mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-01-12 13:55:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before

Browse Source 
- we delay loading the x509 store to shorten the handshake time.
  However an application callback installed via CURLOPT_SSL_CTX_FUNCTION
  may need to have the store loaded and try to manipulate it.
- load the x509 store before invoking the app callback

Fixes #11800
Reported-by: guoxinvmware on github
Cloes #11805
This commit is contained in:
Stefan Eissing 2023-09-06 08:35:42 +02:00 committed by Daniel Stenberg
parent 25907fd5ba
commit c849062677
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/vquic/curl_ngtcp2.c
View File

@ -396,6 +396,7 @@ static int init_ngh3_conn(struct Curl_cfilter *cf);
static CURLcode quic_ssl_ctx(SSL_CTX **pssl_ctx,
struct Curl_cfilter *cf, struct Curl_easy *data)
{
struct cf_ngtcp2_ctx *ctx = cf->ctx;
struct connectdata *conn = cf->conn;
CURLcode result = CURLE_FAILED_INIT;
SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method());
@ -453,6 +454,15 @@ static CURLcode quic_ssl_ctx(SSL_CTX **pssl_ctx,
/* give application a chance to interfere with SSL set up. */
if(data->set.ssl.fsslctx) {
/* When a user callback is installed to modify the SSL_CTX,
* we need to do the full initialization before calling it.
* See: #11800 */
if(!ctx->x509_store_setup) {
result = Curl_ssl_setup_x509_store(cf, data, ssl_ctx);
if(result)
goto out;
ctx->x509_store_setup = TRUE;
}
Curl_set_in_callback(data, true);
result = (*data->set.ssl.fsslctx)(data, ssl_ctx,
data->set.ssl.fsslctxp);

9
lib/vtls/openssl.c
View File

@ -3712,6 +3712,15 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
/* give application a chance to interfere with SSL set up. */
if(data->set.ssl.fsslctx) {
/* When a user callback is installed to modify the SSL_CTX,
* we need to do the full initialization before calling it.
* See: #11800 */
if(!backend->x509_store_setup) {
result = Curl_ssl_setup_x509_store(cf, data, backend->ctx);
if(result)
return result;
backend->x509_store_setup = TRUE;
}
Curl_set_in_callback(data, true);
result = (*data->set.ssl.fsslctx)(data, backend->ctx,
data->set.ssl.fsslctxp);