Coverage Report

Created: 2025-06-09 08:44

/src/gdal/curl/lib/vtls/vtls_scache.c
Line
Count
Source (jump to first uncovered line)
1
/***************************************************************************
2
 *                                  _   _ ____  _
3
 *  Project                     ___| | | |  _ \| |
4
 *                             / __| | | | |_) | |
5
 *                            | (__| |_| |  _ <| |___
6
 *                             \___|\___/|_| \_\_____|
7
 *
8
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9
 *
10
 * This software is licensed as described in the file COPYING, which
11
 * you should have received as part of this distribution. The terms
12
 * are also available at https://curl.se/docs/copyright.html.
13
 *
14
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15
 * copies of the Software, and permit persons to whom the Software is
16
 * furnished to do so, under the terms of the COPYING file.
17
 *
18
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19
 * KIND, either express or implied.
20
 *
21
 * SPDX-License-Identifier: curl
22
 *
23
 ***************************************************************************/
24
25
#include "../curl_setup.h"
26
27
#ifdef USE_SSL
28
29
#ifdef HAVE_SYS_TYPES_H
30
#include <sys/types.h>
31
#endif
32
#ifdef HAVE_SYS_STAT_H
33
#include <sys/stat.h>
34
#endif
35
#ifdef HAVE_FCNTL_H
36
#include <fcntl.h>
37
#endif
38
39
#include "../urldata.h"
40
#include "../cfilters.h"
41
42
#include "vtls.h" /* generic SSL protos etc */
43
#include "vtls_int.h"
44
#include "vtls_scache.h"
45
#include "vtls_spack.h"
46
47
#include "../strcase.h"
48
#include "../url.h"
49
#include "../llist.h"
50
#include "../share.h"
51
#include "../curl_trc.h"
52
#include "../curl_sha256.h"
53
#include "../rand.h"
54
#include "../curlx/warnless.h"
55
#include "../curl_printf.h"
56
#include "../strdup.h"
57
58
/* The last #include files should be: */
59
#include "../curl_memory.h"
60
#include "../memdebug.h"
61
62
63
static bool cf_ssl_peer_key_is_global(const char *peer_key);
64
65
/* a peer+tls-config we cache sessions for */
66
struct Curl_ssl_scache_peer {
67
  char *ssl_peer_key;      /* id for peer + relevant TLS configuration */
68
  char *clientcert;
69
  char *srp_username;
70
  char *srp_password;
71
  struct Curl_llist sessions;
72
  void *sobj;              /* object instance or NULL */
73
  Curl_ssl_scache_obj_dtor *sobj_free; /* free `sobj` callback */
74
  unsigned char key_salt[CURL_SHA256_DIGEST_LENGTH]; /* for entry export */
75
  unsigned char key_hmac[CURL_SHA256_DIGEST_LENGTH]; /* for entry export */
76
  size_t max_sessions;
77
  long age;                /* just a number, the higher the more recent */
78
  BIT(hmac_set);           /* if key_salt and key_hmac are present */
79
  BIT(exportable);         /* sessions for this peer can be exported */
80
};
81
82
382k
#define CURL_SCACHE_MAGIC 0x000e1551
83
84
192k
#define GOOD_SCACHE(x) ((x) && (x)->magic == CURL_SCACHE_MAGIC)
85
86
struct Curl_ssl_scache {
87
  unsigned int magic;
88
  struct Curl_ssl_scache_peer *peers;
89
  size_t peer_count;
90
  int default_lifetime_secs;
91
  long age;
92
};
93
94
static struct Curl_ssl_scache *cf_ssl_scache_get(struct Curl_easy *data)
95
1.09k
{
96
1.09k
  struct Curl_ssl_scache *scache = NULL;
97
  /* If a share is present, its ssl_scache has preference over the multi */
98
1.09k
  if(data->share && data->share->ssl_scache)
99
0
    scache = data->share->ssl_scache;
100
1.09k
  else if(data->multi && data->multi->ssl_scache)
101
1.09k
    scache = data->multi->ssl_scache;
102
1.09k
  if(scache && !GOOD_SCACHE(scache)) {
103
0
    failf(data, "transfer would use an invalid scache at %p, denied",
104
0
          (void *)scache);
105
0
    DEBUGASSERT(0);
106
0
    return NULL;
107
0
  }
108
1.09k
  return scache;
109
1.09k
}
110
111
static void cf_ssl_scache_session_ldestroy(void *udata, void *obj)
112
414
{
113
414
  struct Curl_ssl_session *s = obj;
114
414
  (void)udata;
115
414
  free(CURL_UNCONST(s->sdata));
116
414
  free(CURL_UNCONST(s->quic_tp));
117
414
  free((void *)s->alpn);
118
414
  free(s);
119
414
}
120
121
CURLcode
122
Curl_ssl_session_create(void *sdata, size_t sdata_len,
123
                        int ietf_tls_id, const char *alpn,
124
                        curl_off_t valid_until, size_t earlydata_max,
125
                        struct Curl_ssl_session **psession)
126
0
{
127
0
  return Curl_ssl_session_create2(sdata, sdata_len, ietf_tls_id, alpn,
128
0
                                  valid_until, earlydata_max,
129
0
                                  NULL, 0, psession);
130
0
}
131
132
CURLcode
133
Curl_ssl_session_create2(void *sdata, size_t sdata_len,
134
                         int ietf_tls_id, const char *alpn,
135
                         curl_off_t valid_until, size_t earlydata_max,
136
                         unsigned char *quic_tp, size_t quic_tp_len,
137
                         struct Curl_ssl_session **psession)
