From mt...@apache.org
Subject svn commit: r1172022 - in /commons/sandbox/runtime/trunk/src/main: java/org/apache/commons/runtime/ssl/SSLContext.java native/include/acr/ssl.h native/modules/openssl/api.c native/modules/openssl/ctx.c
Date Sat, 17 Sep 2011 17:17:45 GMT
Author: mturk
Date: Sat Sep 17 17:17:45 2011
New Revision: 1172022

URL: http://svn.apache.org/viewvc?rev=1172022&view=rev
Log:
Add support for session id prefix

Modified:
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
    commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c

Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java?rev=1172022&r1=1172021&r2=1172022&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
(original)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
Sat Sep 17 17:17:45 2011
@@ -17,6 +17,7 @@
 package org.apache.commons.runtime.ssl;
 
 import org.apache.commons.runtime.InvalidArgumentException;
+import org.apache.commons.runtime.InvalidRangeException;
 import org.apache.commons.runtime.OperationNotImplementedException;
 import org.apache.commons.runtime.Status;
 import org.apache.commons.runtime.SystemException;
@@ -39,6 +40,7 @@ public final class SSLContext extends Na
 
     private static native long         new0(int protocol, int mode)
         throws OperationNotImplementedException;
+    private static native void         setsprefix0(long ctx, String prefix);
     private static native void         setid0(long ctx, String id);
     private static native void         setscachesize0(long ctx, int size);
     private static native void         setpasscb0(long ctx, long cb);
@@ -97,5 +99,33 @@ public final class SSLContext extends Na
         if (super.pointer != 0L)
             setverify0(super.pointer, mode.valueOf(), depth);
     }
+
+    /**
+     * Set session id prefix.
+     * <p>
+     * When a new session is established between client and server, the server
+     * generates a session id. The session id is an arbitrary sequence of bytes.
+     * The length of the session id is 16 bytes for {@code SSLv2}
+     * sessions and between 1 and 32 bytes for {@code SSLv3/TLSv1}.
+     * The session id is not security critical but must be unique for
+     * the server. Additionally, the session id is transmitted in the clear
+     * when reusing the session so it must not contain sensitive information.
+     * </p>
+     * <p>
+     * Using the prefix, the session id can be changed to contain
+     * additional information like e.g. a host id in order to improve load
+     * balancing or external caching techniques.
+     * </p>
+     *
+     * @param prefix session id prefix.
+     * @throws InvalidRangeException if the length of the prefix is too large.
+     */
+    public void setSessionIdPrefix(String prefix)
+        throws InvalidRangeException
+    {
+        if (prefix.length() > 31)
+            throw new InvalidRangeException();
+        setsprefix0(super.pointer, prefix);
+    }
 }
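Review bot: `setSessionIdPrefix` calls `setsprefix0(super.pointer, prefix)` unconditionally, whereas `setVerify` just above guards the native call with `if (super.pointer != 0L)`; a context whose native handle is zero therefore hands a null pointer to the JNI side, which dereferences it. Mirror the existing pattern: `if (super.pointer != 0L) setsprefix0(super.pointer, prefix);`. The `prefix.length() > 31` check counts UTF-16 chars while the native side copies bytes into a 32-byte buffer, so a non-ASCII prefix can pass this test and still be silently clipped; the Javadoc should state that the limit is effectively 31 single-byte characters, and a null `prefix` currently surfaces as a NullPointerException rather than the InvalidArgumentException the class already imports. Throwing `InvalidRangeException` without a message also leaves the caller without the offending length; consider including it.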
 

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1172022&r1=1172021&r2=1172022&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Sat Sep 17 17:17:45 2011
@@ -318,6 +318,9 @@ typedef struct acr_ssl_ctxt_t {
     /* for client or downstream server authentication */
     int              verify_depth;
     int              verify_mode;
+    char             session_id_prefix[32];
+    unsigned int     session_id_prefix_len;
+
 #ifdef HAVE_OCSP_STAPLING
     /** OCSP stapling options */
     BOOL             stapling_enabled;

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c?rev=1172022&r1=1172021&r2=1172022&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c Sat Sep 17 17:17:45
2011
@@ -155,6 +155,7 @@ struct SSLAPIst {
     int                 (*fpRAND_egd)(const char *);
     const char*         (*fpRAND_file_name)(char *, size_t);
     int                 (*fpRAND_load_file)(const char *, long);
+    int                 (*fpRAND_pseudo_bytes)(unsigned char *, int);    
     void                (*fpRAND_seed)(const void *, int);
     int                 (*fpRAND_status)(void);
 
@@ -170,10 +171,12 @@ struct SSLAPIst {
     X509_STORE*         (*fpSSL_CTX_get_cert_store)(const SSL_CTX *);
     int                 (*fpSSL_CTX_set_default_verify_paths)(SSL_CTX *);
     void                (*fpSSL_CTX_set_verify)(SSL_CTX *, int, int (*)(int, X509_STORE_CTX
*));
+    int                 (*fpSSL_CTX_set_generate_session_id)(SSL_CTX *, GEN_SESSION_CB);
 
     /*** SSL      ***/
     void*               (*fpSSL_get_ex_data)(const SSL *, int);
     int                 (*fpSSL_get_ex_new_index)(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup
*, CRYPTO_EX_free *);
+    int                 (*fpSSL_has_matching_session_id)(const SSL *, const unsigned char
*, unsigned int);    
     int                 (*fpSSL_library_init)(void);
     void                (*fpSSL_load_error_strings)(void);
     int                 (*fpSSL_set_ex_data)(SSL *, int, void *);
@@ -279,6 +282,7 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
     /*** SSL      ***/
     LIBSSL_FPLOAD(SSL_get_ex_data);
     LIBSSL_FPLOAD(SSL_get_ex_new_index);
+    LIBSSL_FPLOAD(SSL_has_matching_session_id);
     LIBSSL_FPLOAD(SSL_library_init);
     LIBSSL_FPLOAD(SSL_load_error_strings);
     LIBSSL_FPLOAD(SSL_set_ex_data);
@@ -307,6 +311,7 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
     LIBSSL_FPLOAD(SSL_CTX_get_cert_store);
     LIBSSL_FPLOAD(SSL_CTX_set_default_verify_paths);
     LIBSSL_FPLOAD(SSL_CTX_set_verify);
+    LIBSSL_FPLOAD(SSL_CTX_set_generate_session_id);
 
     /*** BIO      ***/
     CRYPTO_FPLOAD(BIO_ctrl);
@@ -377,6 +382,7 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
     CRYPTO_FPLOAD(RAND_egd);
     CRYPTO_FPLOAD(RAND_file_name);
     CRYPTO_FPLOAD(RAND_load_file);
+    CRYPTO_FPLOAD(RAND_pseudo_bytes);
     CRYPTO_FPLOAD(RAND_seed);
     CRYPTO_FPLOAD(RAND_status);
 
@@ -784,6 +790,11 @@ int RAND_load_file(const char *file, lon
     return SSLAPI_CALL(RAND_load_file)(file, max_bytes);
 }
 
+int RAND_pseudo_bytes(unsigned char *buf, int num)
+{
+    return SSLAPI_CALL(RAND_pseudo_bytes)(buf, num);
+}
+
 void RAND_seed(const void *buf, int num)
 {
     SSLAPI_CALL(RAND_seed)(buf, num);
@@ -841,6 +852,11 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, in
     SSLAPI_CALL(SSL_CTX_set_verify)(ctx, mode, callback);
 }
 
+int  SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
+{
+    return SSLAPI_CALL(SSL_CTX_set_generate_session_id)(ctx, cb);
+}
+
 void *SSL_get_ex_data(const SSL *ssl, int idx)
 {
     return SSLAPI_CALL(SSL_get_ex_data)(ssl, idx);
@@ -852,6 +868,12 @@ int SSL_get_ex_new_index(long argl, void
     return SSLAPI_CALL(SSL_get_ex_new_index)(argl, argp, new_func, dup_func, free_func);
 }
 
+int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
+                                unsigned int id_len)
+{
+    return SSLAPI_CALL(SSL_has_matching_session_id)(ssl, id, id_len);
+}
+
 int SSL_library_init(void)
 {
     return SSLAPI_CALL(SSL_library_init)();

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1172022&r1=1172021&r2=1172022&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Sat Sep 17 17:17:45
2011
@@ -33,6 +33,33 @@ static struct {
     int mode;
 } context_id;
 
+#define MAX_SESSION_ID_ATTEMPTS 10
+static int generate_session_id(const SSL *ssl, unsigned char *id,
+                               unsigned int *id_len)
+{
+    unsigned int count = 0;
+    ssl_sd_t *sd = (ssl_sd_t *)SSL_get_app_data(ssl);    
+    do {
+        RAND_pseudo_bytes(id, *id_len);
+        if (sd == 0 || sd->ctx == 0)
+            break;
+        /* Prefix the session_id with the required prefix. NB: If our
+         * prefix is too long, clip it - but there will be worse effects
+         * anyway, eg. the server could only possibly create 1 session
+         * ID (ie. the prefix!) so all future session negotiations will
+         * fail due to conflicts.
+         */
+        memcpy(id, sd->ctx->session_id_prefix,
+               sd->ctx->session_id_prefix_len < *id_len ?
+               sd->ctx->session_id_prefix_len : *id_len);
+    } while (SSL_has_matching_session_id(ssl, id, *id_len) && (++count < MAX_SESSION_ID_ATTEMPTS));
+
+    if (count >= MAX_SESSION_ID_ATTEMPTS)
+        return 0;
+    else
+        return 1;
+}
+
 ACR_SSL_EXPORT(jlong, SSLContext, new0)(JNI_STDARGS, jint protocol, jint mode)
 {
     acr_ssl_ctxt_t   *c;
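Review bot: The return value of `RAND_pseudo_bytes(id, *id_len)` at the top of the do/while is ignored, so when the generator is unavailable (negative return) the loop still stamps the prefix over whatever `id` held and reports success, yielding a session id that is partly stale memory and partly a fixed prefix; at minimum treat that as failure, `if (RAND_pseudo_bytes(id, *id_len) < 0) return 0;`, and decide explicitly whether a 0 return (bytes not cryptographically strong) should also abort, since a predictable resumable id weakens the session cache. The clip to `*id_len` in the memcpy is what keeps this function in bounds when `session_id_prefix_len` exceeds the 32-byte field (see setsprefix0 below, whose strlcpy return is not clamped); it would be cleaner to guarantee the invariant at the point of storage. The `if/else` tail can be `return count < MAX_SESSION_ID_ATTEMPTS;`.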
@@ -227,6 +254,17 @@ ACR_SSL_EXPORT(void, SSLContext, setid0)
     } DONE_WITH_STR(id);
 }
 
+ACR_SSL_EXPORT(void, SSLContext, setsprefix0)(JNI_STDARGS, jlong ctx,
+                                              jstring prefix)
+{
+    acr_ssl_ctxt_t *c = J2P(ctx, acr_ssl_ctxt_t *);
+
+    WITH_CSTR(prefix) {       
+        c->session_id_prefix_len = (unsigned int)strlcpy(c->session_id_prefix, J2S(prefix),
32);
+        SSL_CTX_set_generate_session_id(c->ctx, generate_session_id);
+    } DONE_WITH_STR(prefix);
+}
+
 ACR_SSL_EXPORT(void, SSLContext, setverify0)(JNI_STDARGS, jlong ctx,
                                              jint mode, jint depth)
 {
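Review bot: `session_id_prefix_len` is assigned the return value of `strlcpy`, which is the length of the source string rather than the number of bytes actually copied, so a prefix of 32 or more bytes records a length larger than the 32-byte `session_id_prefix` field; the Java guard only counts chars, and if `J2S` yields a multi-byte encoding (worth confirming) a 31-char non-ASCII prefix reaches this path with more than 31 bytes. Clamp at the point of storage and replace the duplicated literal with the field size: `size_t n = strlcpy(c->session_id_prefix, J2S(prefix), sizeof(c->session_id_prefix));` then `c->session_id_prefix_len = (unsigned int)(n < sizeof(c->session_id_prefix) ? n : sizeof(c->session_id_prefix) - 1);`. `c` is dereferenced without a null check, so a zero `ctx` from the Java side crashes here rather than failing cleanly. If the context can be in use by live connections when the prefix is changed, the generate callback reads this buffer while it is being rewritten — presumably the caller serialises that, but it is worth a comment. There is trailing whitespace on the `WITH_CSTR(prefix) {` line.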


