svn commit: r917921 - in /tomcat/native/branches/1.1.x: java/org/apache/tomcat/jni/SSL.java native/include/ssl_private.h native/src/ssl.c native/src/sslcontext.c xdocs/miscellaneous/changelog.xml

Tue, 02 Mar 2010 00:52:10 -0800 

Author: mturk
Date: Tue Mar  2 08:51:46 2010
New Revision: 917921

URL: http://svn.apache.org/viewvc?rev=917921&view=rev
Log:
Add unafe legacy renegotiation support

Modified:
    tomcat/native/branches/1.1.x/java/org/apache/tomcat/jni/SSL.java
    tomcat/native/branches/1.1.x/native/include/ssl_private.h
    tomcat/native/branches/1.1.x/native/src/ssl.c
    tomcat/native/branches/1.1.x/native/src/sslcontext.c
    tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml

Modified: tomcat/native/branches/1.1.x/java/org/apache/tomcat/jni/SSL.java
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/java/org/apache/tomcat/jni/SSL.java?rev=917921&r1=917920&r2=917921&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/native/branches/1.1.x/java/org/apache/tomcat/jni/SSL.java Tue Mar  2 
08:51:46 2010
@@ -113,9 +113,12 @@
     /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
      *             This used to be 0x000FFFFFL before 0.9.7. */
     public static final int SSL_OP_ALL                              = 
0x00000FFF;
-
     /* As server, disallow session resumption on renegotiation */
     public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 
0x00010000;
+    /* Permit unsafe legacy renegotiation */
+    public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION      = 
0x00040000;
+    /* If set, always create a new key when using tmp_eddh parameters */
+    public static final int SSL_OP_SINGLE_ECDH_USE                  = 
0x00080000;
     /* If set, always create a new key when using tmp_dh parameters */
     public static final int SSL_OP_SINGLE_DH_USE                    = 
0x00100000;
     /* Set to always use the tmp_rsa key when doing RSA operations,
@@ -325,4 +328,17 @@
      * Return last SSL error string
      */
     public static native String getLastError();
+
+    /**
+     * Return true if SSL_OP_ if defined.
+     * <p>
+     * Currently used for testing weather the
+     * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.
+     * <p>
+     * @param op SSL_OP to test.
+     * @return true if SSL_OP is supported by OpenSSL library.
+     */
+    public static native boolean hasOp(int op);
+
 }
+

Modified: tomcat/native/branches/1.1.x/native/include/ssl_private.h
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/include/ssl_private.h?rev=917921&r1=917920&r2=917921&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/include/ssl_private.h (original)
+++ tomcat/native/branches/1.1.x/native/include/ssl_private.h Tue Mar  2 
08:51:46 2010
@@ -199,8 +199,6 @@
     || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
     || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
 
-
-
 #define SSL_DEFAULT_PASS_PROMPT "Some of your private key files are encrypted 
for security reasons.\n"  \
                                 "In order to read them you have to provide the 
pass phrases.\n"         \
                                 "Enter password :"

Modified: tomcat/native/branches/1.1.x/native/src/ssl.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/ssl.c?rev=917921&r1=917920&r2=917921&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/src/ssl.c (original)
+++ tomcat/native/branches/1.1.x/native/src/ssl.c Tue Mar  2 08:51:46 2010
@@ -813,6 +813,15 @@
     return tcn_new_string(e, buf);
 }
 
+TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)(TCN_STDARGS, jint op)
+{
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+    if (op & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
+        return JNI_TRUE;
+#endif
+    return JNI_FALSE;
+}
+
 #else
 /* OpenSSL is not supported.
  * Create empty stubs.
@@ -918,4 +927,10 @@
     return NULL;
 }
 
+TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)(TCN_STDARGS, jint op)
+{
+    UNREFERENCED_STDARGS;
+    UNREFERENCED(op);
+    return JNI_FALSE;
+}
 #endif

Modified: tomcat/native/branches/1.1.x/native/src/sslcontext.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?rev=917921&r1=917920&r2=917921&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/src/sslcontext.c (original)
+++ tomcat/native/branches/1.1.x/native/src/sslcontext.c Tue Mar  2 08:51:46 
2010
@@ -230,6 +230,11 @@
 
     UNREFERENCED_STDARGS;
     TCN_ASSERT(ctx != 0);
+#ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+    /* Clear the flag if not supported */
+    if (opt & 0x00040000)
+        opt &= ~0x00040000;
+#endif
     SSL_CTX_set_options(c->ctx, opt);
 }
 

Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml?rev=917921&r1=917920&r2=917921&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Tue Mar  2 
08:51:46 2010
@@ -36,6 +36,13 @@
   new documentation project for Tomcat Native was started.
   </p>
 </section>
+<section name="Changes between 1.1.20 and 1.1.21">
+  <changelog>
+    <update>
+      Add support for unsafe legacy renegotiation. (mturk)
+    </update>
+  </changelog>
+</section>
 <section name="Changes between 1.1.19 and 1.1.20">
   <changelog>
     <fix>



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to