commons-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mt...@apache.org
Subject svn commit: r1166147 - in /commons/sandbox/runtime/trunk/src/main: java/org/apache/commons/runtime/ssl/ native/ native/include/acr/ native/modules/openssl/
Date Wed, 07 Sep 2011 12:15:41 GMT
Author: mturk
Date: Wed Sep  7 12:15:40 2011
New Revision: 1166147

URL: http://svn.apache.org/viewvc?rev=1166147&view=rev
Log:
Start adding SSL api

Added:
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/Local.java
  (with props)
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
  (with props)
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSL.java  
(with props)
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/ShutdownType.java
  (with props)
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c   (with props)
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c   (with props)
Modified:
    commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in
    commons/sandbox/runtime/trunk/src/main/native/include/acr/jnidefs.h
    commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h

Added: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/Local.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/Local.java?rev=1166147&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/Local.java
(added)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/Local.java
Wed Sep  7 12:15:40 2011
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.commons.runtime.ssl;
+
+import org.apache.commons.runtime.util.StringManager;
+
+/** SSL package private constants
+ */
+class Local
+{
+
+    public static final String Package = "org.apache.commons.runtime.ssl";
+    public static final StringManager sm;
+
+    static {
+        sm = StringManager.getManager(Package);
+    }
+
+}

Propchange: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/Local.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties?rev=1166147&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
(added)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
Wed Sep  7 12:15:40 2011
@@ -0,0 +1,14 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

Propchange: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
------------------------------------------------------------------------------
    svn:eol-style = native

Added: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSL.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSL.java?rev=1166147&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSL.java (added)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSL.java Wed
Sep  7 12:15:40 2011
@@ -0,0 +1,89 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.runtime.ssl;
+
+import org.apache.commons.runtime.InvalidArgumentException;
+import org.apache.commons.runtime.Status;
+import org.apache.commons.runtime.SystemException;
+
+import java.io.File;
+
+/**
+ * SSL library
+ */
+public final class SSL
+{
+    private static boolean inited = false;
+    private static Object  lock;
+    private SSL()
+    {
+        // No instance
+    }
+
+    static {
+        lock = new Object();
+
+    }
+
+
+    private static native int           init0();
+    private static native void          fipsmode0(int mode)
+        throws UnsupportedOperationException;
+
+    private static native void          rndfile0(String path);
+    private static native void          engine0(String name);
+
+    public static void setFipsMode(int mode)
+        throws IllegalStateException,
+               UnsupportedOperationException
+    {
+        if (!inited)
+            throw new IllegalStateException();
+        fipsmode0(mode);
+    }
+
+    public static void initialize()
+        throws SystemException
+    {
+        synchronized(lock) {
+            if (!inited) {
+                int rc = init0();
+                if (rc != 0)
+                    throw new SystemException(Status.describe(rc));
+                inited = true;
+            }
+        }
+    }
+
+    public static void setRandomFile(File path)
+        throws IllegalArgumentException
+    {
+        String fpath = path.getPath();
+        if (fpath == null || fpath.length() < 1)
+            throw new IllegalArgumentException();
+        rndfile0(fpath);
+    }
+
+    public static void setCryptoEngine(String name)
+        throws IllegalArgumentException
+    {
+        if (name == null || name.length() < 1)
+            throw new IllegalArgumentException();
+        engine0(name);
+    }
+}
+

Propchange: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSL.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/ShutdownType.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/ShutdownType.java?rev=1166147&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/ShutdownType.java
(added)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/ShutdownType.java
Wed Sep  7 12:15:40 2011
@@ -0,0 +1,66 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.runtime.ssl;
+
+/**
+ * Represents the SSL endpoint's shutdown type.
+ */
+public enum ShutdownType
+{
+    /**
+     * Unset shutdown type.
+     */
+    UNSET(      0),
+    /**
+     * Stanard shutdown.
+     */
+    STANDARD(   1),
+    /**
+     * Unclean chutdown.
+     */
+    UNCLEAN(    2),
+    /**
+     * Accurate shutdown.
+     */
+    ACCURATE(   3);
+
+    private int value;
+    private ShutdownType(int v)
+    {
+        value = v;
+    }
+
+    public int valueOf()
+    {
+        return value;
+    }
+
+    public boolean isLocal()
+    {
+        return value > 1;
+    }
+
+    public static ShutdownType valueOf(int value)
+    {
+        for (ShutdownType e : values()) {
+            if (e.value == value)
+                return e;
+        }
+        return UNSET;
+    }
+
+}

Propchange: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/ShutdownType.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in?rev=1166147&r1=1166146&r2=1166147&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in (original)
+++ commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in Wed Sep  7 12:15:40 2011
@@ -149,7 +149,9 @@ LIBSOURCES=\
 	$(TOPDIR)/shared/buildmark.c
 
 SSLSOURCES=\
-	$(TOPDIR)/modules/openssl/api.c
+	$(TOPDIR)/modules/openssl/api.c \
+	$(TOPDIR)/modules/openssl/init.c \
+	$(TOPDIR)/modules/openssl/util.c
 
 CXXSOURCES=
 

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/jnidefs.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/jnidefs.h?rev=1166147&r1=1166146&r2=1166147&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/jnidefs.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/jnidefs.h Wed Sep  7 12:15:40
2011
@@ -28,6 +28,7 @@
 #define ACR_IO_CP               ACR_CLASS_PATH "io/"
 #define ACR_NET_CP              ACR_CLASS_PATH "net/"
 #define ACR_UTIL_CP             ACR_CLASS_PATH "util/"
+#define ACR_SSL_CP              ACR_CLASS_PATH "ssl/"
 #define ACR_UNX_CP              ACR_CLASS_PATH "platform/unix/"
 #define ACR_WIN_CP              ACR_CLASS_PATH "platform/windows/"
 
