mturk 2005/06/07 11:22:22
Modified: jni/java/org/apache/tomcat/jni SSL.java jni/native/include ssl_private.h jni/native/src ssl.c sslutils.c
Log:
Use global RSA and DSA temp keys. Also do not initialize 2048 bit key at startup unless explicitly asked by a new function for generating temp keys.
Revision Changes Path
1.11 +39 -4 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java
Index: SSL.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- SSL.java 7 Jun 2005 11:14:21 -0000 1.10
+++ SSL.java 7 Jun 2005 18:22:21 -0000 1.11
@@ -45,9 +45,13 @@
 public static final int SSL_TMP_KEY_RSA_512 = 0;
 public static final int SSL_TMP_KEY_RSA_1024 = 1;
- public static final int SSL_TMP_KEY_DH_512 = 2;
- public static final int SSL_TMP_KEY_DH_1024 = 3;
- public static final int SSL_TMP_KEY_MAX = 4;
+ public static final int SSL_TMP_KEY_RSA_2048 = 2;
+ public static final int SSL_TMP_KEY_RSA_4096 = 3;
+ public static final int SSL_TMP_KEY_DH_512 = 4;
+ public static final int SSL_TMP_KEY_DH_1024 = 5;
+ public static final int SSL_TMP_KEY_DH_2048 = 6;
+ public static final int SSL_TMP_KEY_DH_4096 = 7;
+ public static final int SSL_TMP_KEY_MAX = 8;
 /*
 * Define the SSL options
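Review bot: Renumbering `SSL_TMP_KEY_DH_512` and `SSL_TMP_KEY_DH_1024` (2→4, 3→5) and raising `SSL_TMP_KEY_MAX` to 8 changes `public static final int` compile-time constants, which javac inlines into every already-compiled caller and which double as indices into the native key table. Any dependent class has to be recompiled, and the native definitions of these indices (not visible in the `ssl_private.h` hunk here) must carry exactly the same values or the Java side will address the wrong slot. A comment on the block would make the coupling explicit: `/* Index values must match the native SSL_TMP_KEY_* table; SSL_TMP_KEY_MAX is its size. */`.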
@@ -217,4 +221,35 @@
 */
 public static native void setPasswordBIO(long bio);
+ /**
+ * Generate temporary RSA key.
+ * <br />
+ * Index can be one of:
+ * <PRE>
+ * SSL_TMP_KEY_RSA_512
+ * SSL_TMP_KEY_RSA_1024
+ * SSL_TMP_KEY_RSA_2048
+ * SSL_TMP_KEY_RSA_4096
+ * </PRE>
+ * By default 512 and 1024 keys are generated on startup.
+ * You can use a low priority thread to generate them on the fly.
+ * @param idx temporary key index.
+ */
+ public static native boolean generateRSATempKey(int idx);
+
+ /**
+ * Load temporary DSA key from file
+ * <br />
+ * Index can be one of:
+ * <PRE>
+ * SSL_TMP_KEY_DSA_512
+ * SSL_TMP_KEY_DSA_1024
+ * SSL_TMP_KEY_DSA_2048
+ * SSL_TMP_KEY_DSA_4096
+ * </PRE>
+ * @param idx temporary key index.
+ * @param file File contatining DH params.
+ */
+ public static native boolean loadDSATempKey(int idx, String file);
+
 }
1.19 +1 -2 jakarta-tomcat-connectors/jni/native/include/ssl_private.h
Index: ssl_private.h
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- ssl_private.h 7 Jun 2005 11:05:07 -0000 1.18
+++ ssl_private.h 7 Jun 2005 18:22:21 -0000 1.19
@@ -167,7 +167,6 @@
 /* for client or downstream server authentication */
 int verify_depth;
 int verify_mode;
- void *temp_keys[SSL_TMP_KEY_MAX];
 tcn_pass_cb_t *cb_data;
 };
1.23 +42 -2 jakarta-tomcat-connectors/jni/native/src/ssl.c
Index: ssl.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- ssl.c 7 Jun 2005 11:14:21 -0000 1.22
+++ ssl.c 7 Jun 2005 18:22:21 -0000 1.23
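Review bot: The Javadoc for `loadDSATempKey` lists `SSL_TMP_KEY_DSA_512` … `SSL_TMP_KEY_DSA_4096`, but no such constants exist in this class; the indices added in the first hunk are `SSL_TMP_KEY_DH_512` … `SSL_TMP_KEY_DH_4096`, and the `@param file` text itself says the file holds DH params, so the `<PRE>` list should name the DH constants (the method name presumably ought to say DH as well, since the native side stores the result in the DH slot). Neither new method documents its `boolean` result; add `@return {@code true} if the key was generated/loaded, {@code false} otherwise` to both, and state what an index outside the listed range does once the native side defines that. The `@param file` typo `contatining` should read `containing`.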
@@ -64,7 +64,6 @@
 #define SSL_TMP_KEYS_INIT(R) \
 R |= SSL_TMP_KEY_INIT_RSA(512); \
 R |= SSL_TMP_KEY_INIT_RSA(1024); \
- R |= SSL_TMP_KEY_INIT_RSA(2048); \
 R |= SSL_TMP_KEY_INIT_DH(512); \
 R |= SSL_TMP_KEY_INIT_DH(1024); \
 R |= SSL_TMP_KEY_INIT_DH(2048); \
@@ -702,6 +701,47 @@
 SSL_BIO_doref(bio_handle);
 }
+TCN_IMPLEMENT_CALL(jboolean, SSL, generateRSATempKey)(TCN_STDARGS, jint idx)
+{
+ int r = 1;
+ UNREFERENCED_STDARGS;
+ SSL_TMP_KEY_FREE(RSA, idx);
+ switch (idx) {
+ case SSL_TMP_KEY_RSA_512:
+ r = SSL_TMP_KEY_INIT_RSA(512);
+ break;
+ case SSL_TMP_KEY_RSA_1024:
+ r = SSL_TMP_KEY_INIT_RSA(1024);
+ break;
+ case SSL_TMP_KEY_RSA_2048:
+ r = SSL_TMP_KEY_INIT_RSA(2048);
+ break;
+ case SSL_TMP_KEY_RSA_4096:
+ r = SSL_TMP_KEY_INIT_RSA(4096);
+ break;
+ }
+ return r ? JNI_FALSE : JNI_TRUE;
+}
+
+TCN_IMPLEMENT_CALL(jboolean, SSL, loadDSATempKey)(TCN_STDARGS, jint idx,
+ jstring file)
+{
+ jboolean r = JNI_FALSE;
+ TCN_ALLOC_CSTRING(file);
+ DH *dh;
+ UNREFERENCED(o);
+
+ if (!J2S(file))
+ return JNI_FALSE;
+ SSL_TMP_KEY_FREE(DSA, idx);
+ if ((dh = SSL_dh_get_param_from_file(J2S(file)))) {
+ SSL_temp_keys[idx] = dh;
+ r = JNI_TRUE;
+ }
+ TCN_FREE_CSTRING(file);
+ return r;
+}
+
 #else
 /* OpenSSL is not supported
 * If someday we make OpenSSL optional
1.22 +5 -5 jakarta-tomcat-connectors/jni/native/src/sslutils.c
Index: sslutils.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- sslutils.c 7 Jun 2005 12:41:44 -0000 1.21
+++ sslutils.c 7 Jun 2005 18:22:22 -0000 1.22
@@ -346,12 +346,12 @@
 break;
 case 2048:
 idx = SSL_TMP_KEY_RSA_2048;
- if (conn->ctx->temp_keys[idx] == NULL)
+ if (SSL_temp_keys[idx] == NULL)
 idx = SSL_TMP_KEY_RSA_1024;
 break;
 case 4096:
 idx = SSL_TMP_KEY_RSA_4096;
- if (conn->ctx->temp_keys[idx] == NULL)
+ if (SSL_temp_keys[idx] == NULL)
 idx = SSL_TMP_KEY_RSA_2048;
 break;
 case 1024:
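Review bot: `loadDSATempKey` uses the caller-supplied `idx` unchecked, both in `SSL_TMP_KEY_FREE(DSA, idx)` and in the store `SSL_temp_keys[idx] = dh;`, so an out-of-range index from the Java side frees and writes outside the global table (the same unchecked `idx` reaches `SSL_TMP_KEY_FREE(RSA, idx)` in `generateRSATempKey` before the `switch` filters it). It also releases the old key before the file has been parsed, so a missing or malformed parameter file leaves that slot empty for every later handshake that asks for this DH size; parse first, then replace. The slot being replaced holds a `DH *` (the getter in sslutils.c casts it to `(DH *)`), so if `SSL_TMP_KEY_FREE(DSA, …)` expands to a DSA free routine this is a type mismatch and the DH variant should be used; nothing on the page shows synchronization between this swap and handshakes that read `SSL_temp_keys` from the sslutils.c callbacks, so replacing a key that a concurrent handshake still holds would free it out from under that handshake — worth documenting or guarding. Rewritten body below, assuming the native `SSL_TMP_KEY_DH_*` defines mirror the Java constants.
```c
    if (!J2S(file))
        return JNI_FALSE;
    /* idx must name a DH slot; release the old key only once the new one exists */
    if (idx >= SSL_TMP_KEY_DH_512 && idx <= SSL_TMP_KEY_DH_4096
        && (dh = SSL_dh_get_param_from_file(J2S(file))) != NULL) {
        SSL_TMP_KEY_FREE(DSA, idx);
        SSL_temp_keys[idx] = dh;
        r = JNI_TRUE;
    }
    /* … unchanged: TCN_FREE_CSTRING(file); return r; … */
```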
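Review bot: The `case 4096` fallback now points at a slot that may be empty: this commit drops `SSL_TMP_KEY_INIT_RSA(2048)` from `SSL_TMP_KEYS_INIT`, so unless `generateRSATempKey(SSL_TMP_KEY_RSA_2048)` has been called (or the table is filled elsewhere), `SSL_temp_keys[SSL_TMP_KEY_RSA_2048]` is still NULL and the function hands a NULL RSA key to the handshake for the 4096 request (the `return (RSA *)SSL_temp_keys[idx];` is in the next hunk). The fallback should chain downward — after `idx = SSL_TMP_KEY_RSA_2048;` in the 4096 case add `if (SSL_temp_keys[idx] == NULL) idx = SSL_TMP_KEY_RSA_1024;`, or let `case 4096:` fall through into `case 2048:` and say so in a comment. The enclosing function starts before this hunk.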
@@ -359,7 +359,7 @@
 idx = SSL_TMP_KEY_RSA_1024;
 break;
 }
- return (RSA *)conn->ctx->temp_keys[idx];
+ return (RSA *)SSL_temp_keys[idx];
 }
 /*
@@ -384,7 +384,7 @@
 idx = SSL_TMP_KEY_DH_1024;
 break;
 }
- return (DH *)conn->ctx->temp_keys[idx];
+ return (DH *)SSL_temp_keys[idx];
 }
 void SSL_vhost_algo_id(const unsigned char *vhost_id, unsigned char *md, int algo)