Changelog
Daniel S (20 Feb 2008)
+- Based on initial work done by Gautam Kachroo to address a bug, we now keep
+ better control at the exact state of the connection's SSL status so that we
+ know exactly when it has completed the SSL negotiation or not so that there
+ won't be accidental re-uses of connections that are wrongly believed to be
+ in SSL-completed-negotiate state.
+
- We no longer support setting the CURLOPT_URL option from inside a callback
such as the CURLOPT_SSL_CTX_FUNCTION one treat that as if it was a Location:
following. The patch that introduced this feature was done for 7.11.0, but
problems with the cert
o when using the multi interface and a handle is removed while still having
a transfer going on, the connection is now closed by force
+ o bad re-use of SSL connections in non-complete state
This release includes the following known bugs:
Michal Marek, Dmitry Kurochkin, Niklas Angebrand, Günter Knauf, Yang Tse,
Dan Fandrich, Mike Hommey, Pooyan McSporran, Jerome Muffat-Meridol,
- Kaspar Brand
+ Kaspar Brand, Gautam Kachroo
Thanks! (and sorry if I forgot to mention someone)
ptr = gnutls_mac_get_name(gnutls_mac_get(session));
infof(data, "\t MAC: %s\n", ptr);
+ connssl->state = ssl_connection_complete;
+
if(!ssl_sessionid) {
/* this session was not previously in the cache, add it now */
goto error;
}
+ connssl->state = ssl_connection_complete;
+
display_conn_info(conn, connssl->handle);
return CURLE_OK;
SSL_Destroy(connssl->handle);
connssl->handle = NULL;
connssl->use = FALSE;
+ connssl->state = ssl_connection_none;
}
}
+ if (rc == CURLE_OK)
+ connssl->state = ssl_connection_complete;
return rc;
}
CURLcode retcode;
int num = (sockfd == conn->sock[SECONDARYSOCKET]);
- if(conn->ssl[num].use)
+ if(conn->ssl[num].state == ssl_connection_complete)
/* only TRUE if SSL enabled */
bytes_written = Curl_ssl_send(conn, num, mem, len);
#ifdef USE_LIBSSH2
buffertofill = buf;
}
- if(conn->ssl[num].use) {
+ if(conn->ssl[num].state == ssl_connection_complete) {
nread = Curl_ssl_recv(conn, num, buffertofill, bytesfromsocket);
if(nread == -1) {
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
#ifdef USE_SSL
/* mark this is being ssl enabled from here on. */
conn->ssl[sockindex].use = TRUE;
+ conn->ssl[sockindex].state = ssl_connection_negotiating;
#ifdef USE_SSLEAY
return Curl_ossl_connect(conn, sockindex);
#endif /* USE_SSLEAY */
conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */
+ conn->ssl[sockindex].state = ssl_connection_none;
return CURLE_OK;
}
connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
while(1) {
- int what = Curl_socket_ready(readfd, writefd, nonblocking?0:(int)timeout_ms);
+ int what = Curl_socket_ready(readfd, writefd,
+ nonblocking?0:(int)timeout_ms);
if(what > 0)
/* readable or writable, go loop in the outer loop */
break;
}
if(ssl_connect_done==connssl->connecting_state) {
+ connssl->state = ssl_connection_complete;
*done = TRUE;
}
- else {
+ else
*done = FALSE;
- }
/* Reset our connect state machine */
connssl->connecting_state = ssl_connect_1;
ssl options as well */
if(!Curl_ssl_config_matches(&needle->ssl_config,
&check->ssl_config)) {
- infof(data,
- "Connection #%ld has different SSL parameters, "
- "can't reuse\n",
- check->connectindex );
+ DEBUGF(infof(data,
+ "Connection #%ld has different SSL parameters, "
+ "can't reuse\n",
+ check->connectindex));
+ continue;
+ }
+ else if(check->ssl[FIRSTSOCKET].state != ssl_connection_complete) {
+ DEBUGF(infof(data,
+ "Connection #%ld has not started ssl connect, "
+ "can't reuse\n",
+ check->connectindex));
continue;
}
}
ssl_connect_done
} ssl_connect_state;
+typedef enum {
+ ssl_connection_none,
+ ssl_connection_negotiating,
+ ssl_connection_complete
+} ssl_connection_state;
+
/* struct for data related to each SSL connection */
struct ssl_connect_data {
- bool use; /* use ssl encrypted communications TRUE/FALSE, not
- necessarily using it atm but at least asked to or
- meaning to use it */
+ /* Use ssl encrypted communications TRUE/FALSE, not necessarily using it atm
+ but at least asked to or meaning to use it. See 'state' for the exact
+ current state of the connection. */
+ bool use;
+ ssl_connection_state state;
#ifdef USE_SSLEAY
/* these ones requires specific SSL-types */
SSL_CTX* ctx;
projects / thirdparty / curl.git / commitdiff
