bearssl: improved session handling, test exceptions

Add a length to session saves, making it clear that we are storing a byte
blob and allowing memcmp() for the sameness check.

Remove some pytest skips for bearssl to see if they now work properly in
CI.

Closes #15395
Stefan Eissing 2024-10-24 12:36:41 +02:00 committed by Daniel Stenberg
parent 30f66c8ba4
commit 358eae42a4
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
3 changed files with 8 additions and 11 deletions


@ -609,12 +609,15 @@ static CURLcode bearssl_connect_step1(struct Curl_cfilter *cf,
br_ssl_engine_set_x509(&backend->ctx.eng, &backend->x509.vtable);
if(ssl_config->primary.cache_session) {
void *session;
void *sdata;
size_t slen;
const br_ssl_session_parameters *session;
CURL_TRC_CF(data, cf, "connect_step1, check session cache");
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(cf, data, &connssl->peer,
&session, NULL, NULL)) {
if(!Curl_ssl_getsessionid(cf, data, &connssl->peer, &sdata, &slen, NULL) &&
slen == sizeof(*session)) {
session = sdata;
br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
session_set = 1;
infof(data, "BearSSL: reusing session ID");
@ -836,7 +839,8 @@ static CURLcode bearssl_connect_step3(struct Curl_cfilter *cf,
return CURLE_OUT_OF_MEMORY;
br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
Curl_ssl_sessionid_lock(data);
ret = Curl_ssl_set_sessionid(cf, data, &connssl->peer, NULL, session, 0,
ret = Curl_ssl_set_sessionid(cf, data, &connssl->peer, NULL,
session, sizeof(*session),
bearssl_session_free);
Curl_ssl_sessionid_unlock(data);
if(ret)
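Review bot: Storing `session, sizeof(*session)` in bearssl_connect_step3 saves the whole `br_ssl_session_parameters` struct, padding bytes included, so if the allocation just above the hunk (out of view) is a plain malloc rather than calloc, the memcmp()-based sameness check the commit message relies on compares indeterminate bytes and can report two equal sessions as different; allocating with `session = calloc(1, sizeof(*session));` makes the blob deterministic. The saved blob also carries the TLS master secret, so bearssl_session_free (not in view) should wipe the struct before releasing it rather than only free it. On the read side in bearssl_connect_step1, a cached entry whose `slen` does not match is silently skipped; a `CURL_TRC_CF(data, cf, "session blob size mismatch, not reused");` in that branch would make such a cache miss visible in traces. Both enclosing functions start and end outside the hunks.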


@ -474,12 +474,6 @@ class TestDownload:
# make extreme parallel h2 upgrades, check invalid conn reuse
# before protocol switch has happened
def test_02_25_h2_upgrade_x(self, env: Env, httpd, repeat):
# not locally reproducible timeouts with certain SSL libs
# Since this test is about connection reuse handling, we skip
# it on these builds. Although we would certainly like to understand
# why this happens.
if env.curl_uses_lib('bearssl'):
pytest.skip('CI workflows timeout on bearssl build')
url = f'http://localhost:{env.http_port}/data-100k'
client = LocalClient(name='h2-upgrade-extreme', env=env, timeout=15)
if not client.exists():


@ -35,7 +35,6 @@ from testenv import Env, CurlClient
log = logging.getLogger(__name__)
@pytest.mark.skipif(condition=Env.curl_uses_lib('bearssl'), reason='BearSSL too slow')
@pytest.mark.skipif(condition=not Env.have_ssl_curl(), reason="curl without SSL")
class TestReuse: