vtls: Only call add/getsession if session id is enabled
Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reuse was enabled. According to the comments, that was done in case session ID reuse was disabled but later enabled again. The old way was not intuitive and probably not what users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case caching is later enabled.
This commit is contained in:
parent
046c2c85c4
commit
04b4ee5498
@ -143,8 +143,6 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
|
|||||||
int cert_types[] = {SSL_OBJ_X509_CERT, SSL_OBJ_PKCS12, 0};
|
int cert_types[] = {SSL_OBJ_X509_CERT, SSL_OBJ_PKCS12, 0};
|
||||||
int key_types[] = {SSL_OBJ_RSA_KEY, SSL_OBJ_PKCS8, SSL_OBJ_PKCS12, 0};
|
int key_types[] = {SSL_OBJ_RSA_KEY, SSL_OBJ_PKCS8, SSL_OBJ_PKCS12, 0};
|
||||||
int i, ssl_fcn_return;
|
int i, ssl_fcn_return;
|
||||||
const uint8_t *ssl_sessionid;
|
|
||||||
size_t ssl_idsize;
|
|
||||||
|
|
||||||
/* Assuming users will not compile in custom key/cert to axTLS.
|
/* Assuming users will not compile in custom key/cert to axTLS.
|
||||||
* Also, even for blocking connects, use axTLS non-blocking feature.
|
* Also, even for blocking connects, use axTLS non-blocking feature.
|
||||||
@ -258,6 +256,10 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
|
|||||||
* 2) setting up callbacks. these seem gnutls specific
|
* 2) setting up callbacks. these seem gnutls specific
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
const uint8_t *ssl_sessionid;
|
||||||
|
size_t ssl_idsize;
|
||||||
|
|
||||||
/* In axTLS, handshaking happens inside ssl_client_new. */
|
/* In axTLS, handshaking happens inside ssl_client_new. */
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
if(!Curl_ssl_getsessionid(conn, (void **) &ssl_sessionid, &ssl_idsize)) {
|
if(!Curl_ssl_getsessionid(conn, (void **) &ssl_sessionid, &ssl_idsize)) {
|
||||||
@ -265,12 +267,12 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
|
|||||||
infof (data, "SSL re-using session ID\n");
|
infof (data, "SSL re-using session ID\n");
|
||||||
ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex],
|
ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex],
|
||||||
ssl_sessionid, (uint8_t)ssl_idsize);
|
ssl_sessionid, (uint8_t)ssl_idsize);
|
||||||
|
}
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
if(!ssl)
|
||||||
ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex], NULL, 0);
|
ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex], NULL, 0);
|
||||||
}
|
|
||||||
|
|
||||||
conn->ssl[sockindex].ssl = ssl;
|
conn->ssl[sockindex].ssl = ssl;
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
@ -284,8 +286,6 @@ static CURLcode connect_finish(struct connectdata *conn, int sockindex)
|
|||||||
{
|
{
|
||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
SSL *ssl = conn->ssl[sockindex].ssl;
|
SSL *ssl = conn->ssl[sockindex].ssl;
|
||||||
const uint8_t *ssl_sessionid;
|
|
||||||
size_t ssl_idsize;
|
|
||||||
const char *peer_CN;
|
const char *peer_CN;
|
||||||
uint32_t dns_altname_index;
|
uint32_t dns_altname_index;
|
||||||
const char *dns_altname;
|
const char *dns_altname;
|
||||||
@ -383,13 +383,15 @@ static CURLcode connect_finish(struct connectdata *conn, int sockindex)
|
|||||||
conn->send[sockindex] = axtls_send;
|
conn->send[sockindex] = axtls_send;
|
||||||
|
|
||||||
/* Put our freshly minted SSL session in cache */
|
/* Put our freshly minted SSL session in cache */
|
||||||
ssl_idsize = ssl_get_session_id_size(ssl);
|
if(conn->ssl_config.sessionid) {
|
||||||
ssl_sessionid = ssl_get_session_id(ssl);
|
const uint8_t *ssl_sessionid = ssl_get_session_id_size(ssl);
|
||||||
|
size_t ssl_idsize = ssl_get_session_id(ssl);
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
if(Curl_ssl_addsessionid(conn, (void *) ssl_sessionid, ssl_idsize)
|
if(Curl_ssl_addsessionid(conn, (void *) ssl_sessionid, ssl_idsize)
|
||||||
!= CURLE_OK)
|
!= CURLE_OK)
|
||||||
infof (data, "failed to add session to cache\n");
|
infof (data, "failed to add session to cache\n");
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
|
}
|
||||||
|
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
}
|
}
|
||||||
|
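Review bot: The two new declarations in connect_finish swap the calls: `const uint8_t *ssl_sessionid = ssl_get_session_id_size(ssl);` assigns the size to the pointer and `size_t ssl_idsize = ssl_get_session_id(ssl);` assigns the pointer to the length, so the Curl_ssl_addsessionid call right below caches a bogus pointer/length pair (the removed lines had them the other way round). They should read `const uint8_t *ssl_sessionid = ssl_get_session_id(ssl);` and `size_t ssl_idsize = ssl_get_session_id_size(ssl);`. Separately, the new `if(!ssl)` fallback in connect_prep only works if ssl was initialised to NULL before the hunk; its declaration is outside the visible lines, so that should be confirmed.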
@ -137,7 +137,6 @@ cyassl_connect_step1(struct connectdata *conn,
|
|||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
struct ssl_connect_data* conssl = &conn->ssl[sockindex];
|
struct ssl_connect_data* conssl = &conn->ssl[sockindex];
|
||||||
SSL_METHOD* req_method = NULL;
|
SSL_METHOD* req_method = NULL;
|
||||||
void* ssl_sessionid = NULL;
|
|
||||||
curl_socket_t sockfd = conn->sock[sockindex];
|
curl_socket_t sockfd = conn->sock[sockindex];
|
||||||
#ifdef HAVE_SNI
|
#ifdef HAVE_SNI
|
||||||
bool sni = FALSE;
|
bool sni = FALSE;
|
||||||
@ -378,19 +377,24 @@ cyassl_connect_step1(struct connectdata *conn,
|
|||||||
#endif /* HAVE_ALPN */
|
#endif /* HAVE_ALPN */
|
||||||
|
|
||||||
/* Check if there's a cached ID we can/should use here! */
|
/* Check if there's a cached ID we can/should use here! */
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
void *ssl_sessionid = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
|
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
|
||||||
/* we got a session id, use it! */
|
/* we got a session id, use it! */
|
||||||
if(!SSL_set_session(conssl->handle, ssl_sessionid)) {
|
if(!SSL_set_session(conssl->handle, ssl_sessionid)) {
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
failf(data, "SSL: SSL_set_session failed: %s",
|
failf(data, "SSL: SSL_set_session failed: %s",
|
||||||
ERR_error_string(SSL_get_error(conssl->handle, 0), error_buffer));
|
ERR_error_string(SSL_get_error(conssl->handle, 0),
|
||||||
|
error_buffer));
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
}
|
}
|
||||||
/* Informational message */
|
/* Informational message */
|
||||||
infof (data, "SSL re-using session ID\n");
|
infof (data, "SSL re-using session ID\n");
|
||||||
}
|
}
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
|
}
|
||||||
|
|
||||||
/* pass the raw socket into the SSL layer */
|
/* pass the raw socket into the SSL layer */
|
||||||
if(!SSL_set_fd(conssl->handle, (int)sockfd)) {
|
if(!SSL_set_fd(conssl->handle, (int)sockfd)) {
|
||||||
@ -574,14 +578,16 @@ cyassl_connect_step3(struct connectdata *conn,
|
|||||||
int sockindex)
|
int sockindex)
|
||||||
{
|
{
|
||||||
CURLcode result = CURLE_OK;
|
CURLcode result = CURLE_OK;
|
||||||
void *old_ssl_sessionid=NULL;
|
|
||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
bool incache;
|
|
||||||
SSL_SESSION *our_ssl_sessionid;
|
|
||||||
|
|
||||||
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
||||||
|
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
bool incache;
|
||||||
|
SSL_SESSION *our_ssl_sessionid;
|
||||||
|
void *old_ssl_sessionid = NULL;
|
||||||
|
|
||||||
our_ssl_sessionid = SSL_get_session(connssl->handle);
|
our_ssl_sessionid = SSL_get_session(connssl->handle);
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
@ -604,6 +610,7 @@ cyassl_connect_step3(struct connectdata *conn,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
|
}
|
||||||
|
|
||||||
connssl->connecting_state = ssl_connect_done;
|
connssl->connecting_state = ssl_connect_done;
|
||||||
|
|
||||||
|
@ -1009,8 +1009,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
|
|||||||
#endif /* ENABLE_IPV6 */
|
#endif /* ENABLE_IPV6 */
|
||||||
size_t all_ciphers_count = 0UL, allowed_ciphers_count = 0UL, i;
|
size_t all_ciphers_count = 0UL, allowed_ciphers_count = 0UL, i;
|
||||||
SSLCipherSuite *all_ciphers = NULL, *allowed_ciphers = NULL;
|
SSLCipherSuite *all_ciphers = NULL, *allowed_ciphers = NULL;
|
||||||
char *ssl_sessionid;
|
|
||||||
size_t ssl_sessionid_len;
|
|
||||||
OSStatus err = noErr;
|
OSStatus err = noErr;
|
||||||
#if CURL_BUILD_MAC
|
#if CURL_BUILD_MAC
|
||||||
int darwinver_maj = 0, darwinver_min = 0;
|
int darwinver_maj = 0, darwinver_min = 0;
|
||||||
@ -1474,6 +1472,10 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
|
|||||||
#endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
|
#endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
|
||||||
|
|
||||||
/* Check if there's a cached ID we can/should use here! */
|
/* Check if there's a cached ID we can/should use here! */
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
char *ssl_sessionid;
|
||||||
|
size_t ssl_sessionid_len;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
|
if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
|
||||||
&ssl_sessionid_len)) {
|
&ssl_sessionid_len)) {
|
||||||
@ -1511,6 +1513,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
err = SSLSetIOFuncs(connssl->ssl_ctx, SocketRead, SocketWrite);
|
err = SSLSetIOFuncs(connssl->ssl_ctx, SocketRead, SocketWrite);
|
||||||
if(err != noErr) {
|
if(err != noErr) {
|
||||||
|
@ -370,8 +370,6 @@ gtls_connect_step1(struct connectdata *conn,
|
|||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
gnutls_session_t session;
|
gnutls_session_t session;
|
||||||
int rc;
|
int rc;
|
||||||
void *ssl_sessionid;
|
|
||||||
size_t ssl_idsize;
|
|
||||||
bool sni = TRUE; /* default is SNI enabled */
|
bool sni = TRUE; /* default is SNI enabled */
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
struct in6_addr addr;
|
struct in6_addr addr;
|
||||||
@ -749,6 +747,9 @@ gtls_connect_step1(struct connectdata *conn,
|
|||||||
|
|
||||||
/* This might be a reconnect, so we check for a session ID in the cache
|
/* This might be a reconnect, so we check for a session ID in the cache
|
||||||
to speed up things */
|
to speed up things */
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
void *ssl_sessionid;
|
||||||
|
size_t ssl_idsize;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize)) {
|
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize)) {
|
||||||
@ -759,6 +760,7 @@ gtls_connect_step1(struct connectdata *conn,
|
|||||||
infof (data, "SSL re-using session ID\n");
|
infof (data, "SSL re-using session ID\n");
|
||||||
}
|
}
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
|
}
|
||||||
|
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
}
|
}
|
||||||
@ -841,8 +843,6 @@ gtls_connect_step3(struct connectdata *conn,
|
|||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
gnutls_session_t session = conn->ssl[sockindex].session;
|
gnutls_session_t session = conn->ssl[sockindex].session;
|
||||||
int rc;
|
int rc;
|
||||||
bool incache;
|
|
||||||
void *ssl_sessionid;
|
|
||||||
#ifdef HAS_ALPN
|
#ifdef HAS_ALPN
|
||||||
gnutls_datum_t proto;
|
gnutls_datum_t proto;
|
||||||
#endif
|
#endif
|
||||||
@ -1270,11 +1270,13 @@ gtls_connect_step3(struct connectdata *conn,
|
|||||||
conn->recv[sockindex] = gtls_recv;
|
conn->recv[sockindex] = gtls_recv;
|
||||||
conn->send[sockindex] = gtls_send;
|
conn->send[sockindex] = gtls_send;
|
||||||
|
|
||||||
{
|
if(conn->ssl_config.sessionid) {
|
||||||
/* we always unconditionally get the session id here, as even if we
|
/* we always unconditionally get the session id here, as even if we
|
||||||
already got it from the cache and asked to use it in the connection, it
|
already got it from the cache and asked to use it in the connection, it
|
||||||
might've been rejected and then a new one is in use now and we need to
|
might've been rejected and then a new one is in use now and we need to
|
||||||
detect that. */
|
detect that. */
|
||||||
|
bool incache;
|
||||||
|
void *ssl_sessionid;
|
||||||
void *connect_sessionid;
|
void *connect_sessionid;
|
||||||
size_t connect_idsize = 0;
|
size_t connect_idsize = 0;
|
||||||
|
|
||||||
|
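Review bot: The comment kept directly under the new `if(conn->ssl_config.sessionid) {` in gtls_connect_step3 still says "we always unconditionally get the session id here", which is no longer accurate now that the whole block is skipped when caching is disabled. Suggest `/* with caching enabled we always fetch the session id here, as even if we` as the first comment line so the remaining sentence about a rejected cached session still reads correctly. The block continues outside the hunk.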
@ -162,7 +162,6 @@ mbed_connect_step1(struct connectdata *conn,
|
|||||||
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
|
||||||
|
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
void *old_session = NULL;
|
|
||||||
char errorbuf[128];
|
char errorbuf[128];
|
||||||
errorbuf[0]=0;
|
errorbuf[0]=0;
|
||||||
|
|
||||||
@ -365,6 +364,11 @@ mbed_connect_step1(struct connectdata *conn,
|
|||||||
|
|
||||||
mbedtls_ssl_conf_ciphersuites(&connssl->config,
|
mbedtls_ssl_conf_ciphersuites(&connssl->config,
|
||||||
mbedtls_ssl_list_ciphersuites());
|
mbedtls_ssl_list_ciphersuites());
|
||||||
|
|
||||||
|
/* Check if there's a cached ID we can/should use here! */
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
void *old_session = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
|
if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
|
||||||
ret = mbedtls_ssl_set_session(&connssl->ssl, old_session);
|
ret = mbedtls_ssl_set_session(&connssl->ssl, old_session);
|
||||||
@ -376,6 +380,7 @@ mbed_connect_step1(struct connectdata *conn,
|
|||||||
infof(data, "mbedTLS re-using session\n");
|
infof(data, "mbedTLS re-using session\n");
|
||||||
}
|
}
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
|
}
|
||||||
|
|
||||||
mbedtls_ssl_conf_ca_chain(&connssl->config,
|
mbedtls_ssl_conf_ca_chain(&connssl->config,
|
||||||
&connssl->cacert,
|
&connssl->cacert,
|
||||||
@ -591,12 +596,14 @@ mbed_connect_step3(struct connectdata *conn,
|
|||||||
CURLcode retcode = CURLE_OK;
|
CURLcode retcode = CURLE_OK;
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
void *old_ssl_sessionid = NULL;
|
|
||||||
mbedtls_ssl_session *our_ssl_sessionid;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
||||||
|
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
int ret;
|
||||||
|
mbedtls_ssl_session *our_ssl_sessionid;
|
||||||
|
void *old_ssl_sessionid = NULL;
|
||||||
|
|
||||||
our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
|
our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
|
||||||
if(!our_ssl_sessionid)
|
if(!our_ssl_sessionid)
|
||||||
return CURLE_OUT_OF_MEMORY;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
@ -621,6 +628,7 @@ mbed_connect_step3(struct connectdata *conn,
|
|||||||
failf(data, "failed to store ssl session");
|
failf(data, "failed to store ssl session");
|
||||||
return retcode;
|
return retcode;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
connssl->connecting_state = ssl_connect_done;
|
connssl->connecting_state = ssl_connect_done;
|
||||||
|
|
||||||
|
@ -1679,7 +1679,6 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
char *ciphers;
|
char *ciphers;
|
||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
|
SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
|
||||||
void *ssl_sessionid = NULL;
|
|
||||||
X509_LOOKUP *lookup = NULL;
|
X509_LOOKUP *lookup = NULL;
|
||||||
curl_socket_t sockfd = conn->sock[sockindex];
|
curl_socket_t sockfd = conn->sock[sockindex];
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
@ -2095,6 +2094,9 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Check if there's a cached ID we can/should use here! */
|
/* Check if there's a cached ID we can/should use here! */
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
void *ssl_sessionid = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
|
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
|
||||||
/* we got a session id, use it! */
|
/* we got a session id, use it! */
|
||||||
@ -2108,6 +2110,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
infof (data, "SSL re-using session ID\n");
|
infof (data, "SSL re-using session ID\n");
|
||||||
}
|
}
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
|
}
|
||||||
|
|
||||||
/* pass the raw socket into the SSL layers */
|
/* pass the raw socket into the SSL layers */
|
||||||
if(!SSL_set_fd(connssl->handle, (int)sockfd)) {
|
if(!SSL_set_fd(connssl->handle, (int)sockfd)) {
|
||||||
@ -2823,14 +2826,16 @@ static CURLcode servercert(struct connectdata *conn,
|
|||||||
static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
|
static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
|
||||||
{
|
{
|
||||||
CURLcode result = CURLE_OK;
|
CURLcode result = CURLE_OK;
|
||||||
void *old_ssl_sessionid = NULL;
|
|
||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
bool incache;
|
|
||||||
SSL_SESSION *our_ssl_sessionid;
|
|
||||||
|
|
||||||
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
||||||
|
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
bool incache;
|
||||||
|
SSL_SESSION *our_ssl_sessionid;
|
||||||
|
void *old_ssl_sessionid = NULL;
|
||||||
|
|
||||||
our_ssl_sessionid = SSL_get1_session(connssl->handle);
|
our_ssl_sessionid = SSL_get1_session(connssl->handle);
|
||||||
|
|
||||||
/* SSL_get1_session() will increment the reference count and the session
|
/* SSL_get1_session() will increment the reference count and the session
|
||||||
@ -2864,6 +2869,7 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
|
|||||||
SSL_SESSION_free(our_ssl_sessionid);
|
SSL_SESSION_free(our_ssl_sessionid);
|
||||||
}
|
}
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* We check certificates to authenticate the server; otherwise we risk
|
* We check certificates to authenticate the server; otherwise we risk
|
||||||
|
@ -150,7 +150,6 @@ polarssl_connect_step1(struct connectdata *conn,
|
|||||||
#else
|
#else
|
||||||
struct in_addr addr;
|
struct in_addr addr;
|
||||||
#endif
|
#endif
|
||||||
void *old_session = NULL;
|
|
||||||
char errorbuf[128];
|
char errorbuf[128];
|
||||||
errorbuf[0]=0;
|
errorbuf[0]=0;
|
||||||
|
|
||||||
@ -337,6 +336,11 @@ polarssl_connect_step1(struct connectdata *conn,
|
|||||||
net_send, &conn->sock[sockindex]);
|
net_send, &conn->sock[sockindex]);
|
||||||
|
|
||||||
ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
|
ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
|
||||||
|
|
||||||
|
/* Check if there's a cached ID we can/should use here! */
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
void *old_session = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
|
if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
|
||||||
ret = ssl_set_session(&connssl->ssl, old_session);
|
ret = ssl_set_session(&connssl->ssl, old_session);
|
||||||
@ -347,6 +351,7 @@ polarssl_connect_step1(struct connectdata *conn,
|
|||||||
}
|
}
|
||||||
infof(data, "PolarSSL re-using session\n");
|
infof(data, "PolarSSL re-using session\n");
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
ssl_set_ca_chain(&connssl->ssl,
|
ssl_set_ca_chain(&connssl->ssl,
|
||||||
&connssl->cacert,
|
&connssl->cacert,
|
||||||
@ -555,12 +560,14 @@ polarssl_connect_step3(struct connectdata *conn,
|
|||||||
CURLcode retcode = CURLE_OK;
|
CURLcode retcode = CURLE_OK;
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
void *old_ssl_sessionid = NULL;
|
|
||||||
ssl_session *our_ssl_sessionid;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
||||||
|
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
int ret;
|
||||||
|
ssl_session *our_ssl_sessionid;
|
||||||
|
void *old_ssl_sessionid = NULL;
|
||||||
|
|
||||||
our_ssl_sessionid = malloc(sizeof(ssl_session));
|
our_ssl_sessionid = malloc(sizeof(ssl_session));
|
||||||
if(!our_ssl_sessionid)
|
if(!our_ssl_sessionid)
|
||||||
return CURLE_OUT_OF_MEMORY;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
@ -585,6 +592,7 @@ polarssl_connect_step3(struct connectdata *conn,
|
|||||||
failf(data, "failed to store ssl session");
|
failf(data, "failed to store ssl session");
|
||||||
return retcode;
|
return retcode;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
connssl->connecting_state = ssl_connect_done;
|
connssl->connecting_state = ssl_connect_done;
|
||||||
|
|
||||||
|
@ -127,7 +127,10 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
|
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
|
||||||
conn->host.name, conn->remote_port);
|
conn->host.name, conn->remote_port);
|
||||||
|
|
||||||
|
connssl->cred = NULL;
|
||||||
|
|
||||||
/* check for an existing re-usable credential handle */
|
/* check for an existing re-usable credential handle */
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL)) {
|
if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL)) {
|
||||||
connssl->cred = old_cred;
|
connssl->cred = old_cred;
|
||||||
@ -137,12 +140,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
connssl->cred->refcount++;
|
connssl->cred->refcount++;
|
||||||
infof(data, "schannel: incremented credential handle refcount = %d\n",
|
infof(data, "schannel: incremented credential handle refcount = %d\n",
|
||||||
connssl->cred->refcount);
|
connssl->cred->refcount);
|
||||||
|
}
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
|
||||||
|
|
||||||
|
if(!connssl->cred) {
|
||||||
/* setup Schannel API options */
|
/* setup Schannel API options */
|
||||||
memset(&schannel_cred, 0, sizeof(schannel_cred));
|
memset(&schannel_cred, 0, sizeof(schannel_cred));
|
||||||
schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
|
schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
|
||||||
@ -619,13 +621,11 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
|
|||||||
CURLcode result = CURLE_OK;
|
CURLcode result = CURLE_OK;
|
||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
struct curl_schannel_cred *old_cred = NULL;
|
|
||||||
SECURITY_STATUS sspi_status = SEC_E_OK;
|
SECURITY_STATUS sspi_status = SEC_E_OK;
|
||||||
CERT_CONTEXT *ccert_context = NULL;
|
CERT_CONTEXT *ccert_context = NULL;
|
||||||
#ifdef HAS_ALPN
|
#ifdef HAS_ALPN
|
||||||
SecPkgContext_ApplicationProtocol alpn_result;
|
SecPkgContext_ApplicationProtocol alpn_result;
|
||||||
#endif
|
#endif
|
||||||
bool incache;
|
|
||||||
|
|
||||||
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
||||||
|
|
||||||
@ -689,6 +689,10 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* save the current session data for possible re-use */
|
/* save the current session data for possible re-use */
|
||||||
|
if(conn->ssl_config.sessionid) {
|
||||||
|
bool incache;
|
||||||
|
struct curl_schannel_cred *old_cred = NULL;
|
||||||
|
|
||||||
Curl_ssl_sessionid_lock(conn);
|
Curl_ssl_sessionid_lock(conn);
|
||||||
incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL));
|
incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL));
|
||||||
if(incache) {
|
if(incache) {
|
||||||
@ -699,7 +703,6 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
|
|||||||
incache = FALSE;
|
incache = FALSE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!incache) {
|
if(!incache) {
|
||||||
result = Curl_ssl_addsessionid(conn, (void *)connssl->cred,
|
result = Curl_ssl_addsessionid(conn, (void *)connssl->cred,
|
||||||
sizeof(struct curl_schannel_cred));
|
sizeof(struct curl_schannel_cred));
|
||||||
@ -715,6 +718,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
Curl_ssl_sessionid_unlock(conn);
|
Curl_ssl_sessionid_unlock(conn);
|
||||||
|
}
|
||||||
|
|
||||||
if(data->set.ssl.certinfo) {
|
if(data->set.ssl.certinfo) {
|
||||||
sspi_status = s_pSecFn->QueryContextAttributes(&connssl->ctxt->ctxt_handle,
|
sspi_status = s_pSecFn->QueryContextAttributes(&connssl->ctxt->ctxt_handle,
|
||||||
|
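Review bot: `connssl->cred = NULL;` is now assigned unconditionally at the top of schannel_connect_step1, before the cache lookup, and the later `if(!connssl->cred) {` relies on it. If a connssl can reach step1 while already holding a credential (its declaration and any earlier use are outside the hunk, so I cannot tell), that reference is dropped without the refcount decrement the cache path depends on. If step1 is only ever entered with a fresh connssl, a `DEBUGASSERT(!connssl->cred);` before the assignment, or the comment `/* step1 always starts without a credential; a cached one is attached below */`, would make that invariant explicit.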
@ -364,6 +364,8 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
|
|||||||
|
|
||||||
*ssl_sessionid = NULL;
|
*ssl_sessionid = NULL;
|
||||||
|
|
||||||
|
DEBUGASSERT(conn->ssl_config.sessionid);
|
||||||
|
|
||||||
if(!conn->ssl_config.sessionid)
|
if(!conn->ssl_config.sessionid)
|
||||||
/* session ID re-use is disabled */
|
/* session ID re-use is disabled */
|
||||||
return TRUE;
|
return TRUE;
|
||||||
@ -460,9 +462,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
|
|||||||
int conn_to_port;
|
int conn_to_port;
|
||||||
long *general_age;
|
long *general_age;
|
||||||
|
|
||||||
/* Even though session ID re-use might be disabled, that only disables USING
|
DEBUGASSERT(conn->ssl_config.sessionid);
|
||||||
IT. We still store it here in case the re-using is again enabled for an
|
|
||||||
upcoming transfer */
|
|
||||||
|
|
||||||
clone_host = strdup(conn->host.name);
|
clone_host = strdup(conn->host.name);
|
||||||
if(!clone_host)
|
if(!clone_host)
|
||||||
|
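Review bot: Curl_ssl_addsessionid now only carries `DEBUGASSERT(conn->ssl_config.sessionid);` where the old comment was, while Curl_ssl_getsessionid keeps its runtime `if(!conn->ssl_config.sessionid) return TRUE;` guard next to the new assert. In a release build any backend that still calls addsessionid with caching disabled would store the session anyway, which is exactly the behaviour this commit sets out to remove. Mirroring the getter with `if(!conn->ssl_config.sessionid) return CURLE_OK; /* session ID re-use is disabled */` after the assert keeps both entry points consistent; if the assert alone is intended, the declaration's comment should state that callers must check sessionid first. Both function bodies extend outside the hunks.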