authorDaniel Stenberg <daniel@haxx.se>2009-05-04 22:20:09 +0000
committerDaniel Stenberg <daniel@haxx.se>2009-05-04 22:20:09 +0000
commit915dfb494ec0be89724e81af1b050c49d9d13cac (patch)
tree6e7625b339dfe2595bc928bac69d1a99de823860
parenta16cca768051ae7c2020426fef00bb0ec537477a (diff)
- Inspired by Michael Smith's session id fix for OpenSSL, I did the
corresponding fix in the GnuTLS code: make sure to store the new session id in case the re-used one is rejected.
-rw-r--r--CHANGES5
-rw-r--r--RELEASE-NOTES2
-rw-r--r--lib/gtls.c33
3 files changed, 32 insertions, 8 deletions
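--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
 Changelog
+Daniel Stenberg (5 May 2009)
+- Inspired by Michael Smith's session id fix for OpenSSL, I did the
+ corresponding fix in the GnuTLS code: make sure to store the new session id
+ in case the previous re-used one is rejected.
+
 Daniel Stenberg (4 May 2009)
 - Michael Smith posted bug report #2786255
 (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how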
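--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -39,7 +39,7 @@ This release includes the following bugfixes:
 o TFTP problems after a failed transfer to the same host
 o improved out of the box TPF compatibility
 o HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF
- o Rejected SSL session ids are killed properly (for OpenSSL builds)
+ o Rejected SSL session ids are killed properly (for OpenSSL and GnuTLS builds)
 This release includes the following known bugs: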
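--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -588,20 +588,39 @@ Curl_gtls_connect(struct connectdata *conn,
 conn->ssl[sockindex].state = ssl_connection_complete;
- if(!ssl_sessionid) {
- /* this session was not previously in the cache, add it now */
+ {
+ /* we always unconditionally get the session id here, as even if we
+ already got it from the cache and asked to use it in the connection, it
+ might've been rejected and then a new one is in use now and we need to
+ detect that. */
+ void *connect_sessionid;
+ size_t connect_idsize;
 /* get the session ID data size */
- gnutls_session_get_data(session, NULL, &ssl_idsize);
- ssl_sessionid = malloc(ssl_idsize); /* get a buffer for it */
+ gnutls_session_get_data(session, NULL, &connect_idsize);
+ connect_sessionid = malloc(connect_idsize); /* get a buffer for it */
- if(ssl_sessionid) {
+ if(connect_sessionid) {
 /* extract session ID to the allocated buffer */
- gnutls_session_get_data(session, ssl_sessionid, &ssl_idsize);
+ gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+
+ if(ssl_sessionid &&
+ ((connect_idsize != ssl_idsize) ||
+ memcmp(connect_sessionid, ssl_sessionid, ssl_idsize)))
+ /* there was one before in the cache, but without the same size or
+ with different contents so delete the old one */
+ Curl_ssl_delsessionid(conn, ssl_sessionid);
+ else if(ssl_sessionid) {
+ /* it was in the cache and its the same one now, just leave it */
+ free(connect_sessionid);
+ return CURLE_OK;
+ }
+
 /* store this session id */
- return Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_idsize);
+ return Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize);
 }
+
 }
 return CURLE_OK;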
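Review bot: `size_t connect_idsize;` is declared without an initializer and passed straight to the size query on the next line, and neither gnutls_session_get_data() call has its return value checked, so if the query fails (for instance when the handshake produced no resumable session data) the following `malloc(connect_idsize)` uses an indeterminate size. The second call matters more: if it fails, the freshly allocated buffer holds uninitialized bytes that are then memcmp'd against the cached id and handed to Curl_ssl_addsessionid() as though they were a valid session id, which pollutes the session cache with garbage. I would write `size_t connect_idsize = 0;` and guard the extraction with `if(gnutls_session_get_data(session, connect_sessionid, &connect_idsize) < 0) { free(connect_sessionid); return CURLE_OK; }` so a failed query falls back to the existing not-cached behaviour rather than storing the buffer. The comparison against `ssl_idsize` presumes it was set by the cache lookup earlier in Curl_gtls_connect, whose body begins before this hunk.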