From: Stefan Eissing
Date: Tue, 31 Oct 2023 14:25:08 +0000 (+0100)
Subject: vtls: late clone of connection ssl config
X-Git-Tag: curl-8_5_0~156
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bbdbd4b025d4d4ec684c02a569b950f98f23983c;p=thirdparty%2Fcurl.git

vtls: late clone of connection ssl config

- perform connection cache matching against `data->set.ssl.primary` and proxy counterpart
- fully clone connection ssl config only when connection is used

Closes #12237
---

diff --git a/lib/url.c b/lib/url.c
index c0e726a7eb..7002b94249 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1209,10 +1209,10 @@ ConnectionExists(struct Curl_easy *data,
 continue;
 else if(needle->handler->flags&PROTOPT_SSL) {
 /* use double layer ssl */
- if(!Curl_ssl_conn_config_match(data, needle, check, TRUE))
+ if(!Curl_ssl_conn_config_match(data, check, TRUE))
 continue;
 }
- else if(!Curl_ssl_conn_config_match(data, needle, check, FALSE))
+ else if(!Curl_ssl_conn_config_match(data, check, FALSE))
 continue;
 }
 }
@@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data,
 if(needle->handler->flags & PROTOPT_SSL) {
 /* This is a SSL connection so verify that we're using the same
 SSL options as well */
- if(!Curl_ssl_conn_config_match(data, needle, check, FALSE)) {
+ if(!Curl_ssl_conn_config_match(data, check, FALSE)) {
 DEBUGF(infof(data,
 "Connection #%" CURL_FORMAT_CURL_OFF_T
 " has different SSL parameters, can't reuse",
@@ -3562,8 +3562,8 @@ static CURLcode create_conn(struct Curl_easy *data,
 conn->send[SECONDARYSOCKET] = Curl_conn_send;
 conn->bits.tcp_fastopen = data->set.tcp_fastopen;
 
- /* Init the SSL configuration for the connection from settings in data */
- result = Curl_ssl_conn_config_init(data, conn);
+ /* Complete the easy's SSL configuration for connection cache matching */
+ result = Curl_ssl_easy_config_complete(data);
 if(result)
 goto out;
 
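Review bot: The reuse checks in ConnectionExists (hunks at -1209 and -1330) now compare candidates against `data->set.ssl.primary` / `data->set.proxy_ssl.primary` rather than the needle's cloned copy, so they only see the right values if the `Curl_ssl_easy_config_complete(data)` call added in the -3562 hunk has already run in the same create_conn pass; that ordering requirement is not stated anywhere in the hunk. Since a wrong match here means a connection negotiated under different verification settings gets reused, suggest making the dependency explicit at the -3562 site: `/* Complete the easy's SSL configuration for connection cache matching; ConnectionExists() compares candidates against data->set.ssl.primary, so this must run before it */`. Because `needle->ssl_config` is no longer populated before the lookup, any other reader of the needle's ssl_config between this point and the late `Curl_ssl_conn_config_init` would now see an empty config — not visible in this hunk, worth a grep. create_conn and ConnectionExists both continue outside these hunks.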
@@ -3680,6 +3680,12 @@ static CURLcode create_conn(struct Curl_easy *data,
 * This is a brand new connection, so let's store it in the connection
 * cache of ours!
 */
+ result = Curl_ssl_conn_config_init(data, conn);
+ if(result) {
+ DEBUGF(fprintf(stderr, "Error: init connection ssl config\n"));
+ goto out;
+ }
+
 result = Curl_resolver_init(data, &conn->resolve_async.resolver);
 if(result) {
 DEBUGF(fprintf(stderr, "Error: resolver_init failed\n"));
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 813a709888..7104995ac1 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -206,18 +206,17 @@ match_ssl_primary_config(struct Curl_easy *data,
 }
 
 bool Curl_ssl_conn_config_match(struct Curl_easy *data,
- struct connectdata *conn,
 struct connectdata *candidate,
 bool proxy)
 {
 #ifndef CURL_DISABLE_PROXY
 if(proxy)
- return match_ssl_primary_config(data, &conn->proxy_ssl_config,
+ return match_ssl_primary_config(data, &data->set.proxy_ssl.primary,
 &candidate->proxy_ssl_config);
 #else
 (void)proxy;
 #endif
- return match_ssl_primary_config(data, &conn->ssl_config,
+ return match_ssl_primary_config(data, &data->set.ssl.primary,
 &candidate->ssl_config);
 }
 
@@ -272,8 +271,7 @@ static void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
 #endif
 }
 
-static CURLcode Curl_ssl_init_ssl_config(struct Curl_easy *data,
- struct ssl_primary_config *config)
+CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
 {
 data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
 data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
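Review bot: `Curl_ssl_easy_config_complete` (hunk at -272) becomes an exported function that keeps a CURLcode return, yet as far as the hunks at -272, -300 and -339 show every failure return was removed and only `return CURLE_OK;` remains; either state in a comment that it cannot currently fail or keep the code for a future allocation, but callers should not assume one or the other. The body only stores pointers taken from `data->set.str[]` and `data->set.blobs[]`, so `data->set.ssl.primary` aliases easy-handle-owned memory and is only meaningful between this call and the clone in `Curl_ssl_conn_config_init`; that is what the matching in the -206 hunk now relies on. Suggest opening the body with `/* Aliases pointers in data->set.str[]/set.blobs[]; nothing is allocated here. The connection's own copy is made in Curl_ssl_conn_config_init() */`. The function body continues past this hunk.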
@@ -300,16 +298,7 @@ static CURLcode Curl_ssl_init_ssl_config(struct Curl_easy *data,
 data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
 data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
 
- if(!clone_ssl_primary_config(&data->set.ssl.primary, config))
- return CURLE_OUT_OF_MEMORY;
- return CURLE_OK;
-}
-
 #ifndef CURL_DISABLE_PROXY
-static CURLcode
-Curl_ssl_init_proxy_ssl_config(struct Curl_easy *data,
- struct ssl_primary_config *config)
-{
 data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
 data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
 data->set.proxy_ssl.primary.cipher_list =
@@ -339,27 +328,25 @@ Curl_ssl_init_proxy_ssl_config(struct Curl_easy *data,
 data->set.proxy_ssl.primary.password =
 data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
 #endif
+#endif /* CURL_DISABLE_PROXY */
 
- if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary, config))
- return CURLE_OUT_OF_MEMORY;
 return CURLE_OK;
 }
-#endif /* !CURL_DISABLE_PROXY */
 
 CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
 struct connectdata *conn)
 {
- CURLcode result;
- /* Get a cloned copy of the SSL config situation for use in
- * the connection. `data` might have a shorter lifetime than `conn`*/
- result = Curl_ssl_init_ssl_config(data, &conn->ssl_config);
- if(result)
- goto out;
+ /* Clone "primary" SSL configurations from the esay handle to
+ * the connection. They are used for connection cache matching and
+ * probably outlive the easy handle */
+ if(!clone_ssl_primary_config(&data->set.ssl.primary, &conn->ssl_config))
+ return CURLE_OUT_OF_MEMORY;
 #ifndef CURL_DISABLE_PROXY
- result = Curl_ssl_init_proxy_ssl_config(data, &data->set.proxy_ssl.primary,
+ if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary,
+ &conn->proxy_ssl_config))
+ return CURLE_OUT_OF_MEMORY;
 #endif
-out:
- return result;
+ return CURLE_OK;
 }
 
 void Curl_ssl_conn_config_cleanup(struct connectdata *conn)
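Review bot: In the rewritten `Curl_ssl_conn_config_init` (hunk at -339), a failed proxy clone returns CURLE_OUT_OF_MEMORY after the main `clone_ssl_primary_config` into `conn->ssl_config` has already succeeded, so the connection is left holding a partial clone that this function does not release; the previous goto-based version had the same shape, but the new caller in create_conn now reaches this only on the brand-new-connection path and its `out:` teardown is not in this diff, so I cannot confirm `Curl_ssl_conn_config_cleanup(conn)` still runs there. Either free the main clone on that path (the file-scope `Curl_free_primary_ssl_config` seen at -272 looks like the helper, if it leaves the struct safe for a later cleanup) or extend the block comment to say that on failure `conn->ssl_config` may hold a partial clone and the caller's connection teardown must still call `Curl_ssl_conn_config_cleanup()`. The same comment has a typo, `esay handle` → `easy handle`, and "probably outlive" reads as a guess where "may outlive" is what the code guarantees.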
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index 5cedf4730c..a12c469da3 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -74,6 +74,12 @@ curl_sslbackend Curl_ssl_backend(void);
 */
 void Curl_ssl_easy_config_init(struct Curl_easy *data);
 
+/**
+ * Init the `data->set.ssl` and `data->set.proxy_ssl` for
+ * connection matching use.
+ */
+CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data);
+
 /**
 * Init SSL configs (main + proxy) for a new connection from the easy handle.
 */
@@ -92,7 +98,6 @@ void Curl_ssl_conn_config_cleanup(struct connectdata *conn);
 * @param proxy match the proxy SSL config or the main one
 */
 bool Curl_ssl_conn_config_match(struct Curl_easy *data,
- struct connectdata *conn,
 struct connectdata *candidate,
 bool proxy);
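Review bot: The new doc comment for `Curl_ssl_easy_config_complete` (hunk at -74) says what it initialises but not the two things a caller needs: that it must run before `Curl_ssl_conn_config_match()` and `Curl_ssl_conn_config_init()`, which both read `data->set.ssl.primary` as of this commit, and that it only copies pointers from the easy handle's option strings and blobs rather than allocating, as the vtls.c body shows. A short rewrite along the lines of "Fill `data->set.ssl.primary` and `data->set.proxy_ssl.primary` from the easy handle's option strings/blobs (pointers, no copies) so that connection matching and `Curl_ssl_conn_config_init()` can use them; call before either" would cover it, and a note on when it can return something other than CURLE_OK would help callers checking the result. In the -92 hunk the `@param` list begins above the hunk; if it still documents the removed `conn` parameter, that line should go too.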