From 5598b99fb324ab97e5ea196d5eacddaed0e054c6 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sun, 24 Jan 2010 13:50:57 +0000
Subject: [PATCH] The fix for PR#1949 unfortunately broke cases where the
 BIO_CTRL_WPENDING ctrl is incorrectly implemented (e.g. some versions of
 Apache). As a workaround call both BIO_CTRL_INFO and BIO_CTRL_WPENDING if it
 returns zero. This should both address the original bug and retain
 compatibility with the old behaviour.

---
 apps/s_server.c | 14 ++++++++++++++
 ssl/s3_pkt.c    |  1 -
 ssl/s3_srvr.c   | 16 +++++++++++++++-
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index 88b308ca38..f44bf5e840 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1836,6 +1836,20 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 					continue;
 					/* strcpy(buf,"server side RE-NEGOTIATE\n"); */
 					}
+				if ((buf[0] == 'X') &&
+					((buf[1] == '\n') || (buf[1] == '\r')))
+					{
+					SSL_renegotiate(con);
+					i=SSL_do_handshake(con);
+					printf("SSL_do_handshake1 -> %d\n",i);
+					if (SSL_get_state(con) != SSL_ST_OK)
+						printf("Bad State\n");
+					con->state = SSL_ST_ACCEPT;
+					i=SSL_do_handshake(con);
+					printf("SSL_do_handshake2 -> %d\n",i);
+					i=0; /*13; */
+					continue;
+					}
 				if ((buf[0] == 'R') &&
 					((buf[1] == '\n') || (buf[1] == '\r')))
 					{
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index a2ba5748d5..66ff3fdb54 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -979,7 +979,6 @@ start:
 		(s->session != NULL) && (s->session->cipher != NULL))
 		{
 		s->s3->handshake_fragment_len = 0;
-
 		if ((s->s3->handshake_fragment[1] != 0) ||
 			(s->s3->handshake_fragment[2] != 0) ||
 			(s->s3->handshake_fragment[3] != 0))
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 789447e115..700d972239 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -448,7 +448,21 @@ int ssl3_accept(SSL *s)
 		
 		case SSL3_ST_SW_FLUSH:
 			/* number of bytes to be flushed */
-			num1=BIO_ctrl(s->wbio,BIO_CTRL_WPENDING,0,NULL);
+			/* This originally and incorrectly called BIO_CTRL_INFO
+			 * The reason why this is wrong is mentioned in PR#1949.
+			 * Unfortunately, as suggested in that bug some
+			 * versions of Apache unconditionally return 0
+			 * for BIO_CTRL_WPENDING meaning we don't correctly
+			 * flush data and some operations, like renegotiation,
+			 * don't work. Other software may also be affected so
+			 * call BIO_CTRL_INFO to retain compatibility with
+			 * previous behaviour and BIO_CTRL_WPENDING if we
+			 * get zero to address the PR#1949 case.
+			 */
+
+			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
+			if (num1 == 0)
+				num1=BIO_ctrl(s->wbio,BIO_CTRL_WPENDING,0,NULL);
 			if (num1 > 0)
 				{
 				s->rwstate=SSL_WRITING;
-- 
2.25.1