tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From schu...@apache.org
Subject svn commit: r1394342 - /tomcat/native/trunk/native/src/ssl.c
Date Fri, 05 Oct 2012 01:00:11 GMT
Author: schultz
Date: Fri Oct  5 01:00:10 2012
New Revision: 1394342

URL: http://svn.apache.org/viewvc?rev=1394342&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53969

Reverted r1394339 and replaced with a much simpler, faster, and correct (returns JNI_FALSE
instead of throwing an exception) implementation.

Modified:
    tomcat/native/trunk/native/src/ssl.c

Modified: tomcat/native/trunk/native/src/ssl.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1394342&r1=1394341&r2=1394342&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/ssl.c (original)
+++ tomcat/native/trunk/native/src/ssl.c Fri Oct  5 01:00:10 2012
@@ -81,33 +81,127 @@ struct CRYPTO_dynlock_value {
     R |= SSL_TMP_KEY_INIT_DH(2048);             \
     R |= SSL_TMP_KEY_INIT_DH(4096)
 
-#ifdef DEBUG
-#define DEBUG_LOG(fmt, args...) printf(fmt, ##args)
-#define DEBUG_FLUSH()           fflush(stdout)
-#else
-#define DEBUG_LOG(fmr, args...)
-#define DEBUG_FLUSH()
-#endif
-
 /*
- * Tests for support of a particular SSL_OP_* option.
+ * supported_ssl_opts is a bitmask that contains all supported SSL_OP_*
+ * options at compile-time. This is used in hasOp to determine which
+ * SSL_OP_* options are available at runtime.
  *
- * This is used in the hasOp JNI function defined below.
+ * Note that at least up through OpenSSL 0.9.8o, checking SSL_OP_ALL will
+ * return JNI_FALSE because SSL_OP_ALL is a mask that covers all bug
+ * workarounds for OpenSSL including future workarounds that are defined
+ * to be in the least-significant 3 nibbles of the SSL_OP_* bit space.
+ *
+ * This implementation has chosen NOT to simply set all those lower bits
+ * so that the return value for SSL_OP_FUTURE_WORKAROUND will only be
+ * reported by versions that actually support that specific workaround.
  */
-#define TCN_SSL_TEST_OP_SUPPORT(option, options, supported)             \
-  DEBUG_LOG("= Checking for "  #option ", which is %#08lx:\n", option); \
-  if (option == (options & option)) {                                   \
-    DEBUG_LOG("  supported |= %#08lx\n", option);                       \
-    supported |= (options & option);                                    \
-    DEBUG_LOG("  options ^= %#08lx\n", option);                         \
-    options ^= option;                                                  \
-    DEBUG_LOG("  supported now = %#08lx\n", supported);                 \
-    DEBUG_LOG("  options now = %#08lx\n", options);                     \
-  }                                                                     \
-  DEBUG_FLUSH();                                                        \
-  /* we can bail out immediately if our work is done */                 \
-  if(!options) return JNI_TRUE;
+static const jint supported_ssl_opts = 0
+/*
+  Specifically skip SSL_OP_ALL
+#ifdef SSL_OP_ALL
+     | SSL_OP_ALL
+#endif
+*/
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+     | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+#endif
+
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+     | SSL_OP_CIPHER_SERVER_PREFERENCE
+#endif
+
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+     | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+#endif
+
+#ifdef SSL_OP_EPHEMERAL_RSA
+     | SSL_OP_EPHEMERAL_RSA
+#endif
+
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+     | SSL_OP_LEGACY_SERVER_CONNECT
+#endif
+
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+     | SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+#endif
+
+#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
+     | SSL_OP_MICROSOFT_SESS_ID_BUG
+#endif
+
+#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
+     | SSL_OP_MSIE_SSLV2_RSA_PADDING
+#endif
+
+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
+     | SSL_OP_NETSCAPE_CA_DN_BUG
+#endif
+
+#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
+     | SSL_OP_NETSCAPE_CHALLENGE_BUG
+#endif
+
+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+     | SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+#endif
+
+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+     | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+#endif
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+     | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+#endif
 
