curl/SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch

From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 19 Jun 2021 00:42:28 +0200
Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
 sensitivity

CVE-2021-22924

Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2021-22924.html

Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/url.c          | 10 ++++++----
 lib/urldata.h      |  4 ++--
 lib/vtls/gtls.c    | 10 +++++-----
 lib/vtls/nss.c     |  4 ++--
 lib/vtls/openssl.c | 18 +++++++++---------
 lib/vtls/vtls.c    | 26 +++++++++++++++++++++-----
 6 files changed, 45 insertions(+), 27 deletions(-)

diff --git a/lib/url.c b/lib/url.c
index 9f2c9f2..bdcb095 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data,
   */
   data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
+  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+  data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
   data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
   data->set.ssl.primary.cipher_list =
@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data,
   data->set.proxy_ssl.primary.pinned_key =
     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
   data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
+  data->set.proxy_ssl.primary.issuercert =
+    data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+  data->set.proxy_ssl.primary.issuercert_blob =
+    data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
-  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data,
   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
 #endif
   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
   data->set.ssl.key = data->set.str[STRING_KEY];
   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data,
   data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
 #endif
 #endif
-
   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
-  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
 
   if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
                                     &conn->ssl_config)) {
diff --git a/lib/urldata.h b/lib/urldata.h
index 2bb7d81..7cf63d0 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -246,6 +246,7 @@ struct ssl_primary_config {
   long version_max;      /* max supported version the client wants to use*/
   char *CApath;          /* certificate dir (doesn't work on windows) */
   char *CAfile;          /* certificate to verify peer against */
+  char *issuercert;      /* optional issuer certificate filename */
   char *clientcert;
   char *random_file;     /* path to file containing "random" data */
   char *egdsocket;       /* path to file containing the EGD daemon socket */
@@ -253,6 +254,7 @@ struct ssl_primary_config {
   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
   char *pinned_key;
   struct curl_blob *cert_blob;
+  struct curl_blob *issuercert_blob;
   char *curves;          /* list of curves to use */
   BIT(verifypeer);       /* set TRUE if this is desired */
   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
@@ -264,8 +266,6 @@ struct ssl_config_data {
   struct ssl_primary_config primary;
   long certverifyresult; /* result from the certificate verification */
   char *CRLfile;   /* CRL to check certificate revocation */
-  char *issuercert;/* optional issuer certificate filename */
-  struct curl_blob *issuercert_blob;
   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
   void *fsslctxp;        /* parameter for call back */
   char *cert_type; /* format for certificate (default: PEM)*/
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index ea54fe3..ccc5ce8 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data,
   if(!chainp) {
     if(SSL_CONN_CONFIG(verifypeer) ||
        SSL_CONN_CONFIG(verifyhost) ||
-       SSL_SET_OPTION(issuercert)) {
+       SSL_CONN_CONFIG(issuercert)) {
 #ifdef HAVE_GNUTLS_SRP
       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
          && SSL_SET_OPTION(username) != NULL
@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data,
        gnutls_x509_crt_t format */
     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
 
-  if(SSL_SET_OPTION(issuercert)) {
+  if(SSL_CONN_CONFIG(issuercert)) {
     gnutls_x509_crt_init(&x509_issuer);
-    issuerp = load_file(SSL_SET_OPTION(issuercert));
+    issuerp = load_file(SSL_CONN_CONFIG(issuercert));
     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
     gnutls_x509_crt_deinit(x509_issuer);
     unload_file(issuerp);
     if(rc <= 0) {
       failf(data, "server certificate issuer check failed (IssuerCert: %s)",
-            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
       gnutls_x509_crt_deinit(x509_cert);
       return CURLE_SSL_ISSUER_ERROR;
     }
     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
-          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
   }
 
   size = sizeof(certname);
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index ae3945c..b0b1e8c 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
   if(result)
     goto error;
 
-  if(SSL_SET_OPTION(issuercert)) {
+  if(SSL_CONN_CONFIG(issuercert)) {
     SECStatus ret = SECFailure;
-    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
+    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
     if(nickname) {
       /* we support only nicknames in case of issuercert for now */
       ret = check_issuer_cert(backend->handle, nickname);
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 2404393..be7b811 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data,
        deallocating the certificate. */
 
     /* e.g. match issuer name with provided issuer certificate */
-    if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
-      if(SSL_SET_OPTION(issuercert_blob))
-        fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
-                             (int)SSL_SET_OPTION(issuercert_blob)->len);
+    if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
+      if(SSL_CONN_CONFIG(issuercert_blob))
+        fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
+                             (int)SSL_CONN_CONFIG(issuercert_blob)->len);
       else {
         fp = BIO_new(BIO_s_file());
         if(fp == NULL) {
@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data,
           return CURLE_OUT_OF_MEMORY;
         }
 