@@ -45,6 +46,8 @@
     ACR_JNIEXPORT RT JNICALL Java_org_apache_commons_runtime_io_##CL##_##MN
 #define ACR_NET_EXPORT(RT, CL, MN)  \
     ACR_JNIEXPORT RT JNICALL Java_org_apache_commons_runtime_net_##CL##_##MN
+#define ACR_SSL_EXPORT(RT, CL, MN)  \
+    ACR_JNIEXPORT RT JNICALL Java_org_apache_commons_runtime_ssl_##CL##_##MN
 #define ACR_UTIL_EXPORT(RT, CL, MN)  \
     ACR_JNIEXPORT RT JNICALL Java_org_apache_commons_runtime_util_##CL##_##MN
 

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1166147&r1=1166146&r2=1166147&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Wed Sep  7 12:15:40 2011
@@ -18,6 +18,7 @@
 #define _ACR_SSL_H_
 
 #include "acr/stdtypes.h"
+#include "acr/callback.h"
 #if HAVE_OPENSSL
 
 /* Exclude unused OpenSSL features
@@ -137,7 +138,7 @@
 #define SSL_SHUTDOWN_TYPE_UNCLEAN   (2)
 #define SSL_SHUTDOWN_TYPE_ACCURATE  (3)
 
-#define SSL_TO_APR_ERROR(X)         (APR_OS_START_USERERR + 1000 + X)
+#define SSL_TO_ACR_ERROR(X)         (ACR_OS_START_USERERR + 1000 + X)
 
 #define SSL_INFO_SESSION_ID                 (0x0001)
 #define SSL_INFO_CIPHER                     (0x0002)
@@ -199,7 +200,7 @@
                                 "In order to read them you have to provide the pass phrases.\n"
        \
                                 "Enter password :"
 
-extern void *SSL_temp_keys[SSL_TMP_KEY_MAX];
+extern void *ACRSSL_temp_keys[SSL_TMP_KEY_MAX];
 
 typedef struct ssl_pkc_t {
     /* client can have any number of cert/key pairs */
@@ -208,6 +209,14 @@ typedef struct ssl_pkc_t {
     STACK_OF(X509_INFO) *certs;
 } ssl_pkc_t;
 
+typedef struct ssl_pass_cb_t {
+    char            password[SSL_MAX_PASSWORD_LEN];
+    const char     *prompt;
+    acr_callback_t  cb;
+} ssl_pass_cb_t;
+
+extern ssl_pass_cb_t ACRSSL_password_cb;
+
 typedef struct acr_ssl_ctxt_t {
     SSL_CTX         *ctx;
     BIO             *bio_os;
@@ -245,5 +254,25 @@ typedef struct acr_ssl_ctxt_t {
     } while (0)
 
 
+/**
+ *  Additional Functions
+ */
+void        ACRSSL_init_app_data2_idx(void);
+void       *ACRSSL_get_app_data2(SSL *);
+void        ACRSSL_set_app_data2(SSL *, void *);
+int         ACRSSL_password_prompt(ssl_pass_cb_t *);
+int         ACRSSL_password_callback(char *, int, int, void *);
+void        ACRSSL_BIO_close(BIO *);
+void        ACRSSL_BIO_doref(BIO *);
+DH         *ACRSSL_dh_get_tmp_param(int);
+DH         *ACRSSL_dh_get_param_from_file(const char *);
+RSA        *ACRSSL_callback_tmp_RSA(SSL *, int, int);
+DH         *ACRSSL_callback_tmp_DH(SSL *, int, int);
+void        ACRSSL_callback_handshake(const SSL *, int, int);
+void        ACRSSL_vhost_algo_id(const unsigned char *, unsigned char *, int);
+int         ACRSSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
+int         ACRSSL_callback_SSL_verify(int, X509_STORE_CTX *);
+int         ACRSSL_rand_seed(const char *file);
+
 #endif
 #endif /* _ACR_SSL_H_ */

