fix CVE-2021-22876 CVE-2021-22890

2021-04-19 17:02:34 +08:00 · 2021-04-19 17:02:34 +08:00 · 8fd361ddb1
commit 8fd361ddb1
parent 4f35ce7887
3 changed files with 614 additions and 1 deletions
--- a/backport-CVE-2021-22876.patch
+++ b/backport-CVE-2021-22876.patch
@ -0,0 +1,150 @@
 From 7214288898f5625a6cc196e22a74232eada7861c Mon Sep 17 00:00:00 2001
 From: Viktor Szakats <commit@vsz.me>
 Date: Tue, 23 Feb 2021 14:54:46 +0100
 Subject: [PATCH] transfer: strip credentials from the auto-referer header
 field
 Added test 2081 to verify.
 CVE-2021-22876
 Bug: https://curl.se/docs/CVE-2021-22876.html
 ---
 lib/transfer.c          | 25 ++++++++++++++--
 tests/data/Makefile.inc |  2 +-
 tests/data/test2081     | 66 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 90 insertions(+), 3 deletions(-)
 create mode 100644 tests/data/test2081
 diff --git a/lib/transfer.c b/lib/transfer.c
 index 1976bc033..a68c021c8 100644
 --- a/lib/transfer.c
 +++ b/lib/transfer.c
@@ -1582,6 +1582,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
       data->set.followlocation++; /* count location-followers */
       if(data->set.http_auto_referer) {
 +        CURLU *u;
 +        char *referer;
 +
         /* We are asked to automatically set the previous URL as the referer
            when we get the next URL. We pick the ->url field, which may or may
            not be 100% correct */
@@ -1591,9 +1594,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
           data->change.referer_alloc = FALSE;
         }
 -        data->change.referer = strdup(data->change.url);
 -        if(!data->change.referer)
 +        /* Make a copy of the URL without crenditals and fragment */
 +        u = curl_url();
 +        if(!u)
 +          return CURLE_OUT_OF_MEMORY;
 +
 +        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
 +        if(!uc)
 +          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
 +        if(!uc)
 +          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
 +        if(!uc)
 +          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
 +        if(!uc)
 +          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
 +
 +        curl_url_cleanup(u);
 +
 +        if(uc || referer == NULL)
           return CURLE_OUT_OF_MEMORY;
 +
 +        data->change.referer = referer;
         data->change.referer_alloc = TRUE; /* yes, free this later */
       }
     }
 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
 index 2c7a0ca89..ea52683d2 100644
 --- a/tests/data/Makefile.inc
 +++ b/tests/data/Makefile.inc
@@ -221,7 +221,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \
 test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
          test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
 test2078 \
 -test2080 \
 +test2080 test2081 \
 test2100 \
 \
 test3000 test3001 \
 diff --git a/tests/data/test2081 b/tests/data/test2081
 new file mode 100644
 index 000000000..a6733e737
 --- /dev/null
 +++ b/tests/data/test2081
@@ -0,0 +1,66 @@
 +<testcase>
 +<info>
 +<keywords>
 +HTTP
 +HTTP GET
 +referer
 +followlocation
 +--write-out
 +</keywords>
 +</info>
 +
 +# Server-side
 +<reply>
 +<data nocheck="yes">
 +HTTP/1.1 301 This is a weirdo text message swsclose
 +Location: data/%TESTNUMBER0002.txt?coolsite=yes
 +Content-Length: 62
 +Connection: close
 +
 +This server reply is for testing a simple Location: following
 +</data>
 +</reply>
 +
 +# Client-side
 +<client>
 +<server>
 +http
 +</server>
 + <name>
 +Automatic referrer credential and anchor stripping check
 + </name>
 + <command>
 +http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n'
 +</command>
 +</client>
 +
 +# Verify data after the test has been "shot"
 +<verify>
 +<errorcode>
 +52
 +</errorcode>
 +<protocol>
 +GET /we/want/our/%TESTNUMBER HTTP/1.1
 +Host: %HOSTIP:%HTTPPORT
 +Authorization: Basic dXNlcjpwYXNz
 +User-Agent: curl/%VERSION
 +Accept: */*
 +
 +GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1
 +Host: %HOSTIP:%HTTPPORT
 +Authorization: Basic dXNlcjpwYXNz
 +User-Agent: curl/%VERSION
 +Accept: */*
 +Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
 +
 +</protocol>
 +<stdout>
 +HTTP/1.1 301 This is a weirdo text message swsclose
 +Location: data/%TESTNUMBER0002.txt?coolsite=yes
 +Content-Length: 62
 +Connection: close
 +
 +http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
 +</stdout>
 +</verify>
 +</testcase>
 -- 
 2.23.0
--- a/backport-CVE-2021-22890.patch
+++ b/backport-CVE-2021-22890.patch
@ -0,0 +1,455 @@
 Backport of:
 From e9c835dbd51f482f5d572e6fb33a0e8ef60c846b Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Fri, 19 Mar 2021 12:38:49 +0100
 Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
 To make sure we set and extract the correct session.
