This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new baac872509 Code clean-up - formatting. No fucntional change.
baac872509 is described below
commit baac872509abd086d4e32546a0c59f6d14968011
Author: Mark Thomas <[email protected]>
AuthorDate: Thu May 22 11:56:57 2025 +0100
Code clean-up - formatting. No functional change.
---
java/org/apache/tomcat/jni/Buffer.java | 3 +-
.../org/apache/tomcat/jni/CertificateVerifier.java | 13 +-
java/org/apache/tomcat/jni/FileInfo.java | 7 +-
java/org/apache/tomcat/jni/Library.java | 46 +-
.../apache/tomcat/jni/LibraryNotFoundError.java | 10 +-
java/org/apache/tomcat/jni/Pool.java | 15 +-
java/org/apache/tomcat/jni/SSL.java | 515 ++++++++++++---------
java/org/apache/tomcat/jni/SSLConf.java | 38 +-
java/org/apache/tomcat/jni/SSLContext.java | 381 ++++++++-------
java/org/apache/tomcat/jni/Sockaddr.java | 7 +-
10 files changed, 541 insertions(+), 494 deletions(-)
diff --git a/java/org/apache/tomcat/jni/Buffer.java
b/java/org/apache/tomcat/jni/Buffer.java
index 15ce56968e..530021c5f5 100644
--- a/java/org/apache/tomcat/jni/Buffer.java
+++ b/java/org/apache/tomcat/jni/Buffer.java
@@ -19,8 +19,7 @@ package org.apache.tomcat.jni;
import java.nio.ByteBuffer;
/**
- * Provides utilities related to the use of directly allocated
- * {@link ByteBuffer} instances with native code.
+ * Provides utilities related to the use of directly allocated {@link
ByteBuffer} instances with native code.
*/
public class Buffer {
diff --git a/java/org/apache/tomcat/jni/CertificateVerifier.java
b/java/org/apache/tomcat/jni/CertificateVerifier.java
index b9b0d48290..d88fcde338 100644
--- a/java/org/apache/tomcat/jni/CertificateVerifier.java
+++ b/java/org/apache/tomcat/jni/CertificateVerifier.java
@@ -22,13 +22,14 @@ package org.apache.tomcat.jni;
public interface CertificateVerifier {
/**
- * Returns {@code true} if the passed in certificate chain could be
verified and so the handshake
- * should be successful, {@code false} otherwise.
+ * Returns {@code true} if the passed in certificate chain could be
verified and so the handshake should be
+ * successful, {@code false} otherwise.
*
- * @param ssl the SSL instance
- * @param x509 the {@code X509} certificate chain
- * @param authAlgorithm the auth algorithm
- * @return verified {@code true} if verified successful, {@code
false} otherwise
+ * @param ssl the SSL instance
+ * @param x509 the {@code X509} certificate chain
+ * @param authAlgorithm the auth algorithm
+ *
+ * @return verified {@code true} if verified successful, {@code false}
otherwise
*/
boolean verify(long ssl, byte[][] x509, String authAlgorithm);
}
diff --git a/java/org/apache/tomcat/jni/FileInfo.java
b/java/org/apache/tomcat/jni/FileInfo.java
index ff807e4a60..3ad4b53835 100644
--- a/java/org/apache/tomcat/jni/FileInfo.java
+++ b/java/org/apache/tomcat/jni/FileInfo.java
@@ -17,10 +17,9 @@
package org.apache.tomcat.jni;
/**
- * Tomcat Native 1.2.33 and earlier won't initialise unless this class is
- * present. This dummy class ensures initialisation gets as far as being able
to
- * check the version of the Tomcat Native library and reporting a version error
- * if 1.2.33 or earlier is present.
+ * Tomcat Native 1.2.33 and earlier won't initialise unless this class is
present. This dummy class ensures
+ * initialisation gets as far as being able to check the version of the Tomcat
Native library and reporting a version
+ * error if 1.2.33 or earlier is present.
*/
public class FileInfo {
diff --git a/java/org/apache/tomcat/jni/Library.java
b/java/org/apache/tomcat/jni/Library.java
index 72c4a7ec23..8b89ff73ac 100644
--- a/java/org/apache/tomcat/jni/Library.java
+++ b/java/org/apache/tomcat/jni/Library.java
@@ -21,7 +21,7 @@ import java.io.File;
public final class Library {
/* Default library names - use 2.x in preference to 1.x if both are
available */
- private static final String [] NAMES = {"tcnative-2", "libtcnative-2",
"tcnative-1", "libtcnative-1"};
+ private static final String[] NAMES = { "tcnative-2", "libtcnative-2",
"tcnative-1", "libtcnative-1" };
/* System property used to define CATALINA_HOME */
private static final String CATALINA_HOME_PROP = "catalina.home";
/*
@@ -56,7 +56,7 @@ public final class Library {
}
if (!loaded) {
String path = System.getProperty("java.library.path");
- String [] paths = path.split(File.pathSeparator);
+ String[] paths = path.split(File.pathSeparator);
for (String value : NAMES) {
try {
System.loadLibrary(value);
@@ -88,12 +88,11 @@ public final class Library {
names.append(name);
names.append(", ");
}
- throw new LibraryNotFoundError(names.substring(0, names.length()
-2), err.toString());
+ throw new LibraryNotFoundError(names.substring(0, names.length() -
2), err.toString());
}
}
- private Library(String libraryName)
- {
+ private Library(String libraryName) {
System.loadLibrary(libraryName);
}
@@ -101,43 +100,45 @@ public final class Library {
* Create Tomcat Native's global APR pool. This has to be the first call
to TCN library.
*/
private static native boolean initialize();
+
/**
* Destroys Tomcat Native's global APR pool. This has to be the last call
to TCN library. This will destroy any APR
* root pools that have not been explicitly destroyed.
*/
public static native void terminate();
+
/* Internal function for loading APR Features */
private static native int version(int what);
/* TCN_MAJOR_VERSION */
- public static int TCN_MAJOR_VERSION = 0;
+ public static int TCN_MAJOR_VERSION = 0;
/* TCN_MINOR_VERSION */
- public static int TCN_MINOR_VERSION = 0;
+ public static int TCN_MINOR_VERSION = 0;
/* TCN_PATCH_VERSION */
- public static int TCN_PATCH_VERSION = 0;
+ public static int TCN_PATCH_VERSION = 0;
/* TCN_IS_DEV_VERSION */
public static int TCN_IS_DEV_VERSION = 0;
/* APR_MAJOR_VERSION */
- public static int APR_MAJOR_VERSION = 0;
+ public static int APR_MAJOR_VERSION = 0;
/* APR_MINOR_VERSION */
- public static int APR_MINOR_VERSION = 0;
+ public static int APR_MINOR_VERSION = 0;
/* APR_PATCH_VERSION */
- public static int APR_PATCH_VERSION = 0;
+ public static int APR_PATCH_VERSION = 0;
/* APR_IS_DEV_VERSION */
public static int APR_IS_DEV_VERSION = 0;
/* TCN_VERSION_STRING */
public static native String versionString();
+
/* APR_VERSION_STRING */
public static native String aprVersionString();
/**
- * Setup any APR internal data structures. This MUST be the first function
- * called for any APR library.
+ * Setup any APR internal data structures. This MUST be the first function
called for any APR library.
+ *
* @param libraryName the name of the library to load
*
- * @return {@code true} if the native code was initialized successfully
- * otherwise {@code false}
+ * @return {@code true} if the native code was initialized successfully
otherwise {@code false}
*
* @throws Exception if a problem occurred during initialization
*/
@@ -148,18 +149,17 @@ public final class Library {
} else {
_instance = new Library(libraryName);
}
- TCN_MAJOR_VERSION = version(0x01);
- TCN_MINOR_VERSION = version(0x02);
- TCN_PATCH_VERSION = version(0x03);
+ TCN_MAJOR_VERSION = version(0x01);
+ TCN_MINOR_VERSION = version(0x02);
+ TCN_PATCH_VERSION = version(0x03);
TCN_IS_DEV_VERSION = version(0x04);
- APR_MAJOR_VERSION = version(0x11);
- APR_MINOR_VERSION = version(0x12);
- APR_PATCH_VERSION = version(0x13);
+ APR_MAJOR_VERSION = version(0x11);
+ APR_MINOR_VERSION = version(0x12);
+ APR_PATCH_VERSION = version(0x13);
APR_IS_DEV_VERSION = version(0x14);
if (APR_MAJOR_VERSION < 1) {
- throw new UnsatisfiedLinkError("Unsupported APR Version (" +
- aprVersionString() + ")");
+ throw new UnsatisfiedLinkError("Unsupported APR Version (" +
aprVersionString() + ")");
}
}
return initialize();
diff --git a/java/org/apache/tomcat/jni/LibraryNotFoundError.java
b/java/org/apache/tomcat/jni/LibraryNotFoundError.java
index a330394a91..3d0c160039 100644
--- a/java/org/apache/tomcat/jni/LibraryNotFoundError.java
+++ b/java/org/apache/tomcat/jni/LibraryNotFoundError.java
@@ -26,17 +26,15 @@ public class LibraryNotFoundError extends
UnsatisfiedLinkError {
private final String libraryNames;
/**
- * @param libraryNames A list of the file names of the native libraries
that
- * failed to load
- * @param errors A list of the error messages received when trying to load
- * each of the libraries
+ * @param libraryNames A list of the file names of the native libraries
that failed to load
+ * @param errors A list of the error messages received when trying
to load each of the libraries
*/
- public LibraryNotFoundError(String libraryNames, String errors){
+ public LibraryNotFoundError(String libraryNames, String errors) {
super(errors);
this.libraryNames = libraryNames;
}
- public String getLibraryNames(){
+ public String getLibraryNames() {
return libraryNames;
}
}
diff --git a/java/org/apache/tomcat/jni/Pool.java
b/java/org/apache/tomcat/jni/Pool.java
index 062c713bd8..628f99a5bd 100644
--- a/java/org/apache/tomcat/jni/Pool.java
+++ b/java/org/apache/tomcat/jni/Pool.java
@@ -17,26 +17,23 @@
package org.apache.tomcat.jni;
/**
- * Provides access to APR memory pools which are used to manage memory
- * allocations for natively created instances.
+ * Provides access to APR memory pools which are used to manage memory
allocations for natively created instances.
*/
public class Pool {
/**
* Create a new pool.
*
- * @param parent The parent pool. If this is 0, the new pool is a root
pool.
- * If it is non-zero, the new pool will inherit all of its
- * parent pool's attributes, except the apr_pool_t will be a
- * sub-pool.
+ * @param parent The parent pool. If this is 0, the new pool is a root
pool. If it is non-zero, the new pool will
+ * inherit all of its parent pool's attributes, except
the apr_pool_t will be a sub-pool.
*
* @return The pool we have just created.
- */
+ */
public static native long create(long parent);
/**
- * Destroy the pool. This takes similar action as apr_pool_clear() and then
- * frees all the memory. This will actually free the memory.
+ * Destroy the pool. This takes similar action as apr_pool_clear() and
then frees all the memory. This will actually
+ * free the memory.
*
* @param pool The pool to destroy
*/
diff --git a/java/org/apache/tomcat/jni/SSL.java
b/java/org/apache/tomcat/jni/SSL.java
index c047f11ec2..85d8799deb 100644
--- a/java/org/apache/tomcat/jni/SSL.java
+++ b/java/org/apache/tomcat/jni/SSL.java
@@ -21,55 +21,56 @@ public final class SSL {
/*
* Type definitions mostly from mod_ssl
*/
- public static final int UNSET = -1;
+ public static final int UNSET = -1;
/*
* Define the certificate algorithm types
*/
public static final int SSL_ALGO_UNKNOWN = 0;
- public static final int SSL_ALGO_RSA = (1<<0);
- public static final int SSL_ALGO_DSA = (1<<1);
- public static final int SSL_ALGO_ALL = (SSL_ALGO_RSA|SSL_ALGO_DSA);
-
- public static final int SSL_AIDX_RSA = 0;
- public static final int SSL_AIDX_DSA = 1;
- public static final int SSL_AIDX_ECC = 3;
- public static final int SSL_AIDX_MAX = 4;
+ public static final int SSL_ALGO_RSA = (1 << 0);
+ public static final int SSL_ALGO_DSA = (1 << 1);
+ public static final int SSL_ALGO_ALL = (SSL_ALGO_RSA | SSL_ALGO_DSA);
+
+ public static final int SSL_AIDX_RSA = 0;
+ public static final int SSL_AIDX_DSA = 1;
+ public static final int SSL_AIDX_ECC = 3;
+ public static final int SSL_AIDX_MAX = 4;
/*
* Define IDs for the temporary RSA keys and DH params
*/
- public static final int SSL_TMP_KEY_RSA_512 = 0;
+ public static final int SSL_TMP_KEY_RSA_512 = 0;
public static final int SSL_TMP_KEY_RSA_1024 = 1;
public static final int SSL_TMP_KEY_RSA_2048 = 2;
public static final int SSL_TMP_KEY_RSA_4096 = 3;
- public static final int SSL_TMP_KEY_DH_512 = 4;
- public static final int SSL_TMP_KEY_DH_1024 = 5;
- public static final int SSL_TMP_KEY_DH_2048 = 6;
- public static final int SSL_TMP_KEY_DH_4096 = 7;
- public static final int SSL_TMP_KEY_MAX = 8;
+ public static final int SSL_TMP_KEY_DH_512 = 4;
+ public static final int SSL_TMP_KEY_DH_1024 = 5;
+ public static final int SSL_TMP_KEY_DH_2048 = 6;
+ public static final int SSL_TMP_KEY_DH_4096 = 7;
+ public static final int SSL_TMP_KEY_MAX = 8;
/*
* Define the SSL options
*/
- public static final int SSL_OPT_NONE = 0;
- public static final int SSL_OPT_RELSET = (1<<0);
- public static final int SSL_OPT_STDENVVARS = (1<<1);
- public static final int SSL_OPT_EXPORTCERTDATA = (1<<3);
- public static final int SSL_OPT_FAKEBASICAUTH = (1<<4);
- public static final int SSL_OPT_STRICTREQUIRE = (1<<5);
- public static final int SSL_OPT_OPTRENEGOTIATE = (1<<6);
- public static final int SSL_OPT_ALL =
(SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE);
+ public static final int SSL_OPT_NONE = 0;
+ public static final int SSL_OPT_RELSET = (1 << 0);
+ public static final int SSL_OPT_STDENVVARS = (1 << 1);
+ public static final int SSL_OPT_EXPORTCERTDATA = (1 << 3);
+ public static final int SSL_OPT_FAKEBASICAUTH = (1 << 4);
+ public static final int SSL_OPT_STRICTREQUIRE = (1 << 5);
+ public static final int SSL_OPT_OPTRENEGOTIATE = (1 << 6);
+ public static final int SSL_OPT_ALL = (SSL_OPT_STDENVVARS |
SSL_OPT_EXPORTCERTDATA | SSL_OPT_FAKEBASICAUTH |
+ SSL_OPT_STRICTREQUIRE | SSL_OPT_OPTRENEGOTIATE);
/*
* Define the SSL Protocol options
*/
- public static final int SSL_PROTOCOL_NONE = 0;
- public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
- public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
- public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
- public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
- public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
- public static final int SSL_PROTOCOL_TLSV1_3 = (1<<5);
+ public static final int SSL_PROTOCOL_NONE = 0;
+ public static final int SSL_PROTOCOL_SSLV2 = (1 << 0);
+ public static final int SSL_PROTOCOL_SSLV3 = (1 << 1);
+ public static final int SSL_PROTOCOL_TLSV1 = (1 << 2);
+ public static final int SSL_PROTOCOL_TLSV1_1 = (1 << 3);
+ public static final int SSL_PROTOCOL_TLSV1_2 = (1 << 4);
+ public static final int SSL_PROTOCOL_TLSV1_3 = (1 << 5);
public static final int SSL_PROTOCOL_ALL =
(SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2
| SSL_PROTOCOL_TLSV1_3);
@@ -77,154 +78,159 @@ public final class SSL {
/*
* Define the SSL verify levels
*/
- public static final int SSL_CVERIFY_UNSET = UNSET;
- public static final int SSL_CVERIFY_NONE = 0;
- public static final int SSL_CVERIFY_OPTIONAL = 1;
- public static final int SSL_CVERIFY_REQUIRE = 2;
+ public static final int SSL_CVERIFY_UNSET = UNSET;
+ public static final int SSL_CVERIFY_NONE = 0;
+ public static final int SSL_CVERIFY_OPTIONAL = 1;
+ public static final int SSL_CVERIFY_REQUIRE = 2;
public static final int SSL_CVERIFY_OPTIONAL_NO_CA = 3;
- /* Use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
- * are 'ored' with SSL_VERIFY_PEER if they are desired
+ /*
+ * Use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options are
'ored' with SSL_VERIFY_PEER if they are
+ * desired
*/
- public static final int SSL_VERIFY_NONE = 0;
- public static final int SSL_VERIFY_PEER = 1;
+ public static final int SSL_VERIFY_NONE = 0;
+ public static final int SSL_VERIFY_PEER = 1;
public static final int SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2;
- public static final int SSL_VERIFY_CLIENT_ONCE = 4;
- public static final int SSL_VERIFY_PEER_STRICT =
(SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+ public static final int SSL_VERIFY_CLIENT_ONCE = 4;
+ public static final int SSL_VERIFY_PEER_STRICT = (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
- public static final int SSL_OP_MICROSOFT_SESS_ID_BUG =
0x00000001;
- public static final int SSL_OP_NETSCAPE_CHALLENGE_BUG =
0x00000002;
+ public static final int SSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001;
+ public static final int SSL_OP_NETSCAPE_CHALLENGE_BUG = 0x00000002;
public static final int SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG =
0x00000008;
- public static final int SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG =
0x00000010;
- public static final int SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER =
0x00000020;
- public static final int SSL_OP_MSIE_SSLV2_RSA_PADDING =
0x00000040;
- public static final int SSL_OP_SSLEAY_080_CLIENT_DH_BUG =
0x00000080;
- public static final int SSL_OP_TLS_D5_BUG =
0x00000100;
- public static final int SSL_OP_TLS_BLOCK_PADDING_BUG =
0x00000200;
-
- /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
- * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
- * the workaround is not needed. Unfortunately some broken SSL/TLS
- * implementations cannot handle it at all, which is why we include
- * it in SSL_OP_ALL. */
- public static final int SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS =
0x00000800;
-
- /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
- * This used to be 0x000FFFFFL before 0.9.7. */
- public static final int SSL_OP_ALL =
0x00000FFF;
+ public static final int SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000010;
+ public static final int SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 0x00000020;
+ public static final int SSL_OP_MSIE_SSLV2_RSA_PADDING = 0x00000040;
+ public static final int SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 0x00000080;
+ public static final int SSL_OP_TLS_D5_BUG = 0x00000100;
+ public static final int SSL_OP_TLS_BLOCK_PADDING_BUG = 0x00000200;
+
+ /*
+ * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
OpenSSL 0.9.6d. Usually (depending on the
+ * application protocol) the workaround is not needed. Unfortunately some
broken SSL/TLS implementations cannot
+ * handle it at all, which is why we include it in SSL_OP_ALL.
+ */
+ public static final int SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800;
+
+ /*
+ * SSL_OP_ALL: various bug workarounds that should be rather harmless.
This used to be 0x000FFFFFL before 0.9.7.
+ */
+ public static final int SSL_OP_ALL = 0x00000FFF;
/* As server, disallow session resumption on renegotiation */
public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
0x00010000;
/* Don't use compression even if supported */
- public static final int SSL_OP_NO_COMPRESSION =
0x00020000;
+ public static final int SSL_OP_NO_COMPRESSION = 0x00020000;
/* Permit unsafe legacy renegotiation */
- public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
0x00040000;
+ public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
0x00040000;
/* If set, always create a new key when using tmp_eddh parameters */
- public static final int SSL_OP_SINGLE_ECDH_USE =
0x00080000;
+ public static final int SSL_OP_SINGLE_ECDH_USE = 0x00080000;
/* If set, always create a new key when using tmp_dh parameters */
- public static final int SSL_OP_SINGLE_DH_USE =
0x00100000;
- /* Set to always use the tmp_rsa key when doing RSA operations,
- * even when this violates protocol specs */
- public static final int SSL_OP_EPHEMERAL_RSA =
0x00200000;
- /* Set on servers to choose the cipher according to the server's
- * preferences */
- public static final int SSL_OP_CIPHER_SERVER_PREFERENCE =
0x00400000;
- /* If set, a server will allow a client to issue an SSLv3.0 version number
- * as latest version supported in the premaster secret, even when TLSv1.0
- * (version 3.1) was announced in the client hello. Normally this is
- * forbidden to prevent version rollback attacks. */
- public static final int SSL_OP_TLS_ROLLBACK_BUG =
0x00800000;
-
- public static final int SSL_OP_NO_SSLv2 =
0x01000000;
- public static final int SSL_OP_NO_SSLv3 =
0x02000000;
- public static final int SSL_OP_NO_TLSv1 =
0x04000000;
- public static final int SSL_OP_NO_TLSv1_2 =
0x08000000;
- public static final int SSL_OP_NO_TLSv1_1 =
0x10000000;
-
- public static final int SSL_OP_NO_TICKET =
0x00004000;
-
- public static final int SSL_OP_NETSCAPE_CA_DN_BUG =
0x20000000;
- public static final int SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG =
0x40000000;
-
- public static final int SSL_CRT_FORMAT_UNDEF = 0;
- public static final int SSL_CRT_FORMAT_ASN1 = 1;
- public static final int SSL_CRT_FORMAT_TEXT = 2;
- public static final int SSL_CRT_FORMAT_PEM = 3;
+ public static final int SSL_OP_SINGLE_DH_USE = 0x00100000;
+ /*
+ * Set to always use the tmp_rsa key when doing RSA operations, even when
this violates protocol specs
+ */
+ public static final int SSL_OP_EPHEMERAL_RSA = 0x00200000;
+ /*
+ * Set on servers to choose the cipher according to the server's
preferences
+ */
+ public static final int SSL_OP_CIPHER_SERVER_PREFERENCE = 0x00400000;
+ /*
+ * If set, a server will allow a client to issue an SSLv3.0 version number
as latest version supported in the
+ * premaster secret, even when TLSv1.0 (version 3.1) was announced in the
client hello. Normally this is forbidden
+ * to prevent version rollback attacks.
+ */
+ public static final int SSL_OP_TLS_ROLLBACK_BUG = 0x00800000;
+
+ public static final int SSL_OP_NO_SSLv2 = 0x01000000;
+ public static final int SSL_OP_NO_SSLv3 = 0x02000000;
+ public static final int SSL_OP_NO_TLSv1 = 0x04000000;
+ public static final int SSL_OP_NO_TLSv1_2 = 0x08000000;
+ public static final int SSL_OP_NO_TLSv1_1 = 0x10000000;
+
+ public static final int SSL_OP_NO_TICKET = 0x00004000;
+
+ public static final int SSL_OP_NETSCAPE_CA_DN_BUG = 0x20000000;
+ public static final int SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG =
0x40000000;
+
+ public static final int SSL_CRT_FORMAT_UNDEF = 0;
+ public static final int SSL_CRT_FORMAT_ASN1 = 1;
+ public static final int SSL_CRT_FORMAT_TEXT = 2;
+ public static final int SSL_CRT_FORMAT_PEM = 3;
public static final int SSL_CRT_FORMAT_NETSCAPE = 4;
- public static final int SSL_CRT_FORMAT_PKCS12 = 5;
- public static final int SSL_CRT_FORMAT_SMIME = 6;
- public static final int SSL_CRT_FORMAT_ENGINE = 7;
-
- public static final int SSL_MODE_CLIENT = 0;
- public static final int SSL_MODE_SERVER = 1;
- public static final int SSL_MODE_COMBINED = 2;
-
- public static final int SSL_CONF_FLAG_CMDLINE = 0x0001;
- public static final int SSL_CONF_FLAG_FILE = 0x0002;
- public static final int SSL_CONF_FLAG_CLIENT = 0x0004;
- public static final int SSL_CONF_FLAG_SERVER = 0x0008;
- public static final int SSL_CONF_FLAG_SHOW_ERRORS = 0x0010;
- public static final int SSL_CONF_FLAG_CERTIFICATE = 0x0020;
-
- public static final int SSL_CONF_TYPE_UNKNOWN = 0x0000;
- public static final int SSL_CONF_TYPE_STRING = 0x0001;
- public static final int SSL_CONF_TYPE_FILE = 0x0002;
- public static final int SSL_CONF_TYPE_DIR = 0x0003;
-
- public static final int SSL_SHUTDOWN_TYPE_UNSET = 0;
+ public static final int SSL_CRT_FORMAT_PKCS12 = 5;
+ public static final int SSL_CRT_FORMAT_SMIME = 6;
+ public static final int SSL_CRT_FORMAT_ENGINE = 7;
+
+ public static final int SSL_MODE_CLIENT = 0;
+ public static final int SSL_MODE_SERVER = 1;
+ public static final int SSL_MODE_COMBINED = 2;
+
+ public static final int SSL_CONF_FLAG_CMDLINE = 0x0001;
+ public static final int SSL_CONF_FLAG_FILE = 0x0002;
+ public static final int SSL_CONF_FLAG_CLIENT = 0x0004;
+ public static final int SSL_CONF_FLAG_SERVER = 0x0008;
+ public static final int SSL_CONF_FLAG_SHOW_ERRORS = 0x0010;
+ public static final int SSL_CONF_FLAG_CERTIFICATE = 0x0020;
+
+ public static final int SSL_CONF_TYPE_UNKNOWN = 0x0000;
+ public static final int SSL_CONF_TYPE_STRING = 0x0001;
+ public static final int SSL_CONF_TYPE_FILE = 0x0002;
+ public static final int SSL_CONF_TYPE_DIR = 0x0003;
+
+ public static final int SSL_SHUTDOWN_TYPE_UNSET = 0;
public static final int SSL_SHUTDOWN_TYPE_STANDARD = 1;
- public static final int SSL_SHUTDOWN_TYPE_UNCLEAN = 2;
+ public static final int SSL_SHUTDOWN_TYPE_UNCLEAN = 2;
public static final int SSL_SHUTDOWN_TYPE_ACCURATE = 3;
- public static final int SSL_INFO_SESSION_ID = 0x0001;
- public static final int SSL_INFO_CIPHER = 0x0002;
- public static final int SSL_INFO_CIPHER_USEKEYSIZE = 0x0003;
- public static final int SSL_INFO_CIPHER_ALGKEYSIZE = 0x0004;
- public static final int SSL_INFO_CIPHER_VERSION = 0x0005;
- public static final int SSL_INFO_CIPHER_DESCRIPTION = 0x0006;
- public static final int SSL_INFO_PROTOCOL = 0x0007;
-
- /* To obtain the CountryName of the Client Certificate Issuer
- * use the SSL_INFO_CLIENT_I_DN + SSL_INFO_DN_COUNTRYNAME
- */
- public static final int SSL_INFO_CLIENT_S_DN = 0x0010;
- public static final int SSL_INFO_CLIENT_I_DN = 0x0020;
- public static final int SSL_INFO_SERVER_S_DN = 0x0040;
- public static final int SSL_INFO_SERVER_I_DN = 0x0080;
-
- public static final int SSL_INFO_DN_COUNTRYNAME = 0x0001;
- public static final int SSL_INFO_DN_STATEORPROVINCENAME = 0x0002;
- public static final int SSL_INFO_DN_LOCALITYNAME = 0x0003;
- public static final int SSL_INFO_DN_ORGANIZATIONNAME = 0x0004;
+ public static final int SSL_INFO_SESSION_ID = 0x0001;
+ public static final int SSL_INFO_CIPHER = 0x0002;
+ public static final int SSL_INFO_CIPHER_USEKEYSIZE = 0x0003;
+ public static final int SSL_INFO_CIPHER_ALGKEYSIZE = 0x0004;
+ public static final int SSL_INFO_CIPHER_VERSION = 0x0005;
+ public static final int SSL_INFO_CIPHER_DESCRIPTION = 0x0006;
+ public static final int SSL_INFO_PROTOCOL = 0x0007;
+
+ /*
+ * To obtain the CountryName of the Client Certificate Issuer use the
SSL_INFO_CLIENT_I_DN + SSL_INFO_DN_COUNTRYNAME
+ */
+ public static final int SSL_INFO_CLIENT_S_DN = 0x0010;
+ public static final int SSL_INFO_CLIENT_I_DN = 0x0020;
+ public static final int SSL_INFO_SERVER_S_DN = 0x0040;
+ public static final int SSL_INFO_SERVER_I_DN = 0x0080;
+
+ public static final int SSL_INFO_DN_COUNTRYNAME = 0x0001;
+ public static final int SSL_INFO_DN_STATEORPROVINCENAME = 0x0002;
+ public static final int SSL_INFO_DN_LOCALITYNAME = 0x0003;
+ public static final int SSL_INFO_DN_ORGANIZATIONNAME = 0x0004;
public static final int SSL_INFO_DN_ORGANIZATIONALUNITNAME = 0x0005;
- public static final int SSL_INFO_DN_COMMONNAME = 0x0006;
- public static final int SSL_INFO_DN_TITLE = 0x0007;
- public static final int SSL_INFO_DN_INITIALS = 0x0008;
- public static final int SSL_INFO_DN_GIVENNAME = 0x0009;
- public static final int SSL_INFO_DN_SURNAME = 0x000A;
- public static final int SSL_INFO_DN_DESCRIPTION = 0x000B;
- public static final int SSL_INFO_DN_UNIQUEIDENTIFIER = 0x000C;
- public static final int SSL_INFO_DN_EMAILADDRESS = 0x000D;
-
- public static final int SSL_INFO_CLIENT_M_VERSION = 0x0101;
- public static final int SSL_INFO_CLIENT_M_SERIAL = 0x0102;
- public static final int SSL_INFO_CLIENT_V_START = 0x0103;
- public static final int SSL_INFO_CLIENT_V_END = 0x0104;
- public static final int SSL_INFO_CLIENT_A_SIG = 0x0105;
- public static final int SSL_INFO_CLIENT_A_KEY = 0x0106;
- public static final int SSL_INFO_CLIENT_CERT = 0x0107;
- public static final int SSL_INFO_CLIENT_V_REMAIN = 0x0108;
-
- public static final int SSL_INFO_SERVER_M_VERSION = 0x0201;
- public static final int SSL_INFO_SERVER_M_SERIAL = 0x0202;
- public static final int SSL_INFO_SERVER_V_START = 0x0203;
- public static final int SSL_INFO_SERVER_V_END = 0x0204;
- public static final int SSL_INFO_SERVER_A_SIG = 0x0205;
- public static final int SSL_INFO_SERVER_A_KEY = 0x0206;
- public static final int SSL_INFO_SERVER_CERT = 0x0207;
- /* Return client certificate chain.
- * Add certificate chain number to that flag (0 ... verify depth)
- */
- public static final int SSL_INFO_CLIENT_CERT_CHAIN = 0x0400;
+ public static final int SSL_INFO_DN_COMMONNAME = 0x0006;
+ public static final int SSL_INFO_DN_TITLE = 0x0007;
+ public static final int SSL_INFO_DN_INITIALS = 0x0008;
+ public static final int SSL_INFO_DN_GIVENNAME = 0x0009;
+ public static final int SSL_INFO_DN_SURNAME = 0x000A;
+ public static final int SSL_INFO_DN_DESCRIPTION = 0x000B;
+ public static final int SSL_INFO_DN_UNIQUEIDENTIFIER = 0x000C;
+ public static final int SSL_INFO_DN_EMAILADDRESS = 0x000D;
+
+ public static final int SSL_INFO_CLIENT_M_VERSION = 0x0101;
+ public static final int SSL_INFO_CLIENT_M_SERIAL = 0x0102;
+ public static final int SSL_INFO_CLIENT_V_START = 0x0103;
+ public static final int SSL_INFO_CLIENT_V_END = 0x0104;
+ public static final int SSL_INFO_CLIENT_A_SIG = 0x0105;
+ public static final int SSL_INFO_CLIENT_A_KEY = 0x0106;
+ public static final int SSL_INFO_CLIENT_CERT = 0x0107;
+ public static final int SSL_INFO_CLIENT_V_REMAIN = 0x0108;
+
+ public static final int SSL_INFO_SERVER_M_VERSION = 0x0201;
+ public static final int SSL_INFO_SERVER_M_SERIAL = 0x0202;
+ public static final int SSL_INFO_SERVER_V_START = 0x0203;
+ public static final int SSL_INFO_SERVER_V_END = 0x0204;
+ public static final int SSL_INFO_SERVER_A_SIG = 0x0205;
+ public static final int SSL_INFO_SERVER_A_KEY = 0x0206;
+ public static final int SSL_INFO_SERVER_CERT = 0x0207;
+ /*
+ * Return client certificate chain. Add certificate chain number to that
flag (0 ... verify depth)
+ */
+ public static final int SSL_INFO_CLIENT_CERT_CHAIN = 0x0400;
/* Only support OFF and SERVER for now */
public static final long SSL_SESS_CACHE_OFF = 0x0000;
@@ -240,12 +246,12 @@ public final class SSL {
public static native String versionString();
/**
- * Initialize OpenSSL support.
- * This function needs to be called once for the
- * lifetime of JVM. Library.init() has to be called before.
- * @param engine Support for external a Crypto Device ("engine"),
- * usually
- * a hardware accelerator card for crypto operations.
+ * Initialize OpenSSL support. This function needs to be called once for
the lifetime of JVM. Library.init() has to
+ * be called before.
+ *
+ * @param engine Support for external a Crypto Device ("engine"), usually
a hardware accelerator card for crypto
+ * operations.
+ *
* @return APR status code
*/
public static native int initialize(String engine);
@@ -253,9 +259,11 @@ public final class SSL {
/**
* Get the status of FIPS Mode.
*
- * @return FIPS_mode return code. It is <code>0</code> if OpenSSL is not
- * in FIPS mode, <code>1</code> if OpenSSL is in FIPS Mode.
+ * @return FIPS_mode return code. It is <code>0</code> if OpenSSL is not
in FIPS mode, <code>1</code> if OpenSSL is
+ * in FIPS Mode.
+ *
* @throws Exception If tcnative was not compiled with FIPS Mode available.
+ *
* @see <a
href="http://wiki.openssl.org/index.php/FIPS_mode%28%29">OpenSSL method
FIPS_mode()</a>
*/
public static native int fipsModeGet() throws Exception;
@@ -266,8 +274,10 @@ public final class SSL {
* @param mode 1 - enable, 0 - disable
*
* @return FIPS_mode_set return code
- * @throws Exception If tcnative was not compiled with FIPS Mode available,
- * or if {@code FIPS_mode_set()} call returned an error value.
+ *
+ * @throws Exception If tcnative was not compiled with FIPS Mode
available, or if {@code FIPS_mode_set()} call
+ * returned an error value.
+ *
* @see <a
href="http://wiki.openssl.org/index.php/FIPS_mode_set%28%29">OpenSSL method
FIPS_mode_set()</a>
*/
public static native int fipsModeSet(int mode) throws Exception;
@@ -275,15 +285,16 @@ public final class SSL {
/**
* Sets global random filename.
*
- * @param filename Filename to use.
- * If set it will be used for SSL initialization
- * and all contexts where explicitly not set.
+ * @param filename Filename to use. If set it will be used for SSL
initialization and all contexts where explicitly
+ * not set.
*/
public static native void randSet(String filename);
/**
* Return the handshake completed count.
+ *
* @param ssl SSL pointer
+ *
* @return the count
*/
public static native int getHandshakeCount(long ssl);
@@ -295,84 +306,101 @@ public final class SSL {
public static final int SSL_SENT_SHUTDOWN = 1;
public static final int SSL_RECEIVED_SHUTDOWN = 2;
- public static final int SSL_ERROR_NONE = 0;
- public static final int SSL_ERROR_SSL = 1;
- public static final int SSL_ERROR_WANT_READ = 2;
- public static final int SSL_ERROR_WANT_WRITE = 3;
+ public static final int SSL_ERROR_NONE = 0;
+ public static final int SSL_ERROR_SSL = 1;
+ public static final int SSL_ERROR_WANT_READ = 2;
+ public static final int SSL_ERROR_WANT_WRITE = 3;
public static final int SSL_ERROR_WANT_X509_LOOKUP = 4;
- public static final int SSL_ERROR_SYSCALL = 5; /* look at error
stack/return value/errno */
- public static final int SSL_ERROR_ZERO_RETURN = 6;
- public static final int SSL_ERROR_WANT_CONNECT = 7;
- public static final int SSL_ERROR_WANT_ACCEPT = 8;
+ public static final int SSL_ERROR_SYSCALL = 5; /* look at error
stack/return value/errno */
+ public static final int SSL_ERROR_ZERO_RETURN = 6;
+ public static final int SSL_ERROR_WANT_CONNECT = 7;
+ public static final int SSL_ERROR_WANT_ACCEPT = 8;
/**
* SSL_new
- * @param ctx Server or Client context to use.
- * @param server if true configure SSL instance to use accept handshake
routines
- * if false configure SSL instance to use connect handshake
routines
+ *
+ * @param ctx Server or Client context to use.
+ * @param server if true configure SSL instance to use accept handshake
routines if false configure SSL instance to
+ * use connect handshake routines
+ *
* @return pointer to SSL instance (SSL *)
*/
public static native long newSSL(long ctx, boolean server);
/**
* BIO_ctrl_pending.
+ *
* @param bio BIO pointer (BIO *)
+ *
* @return the pending bytes count
*/
public static native int pendingWrittenBytesInBIO(long bio);
/**
* SSL_pending.
+ *
* @param ssl SSL pointer (SSL *)
+ *
* @return the pending bytes count
*/
public static native int pendingReadableBytesInSSL(long ssl);
/**
* BIO_write.
- * @param bio BIO pointer
+ *
+ * @param bio BIO pointer
* @param wbuf Buffer pointer
* @param wlen Write length
+ *
* @return the bytes count written
*/
public static native int writeToBIO(long bio, long wbuf, int wlen);
/**
* BIO_read.
- * @param bio BIO pointer
+ *
+ * @param bio BIO pointer
* @param rbuf Buffer pointer
* @param rlen Read length
+ *
* @return the bytes count read
*/
public static native int readFromBIO(long bio, long rbuf, int rlen);
/**
* SSL_write.
- * @param ssl the SSL instance (SSL *)
+ *
+ * @param ssl the SSL instance (SSL *)
* @param wbuf Buffer pointer
* @param wlen Write length
+ *
* @return the bytes count written
*/
public static native int writeToSSL(long ssl, long wbuf, int wlen);
/**
* SSL_read
- * @param ssl the SSL instance (SSL *)
+ *
+ * @param ssl the SSL instance (SSL *)
* @param rbuf Buffer pointer
* @param rlen Read length
+ *
* @return the bytes count read
*/
public static native int readFromSSL(long ssl, long rbuf, int rlen);
/**
* SSL_get_shutdown
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the operation status
*/
public static native int getShutdown(long ssl);
/**
* SSL_free
+ *
* @param ssl the SSL instance (SSL *)
*/
public static native void freeSSL(long ssl);
@@ -382,86 +410,106 @@ public final class SSL {
* <p>
* <b>Warning: you must explicitly free this resource by calling
freeBIO</b>
* <p>
- * While the SSL's internal/application data BIO will be freed when
freeSSL is called on
- * the provided SSL instance, you must call freeBIO on the returned
network BIO.
+ * While the SSL's internal/application data BIO will be freed when
freeSSL is called on the provided SSL instance,
+ * you must call freeBIO on the returned network BIO.
*
* @param ssl the SSL instance (SSL *)
+ *
* @return pointer to the Network BIO (BIO *)
*/
public static native long makeNetworkBIO(long ssl);
/**
* BIO_free
+ *
* @param bio BIO pointer
*/
public static native void freeBIO(long bio);
/**
* SSL_shutdown
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the operation status
*/
public static native int shutdownSSL(long ssl);
/**
- * Get the error number representing the last error OpenSSL encountered on
- * this thread.
+ * Get the error number representing the last error OpenSSL encountered on
this thread.
+ *
* @return the last error number
*/
public static native int getLastErrorNumber();
/**
* SSL_get_cipher.
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the cipher name
*/
public static native String getCipherForSSL(long ssl);
/**
* SSL_get_version
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the SSL version in use
*/
public static native String getVersion(long ssl);
/**
* SSL_do_handshake
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the handshake status
*/
public static native int doHandshake(long ssl);
/**
* SSL_renegotiate
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the operation status
*/
public static native int renegotiate(long ssl);
/**
* SSL_renegotiate_pending
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the operation status
*/
public static native int renegotiatePending(long ssl);
/**
* SSL_verify_client_post_handshake
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the operation status
*/
public static native int verifyClientPostHandshake(long ssl);
/**
* Is post handshake authentication in progress on this connection?
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the operation status
*/
public static native int getPostHandshakeAuthInProgress(long ssl);
/**
* SSL_in_init.
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the status
*/
public static native int isInInit(long ssl);
@@ -472,52 +520,59 @@ public final class SSL {
/**
* SSL_get0_alpn_selected
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the ALPN protocol negotiated
*/
public static native String getAlpnSelected(long ssl);
/**
* Get the peer certificate chain or {@code null} if none was sent.
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the certificate chain bytes
*/
public static native byte[][] getPeerCertChain(long ssl);
/**
* Get the peer certificate or {@code null} if none was sent.
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return the certificate bytes
*/
public static native byte[] getPeerCertificate(long ssl);
/**
* Get the error number representing for the given {@code errorNumber}.
+ *
* @param errorNumber The error code
+ *
* @return an error message
*/
public static native String getErrorString(long errorNumber);
/**
* SSL_get_time
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return returns the time at which the session ssl was established. The
time is given in seconds since the Epoch
*/
public static native long getTime(long ssl);
/**
- * Set Type of Client Certificate verification and Maximum depth of CA
Certificates
- * in Client Certificate verification.
- * <br>
- * This directive sets the Certificate verification level for the Client
- * Authentication. Notice that this directive can be used both in
per-server
- * and per-directory context. In per-server context it applies to the
client
- * authentication process used in the standard SSL handshake when a
connection
- * is established. In per-directory context it forces an SSL renegotiation
with
- * the reconfigured client verification level after the HTTP request was
read
- * but before the HTTP response is sent.
- * <br>
+ * Set Type of Client Certificate verification and Maximum depth of CA
Certificates in Client Certificate
+ * verification. <br>
+ * This directive sets the Certificate verification level for the Client
Authentication. Notice that this directive
+ * can be used both in per-server and per-directory context. In per-server
context it applies to the client
+ * authentication process used in the standard SSL handshake when a
connection is established. In per-directory
+ * context it forces an SSL renegotiation with the reconfigured client
verification level after the HTTP request was
+ * read but before the HTTP response is sent. <br>
* The following levels are available for level:
+ *
* <pre>
* SSL_CVERIFY_NONE - No client Certificate is required at all
* SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate
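Review bot: The reflowed Javadoc for `getErrorString` still carries a garbled summary, `Get the error number representing for the given {@code errorNumber}`, which describes an error number while the method returns a `String` and its `@return` says `an error message`. Suggest `Get the human-readable error string for the given {@code errorNumber}.` so the summary matches the signature. The `setVerify` Javadoc at the bottom of this hunk continues into the next hunk, so its wording is not covered here.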
@@ -525,66 +580,68 @@ public final class SSL {
* SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate
* but it need not to be (successfully)
verifiable
* </pre>
+ *
* <br>
- * The depth actually is the maximum number of intermediate certificate
issuers,
- * i.e. the number of CA certificates which are max allowed to be followed
while
- * verifying the client certificate. A depth of 0 means that self-signed
client
- * certificates are accepted only, the default depth of 1 means the client
- * certificate can be self-signed or has to be signed by a CA which is
directly
- * known to the server (i.e. the CA's certificate is under
+ * The depth actually is the maximum number of intermediate certificate
issuers, i.e. the number of CA certificates
+ * which are max allowed to be followed while verifying the client
certificate. A depth of 0 means that self-signed
+ * client certificates are accepted only, the default depth of 1 means the
client certificate can be self-signed or
+ * has to be signed by a CA which is directly known to the server (i.e.
the CA's certificate is under
* {@code setCACertificatePath}, etc).
*
- * @param ssl the SSL instance (SSL *)
+ * @param ssl the SSL instance (SSL *)
* @param level Type of Client Certificate verification.
- * @param depth Maximum depth of CA Certificates in Client Certificate
- * verification.
+ * @param depth Maximum depth of CA Certificates in Client Certificate
verification.
*/
public static native void setVerify(long ssl, int level, int depth);
/**
* Set OpenSSL Option.
- * @param ssl the SSL instance (SSL *)
- * @param options See SSL.SSL_OP_* for option flags.
+ *
+ * @param ssl the SSL instance (SSL *)
+ * @param options See SSL.SSL_OP_* for option flags.
*/
public static native void setOptions(long ssl, int options);
/**
* Get OpenSSL Option.
+ *
* @param ssl the SSL instance (SSL *)
- * @return options See SSL.SSL_OP_* for option flags.
+ *
+ * @return options See SSL.SSL_OP_* for option flags.
*/
public static native int getOptions(long ssl);
/**
* Returns all cipher suites that are enabled for negotiation in an SSL
handshake.
+ *
* @param ssl the SSL instance (SSL *)
+ *
* @return ciphers
*/
public static native String[] getCiphers(long ssl);
/**
- * Returns the cipher suites available for negotiation in SSL handshake.
- * <br>
- * This complex directive uses a colon-separated cipher-spec string
consisting
- * of OpenSSL cipher specifications to configure the Cipher Suite the
client
- * is permitted to negotiate in the SSL handshake phase. Notice that this
- * directive can be used both in per-server and per-directory context.
- * In per-server context it applies to the standard SSL handshake when a
- * connection is established. In per-directory context it forces an SSL
- * renegotiation with the reconfigured Cipher Suite after the HTTP request
- * was read but before the HTTP response is sent.
- * @param ssl the SSL instance (SSL *)
+ * Returns the cipher suites available for negotiation in SSL handshake.
<br>
+ * This complex directive uses a colon-separated cipher-spec string
consisting of OpenSSL cipher specifications to
+ * configure the Cipher Suite the client is permitted to negotiate in the
SSL handshake phase. Notice that this
+ * directive can be used both in per-server and per-directory context. In
per-server context it applies to the
+ * standard SSL handshake when a connection is established. In
per-directory context it forces an SSL renegotiation
+ * with the reconfigured Cipher Suite after the HTTP request was read but
before the HTTP response is sent.
+ *
+ * @param ssl the SSL instance (SSL *)
* @param ciphers an SSL cipher specification
+ *
* @return <code>true</code> if the operation was successful
+ *
* @throws Exception An error occurred
*/
- public static native boolean setCipherSuites(long ssl, String ciphers)
- throws Exception;
+ public static native boolean setCipherSuites(long ssl, String ciphers)
throws Exception;
/**
* Returns the ID of the session as byte array representation.
*
* @param ssl the SSL instance (SSL *)
+ *
* @return the session as byte array representation obtained via
SSL_SESSION_get_id.
*/
public static native byte[] getSessionId(long ssl);
diff --git a/java/org/apache/tomcat/jni/SSLConf.java
b/java/org/apache/tomcat/jni/SSLConf.java
index 2e429a5cdc..0ba3f18195 100644
--- a/java/org/apache/tomcat/jni/SSLConf.java
+++ b/java/org/apache/tomcat/jni/SSLConf.java
@@ -21,10 +21,10 @@ public final class SSLConf {
/**
* Create a new SSL_CONF context.
*
- * @param pool The pool to use.
- * @param flags The SSL_CONF flags to use. It can be any combination of
- * the following:
- * <PRE>
+ * @param pool The pool to use.
+ * @param flags The SSL_CONF flags to use. It can be any combination of
the following:
+ *
+ * <PRE>
* {@link SSL#SSL_CONF_FLAG_CMDLINE}
* {@link SSL#SSL_CONF_FLAG_FILE}
* {@link SSL#SSL_CONF_FLAG_CLIENT}
@@ -33,13 +33,13 @@ public final class SSLConf {
* {@link SSL#SSL_CONF_FLAG_CERTIFICATE}
* </PRE>
*
- * @return The Java representation of a pointer to the newly created
- * SSL_CONF Context
+ * @return The Java representation of a pointer to the newly created
SSL_CONF Context
*
* @throws Exception If the SSL_CONF context could not be created
*
* @see <a
href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_new.html">OpenSSL
SSL_CONF_CTX_new</a>
- * @see <a
href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_set_flags.html">OpenSSL
SSL_CONF_CTX_set_flags</a>
+ * @see <a
href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_set_flags.html">OpenSSL
+ * SSL_CONF_CTX_set_flags</a>
*/
public static native long make(long pool, int flags) throws Exception;
@@ -55,13 +55,12 @@ public final class SSLConf {
/**
* Check a command with an SSL_CONF context.
*
- * @param cctx SSL_CONF context to use.
- * @param name command name.
+ * @param cctx SSL_CONF context to use.
+ * @param name command name.
* @param value command value.
*
- * @return The result of the check based on the {@code
SSL_CONF_cmd_value_type}
- * call. Unknown types will result in an exception, as well as
- * file and directory types with invalid file or directory names.
+ * @return The result of the check based on the {@code
SSL_CONF_cmd_value_type} call. Unknown types will result in
+ * an exception, as well as file and directory types with
invalid file or directory names.
*
* @throws Exception If the check fails.
*
@@ -70,22 +69,22 @@ public final class SSLConf {
public static native int check(long cctx, String name, String value)
throws Exception;
/**
- * Assign an SSL context to an SSL_CONF context.
- * All following calls to {@link #apply(long, String, String)} will be
+ * Assign an SSL context to an SSL_CONF context. All following calls to
{@link #apply(long, String, String)} will be
* applied to this SSL context.
*
* @param cctx SSL_CONF context to use.
- * @param ctx SSL context to assign to the given SSL_CONF context.
+ * @param ctx SSL context to assign to the given SSL_CONF context.
*
- * @see <a
href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_set_ssl_ctx.html">OpenSSL
SSL_CONF_CTX_set_ssl_ctx</a>
+ * @see <a
href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_set_ssl_ctx.html">OpenSSL
+ * SSL_CONF_CTX_set_ssl_ctx</a>
*/
public static native void assign(long cctx, long ctx);
/**
* Apply a command to an SSL_CONF context.
*
- * @param cctx SSL_CONF context to use.
- * @param name command name.
+ * @param cctx SSL_CONF context to use.
+ * @param name command name.
* @param value command value.
*
* @return The result of the native {@code SSL_CONF_cmd} call
@@ -103,7 +102,8 @@ public final class SSLConf {
*
* @return The result of the native {@code SSL_CONF_CTX_finish} call
*
- * @see <a
href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_set_flags.html">OpenSSL
SSL_CONF_CTX_finish</a>
+ * @see <a
href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_set_flags.html">OpenSSL
+ * SSL_CONF_CTX_finish</a>
*/
public static native int finish(long cctx);
diff --git a/java/org/apache/tomcat/jni/SSLContext.java
b/java/org/apache/tomcat/jni/SSLContext.java
index e064d9272c..bb56d1afc1 100644
--- a/java/org/apache/tomcat/jni/SSLContext.java
+++ b/java/org/apache/tomcat/jni/SSLContext.java
@@ -22,16 +22,15 @@ import java.util.concurrent.ConcurrentHashMap;
public final class SSLContext {
- public static final byte[] DEFAULT_SESSION_ID_CONTEXT =
- new byte[] { 'd', 'e', 'f', 'a', 'u', 'l', 't' };
+ public static final byte[] DEFAULT_SESSION_ID_CONTEXT = new byte[] { 'd',
'e', 'f', 'a', 'u', 'l', 't' };
/**
* Create a new SSL context.
*
- * @param pool The pool to use.
- * @param protocol The SSL protocol to use. It can be any combination of
- * the following:
- * <PRE>
+ * @param pool The pool to use.
+ * @param protocol The SSL protocol to use. It can be any combination of
the following:
+ *
+ * <PRE>
* {@link SSL#SSL_PROTOCOL_SSLV2}
* {@link SSL#SSL_PROTOCOL_SSLV3}
* {@link SSL#SSL_PROTOCOL_TLSV1}
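Review bot: `DEFAULT_SESSION_ID_CONTEXT`, reflowed at the top of this hunk, is a `public static final byte[]`, and `final` only pins the reference: any code with access to the class can overwrite its elements, and since the name suggests it is the value handed to the native session id context setter, a modified array would silently change the session id context of every context created afterwards. Removing or hiding the field would break API compatibility, so the minimal step is to document the constraint on the field, e.g. `/** Default session id context. Treat as read-only; pass a copy if a caller needs its own value. */`, and to consider an accessor returning `DEFAULT_SESSION_ID_CONTEXT.clone()` for new callers. The remaining lines of this hunk are Javadoc reformatting and raise nothing.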
@@ -40,15 +39,16 @@ public final class SSLContext {
* {@link SSL#SSL_PROTOCOL_TLSV1_3}
* {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL)
* </PRE>
- * @param mode SSL mode to use
- * <PRE>
+ *
+ * @param mode SSL mode to use
+ *
+ * <PRE>
* SSL_MODE_CLIENT
* SSL_MODE_SERVER
* SSL_MODE_COMBINED
- * </PRE>
+ * </PRE>
*
- * @return The Java representation of a pointer to the newly created SSL
- * Context
+ * @return The Java representation of a pointer to the newly created SSL
Context
*
* @throws Exception If the SSL Context could not be created
*/
@@ -56,149 +56,140 @@ public final class SSLContext {
/**
* Free the resources used by the Context
+ *
* @param ctx Server or Client context to free.
+ *
* @return APR Status code.
*/
public static native int free(long ctx);
/**
* Set OpenSSL Option.
- * @param ctx Server or Client context to use.
- * @param options See SSL.SSL_OP_* for option flags.
+ *
+ * @param ctx Server or Client context to use.
+ * @param options See SSL.SSL_OP_* for option flags.
*/
public static native void setOptions(long ctx, int options);
/**
* Get OpenSSL Option.
+ *
* @param ctx Server or Client context to use.
- * @return options See SSL.SSL_OP_* for option flags.
+ *
+ * @return options See SSL.SSL_OP_* for option flags.
*/
public static native int getOptions(long ctx);
/**
* Clears OpenSSL Options.
- * @param ctx Server or Client context to use.
- * @param options See SSL.SSL_OP_* for option flags.
+ *
+ * @param ctx Server or Client context to use.
+ * @param options See SSL.SSL_OP_* for option flags.
*/
public static native void clearOptions(long ctx, int options);
/**
* Returns all cipher suites that are enabled for negotiation in an SSL
handshake.
+ *
* @param ctx Server or Client context to use.
+ *
* @return ciphers
*/
public static native String[] getCiphers(long ctx);
/**
- * Cipher Suite available for negotiation in SSL handshake.
- * <br>
- * This complex directive uses a colon-separated cipher-spec string
consisting
- * of OpenSSL cipher specifications to configure the Cipher Suite the
client
- * is permitted to negotiate in the SSL handshake phase. Notice that this
- * directive can be used both in per-server and per-directory context.
- * In per-server context it applies to the standard SSL handshake when a
- * connection is established. In per-directory context it forces an SSL
- * renegotiation with the reconfigured Cipher Suite after the HTTP request
- * was read but before the HTTP response is sent.
- * @param ctx Server or Client context to use.
+ * Cipher Suite available for negotiation in SSL handshake. <br>
+ * This complex directive uses a colon-separated cipher-spec string
consisting of OpenSSL cipher specifications to
+ * configure the Cipher Suite the client is permitted to negotiate in the
SSL handshake phase. Notice that this
+ * directive can be used both in per-server and per-directory context. In
per-server context it applies to the
+ * standard SSL handshake when a connection is established. In
per-directory context it forces an SSL renegotiation
+ * with the reconfigured Cipher Suite after the HTTP request was read but
before the HTTP response is sent.
+ *
+ * @param ctx Server or Client context to use.
* @param ciphers An OpenSSL cipher specification.
+ *
* @return <code>true</code> if the operation was successful
+ *
* @throws Exception An error occurred
*/
- public static native boolean setCipherSuite(long ctx, String ciphers)
- throws Exception;
+ public static native boolean setCipherSuite(long ctx, String ciphers)
throws Exception;
/**
- * Set File of concatenated PEM-encoded CA CRLs or
- * directory of PEM-encoded CA Certificates for Client Auth
- * <br>
- * This directive sets the all-in-one file where you can assemble the
- * Certificate Revocation Lists (CRL) of Certification Authorities (CA)
- * whose clients you deal with. These are used for Client Authentication.
- * Such a file is simply the concatenation of the various PEM-encoded CRL
- * files, in order of preference.
- * <br>
- * The files in this directory have to be PEM-encoded and are accessed
through
- * hash filenames. So usually you can't just place the Certificate files
there:
- * you also have to create symbolic links named hash-value.N. And you
should
- * always make sure this directory contains the appropriate symbolic links.
- * Use the Makefile which comes with mod_ssl to accomplish this task.
- * @param ctx Server or Client context to use.
+ * Set File of concatenated PEM-encoded CA CRLs or directory of
PEM-encoded CA Certificates for Client Auth <br>
+ * This directive sets the all-in-one file where you can assemble the
Certificate Revocation Lists (CRL) of
+ * Certification Authorities (CA) whose clients you deal with. These are
used for Client Authentication. Such a file
+ * is simply the concatenation of the various PEM-encoded CRL files, in
order of preference. <br>
+ * The files in this directory have to be PEM-encoded and are accessed
through hash filenames. So usually you can't
+ * just place the Certificate files there: you also have to create
symbolic links named hash-value.N. And you should
+ * always make sure this directory contains the appropriate symbolic
links. Use the Makefile which comes with
+ * mod_ssl to accomplish this task.
+ *
+ * @param ctx Server or Client context to use.
* @param file File of concatenated PEM-encoded CA CRLs for Client Auth.
* @param path Directory of PEM-encoded CA Certificates for Client Auth.
+ *
* @return <code>true</code> if the operation was successful
+ *
* @throws Exception An error occurred
*/
- public static native boolean setCARevocation(long ctx, String file,
- String path)
- throws Exception;
+ public static native boolean setCARevocation(long ctx, String file, String
path) throws Exception;
/**
- * Set File of PEM-encoded Server CA Certificates
- * <br>
- * This directive sets the optional all-in-one file where you can assemble
the
- * certificates of Certification Authorities (CA) which form the
certificate
- * chain of the server certificate. This starts with the issuing CA
certificate
- * of the server certificate and can range up to the root CA certificate.
- * Such a file is simply the concatenation of the various PEM-encoded CA
- * Certificate files, usually in certificate chain order.
- * <br>
- * But be careful: Providing the certificate chain works only if you are
using
- * a single (either RSA or DSA) based server certificate. If you are using
a
- * coupled RSA+DSA certificate pair, this will work only if actually both
- * certificates use the same certificate chain. Else the browsers will be
- * confused in this situation.
- * @param ctx Server or Client context to use.
- * @param file File of PEM-encoded Server CA Certificates.
- * @param skipfirst Skip first certificate if chain file is inside
- * certificate file.
+ * Set File of PEM-encoded Server CA Certificates <br>
+ * This directive sets the optional all-in-one file where you can assemble
the certificates of Certification
+ * Authorities (CA) which form the certificate chain of the server
certificate. This starts with the issuing CA
+ * certificate of the server certificate and can range up to the root CA
certificate. Such a file is simply the
+ * concatenation of the various PEM-encoded CA Certificate files, usually
in certificate chain order. <br>
+ * But be careful: Providing the certificate chain works only if you are
using a single (either RSA or DSA) based
+ * server certificate. If you are using a coupled RSA+DSA certificate
pair, this will work only if actually both
+ * certificates use the same certificate chain. Else the browsers will be
confused in this situation.
+ *
+ * @param ctx Server or Client context to use.
+ * @param file File of PEM-encoded Server CA Certificates.
+ * @param skipfirst Skip first certificate if chain file is inside
certificate file.
+ *
* @return <code>true</code> if the operation was successful
*/
- public static native boolean setCertificateChainFile(long ctx, String file,
- boolean skipfirst);
+ public static native boolean setCertificateChainFile(long ctx, String
file, boolean skipfirst);
/**
- * Set Certificate
- * <br>
- * Point setCertificateFile at a PEM encoded certificate. If
- * the certificate is encrypted, then you will be prompted for a
- * pass phrase. Note that a kill -HUP will prompt again. A test
- * certificate can be generated with 'make certificate' under
- * built time. Keep in mind that if you've both a RSA and a DSA
- * certificate you can configure both in parallel (to also allow
- * the use of DSA ciphers, etc.)
- * <br>
- * If the key is not combined with the certificate, use key param
- * to point at the key file. Keep in mind that if
- * you've both a RSA and a DSA private key you can configure
- * both in parallel (to also allow the use of DSA ciphers, etc.)
- * @param ctx Server or Client context to use.
- * @param cert Certificate file.
- * @param key Private Key file to use if not in cert.
- * @param password Certificate password. If null and certificate
- * is encrypted, password prompt will be displayed.
- * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.
+ * Set Certificate <br>
+ * Point setCertificateFile at a PEM encoded certificate. If the
certificate is encrypted, then you will be prompted
+ * for a pass phrase. Note that a kill -HUP will prompt again. A test
certificate can be generated with 'make
+ * certificate' under built time. Keep in mind that if you've both a RSA
and a DSA certificate you can configure
+ * both in parallel (to also allow the use of DSA ciphers, etc.) <br>
+ * If the key is not combined with the certificate, use key param to point
at the key file. Keep in mind that if
+ * you've both a RSA and a DSA private key you can configure both in
parallel (to also allow the use of DSA ciphers,
+ * etc.)
+ *
+ * @param ctx Server or Client context to use.
+ * @param cert Certificate file.
+ * @param key Private Key file to use if not in cert.
+ * @param password Certificate password. If null and certificate is
encrypted, password prompt will be displayed.
+ * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.
+ *
* @return <code>true</code> if the operation was successful
+ *
* @throws Exception An error occurred
*/
- public static native boolean setCertificate(long ctx, String cert,
- String key, String password,
- int idx)
- throws Exception;
+ public static native boolean setCertificate(long ctx, String cert, String
key, String password, int idx)
+ throws Exception;
/**
- * Set the size of the internal session cache.
- * http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
- * @param ctx Server or Client context to use.
+ * Set the size of the internal session cache.
http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
+ *
+ * @param ctx Server or Client context to use.
* @param size The cache size
+ *
* @return the value set
*/
public static native long setSessionCacheSize(long ctx, long size);
/**
- * Get the size of the internal session cache.
- * http://www.openssl.org/docs/ssl/SSL_CTX_sess_get_cache_size.html
+ * Get the size of the internal session cache.
http://www.openssl.org/docs/ssl/SSL_CTX_sess_get_cache_size.html
+ *
* @param ctx Server or Client context to use.
+ *
* @return the size
*/
public static native long getSessionCacheSize(long ctx);
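Review bot: The `@param path` line of `setCARevocation`, reflowed in this hunk, reads `Directory of PEM-encoded CA Certificates for Client Auth`, and the summary sentence describes the directory the same way, yet the method configures certificate revocation lists; the directory most likely holds CA CRLs (the corresponding mod_ssl directive describes it as a directory of PEM-encoded CA CRLs), so a reader could point `path` at a CA certificate directory and get no revocation checking at all. Suggest `@param path Directory of PEM-encoded CA CRLs for Client Auth.` and the matching correction in the summary, after confirming against the native implementation. Separately, `setCertificate` takes `password` as a `String`, which cannot be cleared after use; a sentence on the `@param password` line noting that the value is retained by the JVM until collected would help callers handling key passphrases, since changing the native signature is outside this formatting commit.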
@@ -206,8 +197,10 @@ public final class SSLContext {
/**
* Set the timeout for the internal session cache in seconds.
* http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
- * @param ctx Server or Client context to use.
+ *
+ * @param ctx Server or Client context to use.
* @param timeoutSeconds Timeout value
+ *
* @return the value set
*/
public static native long setSessionCacheTimeout(long ctx, long
timeoutSeconds);
@@ -215,90 +208,98 @@ public final class SSLContext {
/**
* Get the timeout for the internal session cache in seconds.
* http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
+ *
* @param ctx Server or Client context to use.
+ *
* @return the timeout
*/
public static native long getSessionCacheTimeout(long ctx);
/**
* Set the mode of the internal session cache and return the previous used
mode.
- * @param ctx Server or Client context to use.
+ *
+ * @param ctx Server or Client context to use.
* @param mode The mode to set
+ *
* @return the value set
*/
public static native long setSessionCacheMode(long ctx, long mode);
/**
* Get the mode of the current used internal session cache.
+ *
* @param ctx Server or Client context to use.
+ *
* @return the value set
*/
public static native long getSessionCacheMode(long ctx);
/*
- * Session resumption statistics methods.
- * http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html
+ * Session resumption statistics methods.
http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html
*/
public static native long sessionAccept(long ctx);
+
public static native long sessionAcceptGood(long ctx);
+
public static native long sessionAcceptRenegotiate(long ctx);
+
public static native long sessionCacheFull(long ctx);
+
public static native long sessionCbHits(long ctx);
+
public static native long sessionConnect(long ctx);
+
public static native long sessionConnectGood(long ctx);
+
public static native long sessionConnectRenegotiate(long ctx);
+
public static native long sessionHits(long ctx);
+
public static native long sessionMisses(long ctx);
+
public static native long sessionNumber(long ctx);
+
public static native long sessionTimeouts(long ctx);
/**
* Set TLS session keys. This allows us to share keys across TFEs.
- * @param ctx Server or Client context to use.
+ *
+ * @param ctx Server or Client context to use.
* @param keys Some session keys
*/
public static native void setSessionTicketKeys(long ctx, byte[] keys);
/**
- * Set File and Directory of concatenated PEM-encoded CA Certificates
- * for Client Auth
- * <br>
- * This directive sets the all-in-one file where you can assemble the
- * Certificates of Certification Authorities (CA) whose clients you deal
with.
- * These are used for Client Authentication. Such a file is simply the
- * concatenation of the various PEM-encoded Certificate files, in order of
- * preference. This can be used alternatively and/or additionally to
- * path.
- * <br>
- * The files in this directory have to be PEM-encoded and are accessed
through
- * hash filenames. So usually you can't just place the Certificate files
there:
- * you also have to create symbolic links named hash-value.N. And you
should
- * always make sure this directory contains the appropriate symbolic links.
- * Use the Makefile which comes with mod_ssl to accomplish this task.
- * @param ctx Server or Client context to use.
- * @param file File of concatenated PEM-encoded CA Certificates for
- * Client Auth.
+ * Set File and Directory of concatenated PEM-encoded CA Certificates for
Client Auth <br>
+ * This directive sets the all-in-one file where you can assemble the
Certificates of Certification Authorities (CA)
+ * whose clients you deal with. These are used for Client Authentication.
Such a file is simply the concatenation of
+ * the various PEM-encoded Certificate files, in order of preference. This
can be used alternatively and/or
+ * additionally to path. <br>
+ * The files in this directory have to be PEM-encoded and are accessed
through hash filenames. So usually you can't
+ * just place the Certificate files there: you also have to create
symbolic links named hash-value.N. And you should
+ * always make sure this directory contains the appropriate symbolic
links. Use the Makefile which comes with
+ * mod_ssl to accomplish this task.
+ *
+ * @param ctx Server or Client context to use.
+ * @param file File of concatenated PEM-encoded CA Certificates for Client
Auth.
* @param path Directory of PEM-encoded CA Certificates for Client Auth.
+ *
* @return <code>true</code> if the operation was successful
+ *
* @throws Exception An error occurred
*/
- public static native boolean setCACertificate(long ctx, String file,
- String path)
- throws Exception;
+ public static native boolean setCACertificate(long ctx, String file,
String path) throws Exception;
/**
- * Set Type of Client Certificate verification and Maximum depth of CA
Certificates
- * in Client Certificate verification.
- * <br>
- * This directive sets the Certificate verification level for the Client
- * Authentication. Notice that this directive can be used both in
per-server
- * and per-directory context. In per-server context it applies to the
client
- * authentication process used in the standard SSL handshake when a
connection
- * is established. In per-directory context it forces an SSL renegotiation
with
- * the reconfigured client verification level after the HTTP request was
read
- * but before the HTTP response is sent.
- * <br>
+ * Set Type of Client Certificate verification and Maximum depth of CA
Certificates in Client Certificate
+ * verification. <br>
+ * This directive sets the Certificate verification level for the Client
Authentication. Notice that this directive
+ * can be used both in per-server and per-directory context. In per-server
context it applies to the client
+ * authentication process used in the standard SSL handshake when a
connection is established. In per-directory
+ * context it forces an SSL renegotiation with the reconfigured client
verification level after the HTTP request was
+ * read but before the HTTP response is sent. <br>
* The following levels are available for level:
+ *
* <PRE>
* SSL_CVERIFY_NONE - No client Certificate is required at all
* SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate
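Review bot: The session-statistics accessors from sessionAccept through sessionTimeouts are now separated by blank lines but still have no Javadoc of their own, only the shared block comment above sessionAccept that points at SSL_CTX_sess_number.html; a one-line doc per method such as `/** Counter from the OpenSSL session statistics, see {@code SSL_CTX_sess_number}. @param ctx Server or Client context to use. @return the current counter value */` (with the counter named per method) would make them read like their documented neighbours. The `@param keys Some session keys` line on setSessionTicketKeys is also uninformative, and "TFEs" in its summary is unexplained jargon; spelling that out, and stating the expected format of the key material if it is known, would help implementers handle what is secret material. These are pre-existing wording gaps rather than something this reflow introduced.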
@@ -306,34 +307,30 @@ public final class SSLContext {
* SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate
* but it need not to be (successfully)
verifiable
* </PRE>
+ *
* <br>
- * The depth actually is the maximum number of intermediate certificate
issuers,
- * i.e. the number of CA certificates which are max allowed to be followed
while
- * verifying the client certificate. A depth of 0 means that self-signed
client
- * certificates are accepted only, the default depth of 1 means the client
- * certificate can be self-signed or has to be signed by a CA which is
directly
- * known to the server (i.e. the CA's certificate is under
+ * The depth actually is the maximum number of intermediate certificate
issuers, i.e. the number of CA certificates
+ * which are max allowed to be followed while verifying the client
certificate. A depth of 0 means that self-signed
+ * client certificates are accepted only, the default depth of 1 means the
client certificate can be self-signed or
+ * has to be signed by a CA which is directly known to the server (i.e.
the CA's certificate is under
* <code>setCACertificatePath</code>), etc.
- * @param ctx Server or Client context to use.
+ *
+ * @param ctx Server or Client context to use.
* @param level Type of Client Certificate verification.
- * @param depth Maximum depth of CA Certificates in Client Certificate
- * verification.
+ * @param depth Maximum depth of CA Certificates in Client Certificate
verification.
*/
public static native void setVerify(long ctx, int level, int depth);
/**
- * When tc-native encounters a SNI extension in the TLS handshake it will
- * call this method to determine which OpenSSL SSLContext to use for the
- * connection.
- *
- * @param currentCtx The OpenSSL SSLContext that the handshake started to
- * use. This will be the default OpenSSL SSLContext for
- * the endpoint associated with the socket.
- * @param sniHostName The host name requested by the client
- *
- * @return The Java representation of the pointer to the OpenSSL SSLContext
- * to use for the given host or zero if no SSLContext could be
- * identified
+ * When tc-native encounters a SNI extension in the TLS handshake it will
call this method to determine which
+ * OpenSSL SSLContext to use for the connection.
+ *
+ * @param currentCtx The OpenSSL SSLContext that the handshake started to
use. This will be the default OpenSSL
+ * SSLContext for the endpoint associated with the
socket.
+ * @param sniHostName The host name requested by the client
+ *
+ * @return The Java representation of the pointer to the OpenSSL
SSLContext to use for the given host or zero if no
+ * SSLContext could be identified
*/
public static long sniCallBack(long currentCtx, String sniHostName) {
SNICallBack sniCallBack = sniCallBacks.get(Long.valueOf(currentCtx));
@@ -347,50 +344,47 @@ public final class SSLContext {
}
/**
- * A map of default SSL Contexts to SNICallBack instances (in Tomcat these
- * are instances of AprEndpoint) that will be used to determine the SSL
- * Context to use bases on the SNI host name. It is structured this way
- * since a Tomcat instance may have several TLS enabled endpoints that each
- * have different SSL Context mappings for the same host name.
+ * A map of default SSL Contexts to SNICallBack instances (in Tomcat these
are instances of AprEndpoint) that will
+ * be used to determine the SSL Context to use bases on the SNI host name.
It is structured this way since a Tomcat
+ * instance may have several TLS enabled endpoints that each have
different SSL Context mappings for the same host
+ * name.
*/
private static final Map<Long,SNICallBack> sniCallBacks = new
ConcurrentHashMap<>();
/**
- * Interface implemented by components that will receive the call back to
- * select an OpenSSL SSLContext based on the host name requested by the
- * client.
+ * Interface implemented by components that will receive the call back to
select an OpenSSL SSLContext based on the
+ * host name requested by the client.
*/
public interface SNICallBack {
/**
- * This callback is made during the TLS handshake when the client uses
- * the SNI extension to request a specific TLS host.
+ * This callback is made during the TLS handshake when the client uses
the SNI extension to request a specific
+ * TLS host.
*
- * @param sniHostName The host name requested by the client - must be
in
- * lower case
+ * @param sniHostName The host name requested by the client - must be
in lower case
*
- * @return The Java representation of the pointer to the OpenSSL
- * SSLContext to use for the given host or zero if no
SSLContext
- * could be identified
+ * @return The Java representation of the pointer to the OpenSSL
SSLContext to use for the given host or zero if
+ * no SSLContext could be identified
*/
long getSslContext(String sniHostName);
}
/**
- * Allow to hook {@link CertificateVerifier} into the handshake processing.
- * This will call {@code SSL_CTX_set_cert_verify_callback} and so replace
the default verification
- * callback used by openssl
- * @param ctx Server or Client context to use.
+ * Allow to hook {@link CertificateVerifier} into the handshake
processing. This will call
+ * {@code SSL_CTX_set_cert_verify_callback} and so replace the default
verification callback used by openssl
+ *
+ * @param ctx Server or Client context to use.
* @param verifier the verifier to call during handshake.
*/
public static native void setCertVerifyCallback(long ctx,
CertificateVerifier verifier);
/**
* Set application layer protocol for application layer protocol
negotiation extension
- * @param ctx Server context to use.
- * @param alpnProtos protocols in priority order
- * @param selectorFailureBehavior see {@link
SSL#SSL_SELECTOR_FAILURE_NO_ADVERTISE}
- * and {@link
SSL#SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL}
+ *
+ * @param ctx Server context to use.
+ * @param alpnProtos protocols in priority order
+ * @param selectorFailureBehavior see {@link
SSL#SSL_SELECTOR_FAILURE_NO_ADVERTISE} and
+ * {@link
SSL#SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL}
*/
public static native void setAlpnProtos(long ctx, String[] alpnProtos, int
selectorFailureBehavior);
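Review bot: The reflowed Javadoc on the sniCallBacks field still carries the typo "to use bases on the SNI host name"; it should read `* be used to determine the SSL Context to use based on the SNI host name. It is structured this way since a Tomcat`. The sniCallBack method whose closing brace opens this hunk starts in the previous hunk, so its body is not fully visible here. The "must be in lower case" precondition on SNICallBack.getSslContext is worth keeping exactly as worded, since callers rely on it to match host names consistently.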
@@ -398,42 +392,45 @@ public final class SSLContext {
* Set the context within which session be reused (server side only)
* http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html
*
- * @param ctx Server context to use.
- * @param sidCtx can be any kind of binary data, it is therefore possible
to use e.g. the name
- * of the application and/or the hostname and/or service name
+ * @param ctx Server context to use.
+ * @param sidCtx can be any kind of binary data, it is therefore possible
to use e.g. the name of the application
+ * and/or the hostname and/or service name
+ *
* @return {@code true} if success, {@code false} otherwise.
*/
public static native boolean setSessionIdContext(long ctx, byte[] sidCtx);
/**
- * Set CertificateRaw
- * <br>
+ * Set CertificateRaw <br>
* Use keystore a certificate and key to fill the BIOP
- * @param ctx Server or Client context to use.
- * @param cert Byte array with the certificate in DER encoding.
- * @param key Byte array with the Private Key file in PEM format.
+ *
+ * @param ctx Server or Client context to use.
+ * @param cert Byte array with the certificate in DER encoding.
+ * @param key Byte array with the Private Key file in PEM format.
* @param sslAidxRsa Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.
+ *
* @return {@code true} if success, {@code false} otherwise.
*/
public static native boolean setCertificateRaw(long ctx, byte[] cert,
byte[] key, int sslAidxRsa);
/**
- * Add a certificate to the certificate chain. Certs should be added in
- * order starting with the issuer of the host certs and working up the
- * certificate chain to the CA.
- *
- * <br>
+ * Add a certificate to the certificate chain. Certs should be added in
order starting with the issuer of the host
+ * certs and working up the certificate chain to the CA. <br>
* Use keystore a certificate chain to fill the BIOP
- * @param ctx Server or Client context to use.
+ *
+ * @param ctx Server or Client context to use.
* @param cert Byte array with the certificate in DER encoding.
+ *
* @return {@code true} if success, {@code false} otherwise.
*/
public static native boolean addChainCertificateRaw(long ctx, byte[] cert);
/**
* Add a CA certificate we accept as issuer for peer certs
- * @param ctx Server or Client context to use.
+ *
+ * @param ctx Server or Client context to use.
* @param cert Byte array with the certificate in DER encoding.
+ *
* @return {@code true} if success, {@code false} otherwise.
*/
public static native boolean addClientCACertificateRaw(long ctx, byte[]
cert);
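Review bot: The sentence "Use keystore a certificate and key to fill the BIOP" on setCertificateRaw (and "Use keystore a certificate chain to fill the BIOP" on addChainCertificateRaw) is hard to parse and was carried over unchanged by the reflow; something like `* Use a certificate and key taken from a keystore to fill the BIO` reads more naturally, assuming "BIOP" is meant to refer to an OpenSSL BIO, which I cannot confirm from this hunk. The `@param sslAidxRsa Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.` line could also point readers to where those constants are defined with a {@code} or {@link} reference, as the ALPN Javadoc earlier in this file does for its SSL constants.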
diff --git a/java/org/apache/tomcat/jni/Sockaddr.java
b/java/org/apache/tomcat/jni/Sockaddr.java
index 20e73c8ad2..b5594a4ba3 100644
--- a/java/org/apache/tomcat/jni/Sockaddr.java
+++ b/java/org/apache/tomcat/jni/Sockaddr.java
@@ -17,10 +17,9 @@
package org.apache.tomcat.jni;
/**
- * Tomcat Native 1.2.33 and earlier won't initialise unless this class is
- * present. This dummy class ensures initialisation gets as far as being able
to
- * check the version of the Tomcat Native library and reporting a version error
- * if 1.2.33 or earlier is present.
+ * Tomcat Native 1.2.33 and earlier won't initialise unless this class is
present. This dummy class ensures
+ * initialisation gets as far as being able to check the version of the Tomcat
Native library and reporting a version
+ * error if 1.2.33 or earlier is present.
*/
public class Sockaddr {