Added: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c?rev=1166147&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c (added)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c Wed Sep  7 12:15:40
2011
@@ -0,0 +1,385 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "acr/clazz.h"
+#include "acr/error.h"
+#include "acr/misc.h"
+#include "acr/dso.h"
+#include "acr/string.h"
+#include "acr/time.h"
+#include "acr/port.h"
+#include "arch_sync.h"
+#include "acr/ssl.h"
+
+#if !HAVE_OPENSSL
+#error "Cannot compile this file without HAVE_OPENSSL defined"
+#endif
+
+void *ACRSSL_temp_keys[SSL_TMP_KEY_MAX];
+static char ssl_global_rand_file[PATH_MAX] = { 0 };
+static char ssl_global_engine[64]          = { 0 };
+ssl_pass_cb_t ACRSSL_password_cb;
+
+/* Dynamic lock structure */
+struct CRYPTO_dynlock_value {
+    const char *file;
+    int         line;
+    acr_mutex_t mutex;
+};
+
+/*
+ * Handle the Temporary RSA Keys and DH Params
+ */
+
+#define SSL_TMP_KEY_FREE(type, idx)                     \
+    if (ACRSSL_temp_keys[idx]) {                        \
+        type##_free((type *)ACRSSL_temp_keys[idx]);     \
+        ACRSSL_temp_keys[idx] = 0;                      \
+    } else (void)(0)
+
+#define SSL_TMP_KEYS_FREE(type) \
+    SSL_TMP_KEY_FREE(type, SSL_TMP_KEY_##type##_512);   \
+    SSL_TMP_KEY_FREE(type, SSL_TMP_KEY_##type##_1024);  \
+    SSL_TMP_KEY_FREE(type, SSL_TMP_KEY_##type##_2048);  \
+    SSL_TMP_KEY_FREE(type, SSL_TMP_KEY_##type##_4096)
+
+#define SSL_TMP_KEY_INIT_RSA(bits) \
+    ssl_tmp_key_init_rsa(bits, SSL_TMP_KEY_RSA_##bits)
+
+#define SSL_TMP_KEY_INIT_DH(bits)  \
+    ssl_tmp_key_init_dh(bits, SSL_TMP_KEY_DH_##bits)
+
+#define SSL_TMP_KEYS_INIT(R)                            \
+    ACRSSL_temp_keys[SSL_TMP_KEY_RSA_2048] = 0;         \
+    ACRSSL_temp_keys[SSL_TMP_KEY_RSA_4096] = 0;         \
+    R |= SSL_TMP_KEY_INIT_RSA(512);                     \
+    R |= SSL_TMP_KEY_INIT_RSA(1024);                    \
+    R |= SSL_TMP_KEY_INIT_DH(512);                      \
+    R |= SSL_TMP_KEY_INIT_DH(1024);                     \
+    R |= SSL_TMP_KEY_INIT_DH(2048);                     \
+    R |= SSL_TMP_KEY_INIT_DH(4096)
+
+static int ssl_tmp_key_init_rsa(int bits, int idx)
+{
+    if ((ACRSSL_temp_keys[idx] = RSA_generate_key(bits, RSA_F4, 0, 0)) != 0)
+        return 1;
+    else
+        return 0;
+}
+
+static int ssl_tmp_key_init_dh(int bits, int idx)
+{
+    if ((ACRSSL_temp_keys[idx] = ACRSSL_dh_get_tmp_param(bits)) != 0)
+        return 1;
+    else
+        return 0;
+}
+
+#ifndef OPENSSL_NO_ENGINE
+/* Try to load an engine in a shareable library */
+static ENGINE *ssl_try_load_engine(const char *engine)
+{
+    ENGINE *e = ENGINE_by_id("dynamic");
+    if (e != 0) {
+        if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) ||
+            !ENGINE_ctrl_cmd_string(e, "LOAD", 0, 0)) {
+            ENGINE_free(e);
+            e = 0;
+        }
+    }
+    return e;
+}
+#endif
+
+/*
+ * To ensure thread-safetyness in OpenSSL
+ */
+
+static acr_mutex_t **ssl_lock_mutex;
+static int           ssl_num_mutexes;
+
+static void ssl_thread_lock(int mode, int type,
+                            const char *file, int line)
+{
+    if (type >= 0 && type < ssl_num_mutexes) {
+        if (mode & CRYPTO_LOCK)
+            AcrTreadMutexLock(ssl_lock_mutex[type]);
+        else
+            AcrTreadMutexUnlock(ssl_lock_mutex[type]);
+    }
+}
+
+static unsigned long ssl_thread_id(void)
+{
+    /* OpenSSL needs this to return an unsigned long.  On OS/390, the pthread
+     * id is a structure twice that big.  Use the TCB pointer instead as a
+     * unique unsigned long.
+     */
+#ifdef __MVS__
+    struct PSA {
+        char unmapped[540];
+        unsigned long PSATOLD;
+    } *psaptr = 0;
+
+    return psaptr->PSATOLD;
+#elif defined(WIN32)
+    return (unsigned long)GetCurrentThreadId();
+#else
+    return (unsigned long)(pthread_self());
+#endif
+}
+
+/*
+ * Dynamic lock creation callback
+ */
+static struct CRYPTO_dynlock_value *ssl_dynlock_create(const char *file, int line)
+{
+    struct CRYPTO_dynlock_value *value;
+    int rc;
+
+    value = (struct CRYPTO_dynlock_value *)malloc(sizeof(struct CRYPTO_dynlock_value));
+    if (value == 0) {
+        /* TODO log that fprintf(stderr, "Failed to allocate dynamic lock structure"); */
+        return 0;
+    }
+
+    /* Keep our own copy of the place from which we were created,
+       using our own pool. */
+    value->file = file;
+    value->line = line;
+    rc = AcrThreadMutexInit(&value->mutex);
+    if (rc != 0) {
+        /* TODO log that fprintf(stderr, "Failed to create thread mutex for dynamic lock");
*/
+        return 0;
+    }
+    return value;
+}
+
+/*
+ * Dynamic locking and unlocking function
+ */
+static void ssl_dynlock_lock(int mode, struct CRYPTO_dynlock_value *l,
+                             const char *file, int line)
+{
+    if (mode & CRYPTO_LOCK)
+        AcrTreadMutexLock(&l->mutex);
+    else
+        AcrTreadMutexUnlock(&l->mutex);
+}
+
+/*
+ * Dynamic lock destruction callback
+ */
+static void ssl_dynlock_destroy(struct CRYPTO_dynlock_value *l,
+                                const char *file, int line)
+{
+    AcrTreadMutexDestroy(&l->mutex);
+    AcrFree(l);
+}
+
+static int ssl_thread_setup(void)
+{
+    int i;
