mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 08:08:50 -05:00
Fixup after talks with Richard Bramante. We should now make better
comparisons before re-using SSL connections and re-using SSL connection IDs.
This commit is contained in:
parent
7917bfb1c9
commit
9558f229db
@ -40,6 +40,7 @@
|
|||||||
#include "urldata.h"
|
#include "urldata.h"
|
||||||
#include "sendf.h"
|
#include "sendf.h"
|
||||||
#include "formdata.h" /* for the boundary function */
|
#include "formdata.h" /* for the boundary function */
|
||||||
|
#include "url.h" /* for the ssl config check function */
|
||||||
|
|
||||||
#ifdef USE_SSLEAY
|
#ifdef USE_SSLEAY
|
||||||
#include <openssl/rand.h>
|
#include <openssl/rand.h>
|
||||||
@ -522,7 +523,8 @@ static int Get_SSL_Session(struct connectdata *conn,
|
|||||||
/* not session ID means blank entry */
|
/* not session ID means blank entry */
|
||||||
continue;
|
continue;
|
||||||
if(curl_strequal(conn->name, check->name) &&
|
if(curl_strequal(conn->name, check->name) &&
|
||||||
(conn->remote_port == check->remote_port) ) {
|
(conn->remote_port == check->remote_port) &&
|
||||||
|
Curl_ssl_config_matches(&conn->ssl_config, &check->ssl_config)) {
|
||||||
/* yes, we have a session ID! */
|
/* yes, we have a session ID! */
|
||||||
data->state.sessionage++; /* increase general age */
|
data->state.sessionage++; /* increase general age */
|
||||||
check->age = data->state.sessionage; /* set this as used in this age */
|
check->age = data->state.sessionage; /* set this as used in this age */
|
||||||
@ -546,6 +548,9 @@ static int Kill_Single_Session(struct curl_ssl_session *session)
|
|||||||
SSL_SESSION_free(session->sessionid);
|
SSL_SESSION_free(session->sessionid);
|
||||||
session->sessionid=NULL;
|
session->sessionid=NULL;
|
||||||
session->age = 0; /* fresh */
|
session->age = 0; /* fresh */
|
||||||
|
|
||||||
|
Curl_free_ssl_config(&session->ssl_config);
|
||||||
|
|
||||||
free(session->name);
|
free(session->name);
|
||||||
session->name = NULL; /* no name */
|
session->name = NULL; /* no name */
|
||||||
|
|
||||||
@ -637,6 +642,8 @@ static int Store_SSL_Session(struct connectdata *conn)
|
|||||||
store->name = strdup(conn->name); /* clone host name */
|
store->name = strdup(conn->name); /* clone host name */
|
||||||
store->remote_port = conn->remote_port; /* port number */
|
store->remote_port = conn->remote_port; /* port number */
|
||||||
|
|
||||||
|
Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
59
lib/url.c
59
lib/url.c
@ -143,12 +143,7 @@ static bool ConnectionExists(struct SessionHandle *data,
|
|||||||
struct connectdata **usethis);
|
struct connectdata **usethis);
|
||||||
static unsigned int ConnectionStore(struct SessionHandle *data,
|
static unsigned int ConnectionStore(struct SessionHandle *data,
|
||||||
struct connectdata *conn);
|
struct connectdata *conn);
|
||||||
static bool ssl_config_matches(struct ssl_config_data* data,
|
|
||||||
struct ssl_config_data* needle);
|
|
||||||
static bool init_ssl_config(struct SessionHandle* data,
|
|
||||||
struct connectdata* conn);
|
|
||||||
static bool safe_strequal(char* str1, char* str2);
|
static bool safe_strequal(char* str1, char* str2);
|
||||||
static void free_ssl_config(struct ssl_config_data* sslc);
|
|
||||||
|
|
||||||
#if !defined(WIN32)||defined(__CYGWIN32__)
|
#if !defined(WIN32)||defined(__CYGWIN32__)
|
||||||
#ifndef RETSIGTYPE
|
#ifndef RETSIGTYPE
|
||||||
