Posted to dev@tomcat.apache.org by ma...@apache.org on 2009/09/15 19:41:28 UTC
svn commit: r815411 - /tomcat/native/trunk/native/src/sslnetwork.c
Author: markt
Date: Tue Sep 15 17:41:28 2009
New Revision: 815411
URL: http://svn.apache.org/viewvc?rev=815411&view=rev
Log:
Part of fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
This patch fixes two issues:
- renegotiate now does a full renegotiation rather than just setting the 'need to renegotiate' flag
- a new method is provided that allows clients to set the certificate verification level per connection - this is required when switching from unauthenticated to authenticated, e.g. because of a security constraint
Modified:
tomcat/native/trunk/native/src/sslnetwork.c
Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=815411&r1=815410&r2=815411&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Tue Sep 15 17:41:28 2009
@@ -562,11 +562,60 @@
{
tcn_socket_t *s = J2P(sock, tcn_socket_t *);
tcn_ssl_conn_t *con;
+ int retVal;
UNREFERENCED_STDARGS;
TCN_ASSERT(sock != 0);
con = (tcn_ssl_conn_t *)s->opaque;
- return SSL_renegotiate(con->ssl);
+
+ /* Sequence to renegotiate is
+ * SSL_renegotiate()
+ * SSL_do_handshake()
+ * ssl->state = SSL_ST_ACCEPT
+ * SSL_do_handshake()
+ */
+ retVal = SSL_renegotiate(con->ssl);
+ if (retVal <= 0)
+ return APR_EGENERAL;
+
+ retVal = SSL_do_handshake(con->ssl);
+ if (retVal <= 0)
+ return APR_EGENERAL;
+
+ con->ssl->state = SSL_ST_ACCEPT;
+
+ retVal = SSL_do_handshake(con->ssl);
+ if (retVal <= 0)
+ return APR_EGENERAL;
+
+ return APR_SUCCESS;
+}
+
+TCN_IMPLEMENT_CALL(void, SSLSocket, setVerify)(TCN_STDARGS,
+ jlong sock,
+ jint cverify,
+ jint depth)
+{
+ tcn_socket_t *s = J2P(sock, tcn_socket_t *);
+ tcn_ssl_conn_t *con;
+ int verify = SSL_VERIFY_NONE;
+
+ UNREFERENCED_STDARGS;
+ TCN_ASSERT(sock != 0);
+ con = (tcn_ssl_conn_t *)s->opaque;
+
+ if (cverify == SSL_CVERIFY_UNSET)
+ cverify = SSL_CVERIFY_NONE;
+ if (depth > 0)
+ SSL_set_verify_depth(con->ssl, depth);
+
+ if (cverify == SSL_CVERIFY_REQUIRE)
+ verify |= SSL_VERIFY_PEER_STRICT;
+ if ((cverify == SSL_CVERIFY_OPTIONAL) ||
+ (cverify == SSL_CVERIFY_OPTIONAL_NO_CA))
+ verify |= SSL_VERIFY_PEER;
+
+ SSL_set_verify(con->ssl, verify, NULL);
}
#else
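Review bot: The three `if (retVal <= 0) return APR_EGENERAL;` checks in renegotiate collapse every non-positive return into a generic failure, but SSL_do_handshake also returns a non-positive value for the non-fatal SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE cases; if these connections can be non-blocking, classify the result with `SSL_get_error(con->ssl, retVal)` before giving up, and at least record the error so a caller can tell a rejected renegotiation from a retryable one. Whether a client that silently ignores the HelloRequest leaves the second SSL_do_handshake blocked is not visible from the hunk and is worth confirming against the socket timeout, since an upgrade to authenticated access that never completes should fail closed rather than hang. `con->ssl->state = SSL_ST_ACCEPT` writes a private OpenSSL struct field, so a comment such as `/* Force the server back into accept state so the second SSL_do_handshake actually runs the new handshake (mod_ssl idiom); depends on OpenSSL's internal SSL layout. */` would explain the idiom to the next maintainer. In setVerify, `if (depth > 0)` means a requested depth of 0 is never applied and the previous depth silently stays in effect; if 0 is a valid level here it should be `if (depth >= 0)`, and the assumption that SSL_VERIFY_PEER_STRICT includes SSL_VERIFY_FAIL_IF_NO_PEER_CERT for the REQUIRE case should be confirmed, because otherwise a client that sends no certificate still completes the handshake. renegotiate's signature starts outside the hunk.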
Re: svn commit: r815411 - /tomcat/native/trunk/native/src/sslnetwork.c
Posted by Mark Thomas <ma...@apache.org>.
markt@apache.org wrote:
> Author: markt
> Date: Tue Sep 15 17:41:28 2009
> New Revision: 815411
C isn't my strong point so this is worth folks who know C better than I
do taking a close look.
Mark
>
> URL: http://svn.apache.org/viewvc?rev=815411&view=rev
> Log:
> Part of fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
> This patch fixes two issues:
> - renegotiate now does a full renegotiation rather than just setting the 'need to renegotiate' flag
> - a new method is provided that allows clients to set the certificate verification level per connection - this is required when switching from unauthenticated to authenticated eg because of a security constraint
>
> Modified:
> tomcat/native/trunk/native/src/sslnetwork.c
>
> Modified: tomcat/native/trunk/native/src/sslnetwork.c
> URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=815411&r1=815410&r2=815411&view=diff
> ==============================================================================
> --- tomcat/native/trunk/native/src/sslnetwork.c (original)
> +++ tomcat/native/trunk/native/src/sslnetwork.c Tue Sep 15 17:41:28 2009
> @@ -562,11 +562,60 @@
> {
> tcn_socket_t *s = J2P(sock, tcn_socket_t *);
> tcn_ssl_conn_t *con;
> + int retVal;
>
> UNREFERENCED_STDARGS;
> TCN_ASSERT(sock != 0);
> con = (tcn_ssl_conn_t *)s->opaque;
> - return SSL_renegotiate(con->ssl);
> +
> + /* Sequence to renegotiate is
> + * SSL_renegotiate()
> + * SSL_do_handshake()
> + * ssl->state = SSL_ST_ACCEPT
> + * SSL_do_handshake()
> + */
> + retVal = SSL_renegotiate(con->ssl);
> + if (retVal <= 0)
> + return APR_EGENERAL;
> +
> + retVal = SSL_do_handshake(con->ssl);
> + if (retVal <= 0)
> + return APR_EGENERAL;
> +
> + con->ssl->state = SSL_ST_ACCEPT;
> +
> + retVal = SSL_do_handshake(con->ssl);
> + if (retVal <= 0)
> + return APR_EGENERAL;
> +
> + return APR_SUCCESS;
> +}
> +
> +TCN_IMPLEMENT_CALL(void, SSLSocket, setVerify)(TCN_STDARGS,
> + jlong sock,
> + jint cverify,
> + jint depth)
> +{
> + tcn_socket_t *s = J2P(sock, tcn_socket_t *);
> + tcn_ssl_conn_t *con;
> + int verify = SSL_VERIFY_NONE;
> +
> + UNREFERENCED_STDARGS;
> + TCN_ASSERT(sock != 0);
> + con = (tcn_ssl_conn_t *)s->opaque;
> +
> + if (cverify == SSL_CVERIFY_UNSET)
> + cverify = SSL_CVERIFY_NONE;
> + if (depth > 0)
> + SSL_set_verify_depth(con->ssl, depth);
> +
> + if (cverify == SSL_CVERIFY_REQUIRE)
> + verify |= SSL_VERIFY_PEER_STRICT;
> + if ((cverify == SSL_CVERIFY_OPTIONAL) ||
> + (cverify == SSL_CVERIFY_OPTIONAL_NO_CA))
> + verify |= SSL_VERIFY_PEER;
> +
> + SSL_set_verify(con->ssl, verify, NULL);
> }
>
> #else
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>