CVE-2014-8151.patch
From fafbab1a3a52a383d92d2b5b1fb63785a15f2d73 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Fri, 19 Dec 2014 08:50:00 +0100
Subject: [PATCH] darwinssl: fix session ID keys to only reuse identical
sessions
...to avoid a session ID being cached by a connection made without
certificate checking and then, after certificate checking is subsequently
_enabled_, libcurl still re-using that session that was established without
cert checks.
Bug: https://curl.haxx.se/docs/adv_20150108A.html
Reported-by: Marc Hesse
---
lib/vtls/curl_darwinssl.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c
index 2fb57b2..b325ba1 100644
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -1480,12 +1480,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
}
/* If there isn't one, then let's make one up! This has to be done prior
to starting the handshake. */
else {
CURLcode retcode;
- ssl_sessionid = aprintf("curl:%s:%hu",
- conn->host.name, conn->remote_port);
+ ssl_sessionid =
+ aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE],
+ data->set.ssl.verifypeer, data->set.ssl.verifyhost,
+ conn->host.name, conn->remote_port);
ssl_sessionid_len = strlen(ssl_sessionid);
err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
if(err != noErr) {
failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err);
return CURLE_SSL_CONNECT_ERROR;
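Review bot: The new aprintf() call is still passed straight into strlen() and SSLSetPeerID() on the following lines without a NULL check, so an allocation failure is undefined behaviour instead of a clean error; add `if(!ssl_sessionid) return CURLE_OUT_OF_MEMORY;` before `ssl_sessionid_len = strlen(ssl_sessionid);` (the removed line had the same gap, but the new key takes more inputs and is the natural place to close it). Folding the CA file and the two verify flags into the peer ID is what the advisory calls for, but any other setting this backend applies to the handshake that changes what gets verified (a client certificate or a CA path, if darwinssl honours them, which I cannot see from this hunk) carries the same stale-session hazard and belongs in the key too. STRING_SSL_CAFILE may be unset; if curl's aprintf renders a NULL `%s` as a fixed token the key still distinguishes the configurations, but that reliance deserves a short comment such as `/* key must change whenever a verification-affecting option changes */` above the aprintf. darwinssl_connect_step1's body continues on both sides of this hunk.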
--
2.1.4