Unity-Technologies
/
curl
зеркало из https://github.com/Unity-Technologies/curl.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

vtls: late clone of connection ssl config 

- perform connection cache matching against `data->set.ssl.primary`
  and proxy counterpart
- fully clone connection ssl config only when connection is used

Closes #12237
This commit is contained in:
Stefan Eissing 2023-10-31 15:25:08 +01:00 коммит произвёл Daniel Stenberg
Родитель 5d0b3eda43
Коммит bbdbd4b025
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 5CC908FDB71E12C2
3 изменённых файлов: 30 добавлений и 32 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

16
lib/url.c
Просмотреть файл

@ -1209,10 +1209,10 @@ ConnectionExists(struct Curl_easy *data,
continue;
else if(needle->handler->flags&PROTOPT_SSL) {
/* use double layer ssl */
if(!Curl_ssl_conn_config_match(data, needle, check, TRUE))
if(!Curl_ssl_conn_config_match(data, check, TRUE))
continue;
}
else if(!Curl_ssl_conn_config_match(data, needle, check, FALSE))
else if(!Curl_ssl_conn_config_match(data, check, FALSE))
continue;
}
}
@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data,
if(needle->handler->flags & PROTOPT_SSL) {
/* This is a SSL connection so verify that we're using the same
SSL options as well */
if(!Curl_ssl_conn_config_match(data, needle, check, FALSE)) {
if(!Curl_ssl_conn_config_match(data, check, FALSE)) {
DEBUGF(infof(data,
"Connection #%" CURL_FORMAT_CURL_OFF_T
" has different SSL parameters, can't reuse",
@ -3562,8 +3562,8 @@ static CURLcode create_conn(struct Curl_easy *data,
conn->send[SECONDARYSOCKET] = Curl_conn_send;
conn->bits.tcp_fastopen = data->set.tcp_fastopen;
/* Init the SSL configuration for the connection from settings in data */
result = Curl_ssl_conn_config_init(data, conn);
/* Complete the easy's SSL configuration for connection cache matching */
result = Curl_ssl_easy_config_complete(data);
if(result)
goto out;
@ -3680,6 +3680,12 @@ static CURLcode create_conn(struct Curl_easy *data,
* This is a brand new connection, so let's store it in the connection
* cache of ours!
*/
result = Curl_ssl_conn_config_init(data, conn);
if(result) {
DEBUGF(fprintf(stderr, "Error: init connection ssl config\n"));
goto out;
}
result = Curl_resolver_init(data, &conn->resolve_async.resolver);
if(result) {
DEBUGF(fprintf(stderr, "Error: resolver_init failed\n"));

39
lib/vtls/vtls.c
Просмотреть файл

@ -206,18 +206,17 @@ match_ssl_primary_config(struct Curl_easy *data,
}
bool Curl_ssl_conn_config_match(struct Curl_easy *data,
struct connectdata *conn,
struct connectdata *candidate,
bool proxy)
{
#ifndef CURL_DISABLE_PROXY
if(proxy)
return match_ssl_primary_config(data, &conn->proxy_ssl_config,
return match_ssl_primary_config(data, &data->set.proxy_ssl.primary,
&candidate->proxy_ssl_config);
#else
(void)proxy;
#endif
return match_ssl_primary_config(data, &conn->ssl_config,
return match_ssl_primary_config(data, &data->set.ssl.primary,
&candidate->ssl_config);
}
@ -272,8 +271,7 @@ static void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
#endif
}
static CURLcode Curl_ssl_init_ssl_config(struct Curl_easy *data,
struct ssl_primary_config *config)
CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
{
data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
@ -300,16 +298,7 @@ static CURLcode Curl_ssl_init_ssl_config(struct Curl_easy *data,
data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
if(!clone_ssl_primary_config(&data->set.ssl.primary, config))
return CURLE_OUT_OF_MEMORY;
return CURLE_OK;
}
#ifndef CURL_DISABLE_PROXY
static CURLcode
Curl_ssl_init_proxy_ssl_config(struct Curl_easy *data,
struct ssl_primary_config *config)
{
data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
data->set.proxy_ssl.primary.cipher_list =
@ -339,27 +328,25 @@ Curl_ssl_init_proxy_ssl_config(struct Curl_easy *data,
data->set.proxy_ssl.primary.password =
data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
#endif
#endif /* CURL_DISABLE_PROXY */
if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary, config))
return CURLE_OUT_OF_MEMORY;
return CURLE_OK;
}
#endif /* !CURL_DISABLE_PROXY */
CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
struct connectdata *conn)
{
CURLcode result;
/* Get a cloned copy of the SSL config situation for use in
* the connection. `data` might have a shorter lifetime than `conn`*/
result = Curl_ssl_init_ssl_config(data, &conn->ssl_config);
if(result)
goto out;
/* Clone "primary" SSL configurations from the esay handle to
* the connection. They are used for connection cache matching and
* probably outlive the easy handle */
if(!clone_ssl_primary_config(&data->set.ssl.primary, &conn->ssl_config))
return CURLE_OUT_OF_MEMORY;
#ifndef CURL_DISABLE_PROXY
result = Curl_ssl_init_proxy_ssl_config(data, &conn->proxy_ssl_config);
if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary,
&conn->proxy_ssl_config))
return CURLE_OUT_OF_MEMORY;
#endif
out:
return result;
return CURLE_OK;
}
void Curl_ssl_conn_config_cleanup(struct connectdata *conn)

7
lib/vtls/vtls.h
Просмотреть файл

@ -74,6 +74,12 @@ curl_sslbackend Curl_ssl_backend(void);
*/
void Curl_ssl_easy_config_init(struct Curl_easy *data);
/**
* Init the `data->set.ssl` and `data->set.proxy_ssl` for
* connection matching use.
*/
CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data);
/**
* Init SSL configs (main + proxy) for a new connection from the easy handle.
*/
@ -92,7 +98,6 @@ void Curl_ssl_conn_config_cleanup(struct connectdata *conn);
* @param proxy match the proxy SSL config or the main one
*/
bool Curl_ssl_conn_config_match(struct Curl_easy *data,
struct connectdata *conn,
struct connectdata *candidate,
bool proxy);