-        if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
+        if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
           if(strict)
             failf(data, "SSL: Unable to open issuer cert (%s)",
-                  SSL_SET_OPTION(issuercert));
+                  SSL_CONN_CONFIG(issuercert));
           BIO_free(fp);
           X509_free(backend->server_cert);
           backend->server_cert = NULL;
@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data,
       if(!issuer) {
         if(strict)
           failf(data, "SSL: Unable to read issuer cert (%s)",
-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
         BIO_free(fp);
         X509_free(issuer);
         X509_free(backend->server_cert);
@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data,
       if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
         if(strict)
           failf(data, "SSL: Certificate issuer check failed (%s)",
-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
         BIO_free(fp);
         X509_free(issuer);
         X509_free(backend->server_cert);
@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,
       }
 
       infof(data, " SSL certificate issuer check ok (%s)\n",
-            SSL_SET_OPTION(issuercert));
+            SSL_CONN_CONFIG(issuercert));
       BIO_free(fp);
       X509_free(issuer);
     }
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index fa8a6fa..1aa6fc8 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
   return !memcmp(first->data, second->data, first->len); /* same data */
 }
 
+static bool safecmp(char *a, char *b)
+{
+  if(a && b)
+    return !strcmp(a, b);
+  else if(!a && !b)
+    return TRUE; /* match */
+  return FALSE; /* no match */
+}
+
+
 bool
 Curl_ssl_config_matches(struct ssl_primary_config *data,
                         struct ssl_primary_config *needle)
@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
      (data->verifyhost == needle->verifyhost) &&
      (data->verifystatus == needle->verifystatus) &&
      blobcmp(data->cert_blob, needle->cert_blob) &&
-     Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
-     Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
-     Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
-     Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
-     Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
+     blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+     safecmp(data->CApath, needle->CApath) &&
+     safecmp(data->CAfile, needle->CAfile) &&
+     safecmp(data->issuercert, needle->issuercert) &&
+     safecmp(data->clientcert, needle->clientcert) &&
+     safecmp(data->random_file, needle->random_file) &&
+     safecmp(data->egdsocket, needle->egdsocket) &&
      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
      Curl_safe_strcasecompare(data->curves, needle->curves) &&
@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
   dest->sessionid = source->sessionid;
 
   CLONE_BLOB(cert_blob);
+  CLONE_BLOB(issuercert_blob);
   CLONE_STRING(CApath);
   CLONE_STRING(CAfile);
+  CLONE_STRING(issuercert);
   CLONE_STRING(clientcert);
   CLONE_STRING(random_file);
   CLONE_STRING(egdsocket);
@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
 {
   Curl_safefree(sslc->CApath);
   Curl_safefree(sslc->CAfile);
+  Curl_safefree(sslc->issuercert);
   Curl_safefree(sslc->clientcert);
   Curl_safefree(sslc->random_file);
   Curl_safefree(sslc->egdsocket);
@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
   Curl_safefree(sslc->cipher_list13);
   Curl_safefree(sslc->pinned_key);
   Curl_safefree(sslc->cert_blob);
+  Curl_safefree(sslc->issuercert_blob);
   Curl_safefree(sslc->curves);
 }
 
-- 
2.31.1
import curl-7.76.1-11.el9 2021-11-04 02:42:56 +00:00			`From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001`
			`From: Daniel Stenberg <daniel@haxx.se>`
			`Date: Sat, 19 Jun 2021 00:42:28 +0200`
			`Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case`
			`sensitivity`

			`CVE-2021-22924`

			`Reported-by: Harry Sintonen`
			`Bug: https://curl.se/docs/CVE-2021-22924.html`

			`Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161`
			`Signed-off-by: Kamil Dudka <kdudka@redhat.com>`
			`---`
			`lib/url.c \| 10 ++++++----`
			`lib/urldata.h \| 4 ++--`
			`lib/vtls/gtls.c \| 10 +++++-----`
			`lib/vtls/nss.c \| 4 ++--`
			`lib/vtls/openssl.c \| 18 +++++++++---------`
			`lib/vtls/vtls.c \| 26 +++++++++++++++++++++-----`
			`6 files changed, 45 insertions(+), 27 deletions(-)`

			`diff --git a/lib/url.c b/lib/url.c`
			`index 9f2c9f2..bdcb095 100644`
			`--- a/lib/url.c`
			`+++ b/lib/url.c`
			`@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data,`
			`*/`
			`data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];`
			`data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];`
			`+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];`
			`+ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];`
			`data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];`
			`data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];`
			`data->set.ssl.primary.cipher_list =`
			`@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data,`
			`data->set.proxy_ssl.primary.pinned_key =`
			`data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];`
			`data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];`
			`+ data->set.proxy_ssl.primary.issuercert =`
			`+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];`
			`+ data->set.proxy_ssl.primary.issuercert_blob =`
			`+ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];`
			`data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];`
			`- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];`
			`data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];`
			`data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];`
			`data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];`
			`@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data,`
			`data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];`
			`#endif`
			`data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];`
			`- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];`
			`data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];`
			`data->set.ssl.key = data->set.str[STRING_KEY];`
			`data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];`
			`@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data,`
			`data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];`
			`#endif`
			`#endif`
			`-`
			`data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];`
			`- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];`

