Posted to dev@tomcat.apache.org by rj...@apache.org on 2018/10/12 09:51:42 UTC
svn commit: r1843636 - /tomcat/native/trunk/native/src/sslnetwork.c
Author: rjung
Date: Fri Oct 12 09:51:42 2018
New Revision: 1843636
URL: http://svn.apache.org/viewvc?rev=1843636&view=rev
Log:
Tab police.
No functional change.
Modified:
tomcat/native/trunk/native/src/sslnetwork.c
Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1843636&r1=1843635&r2=1843636&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Fri Oct 12 09:51:42 2018
@@ -631,121 +631,121 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene
TCN_ASSERT(sock != 0);
con = (tcn_ssl_conn_t *)s->opaque;
session = SSL_get_session(con->ssl);
- apr_socket_timeout_get(con->sock, &timeout);
+ apr_socket_timeout_get(con->sock, &timeout);
#if defined(SSL_OP_NO_TLSv1_3)
if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) {
- // TLS 1.3 renegotiation
- retVal = SSL_verify_client_post_handshake(con->ssl);
- if (retVal <= 0) {
- return APR_EGENERAL;
- }
-
- con->pha_state = PHA_STARTED;
-
- // Need to trigger a write operation to sent the cert request to the
- // client. As per OpenSSL docs, use SSL_do_handshake() for this.
- retVal = SSL_do_handshake(con->ssl);
- if (retVal <= 0) {
- return APR_EGENERAL;
- }
-
- // Trigger reading of the certs from the client
- retVal = SSL_peek(con->ssl, peekbuf, 0);
- if (retVal < 1) {
- error = SSL_get_error(con->ssl, retVal);
- }
-
- // If the certs have not been received, then need to wait for I/O
- while (con->pha_state == PHA_STARTED) {
- // SSL_ERROR_WANT_READ is expected. Anything else is an error.
- if (error == SSL_ERROR_WANT_READ) {
- retVal = wait_for_io_or_timeout(con, error, timeout);
- /*
- * Since this is blocking I/O, anything other than APR_SUCCESS is an
- * error.
- */
- if (retVal != APR_SUCCESS) {
- con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
- return retVal;
- }
- } else {
- return APR_EGENERAL;
- }
-
- // Re-try SSL_peek after I/O
- retVal = SSL_peek(con->ssl, peekbuf, 0);
- if (retVal < 1) {
- error = SSL_get_error(con->ssl, retVal);
- } else {
- /*
- * Reset error to handle case where SSL_Peek returns 0 but
- * con->pha_state has not changed. This will trigger an error
- * to be returned.
- */
- error = 0;
- }
- }
+ // TLS 1.3 renegotiation
+ retVal = SSL_verify_client_post_handshake(con->ssl);
+ if (retVal <= 0) {
+ return APR_EGENERAL;
+ }
+
+ con->pha_state = PHA_STARTED;
+
+ // Need to trigger a write operation to sent the cert request to the
+ // client. As per OpenSSL docs, use SSL_do_handshake() for this.
+ retVal = SSL_do_handshake(con->ssl);
+ if (retVal <= 0) {
+ return APR_EGENERAL;
+ }
+
+ // Trigger reading of the certs from the client
+ retVal = SSL_peek(con->ssl, peekbuf, 0);
+ if (retVal < 1) {
+ error = SSL_get_error(con->ssl, retVal);
+ }
+
+ // If the certs have not been received, then need to wait for I/O
+ while (con->pha_state == PHA_STARTED) {
+ // SSL_ERROR_WANT_READ is expected. Anything else is an error.
+ if (error == SSL_ERROR_WANT_READ) {
+ retVal = wait_for_io_or_timeout(con, error, timeout);
+ /*
+ * Since this is blocking I/O, anything other than APR_SUCCESS is an
+ * error.
+ */
+ if (retVal != APR_SUCCESS) {
+ con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
+ return retVal;
+ }
+ } else {
+ return APR_EGENERAL;
+ }
+
+ // Re-try SSL_peek after I/O
+ retVal = SSL_peek(con->ssl, peekbuf, 0);
+ if (retVal < 1) {
+ error = SSL_get_error(con->ssl, retVal);
+ } else {
+ /*
+ * Reset error to handle case where SSL_Peek returns 0 but
+ * con->pha_state has not changed. This will trigger an error
+ * to be returned.
