From: Stefan Eissing Date: Thu, 24 Oct 2024 10:36:41 +0000 (+0200) Subject: bearssl: improved session handling, test exceptions X-Git-Tag: curl-8_11_0~70 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=358eae42a4de2f6594f6230721d2639a60fc44d3;p=thirdparty%2Fcurl.git bearssl: improved session handling, test exceptions Add length to session saves, making it clear that we are storing a byte blob and allowing memcmp() on sameness check. Remove some pytest skips for bearssl to see if they now work properly in CI. Closes #15395
---
diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
index c7291b49f8..53fd4a6bc1 100644
--- a/lib/vtls/bearssl.c
+++ b/lib/vtls/bearssl.c
@@ -609,12 +609,15 @@ static CURLcode bearssl_connect_step1(struct Curl_cfilter *cf,
 br_ssl_engine_set_x509(&backend->ctx.eng, &backend->x509.vtable);
 if(ssl_config->primary.cache_session) {
- void *session;
+ void *sdata;
+ size_t slen;
+ const br_ssl_session_parameters *session;
 CURL_TRC_CF(data, cf, "connect_step1, check session cache");
 Curl_ssl_sessionid_lock(data);
- if(!Curl_ssl_getsessionid(cf, data, &connssl->peer,
- &session, NULL, NULL)) {
+ if(!Curl_ssl_getsessionid(cf, data, &connssl->peer, &sdata, &slen, NULL) &&
+ slen == sizeof(*session)) {
+ session = sdata;
 br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
 session_set = 1;
 infof(data, "BearSSL: reusing session ID");
@@ -836,7 +839,8 @@ static CURLcode bearssl_connect_step3(struct Curl_cfilter *cf,
 return CURLE_OUT_OF_MEMORY;
 br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
 Curl_ssl_sessionid_lock(data);
- ret = Curl_ssl_set_sessionid(cf, data, &connssl->peer, NULL, session, 0,
+ ret = Curl_ssl_set_sessionid(cf, data, &connssl->peer, NULL,
+ session, sizeof(*session),
 bearssl_session_free);
 Curl_ssl_sessionid_unlock(data);
 if(ret)
diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py
index 7c5b5fb8aa..149919625e 100644
--- a/tests/http/test_02_download.py
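Review bot: When Curl_ssl_getsessionid() does return an entry but its slen differs from sizeof(*session), the combined condition `slen == sizeof(*session)` makes connect_step1 fall through silently, so a corrupted or wrongly-sized cache entry looks exactly like a cache miss in the trace output. That size comparison is the right guard — it is what keeps br_ssl_engine_set_session_parameters() from copying past the end of a shorter blob — but the mismatch deserves to be observable: split the lookup from the size test and trace the rejected entry with something like `CURL_TRC_CF(data, cf, "session cache entry has unexpected size, not reusing");` in the else branch. Assigning the `void *sdata` to `const br_ssl_session_parameters *session` without a cast is fine in C. bearssl_connect_step1 starts before the hunk and continues after it, so whatever happens on the no-reuse path is outside this view.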
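Review bot: The blob now handed to Curl_ssl_set_sessionid() with `sizeof(*session)` is a br_ssl_session_parameters, which holds the TLS master secret; bearssl_session_free is not in the hunk, so confirm it zeroes the struct before releasing it rather than being a bare free(), otherwise the secret lingers in freed heap memory for the lifetime of the process. Passing the real size instead of 0 is the right counterpart to the length check added in connect_step1 and is what makes the memcmp() sameness check mentioned in the commit message well-defined. The failure path after `if(ret)` is outside the hunk; presumably ownership of `session` only transfers on success, so that path should free (and wipe) it as well. bearssl_connect_step3 starts before the hunk and continues past it.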
+++ b/tests/http/test_02_download.py
@@ -474,12 +474,6 @@ class TestDownload:
 # make extreme parallel h2 upgrades, check invalid conn reuse
 # before protocol switch has happened
 def test_02_25_h2_upgrade_x(self, env: Env, httpd, repeat):
- # not locally reproducible timeouts with certain SSL libs
- # Since this test is about connection reuse handling, we skip
- # it on these builds. Although we would certainly like to understand
- # why this happens.
- if env.curl_uses_lib('bearssl'):
- pytest.skip('CI workflows timeout on bearssl build')
 url = f'http://localhost:{env.http_port}/data-100k'
 client = LocalClient(name='h2-upgrade-extreme', env=env, timeout=15)
 if not client.exists():
diff --git a/tests/http/test_12_reuse.py b/tests/http/test_12_reuse.py
index 12564df180..9252f24745 100644
--- a/tests/http/test_12_reuse.py
+++ b/tests/http/test_12_reuse.py
@@ -35,7 +35,6 @@ from testenv import Env, CurlClient
 log = logging.getLogger(__name__)
-@pytest.mark.skipif(condition=Env.curl_uses_lib('bearssl'), reason='BearSSL too slow')
 @pytest.mark.skipif(condition=not Env.have_ssl_curl(), reason="curl without SSL")
 class TestReuse: