From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: svn commit: r1394258 - /tomcat/native/trunk/native/src/ssl.c
Date Thu, 04 Oct 2012 21:25:37 GMT
On 04.10.2012 22:50, schultz@apache.org wrote:
> Author: schultz
> Date: Thu Oct  4 20:50:42 2012
> New Revision: 1394258
>
> URL: http://svn.apache.org/viewvc?rev=1394258&view=rev
> Log:
> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53969
>
> Add checking of other SSL_OPT_* options to ssl.c::hasOp
>
> Modified:
>      tomcat/native/trunk/native/src/ssl.c
>
> Modified: tomcat/native/trunk/native/src/ssl.c
> URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1394258&r1=1394257&r2=1394258&view=diff
> ==============================================================================
> --- tomcat/native/trunk/native/src/ssl.c (original)
> +++ tomcat/native/trunk/native/src/ssl.c Thu Oct  4 20:50:42 2012
...

> @@ -944,11 +972,130 @@ TCN_IMPLEMENT_CALL(jstring, SSL, getLast
>
>   TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)(TCN_STDARGS, jint op)
>   {
> +    jint options   = op;
> +    jint supported = 0;
> +    /*
> +      TCN_SSL_TEST_OP_SUPPORT moves bits from 'options' to 'supported'
> +      as they are tested. After all checks, 'options' should be 0x00
> +      and 'supported' should be == op. If options != 0x00 then we failed
> +      to test an option. If supported != op then we don't support all
> +      requested options.
> +    */
> +
> +    DEBUG_LOG("=== Starting hasOp: support=%d, options=%#08lx, op=%#08lx\n", supported,
options, op);
> +
> +#ifdef SSL_OP_ALL
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_ALL, options, supported)
> +#endif

I think you should exclude SSL_OP_ALL. It is not a single bit option but 
a combination of other options.

>   #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> -    if (op & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
> -        return JNI_TRUE;
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, options, supported)
>   #endif
> -    return JNI_FALSE;
> +
> +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_CIPHER_SERVER_PREFERENCE, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_EPHEMERAL_RSA
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_EPHEMERAL_RSA, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_LEGACY_SERVER_CONNECT
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_LEGACY_SERVER_CONNECT, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MICROSOFT_SESS_ID_BUG, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MSIE_SSLV2_RSA_PADDING, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_CA_DN_BUG, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_CHALLENGE_BUG, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, options,
supported)
> +#endif
> +
> +#ifdef SSL_OP_NO_SSLv2
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SSLv2, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_NO_SSLv3
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SSLv3, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_NO_TICKET
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_TICKET, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_NO_TLSv1
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_TLSv1, options, supported)
> +#endif

The next two do not yet have real option bits assigned in ssl.h (their 
value is "0"), so testing them moves no bits and cannot distinguish 
"supported" from "not requested".

> +#ifdef SSL_OP_PKCS1_CHECK_1
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_PKCS1_CHECK_1, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_PKCS1_CHECK_2
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_PKCS1_CHECK_2, options, supported)
> +#endif

Haven't checked the ones below here.

> +#ifdef SSL_OP_SINGLE_DH_USE
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SINGLE_DH_USE, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SSLEAY_080_CLIENT_DH_BUG, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_BLOCK_PADDING_BUG, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_TLS_D5_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_D5_BUG, options, supported)
> +#endif
> +
> +#ifdef SSL_OP_TLS_ROLLBACK_BUG
> +     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_ROLLBACK_BUG, options, supported)
> +#endif
> +
> +    DEBUG_LOG("req=%#08lx left=%#08lx discovered=%#08lx\n", op, options, supported);
> +    DEBUG_FLUSH();
> +    if(options) {
> +        tcn_Throw(e, "Unsupported OpenSSL options to check: %#08lx", options);
> +        return (jint)APR_EINVAL;
> +    }
> +
> +    return supported == op ? JNI_TRUE : JNI_FALSE;
>   }
>
>   #else
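Review bot: hasOp is declared `jboolean`, but the error path after the `if(options)` check returns `(jint)APR_EINVAL`; tcn_Throw has already raised the Java exception at that point, so the C return value only needs to be a well-typed boolean and should be `return JNI_FALSE;`. The two DEBUG_LOG calls also hand `jint` arguments to `%#08lx`, which expects an `unsigned long`, so the varargs read is mismatched on LP64 builds — either cast each argument, e.g. `DEBUG_LOG("req=%#08lx left=%#08lx discovered=%#08lx\n", (unsigned long)(unsigned)op, (unsigned long)(unsigned)options, (unsigned long)(unsigned)supported);`, or use `%#08x` for all three. TCN_SSL_TEST_OP_SUPPORT is defined outside this hunk; if it only moves bits from `options` to `supported` as the block comment says, then once `options` is zero `supported == op` necessarily holds and the final ternary can only yield JNI_TRUE, so the function's outcome is really decided by the throw. Since the replaced code returned JNI_FALSE for bits it did not recognise, a short comment above the `if(options)` stating that hasOp now throws for option bits unknown to this build would make that contract change explicit to Java callers.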

Regards,

Rainer


