vtls: late clone of connection ssl config

author Stefan Eissing <stefan@eissing.org>

Tue, 31 Oct 2023 14:25:08 +0000 (15:25 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Thu, 2 Nov 2023 13:30:42 +0000 (14:30 +0100)
author Stefan Eissing <stefan@eissing.org>
Tue, 31 Oct 2023 14:25:08 +0000 (15:25 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Thu, 2 Nov 2023 13:30:42 +0000 (14:30 +0100)
diff --git a/lib/url.c b/lib/url.c

index c0e726a7eb6150a6c63d2f6c89cffa4338156237..7002b942498c60449cec8c3f5aacfa8ee878701a 100644 (file)
--- a/lib/url.c
+++ b/lib/url.c
@@ -1209,10 +1209,10 @@ ConnectionExists(struct Curl_easy *data,
              continue;
            else if(needle->handler->flags&PROTOPT_SSL) {
              /* use double layer ssl */
-            if(!Curl_ssl_conn_config_match(data, needle, check, TRUE))
+            if(!Curl_ssl_conn_config_match(data, check, TRUE))
                continue;
            }
-          else if(!Curl_ssl_conn_config_match(data, needle, check, FALSE))
+          else if(!Curl_ssl_conn_config_match(data, check, FALSE))
              continue;
          }
        }
@@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data,
            if(needle->handler->flags & PROTOPT_SSL) {
              /* This is a SSL connection so verify that we're using the same
                 SSL options as well */
-            if(!Curl_ssl_conn_config_match(data, needle, check, FALSE)) {
+            if(!Curl_ssl_conn_config_match(data, check, FALSE)) {
                DEBUGF(infof(data,
                             "Connection #%" CURL_FORMAT_CURL_OFF_T
                             " has different SSL parameters, can't reuse",
@@ -3562,8 +3562,8 @@ static CURLcode create_conn(struct Curl_easy *data,
    conn->send[SECONDARYSOCKET] = Curl_conn_send;
    conn->bits.tcp_fastopen = data->set.tcp_fastopen;
  
-  /* Init the SSL configuration for the connection from settings in data */
-  result = Curl_ssl_conn_config_init(data, conn);
+  /* Complete the easy's SSL configuration for connection cache matching */
+  result = Curl_ssl_easy_config_complete(data);
    if(result)
      goto out;
  
@@ -3680,6 +3680,12 @@ static CURLcode create_conn(struct Curl_easy *data,
         * This is a brand new connection, so let's store it in the connection
         * cache of ours!
         */
+      result = Curl_ssl_conn_config_init(data, conn);
+      if(result) {
+        DEBUGF(fprintf(stderr, "Error: init connection ssl config\n"));
+        goto out;
+      }
+
        result = Curl_resolver_init(data, &conn->resolve_async.resolver);
        if(result) {
          DEBUGF(fprintf(stderr, "Error: resolver_init failed\n"));
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c

index 813a709888b11d3de6b248a0be4981b00be24335..7104995ac16b36d0343dafede562641b7d66b2e3 100644 (file)
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -206,18 +206,17 @@ match_ssl_primary_config(struct Curl_easy *data,
  }
  
  bool Curl_ssl_conn_config_match(struct Curl_easy *data,
-                                struct connectdata *conn,
                                  struct connectdata *candidate,
                                  bool proxy)
  {
  #ifndef CURL_DISABLE_PROXY
    if(proxy)
-    return match_ssl_primary_config(data, &conn->proxy_ssl_config,
+    return match_ssl_primary_config(data, &data->set.proxy_ssl.primary,
                                      &candidate->proxy_ssl_config);
  #else
    (void)proxy;
  #endif
-  return match_ssl_primary_config(data, &conn->ssl_config,
+  return match_ssl_primary_config(data, &data->set.ssl.primary,
                                    &candidate->ssl_config);
  }
  
@@ -272,8 +271,7 @@ static void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
  #endif
  }
  
-static CURLcode Curl_ssl_init_ssl_config(struct Curl_easy *data,
-                                         struct ssl_primary_config *config)
+CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
  {
    data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
    data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
@@ -300,16 +298,7 @@ static CURLcode Curl_ssl_init_ssl_config(struct Curl_easy *data,
    data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
    data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
  
-  if(!clone_ssl_primary_config(&data->set.ssl.primary, config))
-    return CURLE_OUT_OF_MEMORY;
-  return CURLE_OK;
-}
-
  #ifndef CURL_DISABLE_PROXY
-static CURLcode
-Curl_ssl_init_proxy_ssl_config(struct Curl_easy *data,
-                               struct ssl_primary_config *config)
-{
    data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
    data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
    data->set.proxy_ssl.primary.cipher_list =
@@ -339,27 +328,25 @@ Curl_ssl_init_proxy_ssl_config(struct Curl_easy *data,
    data->set.proxy_ssl.primary.password =
      data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
  #endif
+#endif /* CURL_DISABLE_PROXY */
  
-  if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary, config))
-    return CURLE_OUT_OF_MEMORY;
    return CURLE_OK;
  }
-#endif /* !CURL_DISABLE_PROXY */
  
  CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
                                     struct connectdata *conn)
  {
-  CURLcode result;
- /* Get a cloned copy of the SSL config situation for use in
-   * the connection. `data` might have a shorter lifetime than `conn`*/
-  result = Curl_ssl_init_ssl_config(data, &conn->ssl_config);
-  if(result)
-    goto out;
+  /* Clone "primary" SSL configurations from the esay handle to
+   * the connection. They are used for connection cache matching and
+   * probably outlive the easy handle */
+  if(!clone_ssl_primary_config(&data->set.ssl.primary, &conn->ssl_config))
+    return CURLE_OUT_OF_MEMORY;
  #ifndef CURL_DISABLE_PROXY
-  result = Curl_ssl_init_proxy_ssl_config(data, &conn->proxy_ssl_config);
+  if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary,
+                               &conn->proxy_ssl_config))
+    return CURLE_OUT_OF_MEMORY;
  #endif
-out:
-  return result;
+  return CURLE_OK;
  }
  
  void Curl_ssl_conn_config_cleanup(struct connectdata *conn)
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h

index 5cedf4730c9f8ac3f42596decb81a4056eaddfe1..a12c469da3142938dac8fe442b6a2e82d9ec6783 100644 (file)
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -74,6 +74,12 @@ curl_sslbackend Curl_ssl_backend(void);
   */
  void Curl_ssl_easy_config_init(struct Curl_easy *data);
  
+/**
+ * Init the `data->set.ssl` and `data->set.proxy_ssl` for
+ * connection matching use.
+ */
+CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data);
+
  /**
   * Init SSL configs (main + proxy) for a new connection from the easy handle.
   */
@@ -92,7 +98,6 @@ void Curl_ssl_conn_config_cleanup(struct connectdata *conn);
   * @param proxy   match the proxy SSL config or the main one
   */
  bool Curl_ssl_conn_config_match(struct Curl_easy *data,
-                                struct connectdata *conn,
                                  struct connectdata *candidate,
                                  bool proxy);
author	Stefan Eissing <stefan@eissing.org>
	Tue, 31 Oct 2023 14:25:08 +0000 (15:25 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Thu, 2 Nov 2023 13:30:42 +0000 (14:30 +0100)
lib/url.c		patch \| blob \| blame \| history
lib/vtls/vtls.c		patch \| blob \| blame \| history
lib/vtls/vtls.h		patch \| blob \| blame \| history