TLS: check connection for SSL use, not handler

Protocol handler option PROTOPT_SSL is used to set up a connection's
filters. Once that is done, use `Curl_conn_is_ssl()` to check whether
a connection uses SSL.

There may be other reasons to add SSL to a connection, e.g. starttls.

Closes #16034
Stefan Eissing 2025-01-17 11:57:00 +01:00 committed by Daniel Stenberg
parent ef3d7877d5
commit 25b445e479
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
11 changed files with 21 additions and 19 deletions


@ -1298,7 +1298,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data,
rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen);
#elif defined(MSG_FASTOPEN) /* old Linux */ #elif defined(MSG_FASTOPEN) /* old Linux */
if(cf->conn->given->flags & PROTOPT_SSL) if(Curl_conn_is_ssl(cf->conn, cf->sockindex))
rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen);
else else
rc = 0; /* Do nothing */ rc = 0; /* Do nothing */
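Review bot: The SSL decision in the MSG_FASTOPEN branch now follows the connection's filter chain rather than the protocol handler, but nothing at the site says why a TLS connection takes the eager connect() while a plain one takes the `rc = 0` deferral. A comment would spare the next reader a detour, e.g. `/* TLS needs a connected socket for its handshake; plain data can ride on the first sendto(MSG_FASTOPEN) */` — presumably that is the rationale, please confirm against the surrounding code. Passing `cf->sockindex` rather than FIRSTSOCKET looks right here, since a socket filter may sit on a secondary connection. do_connect continues outside the hunk.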


@ -3163,7 +3163,7 @@ static CURLcode ftp_connect(struct Curl_easy *data,
PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp);
if(conn->handler->flags & PROTOPT_SSL) { if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
/* BLOCKING */ /* BLOCKING */
result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done);
if(result) if(result)


@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done)
goto fail; goto fail;
} }
if(!(conn->handler->flags&PROTOPT_SSL) && if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) &&
conn->httpversion < 20 && conn->httpversion < 20 &&
(data->state.httpwant == CURL_HTTP_VERSION_2)) { (data->state.httpwant == CURL_HTTP_VERSION_2)) {
/* append HTTP2 upgrade magic stuff to the HTTP request if it is not done /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done
@ -2670,7 +2670,7 @@ static CURLcode http_header(struct Curl_easy *data,
case 'A': case 'A':
#ifndef CURL_DISABLE_ALTSVC #ifndef CURL_DISABLE_ALTSVC
v = (data->asi && v = (data->asi &&
((data->conn->handler->flags & PROTOPT_SSL) || (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ||
#ifdef DEBUGBUILD #ifdef DEBUGBUILD
/* allow debug builds to circumvent the HTTPS restriction */ /* allow debug builds to circumvent the HTTPS restriction */
getenv("CURL_ALTSVC_HTTP") getenv("CURL_ALTSVC_HTTP")
@ -2944,7 +2944,7 @@ static CURLcode http_header(struct Curl_easy *data,
#ifndef CURL_DISABLE_HSTS #ifndef CURL_DISABLE_HSTS
/* If enabled, the header is incoming and this is over HTTPS */ /* If enabled, the header is incoming and this is over HTTPS */
v = (data->hsts && v = (data->hsts &&
((conn->handler->flags & PROTOPT_SSL) || (Curl_conn_is_ssl(conn, FIRSTSOCKET) ||
#ifdef DEBUGBUILD #ifdef DEBUGBUILD
/* allow debug builds to circumvent the HTTPS restriction */ /* allow debug builds to circumvent the HTTPS restriction */
getenv("CURL_HSTS_HTTP") getenv("CURL_HSTS_HTTP")
@ -4168,7 +4168,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers,
infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme);
} }
else { else {
scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ?
"https" : "http"; "https" : "http";
} }
} }
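Review bot: The scheme selection `scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? "https" : "http";` drops the `data->conn &&` guard the old line had, so Curl_http_req_to_h2 now relies on Curl_conn_is_ssl() tolerating a NULL connection; if it does not, keep the guard: `scheme = (data->conn && Curl_conn_is_ssl(data->conn, FIRSTSOCKET)) ? "https" : "http";`. The Alt-Svc and HSTS gates in the earlier hunks now test the connection's actual TLS state instead of the URL scheme, which is the right property for deciding whether those headers may be trusted; it is worth confirming that Curl_conn_is_ssl() reports the origin hop only and not a TLS hop to a proxy carrying plain HTTP. The enclosing functions start and end outside the hunks.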


@ -27,6 +27,7 @@
#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
#include "urldata.h" #include "urldata.h"
#include "cfilters.h"
#include "sendf.h" #include "sendf.h"
#include "http_negotiate.h" #include "http_negotiate.h"
#include "vauth/vauth.h" #include "vauth/vauth.h"
@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
#endif #endif
/* Check if the connection is using SSL and get the channel binding data */ /* Check if the connection is using SSL and get the channel binding data */
#if defined(USE_SSL) && defined(HAVE_GSSAPI) #if defined(USE_SSL) && defined(HAVE_GSSAPI)
if(conn->handler->flags & PROTOPT_SSL) { if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
result = Curl_ssl_get_channel_binding( result = Curl_ssl_get_channel_binding(
data, FIRSTSOCKET, &neg_ctx->channel_binding_data); data, FIRSTSOCKET, &neg_ctx->channel_binding_data);


@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done)
struct connectdata *conn = data->conn; struct connectdata *conn = data->conn;
struct imap_conn *imapc = &conn->proto.imapc; struct imap_conn *imapc = &conn->proto.imapc;
if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) {
bool ssldone = FALSE; bool ssldone = FALSE;
result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone);
imapc->ssldone = ssldone; imapc->ssldone = ssldone;
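Review bot: With the conn-based check this branch is also entered during a STARTTLS upgrade, once the SSL filter has been added but before `imapc->ssldone` is set, so imap_multi_statemach now drives Curl_conn_connect() for the same handshake the upgrade state presumably drives; I believe the call is harmless while connecting, but please confirm both paths agree on the ssldone transition. The same applies to the pop3_multi_statemach and smtp_multi_statemach hunks. A comment such as `/* initial imaps:// TLS, or a STARTTLS upgrade still handshaking */` would record the widened meaning of the condition. The function continues outside the hunk.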


@ -83,6 +83,7 @@
#include "urldata.h" #include "urldata.h"
#include <curl/curl.h> #include <curl/curl.h>
#include "cfilters.h"
#include "sendf.h" #include "sendf.h"
#include "escape.h" #include "escape.h"
#include "progress.h" #include "progress.h"
@ -351,7 +352,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
} }
/* Get the URL scheme (either ldap or ldaps) */ /* Get the URL scheme (either ldap or ldaps) */
if(conn->given->flags & PROTOPT_SSL) if(Curl_conn_is_ssl(conn, FIRSTSOCKET))
ldap_ssl = 1; ldap_ssl = 1;
infof(data, "LDAP local: trying to establish %s connection", infof(data, "LDAP local: trying to establish %s connection",
ldap_ssl ? "encrypted" : "cleartext"); ldap_ssl ? "encrypted" : "cleartext");


@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done)
ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
#ifdef USE_SSL #ifdef USE_SSL
if(conn->handler->flags & PROTOPT_SSL) if(Curl_conn_is_ssl(conn, FIRSTSOCKET))
return oldap_ssl_connect(data, OLDAP_SSL); return oldap_ssl_connect(data, OLDAP_SSL);
if(data->set.use_ssl) { if(data->set.use_ssl) {


@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done)
struct connectdata *conn = data->conn; struct connectdata *conn = data->conn;
struct pop3_conn *pop3c = &conn->proto.pop3c; struct pop3_conn *pop3c = &conn->proto.pop3c;
if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) {
bool ssldone = FALSE; bool ssldone = FALSE;
result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone);
pop3c->ssldone = ssldone; pop3c->ssldone = ssldone;


@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done)
if(smbc->state == SMB_CONNECTING) { if(smbc->state == SMB_CONNECTING) {
#ifdef USE_SSL #ifdef USE_SSL
if((conn->handler->flags & PROTOPT_SSL)) { if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
bool ssl_done = FALSE; bool ssl_done = FALSE;
result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done);
if(result && result != CURLE_AGAIN) if(result && result != CURLE_AGAIN)


@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done)
struct connectdata *conn = data->conn; struct connectdata *conn = data->conn;
struct smtp_conn *smtpc = &conn->proto.smtpc; struct smtp_conn *smtpc = &conn->proto.smtpc;
if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) {
bool ssldone = FALSE; bool ssldone = FALSE;
result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone);
smtpc->ssldone = ssldone; smtpc->ssldone = ssldone;


@ -956,12 +956,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata)
return FALSE; return FALSE;
#endif #endif
if((needle->handler->flags&PROTOPT_SSL) != if((!(needle->handler->flags&PROTOPT_SSL) !=
(conn->handler->flags&PROTOPT_SSL)) !Curl_conn_is_ssl(conn, FIRSTSOCKET)) &&
/* do not do mixed SSL and non-SSL connections */ !(get_protocol_family(conn->handler) == needle->handler->protocol &&
if(get_protocol_family(conn->handler) != conn->bits.tls_upgraded))
needle->handler->protocol || !conn->bits.tls_upgraded) /* Deny `conn` if it is not fit for `needle`'s SSL needs,
/* except protocols that have been upgraded via TLS */ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */
return FALSE; return FALSE;
#ifndef CURL_DISABLE_PROXY #ifndef CURL_DISABLE_PROXY
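Review bot: The reuse guard now compares what the request requires (the needle's handler flag) with what the connection actually carries (its filter chain), which is the correct check for keeping a plaintext connection from serving a request that demands TLS, but the `!(...) != !Curl_conn_is_ssl(...)` double negation and the inverted exception clause are hard to read at a glance. Two named booleans make the intent explicit and let the comment sit before the condition it explains; their declarations would go at the top of url_match_conn, whose start is outside the hunk.
```c
  /* `needle` must not get a connection whose TLS state differs from what
   * its scheme requires, except a same-family connection that was upgraded
   * to TLS (STARTTLS) and so satisfies both. */
  needle_ssl = (needle->handler->flags & PROTOPT_SSL) != 0;
  conn_ssl = Curl_conn_is_ssl(conn, FIRSTSOCKET);
  if(needle_ssl != conn_ssl &&
     !(conn->bits.tls_upgraded &&
       get_protocol_family(conn->handler) == needle->handler->protocol))
    return FALSE;
```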