+
+    ssl_num_mutexes = CRYPTO_num_locks();
+    if (ssl_num_mutexes < 1)
+        return ACR_ENOSYS;
+    ssl_lock_mutex = malloc(ssl_num_mutexes * sizeof(acr_mutex_t *));
+    if (ssl_lock_mutex == 0)
+        return ACR_ENOMEM;
+    for (i = 0; i < ssl_num_mutexes; i++) {
+        int rc = AcrThreadMutexCreate(&ssl_lock_mutex[i]);
+        if (rc != 0)
+            return rc;
+    }
+
+    CRYPTO_set_id_callback(ssl_thread_id);
+    CRYPTO_set_locking_callback(ssl_thread_lock);
+
+    /* Set up dynamic locking scaffolding for OpenSSL to use at its
+     * convenience.
+     */
+    CRYPTO_set_dynlock_create_callback(ssl_dynlock_create);
+    CRYPTO_set_dynlock_lock_callback(ssl_dynlock_lock);
+    CRYPTO_set_dynlock_destroy_callback(ssl_dynlock_destroy);
+    return 0;
+}
+
+static int ssl_rand_choosenum(int l, int h)
+{
+    int i;
+    char buf[50];
+
+    snprintf(buf, sizeof(buf), "%.0f", (((double)(_bsd_arc4random() % RAND_MAX) / RAND_MAX)
* (h - l)));
+    i = atoi(buf) + 1;
+    if (i < l) i = l;
+    if (i > h) i = h;
+    return i;
+}
+
+static int ssl_rand_load_file(const char *file)
+{
+    char buffer[PATH_MAX];
+    int n;
+
+    if (file == 0)
+        file = ssl_global_rand_file;
+    if (strcmp(file, "builtin") == 0)
+        return -1;
+    if (*file == '\0')
+        file = RAND_file_name(buffer, sizeof(buffer));
+    if (file != 0) {
+        if (strncmp(file, "egd:", 4) == 0) {
+            if ((n = RAND_egd(file + 4)) > 0)
+                return n;
+            else
+                return -1;
+        }
+        if ((n = RAND_load_file(file, -1)) > 0)
+            return n;
+    }
+    return -1;
+}
+
+int ACRSSL_rand_seed(const char *file)
+{
+    unsigned char stackdata[256];
+    static volatile int counter = 0;
+
+    if (ssl_rand_load_file(file) < 0) {
+        int n;
+        struct {
+            acr_time_t    t;
+            pid_t         p;
+            unsigned long i;
+            unsigned int  u;
+        } _ssl_seed;
+        if (counter == 0) {
+            unsigned int *p = (unsigned int *)stackdata;
+            for (n = 0; n < 64; n++)
+                p[n] = _bsd_arc4random();
+            RAND_seed(stackdata, 128);
+        }
+        _ssl_seed.t = AcrTimeNow();
+        _ssl_seed.p = getpid();
+        _ssl_seed.i = ssl_thread_id();
+        counter++;
+        _ssl_seed.u = counter;
+        RAND_seed((unsigned char *)&_ssl_seed, sizeof(_ssl_seed));
+        /*
+         * seed in some current state of the run-time stack (128 bytes)
+         */
+        n = ssl_rand_choosenum(0, sizeof(stackdata)-128-1);
+        RAND_seed(stackdata + n, 128);
+    }
+    return RAND_status();
+}
+
+static int ssl_initialized = 0;
+
+ACR_SSL_EXPORT(jint, SSL, init0)(JNI_STDARGS)
+{
+    int rc;
+
+    if (ssl_initialized != 0)
+        return 0;
+    /* We must register the library in full, to ensure our configuration
+     * code can successfully test the SSL environment.
+     */
+    CRYPTO_malloc_init();
+    ERR_load_crypto_strings();
+    SSL_load_error_strings();
+    SSL_library_init();
+#ifndef OPENSSL_NO_ENGINE
+    ENGINE_load_builtin_engines();
+#endif
+    OPENSSL_load_builtin_modules();
+    rc = ssl_thread_setup();
+    if (rc != 0)
+        return rc;
+
+#ifndef OPENSSL_NO_ENGINE
+    if (ssl_global_engine[0] != 0) {
+        ENGINE *ee = 0;
+        if (strcmp(ssl_global_engine, "auto") == 0) {
+            ENGINE_register_all_complete();
+        }
+        else {
+            if ((ee = ENGINE_by_id(ssl_global_engine)) == 0 &&
+                (ee = ssl_try_load_engine(ssl_global_engine)) == 0)
+                rc = ACR_ENOTIMPL;
+            else {
+                if (strcmp(ssl_global_engine, "chil") == 0)
+                    ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
+                if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
+                    rc = ACR_ENOTIMPL;
+            }
+            /* Free our "structural" reference. */
+            if (ee != 0)
+                ENGINE_free(ee);
+        }
+    }
+#endif
+    if (rc != 0) {
+
+        return rc;
+    }
+    memset(&ACRSSL_password_cb, 0, sizeof(ssl_pass_cb_t));
+    /* Initialize PRNG
+     * This will in most cases call the builtin
+     * low entropy seed.
+     */
+    ACRSSL_rand_seed(0);
+    /* For SSL_get_app_data2() at request time */
+    ACRSSL_init_app_data2_idx();
+
+    SSL_TMP_KEYS_INIT(rc);
+    if (rc != 0) {
+
+        return ACR_EINIT;
+    }
+    ssl_initialized = 1;
+    return 0;
+}
+
+ACR_SSL_EXPORT(void, SSL, rndfile0)(JNI_STDARGS, jstring path)
+{
+    WITH_CSTR(path) {
+        strlcpy(ssl_global_rand_file, J2S(path), PATH_MAX);
+    } DONE_WITH_STR(path);
+}
+
+ACR_SSL_EXPORT(void, SSL, engine0)(JNI_STDARGS, jstring name)
+{
+    WITH_CSTR(name) {
+        strlcpy(ssl_global_engine, J2S(name), 64);
+    } DONE_WITH_STR(name);
+}
+
+ACR_SSL_EXPORT(void, SSL, fipsmode0)(JNI_STDARGS, jint mode)
+{
+#if defined(OPENSSL_FIPS)
+    if(FIPS_mode_set((int)mode) == 0) {
+      unsigned long err = ERR_get_error();
+      char msg[256];
+
+      ERR_error_string_n(err, msg, 256);
+      ACR_THROW_MSG(ACR_EX_ENOSYS, msg);
+    }
+#else
+    ACR_THROW_MSG(ACR_EX_ENOSYS, "FIPS was not available at build time. You will need an
OpenSSL with FIPS support.");
+#endif
+}