138
414
{
139
414
  struct Curl_ssl_session *s;
140
141
414
  if(!sdata || !sdata_len) {
142
0
    free(sdata);
143
0
    return CURLE_BAD_FUNCTION_ARGUMENT;
144
0
  }
145
146
414
  *psession = NULL;
147
414
  s = calloc(1, sizeof(*s));
148
414
  if(!s) {
149
0
    free(sdata);
150
0
    free(quic_tp);
151
0
    return CURLE_OUT_OF_MEMORY;
152
0
  }
153
154
414
  s->ietf_tls_id = ietf_tls_id;
155
414
  s->valid_until = valid_until;
156
414
  s->earlydata_max = earlydata_max;
157
414
  s->sdata = sdata;
158
414
  s->sdata_len = sdata_len;
159
414
  s->quic_tp = quic_tp;
160
414
  s->quic_tp_len = quic_tp_len;
161
414
  if(alpn) {
162
414
    s->alpn = strdup(alpn);
163
414
    if(!s->alpn) {
164
0
      cf_ssl_scache_session_ldestroy(NULL, s);
165
0
      return CURLE_OUT_OF_MEMORY;
166
0
    }
167
414
  }
168
414
  *psession = s;
169
414
  return CURLE_OK;
170
414
}
171
172
void Curl_ssl_session_destroy(struct Curl_ssl_session *s)
173
683
{
174
683
  if(s) {
175
    /* if in the list, the list destructor takes care of it */
176
0
    if(Curl_node_llist(&s->list))
177
0
      Curl_node_remove(&s->list);
178
0
    else {
179
0
      cf_ssl_scache_session_ldestroy(NULL, s);
180
0
    }
181
0
  }
182
683
}
183
184
static void cf_ssl_scache_clear_peer(struct Curl_ssl_scache_peer *peer)
185
624k
{
186
624k
  Curl_llist_destroy(&peer->sessions, NULL);
187
624k
  if(peer->sobj) {
188
0
    DEBUGASSERT(peer->sobj_free);
189
0
    if(peer->sobj_free)
190
0
      peer->sobj_free(peer->sobj);
191
0
    peer->sobj = NULL;
192
0
  }
193
624k
  peer->sobj_free = NULL;
194
624k
  Curl_safefree(peer->clientcert);
195
624k
#ifdef USE_TLS_SRP
196
624k
  Curl_safefree(peer->srp_username);
197
624k
  Curl_safefree(peer->srp_password);
198
624k
#endif
199
624k
  Curl_safefree(peer->ssl_peer_key);
200
624k
  peer->age = 0;
201
624k
  peer->hmac_set = FALSE;
202
624k
}
203
204
static void cf_ssl_scache_peer_set_obj(struct Curl_ssl_scache_peer *peer,
205
                                       void *sobj,
206
                                       Curl_ssl_scache_obj_dtor *sobj_free)
207
0
{
208
0
  DEBUGASSERT(peer);
209
0
  if(peer->sobj_free) {
210
0
    peer->sobj_free(peer->sobj);
211
0
  }
212
0
  peer->sobj = sobj;
213
0
  peer->sobj_free = sobj_free;
214
0
}
215
216
static void cf_ssl_cache_peer_update(struct Curl_ssl_scache_peer *peer)
217
258
{
218
  /* The sessions of this peer are exportable if
219
   * - it has no confidential information
220
   * - its peer key is not yet known, because sessions were
221
   *   imported using only the salt+hmac
222
   * - the peer key is global, e.g. carrying no relative paths */
223
258
  peer->exportable = (!peer->clientcert && !peer->srp_username &&
224
258
                      !peer->srp_password &&
225
258
                      (!peer->ssl_peer_key ||
226
258
                       cf_ssl_peer_key_is_global(peer->ssl_peer_key)));
227
258
}
228
229
static CURLcode
230
cf_ssl_scache_peer_init(struct Curl_ssl_scache_peer *peer,
231
                        const char *ssl_peer_key,
232
                        const char *clientcert,
233
                        const char *srp_username,
234
                        const char *srp_password,
235
                        const unsigned char *salt,
236
                        const unsigned char *hmac)
237
258
{
238
258
  CURLcode result = CURLE_OUT_OF_MEMORY;
239
240
258
  DEBUGASSERT(!peer->ssl_peer_key);
241
258
  if(ssl_peer_key) {
242
258
    peer->ssl_peer_key = strdup(ssl_peer_key);
243
258
    if(!peer->ssl_peer_key)
244
0
      goto out;
245
258
    peer->hmac_set = FALSE;
246
258
  }
247
0
  else if(salt && hmac) {
248
0
    memcpy(peer->key_salt, salt, sizeof(peer->key_salt));
249
0
    memcpy(peer->key_hmac, hmac, sizeof(peer->key_hmac));
250
0
    peer->hmac_set = TRUE;
251
0
  }
252
0
  else {
253
0
    result = CURLE_BAD_FUNCTION_ARGUMENT;
254
0
    goto out;
255
0
  }
256
258
  if(clientcert) {
257
0
    peer->clientcert = strdup(clientcert);
258
0
    if(!peer->clientcert)
259
0
      goto out;
260
0
  }
261
258
  if(srp_username) {
262
0
    peer->srp_username = strdup(srp_username);
263
0
    if(!peer->srp_username)
264
0
      goto out;
265
0
  }
266
258
  if(srp_password) {
267
0
    peer->srp_password = strdup(srp_password);
268
0
    if(!peer->srp_password)
269
0
      goto out;
270
0
  }
271
272
258
  cf_ssl_cache_peer_update(peer);
273
258
  result = CURLE_OK;
274
258
out:
275
258
  if(result)
276
0
    cf_ssl_scache_clear_peer(peer);
277
258
  return result;
278
258
}
279
280
static void cf_scache_session_remove(struct Curl_ssl_scache_peer *peer,
281
                                     struct Curl_ssl_session *s)
282
0
{
283
0
  (void)peer;
284
0
  DEBUGASSERT(Curl_node_llist(&s->list) == &peer->sessions);
285
0
  Curl_ssl_session_destroy(s);
286
0
}
287
288
static bool cf_scache_session_expired(struct Curl_ssl_session *s,
289
                                      curl_off_t now)
290
580
{
291
580
