author | Daniel Stenberg <daniel@haxx.se> | 2009-05-04 22:20:09 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2009-05-04 22:20:09 +0000 |
commit | 915dfb494ec0be89724e81af1b050c49d9d13cac (patch) | |
tree | 6e7625b339dfe2595bc928bac69d1a99de823860 | |
parent | a16cca768051ae7c2020426fef00bb0ec537477a (diff) |
- Inspired by Michael Smith's session id fix for OpenSSL, I did the
corresponding fix in the GnuTLS code: make sure to store the new session id
in case the re-used one is rejected.
-rw-r--r-- | CHANGES | 5
-rw-r--r-- | RELEASE-NOTES | 2
-rw-r--r-- | lib/gtls.c | 33
3 files changed, 32 insertions, 8 deletions
@@ -6,6 +6,11 @@ Changelog +Daniel Stenberg (5 May 2009) +- Inspired by Michael Smith's session id fix for OpenSSL, I did the + corresponding fix in the GnuTLS code: make sure to store the new session id + in case the previous re-used one is rejected. + Daniel Stenberg (4 May 2009) - Michael Smith posted bug report #2786255 (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how diff --git a/RELEASE-NOTES b/RELEASE-NOTES index af2197c8e..1d4dee3eb 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -39,7 +39,7 @@ This release includes the following bugfixes: o TFTP problems after a failed transfer to the same host o improved out of the box TPF compatibility o HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF - o Rejected SSL session ids are killed properly (for OpenSSL builds) + o Rejected SSL session ids are killed properly (for OpenSSL and GnuTLS builds) This release includes the following known bugs: diff --git a/lib/gtls.c b/lib/gtls.c index 70b1b2510..f07854245 100644 --- a/lib/gtls.c +++ b/lib/gtls.c 
@@ -588,20 +588,39 @@ Curl_gtls_connect(struct connectdata *conn, conn->ssl[sockindex].state = ssl_connection_complete; - if(!ssl_sessionid) { - /* this session was not previously in the cache, add it now */ + { + /* we always unconditionally get the session id here, as even if we + already got it from the cache and asked to use it in the connection, it + might've been rejected and then a new one is in use now and we need to + detect that. */ + void *connect_sessionid; + size_t connect_idsize; /* get the session ID data size */ - gnutls_session_get_data(session, NULL, &ssl_idsize); - ssl_sessionid = malloc(ssl_idsize); /* get a buffer for it */ + gnutls_session_get_data(session, NULL, &connect_idsize); + connect_sessionid = malloc(connect_idsize); /* get a buffer for it */ - if(ssl_sessionid) { + if(connect_sessionid) { /* extract session ID to the allocated buffer */ - gnutls_session_get_data(session, ssl_sessionid, &ssl_idsize); + gnutls_session_get_data(session, connect_sessionid, &connect_idsize); + + if(ssl_sessionid && + ((connect_idsize != ssl_idsize) || + memcmp(connect_sessionid, ssl_sessionid, ssl_idsize))) + /* there was one before in the cache, but without the same size or + with different contents so delete the old one */ + Curl_ssl_delsessionid(conn, ssl_sessionid); + else if(ssl_sessionid) { + /* it was in the cache and its the same one now, just leave it */ + free(connect_sessionid); + return CURLE_OK; + } + /* store this session id */ - return Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_idsize); + return Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize); } + } return CURLE_OK; |
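Review bot: in the lib/gtls.c hunk the return values of both gnutls_session_get_data() calls are ignored, so if the size-query call `gnutls_session_get_data(session, NULL, &connect_idsize);` fails, connect_idsize is never written and an uninitialised length goes into malloc() and then into the size comparison; check for a negative return before the malloc and skip the cache update on failure. The comparison itself is ordered correctly: `(connect_idsize != ssl_idsize) || memcmp(connect_sessionid, ssl_sessionid, ssl_idsize)` short-circuits, so memcmp only runs when the two lengths are equal, and the mismatch branch calls Curl_ssl_delsessionid() on the stale entry before the new id is stored, which is the behaviour the commit message describes. When malloc() fails the code now drops out of the block to the final `return CURLE_OK;` without caching anything, the same as before the patch; a one-line comment saying that is deliberate would save the next reader from wondering whether a return is missing. Minor: "its the same one now" in the new comment should read "it's".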