Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
OWEALs
/
curl
zrkadlo https://github.com/curl/curl.git
2
0
Fork 0
Súbory Issues 8 Wiki
Strom: 68bd759c2b
Branche Tagy
curl
/
lib
/
vtls
/
vtls_scache.c

vtls_scache.c 26 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913 
  1. /***************************************************************************
    2. 

  2.  *                                  _   _ ____  _
    3. 

  3.  *  Project                     ___| | | |  _ \| |
    4. 

  4.  *                             / __| | | | |_) | |
    5. 

  5.  *                            | (__| |_| |  _ <| |___
    6. 

  6.  *                             \___|\___/|_| \_\_____|
    7. 

  7.  *
    8. 

  8.  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
    9. 

  9.  *
    10. 

  10.  * This software is licensed as described in the file COPYING, which
    11. 

  11.  * you should have received as part of this distribution. The terms
    12. 

  12.  * are also available at https://curl.se/docs/copyright.html.
    13. 

  13.  *
    14. 

  14.  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
    15. 

  15.  * copies of the Software, and permit persons to whom the Software is
    16. 

  16.  * furnished to do so, under the terms of the COPYING file.
    17. 

  17.  *
    18. 

  18.  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
    19. 

  19.  * KIND, either express or implied.
    20. 

  20.  *
    21. 

  21.  * SPDX-License-Identifier: curl
    22. 

  22.  *
    23. 

  23.  ***************************************************************************/
    24. 

  24. 

  25. /* This file is for implementing all "generic" SSL functions that all libcurl
    26. 

  26.    internals should use. It is then responsible for calling the proper
    27. 

  27.    "backend" function.
    28. 

  28. 

  29.    SSL-functions in libcurl should call functions in this source file, and not
    30. 

  30.    to any specific SSL-layer.
    31. 

  31. 

  32.    Curl_ssl_ - prefix for generic ones
    33. 

  33. 

  34.    Note that this source code uses the functions of the configured SSL
    35. 

  35.    backend via the global Curl_ssl instance.
    36. 

  36. 

  37.    "SSL/TLS Strong Encryption: An Introduction"
    38. 

  38.    https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
    39. 

  39. */
    40. 

  40. 

  41. #include "curl_setup.h"
    42. 

  42. 

  43. #ifdef USE_SSL
    44. 

  44. 

  45. #ifdef HAVE_SYS_TYPES_H
    46. 

  46. #include <sys/types.h>
    47. 

  47. #endif
    48. 

  48. #ifdef HAVE_SYS_STAT_H
    49. 

  49. #include <sys/stat.h>
    50. 

  50. #endif
    51. 

  51. #ifdef HAVE_FCNTL_H
    52. 

  52. #include <fcntl.h>
    53. 

  53. #endif
    54. 

  54. 

  55. #include "urldata.h"
    56. 

  56. #include "cfilters.h"
    57. 

  57. 

  58. #include "vtls.h" /* generic SSL protos etc */
    59. 

  59. #include "vtls_int.h"
    60. 

  60. #include "vtls_scache.h"
    61. 

  61. 

  62. #include "strcase.h"
    63. 

  63. #include "url.h"
    64. 

  64. #include "llist.h"
    65. 

  65. #include "share.h"
    66. 

  66. #include "curl_trc.h"
    67. 

  67. #include "curl_sha256.h"
    68. 

  68. #include "warnless.h"
    69. 

  69. #include "curl_printf.h"
    70. 

  70. #include "strdup.h"
    71. 

  71. 

  72. /* The last #include files should be: */
    73. 

  73. #include "curl_memory.h"
    74. 

  74. #include "memdebug.h"
    75. 

  75. 

  76. /* a peer+tls-config we cache sessions for */
    77. 

  77. struct Curl_ssl_scache_peer {
    78. 

  78.   char *ssl_peer_key;      /* id for peer + relevant TLS configuration */
    79. 

  79.   char *clientcert;
    80. 

  80.   char *srp_username;
    81. 

  81.   char *srp_password;
    82. 

  82.   struct Curl_llist sessions;
    83. 

  83.   void *sobj;              /* object instance or NULL */
    84. 

  84.   Curl_ssl_scache_obj_dtor *sobj_free; /* free `sobj` callback */
    85. 

  85.   unsigned char key_salt[CURL_SHA256_DIGEST_LENGTH]; /* for entry export */
    86. 

  86.   unsigned char key_hmac[CURL_SHA256_DIGEST_LENGTH]; /* for entry export */
    87. 

  87.   size_t max_sessions;
    88. 

  88.   long age;                /* just a number, the higher the more recent */
    89. 

  89.   BIT(hmac_set);           /* if key_salt and key_hmac are present */
    90. 

  90. };
    91. 

  91. 

  92. struct Curl_ssl_scache {
    93. 

  93.   struct Curl_ssl_scache_peer *peers;
    94. 

  94.   size_t peer_count;
    95. 

  95.   int default_lifetime_secs;
    96. 

  96.   long age;
    97. 

  97. };
    98. 

  98. 

  99. static void cf_ssl_scache_clear_session(struct Curl_ssl_session *s)
    100. 

  100. {
    101. 

  101.   if(s->sdata) {
    102. 

  102.     free((void *)s->sdata);
    103. 

  103.     s->sdata = NULL;
    104. 

  104.   }
    105. 

  105.   s->sdata_len = 0;
    106. 

  106.   if(s->quic_tp) {
    107. 

  107.     free((void *)s->quic_tp);
    108. 

  108.     s->quic_tp = NULL;
    109. 

  109.   }
    110. 

  110.   s->quic_tp_len = 0;
    111. 

  111.   s->ietf_tls_id = 0;
    112. 

  112.   s->time_received = 0;
    113. 

  113.   s->lifetime_secs = 0;
    114. 

  114.   Curl_safefree(s->alpn);
    115. 

  115. }
    116. 

  116. 

  117. static void cf_ssl_scache_sesssion_ldestroy(void *udata, void *s)
    118. 

  118. {
    119. 

  119.   (void)udata;
    120. 

  120.   cf_ssl_scache_clear_session(s);
    121. 