  return (s->valid_until > 0) && (s->valid_until < now);
292
580
}
293
294
static void cf_scache_peer_remove_expired(struct Curl_ssl_scache_peer *peer,
295
                                          curl_off_t now)
296
414
{
297
414
  struct Curl_llist_node *n = Curl_llist_head(&peer->sessions);
298
580
  while(n) {
299
166
    struct Curl_ssl_session *s = Curl_node_elem(n);
300
166
    n = Curl_node_next(n);
301
166
    if(cf_scache_session_expired(s, now))
302
0
      cf_scache_session_remove(peer, s);
303
166
  }
304
414
}
305
306
static void cf_scache_peer_remove_non13(struct Curl_ssl_scache_peer *peer)
307
414
{
308
414
  struct Curl_llist_node *n = Curl_llist_head(&peer->sessions);
309
580
  while(n) {
310
166
    struct Curl_ssl_session *s = Curl_node_elem(n);
311
166
    n = Curl_node_next(n);
312
166
    if(s->ietf_tls_id != CURL_IETF_PROTO_TLS1_3)
313
0
      cf_scache_session_remove(peer, s);
314
166
  }
315
414
}
316
317
CURLcode Curl_ssl_scache_create(size_t max_peers,
318
                                size_t max_sessions_per_peer,
319
                                struct Curl_ssl_scache **pscache)
320
190k
{
321
190k
  struct Curl_ssl_scache *scache;
322
190k
  struct Curl_ssl_scache_peer *peers;
323
190k
  size_t i;
324
325
190k
  *pscache = NULL;
326
190k
  peers = calloc(max_peers, sizeof(*peers));
327
190k
  if(!peers)
328
0
    return CURLE_OUT_OF_MEMORY;
329
330
190k
  scache = calloc(1, sizeof(*scache));
331
190k
  if(!scache) {
332
0
    free(peers);
333
0
    return CURLE_OUT_OF_MEMORY;
334
0
  }
335
336
190k
  scache->magic = CURL_SCACHE_MAGIC;
337
190k
  scache->default_lifetime_secs = (24*60*60); /* 1 day */
338
190k
  scache->peer_count = max_peers;
339
190k
  scache->peers = peers;
340
190k
  scache->age = 1;
341
814k
  for(i = 0; i < scache->peer_count; ++i) {
342
624k
    scache->peers[i].max_sessions = max_sessions_per_peer;
343
624k
    Curl_llist_init(&scache->peers[i].sessions,
344
624k
                    cf_ssl_scache_session_ldestroy);
345
624k
  }
346
347
190k
  *pscache = scache;
348
190k
  return CURLE_OK;
349
190k
}
350
351
void Curl_ssl_scache_destroy(struct Curl_ssl_scache *scache)
352
190k
{
353
190k
  if(scache && GOOD_SCACHE(scache)) {
354
190k
    size_t i;
355
190k
    scache->magic = 0;
356
814k
    for(i = 0; i < scache->peer_count; ++i) {
357
624k
      cf_ssl_scache_clear_peer(&scache->peers[i]);
358
624k
    }
359
190k
    free(scache->peers);
360
190k
    free(scache);
361
190k
  }
362
190k
}
363
364
/* Lock shared SSL session data */
365
void Curl_ssl_scache_lock(struct Curl_easy *data)
366
1.09k
{
367
1.09k
  if(CURL_SHARE_ssl_scache(data))
368
0
    Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
369
1.09k
}
370
371
/* Unlock shared SSL session data */
372
void Curl_ssl_scache_unlock(struct Curl_easy *data)
373
1.09k
{
374
1.09k
  if(CURL_SHARE_ssl_scache(data))
375
0
    Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
376
1.09k
}
377
378
static CURLcode cf_ssl_peer_key_add_path(struct dynbuf *buf,
379
                                          const char *name,
380
                                          char *path,
381
                                          bool *is_local)
382
2.59k
{
383
2.59k
  if(path && path[0]) {
384
    /* We try to add absolute paths, so that the session key can stay
385
     * valid when used in another process with different CWD. However,
386
     * when a path does not exist, this does not work. Then, we add
387
     * the path as is. */
388
#ifdef UNDER_CE
389
    (void)is_local;
390
    return curlx_dyn_addf(buf, ":%s-%s", name, path);
391
#elif defined(_WIN32)
392
    char abspath[_MAX_PATH];
393
    if(_fullpath(abspath, path, _MAX_PATH))
394
      return curlx_dyn_addf(buf, ":%s-%s", name, abspath);
395
    *is_local = TRUE;
396
#elif defined(HAVE_REALPATH)
397
1.29k
    if(path[0] != '/') {
398
0
      char *abspath = realpath(path, NULL);
399
0
      if(abspath) {
400
0
        CURLcode r = curlx_dyn_addf(buf, ":%s-%s", name, abspath);
401
0
        (free)(abspath); /* allocated by libc, free without memdebug */
402
0
        return r;
403
0
      }
404
0
      *is_local = TRUE;
405
0
    }
406
1.29k
#endif
407
1.29k
    return curlx_dyn_addf(buf, ":%s-%s", name, path);
408
1.29k
  }
409
1.29k
  return CURLE_OK;
410
2.59k
}
411
412
static CURLcode cf_ssl_peer_key_add_hash(struct dynbuf *buf,
413
                                          const char *name,
414
                                          struct curl_blob *blob)
415
0
{
416
0
  CURLcode r = CURLE_OK;
417
0
  if(blob && blob->len) {
418
0
    unsigned char hash[CURL_SHA256_DIGEST_LENGTH];
419
0
    size_t i;
420
421
0
    r = curlx_dyn_addf(buf, ":%s-", name);
422
0
    if(r)
423
0
      goto out;
424
0
    r = Curl_sha256it(hash, blob->data, blob->len);
425
0
    if(r)
426
0
      goto out;
427
0
    for(i = 0; i < CURL_SHA256_DIGEST_LENGTH; ++i) {
428
0
      r = curlx_dyn_addf(buf, "%02x", hash[i]);
429
0
      if(r)
430
0
