authorStefan Eissing <stefan@eissing.org>2022-11-22 09:55:41 +0100
committerDaniel Stenberg <daniel@haxx.se>2022-11-22 14:25:50 +0100
commitaf22c2a546ab862ab577c8d9d3609af0de178974 (patch)
treef1a0c2d3c57d45da66809894997a50db840ac9e6 /lib/vtls/vtls.h
parenta28a80d59e8f111fa5a23bfb76c8ff148333edb0 (diff)
vtls: localization of state data in filters
- almost all backend calls pass the Curl_cfilter instance instead of connectdata+sockindex - ssl_connect_data is removed from struct connectdata and made internal to vtls - ssl_connect_data is allocated in the added filter, kept at cf->ctx - added function to let a ssl filter access its ssl_primary_config and ssl_config_data; this selects the proper subfields in conn and data, for filters added as plain or proxy - adjusted all backends to use the changed api - adjusted all backends to access config data via the exposed functions, no longer using conn or data directly cfilter renames for clear purpose: - methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`. - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance. - methods `Curl_conn_cf()` work on/with filter instances at a connection. - rebased and resolved some naming conflicts - hostname validation (and session lookup) on SECONDARY use the same name as on FIRST (again). new debug macros and removing connectdata from function signatures where not needed. adapting schannel for new Curl_read_plain parameter. Closes #9919
Diffstat (limited to 'lib/vtls/vtls.h')
-rw-r--r--lib/vtls/vtls.h115
1 files changed, 44 insertions, 71 deletions
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index 8fd77b159..17c377095 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -26,6 +26,7 @@
#include "curl_setup.h"
struct connectdata;
+struct ssl_config_data;
struct ssl_connect_data;
struct ssl_primary_config;
struct Curl_ssl_session;
@@ -70,40 +71,6 @@ CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
#define ALPN_H2_LENGTH 2
#define ALPN_H2 "h2"
-/* set of helper macros for the backends to access the correct fields. For the
- proxy or for the remote host - to properly support HTTPS proxy */
-#ifndef CURL_DISABLE_PROXY
-#define SSL_IS_PROXY() \
- (CURLPROXY_HTTPS == conn->http_proxy.proxytype && \
- ssl_connection_complete != \
- conn->proxy_ssl[conn->sock[SECONDARYSOCKET] == \
- CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state)
-#define SSL_SET_OPTION(var) \
- (SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var)
-#define SSL_SET_OPTION_LVALUE(var) \
- (*(SSL_IS_PROXY() ? &data->set.proxy_ssl.var : &data->set.ssl.var))
-#define SSL_CONN_CONFIG(var) \
- (SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var)
-#define SSL_HOST_NAME() \
- (SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name)
-#define SSL_HOST_DISPNAME() \
- (SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname)
-#define SSL_HOST_PORT() \
- (SSL_IS_PROXY() ? conn->port : conn->remote_port)
-#define SSL_PINNED_PUB_KEY() (SSL_IS_PROXY() \
- ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] \
- : data->set.str[STRING_SSL_PINNEDPUBLICKEY])
-#else
-#define SSL_IS_PROXY() FALSE
-#define SSL_SET_OPTION(var) data->set.ssl.var
-#define SSL_SET_OPTION_LVALUE(var) data->set.ssl.var
-#define SSL_CONN_CONFIG(var) conn->ssl_config.var
-#define SSL_HOST_NAME() conn->host.name
-#define SSL_HOST_DISPNAME() conn->host.dispname
-#define SSL_HOST_PORT() conn->remote_port
-#define SSL_PINNED_PUB_KEY() \
- data->set.str[STRING_SSL_PINNEDPUBLICKEY]
-#endif
char *Curl_ssl_snihost(struct Curl_easy *data, const char *host, size_t *olen);
bool Curl_ssl_config_matches(struct ssl_primary_config *data,
@@ -120,8 +87,6 @@ void Curl_ssl_cleanup(void);
/* tell the SSL stuff to close down all open information regarding
connections (and thus session ID caching etc) */
void Curl_ssl_close_all(struct Curl_easy *data);
-CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
- int sockindex);
CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine);
/* Sets engine as default for all SSL operations */
CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data);
@@ -130,7 +95,7 @@ struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data);
/* init the SSL session ID cache */
CURLcode Curl_ssl_initsessions(struct Curl_easy *, size_t);
void Curl_ssl_version(char *buffer, size_t size);
-int Curl_ssl_check_cxn(struct connectdata *conn);
+int Curl_ssl_check_cxn(struct Curl_easy *data, struct connectdata *conn);
/* Certificate information list handling. */
@@ -156,30 +121,6 @@ void Curl_ssl_sessionid_lock(struct Curl_easy *data);
/* Unlock session cache mutex */
void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
-/* extract a session ID
- * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
- * Caller must make sure that the ownership of returned sessionid object
- * is properly taken (e.g. its refcount is incremented
- * under sessionid mutex).
- */
-bool Curl_ssl_getsessionid(struct Curl_easy *data,
- struct connectdata *conn,
- const bool isProxy,
- void **ssl_sessionid,
- size_t *idsize, /* set 0 if unknown */
- int sockindex);
-/* add a new session ID
- * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
- * Caller must ensure that it has properly shared ownership of this sessionid
- * object with cache (e.g. incrementing refcount on success)
- */
-CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
- struct connectdata *conn,
- const bool isProxy,
- void *ssl_sessionid,
- size_t idsize,
- int sockindex,
- bool *added);
/* Kill a single session ID entry in the cache
* Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
* This will call engine-specific curlssl_session_free function, which must
@@ -211,17 +152,48 @@ void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend);
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
-CURLcode Curl_cfilter_ssl_add(struct Curl_easy *data,
- struct connectdata *conn,
+CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
int sockindex);
+CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
+ int sockindex);
+
#ifndef CURL_DISABLE_PROXY
-CURLcode Curl_cfilter_ssl_proxy_add(struct Curl_easy *data,
- struct connectdata *conn,
+CURLcode Curl_ssl_cfilter_proxy_add(struct Curl_easy *data,
int sockindex);
#endif /* !CURL_DISABLE_PROXY */
-bool Curl_cfilter_ssl_added(struct Curl_easy *data,
+/**
+ * Return TRUE iff the filter chain `sockindex` at connection `conn`
+ * is using/prepared for SSL encryption. This tests the presence of the
+ * necessary filters and not their connectedness.
+ */
+bool Curl_ssl_conn_is_ssl(struct Curl_easy *data,
+ int sockindex);
+
+/**
+ * Get the SSL configuration that is used on the connection.
+ * This returns NULL if no SSL is configured.
+ * Otherwise it returns the config of the first (highest) one that is
+ * either connected, in handshake or about to start
+ * (e.g. all filters below it are connected). If SSL filters are present,
+ * but neither can start operating, return the config of the lowest one
+ * that will first come into effect when connecting.
+ */
+struct ssl_config_data *Curl_ssl_get_config(struct Curl_easy *data,
+ int sockindex);
+
+/**
+ * Get the primary SSL configuration from the connection.
+ * This returns NULL if no SSL is configured.
+ * Otherwise it returns the config of the first (highest) one that is
+ * either connected, in handshake or about to start
+ * (e.g. all filters below it are connected). If SSL filters are present,
+ * but neither can start operating, return the config of the lowest one
+ * that will first come into effect when connecting.
+ */
+struct ssl_primary_config *
+Curl_ssl_get_primary_config(struct Curl_easy *data,
struct connectdata *conn,
int sockindex);
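Review bot: The new comment on Curl_ssl_conn_is_ssl describes "the filter chain `sockindex` at connection `conn`", but the declaration takes only `(data, sockindex)`, and Curl_ssl_get_primary_config keeps `struct connectdata *conn` (the two context lines inherited from the old Curl_cfilter_ssl_added prototype) while its sibling Curl_ssl_get_config takes `(data, sockindex)` — given the commit message says connectdata was dropped from signatures where not needed, this asymmetry looks accidental rather than deliberate. Either drop `conn` from Curl_ssl_get_primary_config for symmetry or state in its comment why the explicit connection is required there. I would reword the first comment to `Return TRUE iff the filter chain at `sockindex` of the handle's connection is using/prepared for SSL encryption.` and change `(e.g. all filters below it are connected)` to `(i.e. all filters below it are connected)` in both getters, since that clause is the definition, not an example. Because the selection rule (highest filter connected or about to connect, else the lowest) decides whether the proxy or the origin host's verification settings are returned, a short caveat that a TLS backend in the middle of its own handshake should use the filter-local config accessors the commit message mentions, not these connection-level getters, would prevent the wrong verifypeer/pinned-key set from being consulted.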
@@ -252,12 +224,11 @@ bool Curl_ssl_use(struct connectdata *conn, int sockindex);
#define Curl_ssl_init() 1
#define Curl_ssl_cleanup() Curl_nop_stmt
#define Curl_ssl_close_all(x) Curl_nop_stmt
-#define Curl_ssl_shutdown(x,y,z) CURLE_NOT_BUILT_IN
#define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN
#define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN
#define Curl_ssl_engines_list(x) NULL
#define Curl_ssl_initsessions(x,y) CURLE_OK
-#define Curl_ssl_check_cxn(x) 0
+#define Curl_ssl_check_cxn(d,x) 0
#define Curl_ssl_free_certinfo(x) Curl_nop_stmt
#define Curl_ssl_kill_session(x) Curl_nop_stmt
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
@@ -267,9 +238,11 @@ bool Curl_ssl_use(struct connectdata *conn, int sockindex);
#define Curl_ssl_supports(a,b) FALSE
#define Curl_ssl_get_backend_data_size(a) 0
#define Curl_ssl_use(a,b) FALSE
-#define Curl_cfilter_ssl_added(a,b,c) FALSE
-#define Curl_cfilter_ssl_add(a,b,c) CURLE_NOT_BUILT_IN
-#define Curl_cfilter_ssl_proxy_add(a,b,c) CURLE_NOT_BUILT_IN
+#define Curl_ssl_conn_is_ssl(a,b) FALSE
+#define Curl_ssl_cfilter_add(a,b) CURLE_NOT_BUILT_IN
+#define Curl_ssl_cfilter_proxy_add(a,b) CURLE_NOT_BUILT_IN
+#define Curl_ssl_get_config(a,b) NULL
+#define Curl_ssl_cfilter_remove(a,b) CURLE_OK
#endif
#endif /* HEADER_CURL_VTLS_H */
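Review bot: The fallback block for builds without TLS adds stubs for Curl_ssl_conn_is_ssl, Curl_ssl_cfilter_add, Curl_ssl_cfilter_proxy_add, Curl_ssl_get_config and Curl_ssl_cfilter_remove, but none for Curl_ssl_get_primary_config, which the TLS-enabled branch above declares; any caller of it that is not itself guarded by the TLS build condition will fail to compile in that configuration (I cannot see the callers from this header, so it may well be unused there). Adding `#define Curl_ssl_get_primary_config(a,b,c) NULL` beside the `Curl_ssl_get_config` stub keeps the two branches symmetric and matches its documented "returns NULL if no SSL is configured" contract. The remove stub yielding CURLE_OK while the add stubs yield CURLE_NOT_BUILT_IN reads as intentional but deserves a one-line comment, e.g. `/* no TLS filter can exist here, so removal trivially succeeds */`.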