Return-Path: X-Original-To: apmail-tomcat-dev-archive@www.apache.org Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BCD1FD37C for ; Fri, 5 Oct 2012 01:00:56 +0000 (UTC) Received: (qmail 74763 invoked by uid 500); 5 Oct 2012 01:00:56 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 74673 invoked by uid 500); 5 Oct 2012 01:00:55 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 74662 invoked by uid 99); 5 Oct 2012 01:00:55 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 05 Oct 2012 01:00:55 +0000 X-ASF-Spam-Status: No, hits=-1999.2 required=5.0 tests=ALL_TRUSTED,UPPERCASE_50_75 X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 05 Oct 2012 01:00:54 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 67C6B2388A40 for ; Fri, 5 Oct 2012 01:00:11 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1394342 - /tomcat/native/trunk/native/src/ssl.c Date: Fri, 05 Oct 2012 01:00:11 -0000 To: dev@tomcat.apache.org From: schultz@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20121005010011.67C6B2388A40@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: schultz Date: Fri Oct 5 01:00:10 2012 New Revision: 1394342 URL: http://svn.apache.org/viewvc?rev=1394342&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53969 Reverted r1394339 and replaced with a much simpler, faster, and correct (returns JNI_FALSE instead of throwing an exception) implementation. Modified: tomcat/native/trunk/native/src/ssl.c Modified: tomcat/native/trunk/native/src/ssl.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1394342&r1=1394341&r2=1394342&view=diff ============================================================================== --- tomcat/native/trunk/native/src/ssl.c (original) +++ tomcat/native/trunk/native/src/ssl.c Fri Oct 5 01:00:10 2012 @@ -81,33 +81,127 @@ struct CRYPTO_dynlock_value { R |= SSL_TMP_KEY_INIT_DH(2048); \ R |= SSL_TMP_KEY_INIT_DH(4096) -#ifdef DEBUG -#define DEBUG_LOG(fmt, args...) printf(fmt, ##args) -#define DEBUG_FLUSH() fflush(stdout) -#else -#define DEBUG_LOG(fmr, args...) -#define DEBUG_FLUSH() -#endif - /* - * Tests for support of a particular SSL_OP_* option. + * supported_ssl_opts is a bitmask that contains all supported SSL_OP_* + * options at compile-time. This is used in hasOp to determine which + * SSL_OP_* options are available at runtime. * - * This is used in the hasOp JNI function defined below. + * Note that at least up through OpenSSL 0.9.8o, checking SSL_OP_ALL will + * return JNI_FALSE because SSL_OP_ALL is a mask that covers all bug + * workarounds for OpenSSL including future workarounds that are defined + * to be in the least-significant 3 nibbles of the SSL_OP_* bit space. + * + * This implementation has chosen NOT to simply set all those lower bits + * so that the return value for SSL_OP_FUTURE_WORKAROUND will only be + * reported by versions that actually support that specific workaround. */ -#define TCN_SSL_TEST_OP_SUPPORT(option, options, supported) \ - DEBUG_LOG("= Checking for " #option ", which is %#08lx:\n", option); \ - if (option == (options & option)) { \ - DEBUG_LOG(" supported |= %#08lx\n", option); \ - supported |= (options & option); \ - DEBUG_LOG(" options ^= %#08lx\n", option); \ - options ^= option; \ - DEBUG_LOG(" supported now = %#08lx\n", supported); \ - DEBUG_LOG(" options now = %#08lx\n", options); \ - } \ - DEBUG_FLUSH(); \ - /* we can bail out immediately if our work is done */ \ - if(!options) return JNI_TRUE; +static const jint supported_ssl_opts = 0 +/* + Specifically skip SSL_OP_ALL +#ifdef SSL_OP_ALL + | SSL_OP_ALL +#endif +*/ +#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION +#endif + +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + | SSL_OP_CIPHER_SERVER_PREFERENCE +#endif + +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS +#endif + +#ifdef SSL_OP_EPHEMERAL_RSA + | SSL_OP_EPHEMERAL_RSA +#endif + +#ifdef SSL_OP_LEGACY_SERVER_CONNECT + | SSL_OP_LEGACY_SERVER_CONNECT +#endif + +#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + | SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER +#endif + +#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG + | SSL_OP_MICROSOFT_SESS_ID_BUG +#endif + +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING + | SSL_OP_MSIE_SSLV2_RSA_PADDING +#endif + +#ifdef SSL_OP_NETSCAPE_CA_DN_BUG + | SSL_OP_NETSCAPE_CA_DN_BUG +#endif + +#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG + | SSL_OP_NETSCAPE_CHALLENGE_BUG +#endif + +#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + | SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG +#endif + +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG +#endif + +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION +#endif +#ifdef SSL_OP_NO_SSLv2 + | SSL_OP_NO_SSLv2 +#endif + +#ifdef SSL_OP_NO_SSLv3 + | SSL_OP_NO_SSLv3 +#endif + +#ifdef SSL_OP_NO_TICKET + | SSL_OP_NO_TICKET +#endif + +#ifdef SSL_OP_NO_TLSv1 + | SSL_OP_NO_TLSv1 +#endif + +#ifdef SSL_OP_PKCS1_CHECK_1 + | SSL_OP_PKCS1_CHECK_1 +#endif + +#ifdef SSL_OP_PKCS1_CHECK_2 + | SSL_OP_PKCS1_CHECK_2 +#endif + +#ifdef SSL_OP_SINGLE_DH_USE + | SSL_OP_SINGLE_DH_USE +#endif + +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG + | SSL_OP_SSLEAY_080_CLIENT_DH_BUG +#endif + +#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + | SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG +#endif + +#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG + | SSL_OP_TLS_BLOCK_PADDING_BUG +#endif + +#ifdef SSL_OP_TLS_D5_BUG + | SSL_OP_TLS_D5_BUG +#endif + +#ifdef SSL_OP_TLS_ROLLBACK_BUG + | SSL_OP_TLS_ROLLBACK_BUG +#endif + | 0; static int ssl_tmp_key_init_rsa(int bits, int idx) { @@ -972,130 +1066,7 @@ TCN_IMPLEMENT_CALL(jstring, SSL, getLast TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)(TCN_STDARGS, jint op) { - jint options = op; - jint supported = 0; - /* - TCN_SSL_TEST_OP_SUPPORT moves bits from 'options' to 'supported' - as they are tested. After all checks, 'options' should be 0x00 - and 'supported' should be == op. If options != 0x00 then we failed - to test an option. If supported != op then we don't support all - requested options. - */ - - DEBUG_LOG("=== Starting hasOp: support=%d, options=%#08lx, op=%#08lx\n", supported, options, op); - -#ifdef SSL_OP_ALL - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_ALL, options, supported) -#endif - -#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, options, supported) -#endif - -#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_CIPHER_SERVER_PREFERENCE, options, supported) -#endif - -#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, options, supported) -#endif - -#ifdef SSL_OP_EPHEMERAL_RSA - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_EPHEMERAL_RSA, options, supported) -#endif - -#ifdef SSL_OP_LEGACY_SERVER_CONNECT - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_LEGACY_SERVER_CONNECT, options, supported) -#endif - -#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER, options, supported) -#endif - -#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MICROSOFT_SESS_ID_BUG, options, supported) -#endif - -#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MSIE_SSLV2_RSA_PADDING, options, supported) -#endif - -#ifdef SSL_OP_NETSCAPE_CA_DN_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_CA_DN_BUG, options, supported) -#endif - -#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_CHALLENGE_BUG, options, supported) -#endif - -#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG, options, supported) -#endif - -#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, options, supported) -#endif - -#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, options, supported) -#endif - -#ifdef SSL_OP_NO_SSLv2 - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SSLv2, options, supported) -#endif - -#ifdef SSL_OP_NO_SSLv3 - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SSLv3, options, supported) -#endif - -#ifdef SSL_OP_NO_TICKET - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_TICKET, options, supported) -#endif - -#ifdef SSL_OP_NO_TLSv1 - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_TLSv1, options, supported) -#endif - -#ifdef SSL_OP_PKCS1_CHECK_1 - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_PKCS1_CHECK_1, options, supported) -#endif - -#ifdef SSL_OP_PKCS1_CHECK_2 - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_PKCS1_CHECK_2, options, supported) -#endif - -#ifdef SSL_OP_SINGLE_DH_USE - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SINGLE_DH_USE, options, supported) -#endif - -#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SSLEAY_080_CLIENT_DH_BUG, options, supported) -#endif - -#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG, options, supported) -#endif - -#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_BLOCK_PADDING_BUG, options, supported) -#endif - -#ifdef SSL_OP_TLS_D5_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_D5_BUG, options, supported) -#endif - -#ifdef SSL_OP_TLS_ROLLBACK_BUG - TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_ROLLBACK_BUG, options, supported) -#endif - - DEBUG_LOG("req=%#08lx left=%#08lx discovered=%#08lx\n", op, options, supported); - DEBUG_FLUSH(); - if(options) { - tcn_Throw(e, "Unsupported OpenSSL options to check: %#08lx", options); - return (jint)APR_EINVAL; - } - - return supported == op ? JNI_TRUE : JNI_FALSE; + return op == (op & supported_ssl_opts) ? JNI_TRUE : JNI_FALSE; } #else --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org