  121.   free(s);
    122. 

  122. }
    123. 

  123. 

  124. CURLcode
    125. 

  125. Curl_ssl_session_create(unsigned char *sdata, size_t sdata_len,
    126. 

  126.                         int ietf_tls_id, const char *alpn,
    127. 

  127.                         curl_off_t time_received, long lifetime_secs,
    128. 

  128.                         size_t earlydata_max,
    129. 

  129.                         struct Curl_ssl_session **psession)
    130. 

  130. {
    131. 

  131.   return Curl_ssl_session_create2(sdata, sdata_len, ietf_tls_id, alpn,
    132. 

  132.                                   time_received, lifetime_secs,
    133. 

  133.                                   earlydata_max, NULL, 0, psession);
    134. 

  134. }
    135. 

  135. 

  136. CURLcode
    137. 

  137. Curl_ssl_session_create2(unsigned char *sdata, size_t sdata_len,
    138. 

  138.                          int ietf_tls_id, const char *alpn,
    139. 

  139.                          curl_off_t time_received, long lifetime_secs,
    140. 

  140.                          size_t earlydata_max,
    141. 

  141.                          unsigned char *quic_tp, size_t quic_tp_len,
    142. 

  142.                          struct Curl_ssl_session **psession)
    143. 

  143. {
    144. 

  144.   struct Curl_ssl_session *s;
    145. 

  145. 

  146.   if(!sdata || !sdata_len) {
    147. 

  147.     free(sdata);
    148. 

  148.     return CURLE_BAD_FUNCTION_ARGUMENT;
    149. 

  149.   }
    150. 

  150. 

  151.   *psession = NULL;
    152. 

  152.   s = calloc(1, sizeof(*s));
    153. 

  153.   if(!s) {
    154. 

  154.     free(sdata);
    155. 

  155.     free(quic_tp);
    156. 

  156.     return CURLE_OUT_OF_MEMORY;
    157. 

  157.   }
    158. 

  158. 

  159.   s->ietf_tls_id = ietf_tls_id;
    160. 

  160.   s->time_received = time_received;
    161. 

  161.   if(lifetime_secs < 0)
    162. 

  162.     lifetime_secs = -1; /* unknown */
    163. 

  163.   else if((s->ietf_tls_id == CURL_IETF_PROTO_TLS1_3) &&
    164. 

  164.           (lifetime_secs > CURL_SCACHE_MAX_13_LIFETIME_SEC))
    165. 

  165.     lifetime_secs = CURL_SCACHE_MAX_13_LIFETIME_SEC;
    166. 

  166.   else if(lifetime_secs > CURL_SCACHE_MAX_12_LIFETIME_SEC)
    167. 

  167.     lifetime_secs = CURL_SCACHE_MAX_12_LIFETIME_SEC;
    168. 

  168. 

  169.   s->lifetime_secs = (int)lifetime_secs;
    170. 

  170.   s->earlydata_max = earlydata_max;
    171. 

  171.   s->sdata = sdata;
    172. 

  172.   s->sdata_len = sdata_len;
    173. 

  173.   s->quic_tp = quic_tp;
    174. 

  174.   s->quic_tp_len = quic_tp_len;
    175. 

  175.   if(alpn) {
    176. 

  176.     s->alpn = strdup(alpn);
    177. 

  177.     if(!s->alpn) {
    178. 

  178.       cf_ssl_scache_sesssion_ldestroy(NULL, s);
    179. 

  179.       return CURLE_OUT_OF_MEMORY;
    180. 

  180.     }
    181. 

  181.   }
    182. 

  182.   *psession = s;
    183. 

  183.   return CURLE_OK;
    184. 

  184. }
    185. 

  185. 

  186. void Curl_ssl_session_destroy(struct Curl_ssl_session *s)
    187. 

  187. {
    188. 

  188.   if(s) {
    189. 

  189.     /* if in the list, the list destructor takes care of it */
    190. 

  190.     if(Curl_node_llist(&s->list))
    191. 

  191.       Curl_node_remove(&s->list);
    192. 

  192.     else {
    193. 

  193.       cf_ssl_scache_sesssion_ldestroy(NULL, s);
    194. 

  194.     }
    195. 

  195.   }
    196. 

  196. }
    197. 

  197. 

  198. static void cf_ssl_scache_clear_peer(struct Curl_ssl_scache_peer *peer)
    199. 

  199. {
    200. 

  200.   Curl_llist_destroy(&peer->sessions, NULL);
    201. 

  201.   if(peer->sobj) {
    202. 

  202.     DEBUGASSERT(peer->sobj_free);
    203. 

  203.     if(peer->sobj_free)
    204. 

  204.       peer->sobj_free(peer->sobj);
    205. 

  205.     peer->sobj = NULL;
    206. 

  206.   }
    207. 

  207.   peer->sobj_free = NULL;
    208. 

  208.   Curl_safefree(peer->clientcert);
    209. 

  209. #ifdef USE_TLS_SRP
    210. 

  210.   Curl_safefree(peer->srp_username);
    211. 

  211.   Curl_safefree(peer->srp_password);
    212. 

  212. #endif
    213. 

  213.   Curl_safefree(peer->ssl_peer_key);
    214. 

  214.   peer->age = 0;
    215. 

  215.   peer->hmac_set = FALSE;
    216. 

  216. }
    217. 

  217. 

  218. static void cf_ssl_scache_peer_set_obj(struct Curl_ssl_scache_peer *peer,
    219. 

  219.                                        void *sobj,
    220. 

  220.                                        Curl_ssl_scache_obj_dtor *sobj_free)
    221. 

  221. {
    222. 

  222.   DEBUGASSERT(peer);
    223. 

  223.   if(peer->sobj_free) {
    224. 

  224.     peer->sobj_free(peer->sobj);
    225. 

  225.   }
    226. 

  226.   peer->sobj = sobj;
    227. 

  227.   peer->sobj_free = sobj_free;
    228. 

  228. }
    229. 

  229. 

  230. static CURLcode cf_ssl_scache_peer_init(struct Curl_ssl_scache_peer *peer,
    231. 