Propchange: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c
------------------------------------------------------------------------------
    svn:eol-style = native

Added: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c?rev=1166147&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c (added)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c Wed Sep  7 12:15:40
2011
@@ -0,0 +1,396 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "acr/clazz.h"
+#include "acr/error.h"
+#include "acr/misc.h"
+#include "acr/dso.h"
+#include "arch_sync.h"
+#include "acr/ssl.h"
+
+#if !HAVE_OPENSSL
+#error "Cannot compile this file without HAVE_OPENSSL defined"
+#endif
+
+/*  _________________________________________________________________
+**
+**  Additional High-Level Functions for OpenSSL
+**  _________________________________________________________________
+*/
+
+/* we initialize this index at startup time
+ * and never write to it at request time,
+ * so this static is thread safe.
+ * also note that OpenSSL increments at static variable when
+ * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
+ */
+static int ssl_app_data2_idx = -1;
+
+void ACRSSL_init_app_data2_idx(void)
+{
+    int i;
+
+    if (ssl_app_data2_idx > -1) {
+        return;
+    }
+    /* we _do_ need to call this twice */
+    for (i = 0; i <= 1; i++) {
+        ssl_app_data2_idx = SSL_get_ex_new_index(0, "Second Application Data for SSL", 0,
0, 0);
+    }
+}
+
+void *ACRSSL_get_app_data2(SSL *ssl)
+{
+    return (void *)SSL_get_ex_data(ssl, ssl_app_data2_idx);
+}
+
+void ACRSSL_set_app_data2(SSL *ssl, void *arg)
+{
+    SSL_set_ex_data(ssl, ssl_app_data2_idx, (char *)arg);
+    return;
+}
+
+static unsigned char dh0512_p[]={
+    0xD9,0xBA,0xBF,0xFD,0x69,0x38,0xC9,0x51,0x2D,0x19,0x37,0x39,
+    0xD7,0x7D,0x7E,0x3E,0x25,0x58,0x55,0x94,0x90,0x60,0x93,0x7A,
+    0xF2,0xD5,0x61,0x5F,0x06,0xE8,0x08,0xB4,0x57,0xF4,0xCF,0xB4,
+    0x41,0xCC,0xC4,0xAC,0xD4,0xF0,0x45,0x88,0xC9,0xD1,0x21,0x4C,
+    0xB6,0x72,0x48,0xBD,0x73,0x80,0xE0,0xDD,0x88,0x41,0xA0,0xF1,
+    0xEA,0x4B,0x71,0x13
+};
+
+static unsigned char dh1024_p[]={
+    0xA2,0x95,0x7E,0x7C,0xA9,0xD5,0x55,0x1D,0x7C,0x77,0x11,0xAC,
+    0xFD,0x48,0x8C,0x3B,0x94,0x1B,0xC5,0xC0,0x99,0x93,0xB5,0xDC,
+    0xDC,0x06,0x76,0x9E,0xED,0x1E,0x3D,0xBB,0x9A,0x29,0xD6,0x8B,
+    0x1F,0xF6,0xDA,0xC9,0xDF,0xD5,0x02,0x4F,0x09,0xDE,0xEC,0x2C,
+    0x59,0x1E,0x82,0x32,0x80,0x9B,0xED,0x51,0x68,0xD2,0xFB,0x1E,
+    0x25,0xDB,0xDF,0x9C,0x11,0x70,0xDF,0xCA,0x19,0x03,0x3D,0x3D,
+    0xC1,0xAC,0x28,0x88,0x4F,0x13,0xAF,0x16,0x60,0x6B,0x5B,0x2F,
+    0x56,0xC7,0x5B,0x5D,0xDE,0x8F,0x50,0x08,0xEC,0xB1,0xB9,0x29,
+    0xAA,0x54,0xF4,0x05,0xC9,0xDF,0x95,0x9D,0x79,0xC6,0xEA,0x3F,
+    0xC9,0x70,0x42,0xDA,0x90,0xC7,0xCC,0x12,0xB9,0x87,0x86,0x39,
+    0x1E,0x1A,0xCE,0xF7,0x3F,0x15,0xB5,0x2B
+};
+
+static unsigned char dh2048_p[]={
+    0xF2,0x4A,0xFC,0x7E,0x73,0x48,0x21,0x03,0xD1,0x1D,0xA8,0x16,
+    0x87,0xD0,0xD2,0xDC,0x42,0xA8,0xD2,0x73,0xE3,0xA9,0x21,0x31,
+    0x70,0x5D,0x69,0xC7,0x8F,0x95,0x0C,0x9F,0xB8,0x0E,0x37,0xAE,
+    0xD1,0x6F,0x36,0x1C,0x26,0x63,0x2A,0x36,0xBA,0x0D,0x2A,0xF5,
+    0x1A,0x0F,0xE8,0xC0,0xEA,0xD1,0xB5,0x52,0x47,0x1F,0x9A,0x0C,
+    0x0F,0xED,0x71,0x51,0xED,0xE6,0x62,0xD5,0xF8,0x81,0x93,0x55,
+    0xC1,0x0F,0xB4,0x72,0x64,0xB3,0x73,0xAA,0x90,0x9A,0x81,0xCE,
+    0x03,0xFD,0x6D,0xB1,0x27,0x7D,0xE9,0x90,0x5E,0xE2,0x10,0x74,
+    0x4F,0x94,0xC3,0x05,0x21,0x73,0xA9,0x12,0x06,0x9B,0x0E,0x20,
+    0xD1,0x5F,0xF7,0xC9,0x4C,0x9D,0x4F,0xFA,0xCA,0x4D,0xFD,0xFF,
+    0x6A,0x62,0x9F,0xF0,0x0F,0x3B,0xA9,0x1D,0xF2,0x69,0x29,0x00,
