GNOME.org
 

[glib-networking/mcatanzaro/openssl-session-id] openssl: remove unused session ID generation

commit 02bf6b50c3e13625432c07f7acea26468b6b8645
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Wed Jan 1 09:18:07 2020 -0600

    openssl: remove unused session ID generation
    
    Only OpenSSL servers are permitted to set session IDs, so having this
    code in GTlsClientConnectionOpenssl is not accomplishing anything. Also,
    session_data and session_data_override are plainly unused. The OpenSSL
    backend doesn't seem to support session resumption anyway, so it's
    unclear what the history or goal here was.
    
    P.S. This is a copypaste of buggy GnuTLS session resumption code, which
    was fixed in 8da92fd6, but that fix never made it to the OpenSSL
    portion. Remember this if trying to resurrect this code or if ever in
    the future you consider duplicating code that ought to be shared. :)

 tls/openssl/gtlsclientconnection-openssl.c | 69 ------------------------------
 1 file changed, 69 deletions(-)
---
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index f14401a..808f918 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -46,10 +46,6 @@ struct _GTlsClientConnectionOpenssl
   GTlsCertificateFlags validation_flags;
   GSocketConnectable *server_identity;
   gboolean use_ssl3;
-  gboolean session_data_override;
-
-  GBytes *session_id;
-  GBytes *session_data;
 
   STACK_OF (X509_NAME) *ca_list;
   gboolean ca_list_changed;
@@ -86,8 +82,6 @@ g_tls_client_connection_openssl_finalize (GObject *object)
   GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
 
   g_clear_object (&openssl->server_identity);
-  g_clear_pointer (&openssl->session_id, g_bytes_unref);
-  g_clear_pointer (&openssl->session_data, g_bytes_unref);
 
   SSL_free (openssl->ssl);
   SSL_CTX_free (openssl->ssl_ctx);
@@ -192,50 +186,6 @@ g_tls_client_connection_openssl_set_property (GObject      *object,
     }
 }
 
-static void
-g_tls_client_connection_openssl_constructed (GObject *object)
-{
-  GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
-  GSocketConnection *base_conn;
-  GSocketAddress *remote_addr;
-  GInetAddress *iaddr;
-  guint port;
-
-  /* Create a TLS session ID. We base it on the IP address since
-   * different hosts serving the same hostname/service will probably
-   * not share the same session cache. We base it on the
-   * server-identity because at least some servers will fail (rather
-   * than just failing to resume the session) if we don't.
-   * (https://bugs.launchpad.net/bugs/823325)
-   */
-  g_object_get (G_OBJECT (openssl), "base-io-stream", &base_conn, NULL);
-  if (G_IS_SOCKET_CONNECTION (base_conn))
-    {
-      remote_addr = g_socket_connection_get_remote_address (base_conn, NULL);
-      if (G_IS_INET_SOCKET_ADDRESS (remote_addr))
-        {
-          GInetSocketAddress *isaddr = G_INET_SOCKET_ADDRESS (remote_addr);
-          const gchar *server_hostname;
-          gchar *addrstr, *session_id;
-
-          iaddr = g_inet_socket_address_get_address (isaddr);
-          port = g_inet_socket_address_get_port (isaddr);
-
-          addrstr = g_inet_address_to_string (iaddr);
-          server_hostname = get_server_identity (openssl);
-          session_id = g_strdup_printf ("%s/%s/%d", addrstr,
-                                        server_hostname ? server_hostname : "",
-                                        port);
-          openssl->session_id = g_bytes_new_take (session_id, strlen (session_id));
-          g_free (addrstr);
-        }
-      g_object_unref (remote_addr);
-    }
-  g_object_unref (base_conn);
-
-  G_OBJECT_CLASS (g_tls_client_connection_openssl_parent_class)->constructed (object);
-}
-
 static void
 g_tls_client_connection_openssl_complete_handshake (GTlsConnectionBase  *tls,
                                                     gchar              **negotiated_protocol,
@@ -318,7 +268,6 @@ g_tls_client_connection_openssl_class_init (GTlsClientConnectionOpensslClass *kl
   gobject_class->finalize             = g_tls_client_connection_openssl_finalize;
   gobject_class->get_property         = g_tls_client_connection_openssl_get_property;
   gobject_class->set_property         = g_tls_client_connection_openssl_set_property;
-  gobject_class->constructed          = g_tls_client_connection_openssl_constructed;
 
   base_class->complete_handshake      = g_tls_client_connection_openssl_complete_handshake;
   base_class->verify_peer_certificate = g_tls_client_connection_openssl_verify_peer_certificate;
@@ -398,22 +347,6 @@ handshake_thread_retrieve_certificate (SSL       *ssl,
   return 0;
 }
 
-static int
-generate_session_id (SSL           *ssl,
-                     unsigned char *id,
-                     unsigned int  *id_len)
-{
-  GTlsClientConnectionOpenssl *client;
-  int len;
-
-  client = SSL_get_ex_data (ssl, data_index);
-
-  len = MIN (*id_len, g_bytes_get_size (client->session_id));
-  memcpy (id, g_bytes_get_data (client->session_id, NULL), len);
-
-  return 1;
-}
-
 static gboolean
 set_cipher_list (GTlsClientConnectionOpenssl  *client,
                  GError                      **error)
@@ -519,8 +452,6 @@ g_tls_client_connection_openssl_initable_init (GInitable       *initable,
     }
 #endif
 
-  SSL_CTX_set_generate_session_id (client->ssl_ctx, (GEN_SESSION_CB)generate_session_id);
-
   SSL_CTX_add_session (client->ssl_ctx, client->session);
 
   SSL_CTX_set_client_cert_cb (client->ssl_ctx, handshake_thread_retrieve_certificate);
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]