@ -1224,7 +1219,7 @@ CURLcode Curl_disconnect(struct connectdata *conn)
|
|||||||
if(conn->proxyhost)
|
if(conn->proxyhost)
|
||||||
free(conn->proxyhost);
|
free(conn->proxyhost);
|
||||||
|
|
||||||
free_ssl_config(&conn->ssl_config);
|
Curl_free_ssl_config(&conn->ssl_config);
|
||||||
|
|
||||||
free(conn); /* free all the connection oriented data */
|
free(conn); /* free all the connection oriented data */
|
||||||
|
|
||||||
@ -1300,7 +1295,8 @@ ConnectionExists(struct SessionHandle *data,
|
|||||||
if(needle->protocol & PROT_SSL) {
|
if(needle->protocol & PROT_SSL) {
|
||||||
/* This is SSL, verify that we're using the same
|
/* This is SSL, verify that we're using the same
|
||||||
ssl options as well */
|
ssl options as well */
|
||||||
if(!ssl_config_matches(&needle->ssl_config, &check->ssl_config)) {
|
if(!Curl_ssl_config_matches(&needle->ssl_config,
|
||||||
|
&check->ssl_config)) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2713,7 +2709,7 @@ static CURLcode CreateConnection(struct SessionHandle *data,
|
|||||||
ConnectionStore(data, conn);
|
ConnectionStore(data, conn);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!init_ssl_config(data, conn))
|
if(!Curl_clone_ssl_config(&data->set.ssl, &conn->ssl_config))
|
||||||
return CURLE_OUT_OF_MEMORY;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
/* Continue connectdata initialization here.
|
/* Continue connectdata initialization here.
|
||||||
@ -3066,8 +3062,8 @@ static bool safe_strequal(char* str1, char* str2)
|
|||||||
return (!str1 && !str2);
|
return (!str1 && !str2);
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
bool
|
||||||
ssl_config_matches(struct ssl_config_data* data,
|
Curl_ssl_config_matches(struct ssl_config_data* data,
|
||||||
struct ssl_config_data* needle)
|
struct ssl_config_data* needle)
|
||||||
{
|
{
|
||||||
if((data->version == needle->version) &&
|
if((data->version == needle->version) &&
|
||||||
@ -3083,47 +3079,48 @@ ssl_config_matches(struct ssl_config_data* data,
|
|||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
bool
|
||||||
init_ssl_config(struct SessionHandle* data, struct connectdata* conn)
|
Curl_clone_ssl_config(struct ssl_config_data *source,
|
||||||
|
struct ssl_config_data *dest)
|
||||||
{
|
{
|
||||||
conn->ssl_config.verifyhost = data->set.ssl.verifyhost;
|
dest->verifyhost = source->verifyhost;
|
||||||
conn->ssl_config.verifypeer = data->set.ssl.verifypeer;
|
dest->verifypeer = source->verifypeer;
|
||||||
conn->ssl_config.version = data->set.ssl.version;
|
dest->version = source->version;
|
||||||
|
|
||||||
if(data->set.ssl.CAfile) {
|
if(source->CAfile) {
|
||||||
conn->ssl_config.CAfile = strdup(data->set.ssl.CAfile);
|
dest->CAfile = strdup(source->CAfile);
|
||||||
if(!conn->ssl_config.CAfile)
|
if(!dest->CAfile)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(data->set.ssl.CApath) {
|
if(source->CApath) {
|
||||||
conn->ssl_config.CApath = strdup(data->set.ssl.CApath);
|
dest->CApath = strdup(source->CApath);
|
||||||
if(!conn->ssl_config.CApath)
|
if(!dest->CApath)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(data->set.ssl.cipher_list) {
|
if(source->cipher_list) {
|
||||||
conn->ssl_config.cipher_list = strdup(data->set.ssl.cipher_list);
|
dest->cipher_list = strdup(source->cipher_list);
|
||||||
if(!conn->ssl_config.cipher_list)
|
if(!dest->cipher_list)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(data->set.ssl.egdsocket) {
|
if(source->egdsocket) {