 Reported-by: Mingtao Yang
 Bug: https://curl.se/docs/CVE-2021-22890.html
 CVE-2021-22890
 ---
 lib/vtls/bearssl.c   |  8 +++++--
 lib/vtls/gtls.c      | 12 ++++++----
 lib/vtls/mbedtls.c   | 12 ++++++----
 lib/vtls/mesalink.c  | 14 ++++++++----
 lib/vtls/openssl.c   | 54 +++++++++++++++++++++++++++++++++-----------
 lib/vtls/schannel.c  | 10 ++++----
 lib/vtls/sectransp.c | 10 ++++----
 lib/vtls/vtls.c      | 12 +++++++---
 lib/vtls/vtls.h      |  2 ++
 lib/vtls/wolfssl.c   | 13 +++++++----
 10 files changed, 103 insertions(+), 44 deletions(-)
 --- a/lib/vtls/bearssl.c
 +++ b/lib/vtls/bearssl.c
@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(st
     void *session;
     Curl_ssl_sessionid_lock(conn);
 -    if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
 +    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                              &session, NULL, sockindex)) {
       br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
       infof(data, "BearSSL: re-using session ID\n");
     }
@@ -569,10 +570,12 @@ static CURLcode bearssl_connect_step3(st
       return CURLE_OUT_OF_MEMORY;
     br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
     Curl_ssl_sessionid_lock(conn);
 -    incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
 +    incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                                      &oldsession, NULL, sockindex));
     if(incache)
       Curl_ssl_delsessionid(conn, oldsession);
 -    ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
 +    ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                                session, 0, sockindex);
     Curl_ssl_sessionid_unlock(conn);
     if(ret) {
       free(session);
 --- a/lib/vtls/gtls.c
 +++ b/lib/vtls/gtls.c
@@ -732,7 +732,8 @@ gtls_connect_step1(struct connectdata *c
     size_t ssl_idsize;
     Curl_ssl_sessionid_lock(conn);
 -    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
 +    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                              &ssl_sessionid, &ssl_idsize, sockindex)) {
       /* we got a session id, use it! */
       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
@@ -1291,7 +1292,8 @@ gtls_connect_step3(struct connectdata *c
       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
       Curl_ssl_sessionid_lock(conn);
 -      incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
 +      incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                                        &ssl_sessionid, NULL,
                                         sockindex));
       if(incache) {
         /* there was one before in the cache, so instead of risking that the
@@ -1300,7 +1302,8 @@ gtls_connect_step3(struct connectdata *c
       }
       /* store this session id */
 -      result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
 +      result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                                     connect_sessionid, connect_idsize,
                                      sockindex);
       Curl_ssl_sessionid_unlock(conn);
       if(result) {
 --- a/lib/vtls/mbedtls.c
 +++ b/lib/vtls/mbedtls.c
@@ -464,7 +464,8 @@ mbed_connect_step1(struct connectdata *c
     void *old_session = NULL;
     Curl_ssl_sessionid_lock(conn);
 -    if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
 +    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                              &old_session, NULL, sockindex)) {
       ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
       if(ret) {
         Curl_ssl_sessionid_unlock(conn);
@@ -727,6 +728,7 @@ mbed_connect_step3(struct connectdata *c
     int ret;
     mbedtls_ssl_session *our_ssl_sessionid;
     void *old_ssl_sessionid = NULL;
 +    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
     if(!our_ssl_sessionid)
@@ -745,10 +747,10 @@ mbed_connect_step3(struct connectdata *c
     /* If there's already a matching session in the cache, delete it */
     Curl_ssl_sessionid_lock(conn);
 -    if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
 +    if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex))
       Curl_ssl_delsessionid(conn, old_ssl_sessionid);
 -    retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
 +    retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex);
     Curl_ssl_sessionid_unlock(conn);
     if(retcode) {
       mbedtls_ssl_session_free(our_ssl_sessionid);
 --- a/lib/vtls/mesalink.c
 +++ b/lib/vtls/mesalink.c
@@ -261,7 +261,8 @@ mesalink_connect_step1(struct connectdat
     void *ssl_sessionid = NULL;
     Curl_ssl_sessionid_lock(conn);
