cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c
mturk 2005/06/07 01:15:32 Modified:jni/native/include ssl_private.h jni/native/src sslcontext.c sslutils.c Log: Implement password handling. The supplied password can be pass:real_password or exec:path_to_the executable Revision ChangesPath 1.16 +4 -12 jakarta-tomcat-connectors/jni/native/include/ssl_private.h Index: ssl_private.h === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- ssl_private.h 7 Jun 2005 07:22:06 - 1.15 +++ ssl_private.h 7 Jun 2005 08:15:32 - 1.16 @@ -118,16 +118,6 @@ #define SSL_CVERIFY_OPTIONAL_NO_CA (3) #define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) -#define SSL_PASSWORD_PROMPT (0) -#define SSL_PASSWORD_FILE (1) -#define SSL_PASSWORD_EXEC (2) -#define SSL_PASSWORD_ENGINE (3) - -#define STR_PASSWORD_PROMPT (pass:) -#define STR_PASSWORD_FILE (file:) -#define STR_PASSWORD_EXEC (exec:) -#define STR_PASSWORD_ENGINE (engine:) - extern void *SSL_temp_keys[SSL_TMP_KEY_MAX]; typedef struct { @@ -141,9 +131,11 @@ typedef struct { charpassword[SSL_MAX_PASSWORD_LEN]; +const char *pass; const char *prompt; -int mode; tcn_ssl_ctxt_t *ctx; +apr_file_t *wrtty; +apr_file_t *rdtty; } tcn_pass_cb_t; struct tcn_ssl_ctxt_t { 1.22 +3 -7 jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.21 retrieving revision 1.22 diff -u -r1.21 -r1.22 --- sslcontext.c 6 Jun 2005 15:13:26 - 1.21 +++ sslcontext.c 7 Jun 2005 08:15:32 - 1.22 @@ -467,7 +467,6 @@ jboolean rv = JNI_TRUE; TCN_ALLOC_CSTRING(cert); TCN_ALLOC_CSTRING(key); -TCN_ALLOC_CSTRING(password); const char *key_file, *cert_file; char err[256]; 
@@ -479,10 +478,8 @@ rv = JNI_FALSE; goto cleanup; } -if (J2S(password)) { -strncpy(c-password.password, J2S(password), SSL_MAX_PASSWORD_LEN); -c-password.password[SSL_MAX_PASSWORD_LEN - 1] = '\0'; -} +if (password) +c-password.pass = tcn_pstrdup(e, password, c-pool); key_file = J2S(key); cert_file = J2S(cert); if (!key_file) @@ -523,7 +520,6 @@ cleanup: TCN_FREE_CSTRING(cert); TCN_FREE_CSTRING(key); -TCN_FREE_CSTRING(password); return rv; } 1.17 +88 -11jakarta-tomcat-connectors/jni/native/src/sslutils.c Index: sslutils.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- sslutils.c7 Jun 2005 07:22:06 - 1.16 +++ sslutils.c7 Jun 2005 08:15:32 - 1.17 @@ -100,14 +100,71 @@ return APR_SUCCESS; } +static apr_status_t ssl_pipe_child_create(tcn_pass_cb_t *data, apr_pool_t *p, const char *progname) +{ +/* Child process code for 'ErrorLog |...'; + * may want a common framework for this, since I expect it will + * be common for other foo-loggers to want this sort of thing... + */ +apr_status_t rc; +apr_procattr_t *procattr; +apr_proc_t *procnew; + +if (((rc = apr_procattr_create(procattr, p)) == APR_SUCCESS) +((rc = apr_procattr_io_set(procattr, + APR_FULL_BLOCK, + APR_FULL_BLOCK, + APR_NO_PIPE)) == APR_SUCCESS)) { +char **args; +const char *pname; + +apr_tokenize_to_argv(progname, args, p); +pname = apr_pstrdup(p, args[0]); +procnew = (apr_proc_t *)apr_pcalloc(p, sizeof(*procnew)); +rc = apr_proc_create(procnew, pname, (const char * const *)args, + NULL, procattr, p); +if (rc == APR_SUCCESS) { +/* XXX: not sure if we aught to... + * apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT); + */ +data-wrtty = procnew-in; +data-rdtty = procnew-out; +} +} +return rc; +} + +static int pipe_get_passwd_cb(tcn_pass_cb_t *data, char *buf, int length, + const char *prompt) +{ +apr_status_t rc; +char *p;
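Review bot: The secret now lives in `c->password.pass`, a pool-duplicated copy that persists until the pool is destroyed and, unlike the fixed `password[]` buffer the removed lines filled, has nowhere obvious to be wiped — pool teardown does not clear memory. If the `pass:` form stays, I would keep copying the secret into the bounded `c->password.password` buffer and clear it in `ssl_context_cleanup` with `OPENSSL_cleanse(c->password.password, sizeof(c->password.password))`; that cleanup is outside this hunk, so I cannot see whether it already does. The `exec:` form, handled in the sslutils.c hunk further down, tokenizes the configured string and runs it with the server's privileges, which is worth a comment at this call site so the configured path is not left writable by unprivileged users. The new `if (password)` also tests the jstring handle, whereas the removed `if (J2S(password))` tested the converted C string; presumably `tcn_pstrdup` copes with an empty string, but a comment saying so would help. The enclosing function starts before this hunk.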
cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c
mturk 2005/06/07 02:13:22 Modified:jni/native/include ssl_private.h jni/native/src sslcontext.c sslutils.c Log: Remove all pass: and exec: pipe handling. This is not the responsibility of native, but rather the Java that uses the API. Higher level API has to provide a way to obtain a valid password if needed. Revision ChangesPath 1.17 +1 -4 jakarta-tomcat-connectors/jni/native/include/ssl_private.h Index: ssl_private.h === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- ssl_private.h 7 Jun 2005 08:15:32 - 1.16 +++ ssl_private.h 7 Jun 2005 09:13:22 - 1.17 @@ -131,11 +131,8 @@ typedef struct { charpassword[SSL_MAX_PASSWORD_LEN]; -const char *pass; const char *prompt; tcn_ssl_ctxt_t *ctx; -apr_file_t *wrtty; -apr_file_t *rdtty; } tcn_pass_cb_t; struct tcn_ssl_ctxt_t { 1.25 +6 -3 jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- sslcontext.c 7 Jun 2005 09:01:00 - 1.24 +++ sslcontext.c 7 Jun 2005 09:13:22 - 1.25 @@ -468,6 +468,7 @@ jboolean rv = JNI_TRUE; TCN_ALLOC_CSTRING(cert); TCN_ALLOC_CSTRING(key); +TCN_ALLOC_CSTRING(password); const char *key_file, *cert_file; char err[256]; 
@@ -479,8 +480,10 @@
rv = JNI_FALSE;
goto cleanup;
}
-if (password)
-c-password.pass = tcn_pstrdup(e, password, c-pool);
+if (J2S(password)) {
+strncpy(c-password.password, J2S(password), SSL_MAX_PASSWORD_LEN);
+c-password.password[SSL_MAX_PASSWORD_LEN-1] = '\0';
+}
key_file = J2S(key);
cert_file = J2S(cert);
if (!key_file)
1.18 +3 -116jakarta-tomcat-connectors/jni/native/src/sslutils.c
Index: sslutils.c
===
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- sslutils.c7 Jun 2005 08:15:32 - 1.17
+++ sslutils.c7 Jun 2005 09:13:22 - 1.18
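Review bot: The restored `strncpy` is bounded and NUL-terminated, but a password longer than `SSL_MAX_PASSWORD_LEN - 1` is silently truncated, so the key load later fails with an unrelated OpenSSL error instead of a clear configuration error. I would reject it up front, before the copy: `if (strlen(J2S(password)) >= SSL_MAX_PASSWORD_LEN) { rv = JNI_FALSE; goto cleanup; }`. The copied secret then sits in `c->password.password` for the lifetime of the context; `ssl_context_cleanup` is outside this hunk, but it should wipe that buffer with `OPENSSL_cleanse` rather than a plain `memset`, which the compiler may elide before a free. The enclosing function starts before this hunk.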
@@ -73,92 +73,6 @@ return; } -/* - * Return APR_SUCCESS if the named file exists and is readable - */ -static apr_status_t exists_and_readable(const char *fname, apr_pool_t *pool, -apr_time_t *mtime) -{ -apr_status_t stat; -apr_finfo_t sbuf; -apr_file_t *fd; - -if ((stat = apr_stat(sbuf, fname, APR_FINFO_MIN, pool)) != APR_SUCCESS) -return stat; - -if (sbuf.filetype != APR_REG) -return APR_EGENERAL; - -if ((stat = apr_file_open(fd, fname, APR_READ, 0, pool)) != APR_SUCCESS) -return stat; - -if (mtime) { -*mtime = sbuf.mtime; -} - -apr_file_close(fd); -return APR_SUCCESS; -} - -static apr_status_t ssl_pipe_child_create(tcn_pass_cb_t *data, apr_pool_t *p, const char *progname) -{ -/* Child process code for 'ErrorLog |...'; - * may want a common framework for this, since I expect it will - * be common for other foo-loggers to want this sort of thing... - */ -apr_status_t rc; -apr_procattr_t *procattr; -apr_proc_t *procnew; - -if (((rc = apr_procattr_create(procattr, p)) == APR_SUCCESS) -((rc = apr_procattr_io_set(procattr, - APR_FULL_BLOCK, - APR_FULL_BLOCK, - APR_NO_PIPE)) == APR_SUCCESS)) { -char **args; -const char *pname; - -apr_tokenize_to_argv(progname, args, p); -pname = apr_pstrdup(p, args[0]); -procnew = (apr_proc_t *)apr_pcalloc(p, sizeof(*procnew)); -rc = apr_proc_create(procnew, pname, (const char * const *)args, - NULL, procattr, p); -if (rc == APR_SUCCESS) { -/* XXX: not sure if we aught to... - * apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT); - */ -data-wrtty = procnew-in; -data-rdtty = procnew-out; -} -} -return rc; -} - -static int pipe_get_passwd_cb(tcn_pass_cb_t *data, char *buf, int length, - const char *prompt) -{ -apr_status_t rc; -
cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c
mturk 2005/06/02 04:07:07 Modified:jni/native/include ssl_private.h jni/native/src sslcontext.c sslutils.c Log: Implement Client Authentication verify callback and CA initialization. Revision ChangesPath 1.11 +12 -1 jakarta-tomcat-connectors/jni/native/include/ssl_private.h Index: ssl_private.h === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- ssl_private.h 2 Jun 2005 07:44:38 - 1.10 +++ ssl_private.h 2 Jun 2005 11:07:06 - 1.11 @@ -88,6 +88,14 @@ #define SSL_DEFAULT_CACHE_SIZE (256) #define SSL_DEFAULT_VHOST_NAME (_default_:443) #define SSL_MAX_STR_LEN 2048 + +#define SSL_CVERIFY_UNSET (-1) +#define SSL_CVERIFY_NONE(0) +#define SSL_CVERIFY_OPTIONAL(1) +#define SSL_CVERIFY_REQUIRE (2) +#define SSL_CVERIFY_OPTIONAL_NO_CA (3) +#define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) + /* public cert/private key */ typedef struct { /* @@ -167,5 +175,8 @@ RSA*SSL_callback_tmp_RSA(SSL *, int, int); DH *SSL_callback_tmp_DH(SSL *, int, int); voidSSL_vhost_algo_id(const unsigned char *, unsigned char *, int); +int SSL_callback_SSL_verify(int, X509_STORE_CTX *); +STACK_OF(X509_NAME) +*SSL_init_findCAList(tcn_ssl_ctxt_t *, const char *, const char *); #endif /* SSL_PRIVATE_H */ 1.18 +66 -4 jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- sslcontext.c 2 Jun 2005 10:19:32 - 1.17 +++ sslcontext.c 2 Jun 2005 11:07:06 - 1.18 @@ -183,8 +183,8 @@ SSL_CTX_set_tmp_rsa_callback(c-ctx, SSL_callback_tmp_RSA); SSL_CTX_set_tmp_dh_callback(c-ctx, SSL_callback_tmp_DH); - -/* Set default Certificate verification level + +/* Set default Certificate verification level * and depth for the Client Authentication */ c-verify_depth = 1; 
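Review bot: The new `SSL_CVERIFY_*` constants are ordinal levels (-1..3) placed right next to OpenSSL's `SSL_VERIFY_*` bitmask flags, and the matching prefix style makes it easy to OR one into the other by mistake; a comment at the top of the group should state the distinction, e.g. `/* Client-verification levels of the JNI API; mapped onto SSL_VERIFY_* flags in setVerify, never OR'ed with them */`. `SSL_CVERIFY_OPTIONAL_NO_CA` in particular implies a verify callback that tolerates an unknown issuer, and one line here saying so would stop a reader from assuming it is as strict as `SSL_CVERIFY_OPTIONAL`. The sslcontext.c hunk that performs the mapping runs past the end of this page, so I could not check that every level is handled there.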
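Review bot: The two new prototypes drop parameter names, as the rest of this header does, but for `SSL_callback_SSL_verify` the nameless `int` hides the one thing a reader needs: it is OpenSSL's `preverify_ok`, and returning non-zero when it is 0 is exactly what turns a failed certificate check into an accepted connection. I would write `int SSL_callback_SSL_verify(int preverify_ok, X509_STORE_CTX *ctx);` and add a one-line comment stating under which verify modes the callback is allowed to override a failed `preverify_ok`. The callback's body is not on this page, so I cannot confirm what it currently does.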
@@ -565,11 +565,73 @@ jint level) { tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); +int verify = SSL_VERIFY_NONE; +STACK_OF(X509_NAME) *ca_list; UNREFERENCED_STDARGS; TCN_ASSERT(ctx != 0); c-verify_mode = level; -/* TODO: Add verification code callback */ + +if (c-verify_mode == SSL_CVERIFY_UNSET) +c-verify_mode = SSL_CVERIFY_NONE; + +/* + * Configure callbacks for SSL context + */ +if (c-verify_mode == SSL_CVERIFY_REQUIRE) +verify |= SSL_VERIFY_PEER_STRICT; +if ((c-verify_mode == SSL_CVERIFY_OPTIONAL) || +(c-verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) +verify |= SSL_VERIFY_PEER; + +SSL_CTX_set_verify(c-ctx, verify, SSL_callback_SSL_verify); + /* + * Configure Client Authentication details + */ +if (c-ca_cert_file || c-ca_cert_path) { +if (!SSL_CTX_load_verify_locations(c-ctx, + c-ca_cert_file, + c-ca_cert_path)) { +BIO_printf(c-bio_os, [ERROR] + Unable to configure verify locations + for client authentication); +return JNI_FALSE; +} + +if (c-mode (c-pk.s.ca_name_file || c-pk.s.ca_name_path)) { +ca_list = SSL_init_findCAList(c, + c-pk.s.ca_name_file, + c-pk.s.ca_name_path); +} +else { +ca_list = SSL_init_findCAList(c, + c-ca_cert_file, + c-ca_cert_path); +} +if (!ca_list) { +BIO_printf(c-bio_os, [ERROR] + Unable to determine list of acceptable + CA certificates for client authentication); +return JNI_FALSE; +} +SSL_CTX_set_client_CA_list(c-ctx, (STACK *)ca_list); +} + +/* + * Give a warning when no CAs were configured but client authentication + * should take place. This cannot work. + */ +if (c-verify_mode == SSL_CVERIFY_REQUIRE) { +ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(c-ctx); + +if (sk_X509_NAME_num(ca_list) == 0) { +BIO_printf(c-bio_os, +
cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c
mturk 2005/06/01 02:05:08 Modified:jni/native/include ssl_private.h jni/native/src sslcontext.c sslutils.c Log: Rename BIO struct members and strip any CRLF from the prompted password. Revision ChangesPath 1.7 +3 -3 jakarta-tomcat-connectors/jni/native/include/ssl_private.h Index: ssl_private.h === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- ssl_private.h 1 Jun 2005 08:19:39 - 1.6 +++ ssl_private.h 1 Jun 2005 09:05:08 - 1.7 @@ -110,8 +110,8 @@ struct tcn_ssl_ctxt { apr_pool_t *pool; SSL_CTX *ctx; -BIO *bio_err; -BIO *pprompt; +BIO *bio_os; +BIO *bio_is; unsigned char vhost_id[MD5_DIGEST_LENGTH]; int protocol; 1.6 +29 -29jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- sslcontext.c 1 Jun 2005 08:19:39 - 1.5 +++ sslcontext.c 1 Jun 2005 09:05:08 - 1.6 @@ -57,12 +57,12 @@ sk_X509_INFO_pop_free(c-pk.c.certs, X509_INFO_free); c-pk.c.certs = NULL; } -if (c-pprompt) -BIO_free(c-pprompt); -c-pprompt = NULL; -if (c-bio_err) -BIO_free(c-bio_err); -c-bio_err = NULL; +if (c-bio_is) +BIO_free(c-bio_is); +c-bio_is = NULL; +if (c-bio_os) +BIO_free(c-bio_os); +c-bio_os = NULL; } return APR_SUCCESS; } 
@@ -105,13 +105,13 @@ c-mode = 1; c-ctx = ctx; c-pool = p; -c-bio_err = BIO_new(BIO_s_file()); -c-pprompt = BIO_new(BIO_s_file()); -if (c-bio_err != NULL) -BIO_set_fp(c-bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); -if (c-pprompt != NULL) { -BIO_set_fp(c-bio_err, stdin, BIO_NOCLOSE | BIO_FP_TEXT); -c-pprompt-flags = BIO_FLAGS_MEM_RDONLY; +c-bio_os = BIO_new(BIO_s_file()); +c-bio_is = BIO_new(BIO_s_file()); +if (c-bio_os != NULL) +BIO_set_fp(c-bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT); +if (c-bio_is != NULL) { +BIO_set_fp(c-bio_is, stdin, BIO_NOCLOSE | BIO_FP_TEXT); +c-bio_is-flags = BIO_FLAGS_MEM_RDONLY; } SSL_CTX_set_options(c-ctx, SSL_OP_ALL); if (!(protocol SSL_PROTOCOL_SSLV2)) @@ -182,13 +182,13 @@ c-mode = 0; c-ctx = ctx; c-pool = p; -c-bio_err = BIO_new(BIO_s_file()); -c-pprompt = BIO_new(BIO_s_file()); -if (c-bio_err != NULL) -BIO_set_fp(c-bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); -if (c-pprompt != NULL) { -BIO_set_fp(c-bio_err, stdin, BIO_NOCLOSE | BIO_FP_TEXT); -c-pprompt-flags = BIO_FLAGS_MEM_RDONLY; +c-bio_os = BIO_new(BIO_s_file()); +c-bio_is = BIO_new(BIO_s_file()); +if (c-bio_os != NULL) +BIO_set_fp(c-bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT); +if (c-bio_is != NULL) { +BIO_set_fp(c-bio_is, stdin, BIO_NOCLOSE | BIO_FP_TEXT); +c-bio_is-flags = BIO_FLAGS_MEM_RDONLY; } SSL_CTX_set_options(c-ctx, SSL_OP_ALL); if (!(protocol SSL_PROTOCOL_SSLV2)) 
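Review bot: `c->bio_is->flags = BIO_FLAGS_MEM_RDONLY` assigns rather than ORs, so any flag bits `BIO_set_fp` left on the BIO are wiped, and it reuses a memory-BIO flag as a private marker on a file BIO; at minimum make it `c->bio_is->flags |= BIO_FLAGS_MEM_RDONLY;` and, better, define a project-private flag value so the marker cannot collide with OpenSSL's own use of that bit. Separately, wiring the password prompt to the process `stdin` by default is questionable for a library loaded into a server that usually has no terminal: a read will block or, worse, consume whatever happens to be attached to fd 0, so the safer default is no prompt BIO until the Java side installs one via `setPPromptBIO`. The enclosing initializer begins before this hunk.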
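Review bot: This initializer now carries a byte-for-byte copy of the BIO setup in the first one (same `BIO_new`/`BIO_set_fp` calls, same flag assignment), and the two copies shared the same bug this commit fixes (`stdin` attached to the error BIO in both places). A `static void ssl_init_bios(tcn_ssl_ctxt_t *c)` helper called from both paths would keep the stderr/stdin policy in one place and make any later change to it a one-line review. The enclosing function starts before this hunk.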
@@ -249,26 +249,26 @@ jlong bio) { tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); -BIO *bio_err = J2P(bio, BIO *); +BIO *bio_os = J2P(bio, BIO *); UNREFERENCED_STDARGS; TCN_ASSERT(ctx != 0); -if (c-bio_err c-bio_err != bio_err) -BIO_free(c-bio_err); -c-bio_err = bio_err; +if (c-bio_os c-bio_os != bio_os) +BIO_free(c-bio_os); +c-bio_os = bio_os; } TCN_IMPLEMENT_CALL(void, SSLContext, setPPromptBIO)(TCN_STDARGS, jlong ctx, jlong bio) { tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); -BIO *pprompt = J2P(bio, BIO *); +BIO *bio_is = J2P(bio, BIO *); UNREFERENCED_STDARGS; TCN_ASSERT(ctx != 0); -if (c-pprompt c-pprompt != pprompt) -BIO_free(c-pprompt); -c-pprompt = pprompt; +if (c-bio_is c-bio_is != bio_is) +BIO_free(c-bio_is); +c-bio_is = bio_is; } 1.5 +20 -6 jakarta-tomcat-connectors/jni/native/src/sslutils.c Index: sslutils.c === RCS file:
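Review bot: Both setters take ownership of a Java-supplied BIO pointer and free the previous one, and `ssl_context_cleanup` frees `bio_os` and `bio_is` independently, so passing the same BIO handle to `setBIO` and `setPPromptBIO` ends in a double free, and a Java caller that also frees its handle causes a use-after-free; neither the setters nor the JNI declarations say who owns the pointer. Add a guard and a comment: `/* the context takes ownership of bio; the Java side must not free it */` and `if (bio_os == c->bio_is) return;` (mirrored in `setPPromptBIO`). The `TCN_ASSERT(ctx != 0)` also leaves `bio == 0` unchecked, which silently resets the field to NULL — acceptable if intended, but worth a comment.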
cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c
mturk 2005/06/01 04:22:16 Modified:jni/native/src sslcontext.c sslutils.c Log: Do not set 'stdin' as default BIO for password promt. Use conio for WIN32 (curses will be added for posix). Revision ChangesPath 1.8 +1 -11 jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- sslcontext.c 1 Jun 2005 10:45:03 - 1.7 +++ sslcontext.c 1 Jun 2005 11:22:16 - 1.8 @@ -107,13 +107,8 @@ c-ctx = ctx; c-pool = p; c-bio_os = BIO_new(BIO_s_file()); -c-bio_is = BIO_new(BIO_s_file()); if (c-bio_os != NULL) BIO_set_fp(c-bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT); -if (c-bio_is != NULL) { -BIO_set_fp(c-bio_is, stdin, BIO_NOCLOSE | BIO_FP_TEXT); -c-bio_is-flags = SSL_BIO_FLAG_RDONLY; -} SSL_CTX_set_options(c-ctx, SSL_OP_ALL); if (!(protocol SSL_PROTOCOL_SSLV2)) SSL_CTX_set_options(c-ctx, SSL_OP_NO_SSLv2); @@ -184,13 +179,8 @@ c-ctx = ctx; c-pool = p; c-bio_os = BIO_new(BIO_s_file()); -c-bio_is = BIO_new(BIO_s_file()); if (c-bio_os != NULL) BIO_set_fp(c-bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT); -if (c-bio_is != NULL) { -BIO_set_fp(c-bio_is, stdin, BIO_NOCLOSE | BIO_FP_TEXT); -c-bio_is-flags = SSL_BIO_FLAG_RDONLY; -} SSL_CTX_set_options(c-ctx, SSL_OP_ALL); if (!(protocol SSL_PROTOCOL_SSLV2)) SSL_CTX_set_options(c-ctx, SSL_OP_NO_SSLv2); 1.7 +23 -2 jakarta-tomcat-connectors/jni/native/src/sslutils.c Index: sslutils.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- sslutils.c1 Jun 2005 10:45:03 - 1.6 +++ sslutils.c1 Jun 2005 11:22:16 - 1.7 @@ -104,7 +104,8 @@ int SSL_password_prompt(tcn_ssl_ctxt_t *c, char *buf, int len) { int rv = 0; -if (c c-bio_is) { +*buf = '\0'; +if (c-bio_is) { if (c-bio_is-flags SSL_BIO_FLAG_RDONLY) { /* Use error BIO in case of stdin */ BIO_printf(c-bio_os, Enter password: ); 
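Review bot: The rewritten guard dereferences `c->bio_is` unconditionally where the removed line checked `c` first, and `*buf = '\0'` is written before `len` is examined; if the callback can be reached with a NULL context or a zero-length buffer (callers are not on this page) that is a NULL dereference or an out-of-bounds write. Keep both checks: `if (len > 0) *buf = '\0'; if (c && c->bio_is) {`. The function body continues past the end of this hunk.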
@@ -125,6 +126,26 @@ } } } +else { +#ifdef WIN32 +#include conio.h +int ch; +BIO_printf(c-bio_os, Enter password: ); +do { +ch = getch(); +if (ch == '\r') +break; +fputc('*', stdout); +buf[rv++] = ch; +if (rv + 1 len) +continue; +} while (ch != '\n'); +buf[rv] = '\0'; +fputc('\n', stdout); +fflush(stdout); +#endif + +} return rv; } - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
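Review bot: The WIN32 branch overruns `buf`: `buf[rv++] = ch` has no bound, and the `if (rv + 1 < len) continue;` meant to stop it is a no-op, because `continue` in a `do`/`while` jumps to the `while (ch != '\n')` test, which keeps looping whether or not the buffer is full. `getch()` returning `EOF` is also never checked, so a closed console spins forever echoing `'*'` and writing bytes past the buffer. The rewrite below tests the bound in the loop condition and treats `EOF`, `'\r'` and `'\n'` as terminators; the `#include <conio.h>` should also move to the top of the file rather than sit inside a function body. Since this path is only reached when no prompt BIO was installed, a comment saying so would help the reader of a server that normally has no console.
```c
#ifdef WIN32
        int ch;
        BIO_printf(c->bio_os, "Enter password: ");
        /* stop one byte early so the terminator always fits */
        while (rv + 1 < len) {
            ch = getch();
            if (ch == EOF || ch == '\r' || ch == '\n')
                break;
            fputc('*', stdout);
            buf[rv++] = (char)ch;
        }
        buf[rv] = '\0';
        fputc('\n', stdout);
        fflush(stdout);
#endif
```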
cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c
mturk 2005/06/01 08:20:14 Modified:jni/native/include ssl_private.h jni/native/src sslcontext.c sslutils.c Log: Handle the Temporary RSA Keys and DH Params. Revision ChangesPath 1.9 +15 -2 jakarta-tomcat-connectors/jni/native/include/ssl_private.h Index: ssl_private.h === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- ssl_private.h 1 Jun 2005 10:45:02 - 1.8 +++ ssl_private.h 1 Jun 2005 15:20:14 - 1.9 @@ -85,6 +85,7 @@ #define SSL_BIO_FLAG_RDONLY (10) #define SSL_BIO_FLAG_CALLBACK (11) +#define SSL_DEFAULT_CACHE_SIZE (256) /* public cert/private key */ typedef struct { @@ -138,11 +139,18 @@ /* for client or downstream server authentication */ int verify_depth; int verify_mode; - +void*temp_keys[SSL_TMP_KEY_MAX]; }; typedef struct tcn_ssl_ctxt tcn_ssl_ctxt_t; +struct tcn_ssl_conn { +tcn_ssl_ctxt_t *ctx; +SSL*ssl; +}; + +typedef struct tcn_ssl_conn tcn_ssl_conn_t; + /* * Additional Functions */ @@ -152,5 +160,10 @@ int SSL_password_prompt(tcn_ssl_ctxt_t *, char *, int); voidSSL_BIO_close(BIO *); voidSSL_BIO_doref(BIO *); +DH *SSL_dh_get_tmp_param(int); +DH *SSL_dh_get_param_from_file(const char *); +RSA*SSL_callback_tmp_RSA(SSL *, int, int); +DH *SSL_callback_tmp_DH(SSL *, int, int); + #endif /* SSL_PRIVATE_H */ 1.14 +55 -1 jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- sslcontext.c 1 Jun 2005 12:36:24 - 1.13 +++ sslcontext.c 1 Jun 2005 15:20:14 - 1.14 
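Review bot: `void *temp_keys[SSL_TMP_KEY_MAX]` discards the type of what it holds, so the free/cast macros in sslcontext.c must re-assert it by index (`type##_free((type *)ctx->temp_keys[idx])`) and a mismatched index silently frees an `RSA *` as a `DH *`. A tagged alternative keeps the compiler involved: `union { RSA *rsa; DH *dh; } temp_keys[SSL_TMP_KEY_MAX];` with the RSA and DH slots documented next to the `SSL_TMP_KEY_*` indices. The new `tcn_ssl_conn` struct also lacks a comment on whether it owns `ssl` and merely borrows `ctx`, which the connection cleanup code will need to know.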
@@ -30,6 +30,53 @@ #ifdef HAVE_OPENSSL #include ssl_private.h +/* + * Handle the Temporary RSA Keys and DH Params + */ + +#define SSL_TMP_KEY_FREE(ctx, type, idx) \ +if (ctx-temp_keys[idx]) { \ +type##_free((type *)ctx-temp_keys[idx]); \ +ctx-temp_keys[idx] = NULL; \ +} + +#define SSL_TMP_KEYS_FREE(ctx, type) \ +SSL_TMP_KEY_FREE(ctx, type, SSL_TMP_KEY_##type##_512); \ +SSL_TMP_KEY_FREE(ctx, type, SSL_TMP_KEY_##type##_1024) + +static void ssl_tmp_keys_free(tcn_ssl_ctxt_t *ctx) +{ + +SSL_TMP_KEYS_FREE(ctx, RSA); +SSL_TMP_KEYS_FREE(ctx, DH); +} + +static int ssl_tmp_key_init_rsa(tcn_ssl_ctxt_t *ctx, +int bits, int idx) +{ +if (!(ctx-temp_keys[idx] = + RSA_generate_key(bits, RSA_F4, NULL, NULL))) { +BIO_printf(ctx-bio_os, [ERROR] + Init: Failed to generate temporary + %d bit RSA private key, bits); +return 0; +} +return 1; +} + +static int ssl_tmp_key_init_dh(tcn_ssl_ctxt_t *ctx, + int bits, int idx) +{ +if (!(ctx-temp_keys[idx] = + SSL_dh_get_tmp_param(bits))) { +BIO_printf(ctx-bio_os, [ERROR] + Init: Failed to generate temporary + %d bit DH parameters, bits); +return 0; +} +return 1; +} + static apr_status_t ssl_context_cleanup(void *data) { tcn_ssl_ctxt_t *c = (tcn_ssl_ctxt_t *)data; @@ -128,6 +175,11 @@ */ SSL_CTX_set_options(c-ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); #endif +SSL_CTX_sess_set_cache_size(c-ctx, SSL_DEFAULT_CACHE_SIZE); + +SSL_CTX_set_tmp_rsa_callback(c-ctx, SSL_callback_tmp_RSA); +SSL_CTX_set_tmp_dh_callback(c-ctx, SSL_callback_tmp_DH); + /* * Let us cleanup the ssl context when the pool is destroyed */ 
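Review bot: `SSL_TMP_KEY_FREE` expands to a bare `if { ... }` with no `do { } while (0)` wrapper and unparenthesized `ctx`/`idx`, so `if (x) SSL_TMP_KEY_FREE(c, RSA, i); else ...` binds the `else` to the macro's own `if`; a `static void` helper or the `do`/`while` idiom fixes both. The 512-bit slot (`SSL_TMP_KEY_RSA_512`) exists only to serve export-grade cipher suites, and a temporary 512-bit RSA key is factorable with modest resources, so unless export suites are deliberately enabled its generation should be conditional and the key strength stated in a comment beside the `bits` argument. `RSA_generate_key` is also called without a `RAND_status()` check, which would turn an unseeded PRNG into a clean init failure instead of a weak key.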
@@ -200,6 +252,8 @@ */ SSL_CTX_set_options(c-ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); #endif + +SSL_CTX_sess_set_cache_size(c-ctx, SSL_DEFAULT_CACHE_SIZE); /* * Let us cleanup the ssl context when the pool is destroyed */ 1.8 +203 -1jakarta-tomcat-connectors/jni/native/src/sslutils.c Index: sslutils.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- sslutils.c1 Jun 2005 11:22:16 - 1.7 +++ sslutils.c1 Jun 2005 15:20:14 - 1.8 @@ -149,6 +149,208 @@ return rv; } + +/*
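Review bot: Only the session-cache size is mirrored into this second initializer; the `SSL_CTX_set_tmp_rsa_callback`/`SSL_CTX_set_tmp_dh_callback` registrations added to the first one are not, which is presumably intentional if this is the `c->mode = 0` context that only initiates handshakes, but nothing says so. A one-line comment such as `/* no temporary RSA/DH callbacks: this context does not act as a server */` — if that is indeed the reason — would stop the next reader from "fixing" the asymmetry. The enclosing function starts before this hunk.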