cfilter: improve SSL connection checks

- fixes `Curl_ssl_cf_get_ssl()` to detect also the first filter instance
  as ssl (refs #10053)

- replaces `Curl_ssl_use()` with the correct `Curl_conn_is_ssl()`

Closes #10054
Fixes #10053

Reported-by: Patrick Monnerat

diff --git a/lib/connect.c b/lib/connect.c
index 6cb9459718ebf1301aedb13dad59cbfccfe5b18c..af0413836bad225424d558314f9cdc697ef03272 100644 (file)
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -1437,7 +1437,7 @@ bool Curl_connalive(struct Curl_easy *data, struct connectdata *conn)
 {
   (void)data;
   /* First determine if ssl */
-  if(Curl_ssl_use(conn, FIRSTSOCKET)) {
+  if(Curl_conn_is_ssl(data, FIRSTSOCKET)) {
     /* use the SSL context */
     if(!Curl_ssl_check_cxn(data, conn))
       return false;   /* FIN received */
@@ -1695,7 +1695,7 @@ static CURLcode socket_cf_connect(struct Curl_cfilter *cf,
       result = is_connected(data, conn, sockindex, done);
       if(!result && *done) {
         Curl_pgrsTime(data, TIMER_CONNECT);    /* we're connected already */
-        if(Curl_ssl_use(conn, FIRSTSOCKET) ||
+        if(Curl_conn_is_ssl(data, FIRSTSOCKET) ||
            (conn->handler->protocol & PROTO_FAMILY_SSH))
           Curl_pgrsTime(data, TIMER_APPCONNECT); /* we're connected already */
         post_connect(data, conn, sockindex);

diff --git a/lib/imap.c b/lib/imap.c
index 95689c9d1580ec42ef02c7a80f2bad4739819b37..bd4c6f2203fe5fc5dd25e7c0ca7404cced120d11 100644 (file)
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -952,7 +952,7 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
       line += wordlen;
     }
   }
-  else if(data->set.use_ssl && !Curl_ssl_use(conn, FIRSTSOCKET)) {
+  else if(data->set.use_ssl && !Curl_conn_is_ssl(data, FIRSTSOCKET)) {
     /* PREAUTH is not compatible with STARTTLS. */
     if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
       /* Switch to TLS connection now */

diff --git a/lib/pop3.c b/lib/pop3.c
index c5ad07aa0a9315fc06371eda0c26e9859546edb9..ce17f2ac729f037240650382df9170ef5d1d5fa6 100644 (file)
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -769,7 +769,7 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
     if(pop3code != '+')
       pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
 
-    if(!data->set.use_ssl || Curl_ssl_use(conn, FIRSTSOCKET))
+    if(!data->set.use_ssl || Curl_conn_is_ssl(data, FIRSTSOCKET))
       result = pop3_perform_authentication(data, conn);
     else if(pop3code == '+' && pop3c->tls_supported)
       /* Switch to TLS connection now */

diff --git a/lib/smtp.c b/lib/smtp.c
index 1c29fab37d51f59f7081a235c0c7a9ee82d0d8a4..cb066d70ecc6dc646fa8af578dcdd1d2b0e4abd5 100644 (file)
--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -889,7 +889,8 @@ static CURLcode smtp_state_ehlo_resp(struct Curl_easy *data,
   (void)instate; /* no use for this yet */
 
   if(smtpcode/100 != 2 && smtpcode != 1) {
-    if(data->set.use_ssl <= CURLUSESSL_TRY || Curl_ssl_use(conn, FIRSTSOCKET))
+    if(data->set.use_ssl <= CURLUSESSL_TRY
+       || Curl_conn_is_ssl(data, FIRSTSOCKET))
       result = smtp_perform_helo(data, conn);
     else {
       failf(data, "Remote access denied: %d", smtpcode);
@@ -954,7 +955,7 @@ static CURLcode smtp_state_ehlo_resp(struct Curl_easy *data,
     }
 
     if(smtpcode != 1) {
-      if(data->set.use_ssl && !Curl_ssl_use(conn, FIRSTSOCKET)) {
+      if(data->set.use_ssl && !Curl_conn_is_ssl(data, FIRSTSOCKET)) {
         /* We don't have a SSL/TLS connection yet, but SSL is requested */
         if(smtpc->tls_supported)
           /* Switch to TLS connection now */

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index e84c99346fd53c89ca88fe65d8b5e4db7647ffc8..873ee6bac759aaa3cc8a48f820c803a97c66dbb5 100644 (file)
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -1725,11 +1725,6 @@ void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
   return result;
 }
 
-bool Curl_ssl_use(struct connectdata *conn, int sockindex)
-{
-  return Curl_ssl_cf_get_ssl(conn->cfilter[sockindex]) != NULL;
-}
-
 CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
                                  int sockindex)
 {
@@ -1818,11 +1813,9 @@ Curl_ssl_get_primary_config(struct Curl_easy *data,
 
 struct Curl_cfilter *Curl_ssl_cf_get_ssl(struct Curl_cfilter *cf)
 {
-  struct Curl_cfilter *cfn;
-
-  for(cfn = cf->next; cfn; cfn = cfn->next) {
-    if(cfn->cft == &cft_ssl || cfn->cft == &cft_ssl_proxy)
-      return cfn;
+  for(; cf; cf = cf->next) {
+    if(cf->cft == &cft_ssl || cf->cft == &cft_ssl_proxy)
+      return cf;
   }
   return NULL;
 }

diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index ca7a96096907efc2cbba0c880f3fb9e584589385..5ad64fcf60913ca4afc09412307959eef604f7ae 100644 (file)
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -208,8 +208,6 @@ bool Curl_ssl_supports(struct Curl_easy *data, int ssl_option);
 void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
                              CURLINFO info, int n);
 
-bool Curl_ssl_use(struct connectdata *conn, int sockindex);
-
 #else /* if not USE_SSL */
 
 /* When SSL support is not present, just define away these function calls */
@@ -228,7 +226,6 @@ bool Curl_ssl_use(struct connectdata *conn, int sockindex);
 #define Curl_ssl_false_start(a) FALSE
 #define Curl_ssl_get_internals(a,b,c,d) NULL
 #define Curl_ssl_supports(a,b) FALSE
-#define Curl_ssl_use(a,b) FALSE
 #define Curl_ssl_cfilter_add(a,b,c) CURLE_NOT_BUILT_IN
 #define Curl_ssl_cfilter_proxy_add(a,b,c) CURLE_NOT_BUILT_IN
 #define Curl_ssl_get_config(a,b) NULL