Hi Alessandro,
Attached is proposed debdiff for curl in unstable fixing
CVE-2021-22876 and CVE-2021-22890 as already done in stable.
MR as well done on salsa at
https://salsa.debian.org/debian/curl/-/merge_requests/10
Regards,
Salvatore
diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog 2021-02-10 01:42:40.000000000 +0100
+++ curl-7.74.0/debian/changelog 2021-04-03 14:43:39.000000000 +0200
@@ -1,3 +1,13 @@
+curl (7.74.0-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * transfer: strip credentials from the auto-referer header field
+ (CVE-2021-22876) (Closes: #986269)
+ * vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+ (CVE-2021-22890) (Closes: #986270)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 03 Apr 2021 14:43:39 +0200
+
curl (7.74.0-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru
curl-7.74.0/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch
curl-7.74.0/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch
---
curl-7.74.0/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch
1970-01-01 01:00:00.000000000 +0100
+++
curl-7.74.0/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch
2021-04-03 14:43:39.000000000 +0200
@@ -0,0 +1,140 @@
+From: Viktor Szakats <com...@vsz.me>
+Date: Tue, 23 Feb 2021 14:54:46 +0100
+Subject: transfer: strip credentials from the auto-referer header field
+Origin:
https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-22876
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+---
+ lib/transfer.c | 25 ++++++++++++++--
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 90 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test2081
+
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1588,6 +1588,9 @@ CURLcode Curl_follow(struct Curl_easy *d
+ data->set.followlocation++; /* count location-followers */
+
+ if(data->set.http_auto_referer) {
++ CURLU *u;
++ char *referer;
++
+ /* We are asked to automatically set the previous URL as the referer
+ when we get the next URL. We pick the ->url field, which may or may
+ not be 100% correct */
+@@ -1597,9 +1600,27 @@ CURLcode Curl_follow(struct Curl_easy *d
+ data->change.referer_alloc = FALSE;
+ }
+
+- data->change.referer = strdup(data->change.url);
+- if(!data->change.referer)
++ /* Make a copy of the URL without crenditals and fragment */
++ u = curl_url();
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
++
++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++ curl_url_cleanup(u);
++
++ if(uc || referer == NULL)
+ return CURLE_OUT_OF_MEMORY;
++
++ data->change.referer = referer;
+ data->change.referer_alloc = TRUE; /* yes, free this later */
+ }
+ }
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -218,7 +218,7 @@ test2064 test2065 test2066 test2067 test
+ test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
+ test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
+ test2078 \
+-test2080 \
++test2080 test2081 \
+ test2100 \
+ \
+ test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \
+--- /dev/null
++++ b/tests/data/test2081
+@@ -0,0 +1,66 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++referer
++followlocation
++--write-out
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++This server reply is for testing a simple Location: following
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Automatic referrer credential and anchor stripping check
++ </name>
++ <command>
++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location
--referer ';auto' --write-out '%{referer}\n'
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++52
++</errorcode>
++<protocol>
++GET /we/want/our/%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++
++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++
++</protocol>
++<stdout>
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++</stdout>
++</verify>
++</testcase>
diff -Nru
curl-7.74.0/debian/patches/15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
curl-7.74.0/debian/patches/15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
---
curl-7.74.0/debian/patches/15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
1970-01-01 01:00:00.000000000 +0100
+++
curl-7.74.0/debian/patches/15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
2021-04-03 14:43:39.000000000 +0200
@@ -0,0 +1,480 @@
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Fri, 19 Mar 2021 12:38:49 +0100
+Subject: vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+Origin:
https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-22890
+
+To make sure we set and extract the correct session.
