From: Jay Satiro <raysatiro@yahoo.com>
Date: Sun, 20 Feb 2022 21:30:08 +0000 (-0500)
Subject: openssl: check if sessionid flag is enabled before retrieving session
X-Git-Tag: curl-7_82_0~36
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f7ba0eccf72dda3694a6ac14cfee4dfe051465fb;p=thirdparty%2Fcurl.git

openssl: check if sessionid flag is enabled before retrieving session

Ideally, Curl_ssl_getsessionid should not be called unless sessionid
caching is enabled. There is a debug assertion in the function to help
ensure that. Therefore, the pattern in all vtls is basically:

  if(primary.sessionid) {lock(); Curl_ssl_getsessionid(...); unlock();}

There was one instance in openssl.c where sessionid was not checked
beforehand and this change fixes that.

Prior to this change an assertion would occur in openssl debug builds
during connection stage if session caching was disabled.

Reported-by: Jim Beveridge

Fixes https://github.com/curl/curl/issues/8472
Closes https://github.com/curl/curl/pull/8484
---

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index fc35f784da..616a510b0a 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3239,21 +3239,23 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
     return CURLE_SSL_CONNECT_ERROR;
   }
 
-  Curl_ssl_sessionid_lock(data);
-  if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
-                            &ssl_sessionid, NULL, sockindex)) {
-    /* we got a session id, use it! */
-    if(!SSL_set_session(backend->handle, ssl_sessionid)) {
-      Curl_ssl_sessionid_unlock(data);
-      failf(data, "SSL: SSL_set_session failed: %s",
-            ossl_strerror(ERR_get_error(), error_buffer,
-                          sizeof(error_buffer)));
-      return CURLE_SSL_CONNECT_ERROR;
+  if(SSL_SET_OPTION(primary.sessionid)) {
+    Curl_ssl_sessionid_lock(data);
+    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
+                              &ssl_sessionid, NULL, sockindex)) {
+      /* we got a session id, use it! */
+      if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+        Curl_ssl_sessionid_unlock(data);
+        failf(data, "SSL: SSL_set_session failed: %s",
+              ossl_strerror(ERR_get_error(), error_buffer,
+                            sizeof(error_buffer)));
+        return CURLE_SSL_CONNECT_ERROR;
+      }
+      /* Informational message */
+      infof(data, "SSL re-using session ID");
     }
-    /* Informational message */
-    infof(data, "SSL re-using session ID");
+    Curl_ssl_sessionid_unlock(data);
   }
-  Curl_ssl_sessionid_unlock(data);
 
 #ifndef CURL_DISABLE_PROXY
   if(conn->proxy_ssl[sockindex].use) {