httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r1729927 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_kernel.c ssl_private.h
Date Fri, 12 Feb 2016 10:25:41 GMT


On 02/12/2016 01:44 AM, rjung@apache.org wrote:
> Author: rjung
> Date: Fri Feb 12 00:44:22 2016
> New Revision: 1729927
> 
> URL: http://svn.apache.org/viewvc?rev=1729927&view=rev
> Log:
> Support for OpenSSL 1.1.0:
> - further improvements for renegotiation
> No more test suite failures for reneg,
> but still using not so nice polling.
> 
> Modified:
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1729927&r1=1729926&r2=1729927&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Fri Feb 12 00:44:22 2016
> @@ -1040,16 +1040,20 @@ int ssl_hook_Access(request_rec *r)
>              /* XXX: Polling is bad, alternatives? */
>              for (i = 0; i < SSL_HANDSHAKE_MAX_POLLS; i++) {
>                  has_buffered_data(r);
> -                if (sslconn->ssl == NULL || SSL_is_init_finished(ssl)) {
> +                if (sslconn->ssl == NULL ||
> +                    sslconn->reneg_state == RENEG_DONE ||
> +                    sslconn->reneg_state == RENEG_ALLOW) {
>                      break;
>                  }
>                  apr_sleep(SSL_HANDSHAKE_POLL_MS);
>              }
>              ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
>                            "Renegotiation loop %d iterations, "
> +                          "reneg_state=%d, "
>                            "in_init=%d, init_finished=%d, "
>                            "state=%s, sslconn->ssl=%s, peer_certs=%s",
> -                          i, SSL_in_init(ssl), SSL_is_init_finished(ssl),
> +                          i, sslconn->reneg_state,
> +                          SSL_in_init(ssl), SSL_is_init_finished(ssl),
>                            SSL_state_string_long(ssl),
>                            sslconn->ssl != NULL ? "yes" : "no",
>                            SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
> @@ -2142,6 +2146,18 @@ void ssl_callback_Info(const SSL *ssl, i
>          }
>  #endif
>      }
> +#if OPENSSL_VERSION_NUMBER >= 0x10000000L

Is this correct or should it be 0x10100000L instead?

Regards

RĂ¼diger

> +    else if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state ==
RENEG_ALLOW) {
> +        scr->reneg_state = RENEG_STARTED;
> +    }
> +    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_STARTED)
{
> +        scr->reneg_state = RENEG_DONE;
> +    }
> +    else if ((where & SSL_CB_ALERT) &&
> +             (scr->reneg_state == RENEG_ALLOW || scr->reneg_state == RENEG_STARTED))
{
> +        scr->reneg_state = RENEG_ALERT;
> +    }
> +#endif
>      /* If the first handshake is complete, change state to reject any
>       * subsequent client-initiated renegotiation. */
>      else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT)
{
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1729927&r1=1729926&r2=1729927&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Fri Feb 12 00:44:22 2016
> @@ -444,12 +444,17 @@ typedef struct {
>       * partial fix for CVE-2009-3555. */
>      enum {
>          RENEG_INIT = 0, /* Before initial handshake */
> -        RENEG_REJECT, /* After initial handshake; any client-initiated
> -                       * renegotiation should be rejected */
> -        RENEG_ALLOW, /* A server-initiated renegotiation is taking
> -                      * place (as dictated by configuration) */
> -        RENEG_ABORT /* Renegotiation initiated by client, abort the
> -                     * connection */
> +        RENEG_REJECT,   /* After initial handshake; any client-initiated
> +                         * renegotiation should be rejected */
> +        RENEG_ALLOW,    /* A server-initiated renegotiation is taking
> +                         * place (as dictated by configuration) */
> +#if OPENSSL_VERSION_NUMBER >= 0x10000000L

Same question as above

> +        RENEG_STARTED,  /* A renegotiation has started after RENEG_ALLOW */
> +        RENEG_DONE,     /* A renegotiation has finished after RENEG_STARTED */
> +        RENEG_ALERT,    /* A renegotiation has finished with an SSL Alert */
> +#endif
> +        RENEG_ABORT     /* Renegotiation initiated by client, abort the
> +                         * connection */
>      } reneg_state;
>  
>      server_rec *server;
> 
> 
> 

Regards

RĂ¼diger

Mime
View raw message