tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: svn commit: r815411 - /tomcat/native/trunk/native/src/sslnetwork.c
Date Tue, 15 Sep 2009 17:44:10 GMT
markt@apache.org wrote:
> Author: markt
> Date: Tue Sep 15 17:41:28 2009
> New Revision: 815411

C isn't my strong point so this is worth folks who know C better than I
do taking a close look.

Mark

> 
> URL: http://svn.apache.org/viewvc?rev=815411&view=rev
> Log:
> Part of fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
> This patch fixes two issues:
> - renegotiate now does a full renegotiation rather than just setting the 'need to renegotiate' flag
> - a new method is provided that allows clients to set the certificate verification level per connection - this is required when switching from unauthenticated to authenticated eg because of a security constraint
> 
> Modified:
>     tomcat/native/trunk/native/src/sslnetwork.c
> 
> Modified: tomcat/native/trunk/native/src/sslnetwork.c
> URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=815411&r1=815410&r2=815411&view=diff
> ==============================================================================
> --- tomcat/native/trunk/native/src/sslnetwork.c (original)
> +++ tomcat/native/trunk/native/src/sslnetwork.c Tue Sep 15 17:41:28 2009
> @@ -562,11 +562,60 @@
>  {
>      tcn_socket_t *s   = J2P(sock, tcn_socket_t *);
>      tcn_ssl_conn_t *con;
> +    int retVal;
>  
>      UNREFERENCED_STDARGS;
>      TCN_ASSERT(sock != 0);
>      con = (tcn_ssl_conn_t *)s->opaque;
> -    return SSL_renegotiate(con->ssl);
> +
> +    /* Sequence to renegotiate is
> +     *  SSL_renegotiate()
> +     *  SSL_do_handshake()
> +     *  ssl->state = SSL_ST_ACCEPT
> +     *  SSL_do_handshake()
> +     */
> +    retVal = SSL_renegotiate(con->ssl);
> +    if (retVal <= 0)
> +        return APR_EGENERAL;
> +    
> +    retVal = SSL_do_handshake(con->ssl);
> +    if (retVal <= 0)
> +        return APR_EGENERAL;
> +
> +    con->ssl->state = SSL_ST_ACCEPT;
> +
> +    retVal = SSL_do_handshake(con->ssl);
> +    if (retVal <= 0)
> +        return APR_EGENERAL;
> +
> +    return APR_SUCCESS;
> +}
> +
> +TCN_IMPLEMENT_CALL(void, SSLSocket, setVerify)(TCN_STDARGS,
> +                                               jlong sock,
> +                                               jint cverify,
> +                                               jint depth)
> +{
> +    tcn_socket_t *s   = J2P(sock, tcn_socket_t *);
> +    tcn_ssl_conn_t *con;
> +    int verify = SSL_VERIFY_NONE;
> +
> +    UNREFERENCED_STDARGS;
> +    TCN_ASSERT(sock != 0);
> +    con = (tcn_ssl_conn_t *)s->opaque;
> +
> +    if (cverify == SSL_CVERIFY_UNSET)
> +        cverify = SSL_CVERIFY_NONE;
> +    if (depth > 0)
> +        SSL_set_verify_depth(con->ssl, depth);
> +
> +    if (cverify == SSL_CVERIFY_REQUIRE)
> +        verify |= SSL_VERIFY_PEER_STRICT;
> +    if ((cverify == SSL_CVERIFY_OPTIONAL) ||
> +        (cverify == SSL_CVERIFY_OPTIONAL_NO_CA))
> +        verify |= SSL_VERIFY_PEER;
> +
> +    SSL_set_verify(con->ssl, verify, NULL);
>  }
>  
>  #else
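Review bot: the three `if (retVal <= 0) return APR_EGENERAL;` checks after SSL_renegotiate() and the two SSL_do_handshake() calls treat every non-positive return as a hard failure, but SSL_do_handshake() also returns -1 when the handshake merely needs more I/O on a non-blocking socket (SSL_get_error() reporting SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE); consider checking SSL_get_error(con->ssl, retVal) and returning APR_EGENERAL only for real errors such as SSL_ERROR_SSL and SSL_ERROR_SYSCALL, otherwise a renegotiation that has simply not finished yet is reported as failed. The line `con->ssl->state = SSL_ST_ACCEPT;` writes directly into OpenSSL's private SSL structure; the comment above it lists the call sequence but not why the state reset is needed, and that reasoning deserves a comment since the field is not part of the public API and may change between OpenSSL versions. In setVerify, SSL_CVERIFY_OPTIONAL and SSL_CVERIFY_OPTIONAL_NO_CA both collapse to plain SSL_VERIFY_PEER and the call `SSL_set_verify(con->ssl, verify, NULL);` installs no verify callback, so at the connection level the NO_CA variant is indistinguishable from OPTIONAL; either pass a callback that implements the NO_CA behaviour or document that the distinction is not honoured here.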
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
> 
