From bc33f2200d12cc2c79920e85f94da23a27b62502 Mon Sep 17 00:00:00 2001 From: Nick Zitzmann Date: Fri, 12 Apr 2013 12:20:10 -0600 Subject: [PATCH] darwinssl: add TLS session resumption This ought to speed up additional TLS handshakes, at least in theory. --- lib/curl_darwinssl.c | 45 ++++++++++++++++++++++++++++++++++++++++++++ lib/curl_darwinssl.h | 3 ++- 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c index 1b186f8d3..949a1b224 100644 --- a/lib/curl_darwinssl.c +++ b/lib/curl_darwinssl.c @@ -704,6 +704,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, #endif size_t all_ciphers_count = 0UL, allowed_ciphers_count = 0UL, i; SSLCipherSuite *all_ciphers = NULL, *allowed_ciphers = NULL; + char *ssl_sessionid; + size_t ssl_sessionid_len; OSStatus err = noErr; #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) int darwinver_maj = 0, darwinver_min = 0; @@ -990,6 +992,38 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, Curl_safefree(all_ciphers); Curl_safefree(allowed_ciphers); + /* Check if there's a cached ID we can/should use here! */ + if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, + &ssl_sessionid_len)) { + /* we got a session id, use it! */ + err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len); + if(err != noErr) { + failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err); + return CURLE_SSL_CONNECT_ERROR; + } + /* Informational message */ + infof(data, "SSL re-using session ID\n"); + } + /* If there isn't one, then let's make one up! This has to be done prior + to starting the handshake. */ + else { + CURLcode retcode; + + ssl_sessionid = malloc(256*sizeof(char)); + ssl_sessionid_len = snprintf(ssl_sessionid, 256, "curl:%s:%hu", + conn->host.name, conn->remote_port); + err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len); + if(err != noErr) { + failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err); + return CURLE_SSL_CONNECT_ERROR; + } + retcode = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len); + if(retcode!= CURLE_OK) { + failf(data, "failed to store ssl session"); + return retcode; + } + } + err = SSLSetIOFuncs(connssl->ssl_ctx, SocketRead, SocketWrite); if(err != noErr) { failf(data, "SSL: SSLSetIOFuncs() failed: OSStatus %d", err); @@ -1462,6 +1496,17 @@ int Curl_darwinssl_shutdown(struct connectdata *conn, int sockindex) return rc; } +void Curl_darwinssl_session_free(void *ptr) +{ + /* ST, as of iOS 5 and Mountain Lion, has no public method of deleting a + cached session ID inside the Security framework. There is a private + function that does this, but I don't want to have to explain to you why I + got your application rejected from the App Store due to the use of a + private API, so the best we can do is free up our own char array that we + created way back in darwinssl_connect_step1... */ + Curl_safefree(ptr); +} + size_t Curl_darwinssl_version(char *buffer, size_t size) { return snprintf(buffer, size, "SecureTransport"); diff --git a/lib/curl_darwinssl.h b/lib/curl_darwinssl.h index 183d9371c..4c0e53ff1 100644 --- a/lib/curl_darwinssl.h +++ b/lib/curl_darwinssl.h @@ -37,6 +37,7 @@ void Curl_darwinssl_close_all(struct SessionHandle *data); /* close a SSL connection */ void Curl_darwinssl_close(struct connectdata *conn, int sockindex); +void Curl_darwinssl_session_free(void *ptr); size_t Curl_darwinssl_version(char *buffer, size_t size); int Curl_darwinssl_shutdown(struct connectdata *conn, int sockindex); int Curl_darwinssl_check_cxn(struct connectdata *conn); @@ -56,7 +57,7 @@ void Curl_darwinssl_md5sum(unsigned char *tmp, /* input */ #define curlssl_cleanup() Curl_nop_stmt #define curlssl_connect Curl_darwinssl_connect #define curlssl_connect_nonblocking Curl_darwinssl_connect_nonblocking -#define curlssl_session_free(x) Curl_nop_stmt +#define curlssl_session_free(x) Curl_darwinssl_session_free(x) #define curlssl_close_all Curl_darwinssl_close_all #define curlssl_close Curl_darwinssl_close #define curlssl_shutdown(x,y) 0