curl.h: add CURLOPT_CA_CACHE_TIMEOUT option

Adds a new option to control the maximum time that a cached certificate store may be retained for. Currently only the OpenSSL backend implements support for caching certificate stores. Closes #9620
2025-02-17 14:59:45 +08:00 · 2022-10-12 12:12:08 +01:00 · 2022-10-12 12:12:08 +01:00 · 1fdca35ddd
commit 1fdca35ddd
parent 3c16697ebd
10 changed files with 116 additions and 11 deletions
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@ -629,6 +629,8 @@ Path to proxy CA cert bundle. See \fICURLOPT_PROXY_CAPATH(3)\fP
 Certificate Revocation List. See \fICURLOPT_CRLFILE(3)\fP
 .IP CURLOPT_PROXY_CRLFILE
 Proxy Certificate Revocation List. See \fICURLOPT_PROXY_CRLFILE(3)\fP
 .IP CURLOPT_CA_CACHE_TIMEOUT
 Timeout for CA cache. See \fICURLOPT_CA_CACHE_TIMEOUT(3)\fP
 .IP CURLOPT_CERTINFO
 Extract certificate info. See \fICURLOPT_CERTINFO(3)\fP
 .IP CURLOPT_PINNEDPUBLICKEY
--- a/docs/libcurl/opts/CURLOPT_CA_CACHE_TIMEOUT.3
+++ b/docs/libcurl/opts/CURLOPT_CA_CACHE_TIMEOUT.3
@ -0,0 +1,76 @@
 .\" **************************************************************************
 .\" *                                  _   _ ____  _
 .\" *  Project                     ___| | | |  _ \| |
 .\" *                             / __| | | | |_) | |
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
 .\" * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
 .\" * are also available at https://curl.se/docs/copyright.html.
 .\" *
 .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 .\" * copies of the Software, and permit persons to whom the Software is
 .\" * furnished to do so, under the terms of the COPYING file.
 .\" *
 .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 .\" * KIND, either express or implied.
 .\" *
 .\" * SPDX-License-Identifier: curl
 .\" *
 .\" **************************************************************************
 .\"
 .TH CURLOPT_CA_CACHE_TIMEOUT 3 "21 Dec 2022" "libcurl 7.87.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_CA_CACHE_TIMEOUT \- life-time for cached certificate stores
 .SH SYNOPSIS
 .nf
 #include <curl/curl.h>
 CURLcode curl_easy_setopt(CURL *handle, CURLOPT_CA_CACHE_TIMEOUT, long age);
 .fi
 .SH DESCRIPTION
 Pass a long, this sets the timeout in seconds. This tells libcurl the maximum
 time any cached certificate store it has in memory may be kept and reused for
 new connections. Once the timeout has expired, a subsequent fetch requiring a
 certificate store will have to build a new one.
 Building a certificate store from a \fICURLOPT_CAINFO\fP file is a slow
 operation so curl may cache the generated certificate store internally to speed
 up future connections.
 Set to zero to completely disable caching, or set to -1 to retain the cached
 store remain forever. By default, libcurl caches this info for 24 hours.
 .SH DEFAULT
 86400 (24 hours)
 .SH PROTOCOLS
 All
 .SH EXAMPLE
 .nf
 CURL *curl = curl_easy_init();
 if(curl) {
  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/foo.bin");
  /* only reuse certificate stores for a short time */
  curl_easy_setopt(curl, CURLOPT_CA_CACHE_TIMEOUT, 60L);
  ret = curl_easy_perform(curl);
  /* in this second request, the cache will not be used if more than
     sixty seconds have passed since the previous connection */
  ret = curl_easy_perform(curl);
  curl_easy_cleanup(curl);
 }
 .fi
 .SH AVAILABILITY
 This option was added in curl 7.87.0.
 Currently the only SSL backend to implement this certificate store caching
 functionality is the OpenSSL (and forks) backend.
 .SH RETURN VALUE
 Returns CURLE_OK
 .SH "SEE ALSO"
 .BR CURLOPT_CAINFO "(3), "
--- a/docs/libcurl/opts/Makefile.inc
+++ b/docs/libcurl/opts/Makefile.inc
@ -122,6 +122,7 @@ man_MANS =                                      \
  CURLOPT_CAINFO.3                              \
  CURLOPT_CAINFO_BLOB.3                         \
  CURLOPT_CAPATH.3                              \
  CURLOPT_CA_CACHE_TIMEOUT.3                    \
  CURLOPT_CERTINFO.3                            \
  CURLOPT_CHUNK_BGN_FUNCTION.3                  \
  CURLOPT_CHUNK_DATA.3                          \
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@ -565,6 +565,7 @@ CURLOPT_BUFFERSIZE              7.10
 CURLOPT_CAINFO                  7.4.2
 CURLOPT_CAINFO_BLOB             7.77.0
 CURLOPT_CAPATH                  7.9.8
 CURLOPT_CA_CACHE_TIMEOUT        7.87.0
 CURLOPT_CERTINFO                7.19.1
 CURLOPT_CHUNK_BGN_FUNCTION      7.21.0
 CURLOPT_CHUNK_DATA              7.21.0
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@ -2157,6 +2157,9 @@ typedef enum {
  /* websockets options */
  CURLOPT(CURLOPT_WS_OPTIONS, CURLOPTTYPE_LONG, 320),