+    0xBD,0xE9,0xB0,0x9D,0x88,0xC7,0x4A,0xAE,0xB0,0x53,0xAC,0xA2,
+    0x27,0x40,0x88,0x58,0x8F,0x26,0xB2,0xC2,0x34,0x7D,0xA2,0xCF,
+    0x92,0x60,0x9B,0x35,0xF6,0xF3,0x3B,0xC3,0xAA,0xD8,0x58,0x9C,
+    0xCF,0x5D,0x9F,0xDB,0x14,0x93,0xFA,0xA3,0xFA,0x44,0xB1,0xB2,
+    0x4B,0x0F,0x08,0x70,0x44,0x71,0x3A,0x73,0x45,0x8E,0x6D,0x9C,
+    0x56,0xBC,0x9A,0xB5,0xB1,0x3D,0x8B,0x1F,0x1E,0x2B,0x0E,0x93,
+    0xC2,0x9B,0x84,0xE2,0xE8,0xFC,0x29,0x85,0x83,0x8D,0x2E,0x5C,
+    0xDD,0x9A,0xBB,0xFD,0xF0,0x87,0xBF,0xAF,0xC4,0xB6,0x1D,0xE7,
+    0xF9,0x46,0x50,0x7F,0xC3,0xAC,0xFD,0xC9,0x8C,0x9D,0x66,0x6B,
+    0x4C,0x6A,0xC9,0x3F,0x0C,0x0A,0x74,0x94,0x41,0x85,0x26,0x8F,
+    0x9F,0xF0,0x7C,0x0B
+};
+
+static unsigned char dh4096_p[] = {
+    0x8D,0xD3,0x8F,0x77,0x6F,0x6F,0xB0,0x74,0x3F,0x22,0xE9,0xD1,
+    0x17,0x15,0x69,0xD8,0x24,0x85,0xCD,0xC4,0xE4,0x0E,0xF6,0x52,
+    0x40,0xF7,0x1C,0x34,0xD0,0xA5,0x20,0x77,0xE2,0xFC,0x7D,0xA1,
+    0x82,0xF1,0xF3,0x78,0x95,0x05,0x5B,0xB8,0xDB,0xB3,0xE4,0x17,
+    0x93,0xD6,0x68,0xA7,0x0A,0x0C,0xC5,0xBB,0x9C,0x5E,0x1E,0x83,
+    0x72,0xB3,0x12,0x81,0xA2,0xF5,0xCD,0x44,0x67,0xAA,0xE8,0xAD,
+    0x1E,0x8F,0x26,0x25,0xF2,0x8A,0xA0,0xA5,0xF4,0xFB,0x95,0xAE,
+    0x06,0x50,0x4B,0xD0,0xE7,0x0C,0x55,0x88,0xAA,0xE6,0xB8,0xF6,
+    0xE9,0x2F,0x8D,0xA7,0xAD,0x84,0xBC,0x8D,0x4C,0xFE,0x76,0x60,
+    0xCD,0xC8,0xED,0x7C,0xBF,0xF3,0xC1,0xF8,0x6A,0xED,0xEC,0xE9,
+    0x13,0x7D,0x4E,0x72,0x20,0x77,0x06,0xA4,0x12,0xF8,0xD2,0x34,
+    0x6F,0xDC,0x97,0xAB,0xD3,0xA0,0x45,0x8E,0x7D,0x21,0xA9,0x35,
+    0x6E,0xE4,0xC9,0xC4,0x53,0xFF,0xE5,0xD9,0x72,0x61,0xC4,0x8A,
+    0x75,0x78,0x36,0x97,0x1A,0xAB,0x92,0x85,0x74,0x61,0x7B,0xE0,
+    0x92,0xB8,0xC6,0x12,0xA1,0x72,0xBB,0x5B,0x61,0xAA,0xE6,0x2C,
+    0x2D,0x9F,0x45,0x79,0x9E,0xF4,0x41,0x93,0x93,0xEF,0x8B,0xEF,
+    0xB7,0xBF,0x6D,0xF0,0x91,0x11,0x4F,0x7C,0x71,0x84,0xB5,0x88,
+    0xA3,0x8C,0x1A,0xD5,0xD0,0x81,0x9C,0x50,0xAC,0xA9,0x2B,0xE9,
+    0x92,0x2D,0x73,0x7C,0x0A,0xA3,0xFA,0xD3,0x6C,0x91,0x43,0xA6,
+    0x80,0x7F,0xD7,0xC4,0xD8,0x6F,0x85,0xF8,0x15,0xFD,0x08,0xA6,
+    0xF8,0x7B,0x3A,0xF4,0xD3,0x50,0xB4,0x2F,0x75,0xC8,0x48,0xB8,
+    0xA8,0xFD,0xCA,0x8F,0x62,0xF1,0x4C,0x89,0xB7,0x18,0x67,0xB2,
+    0x93,0x2C,0xC4,0xD4,0x71,0x29,0xA9,0x26,0x20,0xED,0x65,0x37,
+    0x06,0x87,0xFC,0xFB,0x65,0x02,0x1B,0x3C,0x52,0x03,0xA1,0xBB,
+    0xCF,0xE7,0x1B,0xA4,0x1A,0xE3,0x94,0x97,0x66,0x06,0xBF,0xA9,
+    0xCE,0x1B,0x07,0x10,0xBA,0xF8,0xD4,0xD4,0x05,0xCF,0x53,0x47,
+    0x16,0x2C,0xA1,0xFC,0x6B,0xEF,0xF8,0x6C,0x23,0x34,0xEF,0xB7,
+    0xD3,0x3F,0xC2,0x42,0x5C,0x53,0x9A,0x00,0x52,0xCF,0xAC,0x42,
+    0xD3,0x3B,0x2E,0xB6,0x04,0x32,0xE1,0x09,0xED,0x64,0xCD,0x6A,
+    0x63,0x58,0xB8,0x43,0x56,0x5A,0xBE,0xA4,0x9F,0x68,0xD4,0xF7,
+    0xC9,0x04,0xDF,0xCD,0xE5,0x93,0xB0,0x2F,0x06,0x19,0x3E,0xB8,
+    0xAB,0x7E,0xF8,0xE7,0xE7,0xC8,0x53,0xA2,0x06,0xC3,0xC7,0xF9,
+    0x18,0x3B,0x51,0xC3,0x9B,0xFF,0x8F,0x00,0x0E,0x87,0x19,0x68,
+    0x2F,0x40,0xC0,0x68,0xFA,0x12,0xAE,0x57,0xB5,0xF0,0x97,0xCA,
+    0x78,0x23,0x31,0xAB,0x67,0x7B,0x10,0x6B,0x59,0x32,0x9C,0x64,
+    0x20,0x38,0x1F,0xC5,0x07,0x84,0x9E,0xC4,0x49,0xB1,0xDF,0xED,
+    0x7A,0x8A,0xC3,0xE0,0xDD,0x30,0x55,0xFF,0x95,0x45,0xA6,0xEE,
+    0xCB,0xE4,0x26,0xB9,0x8E,0x89,0x37,0x63,0xD4,0x02,0x3D,0x5B,
+    0x4F,0xE5,0x90,0xF6,0x72,0xF8,0x10,0xEE,0x31,0x04,0x54,0x17,
+    0xE3,0xD5,0x63,0x84,0x80,0x62,0x54,0x46,0x85,0x6C,0xD2,0xC1,
+    0x3E,0x19,0xBD,0xE2,0x80,0x11,0x86,0xC7,0x4B,0x7F,0x67,0x86,
+    0x47,0xD2,0x38,0xCD,0x8F,0xFE,0x65,0x3C,0x11,0xCD,0x96,0x99,
+    0x4E,0x45,0xEB,0xEC,0x1D,0x94,0x8C,0x53,
+};
+
+static unsigned char dhxxx2_g[]={
+    0x02
