httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: svn commit: r1729927 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_kernel.c ssl_private.h
Date Fri, 12 Feb 2016 11:31:31 GMT
Yes, thanks for the review!

Wrong checked version in "#if" (copy&paste typo) fixed with r1729998.

Regards,

Rainer

Am 12.02.2016 um 11:25 schrieb Ruediger Pluem:
>
>
> On 02/12/2016 01:44 AM, rjung@apache.org wrote:
>> Author: rjung
>> Date: Fri Feb 12 00:44:22 2016
>> New Revision: 1729927
>>
>> URL: http://svn.apache.org/viewvc?rev=1729927&view=rev
>> Log:
>> Support for OpenSSL 1.1.0:
>> - further improvements for renegotiation
>> No more test suite failures for reneg,
>> but still using not so nice polling.
>>
>> Modified:
>>      httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>>      httpd/httpd/trunk/modules/ssl/ssl_private.h
>>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1729927&r1=1729926&r2=1729927&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Fri Feb 12 00:44:22 2016
>> @@ -1040,16 +1040,20 @@ int ssl_hook_Access(request_rec *r)
>>               /* XXX: Polling is bad, alternatives? */
>>               for (i = 0; i < SSL_HANDSHAKE_MAX_POLLS; i++) {
>>                   has_buffered_data(r);
>> -                if (sslconn->ssl == NULL || SSL_is_init_finished(ssl)) {
>> +                if (sslconn->ssl == NULL ||
>> +                    sslconn->reneg_state == RENEG_DONE ||
>> +                    sslconn->reneg_state == RENEG_ALLOW) {
>>                       break;
>>                   }
>>                   apr_sleep(SSL_HANDSHAKE_POLL_MS);
>>               }
>>               ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
>>                             "Renegotiation loop %d iterations, "
>> +                          "reneg_state=%d, "
>>                             "in_init=%d, init_finished=%d, "
>>                             "state=%s, sslconn->ssl=%s, peer_certs=%s",
>> -                          i, SSL_in_init(ssl), SSL_is_init_finished(ssl),
>> +                          i, sslconn->reneg_state,
>> +                          SSL_in_init(ssl), SSL_is_init_finished(ssl),
>>                             SSL_state_string_long(ssl),
>>                             sslconn->ssl != NULL ? "yes" : "no",
>>                             SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
>> @@ -2142,6 +2146,18 @@ void ssl_callback_Info(const SSL *ssl, i
>>           }
>>   #endif
>>       }
>> +#if OPENSSL_VERSION_NUMBER >= 0x10000000L
>
> Is this correct or should it be 0x10100000L instead?
>
> Regards
>
> RĂ¼diger
>
>> +    else if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state
== RENEG_ALLOW) {
>> +        scr->reneg_state = RENEG_STARTED;
>> +    }
>> +    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state
== RENEG_STARTED) {
>> +        scr->reneg_state = RENEG_DONE;
>> +    }
>> +    else if ((where & SSL_CB_ALERT) &&
>> +             (scr->reneg_state == RENEG_ALLOW || scr->reneg_state == RENEG_STARTED))
{
>> +        scr->reneg_state = RENEG_ALERT;
>> +    }
>> +#endif
>>       /* If the first handshake is complete, change state to reject any
>>        * subsequent client-initiated renegotiation. */
>>       else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state
== RENEG_INIT) {
>>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1729927&r1=1729926&r2=1729927&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Fri Feb 12 00:44:22 2016
>> @@ -444,12 +444,17 @@ typedef struct {
>>        * partial fix for CVE-2009-3555. */
>>       enum {
>>           RENEG_INIT = 0, /* Before initial handshake */
>> -        RENEG_REJECT, /* After initial handshake; any client-initiated
>> -                       * renegotiation should be rejected */
>> -        RENEG_ALLOW, /* A server-initiated renegotiation is taking
>> -                      * place (as dictated by configuration) */
>> -        RENEG_ABORT /* Renegotiation initiated by client, abort the
>> -                     * connection */
>> +        RENEG_REJECT,   /* After initial handshake; any client-initiated
>> +                         * renegotiation should be rejected */
>> +        RENEG_ALLOW,    /* A server-initiated renegotiation is taking
>> +                         * place (as dictated by configuration) */
>> +#if OPENSSL_VERSION_NUMBER >= 0x10000000L
>
> Same question as above
>
>> +        RENEG_STARTED,  /* A renegotiation has started after RENEG_ALLOW */
>> +        RENEG_DONE,     /* A renegotiation has finished after RENEG_STARTED */
>> +        RENEG_ALERT,    /* A renegotiation has finished with an SSL Alert */
>> +#endif
>> +        RENEG_ABORT     /* Renegotiation initiated by client, abort the
>> +                         * connection */
>>       } reneg_state;
>>
>>       server_rec *server;
>>
>>
>>
>
> Regards
>
> RĂ¼diger

Mime
View raw message