From 97fd2384287db9349ef5ce7967a2e35c39cb5cac Mon Sep 17 00:00:00 2001 From: mturk Date: Tue, 2 Mar 2010 09:14:44 +0000 Subject: [PATCH] Port SSLInsecureRenegotiation from mod_ssl git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@917928 13f79535-47bb-0310-9956-ffa450edef68 --- java/org/apache/tomcat/jni/SSL.java | 18 +++++++++++++++++- java/org/apache/tomcat/util/net/AprEndpoint.java | 17 +++++++++++++++++ .../apache/tomcat/util/net/res/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 5 +++++ 4 files changed, 40 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/jni/SSL.java b/java/org/apache/tomcat/jni/SSL.java index efbbf829c..3cc675130 100644 --- a/java/org/apache/tomcat/jni/SSL.java +++ b/java/org/apache/tomcat/jni/SSL.java @@ -113,9 +113,12 @@ public final class SSL { /* SSL_OP_ALL: various bug workarounds that should be rather harmless. * This used to be 0x000FFFFFL before 0.9.7. */ public static final int SSL_OP_ALL = 0x00000FFF; - /* As server, disallow session resumption on renegotiation */ public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000; + /* Permit unsafe legacy renegotiation */ + public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x00040000; + /* If set, always create a new key when using tmp_eddh parameters */ + public static final int SSL_OP_SINGLE_ECDH_USE = 0x00080000; /* If set, always create a new key when using tmp_dh parameters */ public static final int SSL_OP_SINGLE_DH_USE = 0x00100000; /* Set to always use the tmp_rsa key when doing RSA operations, @@ -325,4 +328,17 @@ public final class SSL { * Return last SSL error string */ public static native String getLastError(); + + /** + * Return true if SSL_OP_ if defined. + *
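Review bot: The comment added above `SSL_OP_SINGLE_ECDH_USE` in the first SSL.java hunk says `tmp_eddh`, which looks like a typo for `tmp_ecdh`; suggest `/* If set, always create a new key when using tmp_ecdh parameters */`. The comment on `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` could say what the flag gives up, for example `/* Permit renegotiation with peers that do not support secure renegotiation; leave unset unless such clients must be served */`. Both values are passed straight to the native layer, so it is worth confirming that 0x00040000 and 0x00080000 match the OpenSSL headers tomcat-native is built against.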

+ * Currently used for testing weather the + * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL. + *

+ * @param op SSL_OP to test. + * @return true if SSL_OP is supported by OpenSSL library. + */ + public static native boolean hasOp(int op); + } + diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java index 9232c98ad..82e5d4e6f 100644 --- a/java/org/apache/tomcat/util/net/AprEndpoint.java +++ b/java/org/apache/tomcat/util/net/AprEndpoint.java @@ -309,6 +309,14 @@ public class AprEndpoint extends AbstractEndpoint { public void setSSLVerifyDepth(int SSLVerifyDepth) { this.SSLVerifyDepth = SSLVerifyDepth; } + /** + * SSL allow insecure renegotiation for the the client that does not + * support the secure renegotiation. + */ + protected boolean SSLInsecureRenegotiation = false; + public void seSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; } + public boolean getSSLInsecureRenegotiation() { return SSLInsecureRenegotiation; } + // --------------------------------------------------------- Public Methods @@ -460,6 +468,15 @@ public class AprEndpoint extends AbstractEndpoint { } // Create SSL Context sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER); + if (SSLInsecureRenegotiation) { + if (SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + SSLContext.setOptions(sslContext, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + else { + // OpenSSL does not support unsafe legacy renegotiation. + log.warn(sm.getString("endpoint.warn.noInsecureReneg", + SSL.versionString())); + } + } // List the ciphers that the client is permitted to negotiate SSLContext.setCipherSuite(sslContext, SSLCipherSuite); // Load Server key and certificate diff --git a/java/org/apache/tomcat/util/net/res/LocalStrings.properties b/java/org/apache/tomcat/util/net/res/LocalStrings.properties index 9b5e28fa2..4737f9958 100644 --- a/java/org/apache/tomcat/util/net/res/LocalStrings.properties +++ b/java/org/apache/tomcat/util/net/res/LocalStrings.properties 
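Review bot: The Javadoc summary for `hasOp` in the second SSL.java hunk reads "Return true if SSL_OP_ if defined" and the next sentence has "weather" for "whether". Suggest `Returns true if the given SSL_OP_* option is defined by the OpenSSL library in use.` and "Currently used for testing whether SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL." Because this is a new native method, the Javadoc should also state which tomcat-native release first provides it, so callers know the call cannot be resolved against older native libraries.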
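Review bot: The setter in the first AprEndpoint.java hunk is named `seSSLInsecureRenegotiation` (missing `t`), so anything that looks up a `setSSLInsecureRenegotiation` bean setter will not find it. That is presumably how connector attributes reach this endpoint, in which case the flag silently stays at its default `false`. Rename it to `public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }`. The field Javadoc has a doubled "the the" and should say plainly that enabling the flag permits renegotiation with clients lacking secure renegotiation support, and that it should stay off otherwise.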
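Review bot: In the second AprEndpoint.java hunk, the branch that calls `SSLContext.setOptions(sslContext, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)` logs nothing, so a connector running with weakened renegotiation protection leaves no trace in the startup log. Add a warn-level message on that path under a new key (illustrative name: `endpoint.warn.insecureRenegEnabled`), so the downgrade is visible to operators and to log-based audits. `SSL.hasOp` is a new native method, so against an older tomcat-native library the call would likely fail with `UnsatisfiedLinkError` instead of reaching the `else` warning; a version check before the call is worth considering. The unbraced `if` next to a braced `else` should be braced on both sides. The enclosing method starts and ends outside the hunk.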
@@ -39,3 +39,4 @@ endpoint.process.fail=Error allocating socket processor endpoint.sendfile.error=Unexpected sendfile error endpoint.sendfile.addfail=Sednfile failure: [{0}] {1} endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version or the system doesn't support it +endpoint.warn.noInsecureReneg=Secure renegotation is not supported by the SSL library {0} diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 70c89128e..491d648a7 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -114,6 +114,11 @@ + Port SSLInsecureRenegotiation from mod_ssl. This requires + to use tomcat-native 1.2.21 that have option to detect this + support from OpenSSL library. (mturk) + + Allow bigger AJP packets also for request bodies and responses using the packetSize attribute of the Connector. (rjung) -- 2.11.0
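Review bot: The text added for `endpoint.warn.noInsecureReneg` says "Secure renegotation is not supported", which states the opposite of what happened. The only caller visible in this patch logs it when the library lacks `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION`, meaning insecure renegotiation could not be enabled. An operator reading the message would conclude that the TLS library is missing a protection. Suggest `endpoint.warn.noInsecureReneg=Insecure renegotiation is not supported by the SSL library {0}`, which also fixes the "renegotation" spelling.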