  231.                                         const char *ssl_peer_key,
    232. 

  232.                                         const char *clientcert,
    233. 

  233.                                         const char *srp_username,
    234. 

  234.                                         const char *srp_password)
    235. 

  235. {
    236. 

  236.   CURLcode result = CURLE_OUT_OF_MEMORY;
    237. 

  237. 

  238.   DEBUGASSERT(!peer->ssl_peer_key);
    239. 

  239.   peer->ssl_peer_key = strdup(ssl_peer_key);
    240. 

  240.   if(!peer->ssl_peer_key)
    241. 

  241.     goto out;
    242. 

  242.   if(clientcert) {
    243. 

  243.     peer->clientcert = strdup(clientcert);
    244. 

  244.     if(!peer->clientcert)
    245. 

  245.       goto out;
    246. 

  246.   }
    247. 

  247.   if(srp_username) {
    248. 

  248.     peer->srp_username = strdup(srp_username);
    249. 

  249.     if(!peer->srp_username)
    250. 

  250.       goto out;
    251. 

  251.   }
    252. 

  252.   if(srp_password) {
    253. 

  253.     peer->srp_password = strdup(srp_password);
    254. 

  254.     if(!peer->srp_password)
    255. 

  255.       goto out;
    256. 

  256.   }
    257. 

  257.   result = CURLE_OK;
    258. 

  258. out:
    259. 

  259.   if(result)
    260. 

  260.     cf_ssl_scache_clear_peer(peer);
    261. 

  261.   return result;
    262. 

  262. }
    263. 

  263. 

  264. static void cf_scache_session_remove(struct Curl_ssl_scache_peer *peer,
    265. 

  265.                                      struct Curl_ssl_session *s)
    266. 

  266. {
    267. 

  267.   (void)peer;
    268. 

  268.   DEBUGASSERT(Curl_node_llist(&s->list) == &peer->sessions);
    269. 

  269.   Curl_ssl_session_destroy(s);
    270. 

  270. }
    271. 

  271. 

  272. static bool cf_scache_session_expired(struct Curl_ssl_session *s,
    273. 

  273.                                       curl_off_t now)
    274. 

  274. {
    275. 

  275.   return (s->lifetime_secs > 0 &&
    276. 

  276.          (s->time_received + s->lifetime_secs) < now);
    277. 

  277. }
    278. 

  278. 

  279. static void cf_scache_peer_remove_expired(struct Curl_ssl_scache_peer *peer,
    280. 

  280.                                           curl_off_t now)
    281. 

  281. {
    282. 

  282.   struct Curl_llist_node *n = Curl_llist_head(&peer->sessions);
    283. 

  283.   while(n) {
    284. 

  284.     struct Curl_ssl_session *s = Curl_node_elem(n);
    285. 

  285.     n = Curl_node_next(n);
    286. 

  286.     if(cf_scache_session_expired(s, now))
    287. 

  287.       cf_scache_session_remove(peer, s);
    288. 

  288.   }
    289. 

  289. }
    290. 

  290. 

  291. static void cf_scache_peer_remove_non13(struct Curl_ssl_scache_peer *peer)
    292. 

  292. {
    293. 

  293.   struct Curl_llist_node *n = Curl_llist_head(&peer->sessions);
    294. 

  294.   while(n) {
    295. 

  295.     struct Curl_ssl_session *s = Curl_node_elem(n);
    296. 

  296.     n = Curl_node_next(n);
    297. 

  297.     if(s->ietf_tls_id != CURL_IETF_PROTO_TLS1_3)
    298. 

  298.       cf_scache_session_remove(peer, s);
    299. 

  299.   }
    300. 

  300. }
    301. 

  301. 

  302. CURLcode Curl_ssl_scache_create(size_t max_peers,
    303. 

  303.                                 size_t max_sessions_per_peer,
    304. 

  304.                                 struct Curl_ssl_scache **pscache)
    305. 

  305. {
    306. 

  306.   struct Curl_ssl_scache *scache;
    307. 

  307.   struct Curl_ssl_scache_peer *peers;
    308. 

  308.   size_t i;
    309. 

  309. 

  310.   *pscache = NULL;
    311. 

  311.   peers = calloc(max_peers, sizeof(*peers));
    312. 

  312.   if(!peers)
    313. 

  313.     return CURLE_OUT_OF_MEMORY;
    314. 

  314. 

  315.   scache = calloc(1, sizeof(*scache));
    316. 

  316.   if(!scache) {
    317. 

  317.     free(peers);
    318. 

  318.     return CURLE_OUT_OF_MEMORY;
    319. 

  319.   }
    320. 

  320. 

  321.   scache->default_lifetime_secs = (24*60*60); /* 1 day */
    322. 

  322.   scache->peer_count = max_peers;
    323. 

  323.   scache->peers = peers;
    324. 

  324.   scache->age = 1;
    325. 

  325.   for(i = 0; i < scache->peer_count; ++i) {
    326. 

  326.     scache->peers[i].max_sessions = max_sessions_per_peer;
    327. 

  327.     Curl_llist_init(&scache->peers[i].sessions,
    328. 

  328.                     cf_ssl_scache_sesssion_ldestroy);
    329. 

  329.   }
    330. 

  330. 

  331.   *pscache = scache;
    332. 

  332.   return CURLE_OK;
    333. 

  333. }
    334. 

  334. 

  335. void Curl_ssl_scache_destroy(struct Curl_ssl_scache *scache)
    336. 

  336. {
    337. 

  337.   if(scache) {
    338. 

  338.     size_t i;
    339. 

  339.     for(i = 0; i < scache->peer_count; ++i) {
    340. 

  340.       cf_ssl_scache_clear_peer(&scache->peers[i]);
    341. 

  341.     }
    342. 

  342.     free(scache->peers);
    343. 

  343.     free(scache);
    344. 

  344.   }
    345. 

  345. }
    346. 

  346. 

  347. /* Lock shared SSL session data */
    348. 

  348. void Curl_ssl_scache_lock(struct Curl_easy *data)
    349. 

  349. {
    350. 