 -    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
 +    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                              &ssl_sessionid, NULL, sockindex)) {
       /* we got a session id, use it! */
       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
         Curl_ssl_sessionid_unlock(conn);
@@ -345,12 +346,14 @@ mesalink_connect_step3(struct connectdat
     bool incache;
     SSL_SESSION *our_ssl_sessionid;
     void *old_ssl_sessionid = NULL;
 +    bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;
     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
     Curl_ssl_sessionid_lock(conn);
     incache =
 -      !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
 +      !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
 +                              NULL, sockindex));
     if(incache) {
       if(old_ssl_sessionid != our_ssl_sessionid) {
         infof(data, "old SSL session ID is stale, removing\n");
@@ -361,7 +364,7 @@ mesalink_connect_step3(struct connectdat
     if(!incache) {
       result = Curl_ssl_addsessionid(
 -        conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
 +        conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);
       if(result) {
         Curl_ssl_sessionid_unlock(conn);
         failf(data, "failed to store ssl session");
 --- a/lib/vtls/openssl.c
 +++ b/lib/vtls/openssl.c
@@ -379,12 +379,23 @@ static int ossl_get_ssl_conn_index(void)
  */
 static int ossl_get_ssl_sockindex_index(void)
 {
 -  static int ssl_ex_data_sockindex_index = -1;
 -  if(ssl_ex_data_sockindex_index < 0) {
 -    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
 -        NULL);
 +  static int sockindex_index = -1;
 +  if(sockindex_index < 0) {
 +    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
   }
 -  return ssl_ex_data_sockindex_index;
 +  return sockindex_index;
 +}
 +
 +/* Return an extra data index for proxy boolean.
 + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
 + */
 +static int ossl_get_proxy_index(void)
 +{
 +  static int proxy_index = -1;
 +  if(proxy_index < 0) {
 +    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
 +  }
 +  return proxy_index;
 }
 static int passwd_callback(char *buf, int num, int encrypting,
@@ -1161,7 +1172,8 @@ static int Curl_ossl_init(void)
   Curl_tls_keylog_open();
   /* Initialize the extra data indexes */
 -  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
 +  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 ||
 +     ossl_get_proxy_index() < 0)
     return 0;
   return 1;
@@ -2445,8 +2457,10 @@ static int ossl_new_session_cb(SSL *ssl,
   curl_socket_t *sockindex_ptr;
   int connectdata_idx = ossl_get_ssl_conn_index();
   int sockindex_idx = ossl_get_ssl_sockindex_index();
 +  int proxy_idx = ossl_get_proxy_index();
 +  bool isproxy;
 -  if(connectdata_idx < 0 || sockindex_idx < 0)
 +  if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
     return 0;
   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
@@ -2459,13 +2473,18 @@ static int ossl_new_session_cb(SSL *ssl,
   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
   sockindex = (int)(sockindex_ptr - conn->sock);
 +  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
 +
   if(SSL_SET_OPTION(primary.sessionid)) {
     bool incache;
     void *old_ssl_sessionid = NULL;
     Curl_ssl_sessionid_lock(conn);
 -    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
 -                                      sockindex));
 +    if(isproxy)
 +      incache = FALSE;
 +    else
 +      incache = !(Curl_ssl_getsessionid(conn, isproxy,
 +                                        &old_ssl_sessionid, NULL, sockindex));
     if(incache) {
       if(old_ssl_sessionid != ssl_sessionid) {
         infof(data, "old SSL session ID is stale, removing\n");
@@ -2475,7 +2494,7 @@ static int ossl_new_session_cb(SSL *ssl,
     }
     if(!incache) {
 -      if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
 +      if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
                                       0 /* unknown size */, sockindex)) {
         /* the session has been put into the session cache */
         res = 1;
@@ -3189,16 +3208,24 @@ static CURLcode ossl_connect_step1(struc
     void *ssl_sessionid = NULL;
     int connectdata_idx = ossl_get_ssl_conn_index();
     int sockindex_idx = ossl_get_ssl_sockindex_index();
 +    int proxy_idx = ossl_get_proxy_index();
 -    if(connectdata_idx >= 0 && sockindex_idx >= 0) {
 +    if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
       /* Store the data needed for the "new session" callback.
