curl/lib/vtls/wolfssl.h
Stefan Eissing 84ecfb3ecc
FTP: fix TLS session reuse on the data connection
FTP servers using SSL can be configured to check TLS session reuse on
the DATA connection. They hand out a new session on every CONTROL
connect and require to see the client using exactly that one when
up-/downloading on DATA.

This means:

1. We have to configure the SSL filter on the DATA connection with
   exactly the same peers.

2. We have to remember the SSL session on the CONTROL connection -
   separately from the session cache. The SSL filter on the DATA
   connection then looks for a session at the CONTROL filter and, if
   present, uses that.

Tests:

Enable `require_ssl_reuse` in our pytest setup for vsftpd. This
reproduces the problem reported in #22225 and verifies the fix.

Skip ftp+SSL pytests for rustls, as we have no possibility to reuse
sessions in that backend.

Schannel: we do not run these tests with the backend. I expect it has
similar problems but am not able to verify.

Reported-by: Laurent Sabourin
Fixes #22225
Closes #22246
2026-07-02 17:39:04 +02:00

102 lines
3.9 KiB
C

#ifndef HEADER_CURL_WOLFSSL_H
#define HEADER_CURL_WOLFSSL_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "curl_setup.h"
#ifdef USE_WOLFSSL
#include "urldata.h"
#include <wolfssl/options.h>
struct alpn_spec;
struct ssl_peer;
struct Curl_ssl_session;
struct WOLFSSL;
struct WOLFSSL_CTX;
struct WOLFSSL_SESSION;
extern const struct Curl_ssl Curl_ssl_wolfssl;
struct wssl_ctx {
struct WOLFSSL_CTX *ssl_ctx;
struct WOLFSSL *ssl;
CURLcode io_result; /* result of last BIO cfilter operation */
CURLcode hs_result; /* result of handshake */
int io_send_blocked_len; /* length of last BIO write that EAGAIN-ed */
BIT(x509_store_setup); /* x509 store has been set up */
BIT(shutting_down); /* TLS is being shut down */
};
size_t Curl_wssl_version(char *buffer, size_t size);
typedef CURLcode Curl_wssl_ctx_setup_cb(struct Curl_cfilter *cf,
struct Curl_easy *data,
void *user_data);
typedef CURLcode Curl_wssl_init_session_reuse_cb(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct alpn_spec *alpns,
struct Curl_ssl_session *scs,
bool *do_early_data);
CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_peer *peer,
const struct alpn_spec *alpns_requested,
Curl_wssl_ctx_setup_cb *cb_setup,
void *cb_user_data,
void *ssl_user_data,
Curl_wssl_init_session_reuse_cb *sess_reuse_cb);
/* Is a resolved HTTPS-RR needed for initializing wolfSSL? */
bool Curl_wssl_need_httpsrr(struct Curl_easy *data);
CURLcode Curl_wssl_setup_x509_store(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct wssl_ctx *wssl);
#ifdef HAVE_EX_DATA
CURLcode Curl_wssl_cache_session(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
struct WOLFSSL_SESSION *session,
int ietf_tls_id,
const char *alpn,
unsigned char *quic_tp,
size_t quic_tp_len,
struct Curl_ssl_session **pscs);
#endif
CURLcode Curl_wssl_verify_pinned(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct wssl_ctx *wssl);
void Curl_wssl_report_handshake(struct Curl_easy *data, struct wssl_ctx *wssl);
#endif /* USE_WOLFSSL */
#endif /* HEADER_CURL_WOLFSSL_H */