10 files changed, 46 insertions, 14 deletions

diff --git a/CHANGES b/CHANGES
index 4dd0b7dde..54485bea8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,12 @@
                                   Changelog
 
 Daniel S (20 Feb 2008)
+- Based on initial work done by Gautam Kachroo to address a bug, we now keep
+  better control at the exact state of the connection's SSL status so that we
+  know exactly when it has completed the SSL negotiation or not so that there
+  won't be accidental re-uses of connections that are wrongly believed to be
+  in SSL-completed-negotiate state.
+
 - We no longer support setting the CURLOPT_URL option from inside a callback
   such as the CURLOPT_SSL_CTX_FUNCTION one treat that as if it was a Location:
   following. The patch that introduced this feature was done for 7.11.0, but
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 9279ea1fc..44b31da8c 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -27,6 +27,7 @@ This release includes the following bugfixes:
    problems with the cert
  o when using the multi interface and a handle is removed while still having
    a transfer going on, the connection is now closed by force
+ o bad re-use of SSL connections in non-complete state
 
 This release includes the following known bugs:
 
@@ -45,6 +46,6 @@ advice from friends like these:
 
  Michal Marek, Dmitry Kurochkin, Niklas Angebrand, Günter Knauf, Yang Tse,
  Dan Fandrich, Mike Hommey, Pooyan McSporran, Jerome Muffat-Meridol,
- Kaspar Brand
+ Kaspar Brand, Gautam Kachroo
 
         Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/gtls.c b/lib/gtls.c
index 2364c2778..3bf988194 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -501,6 +501,8 @@ Curl_gtls_connect(struct connectdata *conn,
   ptr = gnutls_mac_get_name(gnutls_mac_get(session));
   infof(data, "\t MAC: %s\n", ptr);
 
+  connssl->state = ssl_connection_complete;
+
   if(!ssl_sessionid) {
     /* this session was not previously in the cache, add it now */
 
diff --git a/lib/nss.c b/lib/nss.c
index 6e3ee8604..c8d728d3e 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1022,6 +1022,8 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
     goto error;
   }
 
+  connssl->state = ssl_connection_complete;
+
   display_conn_info(conn, connssl->handle);
 
   return CURLE_OK;
diff --git a/lib/qssl.c b/lib/qssl.c
index 0252b465e..ad04cc7b3 100644
--- a/lib/qssl.c
+++ b/lib/qssl.c
@@ -258,8 +258,11 @@ CURLcode Curl_qsossl_connect(struct connectdata * conn, int sockindex)
       SSL_Destroy(connssl->handle);
       connssl->handle = NULL;
       connssl->use = FALSE;
+      connssl->state = ssl_connection_none;
     }
   }
+  if (rc == CURLE_OK)
+    connssl->state = ssl_connection_complete;
 
   return rc;
 }
diff --git a/lib/sendf.c b/lib/sendf.c
index fe340236f..6aa4d8613 100644
--- a/lib/sendf.c
+++ b/lib/sendf.c
@@ -355,7 +355,7 @@ CURLcode Curl_write(struct connectdata *conn,
   CURLcode retcode;
   int num = (sockfd == conn->sock[SECONDARYSOCKET]);
 
-  if(conn->ssl[num].use)
+  if(conn->ssl[num].state == ssl_connection_complete)
     /* only TRUE if SSL enabled */
     bytes_written = Curl_ssl_send(conn, num, mem, len);
 #ifdef USE_LIBSSH2
@@ -567,7 +567,7 @@ int Curl_read(struct connectdata *conn, /* connection data */
     buffertofill = buf;
   }
 
-  if(conn->ssl[num].use) {
+  if(conn->ssl[num].state == ssl_connection_complete) {
     nread = Curl_ssl_recv(conn, num, buffertofill, bytesfromsocket);
 
     if(nread == -1) {
diff --git a/lib/sslgen.c b/lib/sslgen.c
index 5719c0bf2..bbcc8c56d 100644
--- a/lib/sslgen.c
+++ b/lib/sslgen.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -207,6 +207,7 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex)
 #ifdef USE_SSL
   /* mark this is being ssl enabled from here on. */
   conn->ssl[sockindex].use = TRUE;
+  conn->ssl[sockindex].state = ssl_connection_negotiating;
 
 #ifdef USE_SSLEAY
   return Curl_ossl_connect(conn, sockindex);
@@ -473,6 +474,7 @@ CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex)
 #endif /* USE_SSLEAY */
 
   conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */
+  conn->ssl[sockindex].state = ssl_connection_none;
 
   return CURLE_OK;
 }
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 1e9b48a49..ac6b057cb 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1737,7 +1737,8 @@ ossl_connect_common(struct connectdata *conn,
         connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
 
       while(1) {
-        int what = Curl_socket_ready(readfd, writefd, nonblocking?0:(int)timeout_ms);
+        int what = Curl_socket_ready(readfd, writefd,
+                                     nonblocking?0:(int)timeout_ms);
         if(what > 0)
           /* readable or writable, go loop in the outer loop */
           break;
@@ -1775,11 +1776,11 @@ ossl_connect_common(struct connectdata *conn,
   }
 
   if(ssl_connect_done==connssl->connecting_state) {
+    connssl->state = ssl_connection_complete;
     *done = TRUE;
   }
-  else {
+  else
     *done = FALSE;
-  }
 
   /* Reset our connect state machine */
   connssl->connecting_state = ssl_connect_1;
diff --git a/lib/url.c b/lib/url.c
index 71a533d25..3c3605c1a 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2439,10 +2439,17 @@ ConnectionExists(struct SessionHandle *data,
              ssl options as well */
           if(!Curl_ssl_config_matches(&needle->ssl_config,
                                       &check->ssl_config)) {
-            infof(data,
-                  "Connection #%ld has different SSL parameters, "
-                  "can't reuse\n",
-                  check->connectindex );
+            DEBUGF(infof(data,
+                         "Connection #%ld has different SSL parameters, "
+                         "can't reuse\n",
+                         check->connectindex));
+            continue;
+          }
+          else if(check->ssl[FIRSTSOCKET].state != ssl_connection_complete) {
+            DEBUGF(infof(data,
+                         "Connection #%ld has not started ssl connect, "
+                         "can't reuse\n",
+                         check->connectindex));
             continue;
           }
         }
diff --git a/lib/urldata.h b/lib/urldata.h
index 2eeb08c20..95ef36b82 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -168,11 +168,19 @@ typedef enum {
   ssl_connect_done
 } ssl_connect_state;
 
+typedef enum {
+  ssl_connection_none,
+  ssl_connection_negotiating,
+  ssl_connection_complete
+} ssl_connection_state;
+
 /* struct for data related to each SSL connection */
 struct ssl_connect_data {
-  bool use;        /* use ssl encrypted communications TRUE/FALSE, not
-                      necessarily using it atm but at least asked to or
-                      meaning to use it */
+  /* Use ssl encrypted communications TRUE/FALSE, not necessarily using it atm
+     but at least asked to or meaning to use it. See 'state' for the exact
+     current state of the connection. */
+  bool use;
+  ssl_connection_state state;
 #ifdef USE_SSLEAY
   /* these ones requires specific SSL-types */
   SSL_CTX* ctx;