        goto out;
431
0
    }
432
0
  }
433
0
out:
434
0
  return r;
435
0
}
436
437
0
#define CURL_SSLS_LOCAL_SUFFIX     ":L"
438
1.36k
#define CURL_SSLS_GLOBAL_SUFFIX    ":G"
439
440
static bool cf_ssl_peer_key_is_global(const char *peer_key)
441
258
{
442
258
  size_t len = peer_key ? strlen(peer_key) : 0;
443
258
  return (len > 2) &&
444
258
         (peer_key[len - 1] == 'G') &&
445
258
         (peer_key[len - 2] == ':');
446
258
}
447
448
CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
449
                                const struct ssl_peer *peer,
450
                                const char *tls_id,
451
                                char **ppeer_key)
452
683
{
453
683
  struct ssl_primary_config *ssl = Curl_ssl_cf_get_primary_config(cf);
454
683
  struct dynbuf buf;
455
683
  size_t key_len;
456
683
  bool is_local = FALSE;
457
683
  CURLcode r;
458
459
683
  *ppeer_key = NULL;
460
683
  curlx_dyn_init(&buf, 10 * 1024);
461
462
683
  r = curlx_dyn_addf(&buf, "%s:%d", peer->hostname, peer->port);
463
683
  if(r)
464
0
    goto out;
465
466
683
  switch(peer->transport) {
467
683
  case TRNSPRT_TCP:
468
683
    break;
469
0
  case TRNSPRT_UDP:
470
0
    r = curlx_dyn_add(&buf, ":UDP");
471
0
    break;
472
0
  case TRNSPRT_QUIC:
473
0
    r = curlx_dyn_add(&buf, ":QUIC");
474
0
    break;
475
0
  case TRNSPRT_UNIX:
476
0
    r = curlx_dyn_add(&buf, ":UNIX");
477
0
    break;
478
0
  default:
479
0
    r = curlx_dyn_addf(&buf, ":TRNSPRT-%d", peer->transport);
480
0
    break;
481
683
  }
482
683
  if(r)
483
0
    goto out;
484
485
683
  if(!ssl->verifypeer) {
486
34
    r = curlx_dyn_add(&buf, ":NO-VRFY-PEER");
487
34
    if(r)
488
0
      goto out;
489
34
  }
490
683
  if(!ssl->verifyhost) {
491
34
    r = curlx_dyn_add(&buf, ":NO-VRFY-HOST");
492
34
    if(r)
493
0
      goto out;
494
34
  }
495
683
  if(ssl->verifystatus) {
496
0
    r = curlx_dyn_add(&buf, ":VRFY-STATUS");
497
0
    if(r)
498
0
      goto out;
499
0
  }
500
683
  if(!ssl->verifypeer || !ssl->verifyhost) {
501
34
    if(cf->conn->bits.conn_to_host) {
502
0
      r = curlx_dyn_addf(&buf, ":CHOST-%s", cf->conn->conn_to_host.name);
503
0
      if(r)
504
0
        goto out;
505
0
    }
506
34
    if(cf->conn->bits.conn_to_port) {
507
0
      r = curlx_dyn_addf(&buf, ":CPORT-%d", cf->conn->conn_to_port);
508
0
      if(r)
509
0
        goto out;
510
0
    }
511
34
  }
512
513
683
  if(ssl->version || ssl->version_max) {
514
0
    r = curlx_dyn_addf(&buf, ":TLSVER-%d-%d", ssl->version,
515
0
                      (ssl->version_max >> 16));
516
0
    if(r)
517
0
      goto out;
518
0
  }
519
683
  if(ssl->ssl_options) {
520
0
    r = curlx_dyn_addf(&buf, ":TLSOPT-%x", ssl->ssl_options);
521
0
    if(r)
522
0
      goto out;
523
0
  }
524
683
  if(ssl->cipher_list) {
525
0
    r = curlx_dyn_addf(&buf, ":CIPHER-%s", ssl->cipher_list);
526
0
    if(r)
527
0
      goto out;
528
0
  }
529
683
  if(ssl->cipher_list13) {
530
0
    r = curlx_dyn_addf(&buf, ":CIPHER13-%s", ssl->cipher_list13);
531
0
    if(r)
532
0
      goto out;
533
0
  }
534
683
  if(ssl->curves) {
535
0
    r = curlx_dyn_addf(&buf, ":CURVES-%s", ssl->curves);
536
0
    if(r)
537
0
      goto out;
538
0
  }
539
683
  if(ssl->verifypeer) {
540
649
    r = cf_ssl_peer_key_add_path(&buf, "CA", ssl->CAfile, &is_local);
541
649
    if(r)
542
0
      goto out;
543
649
    r = cf_ssl_peer_key_add_path(&buf, "CApath", ssl->CApath, &is_local);
544
649
    if(r)
545
0
      goto out;
546
649
    r = cf_ssl_peer_key_add_path(&buf, "CRL", ssl->CRLfile, &is_local);
547
649
    if(r)
548
0
      goto out;
549
649
    r = cf_ssl_peer_key_add_path(&buf, "Issuer", ssl->issuercert, &is_local);
550
649
    if(r)
551
0
      goto out;
552
649
    if(ssl->cert_blob) {
553
0
      r = cf_ssl_peer_key_add_hash(&buf, "CertBlob", ssl->cert_blob);
554
0
      if(r)
555
0
        goto out;
556
0
    }
557
649
    if(ssl->ca_info_blob) {
558
0
      r = cf_ssl_peer_key_add_hash(&buf, "CAInfoBlob", ssl->ca_info_blob);
559
0
      if(r)
560
0
        goto out;
561
0
    }
562
649
    if(ssl->issuercert_blob) {
563
0
      r = cf_ssl_peer_key_add_hash(&buf, "IssuerBlob", ssl->issuercert_blob);
564
0
      if(r)
565
0
        goto out;
566
0
    }
567
649
  }
568
683
  if(ssl->pinned_key && ssl->pinned_key[0]) {
569
0
    r = curlx_dyn_addf(&buf, ":Pinned-%s", ssl->pinned_key);
570
0
    if(r)
571
0
      goto out;
572
0
  }
573
574
683
  if(ssl->clientcert && ssl->clientcert[0]) {
575
0
    r = curlx_dyn_add(&buf, ":CCERT");
576
0
    if(r)
577
0
      goto out;
578
0
  }
579
683
#ifdef USE_TLS_SRP
580
683
  if(ssl->username || ssl->password) {
581
0
    r = curlx_dyn_add(&buf, ":SRP-AUTH");
582
0
    if(r)
583
0
      goto out;
584
0
  }
585
683
#endif
586
587
683
  if(!tls_id || !tls_id[0]) {
588
0
    r = CURLE_FAILED_INIT;
589
0
    goto out;
590
0
  }
591
683
  r = curlx_dyn_addf(&buf, ":IMPL-%s", tls_id);
592
683
  if(r)
593
0
    goto out;
594
595
683
  r = curlx_dyn_addf(&buf, is_local ?
