[email protected] wrote:
> Author: markt
> Date: Tue Sep 15 17:41:28 2009
> New Revision: 815411

C isn't my strong point, so this is worth folks who know C better than I do taking a close look.

Mark

> URL: http://svn.apache.org/viewvc?rev=815411&view=rev
> Log:
> Part of fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
> This patch fixes two issues:
> - renegotiate now does a full renegotiation rather than just setting the
>   'need to renegotiate' flag
> - a new method is provided that allows clients to set the certificate
>   verification level per connection - this is required when switching from
>   unauthenticated to authenticated, e.g. because of a security constraint
>
> Modified:
>     tomcat/native/trunk/native/src/sslnetwork.c
>
> Modified: tomcat/native/trunk/native/src/sslnetwork.c
> URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=815411&r1=815410&r2=815411&view=diff
> ==============================================================================
> --- tomcat/native/trunk/native/src/sslnetwork.c (original)
> +++ tomcat/native/trunk/native/src/sslnetwork.c Tue Sep 15 17:41:28 2009
> @@ -562,11 +562,60 @@ > { > tcn_socket_t *s = J2P(sock, tcn_socket_t *); > tcn_ssl_conn_t *con; > + int retVal; > > UNREFERENCED_STDARGS; > TCN_ASSERT(sock != 0); > con = (tcn_ssl_conn_t *)s->opaque; > - return SSL_renegotiate(con->ssl); > + > + /* Sequence to renegotiate is > + * SSL_renegotiate() > + * SSL_do_handshake() > + * ssl->state = SSL_ST_ACCEPT > + * SSL_do_handshake() > + */ > + retVal = SSL_renegotiate(con->ssl); > + if (retVal <= 0) > + return APR_EGENERAL; > + > + retVal = SSL_do_handshake(con->ssl); > + if (retVal <= 0) > + return APR_EGENERAL; > + > + con->ssl->state = SSL_ST_ACCEPT; > + > + retVal = SSL_do_handshake(con->ssl); > + if (retVal <= 0) > + return APR_EGENERAL; > + > + return APR_SUCCESS; > +} > + > +TCN_IMPLEMENT_CALL(void, SSLSocket, setVerify)(TCN_STDARGS, > + jlong sock, > + jint cverify, > + jint depth) > +{ > + tcn_socket_t *s = J2P(sock, tcn_socket_t *); > + tcn_ssl_conn_t *con; > + int verify = SSL_VERIFY_NONE; > + > + UNREFERENCED_STDARGS; > + TCN_ASSERT(sock != 0); > + con = (tcn_ssl_conn_t *)s->opaque; > + > + if (cverify == SSL_CVERIFY_UNSET) > + cverify = SSL_CVERIFY_NONE; > + if (depth > 0) > + SSL_set_verify_depth(con->ssl, depth); > + > + if (cverify == SSL_CVERIFY_REQUIRE) > + verify |= SSL_VERIFY_PEER_STRICT; > + if ((cverify == SSL_CVERIFY_OPTIONAL) || > + (cverify == SSL_CVERIFY_OPTIONAL_NO_CA)) > + verify |= SSL_VERIFY_PEER; > + > + SSL_set_verify(con->ssl, verify, NULL); > } > > #else > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
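Review bot: in the renegotiate hunk, every `retVal <= 0` from SSL_renegotiate() and SSL_do_handshake() is collapsed into APR_EGENERAL, which also swallows the non-fatal SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE results SSL_do_handshake() returns on a non-blocking socket, so a renegotiation that merely needs another I/O round trip is reported as a hard failure and the actual reason is lost (the replaced `return SSL_renegotiate(con->ssl);` at least surfaced the raw return value). Suggest calling SSL_get_error(con->ssl, retVal) after each step and returning an APR error only for genuine errors. Two further points in the same hunk: `con->ssl->state = SSL_ST_ACCEPT;` writes an OpenSSL-private struct field, and the comment block above it should say so explicitly, because that assignment is the part of this sequence most likely to break on an OpenSSL upgrade; and in setVerify, SSL_CVERIFY_OPTIONAL and SSL_CVERIFY_OPTIONAL_NO_CA both end up as plain SSL_VERIFY_PEER with a NULL callback passed to SSL_set_verify(), so nothing in this change actually tolerates a certificate from an unconfigured CA for the NO_CA case, and since cverify is not stored on the connection a verify callback added later cannot tell the two modes apart either. Finally, the commit modifies only sslnetwork.c, so the matching Java-side native declaration for SSLSocket.setVerify(long, int, int) must be coming in the rest of the "part of fix" series; worth stating in the log so the two land together.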