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+
+CVE-2021-22890
+
+[Salvatore Bonaccorso: Backport to 7.74.0 for context changes]
+---
+ lib/vtls/bearssl.c | 8 +++++--
+ lib/vtls/gtls.c | 12 ++++++----
+ lib/vtls/mbedtls.c | 12 ++++++----
+ lib/vtls/mesalink.c | 14 ++++++++----
+ lib/vtls/openssl.c | 54 +++++++++++++++++++++++++++++++++-----------
+ lib/vtls/schannel.c | 10 ++++----
+ lib/vtls/sectransp.c | 10 ++++----
+ lib/vtls/vtls.c | 12 +++++++---
+ lib/vtls/vtls.h | 2 ++
+ lib/vtls/wolfssl.c | 13 +++++++----
+ 10 files changed, 103 insertions(+), 44 deletions(-)
+
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(st
+ void *session;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &session, NULL, sockindex)) {
+ br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
+ infof(data, "BearSSL: re-using session ID\n");
+ }
+@@ -569,10 +570,14 @@ static CURLcode bearssl_connect_step3(st
+ return CURLE_OUT_OF_MEMORY;
+ br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
++ incache = !(Curl_ssl_getsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &oldsession, NULL, sockindex));
+ if(incache)
+ Curl_ssl_delsessionid(conn, oldsession);
+- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
++ ret = Curl_ssl_addsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ session, 0, sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(ret) {
+ free(session);
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -732,7 +732,9 @@ gtls_connect_step1(struct connectdata *c
+ size_t ssl_idsize;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, &ssl_idsize, sockindex)) {
+ /* we got a session id, use it! */
+ gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+
+@@ -1291,8 +1293,9 @@ gtls_connect_step3(struct connectdata *c
+ gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
+- sockindex));
++ incache = !(Curl_ssl_getsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex));
+ if(incache) {
+ /* there was one before in the cache, so instead of risking that the
+ previous one was rejected, we just kill that and store the new */
+@@ -1300,7 +1303,9 @@ gtls_connect_step3(struct connectdata *c
+ }
+
+ /* store this session id */
+- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
++ result = Curl_ssl_addsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ connect_sessionid, connect_idsize,
+ sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(result) {
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -464,7 +464,9 @@ mbed_connect_step1(struct connectdata *c
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &old_session, NULL, sockindex)) {
+ ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
+ if(ret) {
+ Curl_ssl_sessionid_unlock(conn);
+@@ -727,6 +729,7 @@ mbed_connect_step3(struct connectdata *c
+ int ret;
+ mbedtls_ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+ if(!our_ssl_sessionid)
+@@ -745,10 +748,12 @@ mbed_connect_step3(struct connectdata *c
+
+ /* If there's already a matching session in the cache, delete it */
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
++ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
++ sockindex))
+ Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+
+- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
++ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0,
++ sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(retcode) {
+ mbedtls_ssl_session_free(our_ssl_sessionid);
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -261,7 +261,9 @@ mesalink_connect_step1(struct connectdat
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+ Curl_ssl_sessionid_unlock(conn);
+@@ -345,12 +347,14 @@ mesalink_connect_step3(struct connectdat
+ bool incache;
+ SSL_SESSION *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+
+ Curl_ssl_sessionid_lock(conn);
+ incache =
+- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
++ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
++ sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != our_ssl_sessionid) {
+ infof(data, "old SSL session ID is stale, removing\n");
+@@ -360,8 +364,8 @@ mesalink_connect_step3(struct connectdat
+ }
+
+ if(!incache) {
+- result = Curl_ssl_addsessionid(
+- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0,
++ sockindex);
+ if(result) {
+ Curl_ssl_sessionid_unlock(conn);
+ failf(data, "failed to store ssl session");
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -379,12 +379,23 @@ static int ossl_get_ssl_conn_index(void)
+ */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+- static int ssl_ex_data_sockindex_index = -1;
+- if(ssl_ex_data_sockindex_index < 0) {
+- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+- NULL);
++ static int sockindex_index = -1;
++ if(sockindex_index < 0) {
++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ }
+- return ssl_ex_data_sockindex_index;
++ return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++ static int proxy_index = -1;
++ if(proxy_index < 0) {
++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++ }
++ return proxy_index;
+ }
+