|
||||||
conn->ssl_config.egdsocket = strdup(data->set.ssl.egdsocket);
|
dest->egdsocket = strdup(source->egdsocket);
|
||||||
if(!conn->ssl_config.egdsocket)
|
if(!dest->egdsocket)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(data->set.ssl.random_file) {
|
if(source->random_file) {
|
||||||
conn->ssl_config.random_file = strdup(data->set.ssl.random_file);
|
dest->random_file = strdup(source->random_file);
|
||||||
if(!conn->ssl_config.random_file)
|
if(!dest->random_file)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void free_ssl_config(struct ssl_config_data* sslc)
|
void Curl_free_ssl_config(struct ssl_config_data* sslc)
|
||||||
{
|
{
|
||||||
if(sslc->CAfile)
|
if(sslc->CAfile)
|
||||||
free(sslc->CAfile);
|
free(sslc->CAfile);
|
||||||
|
@ -37,4 +37,9 @@ CURLcode Curl_done(struct connectdata *);
|
|||||||
CURLcode Curl_disconnect(struct connectdata *);
|
CURLcode Curl_disconnect(struct connectdata *);
|
||||||
CURLcode Curl_protocol_connect(struct connectdata *conn,
|
CURLcode Curl_protocol_connect(struct connectdata *conn,
|
||||||
struct Curl_dns_entry *dns);
|
struct Curl_dns_entry *dns);
|
||||||
|
bool Curl_ssl_config_matches(struct ssl_config_data* data,
|
||||||
|
struct ssl_config_data* needle);
|
||||||
|
bool Curl_clone_ssl_config(struct ssl_config_data* source,
|
||||||
|
struct ssl_config_data* dest);
|
||||||
|
void Curl_free_ssl_config(struct ssl_config_data* sslc);
|
||||||
#endif
|
#endif
|
||||||
|
@ -125,14 +125,6 @@ struct ssl_connect_data {
|
|||||||
#endif /* USE_SSLEAY */
|
#endif /* USE_SSLEAY */
|
||||||
};
|
};
|
||||||
|
|
||||||
/* information about one single SSL session */
|
|
||||||
struct curl_ssl_session {
|
|
||||||
char *name; /* host name for which this ID was used */
|
|
||||||
void *sessionid; /* as returned from the SSL layer */
|
|
||||||
long age; /* just a number, the higher the more recent */
|
|
||||||
unsigned short remote_port; /* remote port to connect to */
|
|
||||||
};
|
|
||||||
|
|
||||||
struct ssl_config_data {
|
struct ssl_config_data {
|
||||||
long version; /* what version the client wants to use */
|
long version; /* what version the client wants to use */
|
||||||
long certverifyresult; /* result from the certificate verification */
|
long certverifyresult; /* result from the certificate verification */
|
||||||
@ -148,6 +140,16 @@ struct ssl_config_data {
|
|||||||
long numsessions; /* SSL session id cache size */
|
long numsessions; /* SSL session id cache size */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/* information stored about one single SSL session */
|
||||||
|
struct curl_ssl_session {
|
||||||
|
char *name; /* host name for which this ID was used */
|
||||||
|
void *sessionid; /* as returned from the SSL layer */
|
||||||
|
long age; /* just a number, the higher the more recent */
|
||||||
|
unsigned short remote_port; /* remote port to connect to */
|
||||||
|
struct ssl_config_data ssl_config; /* setup for this session */
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
/****************************************************************************
|
/****************************************************************************
|
||||||
* HTTP unique setup
|
* HTTP unique setup
|
||||||
***************************************************************************/
|
***************************************************************************/
|
||||||
|
Loading…
Reference in New Issue
Block a user