Curl_ssl_peer_key_make() omitted ssl->signature_algorithms, although
match_ssl_primary_config() compares the field. Two handles differing
only in CURLOPT_SSL_SIGNATURE_ALGORITHMS therefore shared a peer key and
could resume each other's sessions across a shared CURLSH SSL session
cache.

Add :SIGALGS-%s next to the other ssl_primary_config fields.

Closes #21651
if(r)
goto out;
}
+ if(ssl->signature_algorithms) {
+ r = curlx_dyn_addf(&buf, ":SIGALGS-%s",
+ ssl->signature_algorithms);
+ if(r)
+ goto out;
+ }
if(ssl->verifypeer) {
r = cf_ssl_peer_key_add_path(&buf, "CA", ssl->CAfile, &is_local);
if(r)
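Review bot: In the added `:SIGALGS-%s` block the signature algorithm string goes into the key verbatim, and such lists are themselves colon-separated (for example `RSA+SHA256:ECDSA+SHA256`), so the value can contain the same `:` that delimits the key's fields. Distinct lists still produce distinct keys, which is what the fix needs, but a short comment on why the value cannot be mistaken for the start of the component that cf_ssl_peer_key_add_path() appends next would help. The key is also byte-exact: if match_ssl_primary_config() compares this field case-insensitively, equivalent configurations will end up with separate keys, which is safe but costs resumptions. No test is visible here; one with two handles that differ only in CURLOPT_SSL_SIGNATURE_ALGORITHMS on a shared CURLSH SSL session cache would keep the regression from returning.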