        * The sockindex is stored as a pointer to an array element. */
       SSL_set_ex_data(backend->handle, connectdata_idx, conn);
       SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
 +#ifndef CURL_DISABLE_PROXY
 +      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
 +                      NULL);
 +#else
 +      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
 +#endif
     }
     Curl_ssl_sessionid_lock(conn);
 -    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
 +    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                              &ssl_sessionid, NULL, sockindex)) {
       /* we got a session id, use it! */
       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
         Curl_ssl_sessionid_unlock(conn);
 --- a/lib/vtls/schannel.c
 +++ b/lib/vtls/schannel.c
@@ -494,7 +494,8 @@ schannel_connect_step1(struct connectdat
   /* check for an existing re-usable credential handle */
   if(SSL_SET_OPTION(primary.sessionid)) {
     Curl_ssl_sessionid_lock(conn);
 -    if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
 +    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                              (void **)&old_cred, NULL, sockindex)) {
       BACKEND->cred = old_cred;
       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
@@ -1334,8 +1335,9 @@ schannel_connect_step3(struct connectdat
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   SECURITY_STATUS sspi_status = SEC_E_OK;
   CERT_CONTEXT *ccert_context = NULL;
 +  bool isproxy = SSL_IS_PROXY();
 #ifdef DEBUGBUILD
 -  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
 +  const char * const hostname = isproxy ? conn->http_proxy.host.name :
     conn->host.name;
 #endif
 #ifdef HAS_ALPN
@@ -1411,7 +1413,7 @@ schannel_connect_step3(struct connectdat
     struct curl_schannel_cred *old_cred = NULL;
     Curl_ssl_sessionid_lock(conn);
 -    incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
 +    incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL,
                                       sockindex));
     if(incache) {
       if(old_cred != BACKEND->cred) {
@@ -1423,7 +1425,7 @@ schannel_connect_step3(struct connectdat
       }
     }
     if(!incache) {
 -      result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
 +      result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred,
                                      sizeof(struct curl_schannel_cred),
                                      sockindex);
       if(result) {
 --- a/lib/vtls/sectransp.c
 +++ b/lib/vtls/sectransp.c
@@ -1400,7 +1400,8 @@ static CURLcode sectransp_connect_step1(
   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
   char * const ssl_cert = SSL_SET_OPTION(cert);
   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob);
 -  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
 +  bool isproxy = SSL_IS_PROXY();
 +  const char * const hostname = isproxy ? conn->http_proxy.host.name :
     conn->host.name;
   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
 #ifdef ENABLE_IPV6
@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(
 #ifdef USE_NGHTTP2
       if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
 -         (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
 +         (!isproxy || !conn->bits.tunnel_proxy) {
         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
         infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
       }
@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(
     size_t ssl_sessionid_len;
     Curl_ssl_sessionid_lock(conn);
 -    if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
 +    if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
                               &ssl_sessionid_len, sockindex)) {
       /* we got a session id, use it! */
       err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(
         return CURLE_SSL_CONNECT_ERROR;
       }
 -      result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
 +      result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len,
                                      sockindex);
       Curl_ssl_sessionid_unlock(conn);
       if(result) {
 --- a/lib/vtls/vtls.c
 +++ b/lib/vtls/vtls.c
@@ -361,6 +361,7 @@ void Curl_ssl_sessionid_unlock(struct co
  * there's one suitable, it is provided. Returns TRUE when no entry matched.
  */
 bool Curl_ssl_getsessionid(struct connectdata *conn,
 +                           const bool isProxy,
                            void **ssl_sessionid,
                            size_t *idsize, /* set 0 if unknown */
                            int sockindex)
@@ -372,7 +373,6 @@ bool Curl_ssl_getsessionid(struct connec
   bool no_match = TRUE;
 #ifndef CURL_DISABLE_PROXY
 -  const bool isProxy = CONNECT_PROXY_SSL();
   struct ssl_primary_config * const ssl_config = isProxy ?
