- Based on initial work done by Gautam Kachroo to address a bug, we now keep

better control at the exact state of the connection's SSL status so that we know exactly when it has completed the SSL negotiation or not so that there won't be accidental re-uses of connections that are wrongly believed to be in SSL-completed-negotiate state.
2024-12-21 23:58:49 -05:00 · 2008-02-20 09:56:26 +00:00 · 2008-02-20 09:56:26 +00:00 · 53a549000c
commit 53a549000c
parent 55700cb01f
10 changed files with 46 additions and 14 deletions
--- a/6
+++ b/6
@ -7,6 +7,12 @@
                                  Changelog

 Daniel S (20 Feb 2008)
+- Based on initial work done by Gautam Kachroo to address a bug, we now keep
+  better control at the exact state of the connection's SSL status so that we
+  know exactly when it has completed the SSL negotiation or not so that there
+  won't be accidental re-uses of connections that are wrongly believed to be
+  in SSL-completed-negotiate state.
+
 - We no longer support setting the CURLOPT_URL option from inside a callback
  such as the CURLOPT_SSL_CTX_FUNCTION one treat that as if it was a Location:
  following. The patch that introduced this feature was done for 7.11.0, but
--- a/3
+++ b/3
@ -27,6 +27,7 @@ This release includes the following bugfixes:
   problems with the cert
 o when using the multi interface and a handle is removed while still having
   a transfer going on, the connection is now closed by force
+ o bad re-use of SSL connections in non-complete state

 This release includes the following known bugs:

@ -45,6 +46,6 @@ advice from friends like these:

 Michal Marek, Dmitry Kurochkin, Niklas Angebrand, Günter Knauf, Yang Tse,
 Dan Fandrich, Mike Hommey, Pooyan McSporran, Jerome Muffat-Meridol,
- Kaspar Brand
+ Kaspar Brand, Gautam Kachroo

        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/gtls.c
+++ b/lib/gtls.c
@ -501,6 +501,8 @@ Curl_gtls_connect(struct connectdata *conn,
  ptr = gnutls_mac_get_name(gnutls_mac_get(session));
  infof(data, "\t MAC: %s\n", ptr);

+  connssl->state = ssl_connection_complete;
+
  if(!ssl_sessionid) {
    /* this session was not previously in the cache, add it now */

--- a/lib/nss.c
+++ b/lib/nss.c
@ -1022,6 +1022,8 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
    goto error;
  }

+  connssl->state = ssl_connection_complete;
+
  display_conn_info(conn, connssl->handle);

  return CURLE_OK;
--- a/lib/qssl.c
+++ b/lib/qssl.c
@ -258,8 +258,11 @@ CURLcode Curl_qsossl_connect(struct connectdata * conn, int sockindex)
      SSL_Destroy(connssl->handle);
      connssl->handle = NULL;
      connssl->use = FALSE;
+      connssl->state = ssl_connection_none;
    }
  }
+  if (rc == CURLE_OK)
+    connssl->state = ssl_connection_complete;

  return rc;
 }
--- a/lib/sendf.c
+++ b/lib/sendf.c
@ -355,7 +355,7 @@ CURLcode Curl_write(struct connectdata *conn,
  CURLcode retcode;
  int num = (sockfd == conn->sock[SECONDARYSOCKET]);

-  if(conn->ssl[num].use)
+  if(conn->ssl[num].state == ssl_connection_complete)
    /* only TRUE if SSL enabled */
    bytes_written = Curl_ssl_send(conn, num, mem, len);
 #ifdef USE_LIBSSH2
@ -567,7 +567,7 @@ int Curl_read(struct connectdata *conn, /* connection data */
    buffertofill = buf;
  }

-  if(conn->ssl[num].use) {
+  if(conn->ssl[num].state == ssl_connection_complete) {
    nread = Curl_ssl_recv(conn, num, buffertofill, bytesfromsocket);

    if(nread == -1) {
--- a/lib/sslgen.c
+++ b/lib/sslgen.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -207,6 +207,7 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex)
 #ifdef USE_SSL
  /* mark this is being ssl enabled from here on. */
  conn->ssl[sockindex].use = TRUE;
+  conn->ssl[sockindex].state = ssl_connection_negotiating;

 #ifdef USE_SSLEAY
  return Curl_ossl_connect(conn, sockindex);
@ -473,6 +474,7 @@ CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex)
 #endif /* USE_SSLEAY */

  conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */
+  conn->ssl[sockindex].state = ssl_connection_none;

  return CURLE_OK;
 }
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@ -1737,7 +1737,8 @@ ossl_connect_common(struct connectdata *conn,
        connssl->connecting_state?sockfd:CURL_SOCKET_BAD;

      while(1) {
-        int what = Curl_socket_ready(readfd, writefd, nonblocking?0:(int)timeout_ms);
+        int what = Curl_socket_ready(readfd, writefd,
+                                     nonblocking?0:(int)timeout_ms);
        if(what > 0)
          /* readable or writable, go loop in the outer loop */
          break;
@ -1775,11 +1776,11 @@ ossl_connect_common(struct connectdata *conn,
  }

  if(ssl_connect_done==connssl->connecting_state) {
+    connssl->state = ssl_connection_complete;
    *done = TRUE;
  }
-  else {
+  else
    *done = FALSE;
-  }

  /* Reset our connect state machine */
  connssl->connecting_state = ssl_connect_1;
--- a/lib/url.c
+++ b/lib/url.c
@ -2439,10 +2439,17 @@ ConnectionExists(struct SessionHandle *data,
             ssl options as well */
          if(!Curl_ssl_config_matches(&needle->ssl_config,
                                      &check->ssl_config)) {
-            infof(data,
-                  "Connection #%ld has different SSL parameters, "
-                  "can't reuse\n",
-                  check->connectindex );
+            DEBUGF(infof(data,
+                         "Connection #%ld has different SSL parameters, "
+                         "can't reuse\n",
+                         check->connectindex));
+            continue;
+          }
+          else if(check->ssl[FIRSTSOCKET].state != ssl_connection_complete) {
+            DEBUGF(infof(data,
+                         "Connection #%ld has not started ssl connect, "
+                         "can't reuse\n",
+                         check->connectindex));
            continue;
          }
        }
--- a/lib/urldata.h
+++ b/lib/urldata.h
@ -168,11 +168,19 @@ typedef enum {
  ssl_connect_done
 } ssl_connect_state;

+typedef enum {
+  ssl_connection_none,
+  ssl_connection_negotiating,
+  ssl_connection_complete
+} ssl_connection_state;
+
 /* struct for data related to each SSL connection */
 struct ssl_connect_data {
-  bool use;        /* use ssl encrypted communications TRUE/FALSE, not
-                      necessarily using it atm but at least asked to or
-                      meaning to use it */
+  /* Use ssl encrypted communications TRUE/FALSE, not necessarily using it atm
+     but at least asked to or meaning to use it. See 'state' for the exact
+     current state of the connection. */
+  bool use;
+  ssl_connection_state state;
 #ifdef USE_SSLEAY
  /* these ones requires specific SSL-types */
  SSL_CTX* ctx;