diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2008-02-20 09:56:26 +0000 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2008-02-20 09:56:26 +0000 |
| commit | 53a549000c3634f6b0a5ed262d5834c3145885d7 (patch) | |
| tree | 53ed658f9b454a41bf4f1a4c62573f2f0db8e667 /lib | |
| parent | 55700cb01f4a01b8187f387e1655371e6fe0703a (diff) | |
- Based on initial work done by Gautam Kachroo to address a bug, we now keep
better control at the exact state of the connection's SSL status so that we
know exactly when it has completed the SSL negotiation or not so that there
won't be accidental re-uses of connections that are wrongly believed to be
in SSL-completed-negotiate state.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gtls.c | 2 | ||||
| -rw-r--r-- | lib/nss.c | 2 | ||||
| -rw-r--r-- | lib/qssl.c | 3 | ||||
| -rw-r--r-- | lib/sendf.c | 4 | ||||
| -rw-r--r-- | lib/sslgen.c | 4 | ||||
| -rw-r--r-- | lib/ssluse.c | 7 | ||||
| -rw-r--r-- | lib/url.c | 15 | ||||
| -rw-r--r-- | lib/urldata.h | 14 |
8 files changed, 38 insertions, 13 deletions
diff --git a/lib/gtls.c b/lib/gtls.c index 2364c2778..3bf988194 100644 --- a/lib/gtls.c +++ b/lib/gtls.c @@ -501,6 +501,8 @@ Curl_gtls_connect(struct connectdata *conn, ptr = gnutls_mac_get_name(gnutls_mac_get(session)); infof(data, "\t MAC: %s\n", ptr); + connssl->state = ssl_connection_complete; + if(!ssl_sessionid) { /* this session was not previously in the cache, add it now */ @@ -1022,6 +1022,8 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex) goto error; } + connssl->state = ssl_connection_complete; + display_conn_info(conn, connssl->handle); return CURLE_OK; diff --git a/lib/qssl.c b/lib/qssl.c index 0252b465e..ad04cc7b3 100644 --- a/lib/qssl.c +++ b/lib/qssl.c @@ -258,8 +258,11 @@ CURLcode Curl_qsossl_connect(struct connectdata * conn, int sockindex) SSL_Destroy(connssl->handle); connssl->handle = NULL; connssl->use = FALSE; + connssl->state = ssl_connection_none; } } + if (rc == CURLE_OK) + connssl->state = ssl_connection_complete; return rc; } diff --git a/lib/sendf.c b/lib/sendf.c index fe340236f..6aa4d8613 100644 --- a/lib/sendf.c +++ b/lib/sendf.c @@ -355,7 +355,7 @@ CURLcode Curl_write(struct connectdata *conn, CURLcode retcode; int num = (sockfd == conn->sock[SECONDARYSOCKET]); - if(conn->ssl[num].use) + if(conn->ssl[num].state == ssl_connection_complete) /* only TRUE if SSL enabled */ bytes_written = Curl_ssl_send(conn, num, mem, len); #ifdef USE_LIBSSH2 @@ -567,7 +567,7 @@ int Curl_read(struct connectdata *conn, /* connection data */ buffertofill = buf; } - if(conn->ssl[num].use) { + if(conn->ssl[num].state == ssl_connection_complete) { nread = Curl_ssl_recv(conn, num, buffertofill, bytesfromsocket); if(nread == -1) { diff --git a/lib/sslgen.c b/lib/sslgen.c index 5719c0bf2..bbcc8c56d 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -207,6 +207,7 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex) #ifdef USE_SSL /* mark this is being ssl enabled from here on. */ conn->ssl[sockindex].use = TRUE; + conn->ssl[sockindex].state = ssl_connection_negotiating; #ifdef USE_SSLEAY return Curl_ossl_connect(conn, sockindex); @@ -473,6 +474,7 @@ CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) #endif /* USE_SSLEAY */ conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */ + conn->ssl[sockindex].state = ssl_connection_none; return CURLE_OK; } diff --git a/lib/ssluse.c b/lib/ssluse.c index 1e9b48a49..ac6b057cb 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1737,7 +1737,8 @@ ossl_connect_common(struct connectdata *conn, connssl->connecting_state?sockfd:CURL_SOCKET_BAD; while(1) { - int what = Curl_socket_ready(readfd, writefd, nonblocking?0:(int)timeout_ms); + int what = Curl_socket_ready(readfd, writefd, + nonblocking?0:(int)timeout_ms); if(what > 0) /* readable or writable, go loop in the outer loop */ break; @@ -1775,11 +1776,11 @@ ossl_connect_common(struct connectdata *conn, } if(ssl_connect_done==connssl->connecting_state) { + connssl->state = ssl_connection_complete; *done = TRUE; } - else { + else *done = FALSE; - } /* Reset our connect state machine */ connssl->connecting_state = ssl_connect_1; @@ -2439,10 +2439,17 @@ ConnectionExists(struct SessionHandle *data, ssl options as well */ if(!Curl_ssl_config_matches(&needle->ssl_config, &check->ssl_config)) { - infof(data, - "Connection #%ld has different SSL parameters, " - "can't reuse\n", - check->connectindex ); + DEBUGF(infof(data, + "Connection #%ld has different SSL parameters, " + "can't reuse\n", + check->connectindex)); + continue; + } + else if(check->ssl[FIRSTSOCKET].state != ssl_connection_complete) { + DEBUGF(infof(data, + "Connection #%ld has not started ssl connect, " + "can't reuse\n", + check->connectindex)); continue; } } diff --git a/lib/urldata.h b/lib/urldata.h index 2eeb08c20..95ef36b82 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -168,11 +168,19 @@ typedef enum { ssl_connect_done } ssl_connect_state; +typedef enum { + ssl_connection_none, + ssl_connection_negotiating, + ssl_connection_complete +} ssl_connection_state; + /* struct for data related to each SSL connection */ struct ssl_connect_data { - bool use; /* use ssl encrypted communications TRUE/FALSE, not - necessarily using it atm but at least asked to or - meaning to use it */ + /* Use ssl encrypted communications TRUE/FALSE, not necessarily using it atm + but at least asked to or meaning to use it. See 'state' for the exact + current state of the connection. */ + bool use; + ssl_connection_state state; #ifdef USE_SSLEAY /* these ones requires specific SSL-types */ SSL_CTX* ctx; |