[glib-networking/mcatanzaro/openssl-session-id: 2/2] openssl: remove unused session ID generation
- From: Ignacio Casal Quinteiro <icq src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/mcatanzaro/openssl-session-id: 2/2] openssl: remove unused session ID generation
- Date: Thu, 2 Jan 2020 08:42:37 +0000 (UTC)
commit 3d9dc35e9f7da17527d12ca3368c8fec97d48122
Author: Michael Catanzaro <mcatanzaro gnome org>
Date: Wed Jan 1 09:18:07 2020 -0600
openssl: remove unused session ID generation
Only OpenSSL servers are permitted to set session IDs, so having this
code in GTlsClientConnectionOpenssl is not accomplishing anything. Also,
session_data and session_data_override are plainly unused. The OpenSSL
backend doesn't seem to support session resumption anyway, so it's
unclear what the history or goal here was.
P.S. This is a copypaste of buggy GnuTLS session resumption code, which
was fixed in 8da92fd6, but that fix never made it to the OpenSSL
portion. Remember this if trying to resurrect this code or if ever in
the future you consider duplicating code that ought to be shared. :)
tls/openssl/gtlsclientconnection-openssl.c | 69 ------------------------------
1 file changed, 69 deletions(-)
---
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index 7252cc2..d5fc955 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -46,10 +46,6 @@ struct _GTlsClientConnectionOpenssl
GTlsCertificateFlags validation_flags;
GSocketConnectable *server_identity;
gboolean use_ssl3;
- gboolean session_data_override;
-
- GBytes *session_id;
- GBytes *session_data;
STACK_OF (X509_NAME) *ca_list;
@@ -85,8 +81,6 @@ g_tls_client_connection_openssl_finalize (GObject *object)
GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
g_clear_object (&openssl->server_identity);
- g_clear_pointer (&openssl->session_id, g_bytes_unref);
- g_clear_pointer (&openssl->session_data, g_bytes_unref);
SSL_free (openssl->ssl);
SSL_CTX_free (openssl->ssl_ctx);
@@ -191,50 +185,6 @@ g_tls_client_connection_openssl_set_property (GObject *object,
}
}
-static void
-g_tls_client_connection_openssl_constructed (GObject *object)
-{
- GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
- GSocketConnection *base_conn;
- GSocketAddress *remote_addr;
- GInetAddress *iaddr;
- guint port;
-
- /* Create a TLS session ID. We base it on the IP address since
- * different hosts serving the same hostname/service will probably
- * not share the same session cache. We base it on the
- * server-identity because at least some servers will fail (rather
- * than just failing to resume the session) if we don't.
- * (https://bugs.launchpad.net/bugs/823325)
- */
- g_object_get (G_OBJECT (openssl), "base-io-stream", &base_conn, NULL);
- if (G_IS_SOCKET_CONNECTION (base_conn))
- {
- remote_addr = g_socket_connection_get_remote_address (base_conn, NULL);
- if (G_IS_INET_SOCKET_ADDRESS (remote_addr))
- {
- GInetSocketAddress *isaddr = G_INET_SOCKET_ADDRESS (remote_addr);
- const gchar *server_hostname;
- gchar *addrstr, *session_id;
-
- iaddr = g_inet_socket_address_get_address (isaddr);
- port = g_inet_socket_address_get_port (isaddr);
-
- addrstr = g_inet_address_to_string (iaddr);
- server_hostname = get_server_identity (openssl);
- session_id = g_strdup_printf ("%s/%s/%d", addrstr,
- server_hostname ? server_hostname : "",
- port);
- openssl->session_id = g_bytes_new_take (session_id, strlen (session_id));
- g_free (addrstr);
- }
- g_object_unref (remote_addr);
- }
- g_object_unref (base_conn);
-
- G_OBJECT_CLASS (g_tls_client_connection_openssl_parent_class)->constructed (object);
-}
-
static void
g_tls_client_connection_openssl_complete_handshake (GTlsConnectionBase *tls,
gchar **negotiated_protocol,
@@ -317,7 +267,6 @@ g_tls_client_connection_openssl_class_init (GTlsClientConnectionOpensslClass *kl
gobject_class->finalize = g_tls_client_connection_openssl_finalize;
gobject_class->get_property = g_tls_client_connection_openssl_get_property;
gobject_class->set_property = g_tls_client_connection_openssl_set_property;
- gobject_class->constructed = g_tls_client_connection_openssl_constructed;
base_class->complete_handshake = g_tls_client_connection_openssl_complete_handshake;
base_class->verify_peer_certificate = g_tls_client_connection_openssl_verify_peer_certificate;
@@ -394,22 +343,6 @@ handshake_thread_retrieve_certificate (SSL *ssl,
return 0;
}
-static int
-generate_session_id (SSL *ssl,
- unsigned char *id,
- unsigned int *id_len)
-{
- GTlsClientConnectionOpenssl *client;
- int len;
-
- client = SSL_get_ex_data (ssl, data_index);
-
- len = MIN (*id_len, g_bytes_get_size (client->session_id));
- memcpy (id, g_bytes_get_data (client->session_id, NULL), len);
-
- return 1;
-}
-
static gboolean
set_cipher_list (GTlsClientConnectionOpenssl *client,
GError **error)
@@ -515,8 +448,6 @@ g_tls_client_connection_openssl_initable_init (GInitable *initable,
}
#endif
- SSL_CTX_set_generate_session_id (client->ssl_ctx, (GEN_SESSION_CB)generate_session_id);
-
SSL_CTX_add_session (client->ssl_ctx, client->session);
SSL_CTX_set_client_cert_cb (client->ssl_ctx, handshake_thread_retrieve_certificate);