The second was that renegotiation was just plain broken. I can't

believe I didn't notice this before -- once 64k was sent to/from the server the client would crash. Basicly, in 7.3 the server SSL code set the initial state to "about to renegotiate" without actually starting the renegotiation. In addition, the server and client didn't properly handle the SSL_ERROR_WANT_(READ|WRITE) error. This is fixed in the second patch. Nathan Mueller

The second was that renegotiation was just plain broken. I can't
believe I didn't notice this before -- once 64k was sent to/from the server the client would crash. Basicly, in 7.3 the server SSL code set the initial state to "about to renegotiate" without actually starting the renegotiation. In addition, the server and client didn't properly handle the SSL_ERROR_WANT_(READ|WRITE) error. This is fixed in the second patch. Nathan Mueller
b56af498 · Bruce Momjian · 6ccb5aeb · b56af498 · b56af498
Commit b56af498 authored Jan 08, 2003 by Bruce Momjian
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 9 deletions

src/backend/libpq/be-secure.c src/backend/libpq/be-secure.c +12 -8

src/interfaces/libpq/fe-secure.c src/interfaces/libpq/fe-secure.c +3 -1

No files found.
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.22 2003/01/08 22:56:58 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.23 2003/01/08 23:18:25 momjian Exp $
 *
 *	  Since the server static private key ($DataDir/server.key)
 *	  will normally be stored unencrypted so that the database
@@ -273,12 +273,6 @@ secure_read(Port *port, void *ptr, size_t len)
 #ifdef USE_SSL
 	if (port->ssl)
 	{
-		if (port->count > RENEGOTIATION_LIMIT)
-		{
-			SSL_renegotiate(port->ssl);
-			port->count = 0;
-		}
-
 		n = SSL_read(port->ssl, ptr, len);
 		switch (SSL_get_error(port->ssl, n))
 		{
@@ -286,6 +280,7 @@ secure_read(Port *port, void *ptr, size_t len)
 				port->count += n;
 				break;
 			case SSL_ERROR_WANT_READ:
+				n = secure_read(port, ptr, len);
 				break;
 			case SSL_ERROR_SYSCALL:
 				if (n == -1)
@@ -325,7 +320,15 @@ secure_write(Port *port, const void *ptr, size_t len)
 	{
 		if (port->count > RENEGOTIATION_LIMIT)
 		{
-			SSL_renegotiate(port->ssl);
+		        SSL_set_session_id_context(port->ssl, (void *)&SSL_context, sizeof(SSL_context));
+
+		        if (SSL_renegotiate(port->ssl) <= 0)
+			  elog(COMMERROR, "SSL renegotiation failure");
+			if (SSL_do_handshake(port->ssl) <= 0)
+			  elog(COMMERROR, "SSL renegotiation failure");
+			port->ssl->state=SSL_ST_ACCEPT;
+			if (SSL_do_handshake(port->ssl) <= 0)
+			  elog(COMMERROR, "SSL renegotiation failure");
 			port->count = 0;
 		}

@@ -336,6 +339,7 @@ secure_write(Port *port, const void *ptr, size_t len)
 				port->count += n;
 				break;
 			case SSL_ERROR_WANT_WRITE:
+				n = secure_read(port, ptr, len);
 				break;
 			case SSL_ERROR_SYSCALL:
 				if (n == -1)

--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.19 2003/01/08 22:56:58 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.20 2003/01/08 23:18:25 momjian Exp $
 *
 * NOTES
 *	  The client *requires* a valid server certificate.  Since
@@ -268,6 +268,7 @@ pqsecure_read(PGconn *conn, void *ptr, size_t len)
 			case SSL_ERROR_NONE:
 				break;
 			case SSL_ERROR_WANT_READ:
+			        n = pqsecure_read(conn, ptr, len);
 				break;
 			case SSL_ERROR_SYSCALL:
 				if (n == -1)
@@ -314,6 +315,7 @@ pqsecure_write(PGconn *conn, const void *ptr, size_t len)
 			case SSL_ERROR_NONE:
 				break;
 			case SSL_ERROR_WANT_WRITE:
+			        n = pqsecure_write(conn, ptr, len);
 				break;
 			case SSL_ERROR_SYSCALL:
 				if (n == -1)