  350.   if(CURL_SHARE_ssl_scache(data))
    351. 

  351.     Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
    352. 

  352. }
    353. 

  353. 

  354. /* Unlock shared SSL session data */
    355. 

  355. void Curl_ssl_scache_unlock(struct Curl_easy *data)
    356. 

  356. {
    357. 

  357.   if(CURL_SHARE_ssl_scache(data))
    358. 

  358.     Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
    359. 

  359. }
    360. 

  360. 

  361. static CURLcode cf_ssl_peer_key_add_path(struct dynbuf *buf,
    362. 

  362.                                           const char *name,
    363. 

  363.                                           char *path)
    364. 

  364. {
    365. 

  365.   if(path && path[0]) {
    366. 

  366.     /* We try to add absolute paths, so that the session key can stay
    367. 

  367.      * valid when used in another process with different CWD. However,
    368. 

  368.      * when a path does not exist, this does not work. Then, we add
    369. 

  369.      * the path as is. */
    370. 

  370. #ifdef _WIN32
    371. 

  371.     char abspath[_MAX_PATH];
    372. 

  372.     if(_fullpath(abspath, path, _MAX_PATH))
    373. 

  373.       return Curl_dyn_addf(buf, ":%s-%s", name, abspath);
    374. 

  374. #else
    375. 

  375.     if(path[0] != '/') {
    376. 

  376.       char *abspath = realpath(path, NULL);
    377. 

  377.       if(abspath) {
    378. 

  378.         CURLcode r = Curl_dyn_addf(buf, ":%s-%s", name, abspath);
    379. 

  379.         (free)(abspath); /* allocated by libc, free without memdebug */
    380. 

  380.         return r;
    381. 

  381.       }
    382. 

  382.     }
    383. 

  383. #endif
    384. 

  384.     return Curl_dyn_addf(buf, ":%s-%s", name, path);
    385. 

  385.   }
    386. 

  386.   return CURLE_OK;
    387. 

  387. }
    388. 

  388. 

  389. static CURLcode cf_ssl_peer_key_add_hash(struct dynbuf *buf,
    390. 

  390.                                           const char *name,
    391. 

  391.                                           struct curl_blob *blob)
    392. 

  392. {
    393. 

  393.   CURLcode r = CURLE_OK;
    394. 

  394.   if(blob && blob->len) {
    395. 

  395.     unsigned char hash[CURL_SHA256_DIGEST_LENGTH];
    396. 

  396.     size_t i;
    397. 

  397. 

  398.     r = Curl_dyn_addf(buf, ":%s-", name);
    399. 

  399.     if(r)
    400. 

  400.       goto out;
    401. 

  401.     r = Curl_sha256it(hash, blob->data, blob->len);
    402. 

  402.     if(r)
    403. 

  403.       goto out;
    404. 

  404.     for(i = 0; i < CURL_SHA256_DIGEST_LENGTH; ++i) {
    405. 

  405.       r = Curl_dyn_addf(buf, "%02x", hash[i]);
    406. 

  406.       if(r)
    407. 

  407.         goto out;
    408. 

  408.     }
    409. 

  409.   }
    410. 

  410. out:
    411. 

  411.   return r;
    412. 

  412. }
    413. 

  413. 

  414. CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
    415. 

  415.                                 const struct ssl_peer *peer,
    416. 

  416.                                 const char *tls_id,
    417. 

  417.                                 char **ppeer_key)
    418. 

  418. {
    419. 

  419.   struct ssl_primary_config *ssl = Curl_ssl_cf_get_primary_config(cf);
    420. 

  420.   struct dynbuf buf;
    421. 

  421.   size_t key_len;
    422. 

  422.   CURLcode r;
    423. 

  423. 

  424.   *ppeer_key = NULL;
    425. 

  425.   Curl_dyn_init(&buf, 10 * 1024);
    426. 

  426. 

  427.   r = Curl_dyn_addf(&buf, "%s:%d", peer->hostname, peer->port);
    428. 

  428.   if(r)
    429. 

  429.     goto out;
    430. 

  430. 

  431.   switch(peer->transport) {
    432. 

  432.   case TRNSPRT_TCP:
    433. 

  433.     break;
    434. 

  434.   case TRNSPRT_UDP:
    435. 

  435.     r = Curl_dyn_add(&buf, ":UDP");
    436. 

  436.     break;
    437. 

  437.   case TRNSPRT_QUIC:
    438. 

  438.     r = Curl_dyn_add(&buf, ":QUIC");
    439. 

  439.     break;
    440. 

  440.   case TRNSPRT_UNIX:
    441. 

  441.     r = Curl_dyn_add(&buf, ":UNIX");
    442. 

  442.     break;
    443. 

  443.   default:
    444. 

  444.     r = Curl_dyn_addf(&buf, ":TRNSPRT-%d", peer->transport);
    445. 

  445.     break;
    446. 

  446.   }
    447. 

  447.   if(r)
    448. 

  448.     goto out;
    449. 

  449. 

  450.   if(!ssl->verifypeer) {
    451. 

  451.     r = Curl_dyn_add(&buf, ":NO-VRFY-PEER");
    452. 

  452.     if(r)
    453. 

  453.       goto out;
    454. 

  454.   }
    455. 

  455.   if(!ssl->verifyhost) {
    456. 

  456.     r = Curl_dyn_add(&buf, ":NO-VRFY-HOST");
    457. 

  457.     if(r)
    458. 

  458.       goto out;
    459. 

  459.   }
    460. 

  460.   if(ssl->verifystatus) {
    461. 

  461.     r = Curl_dyn_add(&buf, ":VRFY-STATUS");
    462. 

  462.     if(r)
    463. 

  463.       goto out;
    464. 

  464.   }
    465. 

  465.   if(!ssl->verifypeer || !ssl->verifyhost) {
    466. 

  466.     if(cf->conn->bits.conn_to_host) {
    467. 

  467.       r = Curl_dyn_addf(&buf, ":CHOST-%s", cf->conn->conn_to_host.name);
    468. 

  468.       if(r)
    469. 

  469.         goto out;
    470. 

