cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c

2005-06-07 Thread mturk
mturk   2005/06/07 01:15:32

  Modified:jni/native/include ssl_private.h
   jni/native/src sslcontext.c sslutils.c
  Log:
  Implement password handling.
  The supplied password can be given as pass:real_password or
  exec:path_to_the_executable
  
  Revision  ChangesPath
  1.16  +4 -12 
jakarta-tomcat-connectors/jni/native/include/ssl_private.h
  
  Index: ssl_private.h
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- ssl_private.h 7 Jun 2005 07:22:06 -   1.15
  +++ ssl_private.h 7 Jun 2005 08:15:32 -   1.16
  @@ -118,16 +118,6 @@
   #define SSL_CVERIFY_OPTIONAL_NO_CA  (3)
   #define SSL_VERIFY_PEER_STRICT  
(SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
   
  -#define SSL_PASSWORD_PROMPT (0)
  -#define SSL_PASSWORD_FILE   (1)
  -#define SSL_PASSWORD_EXEC   (2)
  -#define SSL_PASSWORD_ENGINE (3)
  -
  -#define STR_PASSWORD_PROMPT (pass:)
  -#define STR_PASSWORD_FILE   (file:)
  -#define STR_PASSWORD_EXEC   (exec:)
  -#define STR_PASSWORD_ENGINE (engine:)
  -
   extern void *SSL_temp_keys[SSL_TMP_KEY_MAX];
   
   typedef struct {
  @@ -141,9 +131,11 @@
   
   typedef struct {
   charpassword[SSL_MAX_PASSWORD_LEN];
  +const char *pass;
   const char *prompt;
  -int mode;
   tcn_ssl_ctxt_t *ctx;
  +apr_file_t *wrtty;
  +apr_file_t *rdtty;
   } tcn_pass_cb_t;
   
   struct tcn_ssl_ctxt_t {
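Review bot: The three new members of `tcn_pass_cb_t` are undocumented, and `pass` sitting next to the existing `password[]` buffer does not say which one holds what. From the commit log and the sslutils.c hunk in this commit, `pass` is the unparsed spec and the two tty fields are the pipe ends of the helper process, so a comment per member would spare the next reader a trip through sslutils.c: `const char *pass;   /* raw spec as configured: "pass:<secret>" or "exec:<program>" */` and `apr_file_t *wrtty;  /* stdin pipe of the exec: helper, set by ssl_pipe_child_create */` with the matching stdout comment on `rdtty`.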
  
  
  
  1.22  +3 -7  jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.21
  retrieving revision 1.22
  diff -u -r1.21 -r1.22
  --- sslcontext.c  6 Jun 2005 15:13:26 -   1.21
  +++ sslcontext.c  7 Jun 2005 08:15:32 -   1.22
  @@ -467,7 +467,6 @@
   jboolean rv = JNI_TRUE;
   TCN_ALLOC_CSTRING(cert);
   TCN_ALLOC_CSTRING(key);
  -TCN_ALLOC_CSTRING(password);
   const char *key_file, *cert_file;
   char err[256];
   
  @@ -479,10 +478,8 @@
   rv = JNI_FALSE;
   goto cleanup;
   }
  -if (J2S(password)) {
  -strncpy(c-password.password, J2S(password), SSL_MAX_PASSWORD_LEN);
  -c-password.password[SSL_MAX_PASSWORD_LEN - 1] = '\0';
  -}
  +if (password)
  +c-password.pass = tcn_pstrdup(e, password, c-pool);
   key_file  = J2S(key);
   cert_file = J2S(cert);
   if (!key_file)
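Review bot: The password spec is now duplicated into `c->pool` with `tcn_pstrdup`, so when the spec is `pass:<secret>` the plaintext stays in pool memory for the whole lifetime of the context and nothing wipes it before the pool is destroyed, whereas the removed fixed-size `c->password.password` buffer could be cleared explicitly in the context cleanup. If the native side keeps this, the cleanup path should at least overwrite the copy before the pool is released, and the length should be bounded before the string is accepted. Note also that `password` is the raw jstring now that `TCN_ALLOC_CSTRING(password)` is gone, so the conversion presumably happens inside `tcn_pstrdup`; confirm that helper takes a jstring. The enclosing function starts and ends outside this hunk.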
  @@ -523,7 +520,6 @@
   cleanup:
   TCN_FREE_CSTRING(cert);
   TCN_FREE_CSTRING(key);
  -TCN_FREE_CSTRING(password);
   return rv;
   }
   
  
  
  
  1.17  +88 -11jakarta-tomcat-connectors/jni/native/src/sslutils.c
  
  Index: sslutils.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- sslutils.c7 Jun 2005 07:22:06 -   1.16
  +++ sslutils.c7 Jun 2005 08:15:32 -   1.17
  @@ -100,14 +100,71 @@
   return APR_SUCCESS;
   }
   
  +static apr_status_t ssl_pipe_child_create(tcn_pass_cb_t *data, apr_pool_t 
*p, const char *progname)
  +{
  +/* Child process code for 'ErrorLog |...';
  + * may want a common framework for this, since I expect it will
  + * be common for other foo-loggers to want this sort of thing...
  + */
  +apr_status_t rc;
  +apr_procattr_t *procattr;
  +apr_proc_t *procnew;
  +
  +if (((rc = apr_procattr_create(procattr, p)) == APR_SUCCESS) 
  +((rc = apr_procattr_io_set(procattr,
  +   APR_FULL_BLOCK,
  +   APR_FULL_BLOCK,
  +   APR_NO_PIPE)) == APR_SUCCESS)) {
  +char **args;
  +const char *pname;
  +
  +apr_tokenize_to_argv(progname, args, p);
  +pname = apr_pstrdup(p, args[0]);
  +procnew = (apr_proc_t *)apr_pcalloc(p, sizeof(*procnew));
  +rc = apr_proc_create(procnew, pname, (const char * const *)args,
  + NULL, procattr, p);
  +if (rc == APR_SUCCESS) {
  +/* XXX: not sure if we aught to...
  + * apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT);
  + */
  +data-wrtty = procnew-in;
  +data-rdtty = procnew-out;
  +}
  +}
  +return rc;
  +}
  +
  +static int pipe_get_passwd_cb(tcn_pass_cb_t *data, char *buf, int length,
  +  const char *prompt)
  +{
  +apr_status_t rc;
  +char *p;
 

cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c

2005-06-07 Thread mturk
mturk   2005/06/07 02:13:22

  Modified:jni/native/include ssl_private.h
   jni/native/src sslcontext.c sslutils.c
  Log:
  Remove all pass: and exec: pipe handling.
  This is not the responsibility of native, but rather the Java that
  uses the API. Higher level API has to provide a way to obtain
  a valid password if needed.
  
  Revision  ChangesPath
  1.17  +1 -4  
jakarta-tomcat-connectors/jni/native/include/ssl_private.h
  
  Index: ssl_private.h
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- ssl_private.h 7 Jun 2005 08:15:32 -   1.16
  +++ ssl_private.h 7 Jun 2005 09:13:22 -   1.17
  @@ -131,11 +131,8 @@
   
   typedef struct {
   charpassword[SSL_MAX_PASSWORD_LEN];
  -const char *pass;
   const char *prompt;
   tcn_ssl_ctxt_t *ctx;
  -apr_file_t *wrtty;
  -apr_file_t *rdtty;
   } tcn_pass_cb_t;
   
   struct tcn_ssl_ctxt_t {
  
  
  
  1.25  +6 -3  jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- sslcontext.c  7 Jun 2005 09:01:00 -   1.24
  +++ sslcontext.c  7 Jun 2005 09:13:22 -   1.25
  @@ -468,6 +468,7 @@
   jboolean rv = JNI_TRUE;
   TCN_ALLOC_CSTRING(cert);
   TCN_ALLOC_CSTRING(key);
  +TCN_ALLOC_CSTRING(password);
   const char *key_file, *cert_file;
   char err[256];
   
  @@ -479,8 +480,10 @@
   rv = JNI_FALSE;
   goto cleanup;
   }
  -if (password)
  -c-password.pass = tcn_pstrdup(e, password, c-pool);
  +if (J2S(password)) {
  +strncpy(c-password.password, J2S(password), SSL_MAX_PASSWORD_LEN);
  +c-password.password[SSL_MAX_PASSWORD_LEN-1] = '\0';
  +}
   key_file  = J2S(key);
   cert_file = J2S(cert);
   if (!key_file)
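Review bot: `strncpy` into `c->password.password` silently truncates any password of `SSL_MAX_PASSWORD_LEN` or more characters, and the truncated value will later fail to unlock the key with an error that does not explain why. Reject it up front with the failure path this function already uses: `if (strlen(J2S(password)) >= SSL_MAX_PASSWORD_LEN) { rv = JNI_FALSE; goto cleanup; }`. Since the plaintext now lives in the context struct, the context cleanup should also clear that buffer before the context is freed; a plain `memset` immediately before a free may be optimized away, so use a volatile-based or platform secure-clear routine there. The enclosing function starts and ends outside this hunk.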
  
  
  
  1.18  +3 -116jakarta-tomcat-connectors/jni/native/src/sslutils.c
  
  Index: sslutils.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- sslutils.c7 Jun 2005 08:15:32 -   1.17
  +++ sslutils.c7 Jun 2005 09:13:22 -   1.18
  @@ -73,92 +73,6 @@
   return;
   }
   
  -/*
  - * Return APR_SUCCESS if the named file exists and is readable
  - */
  -static apr_status_t exists_and_readable(const char *fname, apr_pool_t *pool,
  -apr_time_t *mtime)
  -{
  -apr_status_t stat;
  -apr_finfo_t sbuf;
  -apr_file_t *fd;
  -
  -if ((stat = apr_stat(sbuf, fname, APR_FINFO_MIN, pool)) != APR_SUCCESS)
  -return stat;
  -
  -if (sbuf.filetype != APR_REG)
  -return APR_EGENERAL;
  -
  -if ((stat = apr_file_open(fd, fname, APR_READ, 0, pool)) != APR_SUCCESS)
  -return stat;
  -
  -if (mtime) {
  -*mtime = sbuf.mtime;
  -}
  -
  -apr_file_close(fd);
  -return APR_SUCCESS;
  -}
  -
  -static apr_status_t ssl_pipe_child_create(tcn_pass_cb_t *data, apr_pool_t 
*p, const char *progname)
  -{
  -/* Child process code for 'ErrorLog |...';
  - * may want a common framework for this, since I expect it will
  - * be common for other foo-loggers to want this sort of thing...
  - */
  -apr_status_t rc;
  -apr_procattr_t *procattr;
  -apr_proc_t *procnew;
  -
  -if (((rc = apr_procattr_create(procattr, p)) == APR_SUCCESS) 
  -((rc = apr_procattr_io_set(procattr,
  -   APR_FULL_BLOCK,
  -   APR_FULL_BLOCK,
  -   APR_NO_PIPE)) == APR_SUCCESS)) {
  -char **args;
  -const char *pname;
  -
  -apr_tokenize_to_argv(progname, args, p);
  -pname = apr_pstrdup(p, args[0]);
  -procnew = (apr_proc_t *)apr_pcalloc(p, sizeof(*procnew));
  -rc = apr_proc_create(procnew, pname, (const char * const *)args,
  - NULL, procattr, p);
  -if (rc == APR_SUCCESS) {
  -/* XXX: not sure if we aught to...
  - * apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT);
  - */
  -data-wrtty = procnew-in;
  -data-rdtty = procnew-out;
  -}
  -}
  -return rc;
  -}
  -
  -static int pipe_get_passwd_cb(tcn_pass_cb_t *data, char *buf, int length,
  -  const char *prompt)
  -{
  -apr_status_t rc;
  -

cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c

2005-06-02 Thread mturk
mturk   2005/06/02 04:07:07

  Modified:jni/native/include ssl_private.h
   jni/native/src sslcontext.c sslutils.c
  Log:
  Implement Client Authentication verify callback and CA initialization.
  
  Revision  ChangesPath
  1.11  +12 -1 
jakarta-tomcat-connectors/jni/native/include/ssl_private.h
  
  Index: ssl_private.h
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- ssl_private.h 2 Jun 2005 07:44:38 -   1.10
  +++ ssl_private.h 2 Jun 2005 11:07:06 -   1.11
  @@ -88,6 +88,14 @@
   #define SSL_DEFAULT_CACHE_SIZE  (256)
   #define SSL_DEFAULT_VHOST_NAME  (_default_:443)
   #define SSL_MAX_STR_LEN 2048
  +
  +#define SSL_CVERIFY_UNSET   (-1)
  +#define SSL_CVERIFY_NONE(0)
  +#define SSL_CVERIFY_OPTIONAL(1)
  +#define SSL_CVERIFY_REQUIRE (2)
  +#define SSL_CVERIFY_OPTIONAL_NO_CA  (3)
  +#define SSL_VERIFY_PEER_STRICT  
(SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
  +
   /* public cert/private key */
   typedef struct {
   /*
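Review bot: The `SSL_CVERIFY_*` levels are added as bare integers with no comment on their meaning or on where the values come from; the sslcontext.c hunk in this commit stores the Java-supplied `level` directly into `c->verify_mode` and compares it against these constants, so both sides must agree exactly. A short header comment such as `/* Client-certificate verification levels as passed in from the Java API; keep in sync with the Java-side constants */` above `SSL_CVERIFY_UNSET` would make that contract explicit, and `SSL_VERIFY_PEER_STRICT` deserves a one-line note that it is the OpenSSL flag combination that makes a client certificate mandatory.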
  @@ -167,5 +175,8 @@
   RSA*SSL_callback_tmp_RSA(SSL *, int, int);
   DH *SSL_callback_tmp_DH(SSL *, int, int);
   voidSSL_vhost_algo_id(const unsigned char *, unsigned char *, int);
  +int SSL_callback_SSL_verify(int, X509_STORE_CTX *);
  +STACK_OF(X509_NAME)
  +*SSL_init_findCAList(tcn_ssl_ctxt_t *, const char *, const char 
*);
   
   #endif /* SSL_PRIVATE_H */
  
  
  
  1.18  +66 -4 jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- sslcontext.c  2 Jun 2005 10:19:32 -   1.17
  +++ sslcontext.c  2 Jun 2005 11:07:06 -   1.18
  @@ -183,8 +183,8 @@
   
   SSL_CTX_set_tmp_rsa_callback(c-ctx, SSL_callback_tmp_RSA);
   SSL_CTX_set_tmp_dh_callback(c-ctx,  SSL_callback_tmp_DH);
  -
  -/* Set default Certificate verification level 
  +
  +/* Set default Certificate verification level
* and depth for the Client Authentication
*/
   c-verify_depth = 1;
  @@ -565,11 +565,73 @@
 jint level)
   {
   tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +int verify = SSL_VERIFY_NONE;
  +STACK_OF(X509_NAME) *ca_list;
   
   UNREFERENCED_STDARGS;
   TCN_ASSERT(ctx != 0);
   c-verify_mode = level;
  -/* TODO: Add verification code callback */
  +
  +if (c-verify_mode == SSL_CVERIFY_UNSET)
  +c-verify_mode = SSL_CVERIFY_NONE;
  +
  +/*
  + *  Configure callbacks for SSL context
  + */
  +if (c-verify_mode == SSL_CVERIFY_REQUIRE)
  +verify |= SSL_VERIFY_PEER_STRICT;
  +if ((c-verify_mode == SSL_CVERIFY_OPTIONAL) ||
  +(c-verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
  +verify |= SSL_VERIFY_PEER;
  +
  +SSL_CTX_set_verify(c-ctx, verify, SSL_callback_SSL_verify);
  +   /*
  + * Configure Client Authentication details
  + */
  +if (c-ca_cert_file || c-ca_cert_path) {
  +if (!SSL_CTX_load_verify_locations(c-ctx,
  + c-ca_cert_file,
  + c-ca_cert_path)) {
  +BIO_printf(c-bio_os, [ERROR] 
  +   Unable to configure verify locations 
  +   for client authentication);
  +return JNI_FALSE;
  +}
  +
  +if (c-mode  (c-pk.s.ca_name_file || c-pk.s.ca_name_path)) {
  +ca_list = SSL_init_findCAList(c,
  +  c-pk.s.ca_name_file,
  +  c-pk.s.ca_name_path);
  +}
  +else {
  +ca_list = SSL_init_findCAList(c,
  +  c-ca_cert_file,
  +  c-ca_cert_path);
  +}
  +if (!ca_list) {
  +BIO_printf(c-bio_os, [ERROR] 
  +   Unable to determine list of acceptable 
  +   CA certificates for client authentication);
  +return JNI_FALSE;
  +}
  +SSL_CTX_set_client_CA_list(c-ctx, (STACK *)ca_list);
  +}
  +
  +/*
  + * Give a warning when no CAs were configured but client authentication
  + * should take place. This cannot work.
  + */
  +if (c-verify_mode == SSL_CVERIFY_REQUIRE) {
  +ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(c-ctx);
  +
  +if (sk_X509_NAME_num(ca_list) == 0) {
  +BIO_printf(c-bio_os,
  +   

cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c

2005-06-01 Thread mturk
mturk   2005/06/01 02:05:08

  Modified:jni/native/include ssl_private.h
   jni/native/src sslcontext.c sslutils.c
  Log:
  Rename BIO struct members and strip any CRLF from the prompted password.
  
  Revision  ChangesPath
  1.7   +3 -3  
jakarta-tomcat-connectors/jni/native/include/ssl_private.h
  
  Index: ssl_private.h
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- ssl_private.h 1 Jun 2005 08:19:39 -   1.6
  +++ ssl_private.h 1 Jun 2005 09:05:08 -   1.7
  @@ -110,8 +110,8 @@
   struct tcn_ssl_ctxt {
   apr_pool_t  *pool;
   SSL_CTX *ctx;
  -BIO *bio_err;
  -BIO *pprompt;
  +BIO *bio_os;
  +BIO *bio_is;
   unsigned char   vhost_id[MD5_DIGEST_LENGTH];
   
   int protocol;
  
  
  
  1.6   +29 -29jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- sslcontext.c  1 Jun 2005 08:19:39 -   1.5
  +++ sslcontext.c  1 Jun 2005 09:05:08 -   1.6
  @@ -57,12 +57,12 @@
   sk_X509_INFO_pop_free(c-pk.c.certs, X509_INFO_free);
   c-pk.c.certs = NULL;
   }
  -if (c-pprompt)
  -BIO_free(c-pprompt);
  -c-pprompt = NULL;
  -if (c-bio_err)
  -BIO_free(c-bio_err);
  -c-bio_err = NULL;
  +if (c-bio_is)
  +BIO_free(c-bio_is);
  +c-bio_is = NULL;
  +if (c-bio_os)
  +BIO_free(c-bio_os);
  +c-bio_os = NULL;
   }
   return APR_SUCCESS;
   }
  @@ -105,13 +105,13 @@
   c-mode = 1;
   c-ctx  = ctx;
   c-pool = p;
  -c-bio_err = BIO_new(BIO_s_file());
  -c-pprompt = BIO_new(BIO_s_file());
  -if (c-bio_err != NULL)
  -BIO_set_fp(c-bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
  -if (c-pprompt != NULL) {
  -BIO_set_fp(c-bio_err, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
  -c-pprompt-flags = BIO_FLAGS_MEM_RDONLY;
  +c-bio_os = BIO_new(BIO_s_file());
  +c-bio_is = BIO_new(BIO_s_file());
  +if (c-bio_os != NULL)
  +BIO_set_fp(c-bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
  +if (c-bio_is != NULL) {
  +BIO_set_fp(c-bio_is, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
  +c-bio_is-flags = BIO_FLAGS_MEM_RDONLY;
   }
   SSL_CTX_set_options(c-ctx, SSL_OP_ALL);
   if (!(protocol  SSL_PROTOCOL_SSLV2))
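Review bot: `c->bio_is->flags = BIO_FLAGS_MEM_RDONLY` overloads a memory-BIO flag on a `BIO_s_file()` BIO as a private "prompt reads stdin" marker, and the plain assignment also discards any flags the BIO already carried instead of OR-ing one in; a project-defined flag with its own name would state the intent and avoid colliding with OpenSSL's use of that bit. The identical stderr/stdin BIO setup is repeated verbatim in the next hunk (the `c->mode = 0` initializer), so it is worth moving into one `static` helper that both initializers call. Both enclosing functions start and end outside their hunks.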
  @@ -182,13 +182,13 @@
   c-mode = 0;
   c-ctx  = ctx;
   c-pool = p;
  -c-bio_err = BIO_new(BIO_s_file());
  -c-pprompt = BIO_new(BIO_s_file());
  -if (c-bio_err != NULL)
  -BIO_set_fp(c-bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
  -if (c-pprompt != NULL) {
  -BIO_set_fp(c-bio_err, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
  -c-pprompt-flags = BIO_FLAGS_MEM_RDONLY;
  +c-bio_os = BIO_new(BIO_s_file());
  +c-bio_is = BIO_new(BIO_s_file());
  +if (c-bio_os != NULL)
  +BIO_set_fp(c-bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
  +if (c-bio_is != NULL) {
  +BIO_set_fp(c-bio_is, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
  +c-bio_is-flags = BIO_FLAGS_MEM_RDONLY;
   }
   SSL_CTX_set_options(c-ctx, SSL_OP_ALL);
   if (!(protocol  SSL_PROTOCOL_SSLV2))
  @@ -249,26 +249,26 @@
   jlong bio)
   {
   tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  -BIO *bio_err  = J2P(bio, BIO *);
  +BIO *bio_os   = J2P(bio, BIO *);
   
   UNREFERENCED_STDARGS;
   TCN_ASSERT(ctx != 0);
  -if (c-bio_err  c-bio_err != bio_err)
  -BIO_free(c-bio_err);
  -c-bio_err = bio_err;
  +if (c-bio_os  c-bio_os != bio_os)
  +BIO_free(c-bio_os);
  +c-bio_os = bio_os;
   }
   
   TCN_IMPLEMENT_CALL(void, SSLContext, setPPromptBIO)(TCN_STDARGS, jlong ctx,
   jlong bio)
   {
   tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  -BIO *pprompt  = J2P(bio, BIO *);
  +BIO *bio_is   = J2P(bio, BIO *);
   
   UNREFERENCED_STDARGS;
   TCN_ASSERT(ctx != 0);
  -if (c-pprompt  c-pprompt != pprompt)
  -BIO_free(c-pprompt);
  -c-pprompt = pprompt;
  +if (c-bio_is  c-bio_is != bio_is)
  +BIO_free(c-bio_is);
  +c-bio_is = bio_is;
   }
   
   
  
  
  
  1.5   +20 -6 jakarta-tomcat-connectors/jni/native/src/sslutils.c
  
  Index: sslutils.c
  ===
  RCS file: 

cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c

2005-06-01 Thread mturk
mturk   2005/06/01 04:22:16

  Modified:jni/native/src sslcontext.c sslutils.c
  Log:
  Do not set 'stdin' as default BIO for password prompt. Use conio for
  WIN32 (curses will be added for posix).
  
  Revision  ChangesPath
  1.8   +1 -11 jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- sslcontext.c  1 Jun 2005 10:45:03 -   1.7
  +++ sslcontext.c  1 Jun 2005 11:22:16 -   1.8
  @@ -107,13 +107,8 @@
   c-ctx  = ctx;
   c-pool = p;
   c-bio_os = BIO_new(BIO_s_file());
  -c-bio_is = BIO_new(BIO_s_file());
   if (c-bio_os != NULL)
   BIO_set_fp(c-bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
  -if (c-bio_is != NULL) {
  -BIO_set_fp(c-bio_is, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
  -c-bio_is-flags = SSL_BIO_FLAG_RDONLY;
  -}
   SSL_CTX_set_options(c-ctx, SSL_OP_ALL);
   if (!(protocol  SSL_PROTOCOL_SSLV2))
   SSL_CTX_set_options(c-ctx, SSL_OP_NO_SSLv2);
  @@ -184,13 +179,8 @@
   c-ctx  = ctx;
   c-pool = p;
   c-bio_os = BIO_new(BIO_s_file());
  -c-bio_is = BIO_new(BIO_s_file());
   if (c-bio_os != NULL)
   BIO_set_fp(c-bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
  -if (c-bio_is != NULL) {
  -BIO_set_fp(c-bio_is, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
  -c-bio_is-flags = SSL_BIO_FLAG_RDONLY;
  -}
   SSL_CTX_set_options(c-ctx, SSL_OP_ALL);
   if (!(protocol  SSL_PROTOCOL_SSLV2))
   SSL_CTX_set_options(c-ctx, SSL_OP_NO_SSLv2);
  
  
  
  1.7   +23 -2 jakarta-tomcat-connectors/jni/native/src/sslutils.c
  
  Index: sslutils.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- sslutils.c1 Jun 2005 10:45:03 -   1.6
  +++ sslutils.c1 Jun 2005 11:22:16 -   1.7
  @@ -104,7 +104,8 @@
   int SSL_password_prompt(tcn_ssl_ctxt_t *c, char *buf, int len)
   {
   int rv = 0;
  -if (c  c-bio_is) {
  +*buf = '\0';
  +if (c-bio_is) {
   if (c-bio_is-flags  SSL_BIO_FLAG_RDONLY) {
   /* Use error BIO in case of stdin */
   BIO_printf(c-bio_os, Enter password: );
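Review bot: `*buf = '\0'` now writes to the buffer before `len` has been checked, and the `c && ...` guard that protected against a NULL context is dropped on the same line, so a caller passing `len == 0` or a NULL `c` gets undefined behaviour where the old code returned `0`. A guard at the top keeps the new "always return a terminated string" contract safe: `if (!c || !buf || len <= 0) return 0;`. The function body continues in the next hunk.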
  @@ -125,6 +126,26 @@
   }
   }
   }
  +else {
  +#ifdef WIN32
  +#include conio.h
  +int ch;
  +BIO_printf(c-bio_os, Enter password: );
  +do {
  +ch = getch();
  +if (ch == '\r')
  +break;
  +fputc('*', stdout);
  +buf[rv++] = ch;
  +if (rv + 1  len)
  +continue;
  +} while (ch != '\n');
  +buf[rv] = '\0';
  +fputc('\n', stdout);
  +fflush(stdout);
  +#endif
  +
  +}
   return rv;
   }
   
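Review bot: The WIN32 read loop can write past the end of `buf`: the length test after `buf[rv++] = ch` only decides whether to `continue`, and when it fails control reaches `while (ch != '\n')`, which keeps looping and storing characters until a newline or carriage return arrives, so a password longer than `len - 1` characters overruns the buffer. Test the bound before storing and leave the loop when it is reached, and treat `EOF` from `getch()` as a terminator so a closed console cannot spin forever: `if (ch == EOF || ch == '\r' || ch == '\n') break;` followed by `if (rv + 1 >= len) break;` ahead of `buf[rv++] = ch;`. The `#include <conio.h>` placed inside the function body belongs with the other includes at the top of the file under the same `#ifdef WIN32`.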
  
  
  




cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c

2005-06-01 Thread mturk
mturk   2005/06/01 08:20:14

  Modified:jni/native/include ssl_private.h
   jni/native/src sslcontext.c sslutils.c
  Log:
  Handle the Temporary RSA Keys and DH Params.
  
  Revision  ChangesPath
  1.9   +15 -2 
jakarta-tomcat-connectors/jni/native/include/ssl_private.h
  
  Index: ssl_private.h
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- ssl_private.h 1 Jun 2005 10:45:02 -   1.8
  +++ ssl_private.h 1 Jun 2005 15:20:14 -   1.9
  @@ -85,6 +85,7 @@
   
   #define SSL_BIO_FLAG_RDONLY (10)
   #define SSL_BIO_FLAG_CALLBACK   (11)
  +#define SSL_DEFAULT_CACHE_SIZE  (256)
   
   /* public cert/private key */
   typedef struct {
  @@ -138,11 +139,18 @@
   /* for client or downstream server authentication */
   int verify_depth;
   int verify_mode;
  -
  +void*temp_keys[SSL_TMP_KEY_MAX];
   };
   
   typedef struct tcn_ssl_ctxt tcn_ssl_ctxt_t;
   
  +struct tcn_ssl_conn {
  +tcn_ssl_ctxt_t *ctx;
  +SSL*ssl;
  +};
  +
  +typedef struct tcn_ssl_conn tcn_ssl_conn_t;
  +
   /*
*  Additional Functions
*/
  @@ -152,5 +160,10 @@
   int SSL_password_prompt(tcn_ssl_ctxt_t *, char *, int);
   voidSSL_BIO_close(BIO *);
   voidSSL_BIO_doref(BIO *);
  +DH *SSL_dh_get_tmp_param(int);
  +DH *SSL_dh_get_param_from_file(const char *);
  +RSA*SSL_callback_tmp_RSA(SSL *, int, int);
  +DH *SSL_callback_tmp_DH(SSL *, int, int);
  +
   
   #endif /* SSL_PRIVATE_H */
  
  
  
  1.14  +55 -1 jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.13
  retrieving revision 1.14
  diff -u -r1.13 -r1.14
  --- sslcontext.c  1 Jun 2005 12:36:24 -   1.13
  +++ sslcontext.c  1 Jun 2005 15:20:14 -   1.14
  @@ -30,6 +30,53 @@
   #ifdef HAVE_OPENSSL
   #include ssl_private.h
   
  +/*
  + * Handle the Temporary RSA Keys and DH Params
  + */
  +
  +#define SSL_TMP_KEY_FREE(ctx, type, idx) \
  +if (ctx-temp_keys[idx]) { \
  +type##_free((type *)ctx-temp_keys[idx]); \
  +ctx-temp_keys[idx] = NULL; \
  +}
  +
  +#define SSL_TMP_KEYS_FREE(ctx, type) \
  +SSL_TMP_KEY_FREE(ctx, type, SSL_TMP_KEY_##type##_512); \
  +SSL_TMP_KEY_FREE(ctx, type, SSL_TMP_KEY_##type##_1024)
  +
  +static void ssl_tmp_keys_free(tcn_ssl_ctxt_t *ctx)
  +{
  +
  +SSL_TMP_KEYS_FREE(ctx, RSA);
  +SSL_TMP_KEYS_FREE(ctx, DH);
  +}
  +
  +static int ssl_tmp_key_init_rsa(tcn_ssl_ctxt_t *ctx,
  +int bits, int idx)
  +{
  +if (!(ctx-temp_keys[idx] =
  +  RSA_generate_key(bits, RSA_F4, NULL, NULL))) {
  +BIO_printf(ctx-bio_os, [ERROR] 
  +   Init: Failed to generate temporary 
  +   %d bit RSA private key, bits);
  +return 0;
  +}
  +return 1;
  +}
  +
  +static int ssl_tmp_key_init_dh(tcn_ssl_ctxt_t *ctx,
  +   int bits, int idx)
  +{
  +if (!(ctx-temp_keys[idx] =
  +  SSL_dh_get_tmp_param(bits))) {
  +BIO_printf(ctx-bio_os, [ERROR] 
  +   Init: Failed to generate temporary 
  +   %d bit DH parameters, bits);
  +return 0;
  +}
  +return 1;
  +}
  +
   static apr_status_t ssl_context_cleanup(void *data)
   {
   tcn_ssl_ctxt_t *c = (tcn_ssl_ctxt_t *)data;
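Review bot: `SSL_TMP_KEY_FREE` expands to a bare `if` and `SSL_TMP_KEYS_FREE` to two such statements, so either macro used as the body of an unbraced `if`/`else` would silently attach only its first statement or produce a dangling-else; wrap each expansion in `do { ... } while (0)` and parenthesize `(ctx)` since it is dereferenced inside. `ssl_tmp_key_init_rsa` and `ssl_tmp_key_init_dh` carry no comment saying that they fill `ctx->temp_keys[idx]` for the `SSL_callback_tmp_RSA`/`SSL_callback_tmp_DH` callbacks registered in the next hunk, which is the only reason the untyped `void *` slots exist. The `_512` slots presumably serve export-grade cipher suites only; if the configured cipher list never enables those, generating a 512-bit RSA key at startup is wasted work and a weak key held in memory, so it is worth gating on need or at least documenting.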
  @@ -128,6 +175,11 @@
*/
   SSL_CTX_set_options(c-ctx, 
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
   #endif
  +SSL_CTX_sess_set_cache_size(c-ctx, SSL_DEFAULT_CACHE_SIZE);
  +
  +SSL_CTX_set_tmp_rsa_callback(c-ctx, SSL_callback_tmp_RSA);
  +SSL_CTX_set_tmp_dh_callback(c-ctx,  SSL_callback_tmp_DH);
  +
   /*
* Let us cleanup the ssl context when the pool is destroyed
*/
  @@ -200,6 +252,8 @@
*/
   SSL_CTX_set_options(c-ctx, 
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
   #endif
  +
  +SSL_CTX_sess_set_cache_size(c-ctx, SSL_DEFAULT_CACHE_SIZE);
   /*
* Let us cleanup the ssl context when the pool is destroyed
*/
  
  
  
  1.8   +203 -1jakarta-tomcat-connectors/jni/native/src/sslutils.c
  
  Index: sslutils.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- sslutils.c1 Jun 2005 11:22:16 -   1.7
  +++ sslutils.c1 Jun 2005 15:20:14 -   1.8
  @@ -149,6 +149,208 @@
   return rv;
   }
   
  +
  +/*