mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 08:08:50 -05:00
- Michael Smith posted bug report #2786255
(http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how libcurl did not deal with SSL session ids properly if the server rejected a re-use of one. Starting now, it will forget the rejected one and remember the new. This change was for OpenSSL only, it is likely that other SSL lib code needs similar fixes.
This commit is contained in:
parent
644482fc99
commit
a16cca7680
8
CHANGES
8
CHANGES
@ -6,6 +6,14 @@
|
|||||||
|
|
||||||
Changelog
|
Changelog
|
||||||
|
|
||||||
|
Daniel Stenberg (4 May 2009)
|
||||||
|
- Michael Smith posted bug report #2786255
|
||||||
|
(http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how
|
||||||
|
libcurl did not deal with SSL session ids properly if the server rejected a
|
||||||
|
re-use of one. Starting now, it will forget the rejected one and remember
|
||||||
|
the new. This change was for OpenSSL only, it is likely that other SSL lib
|
||||||
|
code needs similar fixes.
|
||||||
|
|
||||||
Yang Tse (4 May 2009)
|
Yang Tse (4 May 2009)
|
||||||
- Applied David McCreedy's "transfer.c fixes for CURL_DO_LINEEND_CONV and
|
- Applied David McCreedy's "transfer.c fixes for CURL_DO_LINEEND_CONV and
|
||||||
non-ASCII platform HTTP requests" patch addressing two HTTP PUT problems:
|
non-ASCII platform HTTP requests" patch addressing two HTTP PUT problems:
|
||||||
|
@ -39,6 +39,7 @@ This release includes the following bugfixes:
|
|||||||
o TFTP problems after a failed transfer to the same host
|
o TFTP problems after a failed transfer to the same host
|
||||||
o improved out of the box TPF compatibility
|
o improved out of the box TPF compatibility
|
||||||
o HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF
|
o HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF
|
||||||
|
o Rejected SSL session ids are killed properly (for OpenSSL builds)
|
||||||
|
|
||||||
This release includes the following known bugs:
|
This release includes the following known bugs:
|
||||||
|
|
||||||
@ -51,6 +52,6 @@ advice from friends like these:
|
|||||||
Andre Guibert de Bruet, Andreas Farber, Frank Hempel, Pierre Brico,
|
Andre Guibert de Bruet, Andreas Farber, Frank Hempel, Pierre Brico,
|
||||||
Kamil Dudka, Jim Freeman, Daniel Johnson, Toshio Kuratomi, Martin Storsjo,
|
Kamil Dudka, Jim Freeman, Daniel Johnson, Toshio Kuratomi, Martin Storsjo,
|
||||||
Pramod Sharma, Gisle Vanem, Leanic Lefever, Rainer Koenig, Sven Wegener,
|
Pramod Sharma, Gisle Vanem, Leanic Lefever, Rainer Koenig, Sven Wegener,
|
||||||
Tim Chen, Constantine Sapuntzakis, David McCreedy
|
Tim Chen, Constantine Sapuntzakis, David McCreedy, Michael Smith
|
||||||
|
|
||||||
Thanks! (and sorry if I forgot to mention someone)
|
Thanks! (and sorry if I forgot to mention someone)
|
||||||
|
16
lib/sslgen.c
16
lib/sslgen.c
@ -271,6 +271,22 @@ static int kill_session(struct curl_ssl_session *session)
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Delete the given session ID from the cache.
|
||||||
|
*/
|
||||||
|
void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
for(i=0; i< conn->data->set.ssl.numsessions; i++) {
|
||||||
|
struct curl_ssl_session *check = &conn->data->state.session[i];
|
||||||
|
|
||||||
|
if (check->sessionid == ssl_sessionid) {
|
||||||
|
kill_session(check);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Store session id in the session cache. The ID passed on to this function
|
* Store session id in the session cache. The ID passed on to this function
|
||||||
* must already have been extracted and allocated the proper way for the SSL
|
* must already have been extracted and allocated the proper way for the SSL
|
||||||
|
@ -71,6 +71,8 @@ int Curl_ssl_getsessionid(struct connectdata *conn,
|
|||||||
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
|
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
|
||||||
void *ssl_sessionid,
|
void *ssl_sessionid,
|
||||||
size_t idsize);
|
size_t idsize);
|
||||||
|
/* delete a session from the cache */
|
||||||
|
void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid);
|
||||||
|
|
||||||
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
|
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
|
||||||
|
|
||||||
|
44
lib/ssluse.c
44
lib/ssluse.c
@ -2177,35 +2177,43 @@ ossl_connect_step3(struct connectdata *conn,
|
|||||||
int sockindex)
|
int sockindex)
|
||||||
{
|
{
|
||||||
CURLcode retcode = CURLE_OK;
|
CURLcode retcode = CURLE_OK;
|
||||||
void *ssl_sessionid=NULL;
|
void *old_ssl_sessionid=NULL;
|
||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
|
int incache;
|
||||||
|
SSL_SESSION *our_ssl_sessionid;
|
||||||
|
|
||||||
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
||||||
|
|
||||||
if(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
|
|
||||||
/* Since this is not a cached session ID, then we want to stach this one
|
|
||||||
in the cache! */
|
|
||||||
SSL_SESSION *our_ssl_sessionid;
|
|
||||||
#ifdef HAVE_SSL_GET1_SESSION
|
#ifdef HAVE_SSL_GET1_SESSION
|
||||||
our_ssl_sessionid = SSL_get1_session(connssl->handle);
|
our_ssl_sessionid = SSL_get1_session(connssl->handle);
|
||||||
|
|
||||||
/* SSL_get1_session() will increment the reference
|
/* SSL_get1_session() will increment the reference
|
||||||
count and the session will stay in memory until explicitly freed with
|
count and the session will stay in memory until explicitly freed with
|
||||||
SSL_SESSION_free(3), regardless of its state.
|
SSL_SESSION_free(3), regardless of its state.
|
||||||
This function was introduced in openssl 0.9.5a. */
|
This function was introduced in openssl 0.9.5a. */
|
||||||
#else
|
#else
|
||||||
our_ssl_sessionid = SSL_get_session(connssl->handle);
|
our_ssl_sessionid = SSL_get_session(connssl->handle);
|
||||||
|
|
||||||
/* if SSL_get1_session() is unavailable, use SSL_get_session().
|
/* if SSL_get1_session() is unavailable, use SSL_get_session().
|
||||||
This is an inferior option because the session can be flushed
|
This is an inferior option because the session can be flushed
|
||||||
at any time by openssl. It is included only so curl compiles
|
at any time by openssl. It is included only so curl compiles
|
||||||
under versions of openssl < 0.9.5a.
|
under versions of openssl < 0.9.5a.
|
||||||
|
|
||||||
WARNING: How curl behaves if it's session is flushed is
|
WARNING: How curl behaves if it's session is flushed is
|
||||||
untested.
|
untested.
|
||||||
*/
|
*/
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL));
|
||||||
|
if (incache) {
|
||||||
|
if (old_ssl_sessionid != our_ssl_sessionid) {
|
||||||
|
infof(data, "old SSL session ID is stale, removing\n");
|
||||||
|
Curl_ssl_delsessionid(conn, old_ssl_sessionid);
|
||||||
|
incache = FALSE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (!incache) {
|
||||||
retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
|
retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
|
||||||
0 /* unknown size */);
|
0 /* unknown size */);
|
||||||
if(retcode) {
|
if(retcode) {
|
||||||
|
Loading…
Reference in New Issue
Block a user