			`if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,`
			`&conn->ssl_config)) {`
			`diff --git a/lib/urldata.h b/lib/urldata.h`
			`index 2bb7d81..7cf63d0 100644`
			`--- a/lib/urldata.h`
			`+++ b/lib/urldata.h`
			`@@ -246,6 +246,7 @@ struct ssl_primary_config {`
			`long version_max; /* max supported version the client wants to use*/`
			`char CApath; / certificate dir (doesn't work on windows) */`
			`char CAfile; / certificate to verify peer against */`
			`+ char issuercert; / optional issuer certificate filename */`
			`char *clientcert;`
			`char random_file; / path to file containing "random" data */`
			`char egdsocket; / path to file containing the EGD daemon socket */`
			`@@ -253,6 +254,7 @@ struct ssl_primary_config {`
			`char cipher_list13; / list of TLS 1.3 cipher suites to use */`
			`char *pinned_key;`
			`struct curl_blob *cert_blob;`
			`+ struct curl_blob *issuercert_blob;`
			`char curves; / list of curves to use */`
			`BIT(verifypeer); /* set TRUE if this is desired */`
			`BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */`
			`@@ -264,8 +266,6 @@ struct ssl_config_data {`
			`struct ssl_primary_config primary;`
			`long certverifyresult; /* result from the certificate verification */`
			`char CRLfile; / CRL to check certificate revocation */`
			`- char issuercert;/ optional issuer certificate filename */`
			`- struct curl_blob *issuercert_blob;`
			`curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */`
			`void fsslctxp; / parameter for call back */`
			`char cert_type; / format for certificate (default: PEM)*/`
			`diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c`
			`index ea54fe3..ccc5ce8 100644`
			`--- a/lib/vtls/gtls.c`
			`+++ b/lib/vtls/gtls.c`
			`@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data,`
			`if(!chainp) {`
			`if(SSL_CONN_CONFIG(verifypeer) \|\|`
			`SSL_CONN_CONFIG(verifyhost) \|\|`
			`- SSL_SET_OPTION(issuercert)) {`
			`+ SSL_CONN_CONFIG(issuercert)) {`
			`#ifdef HAVE_GNUTLS_SRP`
			`if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP`
			`&& SSL_SET_OPTION(username) != NULL`
			`@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data,`
			`gnutls_x509_crt_t format */`
			`gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);`

			`- if(SSL_SET_OPTION(issuercert)) {`
			`+ if(SSL_CONN_CONFIG(issuercert)) {`
			`gnutls_x509_crt_init(&x509_issuer);`
			`- issuerp = load_file(SSL_SET_OPTION(issuercert));`
			`+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));`
			`gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);`
			`rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);`
			`gnutls_x509_crt_deinit(x509_issuer);`
			`unload_file(issuerp);`
			`if(rc <= 0) {`
			`failf(data, "server certificate issuer check failed (IssuerCert: %s)",`
			`- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");`
			`+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");`
			`gnutls_x509_crt_deinit(x509_cert);`
			`return CURLE_SSL_ISSUER_ERROR;`
			`}`
			`infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",`
			`- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");`
			`+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");`
			`}`

			`size = sizeof(certname);`
			`diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c`
			`index ae3945c..b0b1e8c 100644`
			`--- a/lib/vtls/nss.c`
			`+++ b/lib/vtls/nss.c`
			`@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,`
			`if(result)`
			`goto error;`

			`- if(SSL_SET_OPTION(issuercert)) {`
			`+ if(SSL_CONN_CONFIG(issuercert)) {`
			`SECStatus ret = SECFailure;`
			`- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));`
			`+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));`
			`if(nickname) {`
			`/* we support only nicknames in case of issuercert for now */`
			`ret = check_issuer_cert(backend->handle, nickname);`
			`diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c`
			`index 2404393..be7b811 100644`
			`--- a/lib/vtls/openssl.c`
			`+++ b/lib/vtls/openssl.c`
			`@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data,`
			`deallocating the certificate. */`