596
683
                     CURL_SSLS_LOCAL_SUFFIX : CURL_SSLS_GLOBAL_SUFFIX);
597
683
  if(r)
598
0
    goto out;
599
600
683
  *ppeer_key = curlx_dyn_take(&buf, &key_len);
601
  /* we just added printable char, and dynbuf always null-terminates, no need
602
   * to track length */
603
604
683
out:
605
683
  curlx_dyn_free(&buf);
606
683
  return r;
607
683
}
608
609
static bool cf_ssl_scache_match_auth(struct Curl_ssl_scache_peer *peer,
610
                                     struct ssl_primary_config *conn_config)
611
156
{
612
156
  if(!conn_config) {
613
0
    if(peer->clientcert)
614
0
      return FALSE;
615
0
#ifdef USE_TLS_SRP
616
0
    if(peer->srp_username || peer->srp_password)
617
0
      return FALSE;
618
0
#endif
619
0
    return TRUE;
620
0
  }
621
156
  else if(!Curl_safecmp(peer->clientcert, conn_config->clientcert))
622
0
    return FALSE;
623
156
#ifdef USE_TLS_SRP
624
156
   if(Curl_timestrcmp(peer->srp_username, conn_config->username) ||
625
156
      Curl_timestrcmp(peer->srp_password, conn_config->password))
626
0
     return FALSE;
627
156
#endif
628
156
  return TRUE;
629
156
}
630
631
static CURLcode
632
cf_ssl_find_peer_by_key(struct Curl_easy *data,
633
                        struct Curl_ssl_scache *scache,
634
                        const char *ssl_peer_key,
635
                        struct ssl_primary_config *conn_config,
636
                        struct Curl_ssl_scache_peer **ppeer)
637
1.09k
{
638
1.09k
  size_t i, peer_key_len = 0;
639
1.09k
  CURLcode result = CURLE_OK;
640
641
1.09k
  *ppeer = NULL;
642
1.09k
  if(!GOOD_SCACHE(scache)) {
643
0
    return CURLE_BAD_FUNCTION_ARGUMENT;
644
0
  }
645
646
1.09k
  CURL_TRC_SSLS(data, "find peer slot for %s among %zu slots",
647
1.09k
                ssl_peer_key, scache->peer_count);
648
649
  /* check for entries with known peer_key */
650
10.6k
  for(i = 0; scache && i < scache->peer_count; i++) {
651
9.71k
    if(scache->peers[i].ssl_peer_key &&
652
9.71k
       strcasecompare(ssl_peer_key, scache->peers[i].ssl_peer_key) &&
653
9.71k
       cf_ssl_scache_match_auth(&scache->peers[i], conn_config)) {
654
      /* yes, we have a cached session for this! */
655
156
      *ppeer = &scache->peers[i];
656
156
      goto out;
657
156
    }
658
9.71k
  }
659
  /* check for entries with HMAC set but no known peer_key */
660
10.4k
  for(i = 0; scache && i < scache->peer_count; i++) {
661
9.55k
    if(!scache->peers[i].ssl_peer_key &&
662
9.55k
       scache->peers[i].hmac_set &&
663
9.55k
       cf_ssl_scache_match_auth(&scache->peers[i], conn_config)) {
664
      /* possible entry with unknown peer_key, check hmac */
665
0
      unsigned char my_hmac[CURL_SHA256_DIGEST_LENGTH];
666
0
      if(!peer_key_len) /* we are lazy */
667
0
        peer_key_len = strlen(ssl_peer_key);
668
0
      result = Curl_hmacit(&Curl_HMAC_SHA256,
669
0
                           scache->peers[i].key_salt,
670
0
                           sizeof(scache->peers[i].key_salt),
671
0
                           (const unsigned char *)ssl_peer_key,
672
0
                           peer_key_len,
673
0
                           my_hmac);
674
0
      if(result)
675
0
        goto out;
676
0
      if(!memcmp(scache->peers[i].key_hmac, my_hmac, sizeof(my_hmac))) {
677
        /* remember peer_key for future lookups */
678
0
        CURL_TRC_SSLS(data, "peer entry %zu key recovered: %s",
679
0
                      i, ssl_peer_key);
680
0
        scache->peers[i].ssl_peer_key = strdup(ssl_peer_key);
681
0
        if(!scache->peers[i].ssl_peer_key) {
682
0
          result = CURLE_OUT_OF_MEMORY;
683
0
          goto out;
684
0
        }
685
0
        cf_ssl_cache_peer_update(&scache->peers[i]);
686
0
        *ppeer = &scache->peers[i];
687
0
        goto out;
688
0
      }
689
0
    }
690
9.55k
  }
691
941
  CURL_TRC_SSLS(data, "peer not found for %s", ssl_peer_key);
692
1.09k
out:
693
1.09k
  return result;
694
941
}
695
696
static struct Curl_ssl_scache_peer *
697
cf_ssl_get_free_peer(struct Curl_ssl_scache *scache)
698
258
{
699
258
  struct Curl_ssl_scache_peer *peer = NULL;
700
258
  size_t i;
701
702
  /* find empty or oldest peer */
703
308
  for(i = 0; i < scache->peer_count; ++i) {
704
    /* free peer entry? */
705
308
    if(!scache->peers[i].ssl_peer_key && !scache->peers[i].hmac_set) {
706
258
      peer = &scache->peers[i];
707
258
      break;
708
258
    }
709
    /* peer without sessions and obj */
710
50
    if(!scache->peers[i].sobj &&
711
50
       !Curl_llist_count(&scache->peers[i].sessions)) {
712
0
      peer = &scache->peers[i];
713
0
      break;
714
0
    }
715
    /* remember "oldest" peer */
716
50
    if(!peer || (scache->peers[i].age < peer->age)) {
717
50
      peer = &scache->peers[i];
718
50
    }
719
50
  }
720
258
  DEBUGASSERT(peer);
721
258
  if(peer)
722
258
    cf_ssl_scache_clear_peer(peer);
723
258
  return peer;
724
258
}
725
726
static CURLcode
727
cf_ssl_add_peer(struct Curl_easy *data,
728
                struct Curl_ssl_scache *scache,
729
                const char *ssl_peer_key,
730
                struct ssl_primary_config *conn_config,
731
                struct Curl_ssl_scache_peer **ppeer)
732
414
{
733
414
  struct Curl_ssl_scache_peer *peer = NULL;
734
414
  CURLcode result = CURLE_OK;
735
736
414
  *ppeer = NULL;
737
414
  if(ssl_peer_key) {
738
414
    result = cf_ssl_find_peer_by_key(data, scache, ssl_peer_key, conn_config,
739
414
                                     &peer);
740
414
    if(result || !scache->peer_count)
741
0
      return result;
742
414
  }
743
744
414
  if(peer) {
745
156
    *ppeer = peer;
746
156
    return CURLE_OK;
747
156
  }
748
749
258
  peer = cf_ssl_get_free_peer(scache);
750
258
  if(peer) {
751
258
    const char *ccert = conn_config ? conn_config->clientcert : NULL;
752
258
    const char *username = NULL, *password = NULL;
753
258
#ifdef USE_TLS_SRP
754
258
    username = conn_config ? conn_config->username : NULL;
755
258
    password = conn_config ? conn_config->password : NULL;
756
258
#endif
757
258
    result = cf_ssl_scache_peer_init(peer, ssl_peer_key, ccert,
758
258
                                     username, password, NULL, NULL);
759
258
    if(result)
760
0
      goto out;
761
    /* all ready */
762
258
    *ppeer = peer;
763
258
    result = CURLE_OK;
764
258
  }
765
766
258
out:
767
258
  if(result) {
768
0
    cf_ssl_scache_clear_peer(peer);
769
0
  }
770
258
  return result;
771
258
}
772
773
static void cf_scache_peer_add_session(struct Curl_ssl_scache_peer *peer,
774
                                       struct Curl_ssl_session *s,
775
                                       curl_off_t now)
776
414
{
777
  /* A session not from TLSv1.3 replaces all other. */
778
414
  if(s->ietf_tls_id != CURL_IETF_PROTO_TLS1_3) {
779
0
    Curl_llist_destroy(&peer->sessions, NULL);
780
0
    Curl_llist_append(&peer->sessions, s, &s->list);
781
0
  }
782
414
  else {
783
    /* Expire existing, append, trim from head to obey max_sessions */
784
414
    cf_scache_peer_remove_expired(peer, now);
785
414
    cf_scache_peer_remove_non13(peer);
786
414
    Curl_llist_append(&peer->sessions, s, &s->list);
787
424
    while(Curl_llist_count(&peer->sessions) > peer->max_sessions) {
788
10
      Curl_node_remove(Curl_llist_head(&peer->sessions));
789
10
    }
790
414
  }
791
414
}
792
793
static CURLcode cf_scache_add_session(struct Curl_cfilter *cf,
794
                                      struct Curl_easy *data,
795
                                      struct Curl_ssl_scache *scache,
796
                                      const char *ssl_peer_key,
797
                                      struct Curl_ssl_session *s)
798
414
{
799
414
  struct Curl_ssl_scache_peer *peer = NULL;
800
414
  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
801
414
  CURLcode result = CURLE_OUT_OF_MEMORY;
802
414
  curl_off_t now = (curl_off_t)time(NULL);
803
414
  curl_off_t max_lifetime;
804
805
414
  if(!scache || !scache->peer_count) {
806
0
    Curl_ssl_session_destroy(s);
807
0
    return CURLE_OK;
808
0
  }
809
810
414
  if(s->valid_until <= 0)
811
0
    s->valid_until = now + scache->default_lifetime_secs;
812
813
414
  max_lifetime = (s->ietf_tls_id == CURL_IETF_PROTO_TLS1_3) ?
