Author: mturk Date: Tue Sep 13 19:59:36 2011 New Revision: 1170326 URL: http://svn.apache.org/viewvc?rev=1170326&view=rev Log: Create almost complete ssl context
Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLProtocolMethod.java commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java?rev=1170326&r1=1170325&r2=1170326&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java (original) +++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java Tue Sep 13 19:59:36 2011 
@@ -33,13 +33,19 @@ public final class SSLContext extends Na // Hide NativePointer private final long pointer = 0L; - private static native long new0(); + private static native long new0(int protocol, int mode); + + private SSLContext() + { + // No instance + } + /** * Creates a new object instance. */ - public SSLContext() + public SSLContext(SSLProtocolMethod method, SSLProtocolMode mode) { - super.pointer = new0(); + super.pointer = new0(method.valueOf(), mode.valueOf()); } } Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLProtocolMethod.java URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLProtocolMethod.java?rev=1170326&r1=1170325&r2=1170326&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLProtocolMethod.java (original) +++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLProtocolMethod.java Tue Sep 13 19:59:36 2011 @@ -42,9 +42,17 @@ public enum SSLProtocolMethod */ TLSv1( 4), /** + * TLSv1.1. + */ + TLSv11( 5), + /** + * TLSv1.2. + */ + TLSv12( 6), + /** * DTLSv1.0. */ - DTLSv1( 5); + DTLSv1( 7); private int value; private SSLProtocolMethod(int v) Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1170326&r1=1170325&r2=1170326&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original) +++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Tue Sep 13 19:59:36 2011 
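Review bot: The new public constructor dereferences `method` and `mode` without a null check and stores whatever `new0` returns unchecked, and the native side of this same commit (`SSLContext.new0` in ctx.c) returns 0 without raising an exception when its allocation fails, so a caller can get back an object whose `pointer` is 0L with no error. Add `if (method == null || mode == null) throw new NullPointerException();` before the native call and `if (super.pointer == 0L) throw new OutOfMemoryError("SSL_CTX");` after it, so the invalid state cannot escape the constructor. The enclosing class declaration starts outside the hunk.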
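Review bot: Nothing in the enum says that these numbers are an ABI shared with `SSL_PROTOCOL_*` in include/acr/ssl.h, yet inserting `TLSv11`/`TLSv12` silently moves `DTLSv1` from 5 to 7 and the header had to be edited in lockstep; the next person adding a constant will not know that. A comment on the enum such as `/* Values are passed to native code and must match SSL_PROTOCOL_* in include/acr/ssl.h exactly. */` is the minimum, and appending new constants at the end rather than renumbering existing ones would avoid the coupling altogether. The enum declaration starts outside the hunk.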
@@ -157,7 +157,9 @@ #define SSL_PROTOCOL_SSLV3 2 #define SSL_PROTOCOL_SSLV23 3 #define SSL_PROTOCOL_TLSV1 4 -#define SSL_PROTOCOL_DTLSV1 5 +#define SSL_PROTOCOL_TLSV11 5 +#define SSL_PROTOCOL_TLSV12 6 +#define SSL_PROTOCOL_DTLSV1 7 #define SSL_MODE_CLIENT 0 #define SSL_MODE_SERVER 1 @@ -166,6 +168,7 @@ #define SSL_BIO_FLAG_RDONLY 1 #define SSL_BIO_FLAG_CALLBACK 2 #define SSL_DEFAULT_CACHE_SIZE 256 +#define SSL_DEFAULT_VHOST_NAME "unknown:443" #define SSL_MAX_STR_LEN 2048 #define SSL_CVERIFY_UNSET (-1) @@ -361,6 +364,7 @@ void ssl_init_app_data2_idx(void) void *ssl_get_app_data2(SSL *); void ssl_set_app_data2(SSL *, void *); int ssl_password_callback(char *, int, int, void *); +int ssl_no_password_callback(char *buf, int bufsiz, int verify, void *cb); void ssl_bio_close(BIO *); void ssl_bio_doref(BIO *); DH *ssl_dh_get_tmp_param(int); @@ -372,6 +376,7 @@ void ssl_vhost_algo_id(const unsi int ssl_ctx_use_certificate_chain(SSL_CTX *, const char *, int); int ssl_callback_ssl_verify(int, X509_STORE_CTX *); int ssl_rand_seed(const char *file); +void ssl_throw_errno(JNI_STDENV, int cls); #endif #endif /* _ACR_SSL_H_ */ Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c?rev=1170326&r1=1170325&r2=1170326&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c (original) +++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c Tue Sep 13 19:59:36 2011 
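Review bot: The added prototype `int ssl_no_password_callback(char *buf, int bufsiz, int verify, void *cb);` names its parameters while the neighbouring declarations in this header (`ssl_password_callback`, `ssl_set_app_data2`, `ssl_bio_close`) omit them; keep one convention, `int ssl_no_password_callback(char *, int, int, void *);`. A one-line comment saying what distinguishes it from `ssl_password_callback` (it refuses every passphrase request, per its definition in password.c) would also help readers of the header.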
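Review bot: `ssl_throw_errno(JNI_STDENV, int cls)` reads as though it reported the C `errno`, but its definition in util.c (same commit) formats the OpenSSL error queue, which is a different error source with different lifetime rules; callers will reach for it after a failed `open()`/`read()` and get `error:00000000:lib(0):func(0):reason(0)`. Document it at the declaration, `/* Throw exception class cls with the text of the oldest entry on the OpenSSL error queue (not errno). */`, or rename it to something like `ssl_throw_sslerr` while it is still new and has one caller.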
@@ -122,11 +122,13 @@ struct SSLAPIst { unsigned long (*fpERR_get_error)(void); void (*fpERR_load_crypto_strings)(void); unsigned long (*fpERR_peek_error)(void); + void (*fpERR_put_error)(int, int, int, const char *, int); /*** EVP ***/ void (*fpEVP_PKEY_free)(EVP_PKEY *); /*** MD5 ***/ + unsigned char* (*fpMD5)(const unsigned char *, size_t, unsigned char *); int (*fpMD5_Final)(unsigned char *, MD5_CTX *); int (*fpMD5_Init)(MD5_CTX *); int (*fpMD5_Update)(MD5_CTX *, const void *, size_t); @@ -153,6 +155,8 @@ struct SSLAPIst { long (*fpSSL_CTX_ctrl)(SSL_CTX *, int, long, void *); SSL_CTX* (*fpSSL_CTX_new)(CONST_SSL_METHOD *); void (*fpSSL_CTX_free)(SSL_CTX *); + void (*fpSSL_CTX_set_tmp_rsa_callback)(SSL_CTX *, RSA *(*)(SSL *, int, int)); + void (*fpSSL_CTX_set_tmp_dh_callback)(SSL_CTX *, DH *(*)(SSL *, int, int)); /*** SSL ***/ void* (*fpSSL_get_ex_data)(const SSL *, int); @@ -172,6 +176,12 @@ struct SSLAPIst { CONST_SSL_METHOD* (*fpTLSv1_method)(void); /* TLSv1.0 */ CONST_SSL_METHOD* (*fpTLSv1_server_method)(void); /* TLSv1.0 */ CONST_SSL_METHOD* (*fpTLSv1_client_method)(void); /* TLSv1.0 */ + CONST_SSL_METHOD* (*fpTLSv1_1_method)(void); /* TLSv1.1 */ + CONST_SSL_METHOD* (*fpTLSv1_1_server_method)(void); /* TLSv1.1 */ + CONST_SSL_METHOD* (*fpTLSv1_1_client_method)(void); /* TLSv1.1 */ + CONST_SSL_METHOD* (*fpTLSv1_2_method)(void); /* TLSv1.2 */ + CONST_SSL_METHOD* (*fpTLSv1_2_server_method)(void); /* TLSv1.2 */ + CONST_SSL_METHOD* (*fpTLSv1_2_client_method)(void); /* TLSv1.2 */ CONST_SSL_METHOD* (*fpDTLSv1_method)(void); /* DTLSv1.0 */ CONST_SSL_METHOD* (*fpDTLSv1_server_method)(void); /* DTLSv1.0 */ @@ -277,6 +287,8 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens LIBSSL_FPLOAD(SSL_CTX_free); LIBSSL_FPLOAD(SSL_CTX_set_default_passwd_cb); LIBSSL_FPLOAD(SSL_CTX_set_default_passwd_cb_userdata); + LIBSSL_FPLOAD(SSL_CTX_set_tmp_dh_callback); + LIBSSL_FPLOAD(SSL_CTX_set_tmp_rsa_callback); /*** BIO ***/ 
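Review bot: `LIBSSL_FPLOAD(SSL_CTX_set_tmp_rsa_callback)` makes the symbol mandatory, so the whole module refuses to load (`goto failed`) if it is missing, yet as far as I recall OpenSSL compiles that function only under `#ifndef OPENSSL_NO_RSA`, and the temporary RSA key it supplies is used only for export-grade cipher suites (or with `SSL_OP_EPHEMERAL_RSA`). Since ctx.c installs the callback only for non-client contexts, resolve it with `LIBSSL_LDDOPT(SSL_CTX_set_tmp_rsa_callback);` and skip the `SSL_CTX_set_tmp_rsa_callback(...)` call when the pointer is null, so a library built without RSA or without export ciphers does not take the TLS module down with it. The same reasoning applies to `CRYPTO_FPLOAD(MD5)` in the following hunk, which is absent under `OPENSSL_NO_MD5`.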
@@ -315,11 +327,13 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens CRYPTO_FPLOAD(ERR_get_error); CRYPTO_FPLOAD(ERR_load_crypto_strings); CRYPTO_FPLOAD(ERR_peek_error); + CRYPTO_FPLOAD(ERR_put_error); /*** EVP ***/ CRYPTO_FPLOAD(EVP_PKEY_free); /*** MD5 ***/ + CRYPTO_FPLOAD(MD5); CRYPTO_FPLOAD(MD5_Final); CRYPTO_FPLOAD(MD5_Init); CRYPTO_FPLOAD(MD5_Update); @@ -373,7 +387,16 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens LIBSSL_LDDOPT(SSLv2_server_method); LIBSSL_LDDOPT(SSLv2_client_method); #endif - +#ifdef TLS1_1_VERSION + LIBSSL_LDDOPT(TLSv1_1_method); + LIBSSL_LDDOPT(TLSv1_1_server_method); + LIBSSL_LDDOPT(TLSv1_1_client_method); +#endif +#ifdef TLS1_2_VERSION + LIBSSL_LDDOPT(TLSv1_2_method); + LIBSSL_LDDOPT(TLSv1_2_server_method); + LIBSSL_LDDOPT(TLSv1_2_client_method); +#endif return JNI_TRUE; failed: AcrThrowEx(env, ACR_EX_ENOENT, "Cannot find %s::%s()", dname, fname); @@ -626,11 +649,21 @@ unsigned long ERR_peek_error(void) return SSLAPI_CALL(ERR_peek_error)(); } +void ERR_put_error(int lib, int func, int reason, const char *file, int line) +{ + SSLAPI_CALL(ERR_put_error)(lib, func, reason, file, line); +} + void EVP_PKEY_free(EVP_PKEY *pkey) { SSLAPI_CALL(EVP_PKEY_free)(pkey); } +unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md) +{ + return SSLAPI_CALL(MD5)(d, n, md); +} + int MD5_Init(MD5_CTX *c) { return SSLAPI_CALL(MD5_Init)(c); @@ -712,6 +745,16 @@ void SSL_CTX_free(SSL_CTX *ctx) SSLAPI_CALL(SSL_CTX_free)(ctx); } +void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *, int, int)) +{ + SSLAPI_CALL(SSL_CTX_set_tmp_rsa_callback)(ctx, cb); +} + +void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*cb)(SSL *, int, int)) +{ + SSLAPI_CALL(SSL_CTX_set_tmp_dh_callback)(ctx, cb); +} + void *SSL_get_ex_data(const SSL *ssl, int idx) { return SSLAPI_CALL(SSL_get_ex_data)(ssl, idx); 
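Review bot: `#ifdef TLS1_1_VERSION` / `#ifdef TLS1_2_VERSION` decide at compile time, from the headers, whether `TLSv1_1_*`/`TLSv1_2_*` are ever looked up, but the symbols themselves are resolved at runtime against whatever libssl is loaded; a module built against 1.0.0 headers and run on a newer library leaves the six function pointers null, and `SSLProtocolMethod.TLSv11`/`TLSv12` then fail with EINVAL even though the library supports them. If the prototypes can be declared locally, drop the guard and rely on `LIBSSL_LDDOPT` alone; otherwise add `/* TLS 1.1/1.2 support is fixed by the headers at build time, not by the runtime library. */` next to the guard so the limitation is visible.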
@@ -755,6 +798,16 @@ IMPLEMENT_SSLOPT_METHOD(SSLv2) IMPLEMENT_SSLOPT_METHOD(SSLv2_server) IMPLEMENT_SSLOPT_METHOD(SSLv2_client) #endif +#ifdef TLS1_1_VERSION +IMPLEMENT_SSLOPT_METHOD(TLSv1_1_method) +IMPLEMENT_SSLOPT_METHOD(TLSv1_1_server_method) +IMPLEMENT_SSLOPT_METHOD(TLSv1_1_client_method) +#endif +#ifdef TLS1_2_VERSION +IMPLEMENT_SSLOPT_METHOD(TLSv1_2_method) +IMPLEMENT_SSLOPT_METHOD(TLSv1_2_server_method) +IMPLEMENT_SSLOPT_METHOD(TLSv1_2_client_method) +#endif IMPLEMENT_SSLAPI_METHOD(SSLv3) IMPLEMENT_SSLAPI_METHOD(SSLv3_server) Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1170326&r1=1170325&r2=1170326&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c (original) +++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Tue Sep 13 19:59:36 2011 
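Review bot: `IMPLEMENT_SSLOPT_METHOD(TLSv1_1_method)` does not follow the argument form used two lines above, `IMPLEMENT_SSLOPT_METHOD(SSLv2_server)`, where the macro evidently appends `_method` itself (the unguarded `IMPLEMENT_SSLAPI_METHOD(SSLv3)` below likewise yields `SSLv3_method`); if that is how the macro is written, the six new lines expand to `TLSv1_1_method_method` / `fpTLSv1_1_method_method` and so on, which will not compile on precisely the builds where `TLS1_1_VERSION` is defined, i.e. the ones this feature targets. Use `IMPLEMENT_SSLOPT_METHOD(TLSv1_1)`, `IMPLEMENT_SSLOPT_METHOD(TLSv1_1_server)`, `IMPLEMENT_SSLOPT_METHOD(TLSv1_1_client)` and the same for `TLSv1_2`. The macro definition is outside the hunk, so confirm against it.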
@@ -27,14 +27,160 @@ #endif -ACR_SSL_EXPORT(jlong, SSLContext, new0)(JNI_STDARGS) +ACR_SSL_EXPORT(jlong, SSLContext, new0)(JNI_STDARGS, jint protocol, jint mode) { - acr_ssl_ctxt_t *ctx; + acr_ssl_ctxt_t *c; + CONST_SSL_METHOD *m = 0; - ctx = ACR_TALLOC(acr_ssl_ctxt_t); - if (ctx == 0) + c = ACR_TALLOC(acr_ssl_ctxt_t); + if (c == 0) return 0; - return P2J(ctx); + switch (mode) { + case SSL_MODE_CLIENT: + switch (protocol) { + case SSL_PROTOCOL_SSLV2: +#ifndef OPENSSL_NO_SSL2 + m = SSLv2_client_method(); +#endif + break; + case SSL_PROTOCOL_SSLV3: + m = SSLv3_client_method(); + break; + case SSL_PROTOCOL_SSLV23: + m = SSLv23_client_method(); + break; + case SSL_PROTOCOL_TLSV1: + m = TLSv1_client_method(); + break; + case SSL_PROTOCOL_DTLSV1: + m = DTLSv1_client_method(); + break; + case SSL_PROTOCOL_TLSV11: +#ifdef TLS1_1_VERSION + m = TLSv1_1_client_method(); +#endif + break; + case SSL_PROTOCOL_TLSV12: +#ifdef TLS1_2_VERSION + m = TLSv1_2_client_method(); +#endif + break; + } + break; + case SSL_MODE_SERVER: + switch (protocol) { + case SSL_PROTOCOL_SSLV2: +#ifndef OPENSSL_NO_SSL2 + m = SSLv2_server_method(); +#endif + break; + case SSL_PROTOCOL_SSLV3: + m = SSLv3_server_method(); + break; + case SSL_PROTOCOL_SSLV23: + m = SSLv23_server_method(); + break; + case SSL_PROTOCOL_TLSV1: + m = TLSv1_server_method(); + break; + case SSL_PROTOCOL_DTLSV1: + m = DTLSv1_server_method(); + break; + case SSL_PROTOCOL_TLSV11: +#ifdef TLS1_1_VERSION + m = TLSv1_1_server_method(); +#endif + break; + case SSL_PROTOCOL_TLSV12: +#ifdef TLS1_2_VERSION + m = TLSv1_2_server_method(); +#endif + break; + } + break; + case SSL_MODE_COMBINED: + switch (protocol) { + case SSL_PROTOCOL_SSLV2: +#ifndef OPENSSL_NO_SSL2 + m = SSLv2_method(); +#endif + break; + case SSL_PROTOCOL_SSLV3: + m = SSLv3_method(); + break; + case SSL_PROTOCOL_SSLV23: + m = SSLv23_method(); + break; + case SSL_PROTOCOL_TLSV1: + m = TLSv1_method(); + break; + case SSL_PROTOCOL_DTLSV1: + m = DTLSv1_method(); + break; + 
case SSL_PROTOCOL_TLSV11: +#ifdef TLS1_1_VERSION + m = TLSv1_1_method(); +#endif + break; + case SSL_PROTOCOL_TLSV12: +#ifdef TLS1_2_VERSION + m = TLSv1_2_method(); +#endif + break; + } + break; + default: + break; + } + if (m == 0 || (c->ctx == SSL_CTX_new(m)) == 0) { + AcrFree(c); + ACR_THROW(ACR_EX_EINVAL, 0); + return 0; + } + if ((c->bio_os = BIO_new(BIO_s_file())) != 0) + BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT); + c->protocol = protocol; + c->mode = mode; + /* Set default Certificate verification level + * and depth for the Client Authentication + */ + c->verify_depth = 1; + c->verify_mode = SSL_CVERIFY_UNSET; + c->shutdown_type = SSL_SHUTDOWN_TYPE_UNSET; + + SSL_CTX_set_options(c->ctx, SSL_OP_ALL); + if (protocol != SSL_PROTOCOL_SSLV2) + SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv2); + if (protocol != SSL_PROTOCOL_SSLV3) + SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3); + if (protocol != SSL_PROTOCOL_TLSV1) + SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1); + /* + * Configure additional context ingredients + */ + SSL_CTX_set_options(c->ctx, SSL_OP_SINGLE_DH_USE); +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + /* + * Disallow a session from being resumed during a renegotiation, + * so that an acceptable cipher suite can be negotiated. 
+ */ + SSL_CTX_set_options(c->ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); +#endif + /* Default session context id and cache size */ + SSL_CTX_sess_set_cache_size(c->ctx, SSL_DEFAULT_CACHE_SIZE); + MD5((const unsigned char *)SSL_DEFAULT_VHOST_NAME, + (unsigned long)(sizeof(SSL_DEFAULT_VHOST_NAME) - 1), + c->context_id); + if (mode != SSL_MODE_CLIENT) { + SSL_CTX_set_tmp_rsa_callback(c->ctx, ssl_callback_tmp_rsa); + SSL_CTX_set_tmp_dh_callback(c->ctx, ssl_callback_tmp_dh); + } + + /* Set default password callback */ + SSL_CTX_set_default_passwd_cb(c->ctx, ssl_no_password_callback); + SSL_CTX_set_default_passwd_cb_userdata(c->ctx, 0); + + return P2J(c); } ACR_SSL_EXPORT(void, SSLContext, free0)(JNI_STDARGS, jlong ctx) @@ -64,3 +210,11 @@ ACR_SSL_EXPORT(void, SSLContext, free0)( AcrFree(c); } +ACR_SSL_EXPORT(void, SSLContext, setid0)(JNI_STDARGS, jlong ctx, jstring id) +{ + acr_ssl_ctxt_t *c = J2P(ctx, acr_ssl_ctxt_t *); + + WITH_CSTR(id) { + MD5((const unsigned char *)J2S(id), strlen(J2S(id)), c->context_id); + } DONE_WITH_STR(id); +} Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c?rev=1170326&r1=1170325&r2=1170326&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c (original) +++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c Tue Sep 13 19:59:36 2011 
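Review bot: `(c->ctx == SSL_CTX_new(m)) == 0` compares instead of assigns: `c->ctx` never receives the new context, the `SSL_CTX` leaks on every call, and with a freshly allocated `c` the test is true for any valid method, so the constructor throws EINVAL after leaking; it must read `(c->ctx = SSL_CTX_new(m)) == 0`. Second, the three `SSL_OP_NO_*` lines disable every version other than the selected one, which for `SSL_PROTOCOL_SSLV23` disables SSLv2, SSLv3 and TLSv1 at once and leaves the version-flexible method with nothing to negotiate on a library without TLS 1.1/1.2; the SSLv23 case should keep only `SSL_OP_NO_SSLv2`. Third, `if (c == 0) return 0;` returns to Java without an exception while the method-lookup failure throws, so the Java caller silently receives a 0L pointer; throw the runtime's out-of-memory exception there as well. Finally, `MD5()` runs unconditionally here, and on a FIPS-capable OpenSSL the low-level MD5 entry points are rejected once `fipsmode0` has turned FIPS mode on (as far as I know the process is aborted), so the session-id-context digest should use an algorithm allowed in that mode. `new0` is complete within the hunk; `acr_ssl_ctxt_t`, `ssl_callback_tmp_rsa` and `ssl_callback_tmp_dh` are defined elsewhere.
```c
    /* … unchanged: allocation and protocol/mode method selection … */
    /* Assign, not compare: c->ctx must own the new SSL_CTX. */
    if (m == 0 || (c->ctx = SSL_CTX_new(m)) == 0) {
        AcrFree(c);
        ACR_THROW(ACR_EX_EINVAL, 0);
        return 0;
    }
    /* … unchanged: bio_os, protocol/mode, verify defaults … */
    SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
    /* Pin single-version methods to their version; for the version-flexible
     * SSLv23 method rule out only SSLv2, which must never be negotiated. */
    if (protocol != SSL_PROTOCOL_SSLV2)
        SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv2);
    if (protocol != SSL_PROTOCOL_SSLV3 && protocol != SSL_PROTOCOL_SSLV23)
        SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);
    if (protocol != SSL_PROTOCOL_TLSV1 && protocol != SSL_PROTOCOL_SSLV23)
        SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1);
    /* … unchanged: SINGLE_DH_USE, renegotiation option, cache size, callbacks … */
```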
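Review bot: `setid0` recomputes `c->context_id`, but nothing in this hunk or in `new0` passes that digest to `SSL_CTX_set_session_id_context`, so unless code outside this commit does it the value is stored and never applied and every context keeps OpenSSL's default session-id context. The function also has no guard for a null `ctx` or a null `id`: unless `WITH_CSTR` already skips a null jstring, `J2S(id)` reaches `strlen`, which is undefined on a null pointer. Suggest `if (c == 0 || id == 0) return;` at the top and a comment naming where `context_id` is consumed, e.g. `/* MD5 of the vhost/context id; must be applied with SSL_CTX_set_session_id_context before sessions are cached. */`.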
@@ -239,18 +239,21 @@ ACR_SSL_EXPORT(jboolean, SSL, hasFipsMod #endif } +ACR_SSL_EXPORT(jstring, SSL, errstr0)(JNI_STDARGS, jint err) +{ + char buf[256] = ""; + ERR_error_string_n(err, buf, sizeof(buf)); + return AcrNewJavaStringA(env, buf); +} + ACR_SSL_EXPORT(void, SSL, fipsmode0)(JNI_STDARGS, jboolean on) { #if defined(OPENSSL_FIPS) - if(FIPS_mode_set(on ? 1 : 0) == 0) { - unsigned long err = ERR_get_error(); - char msg[256]; - - ERR_error_string_n(err, msg, 256); - ACR_THROW_MSG(ACR_EX_ENOSYS, msg); - } + if(FIPS_mode_set(on ? 1 : 0) == 0) + ssl_throw_errno(env, ACR_EX_ENOSYS); #else - ACR_THROW_MSG(ACR_EX_ENOSYS, "FIPS was not available at build time. You will need an OpenSSL with FIPS support."); + ACR_THROW_MSG(ACR_EX_ENOSYS, "FIPS was not available at build time. " + "You will need an OpenSSL with FIPS support."); #endif } Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c?rev=1170326&r1=1170325&r2=1170326&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c (original) +++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c Tue Sep 13 19:59:36 2011 @@ -27,19 +27,24 @@ #endif /* Global password callback */ -ssl_pass_cb_t *acr_ssl_password_cb; +ssl_pass_cb_t *acr_ssl_password_cb = 0; + +int ssl_no_password_callback(char *buf, int bufsiz, int verify, void *cb) +{ + return -1; +} int ssl_password_callback(char *buf, int bufsiz, int verify, void *cb) { ssl_pass_cb_t *pcb = (ssl_pass_cb_t *)cb; if (buf == 0 || bufsiz < 0) - return 0; + return -1; buf[0] = '\0'; if (pcb == 0) pcb = acr_ssl_password_cb; if (pcb == 0) - return 0; + return -1; if (pcb->password == 0) { /* Call PasswordCallback.handler() */ 
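Review bot: `errstr0` takes the error code as `jint`, but OpenSSL error codes are `unsigned long` and `ERR_PACK` places the library number in bits 24–31, so codes from libraries numbered 128 and up (`ERR_LIB_USER`) have bit 31 set, arrive here negative and are sign-extended before `ERR_error_string_n` formats them, producing `error:FFFFFFFF80000000:...`. Take the code as `jlong` and cast, `ERR_error_string_n((unsigned long)err, buf, sizeof(buf));`, or at least mask the `jint` with `(unsigned long)(unsigned int)err`. It would also help to note on `fipsmode0` that `ssl_throw_errno` reports only the oldest queued error and leaves the rest on the queue.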
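Review bot: The `bufsiz < 0` guard still admits `bufsiz == 0`, after which `buf[0] = '\0'` writes one byte past a zero-length buffer; tighten it to `if (buf == 0 || bufsiz <= 0) return -1;`. `ssl_no_password_callback` ignores all four parameters and will draw unused-parameter warnings; add `(void)buf; (void)bufsiz; (void)verify; (void)cb;` and a comment such as `/* Default callback: refuse every passphrase request so an encrypted key cannot be loaded until a PasswordCallback is installed. */` so the secure default is recognisably deliberate. The body of `ssl_password_callback` continues past the end of the hunk.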
@@ -50,7 +55,7 @@ int ssl_password_callback(char *buf, int strlcpy(buf, pcb->password, bufsiz); return (int)strlen(buf); } - return 0; + return -1; } ACR_SSL_EXPORT(jlong, PasswordCallback, new0)(JNI_STDARGS) Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c?rev=1170326&r1=1170325&r2=1170326&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c (original) +++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c Tue Sep 13 19:59:36 2011 @@ -394,3 +394,9 @@ int ssl_ctx_use_certificate_chain(SSL_CT return n; } +void ssl_throw_errno(JNI_STDENV, int cls) +{ + char msg[256]; + ERR_error_string_n(ERR_get_error(), msg, sizeof(msg)); + AcrThrow(env, cls, msg); +}
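Review bot: `strlcpy(buf, pcb->password, bufsiz)` truncates silently when the stored passphrase is longer than the buffer OpenSSL hands in, and the function then returns the truncated length as though it were the whole passphrase, so the key fails to decrypt with a misleading bad-password error rather than an error that points at the real cause. Assuming the usual strlcpy contract (it returns the source length), check it: `if (strlcpy(buf, pcb->password, bufsiz) >= (size_t)bufsiz) return -1;`. The enclosing function starts before the hunk.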
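Review bot: `ssl_throw_errno` pops a single entry from the OpenSSL error queue and has no handling for the empty case: when nothing is queued `ERR_get_error()` returns 0 and the exception text is `error:00000000:lib(0):func(0):reason(0)`, and when several errors are queued the remainder stay behind and surface on some later, unrelated failure. Capture `unsigned long e = ERR_get_error();`, substitute a fixed message when `e == 0`, and clear the rest of the queue afterwards (`ERR_clear_error`, once it is added to the dlsym table). The name also suggests `errno` rather than the OpenSSL queue; a header comment `/* Throw cls with the text of the oldest OpenSSL error; this is the OpenSSL error queue, not errno. */` would prevent misuse.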