author | Jay Satiro <raysatiro@yahoo.com> | 2016-06-12 23:47:12 -0400 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2016-06-22 02:33:29 -0400 |
commit | 04b4ee5498b14d320e3b375c64d0162cc2b53c99 (patch) | |
tree | 8b9c10dfced26473f014bd8bcf37296237f35e2a /lib/vtls/mbedtls.c | |
parent | 046c2c85c4c365d4ae8a621d7886caf96f51e0e7 (diff) |
vtls: Only call add/getsession if session id is enabled
Prior to this change we called Curl_ssl_getsessionid and
Curl_ssl_addsessionid regardless of whether session ID reusing was
enabled. According to the code comments, that was done in case session ID
reuse was disabled but later enabled.
The old way was not intuitive and probably not something users expected.
When a user disables session ID caching I'd guess they don't expect the
session ID to be cached anyway in case the caching is later enabled.
Diffstat (limited to 'lib/vtls/mbedtls.c')
-rw-r--r-- | lib/vtls/mbedtls.c | 72 |
1 files changed, 40 insertions, 32 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 2992d8834..33f10182b 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -162,7 +162,6 @@ mbed_connect_step1(struct connectdata *conn,
 struct ssl_connect_data* connssl = &conn->ssl[sockindex];
 int ret = -1;
- void *old_session = NULL;
 char errorbuf[128];
 errorbuf[0]=0;
@@ -365,17 +364,23 @@ mbed_connect_step1(struct connectdata *conn,
 mbedtls_ssl_conf_ciphersuites(&connssl->config, mbedtls_ssl_list_ciphersuites());
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
- ret = mbedtls_ssl_set_session(&connssl->ssl, old_session);
- if(ret) {
- Curl_ssl_sessionid_unlock(conn);
- failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
- return CURLE_SSL_CONNECT_ERROR;
+
+ /* Check if there's a cached ID we can/should use here! */
+ if(conn->ssl_config.sessionid) {
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+ if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
+ ret = mbedtls_ssl_set_session(&connssl->ssl, old_session);
+ if(ret) {
+ Curl_ssl_sessionid_unlock(conn);
+ failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ infof(data, "mbedTLS re-using session\n");
 }
- infof(data, "mbedTLS re-using session\n");
+ Curl_ssl_sessionid_unlock(conn);
 }
- Curl_ssl_sessionid_unlock(conn);
 mbedtls_ssl_conf_ca_chain(&connssl->config, &connssl->cacert,
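Review bot: `infof(data, "mbedTLS re-using session\n")` in the new `if(conn->ssl_config.sessionid)` block is logged as soon as `mbedtls_ssl_set_session` returns 0, before any handshake has run; as far as I can tell that call only proposes the cached session to the server, which may still decline it and perform a full handshake, so the message overstates what is known at that point. Consider `infof(data, "mbedTLS attempting to re-use session\n");` here, and leave confirming actual resumption to the post-handshake step if that is wanted. The lock/unlock pairing in the new block is otherwise balanced on both the error and success paths. mbed_connect_step1 starts before and continues past this hunk.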
@@ -591,35 +596,38 @@ mbed_connect_step3(struct connectdata *conn,
 CURLcode retcode = CURLE_OK;
 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
 struct SessionHandle *data = conn->data;
- void *old_ssl_sessionid = NULL;
- mbedtls_ssl_session *our_ssl_sessionid;
- int ret;
 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
- our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
- if(!our_ssl_sessionid)
- return CURLE_OUT_OF_MEMORY;
+ if(conn->ssl_config.sessionid) {
+ int ret;
+ mbedtls_ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
- mbedtls_ssl_session_init(our_ssl_sessionid);
+ our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+ if(!our_ssl_sessionid)
+ return CURLE_OUT_OF_MEMORY;
- ret = mbedtls_ssl_get_session(&connssl->ssl, our_ssl_sessionid);
- if(ret) {
- failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);
- return CURLE_SSL_CONNECT_ERROR;
- }
+ mbedtls_ssl_session_init(our_ssl_sessionid);
- /* If there's already a matching session in the cache, delete it */
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL))
- Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ ret = mbedtls_ssl_get_session(&connssl->ssl, our_ssl_sessionid);
+ if(ret) {
+ failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);
+ return CURLE_SSL_CONNECT_ERROR;
+ }
- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0);
- Curl_ssl_sessionid_unlock(conn);
- if(retcode) {
- free(our_ssl_sessionid);
- failf(data, "failed to store ssl session");
- return retcode;
+ /* If there's already a matching session in the cache, delete it */
+ Curl_ssl_sessionid_lock(conn);
+ if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL))
+ Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+
+ retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0);
+ Curl_ssl_sessionid_unlock(conn);
+ if(retcode) {
+ free(our_ssl_sessionid);
+ failf(data, "failed to store ssl session");
+ return retcode;
+ }
 }
connssl->connecting_state = ssl_connect_done; |
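Review bot: The `mbedtls_ssl_get_session` failure path inside the new `if(conn->ssl_config.sessionid)` block returns CURLE_SSL_CONNECT_ERROR without releasing `our_ssl_sessionid`, which was malloc'd a few lines above; the commit re-indents that code but carries the leak over, and it is inconsistent with the `Curl_ssl_addsessionid` failure path just below, which does `free(our_ssl_sessionid)`. The fix is one line before the return: `free(our_ssl_sessionid);`. Separately, neither failure path calls `mbedtls_ssl_session_free(our_ssl_sessionid)` before `free()`; if the mbedTLS version in use deep-copies the peer certificate or ticket into the session in `mbedtls_ssl_get_session`, those buffers leak as well, so this is worth confirming against the mbedTLS headers the build targets. mbed_connect_step3 starts before this hunk.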