  470.     }
    471. 

  471.     if(cf->conn->bits.conn_to_port) {
    472. 

  472.       r = Curl_dyn_addf(&buf, ":CPORT-%d", cf->conn->conn_to_port);
    473. 

  473.       if(r)
    474. 

  474.         goto out;
    475. 

  475.     }
    476. 

  476.   }
    477. 

  477. 

  478.   if(ssl->version || ssl->version_max) {
    479. 

  479.     r = Curl_dyn_addf(&buf, ":TLSVER-%d-%d", ssl->version,
    480. 

  480.                       (ssl->version_max >> 16));
    481. 

  481.     if(r)
    482. 

  482.       goto out;
    483. 

  483.   }
    484. 

  484.   if(ssl->ssl_options) {
    485. 

  485.     r = Curl_dyn_addf(&buf, ":TLSOPT-%x", ssl->ssl_options);
    486. 

  486.     if(r)
    487. 

  487.       goto out;
    488. 

  488.   }
    489. 

  489.   if(ssl->cipher_list) {
    490. 

  490.     r = Curl_dyn_addf(&buf, ":CIPHER-%s", ssl->cipher_list);
    491. 

  491.     if(r)
    492. 

  492.       goto out;
    493. 

  493.   }
    494. 

  494.   if(ssl->cipher_list13) {
    495. 

  495.     r = Curl_dyn_addf(&buf, ":CIPHER13-%s", ssl->cipher_list13);
    496. 

  496.     if(r)
    497. 

  497.       goto out;
    498. 

  498.   }
    499. 

  499.   if(ssl->curves) {
    500. 

  500.     r = Curl_dyn_addf(&buf, ":CURVES-%s", ssl->curves);
    501. 

  501.     if(r)
    502. 

  502.       goto out;
    503. 

  503.   }
    504. 

  504.   if(ssl->verifypeer) {
    505. 

  505.     r = cf_ssl_peer_key_add_path(&buf, "CA", ssl->CAfile);
    506. 

  506.     if(r)
    507. 

  507.       goto out;
    508. 

  508.     r = cf_ssl_peer_key_add_path(&buf, "CApath", ssl->CApath);
    509. 

  509.     if(r)
    510. 

  510.       goto out;
    511. 

  511.     r = cf_ssl_peer_key_add_path(&buf, "CRL", ssl->CRLfile);
    512. 

  512.     if(r)
    513. 

  513.       goto out;
    514. 

  514.     r = cf_ssl_peer_key_add_path(&buf, "Issuer", ssl->issuercert);
    515. 

  515.     if(r)
    516. 

  516.       goto out;
    517. 

  517.     if(ssl->cert_blob) {
    518. 

  518.       r = cf_ssl_peer_key_add_hash(&buf, "CertBlob", ssl->cert_blob);
    519. 

  519.       if(r)
    520. 

  520.         goto out;
    521. 

  521.     }
    522. 

  522.     if(ssl->ca_info_blob) {
    523. 

  523.       r = cf_ssl_peer_key_add_hash(&buf, "CAInfoBlob", ssl->ca_info_blob);
    524. 

  524.       if(r)
    525. 

  525.         goto out;
    526. 

  526.     }
    527. 

  527.     if(ssl->issuercert_blob) {
    528. 

  528.       r = cf_ssl_peer_key_add_hash(&buf, "IssuerBlob", ssl->issuercert_blob);
    529. 

  529.       if(r)
    530. 

  530.         goto out;
    531. 

  531.     }
    532. 

  532.   }
    533. 

  533.   if(ssl->pinned_key && ssl->pinned_key[0]) {
    534. 

  534.     r = Curl_dyn_addf(&buf, ":Pinned-%s", ssl->pinned_key);
    535. 

  535.     if(r)
    536. 

  536.       goto out;
    537. 

  537.   }
    538. 

  538. 

  539.   if(ssl->clientcert && ssl->clientcert[0]) {
    540. 

  540.     r = Curl_dyn_add(&buf, ":CCERT");
    541. 

  541.     if(r)
    542. 

  542.       goto out;
    543. 

  543.   }
    544. 

  544. #ifdef USE_TLS_SRP
    545. 

  545.   if(ssl->username || ssl->password) {
    546. 

  546.     r = Curl_dyn_add(&buf, ":SRP-AUTH");
    547. 

  547.     if(r)
    548. 

  548.       goto out;
    549. 

  549.   }
    550. 

  550. #endif
    551. 

  551. 

  552.   if(!tls_id || !tls_id[0]) {
    553. 

  553.     r = CURLE_FAILED_INIT;
    554. 

  554.     goto out;
    555. 

  555.   }
    556. 

  556.   r = Curl_dyn_addf(&buf, ":IMPL-%s", tls_id);
    557. 

  557.   if(r)
    558. 

  558.     goto out;
    559. 

  559. 

  560.   *ppeer_key = Curl_dyn_take(&buf, &key_len);
    561. 

  561.   /* we just added printable char, and dynbuf always 0 terminates,
    562. 

  562.    * no need to track length */
    563. 

  563. 

  564. 

  565. out:
    566. 

  566.   Curl_dyn_free(&buf);
    567. 

  567.   return r;
    568. 

  568. }
    569. 

  569. 

  570. static bool cf_ssl_scache_match_auth(struct Curl_ssl_scache_peer *peer,
    571. 

  571.                                      struct ssl_primary_config *conn_config)
    572. 

  572. {
    573. 

  573.   if(!Curl_safecmp(peer->clientcert, conn_config->clientcert))
    574. 

  574.     return FALSE;
    575. 

  575. #ifdef USE_TLS_SRP
    576. 

  576.    if(Curl_timestrcmp(peer->srp_username, conn_config->username) ||
    577. 

  577.       Curl_timestrcmp(peer->srp_password, conn_config->password))
    578. 

  578.      return FALSE;
    579. 

  579. #endif
    580. 

  580.   return TRUE;
    581. 

  581. }
    582. 

  582. 

  583. static CURLcode cf_ssl_find_peer(struct Curl_cfilter *cf,
    584. 