814
414
                 CURL_SCACHE_MAX_13_LIFETIME_SEC :
815
414
                 CURL_SCACHE_MAX_12_LIFETIME_SEC;
816
414
  if(s->valid_until > (now + max_lifetime))
817
0
    s->valid_until = now + max_lifetime;
818
819
414
  if(cf_scache_session_expired(s, now)) {
820
0
    CURL_TRC_SSLS(data, "add, session already expired");
821
0
    Curl_ssl_session_destroy(s);
822
0
    return CURLE_OK;
823
0
  }
824
825
414
  result = cf_ssl_add_peer(data, scache, ssl_peer_key, conn_config, &peer);
826
414
  if(result || !peer) {
827
0
    CURL_TRC_SSLS(data, "unable to add scache peer: %d", result);
828
0
    Curl_ssl_session_destroy(s);
829
0
    goto out;
830
0
  }
831
832
414
  cf_scache_peer_add_session(peer, s, now);
833
834
414
out:
835
414
  if(result) {
836
0
    failf(data, "[SCACHE] failed to add session for %s, error=%d",
837
0
          ssl_peer_key, result);
838
0
  }
839
414
  else
840
414
    CURL_TRC_SSLS(data, "added session for %s [proto=0x%x, "
841
414
                  "valid_secs=%" FMT_OFF_T ", alpn=%s, earlydata=%zu, "
842
414
                  "quic_tp=%s], peer has %zu sessions now",
843
414
                  ssl_peer_key, s->ietf_tls_id, s->valid_until - now,
844
414
                  s->alpn, s->earlydata_max, s->quic_tp ? "yes" : "no",
845
414
                  peer ? Curl_llist_count(&peer->sessions) : 0);
846
414
  return result;
847
414
}
848
849
CURLcode Curl_ssl_scache_put(struct Curl_cfilter *cf,
850
                             struct Curl_easy *data,
851
                             const char *ssl_peer_key,
852
                             struct Curl_ssl_session *s)
853
414
{
854
414
  struct Curl_ssl_scache *scache = cf_ssl_scache_get(data);
855
414
  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
856
414
  CURLcode result;
857
414
  DEBUGASSERT(ssl_config);
858
859
414
  if(!scache || !ssl_config->primary.cache_session) {
860
0
    Curl_ssl_session_destroy(s);
861
0
    return CURLE_OK;
862
0
  }
863
864
414
  Curl_ssl_scache_lock(data);
865
414
  result = cf_scache_add_session(cf, data, scache, ssl_peer_key, s);
866
414
  Curl_ssl_scache_unlock(data);
867
414
  return result;
868
414
}
869
870
void Curl_ssl_scache_return(struct Curl_cfilter *cf,
871
                           struct Curl_easy *data,
872
                           const char *ssl_peer_key,
873
                           struct Curl_ssl_session *s)
874
683
{
875
  /* See RFC 8446 C.4:
876
   * "Clients SHOULD NOT reuse a ticket for multiple connections." */
877
683
  if(s && s->ietf_tls_id < 0x304)
878
0
    (void)Curl_ssl_scache_put(cf, data, ssl_peer_key, s);
879
683
  else
880
683
    Curl_ssl_session_destroy(s);
881
683
}
882
883
CURLcode Curl_ssl_scache_take(struct Curl_cfilter *cf,
884
                              struct Curl_easy *data,
885
                              const char *ssl_peer_key,
886
                              struct Curl_ssl_session **ps)
887
683
{
888
683
  struct Curl_ssl_scache *scache = cf_ssl_scache_get(data);
889
683
  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
890
683
  struct Curl_ssl_scache_peer *peer = NULL;
891
683
  struct Curl_llist_node *n;
892
683
  struct Curl_ssl_session *s = NULL;
893
683
  CURLcode result;
894
895
683
  *ps = NULL;
896
683
  if(!scache)
897
0
    return CURLE_OK;
898
899
683
  Curl_ssl_scache_lock(data);
900
683
  result = cf_ssl_find_peer_by_key(data, scache, ssl_peer_key, conn_config,
901
683
                                   &peer);
902
683
  if(!result && peer) {
903
0
    cf_scache_peer_remove_expired(peer, (curl_off_t)time(NULL));
904
0
    n = Curl_llist_head(&peer->sessions);
905
0
    if(n) {
906
0
      s = Curl_node_take_elem(n);
907
0
      (scache->age)++;            /* increase general age */
908
0
      peer->age = scache->age; /* set this as used in this age */
909
0
    }
910
0
  }
911
683
  Curl_ssl_scache_unlock(data);
912
683
  if(s) {
913
0
    *ps = s;
914
0
    CURL_TRC_SSLS(data, "took session for %s [proto=0x%x, "
915
0
                  "alpn=%s, earlydata=%zu, quic_tp=%s], %zu sessions remain",
916
0
                  ssl_peer_key, s->ietf_tls_id, s->alpn,
917
0
                  s->earlydata_max, s->quic_tp ? "yes" : "no",
918
0
                  Curl_llist_count(&peer->sessions));
919
0
  }
920
683
  else {
921
683
    CURL_TRC_SSLS(data, "no cached session for %s", ssl_peer_key);
922
683
  }
923
683
  return result;
924
683
}
925
926
CURLcode Curl_ssl_scache_add_obj(struct Curl_cfilter *cf,
927
                                 struct Curl_easy *data,
928
                                 const char *ssl_peer_key,
929
                                 void *sobj,
930
                                 Curl_ssl_scache_obj_dtor *sobj_free)
931
0
{
932
0
  struct Curl_ssl_scache *scache = cf_ssl_scache_get(data);
933
0
  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
934
0
  struct Curl_ssl_scache_peer *peer = NULL;
935
0
  CURLcode result;
936
937
0
  DEBUGASSERT(sobj);
