From c8490626779dfde3f59ff8d1d29301b1e5cedf0c Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Wed, 6 Sep 2023 08:35:42 +0200
Subject: [PATCH] openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before

- we delay loading the x509 store to shorten the handshake time. However an application callback installed via CURLOPT_SSL_CTX_FUNCTION may need to have the store loaded and try to manipulate it.
- load the x509 store before invoking the app callback

Fixes #11800
Reported-by: guoxinvmware on github
Cloes #11805
---
 lib/vquic/curl_ngtcp2.c | 10 ++++++++++
 lib/vtls/openssl.c | 9 +++++++++
 2 files changed, 19 insertions(+)

diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c
index f5328a4c52..ffdbb575c1 100644
--- a/lib/vquic/curl_ngtcp2.c
+++ b/lib/vquic/curl_ngtcp2.c
@@ -396,6 +396,7 @@ static int init_ngh3_conn(struct Curl_cfilter *cf);
 static CURLcode quic_ssl_ctx(SSL_CTX **pssl_ctx,
 struct Curl_cfilter *cf, struct Curl_easy *data)
 {
+ struct cf_ngtcp2_ctx *ctx = cf->ctx;
 struct connectdata *conn = cf->conn;
 CURLcode result = CURLE_FAILED_INIT;
 SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method());
@@ -453,6 +454,15 @@ static CURLcode quic_ssl_ctx(SSL_CTX **pssl_ctx,
 
 /* give application a chance to interfere with SSL set up. */
 if(data->set.ssl.fsslctx) {
+ /* When a user callback is installed to modify the SSL_CTX,
+ * we need to do the full initialization before calling it.
+ * See: #11800 */
+ if(!ctx->x509_store_setup) {
+ result = Curl_ssl_setup_x509_store(cf, data, ssl_ctx);
+ if(result)
+ goto out;
+ ctx->x509_store_setup = TRUE;
+ }
 Curl_set_in_callback(data, true);
 result = (*data->set.ssl.fsslctx)(data, ssl_ctx,
 data->set.ssl.fsslctxp);
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c7f3e770fe..a12e712b16 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
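Review bot: The comment above `if(!ctx->x509_store_setup)` explains why the store is loaded before the callback, but not why the flag is set afterwards, which is the part that matters for correctness: marking the store as set up is what should stop the deferred load from running later and replacing whatever CA material the callback installed, assuming the deferred path in this file is gated on the same flag. Suggest stating that explicitly after `ctx->x509_store_setup = TRUE;`: `/* Mark the store as set up so the deferred load does not run later and discard the callback's changes. */`. On the failure path the flag stays FALSE and `goto out` is taken, so a later retry would attempt the load again, which looks intended. The same block, with `return result` in place of `goto out`, is added in the openssl.c hunk. quic_ssl_ctx's body continues outside the hunk.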
@@ -3712,6 +3712,15 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
 
 /* give application a chance to interfere with SSL set up. */
 if(data->set.ssl.fsslctx) {
+ /* When a user callback is installed to modify the SSL_CTX,
+ * we need to do the full initialization before calling it.
+ * See: #11800 */
+ if(!backend->x509_store_setup) {
+ result = Curl_ssl_setup_x509_store(cf, data, backend->ctx);
+ if(result)
+ return result;
+ backend->x509_store_setup = TRUE;
+ }
 Curl_set_in_callback(data, true);
 result = (*data->set.ssl.fsslctx)(data, backend->ctx,
 data->set.ssl.fsslctxp);
-- 
2.47.2
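Review bot: The nine lines added before `Curl_set_in_callback(data, true)` duplicate the block added to quic_ssl_ctx in curl_ngtcp2.c, differing only in which struct owns the flag and in the error exit; a small helper next to `Curl_ssl_setup_x509_store` taking the SSL_CTX and a pointer to the flag would keep the two call sites from drifting, which matters because a backend that loads the store here but forgets to set the flag would presumably have the deferred load run again later and overwrite the callback's changes. `return result` leaves the function directly, whereas the QUIC variant goes through `goto out`; if ossl_connect_step1 has cleanup after this point the early return should reach it too, which is worth confirming since ossl_connect_step1 starts and ends outside the hunk.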