From 90bc6ee8f38eec0dd6c7c8dbea22b0cba2998ee2 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Sat, 14 Nov 2009 02:30:30 +0000 Subject: [PATCH] - Constantine Sapuntzakis provided the fix that ensures that an SSL connection won't be reused unless protection level for peer and host verification match. --- CHANGES | 4 ++++ RELEASE-NOTES | 1 + lib/url.c | 9 +++++++++ lib/urldata.h | 3 +++ 4 files changed, 17 insertions(+) diff --git a/CHANGES b/CHANGES index 47ee50d..0c7f7c1 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,10 @@ Changelog +Yang Tse (14 Nov 2009) +- Constantine Sapuntzakis provided the fix that ensures that an SSL connection + won't be reused unless protection level for peer and host verification match. + Kamil Dudka (12 Nov 2009) - Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly closed NSPR descriptor. The issue was hard to find, reported several times diff --git a/RELEASE-NOTES b/RELEASE-NOTES index f68e579..25daa43 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -18,6 +18,7 @@ This release includes the following bugfixes: o progress meter/callback during FTP connection o DNS cache timeout while transfer in progress o compilation when configured --with-gssapi having GNU GSS installed + o SSL connection reused with mismatched protection level This release includes the following known bugs: diff --git a/lib/url.c b/lib/url.c index 8f425d4..d3ec1c0 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2689,6 +2689,12 @@ ConnectionExists(struct SessionHandle *data, /* don't do mixed SSL and non-SSL connections */ continue; + if(needle->protocol&PROT_SSL) { + if((data->set.ssl.verifypeer != check->verifypeer) || + (data->set.ssl.verifyhost != check->verifyhost)) + continue; + } + if(needle->bits.proxy != check->bits.proxy) /* don't do mixed proxy and non-proxy connections */ continue; @@ -4326,6 +4332,9 @@ static CURLcode create_conn(struct SessionHandle *data, conn->bits.ftp_use_epsv = data->set.ftp_use_epsv; conn->bits.ftp_use_eprt = data->set.ftp_use_eprt; + conn->verifypeer = data->set.ssl.verifypeer; + conn->verifyhost = data->set.ssl.verifyhost; + if(data->multi && Curl_multi_canPipeline(data->multi) && !conn->master_buffer) { /* Allocate master_buffer to be used for pipelining */ diff --git a/lib/urldata.h b/lib/urldata.h index d3101c0..40ed828 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1083,6 +1083,9 @@ struct connectdata { #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) int socks5_gssapi_enctype; #endif + + long verifypeer; + long verifyhost; }; /* The end of connectdata. */ -- 2.7.4