aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/mbedtls.c
diff options
context:
space:
mode:
authorJay Satiro <raysatiro@yahoo.com>2016-06-12 23:47:12 -0400
committerJay Satiro <raysatiro@yahoo.com>2016-06-22 02:33:29 -0400
commit04b4ee5498b14d320e3b375c64d0162cc2b53c99 (patch)
tree8b9c10dfced26473f014bd8bcf37296237f35e2a /lib/vtls/mbedtls.c
parent046c2c85c4c365d4ae8a621d7886caf96f51e0e7 (diff)
vtls: Only call add/getsession if session id is enabled
Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reusing was enabled. According to comments that is in case session ID reuse was disabled but then later enabled. The old way was not intuitive and probably not something users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case the caching is later enabled.
Diffstat (limited to 'lib/vtls/mbedtls.c')
-rw-r--r--lib/vtls/mbedtls.c72
1 files changed, 40 insertions, 32 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 2992d8834..33f10182b 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -162,7 +162,6 @@ mbed_connect_step1(struct connectdata *conn,
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
int ret = -1;
- void *old_session = NULL;
char errorbuf[128];
errorbuf[0]=0;
@@ -365,17 +364,23 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_ssl_conf_ciphersuites(&connssl->config,
mbedtls_ssl_list_ciphersuites());
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
- ret = mbedtls_ssl_set_session(&connssl->ssl, old_session);
- if(ret) {
- Curl_ssl_sessionid_unlock(conn);
- failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
- return CURLE_SSL_CONNECT_ERROR;
+
+ /* Check if there's a cached ID we can/should use here! */
+ if(conn->ssl_config.sessionid) {
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+ if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
+ ret = mbedtls_ssl_set_session(&connssl->ssl, old_session);
+ if(ret) {
+ Curl_ssl_sessionid_unlock(conn);
+ failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ infof(data, "mbedTLS re-using session\n");
}
- infof(data, "mbedTLS re-using session\n");
+ Curl_ssl_sessionid_unlock(conn);
}
- Curl_ssl_sessionid_unlock(conn);
mbedtls_ssl_conf_ca_chain(&connssl->config,
&connssl->cacert,
@@ -591,35 +596,38 @@ mbed_connect_step3(struct connectdata *conn,
CURLcode retcode = CURLE_OK;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct SessionHandle *data = conn->data;
- void *old_ssl_sessionid = NULL;
- mbedtls_ssl_session *our_ssl_sessionid;
- int ret;
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
- our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
- if(!our_ssl_sessionid)
- return CURLE_OUT_OF_MEMORY;
+ if(conn->ssl_config.sessionid) {
+ int ret;
+ mbedtls_ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
- mbedtls_ssl_session_init(our_ssl_sessionid);
+ our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+ if(!our_ssl_sessionid)
+ return CURLE_OUT_OF_MEMORY;
- ret = mbedtls_ssl_get_session(&connssl->ssl, our_ssl_sessionid);
- if(ret) {
- failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);
- return CURLE_SSL_CONNECT_ERROR;
- }
+ mbedtls_ssl_session_init(our_ssl_sessionid);
- /* If there's already a matching session in the cache, delete it */
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL))
- Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ ret = mbedtls_ssl_get_session(&connssl->ssl, our_ssl_sessionid);
+ if(ret) {
+ failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);
+ return CURLE_SSL_CONNECT_ERROR;
+ }
- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0);
- Curl_ssl_sessionid_unlock(conn);
- if(retcode) {
- free(our_ssl_sessionid);
- failf(data, "failed to store ssl session");
- return retcode;
+ /* If there's already a matching session in the cache, delete it */
+ Curl_ssl_sessionid_lock(conn);
+ if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL))
+ Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+
+ retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0);
+ Curl_ssl_sessionid_unlock(conn);
+ if(retcode) {
+ free(our_ssl_sessionid);
+ failf(data, "failed to store ssl session");
+ return retcode;
+ }
}
connssl->connecting_state = ssl_connect_done;
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-29 06:26:27 +0000