From dev-return-194026-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org Fri Oct 12 11:51:45 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id B3AE2180660 for ; Fri, 12 Oct 2018 11:51:44 +0200 (CEST) Received: (qmail 14373 invoked by uid 500); 12 Oct 2018 09:51:43 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 14363 invoked by uid 99); 12 Oct 2018 09:51:43 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 12 Oct 2018 09:51:43 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id ED25C3A0189 for ; Fri, 12 Oct 2018 09:51:42 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1843636 - /tomcat/native/trunk/native/src/sslnetwork.c Date: Fri, 12 Oct 2018 09:51:42 -0000 To: dev@tomcat.apache.org From: rjung@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20181012095142.ED25C3A0189@svn01-us-west.apache.org> Author: rjung Date: Fri Oct 12 09:51:42 2018 New Revision: 1843636 URL: http://svn.apache.org/viewvc?rev=1843636&view=rev Log: Tab polica. No functional change. Modified: tomcat/native/trunk/native/src/sslnetwork.c Modified: tomcat/native/trunk/native/src/sslnetwork.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1843636&r1=1843635&r2=1843636&view=diff ============================================================================== --- tomcat/native/trunk/native/src/sslnetwork.c (original) +++ tomcat/native/trunk/native/src/sslnetwork.c Fri Oct 12 09:51:42 2018 @@ -631,121 +631,121 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene TCN_ASSERT(sock != 0); con = (tcn_ssl_conn_t *)s->opaque; session = SSL_get_session(con->ssl); - apr_socket_timeout_get(con->sock, &timeout); + apr_socket_timeout_get(con->sock, &timeout); #if defined(SSL_OP_NO_TLSv1_3) if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) { - // TLS 1.3 renegotiation - retVal = SSL_verify_client_post_handshake(con->ssl); - if (retVal <= 0) { - return APR_EGENERAL; - } - - con->pha_state = PHA_STARTED; - - // Need to trigger a write operation to sent the cert request to the - // client. As per OpenSSL docs, use SSL_do_handshake() for this. - retVal = SSL_do_handshake(con->ssl); - if (retVal <= 0) { - return APR_EGENERAL; - } - - // Trigger reading of the certs from the client - retVal = SSL_peek(con->ssl, peekbuf, 0); - if (retVal < 1) { - error = SSL_get_error(con->ssl, retVal); - } - - // If the certs have not been received, then need to wait for I/O - while (con->pha_state == PHA_STARTED) { - // SSL_ERROR_WANT_READ is expected. Anything else is an error. - if (error == SSL_ERROR_WANT_READ) { - retVal = wait_for_io_or_timeout(con, error, timeout); - /* - * Since this is blocking I/O, anything other than APR_SUCCESS is an - * error. - */ - if (retVal != APR_SUCCESS) { - con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN; - return retVal; - } - } else { - return APR_EGENERAL; - } - - // Re-try SSL_peek after I/O - retVal = SSL_peek(con->ssl, peekbuf, 0); - if (retVal < 1) { - error = SSL_get_error(con->ssl, retVal); - } else { - /* - * Reset error to handle case where SSL_Peek returns 0 but - * con->pha_state has not changed. This will trigger an error - * to be returned. - */ - error = 0; - } - } + // TLS 1.3 renegotiation + retVal = SSL_verify_client_post_handshake(con->ssl); + if (retVal <= 0) { + return APR_EGENERAL; + } + + con->pha_state = PHA_STARTED; + + // Need to trigger a write operation to sent the cert request to the + // client. As per OpenSSL docs, use SSL_do_handshake() for this. + retVal = SSL_do_handshake(con->ssl); + if (retVal <= 0) { + return APR_EGENERAL; + } + + // Trigger reading of the certs from the client + retVal = SSL_peek(con->ssl, peekbuf, 0); + if (retVal < 1) { + error = SSL_get_error(con->ssl, retVal); + } + + // If the certs have not been received, then need to wait for I/O + while (con->pha_state == PHA_STARTED) { + // SSL_ERROR_WANT_READ is expected. Anything else is an error. + if (error == SSL_ERROR_WANT_READ) { + retVal = wait_for_io_or_timeout(con, error, timeout); + /* + * Since this is blocking I/O, anything other than APR_SUCCESS is an + * error. + */ + if (retVal != APR_SUCCESS) { + con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN; + return retVal; + } + } else { + return APR_EGENERAL; + } + + // Re-try SSL_peek after I/O + retVal = SSL_peek(con->ssl, peekbuf, 0); + if (retVal < 1) { + error = SSL_get_error(con->ssl, retVal); + } else { + /* + * Reset error to handle case where SSL_Peek returns 0 but + * con->pha_state has not changed. This will trigger an error + * to be returned. + */ + error = 0; + } + } } else { #endif - // TLS 1.2 and earlier renegotiation + // TLS 1.2 and earlier renegotiation - /* Toggle the renegotiation state to allow the new - * handshake to proceed. - */ - con->reneg_state = RENEG_ALLOW; - - // Schedule a renegotiation request - retVal = SSL_renegotiate(con->ssl); - if (retVal <= 0) { - return APR_EGENERAL; - } - - /* Need to trigger the renegotiation handshake by reading. - * Peeking 0 bytes actually works. - * See: http://marc.info/?t=145493359200002&r=1&w=2 - * - * This will normally return SSL_ERROR_WANT_READ whether the renegotiation - * has been completed or not. Afterwards, need to determine if I/O needs to - * be triggered or not. - */ - retVal = SSL_peek(con->ssl, peekbuf, 0); - if (retVal < 1) { - error = SSL_get_error(con->ssl, retVal); - } - - // If the renegotiation is still pending, then I/O needs to be triggered - while (SSL_renegotiate_pending(con->ssl)) { - // SSL_ERROR_WANT_READ is expected. Anything else is an error. - if (error == SSL_ERROR_WANT_READ) { - retVal = wait_for_io_or_timeout(con, error, timeout); - /* - * Since this is blocking I/O, anything other than APR_SUCCESS is an - * error. - */ - if (retVal != APR_SUCCESS) { - con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN; - return retVal; - } - } else { - return APR_EGENERAL; - } - - // Re-try SSL_peek after I/O - retVal = SSL_peek(con->ssl, peekbuf, 0); - if (retVal < 1) { - error = SSL_get_error(con->ssl, retVal); - } else { - /* - * Reset error to handle case where SSL_Peek returns 0 but - * SSL_renegotiate_pending returns true. This will trigger an error - * to be returned. - */ - error = 0; - } - } + /* Toggle the renegotiation state to allow the new + * handshake to proceed. + */ + con->reneg_state = RENEG_ALLOW; + + // Schedule a renegotiation request + retVal = SSL_renegotiate(con->ssl); + if (retVal <= 0) { + return APR_EGENERAL; + } + + /* Need to trigger the renegotiation handshake by reading. + * Peeking 0 bytes actually works. + * See: http://marc.info/?t=145493359200002&r=1&w=2 + * + * This will normally return SSL_ERROR_WANT_READ whether the renegotiation + * has been completed or not. Afterwards, need to determine if I/O needs to + * be triggered or not. + */ + retVal = SSL_peek(con->ssl, peekbuf, 0); + if (retVal < 1) { + error = SSL_get_error(con->ssl, retVal); + } + + // If the renegotiation is still pending, then I/O needs to be triggered + while (SSL_renegotiate_pending(con->ssl)) { + // SSL_ERROR_WANT_READ is expected. Anything else is an error. + if (error == SSL_ERROR_WANT_READ) { + retVal = wait_for_io_or_timeout(con, error, timeout); + /* + * Since this is blocking I/O, anything other than APR_SUCCESS is an + * error. + */ + if (retVal != APR_SUCCESS) { + con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN; + return retVal; + } + } else { + return APR_EGENERAL; + } + + // Re-try SSL_peek after I/O + retVal = SSL_peek(con->ssl, peekbuf, 0); + if (retVal < 1) { + error = SSL_get_error(con->ssl, retVal); + } else { + /* + * Reset error to handle case where SSL_Peek returns 0 but + * SSL_renegotiate_pending returns true. This will trigger an error + * to be returned. + */ + error = 0; + } + } - con->reneg_state = RENEG_REJECT; + con->reneg_state = RENEG_REJECT; #if defined(SSL_OP_NO_TLSv1_3) } #endif --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org