  584.                                  struct Curl_easy *data,
    585. 

  585.                                  struct Curl_ssl_scache *scache,
    586. 

  586.                                  const char *ssl_peer_key,
    587. 

  587.                                  struct Curl_ssl_scache_peer **ppeer)
    588. 

  588. {
    589. 

  589.   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
    590. 

  590.   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
    591. 

  591.   size_t i, peer_key_len = 0;
    592. 

  592.   CURLcode result = CURLE_OK;
    593. 

  593. 

  594.   *ppeer = NULL;
    595. 

  595.   if(!ssl_config || !ssl_config->primary.cache_session)
    596. 

  596.     goto out;
    597. 

  597. 

  598.   /* check for entries with known peer_key */
    599. 

  599.   for(i = 0; scache && i < scache->peer_count; i++) {
    600. 

  600.     if(scache->peers[i].ssl_peer_key &&
    601. 

  601.        strcasecompare(ssl_peer_key, scache->peers[i].ssl_peer_key) &&
    602. 

  602.        cf_ssl_scache_match_auth(&scache->peers[i], conn_config)) {
    603. 

  603.       /* yes, we have a cached session for this! */
    604. 

  604.       *ppeer = &scache->peers[i];
    605. 

  605.       goto out;
    606. 

  606.     }
    607. 

  607.   }
    608. 

  608.   /* check for entries with HMAC set but no known peer_key */
    609. 

  609.   for(i = 0; scache && i < scache->peer_count; i++) {
    610. 

  610.     if(!scache->peers[i].ssl_peer_key &&
    611. 

  611.        scache->peers[i].hmac_set &&
    612. 

  612.        cf_ssl_scache_match_auth(&scache->peers[i], conn_config)) {
    613. 

  613.       /* possible entry with unknown peer_key, check hmac */
    614. 

  614.       unsigned char my_hmac[CURL_SHA256_DIGEST_LENGTH];
    615. 

  615.       if(!peer_key_len) /* we are lazy */
    616. 

  616.         peer_key_len = strlen(ssl_peer_key);
    617. 

  617.       result = Curl_hmacit(&Curl_HMAC_SHA256,
    618. 

  618.                            scache->peers[i].key_salt,
    619. 

  619.                            sizeof(scache->peers[i].key_salt),
    620. 

  620.                            (const unsigned char *)ssl_peer_key,
    621. 

  621.                            peer_key_len,
    622. 

  622.                            my_hmac);
    623. 

  623.       if(result)
    624. 

  624.         goto out;
    625. 

  625.       if(!memcmp(scache->peers[i].key_hmac, my_hmac, sizeof(my_hmac))) {
    626. 

  626.         /* remember peer_key for future lookups */
    627. 

  627.         scache->peers[i].ssl_peer_key = strdup(ssl_peer_key);
    628. 

  628.         if(!scache->peers[i].ssl_peer_key) {
    629. 

  629.           result = CURLE_OUT_OF_MEMORY;
    630. 

  630.           goto out;
    631. 

  631.         }
    632. 

  632.         *ppeer = &scache->peers[i];
    633. 

  633.         goto out;
    634. 

  634.       }
    635. 

  635.     }
    636. 

  636.   }
    637. 

  637. out:
    638. 

  638.   if(result)
    639. 

  639.     CURL_TRC_CF(data, cf, "[SACHE] failure finding scache peer: %d", result);
    640. 

  640.   return result;
    641. 

  641. }
    642. 

  642. 

  643. static CURLcode cf_ssl_add_peer(struct Curl_cfilter *cf,
    644. 

  644.                                 struct Curl_easy *data,
    645. 

  645.                                 struct Curl_ssl_scache *scache,
    646. 

  646.                                 const char *ssl_peer_key,
    647. 

  647.                                 struct Curl_ssl_scache_peer **ppeer)
    648. 

  648. {
    649. 

  649.   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
    650. 

  650.   struct Curl_ssl_scache_peer *peer = NULL;
    651. 

  651.   size_t i;
    652. 

  652.   CURLcode result;
    653. 

  653. 

  654.   *ppeer = NULL;
    655. 

  655.   result = cf_ssl_find_peer(cf, data, scache, ssl_peer_key, &peer);
    656. 

  656.   if(result || !scache->peer_count)
    657. 

  657.     return result;
    658. 

  658. 

  659.   if(peer) {
    660. 

  660.     *ppeer = peer;
    661. 

  661.     return CURLE_OK;
    662. 

  662.   }
    663. 

  663. 

  664.   /* not there, find empty or oldest peer */
    665. 

  665.   for(i = 0; i < scache->peer_count; ++i) {
    666. 

  666.     /* free peer entry? */
    667. 

  667.     if(!scache->peers[i].ssl_peer_key && !scache->peers[i].hmac_set) {
    668. 

  668.       peer = &scache->peers[i];
    669. 

  669.       break;
    670. 

  670.     }
    671. 

  671.     /* peer without sessions and obj */
    672. 

  672.     if(!scache->peers[i].sobj &&
    673. 

  673.        !Curl_llist_count(&scache->peers[i].sessions)) {
    674. 

  674.       peer = &scache->peers[i];
    675. 

  675.       break;
    676. 

  676.     }
    677. 

  677.     /* remember "oldest" peer */
    678. 

  678.     if(!peer || (scache->peers[i].age < peer->age)) {
    679. 

  679.       peer = &scache->peers[i];
    680. 

  680.     }
    681. 

  681.   }
    682. 

  682.   DEBUGASSERT(peer);
    683. 

  683.   if(!peer)
    684. 

  684.     return CURLE_OK;
    685. 

  685.   /* clear previous peer and reinit */
    686. 

  686.   cf_ssl_scache_clear_peer(peer);
    687. 

  687.   result = cf_ssl_scache_peer_init(peer, ssl_peer_key,
    688. 

  688.                                    conn_config->clientcert,
    689. 

  689. #ifdef USE_TLS_SRP
    690. 

  690.                                    conn_config->username,
    691. 

  691.                                    conn_config->password);
    692. 

  692. #else
    693. 