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1161,7 +1172,8 @@ static int Curl_ossl_init(void)
+ Curl_tls_keylog_open();
+
+ /* Initialize the extra data indexes */
+- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
++ if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 ||
++ ossl_get_proxy_index() < 0)
+ return 0;
+
+ return 1;
+@@ -2445,8 +2457,10 @@ static int ossl_new_session_cb(SSL *ssl,
+ curl_socket_t *sockindex_ptr;
+ int connectdata_idx = ossl_get_ssl_conn_index();
+ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
++ bool isproxy;
+
+- if(connectdata_idx < 0 || sockindex_idx < 0)
++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+ return 0;
+
+ conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2459,13 +2473,18 @@ static int ossl_new_session_cb(SSL *ssl,
+ sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+ sockindex = (int)(sockindex_ptr - conn->sock);
+
++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ void *old_ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+- sockindex));
++ if(isproxy)
++ incache = FALSE;
++ else
++ incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
++ NULL, sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != ssl_sessionid) {
+ infof(data, "old SSL session ID is stale, removing\n");
+@@ -2475,8 +2494,8 @@ static int ossl_new_session_cb(SSL *ssl,
+ }
+
+ if(!incache) {
+- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
+- 0 /* unknown size */, sockindex)) {
++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
++ 0 /* unknown size */, sockindex)) {
+ /* the session has been put into the session cache */
+ res = 1;
+ }
+@@ -3189,16 +3208,24 @@ static CURLcode ossl_connect_step1(struc
+ void *ssl_sessionid = NULL;
+ int connectdata_idx = ossl_get_ssl_conn_index();
+ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
+
+- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
+ /* Store the data needed for the "new session" callback.
+ * The sockindex is stored as a pointer to an array element. */
+ SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+ SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++ NULL);
++#else
++ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
+ }
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+ Curl_ssl_sessionid_unlock(conn);
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -494,7 +494,9 @@ schannel_connect_step1(struct connectdat
+ /* check for an existing re-usable credential handle */
+ if(SSL_SET_OPTION(primary.sessionid)) {
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ (void **)&old_cred, NULL, sockindex)) {
+ BACKEND->cred = old_cred;
+ DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+
+@@ -1334,8 +1336,9 @@ schannel_connect_step3(struct connectdat
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ SECURITY_STATUS sspi_status = SEC_E_OK;
+ CERT_CONTEXT *ccert_context = NULL;
++ bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+ conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1411,7 +1414,7 @@ schannel_connect_step3(struct connectdat
+ struct Curl_schannel_cred *old_cred = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL,
+ sockindex));
+ if(incache) {
+ if(old_cred != BACKEND->cred) {
+@@ -1423,7 +1426,7 @@ schannel_connect_step3(struct connectdat
+ }
+ }
+ if(!incache) {
+- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
++ result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred,
+ sizeof(struct Curl_schannel_cred),
+ sockindex);
+ if(result) {
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(
+ char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+ const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+ #ifndef CURL_DISABLE_PROXY
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ bool isproxy = SSL_IS_PROXY();
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #else
++ const isproxy = FALSE;
+ const char * const hostname = conn->host.name;
+ const long int port = conn->remote_port;
+ #endif
+@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(
+ #ifdef USE_NGHTTP2
+ if(data->set.httpversion >= CURL_HTTP_VERSION_2
+ #ifndef CURL_DISABLE_PROXY
+- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
++ && (!isproxy || !conn->bits.tunnel_proxy)
+ #endif
+ ) {
+ CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(
+ size_t ssl_sessionid_len;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
++ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
+ &ssl_sessionid_len, sockindex)) {
+ /* we got a session id, use it! */
+ err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1981,8 +1983,8 @@ static CURLcode sectransp_connect_step1(
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
+- sockindex);
++ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
++ ssl_sessionid_len, sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(result) {
+ failf(data, "failed to store ssl session");
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -361,6 +361,7 @@ void Curl_ssl_sessionid_unlock(struct co
+ * there's one suitable, it is provided. Returns TRUE when no entry matched.