			`/* e.g. match issuer name with provided issuer certificate */`
			`- if(SSL_SET_OPTION(issuercert) \|\| SSL_SET_OPTION(issuercert_blob)) {`
			`- if(SSL_SET_OPTION(issuercert_blob))`
			`- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,`
			`- (int)SSL_SET_OPTION(issuercert_blob)->len);`
			`+ if(SSL_CONN_CONFIG(issuercert) \|\| SSL_CONN_CONFIG(issuercert_blob)) {`
			`+ if(SSL_CONN_CONFIG(issuercert_blob))`
			`+ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,`
			`+ (int)SSL_CONN_CONFIG(issuercert_blob)->len);`
			`else {`
			`fp = BIO_new(BIO_s_file());`
			`if(fp == NULL) {`
			`@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data,`
			`return CURLE_OUT_OF_MEMORY;`
			`}`

			`- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {`
			`+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {`
			`if(strict)`
			`failf(data, "SSL: Unable to open issuer cert (%s)",`
			`- SSL_SET_OPTION(issuercert));`
			`+ SSL_CONN_CONFIG(issuercert));`
			`BIO_free(fp);`
			`X509_free(backend->server_cert);`
			`backend->server_cert = NULL;`
			`@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data,`
			`if(!issuer) {`
			`if(strict)`
			`failf(data, "SSL: Unable to read issuer cert (%s)",`
			`- SSL_SET_OPTION(issuercert));`
			`+ SSL_CONN_CONFIG(issuercert));`
			`BIO_free(fp);`
			`X509_free(issuer);`
			`X509_free(backend->server_cert);`
			`@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data,`
			`if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {`
			`if(strict)`
			`failf(data, "SSL: Certificate issuer check failed (%s)",`
			`- SSL_SET_OPTION(issuercert));`
			`+ SSL_CONN_CONFIG(issuercert));`
			`BIO_free(fp);`
			`X509_free(issuer);`
			`X509_free(backend->server_cert);`
			`@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,`
			`}`

			`infof(data, " SSL certificate issuer check ok (%s)\n",`
			`- SSL_SET_OPTION(issuercert));`
			`+ SSL_CONN_CONFIG(issuercert));`
			`BIO_free(fp);`
			`X509_free(issuer);`
			`}`
			`diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c`
			`index fa8a6fa..1aa6fc8 100644`
			`--- a/lib/vtls/vtls.c`
			`+++ b/lib/vtls/vtls.c`
			`@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob first, struct curl_blob second)`
			`return !memcmp(first->data, second->data, first->len); /* same data */`
			`}`

			`+static bool safecmp(char a, char b)`
			`+{`
			`+ if(a && b)`
			`+ return !strcmp(a, b);`
			`+ else if(!a && !b)`
			`+ return TRUE; /* match */`
			`+ return FALSE; /* no match */`
			`+}`
			`+`
			`+`
			`bool`
			`Curl_ssl_config_matches(struct ssl_primary_config *data,`
			`struct ssl_primary_config *needle)`
			`@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,`
			`(data->verifyhost == needle->verifyhost) &&`
			`(data->verifystatus == needle->verifystatus) &&`
			`blobcmp(data->cert_blob, needle->cert_blob) &&`
			`- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&`
			`- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&`
			`- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&`
			`- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&`
			`- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&`
			`+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&`
			`+ safecmp(data->CApath, needle->CApath) &&`
			`+ safecmp(data->CAfile, needle->CAfile) &&`
			`+ safecmp(data->issuercert, needle->issuercert) &&`
			`+ safecmp(data->clientcert, needle->clientcert) &&`
			`+ safecmp(data->random_file, needle->random_file) &&`
			`+ safecmp(data->egdsocket, needle->egdsocket) &&`
			`Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&`
			`Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&`
			`Curl_safe_strcasecompare(data->curves, needle->curves) &&`
			`@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,`
			`dest->sessionid = source->sessionid;`

			`CLONE_BLOB(cert_blob);`
			`+ CLONE_BLOB(issuercert_blob);`
			`CLONE_STRING(CApath);`
			`CLONE_STRING(CAfile);`
			`+ CLONE_STRING(issuercert);`
			`CLONE_STRING(clientcert);`
			`CLONE_STRING(random_file);`
			`CLONE_STRING(egdsocket);`
			`@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)`
			`{`
			`Curl_safefree(sslc->CApath);`
			`Curl_safefree(sslc->CAfile);`
			`+ Curl_safefree(sslc->issuercert);`
			`Curl_safefree(sslc->clientcert);`
			`Curl_safefree(sslc->random_file);`
			`Curl_safefree(sslc->egdsocket);`
			`@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)`
			`Curl_safefree(sslc->cipher_list13);`
			`Curl_safefree(sslc->pinned_key);`
			`Curl_safefree(sslc->cert_blob);`
			`+ Curl_safefree(sslc->issuercert_blob);`
			`Curl_safefree(sslc->curves);`
			`}`

			`--`
			`2.31.1`