef HAVE_GNUTLS_SRP 308- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP 309- && SSL_SET_OPTION(username) != NULL 310+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP 311+ && SSL_SET_OPTION(primary.username) 312 && !SSL_CONN_CONFIG(verifypeer) 313 && gnutls_cipher_get(session)) { 314 /* no peer cert, but auth is ok if we have SRP user and cipher and no 315@@ -914,7 +915,8 @@ Curl_gtls_verifyserver(struct Curl_easy 316 failf(data, "server certificate verification failed. CAfile: %s " 317 "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): 318 "none", 319- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); 320+ SSL_SET_OPTION(primary.CRLfile) ? 321+ SSL_SET_OPTION(primary.CRLfile) : "none"); 322 return CURLE_PEER_FAILED_VERIFICATION; 323 } 324 else 325@@ -1531,8 +1533,8 @@ static int gtls_shutdown(struct Curl_eas 326 gnutls_certificate_free_credentials(backend->cred); 327 328 #ifdef HAVE_GNUTLS_SRP 329- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP 330- && SSL_SET_OPTION(username) != NULL) 331+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP 332+ && SSL_SET_OPTION(primary.username) != NULL) 333 gnutls_srp_free_client_credentials(backend->srp_client_cred); 334 #endif 335 336--- a/lib/vtls/openssl.c 337+++ b/lib/vtls/openssl.c 338@@ -2653,7 +2653,7 @@ static CURLcode ossl_connect_step1(struc 339 #endif 340 const long int ssl_version = SSL_CONN_CONFIG(version); 341 #ifdef USE_OPENSSL_SRP 342- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); 343+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); 344 #endif 345 char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); 346 const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); 347@@ -2664,7 +2664,7 @@ static CURLcode ossl_connect_step1(struc 348 (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); 349 const char * const ssl_capath = SSL_CONN_CONFIG(CApath); 350 const bool verifypeer = SSL_CONN_CONFIG(verifypeer); 351- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); 352+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); 353 char error_buffer[256]; 354 struct ssl_backend_data *backend = connssl->backend; 355 bool imported_native_ca = false; 356@@ -2914,15 +2914,15 @@ static CURLcode ossl_connect_step1(struc 357 #ifdef USE_OPENSSL_SRP 358 if((ssl_authtype == CURL_TLSAUTH_SRP) && 359 Curl_allow_auth_to_host(data)) { 360- char * const ssl_username = SSL_SET_OPTION(username); 361- 362+ char * const ssl_username = SSL_SET_OPTION(primary.username); 363+ char * const ssl_password = SSL_SET_OPTION(primary.password); 364 infof(data, "Using TLS-SRP username: %s", ssl_username); 365 366 if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { 367 failf(data, "Unable to set SRP user name"); 368 return CURLE_BAD_FUNCTION_ARGUMENT; 369 } 370- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { 371+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { 372 failf(data, "failed setting SRP password"); 373 return CURLE_BAD_FUNCTION_ARGUMENT; 374 } 375--- a/lib/vtls/vtls.c 376+++ b/lib/vtls/vtls.c 377@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_prima 378 { 379 if((data->version == needle->version) && 380 (data->version_max == needle->version_max) && 381+ (data->ssl_options == needle->ssl_options) && 382 (data->verifypeer == needle->verifypeer) && 383 (data->verifyhost == needle->verifyhost) && 384 (data->verifystatus == needle->verifystatus) && 385@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_prima 386 Curl_safecmp(data->clientcert, needle->clientcert) && 387 Curl_safecmp(data->random_file, needle->random_file) && 388 Curl_safecmp(data->egdsocket, needle->egdsocket) && 389+#ifdef USE_TLS_SRP 390+ Curl_safecmp(data->username, needle->username) && 391+ Curl_safecmp(data->password, needle->password) && 392+ (data->authtype == needle->authtype) && 393+#endif 394 Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && 395 Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && 396 Curl_safe_strcasecompare(data->curves, needle->curves) && 397+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && 398 Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) 399 return TRUE; 400 401@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl 402 dest->verifyhost = source->verifyhost; 403 dest->verifystatus = source->verifystatus; 404 dest->sessionid = source->sessionid; 405+ dest->ssl_options = source->ssl_options; 406+#ifdef USE_TLS_SRP 407+ dest->authtype = source->authtype; 408+#endif 409 410 CLONE_BLOB(cert_blob); 411 CLONE_BLOB(ca_info_blob); 412@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl 413 CLONE_STRING(cipher_list13); 414 CLONE_STRING(pinned_key); 415 CLONE_STRING(curves); 416+ CLONE_STRING(CRLfile); 417+#ifdef USE_TLS_SRP 418+ CLONE_STRING(username); 419+ CLONE_STRING(password); 420+#endif 421 422 return TRUE; 423 } 424@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct 425 Curl_safefree(sslc->ca_info_blob); 426 Curl_safefree(sslc->issuercert_blob); 427 Curl_safefree(sslc->curves); 428+ Curl_safefree(sslc->CRLfile); 429+#ifdef USE_TLS_SRP 430+ Curl_safefree(sslc->username); 431+ Curl_safefree(sslc->password); 432+#endif 433 } 434 435 #ifdef USE_SSL 436--- a/lib/vssh/ssh.h 437+++ b/lib/vssh/ssh.h 438@@ -7,7 +7,7 @@ 439 * | (__| |_| | _ <| |___ 440 * \___|\___/|_| \_\_____| 441 * 442- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. 443+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. 444 * 445 * This software is licensed as described in the file COPYING, which 446 * you should have received as part of this distribution. The terms 447@@ -131,8 +131,8 @@ struct ssh_conn { 448 449 /* common */ 450 const char *passphrase; /* pass-phrase to use */ 451- char *rsa_pub; /* path name */ 452- char *rsa; /* path name */ 453+ char *rsa_pub; /* strdup'ed public key file */ 454+ char *rsa; /* strdup'ed private key file */ 455 bool authed; /* the connection has been authenticated fine */ 456 bool acceptfail; /* used by the SFTP_QUOTE (continue if 457 quote command fails) */ 458--- a/lib/vtls/nss.c 459+++ b/lib/vtls/nss.c 460@@ -1996,13 +1996,13 @@ static CURLcode nss_setup_connect(struct 461 } 462 } 463 464- if(SSL_SET_OPTION(CRLfile)) { 465- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); 466+ if(SSL_SET_OPTION(primary.CRLfile)) { 467+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); 468 if(rv) { 469 result = rv; 470 goto error; 471 } 472- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); 473+ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); 474 } 475 476 if(SSL_SET_OPTION(primary.clientcert)) { 477diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c 478index 975094f4fa795..b60b9cac50d4f 100644 479--- a/lib/vtls/mbedtls.c 480+++ b/lib/vtls/mbedtls.c 481@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, 482 const char * const ssl_capath = SSL_CONN_CONFIG(CApath); 483 char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); 484 const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); 485- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); 486+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); 487 const char * const hostname = SSL_HOST_NAME(); 488 #ifndef CURL_DISABLE_VERBOSE_STRINGS 489 const long int port = SSL_HOST_PORT(); 490