  693.                                    NULL, NULL);
    694. 

  694. #endif
    695. 

  695.   if(result)
    696. 

  696.     goto out;
    697. 

  697.   /* all ready */
    698. 

  698.   *ppeer = peer;
    699. 

  699.   result = CURLE_OK;
    700. 

  700. 

  701. out:
    702. 

  702.   if(result) {
    703. 

  703.     cf_ssl_scache_clear_peer(peer);
    704. 

  704.     CURL_TRC_CF(data, cf, "[SACHE] failure adding peer: %d", result);
    705. 

  705.   }
    706. 

  706.   return result;
    707. 

  707. }
    708. 

  708. 

  709. static CURLcode cf_scache_peer_add_session(struct Curl_cfilter *cf,
    710. 

  710.                                            struct Curl_easy *data,
    711. 

  711.                                            struct Curl_ssl_scache *scache,
    712. 

  712.                                            const char *ssl_peer_key,
    713. 

  713.                                            struct Curl_ssl_session *s)
    714. 

  714. {
    715. 

  715.   struct Curl_ssl_scache_peer *peer = NULL;
    716. 

  716.   CURLcode result = CURLE_OUT_OF_MEMORY;
    717. 

  717.   curl_off_t now = (curl_off_t)time(NULL);
    718. 

  718. 

  719.   if(!scache || !scache->peer_count) {
    720. 

  720.     Curl_ssl_session_destroy(s);
    721. 

  721.     return CURLE_OK;
    722. 

  722.   }
    723. 

  723. 

  724.   if(!s->time_received)
    725. 

  725.     s->time_received = now;
    726. 

  726.   if(s->lifetime_secs < 0)
    727. 

  727.     s->lifetime_secs = scache->default_lifetime_secs;
    728. 

  728. 

  729.   if(cf_scache_session_expired(s, now)) {
    730. 

  730.     CURL_TRC_CF(data, cf, "[SCACHE] add, session already expired");
    731. 

  731.     Curl_ssl_session_destroy(s);
    732. 

  732.     return CURLE_OK;
    733. 

  733.   }
    734. 

  734. 

  735.   result = cf_ssl_add_peer(cf, data, scache, ssl_peer_key, &peer);
    736. 

  736.   if(result || !peer) {
    737. 

  737.     CURL_TRC_CF(data, cf, "[SCACHE] unable to add scache peer: %d", result);
    738. 

  738.     Curl_ssl_session_destroy(s);
    739. 

  739.     goto out;
    740. 

  740.   }
    741. 

  741. 

  742.   /* A session not from TLSv1.3 replaces all other. */
    743. 

  743.   if(s->ietf_tls_id != CURL_IETF_PROTO_TLS1_3) {
    744. 

  744.     Curl_llist_destroy(&peer->sessions, NULL);
    745. 

  745.     Curl_llist_append(&peer->sessions, s, &s->list);
    746. 

  746.   }
    747. 

  747.   else {
    748. 

  748.     /* Expire existing, append, trim from head to obey max_sessions */
    749. 

  749.     cf_scache_peer_remove_expired(peer, now);
    750. 

  750.     cf_scache_peer_remove_non13(peer);
    751. 

  751.     Curl_llist_append(&peer->sessions, s, &s->list);
    752. 

  752.     while(Curl_llist_count(&peer->sessions) > peer->max_sessions) {
    753. 

  753.       Curl_node_remove(Curl_llist_head(&peer->sessions));
    754. 

  754.     }
    755. 

  755.   }
    756. 

  756. 

  757. out:
    758. 

  758.   if(result) {
    759. 

  759.     failf(data, "[SCACHE] failed to add session for %s, error=%d",
    760. 

  760.           ssl_peer_key, result);
    761. 

  761.   }
    762. 

  762.   else
    763. 

  763.     CURL_TRC_CF(data, cf, "[SCACHE] added session for %s [proto=0x%x, "
    764. 

  764.                 "lifetime=%d, alpn=%s, earlydata=%zu, quic_tp=%s], "
    765. 

  765.                 "peer has %zu sessions now",
    766. 

  766.                 ssl_peer_key, s->ietf_tls_id, s->lifetime_secs, s->alpn,
    767. 

  767.                 s->earlydata_max, s->quic_tp ? "yes" : "no",
    768. 

  768.                 Curl_llist_count(&peer->sessions));
    769. 

  769.   return result;
    770. 

  770. }
    771. 

  771. 

  772. CURLcode Curl_ssl_scache_put(struct Curl_cfilter *cf,
    773. 

  773.                              struct Curl_easy *data,
    774. 

  774.                              const char *ssl_peer_key,
    775. 

  775.                              struct Curl_ssl_session *s)
    776. 

  776. {
    777. 

  777.   struct Curl_ssl_scache *scache = data->state.ssl_scache;
    778. 

  778.   CURLcode result;
    779. 

  779. 

  780.   Curl_ssl_scache_lock(data);
    781. 

  781.   result = cf_scache_peer_add_session(cf, data, scache, ssl_peer_key, s);
    782. 

  782.   Curl_ssl_scache_unlock(data);
    783. 

  783.   return result;
    784. 

  784. }
    785. 

  785. 

  786. void Curl_ssl_scache_return(struct Curl_cfilter *cf,
    787. 

  787.                            struct Curl_easy *data,
    788. 

  788.                            const char *ssl_peer_key,
    789. 

  789.                            struct Curl_ssl_session *s)
    790. 

  790. {
    791. 

  791.   /* See RFC 8446 C.4:
    792. 

  792.    * "Clients SHOULD NOT reuse a ticket for multiple connections." */
    793. 

  793.   if(s && s->ietf_tls_id < 0x304)
    794. 

  794.     (void)Curl_ssl_scache_put(cf, data, ssl_peer_key, s);
    795. 

  795.   else
    796. 

  796.     Curl_ssl_session_destroy(s);
    797. 

  797. }
    798. 

  798. 

  799. CURLcode Curl_ssl_scache_take(struct Curl_cfilter *cf,
    800. 

  800.                               struct Curl_easy *data,
    801. 

  801.                               const char *ssl_peer_key,
    802. 