938
0
  DEBUGASSERT(sobj_free);
939
940
0
  if(!scache) {
941
0
    result = CURLE_BAD_FUNCTION_ARGUMENT;
942
0
    goto out;
943
0
  }
944
945
0
  result = cf_ssl_add_peer(data, scache, ssl_peer_key, conn_config, &peer);
946
0
  if(result || !peer) {
947
0
    CURL_TRC_SSLS(data, "unable to add scache peer: %d", result);
948
0
    goto out;
949
0
  }
950
951
0
  cf_ssl_scache_peer_set_obj(peer, sobj, sobj_free);
952
0
  sobj = NULL;  /* peer took ownership */
953
954
0
out:
955
0
  if(sobj && sobj_free)
956
0
    sobj_free(sobj);
957
0
  return result;
958
0
}
959
960
void *Curl_ssl_scache_get_obj(struct Curl_cfilter *cf,
961
                              struct Curl_easy *data,
962
                              const char *ssl_peer_key)
963
0
{
964
0
  struct Curl_ssl_scache *scache = cf_ssl_scache_get(data);
965
0
  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
966
0
  struct Curl_ssl_scache_peer *peer = NULL;
967
0
  CURLcode result;
968
0
  void *sobj;
969
970
0
  if(!scache)
971
0
    return NULL;
972
973
0
  result = cf_ssl_find_peer_by_key(data, scache, ssl_peer_key, conn_config,
974
0
                                   &peer);
975
0
  if(result)
976
0
    return NULL;
977
978
0
  sobj = peer ? peer->sobj : NULL;
979
980
0
  CURL_TRC_SSLS(data, "%s cached session for '%s'",
981
0
                sobj ? "Found" : "No", ssl_peer_key);
982
0
  return sobj;
983
0
}
984
985
void Curl_ssl_scache_remove_all(struct Curl_cfilter *cf,
986
                                struct Curl_easy *data,
987
                                const char *ssl_peer_key)
988
0
{
989
0
  struct Curl_ssl_scache *scache = cf_ssl_scache_get(data);
990
0
  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
991
0
  struct Curl_ssl_scache_peer *peer = NULL;
992
0
  CURLcode result;
993
994
0
  (void)cf;
995
0
  if(!scache)
996
0
    return;
997
998
0
  Curl_ssl_scache_lock(data);
999
0
  result = cf_ssl_find_peer_by_key(data, scache, ssl_peer_key, conn_config,
1000
0
                                   &peer);
1001
0
  if(!result && peer)
1002
0
    cf_ssl_scache_clear_peer(peer);
1003
0
  Curl_ssl_scache_unlock(data);
1004
0
}
1005
1006
#ifdef USE_SSLS_EXPORT
1007
1008
#define CURL_SSL_TICKET_MAX   (16*1024)
1009
1010
static CURLcode cf_ssl_scache_peer_set_hmac(struct Curl_ssl_scache_peer *peer)
1011
{
1012
  CURLcode result;
1013
1014
  DEBUGASSERT(peer);
1015
  if(!peer->ssl_peer_key)
1016
    return CURLE_BAD_FUNCTION_ARGUMENT;
1017
1018
  result = Curl_rand(NULL, peer->key_salt, sizeof(peer->key_salt));
1019
  if(result)
1020
    return result;
1021
1022
  result = Curl_hmacit(&Curl_HMAC_SHA256,
1023
                       peer->key_salt, sizeof(peer->key_salt),
1024
                       (const unsigned char *)peer->ssl_peer_key,
1025
                       strlen(peer->ssl_peer_key),
1026
                       peer->key_hmac);
1027
  if(!result)
1028
    peer->hmac_set = TRUE;
1029
  return result;
1030
}
1031
1032
static CURLcode
1033
cf_ssl_find_peer_by_hmac(struct Curl_ssl_scache *scache,
1034
                         const unsigned char *salt,
1035
                         const unsigned char *hmac,
1036
                         struct Curl_ssl_scache_peer **ppeer)
1037
{
1038
  size_t i;
1039
  CURLcode result = CURLE_OK;
1040
1041
  *ppeer = NULL;
1042
  if(!GOOD_SCACHE(scache))
1043
    return CURLE_BAD_FUNCTION_ARGUMENT;
1044
1045
  /* look for an entry that matches salt+hmac exactly or has a known
1046
   * ssl_peer_key which salt+hmac's to the same. */
1047
  for(i = 0; scache && i < scache->peer_count; i++) {
1048
    struct Curl_ssl_scache_peer *peer = &scache->peers[i];
1049
    if(!cf_ssl_scache_match_auth(peer, NULL))
1050
      continue;
1051
    if(scache->peers[i].hmac_set &&
1052
       !memcmp(peer->key_salt, salt, sizeof(peer->key_salt)) &&
1053
       !memcmp(peer->key_hmac, hmac, sizeof(peer->key_hmac))) {
1054
      /* found exact match, return */
1055
      *ppeer = peer;
1056
      goto out;
1057
    }
1058
    else if(peer->ssl_peer_key) {
1059
      unsigned char my_hmac[CURL_SHA256_DIGEST_LENGTH];
1060
      /* compute hmac for the passed salt */
1061
      result = Curl_hmacit(&Curl_HMAC_SHA256,
1062
                           salt, sizeof(peer->key_salt),
1063
                           (const unsigned char *)peer->ssl_peer_key,
1064
                           strlen(peer->ssl_peer_key),
1065
                           my_hmac);
1066
      if(result)
1067
        goto out;
1068
      if(!memcmp(my_hmac, hmac, sizeof(my_hmac))) {
1069
        /* cryptohash match, take over salt+hmac if no set and return */
1070
        if(!peer->hmac_set) {
1071
          memcpy(peer->key_salt, salt, sizeof(peer->key_salt));
1072
          memcpy(peer->key_hmac, hmac, sizeof(peer->key_hmac));
1073
          peer->hmac_set = TRUE;
1074
        }
1075
        *ppeer = peer;
1076
        goto out;
1077
      }
1078
    }
1079
  }
1080
out:
1081
  return result;
1082