     &conn->proxy_ssl_config :
     &conn->ssl_config;
@@ -384,10 +384,15 @@ bool Curl_ssl_getsessionid(struct connec
   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
   const char * const name = conn->host.name;
   int port = conn->remote_port;
 -  (void)sockindex;
 #endif
 +  (void)sockindex;
   *ssl_sessionid = NULL;
 +#ifdef CURL_DISABLE_PROXY
 +  if(isProxy)
 +    return TRUE;
 +#endif
 +
   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
   if(!SSL_SET_OPTION(primary.sessionid))
@@ -475,6 +480,7 @@ void Curl_ssl_delsessionid(struct connec
  * later on.
  */
 CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
 +                               bool isProxy,
                                void *ssl_sessionid,
                                size_t idsize,
                                int sockindex)
@@ -488,7 +494,6 @@ CURLcode Curl_ssl_addsessionid(struct co
   int conn_to_port;
   long *general_age;
 #ifndef CURL_DISABLE_PROXY
 -  const bool isProxy = CONNECT_PROXY_SSL();
   struct ssl_primary_config * const ssl_config = isProxy ?
     &conn->proxy_ssl_config :
     &conn->ssl_config;
@@ -501,6 +506,7 @@ CURLcode Curl_ssl_addsessionid(struct co
   const char *hostname = conn->host.name;
   (void)sockindex;
 #endif
 +  (void)sockindex;
   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
   clone_host = strdup(hostname);
 --- a/lib/vtls/vtls.h
 +++ b/lib/vtls/vtls.h
@@ -217,6 +217,7 @@ void Curl_ssl_sessionid_unlock(struct co
  * under sessionid mutex).
  */
 bool Curl_ssl_getsessionid(struct connectdata *conn,
 +                           const bool isproxy,
                            void **ssl_sessionid,
                            size_t *idsize, /* set 0 if unknown */
                            int sockindex);
@@ -226,6 +227,7 @@ bool Curl_ssl_getsessionid(struct connec
  * object with cache (e.g. incrementing refcount on success)
  */
 CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
 +                               const bool isProxy,
                                void *ssl_sessionid,
                                size_t idsize,
                                int sockindex);
 --- a/lib/vtls/wolfssl.c
 +++ b/lib/vtls/wolfssl.c
@@ -505,7 +505,8 @@ wolfssl_connect_step1(struct connectdata
     void *ssl_sessionid = NULL;
     Curl_ssl_sessionid_lock(conn);
 -    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
 +    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
 +                              &ssl_sessionid, NULL, sockindex)) {
       /* we got a session id, use it! */
       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -765,9 +766,10 @@ wolfssl_connect_step3(struct connectdata
     void *old_ssl_sessionid = NULL;
     our_ssl_sessionid = SSL_get_session(backend->handle);
 +    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
     Curl_ssl_sessionid_lock(conn);
 -    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
 +    incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
                                       sockindex));
     if(incache) {
       if(old_ssl_sessionid != our_ssl_sessionid) {
@@ -778,7 +780,7 @@ wolfssl_connect_step3(struct connectdata
     }
     if(!incache) {
 -      result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
 +      result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid,
                                      0 /* unknown size */, sockindex);
       if(result) {
         Curl_ssl_sessionid_unlock(conn);
--- a/curl.spec
+++ b/curl.spec
@ -6,7 +6,7 @@
 Name:           curl
 Version:        7.71.1
-Release:        5
+Release:        6
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@ -22,6 +22,8 @@ Patch108:       0108-curl-fix-CVE-2020-8231.patch
 Patch109:       backport-CVE-2020-8284.patch
 Patch110:       backport-CVE-2020-8285.patch
 Patch111:       backport-CVE-2020-8286.patch
 Patch112:       backport-CVE-2021-22876.patch
 Patch113:       backport-CVE-2021-22890.patch
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel
@ -163,6 +165,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 %changelog
 * Mon Apr 19 2021 gaihuiying <gaihuiying1@huawei.com> - 7.71.1-6
 - Type:CVE
 - CVE:CVE-2021-22876 CVE-2021-22890
 - SUG:NA
 - DESC:fix CVE-2021-22876 CVE-2021-22890
 * Tue Jan 26 2021 kwb0523 <kwb0523@163.com> - 7.71.1-5
 - Type:CVE
 - CVE:CVE-2020-8285 CVE-2020-8286