From: Bruce Momjian Date: Wed, 8 Jan 2003 23:18:35 +0000 (+0000) Subject: The second was that renegotiation was just plain broken. I can't X-Git-Url: http://git.postgresql.org/gitweb/static/gitweb.js?a=commitdiff_plain;h=3e33ca2d08db8f6f72ff58ced865d3604817ec96;p=users%2Fbernd%2Fpostgres.git The second was that renegotiation was just plain broken. I can't believe I didn't notice this before -- once 64k was sent to/from the server the client would crash. Basicly, in 7.3 the server SSL code set the initial state to "about to renegotiate" without actually starting the renegotiation. In addition, the server and client didn't properly handle the SSL_ERROR_WANT_(READ|WRITE) error. This is fixed in the second patch. Nathan Mueller --- diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index e88f709169..f0e7425be8 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -273,12 +273,6 @@ secure_read(Port *port, void *ptr, size_t len) #ifdef USE_SSL if (port->ssl) { - if (port->count > RENEGOTIATION_LIMIT) - { - SSL_renegotiate(port->ssl); - port->count = 0; - } - n = SSL_read(port->ssl, ptr, len); switch (SSL_get_error(port->ssl, n)) { @@ -286,6 +280,7 @@ secure_read(Port *port, void *ptr, size_t len) port->count += n; break; case SSL_ERROR_WANT_READ: + n = secure_read(port, ptr, len); break; case SSL_ERROR_SYSCALL: if (n == -1) @@ -325,7 +320,15 @@ secure_write(Port *port, const void *ptr, size_t len) { if (port->count > RENEGOTIATION_LIMIT) { - SSL_renegotiate(port->ssl); + SSL_set_session_id_context(port->ssl, (void *)&SSL_context, sizeof(SSL_context)); + + if (SSL_renegotiate(port->ssl) <= 0) + elog(COMMERROR, "SSL renegotiation failure"); + if (SSL_do_handshake(port->ssl) <= 0) + elog(COMMERROR, "SSL renegotiation failure"); + port->ssl->state=SSL_ST_ACCEPT; + if (SSL_do_handshake(port->ssl) <= 0) + elog(COMMERROR, "SSL renegotiation failure"); port->count = 0; } 
@@ -336,6 +339,7 @@ secure_write(Port *port, const void *ptr, size_t len) port->count += n; break; case SSL_ERROR_WANT_WRITE: + n = secure_read(port, ptr, len); break; case SSL_ERROR_SYSCALL: if (n == -1) diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c index ceae8a4ce0..0d81766e87 100644 --- a/src/interfaces/libpq/fe-secure.c +++ b/src/interfaces/libpq/fe-secure.c @@ -268,6 +268,7 @@ pqsecure_read(PGconn *conn, void *ptr, size_t len) case SSL_ERROR_NONE: break; case SSL_ERROR_WANT_READ: + n = pqsecure_read(conn, ptr, len); break; case SSL_ERROR_SYSCALL: printfPQExpBuffer(&conn->errorMessage, @@ -313,6 +314,7 @@ pqsecure_write(PGconn *conn, const void *ptr, size_t len) case SSL_ERROR_NONE: break; case SSL_ERROR_WANT_WRITE: + n = pqsecure_write(conn, ptr, len); break; case SSL_ERROR_SYSCALL: printfPQExpBuffer(&conn->errorMessage,
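Review bot: In the first be-secure.c hunk (secure_read, @@ -273), dropping the `if (port->count > RENEGOTIATION_LIMIT)` block from the read path leaves `port->count += n;` in place in secure_read (visible as context in the next hunk), so bytes read still feed a counter that is now only checked in secure_write. A connection that mostly reads will renegotiate on its next write, and a read-only stream never renegotiates at all. Either count only written bytes, or add a comment stating that renegotiation is intentionally driven from the write side so the asymmetry is documented rather than accidental.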
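Review bot: In the second be-secure.c hunk (secure_read, @@ -286), `n = secure_read(port, ptr, len);` under `case SSL_ERROR_WANT_READ:` retries by unbounded recursion. Every WANT_READ result re-enters secure_read, calls SSL_read again and, if the peer is slow to deliver the handshake data that WANT_READ is waiting for, spins and grows the stack with no upper bound. A `for (;;)` or `do { ... } while` loop around SSL_read with a retry cap (or a select/poll on the socket before retrying) gives the same behaviour without the recursion, and the same applies to the other three WANT_READ/WANT_WRITE hunks in this patch.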
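Review bot: In the third be-secure.c hunk (secure_write, @@ -325), the three `elog(COMMERROR, "SSL renegotiation failure");` calls do not abort or return: COMMERROR is a log-only level, so after a failed SSL_renegotiate or SSL_do_handshake the code falls through to `port->count = 0;` and then to SSL_write on a connection whose handshake state is undefined, and the reset counter means no retry will be attempted for another RENEGOTIATION_LIMIT bytes. Each failure should return -1 (or close the connection), and the three identical messages should be distinguished, ideally with the SSL_get_error/ERR_get_error value, so a server log can tell which step failed. Two smaller points on the same hunk: `port->ssl->state=SSL_ST_ACCEPT;` writes directly into OpenSSL's SSL struct, which is an internal layout that can change between OpenSSL releases, so it deserves a comment explaining why the second SSL_do_handshake needs it; and `SSL_set_session_id_context(port->ssl, (void *)&SSL_context, sizeof(SSL_context));` is executed on every renegotiation although it only needs to be set once when the SSL object is created.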
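Review bot: In the fourth be-secure.c hunk (secure_write, @@ -336), `n = secure_read(port, ptr, len);` under `case SSL_ERROR_WANT_WRITE:` calls the wrong function: a write that could not complete is retried as a read, which would overwrite the caller's outgoing buffer with incoming data. The `const void *ptr` of secure_write is also being passed to secure_read's `void *ptr`, so this line should already produce a discarded-qualifier warning at compile time. The matching libpq hunk in fe-secure.c correctly retries with pqsecure_write; this one should be `n = secure_write(port, ptr, len);` (and, as noted for the read path, preferably a bounded loop rather than recursion).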
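Review bot: In the first fe-secure.c hunk (pqsecure_read, @@ -268), `n = pqsecure_read(conn, ptr, len);` under `case SSL_ERROR_WANT_READ:` has the same unbounded recursion as the server side, but it matters more in libpq because a client may have put the socket into non-blocking mode, where WANT_READ is a normal "no data yet" result rather than a transient handshake condition. Recursing here turns the client's non-blocking read into a busy spin inside pqsecure_read. The non-blocking case should surface to the caller (return the negative n and let it wait on the fd), with a bounded retry reserved for the blocking-socket case.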
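Review bot: In the second fe-secure.c hunk (pqsecure_write, @@ -313), `n = pqsecure_write(conn, ptr, len);` under `case SSL_ERROR_WANT_WRITE:` correctly retries with the write function, unlike the server-side counterpart, but it is still unbounded recursion and has the same non-blocking-socket concern as the pqsecure_read hunk: a full socket send buffer yields WANT_WRITE repeatedly, and each repetition adds a stack frame. A loop with a retry limit, or returning to the caller so it can wait for the socket to become writable, is the safer shape.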