cf-dns: pass peer for result lookups

The DNS filter knows the peer it resolves and the code parts that want
the results know the peer as well. Pass it to lookup methods to make
sure results match.

Background: when tunneling, the resolved peer is not always the one that
other filters are looking for. Especially when HTTPS-RR results are
accessed in TLS filters, those will differ.

This prevents an HTTPS-RR for a proxy from being used for the origin when
ECH is activated. To make ECH work through a tunnel, we need to start an
additional resolve. Something to be fixed after 8.21.

Closes #22042
Stefan Eissing 2026-06-16 12:07:08 +02:00 committed by Daniel Stenberg
parent 73d060950e
commit 92db819714
GPG key ID: 5CC908FDB71E12C2
11 changed files with 96 additions and 54 deletions

@ -304,7 +304,8 @@ static enum alpnid cf_hc_get_httpsrr_alpn(struct Curl_cfilter *cf,
size_t i;
/* Do we have HTTPS-RR information? */
rr = Curl_conn_dns_get_https(data, cf->sockindex);
rr = Curl_conn_dns_get_https(
data, cf->sockindex, Curl_conn_get_destination(cf->conn, cf->sockindex));
/* We do not support `rr->no_def_alpn`. */
if(Curl_httpsrr_applicable(data, rr) && !rr->no_def_alpn) {
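Review bot: The new third argument to Curl_conn_dns_get_https() in cf_hc_get_httpsrr_alpn() is computed inline from Curl_conn_get_destination(cf->conn, cf->sockindex) with no comment on why the destination is the key to match on. A one-line comment stating that under tunneling the DNS filter may have resolved a different peer, so a mismatch must yield no HTTPS-RR, would make the intent visible at the call site. Please also confirm that a mismatch returns NULL and that Curl_httpsrr_applicable() tolerates a NULL rr, since the condition on the following line relies on that before it reads rr->no_def_alpn.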
@ -493,7 +494,8 @@ static CURLcode cf_hc_connect(struct Curl_cfilter *cf,
*done = FALSE;
if(!ctx->httpsrr_resolved) {
ctx->httpsrr_resolved = Curl_conn_dns_resolved_https(data, cf->sockindex);
ctx->httpsrr_resolved = Curl_conn_dns_resolved_https(
data, cf->sockindex, Curl_conn_get_destination(cf->conn, cf->sockindex));
#ifdef DEBUGBUILD
if(!ctx->httpsrr_resolved && getenv("CURL_DBG_AWAIT_HTTPSRR")) {
CURL_TRC_CF(data, cf, "awaiting HTTPS-RR");
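Review bot: In cf_hc_connect(), what Curl_conn_dns_resolved_https() returns when the passed destination does not match the peer the DNS filter resolved is not documented here, and it matters for the guard if(!ctx->httpsrr_resolved). If a mismatch is reported as "not resolved", that flag never becomes true and the CURL_DBG_AWAIT_HTTPSRR branch keeps tracing "awaiting HTTPS-RR"; a mismatch should probably count as resolved with no record, and a comment should say so. The expression Curl_conn_get_destination(cf->conn, cf->sockindex) is now repeated in both call sites of this file, so a local variable or small helper would keep them from drifting apart.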