+#ifdef SSL_OP_NO_SSLv2
+     | SSL_OP_NO_SSLv2
+#endif
+
+#ifdef SSL_OP_NO_SSLv3
+     | SSL_OP_NO_SSLv3
+#endif
+
+#ifdef SSL_OP_NO_TICKET
+     | SSL_OP_NO_TICKET
+#endif
+
+#ifdef SSL_OP_NO_TLSv1
+     | SSL_OP_NO_TLSv1
+#endif
+
+#ifdef SSL_OP_PKCS1_CHECK_1
+     | SSL_OP_PKCS1_CHECK_1
+#endif
+
+#ifdef SSL_OP_PKCS1_CHECK_2
+     | SSL_OP_PKCS1_CHECK_2
+#endif
+
+#ifdef SSL_OP_SINGLE_DH_USE
+     | SSL_OP_SINGLE_DH_USE
+#endif
+
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+     | SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+#endif
+
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+     | SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+#endif
+
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
+     | SSL_OP_TLS_BLOCK_PADDING_BUG
+#endif
+
+#ifdef SSL_OP_TLS_D5_BUG
+     | SSL_OP_TLS_D5_BUG
+#endif
+
+#ifdef SSL_OP_TLS_ROLLBACK_BUG
+     | SSL_OP_TLS_ROLLBACK_BUG
+#endif
+     | 0;
 
 static int ssl_tmp_key_init_rsa(int bits, int idx)
 {
@@ -972,130 +1066,7 @@ TCN_IMPLEMENT_CALL(jstring, SSL, getLast
 
 TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)(TCN_STDARGS, jint op)
 {
-    jint options   = op;
-    jint supported = 0;
-    /*
-      TCN_SSL_TEST_OP_SUPPORT moves bits from 'options' to 'supported'
-      as they are tested. After all checks, 'options' should be 0x00
-      and 'supported' should be == op. If options != 0x00 then we failed
-      to test an option. If supported != op then we don't support all
-      requested options.
-    */
-
-    DEBUG_LOG("=== Starting hasOp: support=%d, options=%#08lx, op=%#08lx\n", supported, options,
op);
-
-#ifdef SSL_OP_ALL
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_ALL, options, supported)
-#endif
-
-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, options, supported)
-#endif
-
-#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_CIPHER_SERVER_PREFERENCE, options, supported)
-#endif
-
-#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, options, supported)
-#endif
-
-#ifdef SSL_OP_EPHEMERAL_RSA
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_EPHEMERAL_RSA, options, supported)
-#endif
-
-#ifdef SSL_OP_LEGACY_SERVER_CONNECT
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_LEGACY_SERVER_CONNECT, options, supported)
-#endif
-
-#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER, options, supported)
-#endif
-
-#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MICROSOFT_SESS_ID_BUG, options, supported)
-#endif
-
-#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MSIE_SSLV2_RSA_PADDING, options, supported)
-#endif
-
-#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_CA_DN_BUG, options, supported)
-#endif
-
-#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_CHALLENGE_BUG, options, supported)
-#endif
-
-#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG, options, supported)
-#endif
-
-#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, options, supported)
-#endif
-
-#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, options, supported)
-#endif
-
-#ifdef SSL_OP_NO_SSLv2
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SSLv2, options, supported)
-#endif
-
-#ifdef SSL_OP_NO_SSLv3
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SSLv3, options, supported)
-#endif
-
-#ifdef SSL_OP_NO_TICKET
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_TICKET, options, supported)
-#endif
-
-#ifdef SSL_OP_NO_TLSv1
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_TLSv1, options, supported)
-#endif
-
-#ifdef SSL_OP_PKCS1_CHECK_1
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_PKCS1_CHECK_1, options, supported)
-#endif
-
-#ifdef SSL_OP_PKCS1_CHECK_2
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_PKCS1_CHECK_2, options, supported)
-#endif
-
-#ifdef SSL_OP_SINGLE_DH_USE
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SINGLE_DH_USE, options, supported)
-#endif
-
-#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SSLEAY_080_CLIENT_DH_BUG, options, supported)
-#endif
-
-#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG, options, supported)
-#endif
-
-#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_BLOCK_PADDING_BUG, options, supported)
-#endif
-
-#ifdef SSL_OP_TLS_D5_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_D5_BUG, options, supported)
-#endif
-
-#ifdef SSL_OP_TLS_ROLLBACK_BUG
-     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_ROLLBACK_BUG, options, supported)
-#endif
-
-    DEBUG_LOG("req=%#08lx left=%#08lx discovered=%#08lx\n", op, options, supported);
-    DEBUG_FLUSH();
-    if(options) {
-        tcn_Throw(e, "Unsupported OpenSSL options to check: %#08lx", options);
-        return (jint)APR_EINVAL;
-    }
-
-    return supported == op ? JNI_TRUE : JNI_FALSE;
+    return op == (op & supported_ssl_opts) ? JNI_TRUE : JNI_FALSE;
 }
 
 #else



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message