+ */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isProxy,
+ void **ssl_sessionid,
+ size_t *idsize, /* set 0 if unknown */
+ int sockindex)
+@@ -372,7 +373,6 @@ bool Curl_ssl_getsessionid(struct connec
+ bool no_match = TRUE;
+
+ #ifndef CURL_DISABLE_PROXY
+- const bool isProxy = CONNECT_PROXY_SSL();
+ struct ssl_primary_config * const ssl_config = isProxy ?
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+@@ -384,10 +384,15 @@ bool Curl_ssl_getsessionid(struct connec
+ struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+ const char * const name = conn->host.name;
+ int port = conn->remote_port;
+- (void)sockindex;
+ #endif
++ (void)sockindex;
+ *ssl_sessionid = NULL;
+
++#ifdef CURL_DISABLE_PROXY
++ if(isProxy)
++ return TRUE;
++#endif
++
+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+ if(!SSL_SET_OPTION(primary.sessionid))
+@@ -475,6 +480,7 @@ void Curl_ssl_delsessionid(struct connec
+ * later on.
+ */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ bool isProxy,
+ void *ssl_sessionid,
+ size_t idsize,
+ int sockindex)
+@@ -488,7 +494,6 @@ CURLcode Curl_ssl_addsessionid(struct co
+ int conn_to_port;
+ long *general_age;
+ #ifndef CURL_DISABLE_PROXY
+- const bool isProxy = CONNECT_PROXY_SSL();
+ struct ssl_primary_config * const ssl_config = isProxy ?
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+@@ -501,6 +506,7 @@ CURLcode Curl_ssl_addsessionid(struct co
+ const char *hostname = conn->host.name;
+ (void)sockindex;
+ #endif
++ (void)sockindex;
+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+ clone_host = strdup(hostname);
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -217,6 +217,7 @@ void Curl_ssl_sessionid_unlock(struct co
+ * under sessionid mutex).
+ */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isproxy,
+ void **ssl_sessionid,
+ size_t *idsize, /* set 0 if unknown */
+ int sockindex);
+@@ -226,6 +227,7 @@ bool Curl_ssl_getsessionid(struct connec
+ * object with cache (e.g. incrementing refcount on success)
+ */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ const bool isProxy,
+ void *ssl_sessionid,
+ size_t idsize,
+ int sockindex);
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -505,7 +505,9 @@ wolfssl_connect_step1(struct connectdata
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+ char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -767,7 +769,9 @@ wolfssl_connect_step3(struct connectdata
+ our_ssl_sessionid = SSL_get_session(backend->handle);
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
++ incache = !(Curl_ssl_getsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &old_ssl_sessionid, NULL,
+ sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != our_ssl_sessionid) {
+@@ -778,8 +782,9 @@ wolfssl_connect_step3(struct connectdata
+ }
+
+ if(!incache) {
+- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
+- 0 /* unknown size */, sockindex);
++ result = Curl_ssl_addsessionid(conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ our_ssl_sessionid, 0, sockindex);
+ if(result) {
+ Curl_ssl_sessionid_unlock(conn);
+ failf(data, "failed to store ssl session");
diff -Nru curl-7.74.0/debian/patches/series curl-7.74.0/debian/patches/series
--- curl-7.74.0/debian/patches/series 2021-02-10 01:42:40.000000000 +0100
+++ curl-7.74.0/debian/patches/series 2021-04-03 14:43:39.000000000 +0200
@@ -5,6 +5,8 @@
11_omit-directories-from-config.patch
12_use-python3-in-tests.patch
13_fix-man-formatting.patch
+14_transfer-strip-credentials-from-the-auto-referer-hea.patch
+15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
# do not add patches below
90_gnutls.patch
