svn commit: r1681189 - in /tomcat/native/trunk/native: include/ssl_private.h src/ssl.c src/sslcontext.c src/sslutils.c

Fri, 22 May 2015 12:06:06 -0700 

Author: rjung
Date: Fri May 22 19:05:38 2015
New Revision: 1681189

URL: http://svn.apache.org/r1681189
Log:
Port mod_ssl improvements to tcnative/ssl:

Partial backport of r1527295 from httpd/mod_ssl:

Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the
  SSLCertificateFile directive.

- add ssl_ec_GetParamFromFile()

Sync name SSL_dh_GetParamFromFile with mod_ssl.

Modified:
    tomcat/native/trunk/native/include/ssl_private.h
    tomcat/native/trunk/native/src/ssl.c
    tomcat/native/trunk/native/src/sslcontext.c
    tomcat/native/trunk/native/src/sslutils.c

Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1681189&r1=1681188&r2=1681189&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Fri May 22 19:05:38 2015
@@ -333,7 +333,10 @@ int         SSL_password_prompt(tcn_pass
 int         SSL_password_callback(char *, int, int, void *);
 void        SSL_BIO_close(BIO *);
 void        SSL_BIO_doref(BIO *);
-DH         *SSL_dh_get_param_from_file(const char *);
+DH         *SSL_dh_GetParamFromFile(const char *);
+#ifdef HAVE_ECC
+EC_GROUP   *SSL_ec_GetParamFromFile(const char *);
+#endif
 DH         *SSL_callback_tmp_DH(SSL *, int, int);
 void        SSL_callback_handshake(const SSL *, int, int);
 int         SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);

Modified: tomcat/native/trunk/native/src/ssl.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1681189&r1=1681188&r2=1681189&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/ssl.c (original)
+++ tomcat/native/trunk/native/src/ssl.c Fri May 22 19:05:38 2015
@@ -995,30 +995,6 @@ TCN_IMPLEMENT_CALL(void, SSL, setPasswor
     TCN_FREE_CSTRING(password);
 }
 
-// Commented out but might get reused later
-#if 0
-TCN_IMPLEMENT_CALL(jboolean, SSL, loadDSATempKey)(TCN_STDARGS, jint idx,
-                                                  jstring file)
-{
-    jboolean r = JNI_FALSE;
-    TCN_ALLOC_CSTRING(file);
-    DH *dh;
-    UNREFERENCED(o);
-
-    if (!J2S(file))
-        return JNI_FALSE;
-    /* Removed */
-    SSL_TMP_KEY_FREE(DSA, idx);
-    if ((dh = SSL_dh_get_param_from_file(J2S(file)))) {
-        /* Removed */
-        SSL_temp_keys[idx] = dh;
-        r = JNI_TRUE;
-    }
-    TCN_FREE_CSTRING(file);
-    return r;
-}
-#endif
-
 TCN_IMPLEMENT_CALL(jstring, SSL, getLastError)(TCN_STDARGS)
 {
     char buf[256];

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1681189&r1=1681188&r2=1681189&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Fri May 22 19:05:38 2015
@@ -241,15 +241,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
     EVP_Digest((const unsigned char *)SSL_DEFAULT_VHOST_NAME,
                (unsigned long)((sizeof SSL_DEFAULT_VHOST_NAME) - 1),
                &(c->context_id[0]), NULL, EVP_sha1(), NULL);
-    if (mode) {
-#ifdef HAVE_ECC
-        /* Set default (nistp256) elliptic curve for ephemeral ECDH keys */
-        EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-        SSL_CTX_set_tmp_ecdh(c->ctx, ecdh);
-        EC_KEY_free(ecdh);
-#endif
-        SSL_CTX_set_tmp_dh_callback(c->ctx,  SSL_callback_tmp_DH);
-    }
+
     /* Set default Certificate verification level
      * and depth for the Client Authentication
      */
@@ -701,6 +693,12 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
     const char *key_file, *cert_file;
     const char *p;
     char err[256];
+#ifdef HAVE_ECC
+    EC_GROUP *ecparams;
+    int nid;
+    EC_KEY *eckey = NULL;
+#endif
+    DH *dhparams;
 
     UNREFERENCED(o);
     TCN_ASSERT(ctx != 0);
@@ -769,6 +767,42 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
         rv = JNI_FALSE;
         goto cleanup;
     }
+
+    /*
+     * Try to read DH parameters from the (first) SSLCertificateFile
+     */
+    /* XXX Does this also work for pkcs12 or only for PEM files?
+     * If only for PEM files move above to the PEM handling */
+    if ((dhparams = SSL_dh_GetParamFromFile(cert_file))) {
+        SSL_CTX_set_tmp_dh(c->ctx, dhparams);
+    }
+
+#ifdef HAVE_ECC
+    /*
+     * Similarly, try to read the ECDH curve name from SSLCertificateFile...
+     */
+    /* XXX Does this also work for pkcs12 or only for PEM files?
+     * If only for PEM files move above to the PEM handling */
+    if ((ecparams = SSL_ec_GetParamFromFile(cert_file)) &&
+        (nid = EC_GROUP_get_curve_name(ecparams)) &&
+        (eckey = EC_KEY_new_by_curve_name(nid))) {
+        SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
+    }
+    /*
+     * ...otherwise, configure NIST P-256 (required to enable ECDHE)
+     */
+    else {
+#if defined(SSL_CTX_set_ecdh_auto)
+        SSL_CTX_set_ecdh_auto(c->ctx, 1);
+#else
+        eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
+#endif
+    }
+    EC_KEY_free(eckey);
+#endif
+    SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
+
 cleanup:
     TCN_FREE_CSTRING(cert);
     TCN_FREE_CSTRING(key);

Modified: tomcat/native/trunk/native/src/sslutils.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1681189&r1=1681188&r2=1681189&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Fri May 22 19:05:38 2015
@@ -157,7 +157,12 @@ int SSL_password_callback(char *buf, int
     return (int)strlen(buf);
 }
 
-DH *SSL_dh_get_param_from_file(const char *file)
+/*  _________________________________________________________________
+**
+**  Custom (EC)DH parameter support
+**  _________________________________________________________________
+*/
+DH *SSL_dh_GetParamFromFile(const char *file)
 {
     DH *dh = NULL;
     BIO *bio;
@@ -169,6 +174,20 @@ DH *SSL_dh_get_param_from_file(const cha
     return dh;
 }
 
+#ifdef HAVE_ECC
+EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
+{
+    EC_GROUP *group = NULL;
+    BIO *bio;
+
+    if ((bio = BIO_new_file(file, "r")) == NULL)
+        return NULL;
+    group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+    BIO_free(bio);
+    return (group);
+}
+#endif
+
 /*
  * Grab well-defined DH parameters from OpenSSL, see <openssl/bn.h>
  * (get_rfc*) for all available primes.



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to