Author: mturk
Date: Mon Sep 19 18:17:22 2011
New Revision: 1172737
URL: http://svn.apache.org/viewvc?rev=1172737&view=rev
Log:
Initial support for TLS extensions
Modified:
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java
commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c
Modified:
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
---
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
(original)
+++
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
Mon Sep 19 18:17:22 2011
@@ -37,35 +37,36 @@ public final class SSLContext extends Na
{
// Hide NativePointer
- private final long pointer = 0L;
+ private final long pointer = 0L;
+ private SSLKey[] keys;
+ private SSLCertificate[] cert;
+ private boolean has_crlset = false;
- private SSLKey[] keys;
- private SSLCertificate[] cert;
- private boolean has_crlset = false;
-
- private static native long new0(int protocol, int mode)
+ private static native long new0(int protocol, int mode)
throws OperationNotImplementedException;
- private static native void free0(long key);
- private static native void setsprefix0(long ctx, String prefix);
- private static native void setid0(long ctx, String id);
- private static native void setscachesize0(long ctx, int size);
- private static native void setpasscb0(long ctx, long cb);
- private static native void setcrlcheck0(long ctx, int mode);
- private static native void setcafile0(long ctx, String caPath)
+ private static native void free0(long key);
+ private static native void setsprefix0(long ctx, String prefix);
+ private static native void setid0(long ctx, String id);
+ private static native void setscachesize0(long ctx, int size);
+ private static native void setpasscb0(long ctx, long cb);
+ private static native void setcrlcheck0(long ctx, int mode);
+ private static native void setcafile0(long ctx, String caPath)
throws SSLException;
- private static native void setcapath0(long ctx, String caPath)
+ private static native void setcapath0(long ctx, String caPath)
throws SSLException;
- private static native void setcacrlfile0(long ctx, String caPath)
+ private static native void setcacrlfile0(long ctx, String caPath)
throws SSLException;
- private static native void setcacrlpath0(long ctx, String caPath)
+ private static native void setcacrlpath0(long ctx, String caPath)
throws SSLException;
- private static native void setvmode0(long ctx, int mode, int depth)
+ private static native void setvmode0(long ctx, int mode, int depth)
throws SSLException;
- private static native void setoption0(long ctx, int opt);
- private static native void clroption0(long ctx, int opt);
+ private static native void setoption0(long ctx, int opt);
+ private static native void clroption0(long ctx, int opt);
- private static final int SSL_COPT_NO_COMPRESSION = 1;
+ private static final int SSL_COPT_NO_COMPRESSION = 1;
+ private static final int SSL_COPT_NO_TICKET = 2;
+ private static final int SSL_COPT_ALLOW_UNSAFE_RENEG = 3;
private SSLContext()
{
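Review bot: The three `SSL_COPT_*` constants at the end of this hunk are hand-copied from `include/acr/ssl.h` with nothing tying the two definitions together, so renumbering on either side would silently route a Java call to a different OpenSSL option. A comment on the first constant such as `// Must match the SSL_COPT_* values in src/main/native/include/acr/ssl.h` would make the coupling visible to the next editor. The rest of the hunk is re-indentation of existing declarations.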
@@ -324,5 +325,29 @@ public final class SSLContext extends Na
else
clroption0(super.pointer, SSL_COPT_NO_COMPRESSION);
}
+
+ /**
+ * Disable use of RFC4507bis session tickets.
+ */
+ public void setNoTicket(boolean on)
+ {
+ if (on)
+ setoption0(super.pointer, SSL_COPT_NO_TICKET);
+ else
+ clroption0(super.pointer, SSL_COPT_NO_TICKET);
+ }
+
+ /**
+ * Enable use of legacy renegotiation (dangerous).
+ *
+ * @param on if {@code true} legacy renegotiation will be enabled.
+ */
+ public void allowLegacyRenegotiation(boolean on)
+ {
+ if (on)
+ setoption0(super.pointer, SSL_COPT_ALLOW_UNSAFE_RENEG);
+ else
+ clroption0(super.pointer, SSL_COPT_ALLOW_UNSAFE_RENEG);
+ }
}
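Review bot: `setNoTicket` and `allowLegacyRenegotiation` both go through `setoption0`, which on the native side leaves the option untouched when the build lacks the feature (`OPENSSL_NO_TLSEXT` for tickets) and returns nothing, so a caller asking for tickets to be disabled gets no signal when that did not happen; the Javadoc should say so, and `setNoTicket` is also missing its `@param on` tag. For `allowLegacyRenegotiation` the word "dangerous" deserves a sentence, e.g. `@param on if {@code true} the context accepts renegotiation with peers that lack RFC 5746 secure renegotiation, reopening the renegotiation-splicing weakness RFC 5746 was written to close; leave disabled unless a specific legacy peer requires it.` Consider having the native call report whether the option was applied so this security-relevant setting cannot degrade silently.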
Modified:
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
---
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java
(original)
+++
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java
Mon Sep 19 18:17:22 2011
@@ -38,11 +38,12 @@ public final class SSLServer extends Nat
private static native long new0(String name);
private static native void close0(long srv);
private static native void setctx0(long srv, long ctx);
-
+ private static native void setopt0(long src, int opt, boolean on);
+ private static native void setservname0(long src, String name);
private SSLContext ctx1 = null;
private SSLContext ctx2 = null;
-
+ private String serverName;
private SSLServer()
{
hostId = null;
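Review bot: The two new native declarations name their first parameter `src` while the neighbouring `close0` and `setctx0` use `srv` for the same server handle; `private static native void setopt0(long srv, int opt, boolean on);` and the same for `setservname0` keep the file consistent. The new `serverName` field is written by `setServerName` later in the patch but nothing in the diff reads it, so either expose it with a getter or add a comment explaining why a Java copy is kept alongside the native `servname`.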
@@ -111,14 +112,50 @@ public final class SSLServer extends Nat
* @param ctx the context to set
* @return previous context or {@code null} if the context
* was not set already.
+ * @throws IllegalStateException if server instance is invalid.
*/
public synchronized final SSLContext setContext(SSLContext ctx)
+ throws IllegalStateException
{
+ if (super.pointer == 0L)
+ throw new IllegalStateException();
SSLContext org = ctx1;
ctx1 = ctx;
setctx0(super.pointer, ((NativePointer)ctx).pointer);
return org;
}
-
+
+ /**
+ * Set ServerName for HostName TLS extension.
+ *
+ * @param name name to set.
+ *
+ * @throws NullPointerException if name is {@code null}.
+ * @throws IllegalStateException if server instance is invalid.
+ */
+ public void setServerName(String name)
+ throws IllegalStateException
+ {
+ if (super.pointer == 0L)
+ throw new IllegalStateException();
+ if (name == null)
+ throw new NullPointerException();
+ serverName = name;
+ setservname0(super.pointer, name);
+ }
+ /**
+ * On mismatch send fatal alert (default warning alert).
+ *
+ * @param on if {@code true} server will respond with fatal
+ * alert on servername mismatch.
+ * @throws IllegalStateException if server instance is invalid.
+ */
+ public void setServerNameFatal(boolean on)
+ throws IllegalStateException
+ {
+ if (super.pointer == 0L)
+ throw new IllegalStateException();
+ setopt0(super.pointer, 1, on);
+ }
}
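Review bot: `setServerNameFatal` passes the bare literal `1` to `setopt0`, and the native `setopt0` in server.c matches it with an equally bare `case 1:`; the two sides are linked only by convention, so a named constant defined once in `acr/ssl.h` and mirrored here (as the `SSL_COPT_*` values already are in SSLContext) would stop them drifting apart. Neither new method is `synchronized`, unlike `setContext` just above, although both check `super.pointer` and the native `setservname0` frees and replaces `s->servname` without locking; if the object can be shared between threads, declare them `public synchronized void` for consistency, otherwise document that these setters are not thread-safe. The `throws IllegalStateException` clauses are redundant for an unchecked exception and do not appear on the class's other methods.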
Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Mon Sep 19
18:17:22 2011
@@ -78,6 +78,10 @@
#define SSLAPI_STACK STACK
#endif
+#ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
+#endif
+
/* Default setting for per-dir reneg buffer. */
#ifndef DEFAULT_RENEG_BUFFER_SIZE
#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
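Review bot: Defining `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` locally when the OpenSSL headers lack it means that on such a build `setoption0` (ctx.c, later in this patch) still ORs `0x00040000L` into the context options, a bit that version of the library does not document for this purpose — the Java caller gets no error while the setting is not in effect, or, if the value is assigned to something else in that version, an unrelated option toggles. Safer to leave the macro undefined and gate the `SSL_COPT_ALLOW_UNSAFE_RENEG` case in ctx.c with `#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION`, mirroring how the `SSL_COPT_NO_TICKET` case is gated on `OPENSSL_NO_TLSEXT`.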
@@ -166,8 +170,9 @@
#define SSL_OPT_OPTRENEGOTIATE (1<<6)
#define SSL_OPT_ALL
(SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
-#define SSL_COPT_NO_COMPRESSION 1
-
+#define SSL_COPT_NO_COMPRESSION 1
+#define SSL_COPT_NO_TICKET 2
+#define SSL_COPT_ALLOW_UNSAFE_RENEG 3
/*
* Define the SSL Protocol options
@@ -293,10 +298,10 @@ typedef struct ssl_pass_cb_t {
*/
extern ssl_pass_cb_t *acr_ssl_password_cb;
-typedef struct acr_ssl_srv_t acr_ssl_srv_t;
-/* Server context */
+typedef struct acr_ssl_srv_t acr_ssl_srv_t;
+
+/* SSL context */
typedef struct acr_ssl_ctx_t {
- acr_ssl_srv_t *srv;
SSL_CTX *ctx;
int protocol;
int mode;
@@ -306,12 +311,16 @@ typedef struct acr_ssl_ctx_t {
BIO *bio_is;
unsigned char context_id[MD5_DIGEST_LENGTH];
- /* certificate revocation list */
+ /* Back pointer to the server/proxy/client context */
+ void *container;
+ /* Certificate revocation list */
X509_STORE *crls;
- /* pointer to the context verify store */
+ /* Pointer to the context verify store */
X509_STORE *store;
- X509 *cert;
+ X509 *cert; /* Main certificate */
EVP_PKEY *skey;
+ X509 *dcrt; /* Additional certificate */
+ EVP_PKEY *dkey;
int ca_certs;
int shutdown_type;
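Review bot: `dcrt` and `dkey` add two more owned OpenSSL objects to `acr_ssl_ctx_t`, but no hunk in this commit adds a matching `X509_free`/`EVP_PKEY_free` to the context teardown, so unless that cleanup already exists outside the diff the additional certificate and key leak once per context. A comment such as `X509 *dcrt; /* Additional certificate, owned; release on context free */` would at least record the ownership. The existing `cert`/`skey` cleanup is not visible here, so this is inferred rather than confirmed.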
@@ -351,13 +360,15 @@ typedef struct acr_ssl_ctx_t {
} acr_ssl_ctx_t;
+/* Server context */
struct acr_ssl_srv_t {
char *hostid;
int hostid_len;
+ char *servname;
acr_ssl_ctx_t *ctx;
acr_ssl_ctx_t *ctx2;
int enabled;
-
+ int tlsext_extension_error;
};
#define ssl_ctx_get_extra_certs(ctx) ((ctx)->extra_certs)
Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
(original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Mon Sep
19 18:17:22 2011
@@ -401,12 +401,20 @@ ACR_SSL_EXPORT(void, SSLContext, setopti
switch (opt) {
case SSL_COPT_NO_COMPRESSION:
#ifdef SSL_OP_NO_COMPRESSION
- if ((c->options & SSL_OP_NO_COMPRESSION) == 0)
- set = SSL_OP_NO_COMPRESSION;
+ set = SSL_OP_NO_COMPRESSION;
#endif
break;
+ case SSL_COPT_NO_TICKET:
+#ifndef OPENSSL_NO_TLSEXT
+ set = SSL_OP_NO_TICKET;
+#endif
+ break;
+ case SSL_COPT_ALLOW_UNSAFE_RENEG:
+ set = SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ break;
+
}
- if (set != 0) {
+ if (set != 0 && (c->options & set) == 0) {
SSL_CTX_set_options(c->ctx, set);
c->options |= set;
}
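Review bot: The `SSL_COPT_ALLOW_UNSAFE_RENEG` case assigns `set` unconditionally whereas `SSL_COPT_NO_TICKET` is compiled out under `OPENSSL_NO_TLSEXT`; in either situation a request that cannot be honoured leaves `set == 0` and the function returns silently, so the Java caller of `setNoTicket(true)` has no way to learn that session tickets are still enabled. Returning a status (for example a `jboolean` indicating whether the option was applied) would let the Java wrapper throw instead of reporting success. There is also a stray blank line after the final `break;` before the switch closes. The body of `setoption0` starts before this hunk.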
@@ -421,12 +429,19 @@ ACR_SSL_EXPORT(void, SSLContext, clropti
switch (opt) {
case SSL_COPT_NO_COMPRESSION:
#ifdef SSL_OP_NO_COMPRESSION
- if ((c->options & SSL_OP_NO_COMPRESSION) != 0)
- clr = SSL_OP_NO_COMPRESSION;
+ clr = SSL_OP_NO_COMPRESSION;
#endif
break;
+ case SSL_COPT_NO_TICKET:
+#ifndef OPENSSL_NO_TLSEXT
+ clr = SSL_OP_NO_TICKET;
+#endif
+ break;
+ case SSL_COPT_ALLOW_UNSAFE_RENEG:
+ clr = SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ break;
}
- if (clr != 0) {
+ if (clr != 0 && (c->options & clr) != 0) {
SSL_CTX_clear_options(c->ctx, clr);
c->options &= clr;
}
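Review bot: The new guard `(c->options & clr) != 0` relies on `c->options` mirroring what has actually been set, but the line it guards still does `c->options &= clr;`, which keeps only the cleared bit instead of removing it — after one clear the shadow still records the option as set while OpenSSL has cleared it, so a later `setoption0` for the same option is skipped by the new `(c->options & set) == 0` check and the option can never be re-enabled. The line should read `c->options &= ~clr;`. The body of `clroption0` starts before this hunk.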
Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c
(original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c Mon
Sep 19 18:17:22 2011
@@ -49,6 +49,7 @@ ACR_SSL_EXPORT(void, SSLServer, close0)(
acr_ssl_srv_t *s = J2P(srv, acr_ssl_srv_t *);
if (s != 0) {
AcrFree(s->hostid);
+ AcrFree(s->servname);
/* SSLServer cleanup */
AcrFree(s);
}
@@ -65,3 +66,27 @@ ACR_SSL_EXPORT(void, SSLServer, setctx2)
acr_ssl_srv_t *s = J2P(srv, acr_ssl_srv_t *);
s->ctx2 = J2P(ctx, acr_ssl_ctx_t *);
}
+
+ACR_SSL_EXPORT(void, SSLServer, setopt0)(JNI_STDARGS, jlong srv, jint opt,
jboolean on)
+{
+ acr_ssl_srv_t *s = J2P(srv, acr_ssl_srv_t *);
+
+ switch (opt) {
+ case 1:
+#ifndef OPENSSL_NO_TLSEXT
+ if (on)
+ s->tlsext_extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
+ else
+ s->tlsext_extension_error = 0;
+#endif
+ break;
+ }
+}
+
+ACR_SSL_EXPORT(void, SSLServer, setservname0)(JNI_STDARGS, jlong srv, jstring
name)
+{
+ acr_ssl_srv_t *s = J2P(srv, acr_ssl_srv_t *);
+
+ AcrFree(s->servname);
+ s->servname = AcrGetJavaStringA(env, name, 0);
+}
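Review bot: `setopt0` and `setservname0` dereference `s` without the `if (s != 0)` guard that `close0` earlier in this file applies to the same handle, and `setopt0` silently ignores any `opt` other than the literal `1`, which is also how the Java side names the option; a named constant shared through `acr/ssl.h` and a `default:` branch that reports the unknown option would tighten both. In `setservname0` the result of `AcrGetJavaStringA` is stored unchecked, so if that helper can return NULL on failure the server ends up with no name while the Java-side `serverName` says one was set — worth a comment stating which it is. Under `OPENSSL_NO_TLSEXT` the fatal-alert setting is compiled out yet the call succeeds, so the Javadoc on `setServerNameFatal` should state that the option is best-effort on such builds.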