On 04.10.2012 22:50, schu...@apache.org wrote:
Author: schultz
Date: Thu Oct  4 20:50:42 2012
New Revision: 1394258

URL: http://svn.apache.org/viewvc?rev=1394258&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53969

Add checking of other SSL_OPT_* options to ssl.c::hasOp

Modified:
     tomcat/native/trunk/native/src/ssl.c

Modified: tomcat/native/trunk/native/src/ssl.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1394258&r1=1394257&r2=1394258&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/ssl.c (original)
+++ tomcat/native/trunk/native/src/ssl.c Thu Oct  4 20:50:42 2012
...

@@ -944,11 +972,130 @@ TCN_IMPLEMENT_CALL(jstring, SSL, getLast

  TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)(TCN_STDARGS, jint op)
  {
+    jint options   = op;
+    jint supported = 0;
+    /*
+      TCN_SSL_TEST_OP_SUPPORT moves bits from 'options' to 'supported'
+      as they are tested. After all checks, 'options' should be 0x00
+      and 'supported' should be == op. If options != 0x00 then we failed
+      to test an option. If supported != op then we don't support all
+      requested options.
+    */
+
+    DEBUG_LOG("=== Starting hasOp: support=%d, options=%#08lx, op=%#08lx\n", 
supported, options, op);
+
+#ifdef SSL_OP_ALL
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_ALL, options, supported)
+#endif

I think you should exclude SSL_OP_ALL. It is not a single bit option but a combination of other options.

  #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-    if (op & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
-        return JNI_TRUE;
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 
options, supported)
  #endif
-    return JNI_FALSE;
+
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_CIPHER_SERVER_PREFERENCE, options, 
supported)
+#endif
+
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, options, 
supported)
+#endif
+
+#ifdef SSL_OP_EPHEMERAL_RSA
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_EPHEMERAL_RSA, options, supported)
+#endif
+
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_LEGACY_SERVER_CONNECT, options, supported)
+#endif
+
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER, options, 
supported)
+#endif
+
+#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MICROSOFT_SESS_ID_BUG, options, supported)
+#endif
+
+#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_MSIE_SSLV2_RSA_PADDING, options, supported)
+#endif
+
+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_CA_DN_BUG, options, supported)
+#endif
+
+#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_CHALLENGE_BUG, options, supported)
+#endif
+
+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG, options, 
supported)
+#endif
+
+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, options, 
supported)
+#endif
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 
options, supported)
+#endif
+
+#ifdef SSL_OP_NO_SSLv2
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SSLv2, options, supported)
+#endif
+
+#ifdef SSL_OP_NO_SSLv3
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_SSLv3, options, supported)
+#endif
+
+#ifdef SSL_OP_NO_TICKET
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_TICKET, options, supported)
+#endif
+
+#ifdef SSL_OP_NO_TLSv1
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_NO_TLSv1, options, supported)
+#endif

The next two do not yet have real option bits assigned in ssl.h (value is "0").

+#ifdef SSL_OP_PKCS1_CHECK_1
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_PKCS1_CHECK_1, options, supported)
+#endif
+
+#ifdef SSL_OP_PKCS1_CHECK_2
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_PKCS1_CHECK_2, options, supported)
+#endif

Haven't checked the ones below here.

+#ifdef SSL_OP_SINGLE_DH_USE
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SINGLE_DH_USE, options, supported)
+#endif
+
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SSLEAY_080_CLIENT_DH_BUG, options, 
supported)
+#endif
+
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG, options, 
supported)
+#endif
+
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_BLOCK_PADDING_BUG, options, supported)
+#endif
+
+#ifdef SSL_OP_TLS_D5_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_D5_BUG, options, supported)
+#endif
+
+#ifdef SSL_OP_TLS_ROLLBACK_BUG
+     TCN_SSL_TEST_OP_SUPPORT(SSL_OP_TLS_ROLLBACK_BUG, options, supported)
+#endif
+
+    DEBUG_LOG("req=%#08lx left=%#08lx discovered=%#08lx\n", op, options, 
supported);
+    DEBUG_FLUSH();
+    if(options) {
+        tcn_Throw(e, "Unsupported OpenSSL options to check: %#08lx", options);
+        return (jint)APR_EINVAL;
+    }
+
+    return supported == op ? JNI_TRUE : JNI_FALSE;
  }

  #else
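Review bot: The three format calls in the new hasOp body pass `jint` values to `%#08lx`, which expects an `unsigned long`, so the DEBUG_LOG lines and the tcn_Throw message read the varargs with the wrong width (undefined behavior on LP64 builds, and garbage in the logged value at best); either cast each argument, e.g. `DEBUG_LOG("=== Starting hasOp: supported=%#08lx, options=%#08lx, op=%#08lx\n", (unsigned long)supported, (unsigned long)options, (unsigned long)op);`, and likewise for the `req=`/`left=`/`discovered=` line and the `"Unsupported OpenSSL options to check: %#08lx"` message, or switch the conversions to `%#08x` with `(unsigned)` casts. The first DEBUG_LOG also labels `supported` as `support=%d` while the later one prints it in hex, so the two traces are hard to correlate. Separately, the error path returns `(jint)APR_EINVAL` from a function declared `jboolean`; the value is silently truncated to an unsigned char and is neither JNI_TRUE nor JNI_FALSE, so after `tcn_Throw(e, ...)` the function should `return JNI_FALSE;` and let the pending exception carry the error. Whether `options` really reaches 0 after the checks depends on TCN_SSL_TEST_OP_SUPPORT clearing the tested bits, and that macro's definition is outside this hunk, so the `if(options)` check is only as reliable as the macro; a one-line comment at the macro definition stating that contract would help future readers.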

Regards,

Rainer

