mirror of
https://github.com/curl/curl.git
synced 2026-07-10 23:57:15 +03:00
FTP servers using SSL can be configured to check TLS session reuse on the DATA connection. They hand out a new session on every CONTROL connect and require to see the client using exactly that one when up-/downloading on DATA. This means: 1. We have to configure the SSL filter on the DATA connection with exactly the same peers. 2. We have to remember the SSL session on the CONTROL connection - separately from the session cache. The SSL filter on the DATA connection then looks for a session at the CONTROL filter and, if present, uses that. Tests: Enable `require_ssl_reuse` in our pytest setup for vsftpd. This reproduces the problem reported in #22225 and verifies the fix. Skip ftp+SSL pytests for rustls, as we have no possibility to reuse sessions in that backend. Schannel: we do not run these tests with the backend. I expect it has similar problems but am not able to verify. Reported-by: Laurent Sabourin Fixes #22225 Closes #22246
102 lines
3.9 KiB
C
102 lines
3.9 KiB
C
#ifndef HEADER_CURL_WOLFSSL_H
|
|
#define HEADER_CURL_WOLFSSL_H
|
|
/***************************************************************************
|
|
* _ _ ____ _
|
|
* Project ___| | | | _ \| |
|
|
* / __| | | | |_) | |
|
|
* | (__| |_| | _ <| |___
|
|
* \___|\___/|_| \_\_____|
|
|
*
|
|
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
*
|
|
* This software is licensed as described in the file COPYING, which
|
|
* you should have received as part of this distribution. The terms
|
|
* are also available at https://curl.se/docs/copyright.html.
|
|
*
|
|
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
* copies of the Software, and permit persons to whom the Software is
|
|
* furnished to do so, under the terms of the COPYING file.
|
|
*
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
* KIND, either express or implied.
|
|
*
|
|
* SPDX-License-Identifier: curl
|
|
*
|
|
***************************************************************************/
|
|
#include "curl_setup.h"
|
|
|
|
#ifdef USE_WOLFSSL
|
|
|
|
#include "urldata.h"
|
|
|
|
#include <wolfssl/options.h>
|
|
|
|
struct alpn_spec;
|
|
struct ssl_peer;
|
|
struct Curl_ssl_session;
|
|
|
|
struct WOLFSSL;
|
|
struct WOLFSSL_CTX;
|
|
struct WOLFSSL_SESSION;
|
|
|
|
extern const struct Curl_ssl Curl_ssl_wolfssl;
|
|
|
|
struct wssl_ctx {
|
|
struct WOLFSSL_CTX *ssl_ctx;
|
|
struct WOLFSSL *ssl;
|
|
CURLcode io_result; /* result of last BIO cfilter operation */
|
|
CURLcode hs_result; /* result of handshake */
|
|
int io_send_blocked_len; /* length of last BIO write that EAGAIN-ed */
|
|
BIT(x509_store_setup); /* x509 store has been set up */
|
|
BIT(shutting_down); /* TLS is being shut down */
|
|
};
|
|
|
|
size_t Curl_wssl_version(char *buffer, size_t size);
|
|
|
|
typedef CURLcode Curl_wssl_ctx_setup_cb(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
void *user_data);
|
|
|
|
typedef CURLcode Curl_wssl_init_session_reuse_cb(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
struct alpn_spec *alpns,
|
|
struct Curl_ssl_session *scs,
|
|
bool *do_early_data);
|
|
|
|
CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
|
|
struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
struct ssl_peer *peer,
|
|
const struct alpn_spec *alpns_requested,
|
|
Curl_wssl_ctx_setup_cb *cb_setup,
|
|
void *cb_user_data,
|
|
void *ssl_user_data,
|
|
Curl_wssl_init_session_reuse_cb *sess_reuse_cb);
|
|
|
|
/* Is a resolved HTTPS-RR needed for initializing wolfSSL? */
|
|
bool Curl_wssl_need_httpsrr(struct Curl_easy *data);
|
|
|
|
CURLcode Curl_wssl_setup_x509_store(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
struct wssl_ctx *wssl);
|
|
|
|
#ifdef HAVE_EX_DATA
|
|
CURLcode Curl_wssl_cache_session(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
const char *ssl_peer_key,
|
|
struct WOLFSSL_SESSION *session,
|
|
int ietf_tls_id,
|
|
const char *alpn,
|
|
unsigned char *quic_tp,
|
|
size_t quic_tp_len,
|
|
struct Curl_ssl_session **pscs);
|
|
#endif
|
|
|
|
CURLcode Curl_wssl_verify_pinned(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
struct wssl_ctx *wssl);
|
|
|
|
void Curl_wssl_report_handshake(struct Curl_easy *data, struct wssl_ctx *wssl);
|
|
|
|
#endif /* USE_WOLFSSL */
|
|
#endif /* HEADER_CURL_WOLFSSL_H */
|