}
1083
1084
CURLcode Curl_ssl_session_import(struct Curl_easy *data,
1085
                                 const char *ssl_peer_key,
1086
                                 const unsigned char *shmac, size_t shmac_len,
1087
                                 const void *sdata, size_t sdata_len)
1088
{
1089
  struct Curl_ssl_scache *scache = cf_ssl_scache_get(data);
1090
  struct Curl_ssl_scache_peer *peer = NULL;
1091
  struct Curl_ssl_session *s = NULL;
1092
  bool locked = FALSE;
1093
  CURLcode r;
1094
1095
  if(!scache) {
1096
    r = CURLE_BAD_FUNCTION_ARGUMENT;
1097
    goto out;
1098
  }
1099
  if(!ssl_peer_key && (!shmac || !shmac_len)) {
1100
    r = CURLE_BAD_FUNCTION_ARGUMENT;
1101
    goto out;
1102
  }
1103
1104
  r = Curl_ssl_session_unpack(data, sdata, sdata_len, &s);
1105
  if(r)
1106
    goto out;
1107
1108
  Curl_ssl_scache_lock(data);
1109
  locked = TRUE;
1110
1111
  if(ssl_peer_key) {
1112
    r = cf_ssl_add_peer(data, scache, ssl_peer_key, NULL, &peer);
1113
    if(r)
1114
      goto out;
1115
  }
1116
  else if(shmac_len != (sizeof(peer->key_salt) + sizeof(peer->key_hmac))) {
1117
    /* Either salt+hmac was garbled by caller or is from a curl version
1118
     * that does things differently */
1119
    r = CURLE_BAD_FUNCTION_ARGUMENT;
1120
    goto out;
1121
  }
1122
  else {
1123
    const unsigned char *salt = shmac;
1124
    const unsigned char *hmac = shmac + sizeof(peer->key_salt);
1125
1126
    r = cf_ssl_find_peer_by_hmac(scache, salt, hmac, &peer);
1127
    if(r)
1128
      goto out;
1129
    if(!peer) {
1130
      peer = cf_ssl_get_free_peer(scache);
1131
      if(peer) {
1132
        r = cf_ssl_scache_peer_init(peer, ssl_peer_key, NULL,
1133
                                    NULL, NULL, salt, hmac);
1134
        if(r)
1135
          goto out;
1136
      }
1137
    }
1138
  }
1139
1140
  if(peer) {
1141
    cf_scache_peer_add_session(peer, s, time(NULL));
1142
    s = NULL; /* peer is now owner */
1143
    CURL_TRC_SSLS(data, "successfully imported ticket for peer %s, now "
1144
                  "with %zu tickets",
1145
                  peer->ssl_peer_key ? peer->ssl_peer_key : "without key",
1146
                  Curl_llist_count(&peer->sessions));
1147
  }
1148
1149
out:
1150
  if(locked)
1151
    Curl_ssl_scache_unlock(data);
1152
  Curl_ssl_session_destroy(s);
1153
  return r;
1154
}
1155
1156
CURLcode Curl_ssl_session_export(struct Curl_easy *data,
1157
                                 curl_ssls_export_cb *export_fn,
1158
                                 void *userptr)
1159
{
1160
  struct Curl_ssl_scache *scache = cf_ssl_scache_get(data);
1161
  struct Curl_ssl_scache_peer *peer;
1162
  struct dynbuf sbuf, hbuf;
1163
  struct Curl_llist_node *n;
1164
  size_t i, npeers = 0, ntickets = 0;
1165
  curl_off_t now = time(NULL);
1166
  CURLcode r = CURLE_OK;
1167
1168
  if(!export_fn)
1169
    return CURLE_BAD_FUNCTION_ARGUMENT;
1170
  if(!scache)
1171
    return CURLE_OK;
1172
1173
  Curl_ssl_scache_lock(data);
1174
1175
  curlx_dyn_init(&hbuf, (CURL_SHA256_DIGEST_LENGTH * 2) + 1);
1176
  curlx_dyn_init(&sbuf, CURL_SSL_TICKET_MAX);
1177
1178
  for(i = 0; scache && i < scache->peer_count; i++) {
1179
    peer = &scache->peers[i];
1180
    if(!peer->ssl_peer_key && !peer->hmac_set)
1181
      continue;  /* skip free entry */
1182
    if(!peer->exportable)
1183
      continue;
1184
1185
    curlx_dyn_reset(&hbuf);
1186
    cf_scache_peer_remove_expired(peer, now);
1187
    n = Curl_llist_head(&peer->sessions);
1188
    if(n)
1189
      ++npeers;
1190
    while(n) {
1191
      struct Curl_ssl_session *s = Curl_node_elem(n);
1192
      if(!peer->hmac_set) {
1193
        r = cf_ssl_scache_peer_set_hmac(peer);
1194
        if(r)
1195
          goto out;
1196
      }
1197
      if(!curlx_dyn_len(&hbuf)) {
1198
        r = curlx_dyn_addn(&hbuf, peer->key_salt, sizeof(peer->key_salt));
1199
        if(r)
1200
          goto out;
1201
        r = curlx_dyn_addn(&hbuf, peer->key_hmac, sizeof(peer->key_hmac));
1202
        if(r)
1203
          goto out;
1204
      }
1205
      curlx_dyn_reset(&sbuf);
1206
      r = Curl_ssl_session_pack(data, s, &sbuf);
1207
      if(r)
1208
        goto out;
1209
1210
      r = export_fn(data, userptr, peer->ssl_peer_key,
1211
                    curlx_dyn_uptr(&hbuf), curlx_dyn_len(&hbuf),
1212
                    curlx_dyn_uptr(&sbuf), curlx_dyn_len(&sbuf),
1213
                    s->valid_until, s->ietf_tls_id,
1214
                    s->alpn, s->earlydata_max);
1215
      if(r)
1216
        goto out;
1217
      ++ntickets;
1218
      n = Curl_node_next(n);
1219
    }
1220
1221
  }
1222
  r = CURLE_OK;
1223
  CURL_TRC_SSLS(data, "exported %zu session tickets for %zu peers",
1224
                ntickets, npeers);
1225
1226
out:
1227
  Curl_ssl_scache_unlock(data);
1228
  curlx_dyn_free(&hbuf);
1229
  curlx_dyn_free(&sbuf);
1230
  return r;
1231
}
1232
1233
#endif /* USE_SSLS_EXPORT */
1234
1235
#endif /* USE_SSL */