+ */
+ error = 0;
+ }
+ }
} else {
#endif
- // TLS 1.2 and earlier renegotiation
+ // TLS 1.2 and earlier renegotiation
- /* Toggle the renegotiation state to allow the new
- * handshake to proceed.
- */
- con->reneg_state = RENEG_ALLOW;
-
- // Schedule a renegotiation request
- retVal = SSL_renegotiate(con->ssl);
- if (retVal <= 0) {
- return APR_EGENERAL;
- }
-
- /* Need to trigger the renegotiation handshake by reading.
- * Peeking 0 bytes actually works.
- * See: http://marc.info/?t=145493359200002&r=1&w=2
- *
- * This will normally return SSL_ERROR_WANT_READ whether the renegotiation
- * has been completed or not. Afterwards, need to determine if I/O needs to
- * be triggered or not.
- */
- retVal = SSL_peek(con->ssl, peekbuf, 0);
- if (retVal < 1) {
- error = SSL_get_error(con->ssl, retVal);
- }
-
- // If the renegotiation is still pending, then I/O needs to be triggered
- while (SSL_renegotiate_pending(con->ssl)) {
- // SSL_ERROR_WANT_READ is expected. Anything else is an error.
- if (error == SSL_ERROR_WANT_READ) {
- retVal = wait_for_io_or_timeout(con, error, timeout);
- /*
- * Since this is blocking I/O, anything other than APR_SUCCESS is an
- * error.
- */
- if (retVal != APR_SUCCESS) {
- con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
- return retVal;
- }
- } else {
- return APR_EGENERAL;
- }
-
- // Re-try SSL_peek after I/O
- retVal = SSL_peek(con->ssl, peekbuf, 0);
- if (retVal < 1) {
- error = SSL_get_error(con->ssl, retVal);
- } else {
- /*
- * Reset error to handle case where SSL_Peek returns 0 but
- * SSL_renegotiate_pending returns true. This will trigger an error
- * to be returned.
- */
- error = 0;
- }
- }
+ /* Toggle the renegotiation state to allow the new
+ * handshake to proceed.
+ */
+ con->reneg_state = RENEG_ALLOW;
+
+ // Schedule a renegotiation request
+ retVal = SSL_renegotiate(con->ssl);
+ if (retVal <= 0) {
+ return APR_EGENERAL;
+ }
+
+ /* Need to trigger the renegotiation handshake by reading.
+ * Peeking 0 bytes actually works.
+ * See: http://marc.info/?t=145493359200002&r=1&w=2
+ *
+ * This will normally return SSL_ERROR_WANT_READ whether the renegotiation
+ * has been completed or not. Afterwards, need to determine if I/O needs to
+ * be triggered or not.
+ */
+ retVal = SSL_peek(con->ssl, peekbuf, 0);
+ if (retVal < 1) {
+ error = SSL_get_error(con->ssl, retVal);
+ }
+
+ // If the renegotiation is still pending, then I/O needs to be triggered
+ while (SSL_renegotiate_pending(con->ssl)) {
+ // SSL_ERROR_WANT_READ is expected. Anything else is an error.
+ if (error == SSL_ERROR_WANT_READ) {
+ retVal = wait_for_io_or_timeout(con, error, timeout);
+ /*
+ * Since this is blocking I/O, anything other than APR_SUCCESS is an
+ * error.
+ */
+ if (retVal != APR_SUCCESS) {
+ con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
+ return retVal;
+ }
+ } else {
+ return APR_EGENERAL;
+ }
+
+ // Re-try SSL_peek after I/O
+ retVal = SSL_peek(con->ssl, peekbuf, 0);
+ if (retVal < 1) {
+ error = SSL_get_error(con->ssl, retVal);
+ } else {
+ /*
+ * Reset error to handle case where SSL_Peek returns 0 but
+ * SSL_renegotiate_pending returns true. This will trigger an error
+ * to be returned.
+ */
+ error = 0;
+ }
+ }
- con->reneg_state = RENEG_REJECT;
+ con->reneg_state = RENEG_REJECT;
#if defined(SSL_OP_NO_TLSv1_3)
}
#endif