+};
+
+static DH *get_dh(int idx)
+{
+    DH *dh;
+
+    if ((dh = DH_new()) == 0)
+        return 0;
+    switch (idx) {
+        case SSL_TMP_KEY_DH_512:
+            dh->p = BN_bin2bn(dh0512_p, sizeof(dh0512_p), 0);
+        break;
+        case SSL_TMP_KEY_DH_1024:
+            dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), 0);
+        break;
+        case SSL_TMP_KEY_DH_2048:
+            dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), 0);
+        break;
+        case SSL_TMP_KEY_DH_4096:
+            dh->p = BN_bin2bn(dh4096_p, sizeof(dh2048_p), 0);
+        break;
+    }
+    dh->g = BN_bin2bn(dhxxx2_g, sizeof(dhxxx2_g), 0);
+    if ((dh->p == 0) || (dh->g == 0)) {
+        DH_free(dh);
+        return 0;
+    }
+    else
+        return dh;
+}
+
+DH *ACRSSL_dh_get_tmp_param(int key_len)
+{
+    DH *dh;
+
+    if (key_len == 512)
+        dh = get_dh(SSL_TMP_KEY_DH_512);
+    else if (key_len == 1024)
+        dh = get_dh(SSL_TMP_KEY_DH_1024);
+    else if (key_len == 2048)
+        dh = get_dh(SSL_TMP_KEY_DH_2048);
+    else if (key_len == 4096)
+        dh = get_dh(SSL_TMP_KEY_DH_4096);
+    else
+        dh = get_dh(SSL_TMP_KEY_DH_1024);
+    return dh;
+}
+
+DH *ACRSSL_dh_get_param_from_file(const char *file)
+{
+    DH *dh = 0;
+    BIO *bio;
+
+    if ((bio = BIO_new_file(file, "r")) == 0)
+        return 0;
+    dh = PEM_read_bio_DHparams(bio, 0, 0, 0);
+    BIO_free(bio);
+    return dh;
+}
+
+/*
+ * Handle out temporary RSA private keys on demand
+ *
+ * The background of this as the TLSv1 standard explains it:
+ *
+ * | D.1. Temporary RSA keys
+ * |
+ * |    US Export restrictions limit RSA keys used for encryption to 512
+ * |    bits, but do not place any limit on lengths of RSA keys used for
+ * |    signing operations. Certificates often need to be larger than 512
+ * |    bits, since 512-bit RSA keys are not secure enough for high-value
+ * |    transactions or for applications requiring long-term security. Some
+ * |    certificates are also designated signing-only, in which case they
+ * |    cannot be used for key exchange.
+ * |
+ * |    When the public key in the certificate cannot be used for encryption,
+ * |    the server signs a temporary RSA key, which is then exchanged. In
+ * |    exportable applications, the temporary RSA key should be the maximum
+ * |    allowable length (i.e., 512 bits). Because 512-bit RSA keys are
+ * |    relatively insecure, they should be changed often. For typical
+ * |    electronic commerce applications, it is suggested that keys be
+ * |    changed daily or every 500 transactions, and more often if possible.
+ * |    Note that while it is acceptable to use the same temporary key for
+ * |    multiple transactions, it must be signed each time it is used.
+ * |
+ * |    RSA key generation is a time-consuming process. In many cases, a
+ * |    low-priority process can be assigned the task of key generation.
+ * |    Whenever a new key is completed, the existing temporary key can be
+ * |    replaced with the new one.
+ *
+ * XXX: base on comment above, if thread support is enabled,
+ * we should spawn a low-priority thread to generate new keys
+ * on the fly.
+ *
+ * So we generated 512 and 1024 bit temporary keys on startup
+ * which we now just hand out on demand....
+ */
+
+RSA *ACRSSL_callback_tmp_RSA(SSL *ssl, int export, int keylen)
+{
+    int idx;
+
+    /* doesn't matter if export flag is on,
+     * we won't be asked for keylen > 512 in that case.
+     * if we are asked for a keylen > 1024, it is too expensive
+     * to generate on the fly.