  /* CA cache timeout */
  CURLOPT(CURLOPT_CA_CACHE_TIMEOUT, CURLOPTTYPE_LONG, 321),
  CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
--- a/lib/easyoptions.c
+++ b/lib/easyoptions.c
@ -42,6 +42,7 @@ struct curl_easyoption Curl_easyopts[] = {
  {"CAINFO", CURLOPT_CAINFO, CURLOT_STRING, 0},
  {"CAINFO_BLOB", CURLOPT_CAINFO_BLOB, CURLOT_BLOB, 0},
  {"CAPATH", CURLOPT_CAPATH, CURLOT_STRING, 0},
  {"CA_CACHE_TIMEOUT", CURLOPT_CA_CACHE_TIMEOUT, CURLOT_LONG, 0},
  {"CERTINFO", CURLOPT_CERTINFO, CURLOT_LONG, 0},
  {"CHUNK_BGN_FUNCTION", CURLOPT_CHUNK_BGN_FUNCTION, CURLOT_FUNCTION, 0},
  {"CHUNK_DATA", CURLOPT_CHUNK_DATA, CURLOT_CBPTR, 0},
@ -368,6 +369,6 @@ struct curl_easyoption Curl_easyopts[] = {
 */
 int Curl_easyopts_check(void)
 {
-  return ((CURLOPT_LASTENTRY%10000) != (320 + 1));
+  return ((CURLOPT_LASTENTRY%10000) != (321 + 1));
 }
 #endif
--- a/lib/setopt.c
+++ b/lib/setopt.c
@ -204,6 +204,15 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
    data->set.dns_cache_timeout = (int)arg;
    break;
  case CURLOPT_CA_CACHE_TIMEOUT:
    arg = va_arg(param, long);
    if(arg < -1)
      return CURLE_BAD_FUNCTION_ARGUMENT;
    else if(arg > INT_MAX)
      arg = INT_MAX;
    data->set.general_ssl.ca_cache_timeout = (int)arg;
    break;
  case CURLOPT_DNS_USE_GLOBAL_CACHE:
    /* deprecated */
    break;
--- a/lib/url.c
+++ b/lib/url.c
@ -539,6 +539,8 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
  /* Set the default size of the SSL session ID cache */
  set->general_ssl.max_ssl_sessions = 5;
  /* Timeout every 24 hours by default */
  set->general_ssl.ca_cache_timeout = 24 * 60 * 60;
  set->proxyport = 0;
  set->proxytype = CURLPROXY_HTTP; /* defaults to HTTP proxy */
--- a/lib/urldata.h
+++ b/lib/urldata.h
@ -313,6 +313,7 @@ struct ssl_config_data {
 struct ssl_general_config {
  size_t max_ssl_sessions; /* SSL session id cache size */
  int ca_cache_timeout;  /* Certificate store cache timeout (seconds) */
 };
 /* information stored about one single SSL session */
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -3164,12 +3164,18 @@ static CURLcode populate_x509_store(struct Curl_easy *data,
 }
 #if defined(HAVE_SSL_X509_STORE_SHARE)
-#define X509_STORE_EXPIRY_MS (24 * 60 * 60 * 1000) /* 24 hours */
+static bool cached_x509_store_expired(const struct Curl_easy *data,
-static bool cached_x509_store_expired(const struct multi_ssl_backend_data *mb)
+                                      const struct multi_ssl_backend_data *mb)
 {
  const struct ssl_general_config *cfg = &data->set.general_ssl;
  struct curltime now = Curl_now();
  timediff_t elapsed_ms = Curl_timediff(now, mb->time);
  timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
-  return Curl_timediff(now, mb->time) >= X509_STORE_EXPIRY_MS;
+  if(timeout_ms < 0)
    return false;
  return elapsed_ms >= timeout_ms;
 }
 static bool cached_x509_store_different(
@ -3191,7 +3197,7 @@ static X509_STORE *get_cached_x509_store(const struct Curl_easy *data,
  if(multi &&
     multi->ssl_backend_data &&
     multi->ssl_backend_data->store &&
-     !cached_x509_store_expired(multi->ssl_backend_data) &&
+     !cached_x509_store_expired(data, multi->ssl_backend_data) &&
     !cached_x509_store_different(multi->ssl_backend_data, conn)) {
    store = multi->ssl_backend_data->store;
  }
@ -3244,17 +3250,20 @@ static CURLcode set_up_x509_store(struct Curl_easy *data,
                                  struct ssl_backend_data *backend)
 {
  CURLcode result = CURLE_OK;
-  X509_STORE *cached_store = get_cached_x509_store(data, conn);
+  X509_STORE *cached_store;
  bool cache_criteria_met;
  /* Consider the X509 store cacheable if it comes exclusively from a CAfile,
     or no source is provided and we are falling back to openssl's built-in
     default. */
-  bool cache_criteria_met = SSL_CONN_CONFIG(verifypeer) &&
+  cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) &&
-                            !SSL_CONN_CONFIG(CApath) &&
+                       SSL_CONN_CONFIG(verifypeer) &&
-                            !SSL_CONN_CONFIG(ca_info_blob) &&
+                       !SSL_CONN_CONFIG(CApath) &&
-                            !SSL_SET_OPTION(primary.CRLfile) &&
+                       !SSL_CONN_CONFIG(ca_info_blob) &&
-                            !SSL_SET_OPTION(native_ca_store);
+                       !SSL_SET_OPTION(primary.CRLfile) &&
                       !SSL_SET_OPTION(native_ca_store);
  cached_store = get_cached_x509_store(data, conn);
  if(cached_store && cache_criteria_met && X509_STORE_up_ref(cached_store)) {
    SSL_CTX_set_cert_store(backend->ctx, cached_store);
  }