Author: markt
Date: Tue Sep 15 17:41:28 2009
New Revision: 815411

URL: http://svn.apache.org/viewvc?rev=815411&view=rev
Log:
Part of fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
This patch fixes two issues:
- renegotiate now does a full renegotiation rather than just setting the 'need 
to renegotiate' flag
- a new method is provided that allows clients to set the certificate 
verification level per connection - this is required when switching from 
unauthenticated to authenticated, e.g. because of a security constraint

Modified:
    tomcat/native/trunk/native/src/sslnetwork.c

Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=815411&r1=815410&r2=815411&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Tue Sep 15 17:41:28 2009
@@ -562,11 +562,60 @@
 {
     tcn_socket_t *s   = J2P(sock, tcn_socket_t *);
     tcn_ssl_conn_t *con;
+    int retVal;
 
     UNREFERENCED_STDARGS;
     TCN_ASSERT(sock != 0);
     con = (tcn_ssl_conn_t *)s->opaque;
-    return SSL_renegotiate(con->ssl);
+
+    /* Sequence to renegotiate is
+     *  SSL_renegotiate()
+     *  SSL_do_handshake()
+     *  ssl->state = SSL_ST_ACCEPT
+     *  SSL_do_handshake()
+     */
+    retVal = SSL_renegotiate(con->ssl);
+    if (retVal <= 0)
+        return APR_EGENERAL;
+    
+    retVal = SSL_do_handshake(con->ssl);
+    if (retVal <= 0)
+        return APR_EGENERAL;
+
+    con->ssl->state = SSL_ST_ACCEPT;
+
+    retVal = SSL_do_handshake(con->ssl);
+    if (retVal <= 0)
+        return APR_EGENERAL;
+
+    return APR_SUCCESS;
+}
+
+TCN_IMPLEMENT_CALL(void, SSLSocket, setVerify)(TCN_STDARGS,
+                                               jlong sock,
+                                               jint cverify,
+                                               jint depth)
+{
+    tcn_socket_t *s   = J2P(sock, tcn_socket_t *);
+    tcn_ssl_conn_t *con;
+    int verify = SSL_VERIFY_NONE;
+
+    UNREFERENCED_STDARGS;
+    TCN_ASSERT(sock != 0);
+    con = (tcn_ssl_conn_t *)s->opaque;
+
+    if (cverify == SSL_CVERIFY_UNSET)
+        cverify = SSL_CVERIFY_NONE;
+    if (depth > 0)
+        SSL_set_verify_depth(con->ssl, depth);
+
+    if (cverify == SSL_CVERIFY_REQUIRE)
+        verify |= SSL_VERIFY_PEER_STRICT;
+    if ((cverify == SSL_CVERIFY_OPTIONAL) ||
+        (cverify == SSL_CVERIFY_OPTIONAL_NO_CA))
+        verify |= SSL_VERIFY_PEER;
+
+    SSL_set_verify(con->ssl, verify, NULL);
 }
 
 #else
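Review bot: Every failure in the new renegotiate body (the three `retVal <= 0` checks) collapses to `APR_EGENERAL`, so the caller cannot tell a handshake that is merely incomplete on a non-blocking socket (SSL_get_error() reporting SSL_ERROR_WANT_READ/WANT_WRITE) from a real failure such as the client presenting no certificate on the second SSL_do_handshake(); the error queue is also never cleared before SSL_renegotiate(), so a stale error from an earlier call can be misread. I would add `ERR_clear_error();` before the first call and consult `SSL_get_error(con->ssl, retVal)` in each check so WANT_READ/WANT_WRITE map to APR_EAGAIN and only the other codes to APR_EGENERAL; the `con->ssl->state = SSL_ST_ACCEPT` write into OpenSSL's internal struct also deserves a comment saying why it is needed (the second handshake does nothing without it) since it will break if the struct becomes opaque. In setVerify, any `cverify` value other than NONE/REQUIRE/OPTIONAL/OPTIONAL_NO_CA silently ends up as `SSL_VERIFY_NONE`, which disables verification; since the method is void, at minimum log or TCN_ASSERT an unknown value rather than defaulting to no verification, and note that `depth <= 0` leaves the context's depth untouched. The renegotiate function's signature lies above the hunk, so its declared return type is not visible here; confirm it is an APR status rather than the raw OpenSSL int the old `return SSL_renegotiate(con->ssl)` implied.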