+     */
+
+    switch (keylen) {
+        case 512:
+            idx = SSL_TMP_KEY_RSA_512;
+        break;
+        case 2048:
+            idx = SSL_TMP_KEY_RSA_2048;
+            if (ACRSSL_temp_keys[idx] == NULL)
+                idx = SSL_TMP_KEY_RSA_1024;
+        break;
+        case 4096:
+            idx = SSL_TMP_KEY_RSA_4096;
+            if (ACRSSL_temp_keys[idx] == NULL)
+                idx = SSL_TMP_KEY_RSA_2048;
+        break;
+        case 1024:
+        default:
+            idx = SSL_TMP_KEY_RSA_1024;
+        break;
+    }
+    return (RSA *)ACRSSL_temp_keys[idx];
+}
+
+/*
+ * Hand out the already generated DH parameters...
+ */
+DH *ACRSSL_callback_tmp_DH(SSL *ssl, int export, int keylen)
+{
+    int idx;
+    switch (keylen) {
+        case 512:
+            idx = SSL_TMP_KEY_DH_512;
+        break;
+        case 2048:
+            idx = SSL_TMP_KEY_DH_2048;
+        break;
+        case 4096:
+            idx = SSL_TMP_KEY_DH_4096;
+        break;
+        case 1024:
+        default:
+            idx = SSL_TMP_KEY_DH_1024;
+        break;
+    }
+    return (DH *)ACRSSL_temp_keys[idx];
+}
+
+void ACRSSL_vhost_algo_id(const unsigned char *vhost_id, unsigned char *md, int algo)
+{
+    MD5_CTX c;
+
+    MD5_Init(&c);
+    MD5_Update(&c, vhost_id, MD5_DIGEST_LENGTH);
+    switch (algo) {
+        case SSL_ALGO_UNKNOWN:
+            MD5_Update(&c, "UNKNOWN", 7);
+        break;
+        case SSL_ALGO_RSA:
+            MD5_Update(&c, "RSA", 3);
+        break;
+        case SSL_ALGO_DSA:
+            MD5_Update(&c, "DSA", 3);
+        break;
+#ifndef OPENSSL_NO_EC
+        case SSL_ALGO_ECC:
+            MD5_Update(&c, "ECC", 3);
+        break;
+#endif
+    }
+    MD5_Final(md, &c);
+}
+
+/*
+ * Read a file that optionally contains the server certificate in PEM
+ * format, possibly followed by a sequence of CA certificates that
+ * should be sent to the peer in the SSL Certificate message.
+ */
+int ACRSSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file,
+                                     int skipfirst)
+{
+    BIO *bio;
+    X509 *x509;
+    unsigned long err;
+    int n;
+    STACK_OF(X509) *extra_certs;
+
+    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
+        return -1;
+    if (BIO_read_filename(bio, file) <= 0) {
+        BIO_free(bio);
+        return -1;
+    }
+    /* optionally skip a leading server certificate */
+    if (skipfirst) {
+        if ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
+            BIO_free(bio);
+            return -1;
+        }
+        X509_free(x509);
+    }
+    /* free a perhaps already configured extra chain */
+    extra_certs = SSL_CTX_get_extra_certs(ctx);
+    if (extra_certs != NULL) {
+        sk_X509_pop_free(extra_certs, X509_free);
+        SSL_CTX_set_extra_certs(ctx,NULL);
+    }
+    /* create new extra chain by loading the certs */
+    n = 0;
+    while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
+        if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
+            X509_free(x509);
+            BIO_free(bio);
+            return -1;
+        }
+        n++;
+    }
+    /* Make sure that only the error is just an EOF */
+    if ((err = ERR_peek_error()) > 0) {
+        if (!(ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE))
{
+            BIO_free(bio);
+            return -1;
+        }
+        while (ERR_get_error() > 0) ;
+    }
+    BIO_free(bio);
+    return n;
+}
+

Propchange: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/util.c
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message