Posted to dev@tomcat.apache.org by sc...@apache.org on 2012/10/05 03:09:57 UTC

svn commit: r1394343 - in /tomcat/native/branches/1.1.x: ./ native/src/ssl.c xdocs/miscellaneous/changelog.xml

Author: schultz
Date: Fri Oct  5 01:09:57 2012
New Revision: 1394343

URL: http://svn.apache.org/viewvc?rev=1394343&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53969

Back-ported r1394258 and r1394342 to implement ssl.c:hasOp checking for all SSL_OP_* options supported by OpenSSL.


Modified:
    tomcat/native/branches/1.1.x/   (props changed)
    tomcat/native/branches/1.1.x/native/src/ssl.c
    tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml

Propchange: tomcat/native/branches/1.1.x/
------------------------------------------------------------------------------
  Merged /tomcat/native/trunk:r1394258,1394342

Modified: tomcat/native/branches/1.1.x/native/src/ssl.c
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/ssl.c?rev=1394343&r1=1394342&r2=1394343&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/src/ssl.c (original)
+++ tomcat/native/branches/1.1.x/native/src/ssl.c Fri Oct  5 01:09:57 2012
@@ -81,6 +81,128 @@ struct CRYPTO_dynlock_value {
     R |= SSL_TMP_KEY_INIT_DH(2048);             \
     R |= SSL_TMP_KEY_INIT_DH(4096)
 
+/*
+ * supported_ssl_opts is a bitmask that contains all supported SSL_OP_*
+ * options at compile-time. This is used in hasOp to determine which
+ * SSL_OP_* options are available at runtime.
+ *
+ * Note that at least up through OpenSSL 0.9.8o, checking SSL_OP_ALL will
+ * return JNI_FALSE because SSL_OP_ALL is a mask that covers all bug
+ * workarounds for OpenSSL including future workarounds that are defined
+ * to be in the least-significant 3 nibbles of the SSL_OP_* bit space.
+ *
+ * This implementation has chosen NOT to simply set all those lower bits
+ * so that the return value for SSL_OP_FUTURE_WORKAROUND will only be
+ * reported by versions that actually support that specific workaround.
+ */
+static const jint supported_ssl_opts = 0
+/*
+  Specifically skip SSL_OP_ALL
+#ifdef SSL_OP_ALL
+     | SSL_OP_ALL
+#endif
+*/
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+     | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+#endif
+
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+     | SSL_OP_CIPHER_SERVER_PREFERENCE
+#endif
+
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+     | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+#endif
+
+#ifdef SSL_OP_EPHEMERAL_RSA
+     | SSL_OP_EPHEMERAL_RSA
+#endif
+
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+     | SSL_OP_LEGACY_SERVER_CONNECT
+#endif
+
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+     | SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+#endif
+
+#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
+     | SSL_OP_MICROSOFT_SESS_ID_BUG
+#endif
+
+#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
+     | SSL_OP_MSIE_SSLV2_RSA_PADDING
+#endif
+
+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
+     | SSL_OP_NETSCAPE_CA_DN_BUG
+#endif
+
+#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
+     | SSL_OP_NETSCAPE_CHALLENGE_BUG
+#endif
+
+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+     | SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+#endif
+
+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+     | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+#endif
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+     | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+#endif
+
+#ifdef SSL_OP_NO_SSLv2
+     | SSL_OP_NO_SSLv2
+#endif
+
+#ifdef SSL_OP_NO_SSLv3
+     | SSL_OP_NO_SSLv3
+#endif
+
+#ifdef SSL_OP_NO_TICKET
+     | SSL_OP_NO_TICKET
+#endif
+
+#ifdef SSL_OP_NO_TLSv1
+     | SSL_OP_NO_TLSv1
+#endif
+
+#ifdef SSL_OP_PKCS1_CHECK_1
+     | SSL_OP_PKCS1_CHECK_1
+#endif
+
+#ifdef SSL_OP_PKCS1_CHECK_2
+     | SSL_OP_PKCS1_CHECK_2
+#endif
+
+#ifdef SSL_OP_SINGLE_DH_USE
+     | SSL_OP_SINGLE_DH_USE
+#endif
+
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+     | SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+#endif
+
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+     | SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+#endif
+
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
+     | SSL_OP_TLS_BLOCK_PADDING_BUG
+#endif
+
+#ifdef SSL_OP_TLS_D5_BUG
+     | SSL_OP_TLS_D5_BUG
+#endif
+
+#ifdef SSL_OP_TLS_ROLLBACK_BUG
+     | SSL_OP_TLS_ROLLBACK_BUG
+#endif
+     | 0;
+
 static int ssl_tmp_key_init_rsa(int bits, int idx)
 {
     if (!(SSL_temp_keys[idx] =
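Review bot: The table that begins at `static const jint supported_ssl_opts = 0` leaves out SSL_OP_* flags that contemporary OpenSSL headers already define, so hasOp will answer JNI_FALSE for them even on a build that supports them; SSL_OP_NO_COMPRESSION (OpenSSL 1.0.0) and SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2 (OpenSSL 1.0.1) are the ones a Java caller is most likely to probe before deciding how to harden a connector. Each would be a three-line `#ifdef` / `| FLAG` / `#endif` stanza in the same shape as the `SSL_OP_NO_TLSv1` entry, and the header comment should state the consequence of omission, e.g. `Any SSL_OP_* flag not listed below is reported as unsupported by hasOp even when the header defines it.` Separately, the accumulator is a jint while the SSL_OP_* constants are long; the listed values appear to fit in the low 31 bits, but a flag with bit 31 set would be narrowed to a negative jint, which deserves a one-line note next to the declaration so the next person adding an entry checks it. The ssl_tmp_key_init_rsa body that follows the table continues outside this hunk.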
@@ -946,11 +1068,7 @@ TCN_IMPLEMENT_CALL(jstring, SSL, getLast
 
 TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)(TCN_STDARGS, jint op)
 {
-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-    if (op & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
-        return JNI_TRUE;
-#endif
-    return JNI_FALSE;
+    return op == (op & supported_ssl_opts) ? JNI_TRUE : JNI_FALSE;
 }
 
 #else
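Review bot: The new body `return op == (op & supported_ssl_opts) ? JNI_TRUE : JNI_FALSE;` returns JNI_TRUE for `op == 0` and for any all-supported combination of bits, and JNI_FALSE as soon as a single requested bit is missing, but the function carries no comment describing that contract, so a caller probing one flag at a time versus a combined mask gets different semantics without warning. SSL_OP_ALL yields JNI_FALSE by design (the table comment explains why), while 0 yields JNI_TRUE, which is an odd answer for a "has" query; either reject zero explicitly or document it above the return, e.g. `/* Every bit of op must be a compile-time supported option; op == 0 trivially qualifies, and SSL_OP_ALL is deliberately not recognised (see supported_ssl_opts). */`. The surrounding `#ifdef`/`#else` that selects this implementation is only partly visible in the hunk.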

Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml?rev=1394343&r1=1394342&r2=1394343&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Fri Oct  5 01:09:57 2012
@@ -42,6 +42,11 @@
       Add CPU information to OS info for Linux.
       This was already available under Windows and Solaris. (rjung)
     </update>
+    <fix>
+      <bug>53969</bug>: ssl.c::hasOp could only check for
+      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION. Now it can check
+      for any SSL_OP_* available at compile-time.
+    </fix>
   </changelog>
 </section>
 <section name="Changes between 1.1.23 and 1.1.24">


