From 04b4ee5498b14d320e3b375c64d0162cc2b53c99 Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Sun, 12 Jun 2016 23:47:12 -0400 Subject: vtls: Only call add/getsession if session id is enabled Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reusing was enabled. According to comments that is in case session ID reuse was disabled but then later enabled. The old way was not intuitive and probably not something users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case the caching is later enabled. --- lib/vtls/mbedtls.c | 72 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 32 deletions(-) (limited to 'lib/vtls/mbedtls.c') diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index 2992d8834..33f10182b 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -162,7 +162,6 @@ mbed_connect_step1(struct connectdata *conn, struct ssl_connect_data* connssl = &conn->ssl[sockindex]; int ret = -1; - void *old_session = NULL; char errorbuf[128]; errorbuf[0]=0; @@ -365,17 +364,23 @@ mbed_connect_step1(struct connectdata *conn, mbedtls_ssl_conf_ciphersuites(&connssl->config, mbedtls_ssl_list_ciphersuites()); - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) { - ret = mbedtls_ssl_set_session(&connssl->ssl, old_session); - if(ret) { - Curl_ssl_sessionid_unlock(conn); - failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret); - return CURLE_SSL_CONNECT_ERROR; + + /* Check if there's a cached ID we can/should use here! */ + if(conn->ssl_config.sessionid) { + void *old_session = NULL; + + Curl_ssl_sessionid_lock(conn); + if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) { + ret = mbedtls_ssl_set_session(&connssl->ssl, old_session); + if(ret) { + Curl_ssl_sessionid_unlock(conn); + failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret); + return CURLE_SSL_CONNECT_ERROR; + } + infof(data, "mbedTLS re-using session\n"); } - infof(data, "mbedTLS re-using session\n"); + Curl_ssl_sessionid_unlock(conn); } - Curl_ssl_sessionid_unlock(conn); mbedtls_ssl_conf_ca_chain(&connssl->config, &connssl->cacert, @@ -591,35 +596,38 @@ mbed_connect_step3(struct connectdata *conn, CURLcode retcode = CURLE_OK; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct SessionHandle *data = conn->data; - void *old_ssl_sessionid = NULL; - mbedtls_ssl_session *our_ssl_sessionid; - int ret; DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); - our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); - if(!our_ssl_sessionid) - return CURLE_OUT_OF_MEMORY; + if(conn->ssl_config.sessionid) { + int ret; + mbedtls_ssl_session *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; - mbedtls_ssl_session_init(our_ssl_sessionid); + our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); + if(!our_ssl_sessionid) + return CURLE_OUT_OF_MEMORY; - ret = mbedtls_ssl_get_session(&connssl->ssl, our_ssl_sessionid); - if(ret) { - failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret); - return CURLE_SSL_CONNECT_ERROR; - } + mbedtls_ssl_session_init(our_ssl_sessionid); - /* If there's already a matching session in the cache, delete it */ - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL)) - Curl_ssl_delsessionid(conn, old_ssl_sessionid); + ret = mbedtls_ssl_get_session(&connssl->ssl, our_ssl_sessionid); + if(ret) { + failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret); + return CURLE_SSL_CONNECT_ERROR; + } - retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0); - Curl_ssl_sessionid_unlock(conn); - if(retcode) { - free(our_ssl_sessionid); - failf(data, "failed to store ssl session"); - return retcode; + /* If there's already a matching session in the cache, delete it */ + Curl_ssl_sessionid_lock(conn); + if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL)) + Curl_ssl_delsessionid(conn, old_ssl_sessionid); + + retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0); + Curl_ssl_sessionid_unlock(conn); + if(retcode) { + free(our_ssl_sessionid); + failf(data, "failed to store ssl session"); + return retcode; + } } connssl->connecting_state = ssl_connect_done; -- cgit v1.2.3