  802.                               struct Curl_ssl_session **ps)
    803. 

  803. {
    804. 

  804.   struct Curl_ssl_scache *scache = data->state.ssl_scache;
    805. 

  805.   struct Curl_ssl_scache_peer *peer = NULL;
    806. 

  806.   struct Curl_llist_node *n;
    807. 

  807.   struct Curl_ssl_session *s = NULL;
    808. 

  808.   CURLcode result;
    809. 

  809. 

  810.   *ps = NULL;
    811. 

  811.   if(!scache)
    812. 

  812.     return CURLE_OK;
    813. 

  813. 

  814.   Curl_ssl_scache_lock(data);
    815. 

  815.   result = cf_ssl_find_peer(cf, data, scache, ssl_peer_key, &peer);
    816. 

  816.   if(!result && peer) {
    817. 

  817.     cf_scache_peer_remove_expired(peer, (curl_off_t)time(NULL));
    818. 

  818.     n = Curl_llist_head(&peer->sessions);
    819. 

  819.     if(n) {
    820. 

  820.       s = Curl_node_take_elem(n);
    821. 

  821.       (scache->age)++;            /* increase general age */
    822. 

  822.       peer->age = scache->age; /* set this as used in this age */
    823. 

  823.     }
    824. 

  824.   }
    825. 

  825.   Curl_ssl_scache_unlock(data);
    826. 

  826.   if(s) {
    827. 

  827.     *ps = s;
    828. 

  828.     CURL_TRC_CF(data, cf, "[SCACHE] took session for %s [proto=0x%x, "
    829. 

  829.                 "lifetime=%d, alpn=%s, earlydata=%zu, quic_tp=%s], "
    830. 

  830.                 "%zu sessions remain",
    831. 

  831.                 ssl_peer_key, s->ietf_tls_id, s->lifetime_secs, s->alpn,
    832. 

  832.                 s->earlydata_max, s->quic_tp ? "yes" : "no",
    833. 

  833.                 Curl_llist_count(&peer->sessions));
    834. 

  834.   }
    835. 

  835.   else {
    836. 

  836.     CURL_TRC_CF(data, cf, "[SCACHE] no cached session for %s", ssl_peer_key);
    837. 

  837.   }
    838. 

  838.   return result;
    839. 

  839. }
    840. 

  840. 

  841. CURLcode Curl_ssl_scache_add_obj(struct Curl_cfilter *cf,
    842. 

  842.                                  struct Curl_easy *data,
    843. 

  843.                                  const char *ssl_peer_key,
    844. 

  844.                                  void *sobj,
    845. 

  845.                                  Curl_ssl_scache_obj_dtor *sobj_free)
    846. 

  846. {
    847. 

  847.   struct Curl_ssl_scache *scache = data->state.ssl_scache;
    848. 

  848.   struct Curl_ssl_scache_peer *peer = NULL;
    849. 

  849.   CURLcode result;
    850. 

  850. 

  851.   DEBUGASSERT(sobj);
    852. 

  852.   DEBUGASSERT(sobj_free);
    853. 

  853. 

  854.   result = cf_ssl_add_peer(cf, data, scache, ssl_peer_key, &peer);
    855. 

  855.   if(result || !peer) {
    856. 

  856.     CURL_TRC_CF(data, cf, "[SCACHE] unable to add scache peer: %d", result);
    857. 

  857.     goto out;
    858. 

  858.   }
    859. 

  859. 

  860.   cf_ssl_scache_peer_set_obj(peer, sobj, sobj_free);
    861. 

  861.   sobj = NULL;  /* peer took ownership */
    862. 

  862. 

  863. out:
    864. 

  864.   if(sobj && sobj_free)
    865. 

  865.     sobj_free(sobj);
    866. 

  866.   return result;
    867. 

  867. }
    868. 

  868. 

  869. bool Curl_ssl_scache_get_obj(struct Curl_cfilter *cf,
    870. 

  870.                              struct Curl_easy *data,
    871. 

  871.                              const char *ssl_peer_key,
    872. 

  872.                              void **sobj)
    873. 

  873. {
    874. 

  874.   struct Curl_ssl_scache *scache = data->state.ssl_scache;
    875. 

  875.   struct Curl_ssl_scache_peer *peer = NULL;
    876. 

  876.   CURLcode result;
    877. 

  877. 

  878.   *sobj = NULL;
    879. 

  879.   if(!scache)
    880. 

  880.     return FALSE;
    881. 

  881. 

  882.   result = cf_ssl_find_peer(cf, data, scache, ssl_peer_key, &peer);
    883. 

  883.   if(result)
    884. 

  884.     return FALSE;
    885. 

  885. 

  886.   if(peer)
    887. 

  887.     *sobj = peer->sobj;
    888. 

  888. 

  889.   CURL_TRC_CF(data, cf, "[SACHE] %s cached session for '%s'",
    890. 

  890.               *sobj ? "Found" : "No", ssl_peer_key);
    891. 

  891.   return !!*sobj;
    892. 

  892. }
    893. 

  893. 

  894. void Curl_ssl_scache_remove_all(struct Curl_cfilter *cf,
    895. 

  895.                                 struct Curl_easy *data,
    896. 

  896.                                 const char *ssl_peer_key)
    897. 

  897. {
    898. 

  898.   struct Curl_ssl_scache *scache = data->state.ssl_scache;
    899. 

  899.   struct Curl_ssl_scache_peer *peer = NULL;
    900. 

  900.   CURLcode result;
    901. 

  901. 

  902.   (void)cf;
    903. 

  903.   if(!scache)
    904. 

  904.     return;
    905. 

  905. 

  906.   Curl_ssl_scache_lock(data);
    907. 

  907.   result = cf_ssl_find_peer(cf, data, scache, ssl_peer_key, &peer);
    908. 

  908.   if(!result && peer)
    909. 

  909.     cf_ssl_scache_clear_peer(peer);
    910. 

  910.   Curl_ssl_scache_unlock(data);
    911. 

  911. }
    912. 

  912. 

  913. #endif /* USE_SSL */
    914.