From mt...@apache.org
Subject svn commit: r1172737 - in /commons/sandbox/runtime/trunk/src/main: java/org/apache/commons/runtime/ssl/SSLContext.java java/org/apache/commons/runtime/ssl/SSLServer.java native/include/acr/ssl.h native/modules/openssl/ctx.c native/modules/openssl/server.c
Date Mon, 19 Sep 2011 18:17:22 GMT
Author: mturk
Date: Mon Sep 19 18:17:22 2011
New Revision: 1172737

URL: http://svn.apache.org/viewvc?rev=1172737&view=rev
Log:
Initial support for TLS extensions

Modified:
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java
    commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c

Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
(original)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
Mon Sep 19 18:17:22 2011
@@ -37,35 +37,36 @@ public final class SSLContext extends Na
 {
 
     // Hide NativePointer
-    private final long  pointer = 0L;
+    private final long            pointer = 0L;
+    private SSLKey[]              keys;
+    private SSLCertificate[]      cert;
+    private boolean               has_crlset = false;
 
-    private SSLKey[]             keys;
-    private SSLCertificate[]     cert;
-    private boolean              has_crlset = false;
-
-    private static native long         new0(int protocol, int mode)
+    private static native long    new0(int protocol, int mode)
         throws OperationNotImplementedException;
-    private static native void         free0(long key);
-    private static native void         setsprefix0(long ctx, String prefix);
-    private static native void         setid0(long ctx, String id);
-    private static native void         setscachesize0(long ctx, int size);
-    private static native void         setpasscb0(long ctx, long cb);
-    private static native void         setcrlcheck0(long ctx, int mode);
-    private static native void         setcafile0(long ctx, String caPath)
+    private static native void    free0(long key);
+    private static native void    setsprefix0(long ctx, String prefix);
+    private static native void    setid0(long ctx, String id);
+    private static native void    setscachesize0(long ctx, int size);
+    private static native void    setpasscb0(long ctx, long cb);
+    private static native void    setcrlcheck0(long ctx, int mode);
+    private static native void    setcafile0(long ctx, String caPath)
         throws SSLException;
-    private static native void         setcapath0(long ctx, String caPath)
+    private static native void    setcapath0(long ctx, String caPath)
         throws SSLException;
-    private static native void         setcacrlfile0(long ctx, String caPath)
+    private static native void    setcacrlfile0(long ctx, String caPath)
         throws SSLException;
-    private static native void         setcacrlpath0(long ctx, String caPath)
+    private static native void    setcacrlpath0(long ctx, String caPath)
         throws SSLException;
-    private static native void         setvmode0(long ctx, int mode, int depth)
+    private static native void    setvmode0(long ctx, int mode, int depth)
         throws SSLException;
-    private static native void         setoption0(long ctx, int opt);
-    private static native void         clroption0(long ctx, int opt);
+    private static native void    setoption0(long ctx, int opt);
+    private static native void    clroption0(long ctx, int opt);
 
 
-    private static final int           SSL_COPT_NO_COMPRESSION = 1;
+    private static final int      SSL_COPT_NO_COMPRESSION       = 1;
+    private static final int      SSL_COPT_NO_TICKET            = 2;
+    private static final int      SSL_COPT_ALLOW_UNSAFE_RENEG   = 3;
 
     private SSLContext()
     {
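Review bot: The three `SSL_COPT_*` values added here are an unchecked mirror of the `#define SSL_COPT_*` constants in native/include/acr/ssl.h that this same commit changes, and nothing in either file records the coupling. A one-line comment above the group, `// Must match SSL_COPT_* in native/include/acr/ssl.h; ctx.c's switch has no default case, so an unknown value is silently ignored`, would make that visible to whoever adds the next option. The remainder of the hunk is column realignment only.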
@@ -324,5 +325,29 @@ public final class SSLContext extends Na
         else
             clroption0(super.pointer, SSL_COPT_NO_COMPRESSION);       
     }
+
+    /**
+     * Disable use of RFC4507bis session tickets.
+     */
+    public void setNoTicket(boolean on)
+    {
+        if (on)
+            setoption0(super.pointer, SSL_COPT_NO_TICKET);
+        else
+            clroption0(super.pointer, SSL_COPT_NO_TICKET);
+    }
+
+    /**
+     * Enable use of legacy renegotiation (dangerous).
+     *
+     * @param on if {@code true} legacy renegotiation will be enabled.
+     */
+    public void allowLegacyRenegotiation(boolean on)
+    {
+        if (on)
+            setoption0(super.pointer, SSL_COPT_ALLOW_UNSAFE_RENEG);
+        else
+            clroption0(super.pointer, SSL_COPT_ALLOW_UNSAFE_RENEG);
+    }
 }
 
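Review bot: `setNoTicket` is missing the `@param on` tag that `allowLegacyRenegotiation` directly below it carries, and "RFC4507bis" is the draft name — the session-ticket mechanism was published as RFC 5077 — so `Disable use of RFC 5077 (formerly RFC4507bis) session tickets.` with `@param on if {@code true} session tickets are disabled.` would be more precise. The `allowLegacyRenegotiation` Javadoc says "dangerous" without saying why; given the native option name `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION`, stating that it permits renegotiation with peers lacking RFC 5746 secure renegotiation tells the caller what risk they are accepting. Neither new method checks `super.pointer == 0L` the way the new `SSLServer` setters in this commit do, so if the pointer is zeroed when the context is freed (as those checks imply) a call after free hands a null handle to `setoption0`; the existing `setNoCompression` above has the same gap.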

Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java
(original)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLServer.java
Mon Sep 19 18:17:22 2011
@@ -38,11 +38,12 @@ public final class SSLServer extends Nat
     private static native long         new0(String name);
     private static native void         close0(long srv);
     private static native void         setctx0(long srv, long ctx);
-
+    private static native void         setopt0(long src, int opt, boolean on);
+    private static native void         setservname0(long src, String name);
 
     private SSLContext          ctx1 = null;
     private SSLContext          ctx2 = null;
-
+    private String              serverName;
     private SSLServer()
     {
         hostId = null;
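Review bot: `setopt0` and `setservname0` name their first parameter `src`, while the neighbouring natives `close0` and `setctx0` call the same server handle `srv`; `long srv` would keep the declarations uniform and avoids reading "src" as a source object. The new `serverName` field is also declared with the blank line before the constructor removed, so the field list now runs straight into `private SSLServer()`; restoring the blank line keeps fields and constructors visually separated as in the rest of the class.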
@@ -111,14 +112,50 @@ public final class SSLServer extends Nat
      * @param ctx the context to set
      * @return previous context or {@code null} if the context
      *          was not set already.
+     * @throws IllegalStateException if server instance is invalid.
      */
     public synchronized final SSLContext setContext(SSLContext ctx)
+        throws IllegalStateException
     {
+        if (super.pointer == 0L)
+            throw new IllegalStateException();
         SSLContext org = ctx1;
         ctx1 = ctx;
         setctx0(super.pointer, ((NativePointer)ctx).pointer);
         return org;
     }
-    
+
+    /**
+     * Set ServerName for HostName TLS extension.
+     *
+     * @param name name to set.
+     *
+     * @throws NullPointerException if name is {@code null}.
+     * @throws IllegalStateException if server instance is invalid.
+     */
+    public void setServerName(String name)
+        throws IllegalStateException
+    {
+        if (super.pointer == 0L)
+            throw new IllegalStateException();
+        if (name == null)
+            throw new NullPointerException();
+        serverName = name;
+        setservname0(super.pointer, name);
+    }
+    /**
+     * On mismatch send fatal alert (default warning alert).
+     *
+     * @param on if {@code true} server will respond with fatal
+     *          alert on servername mismatch.
+     * @throws IllegalStateException if server instance is invalid.
+     */
+    public void setServerNameFatal(boolean on)
+        throws IllegalStateException
+    {
+        if (super.pointer == 0L)
+            throw new IllegalStateException();
+        setopt0(super.pointer, 1, on);
+    }
 }
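Review bot: `setServerNameFatal` passes the bare literal `1` to `setopt0`, and server.c in this commit matches it with an equally bare `case 1:`; a named constant on both sides (for instance a private `SSL_SOPT_SERVERNAME_FATAL = 1` here mirroring a `#define` in ssl.h — the name is a suggestion) keeps the pairing from drifting as server options are added. `setContext` is `synchronized`, but neither `setServerName` nor `setServerNameFatal` is, even though `setServerName` writes the `serverName` field and both call into native code on the same handle; if the class is meant to be thread-safe the new setters should take the same lock. The Javadoc on `setServerNameFatal` states the default is a warning alert, but the native `setopt0` stores `0` for the off case, so the two should be reconciled. `throw new NullPointerException("name")` would tell the caller which argument was missing, and a blank line between `setServerName` and the following Javadoc would match the spacing used elsewhere in the class.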
 

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Mon Sep 19 18:17:22 2011
@@ -78,6 +78,10 @@
 #define SSLAPI_STACK            STACK
 #endif
 
+#ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        0x00040000L
+#endif
+
 /* Default setting for per-dir reneg buffer. */
 #ifndef DEFAULT_RENEG_BUFFER_SIZE
 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
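Review bot: The fallback `#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L` does not say where the value comes from or what it does on a library that lacks the option. On an OpenSSL that does not define it the bit is at best ignored, so `allowLegacyRenegotiation(true)` becomes a silent no-op rather than an error; a comment such as `/* Value as used by OpenSSL 0.9.8m+ (where the option was introduced); older libraries have no RFC 5746 support, always permit legacy renegotiation, and ignore this bit */` would record that. Note that because of this fallback the corresponding case in ctx.c is compiled unconditionally, unlike the `#ifdef SSL_OP_NO_COMPRESSION` guard used for the compression option.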
@@ -166,8 +170,9 @@
 #define SSL_OPT_OPTRENEGOTIATE  (1<<6)
 #define SSL_OPT_ALL             (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
 
-#define SSL_COPT_NO_COMPRESSION 1
-
+#define SSL_COPT_NO_COMPRESSION         1
+#define SSL_COPT_NO_TICKET              2
+#define SSL_COPT_ALLOW_UNSAFE_RENEG     3
 
 /*
  * Define the SSL Protocol options
@@ -293,10 +298,10 @@ typedef struct ssl_pass_cb_t {
  */
 extern ssl_pass_cb_t *acr_ssl_password_cb;
 
-typedef struct acr_ssl_srv_t acr_ssl_srv_t;
-/* Server context */
+typedef struct acr_ssl_srv_t    acr_ssl_srv_t;
+
+/* SSL context */
 typedef struct acr_ssl_ctx_t {
-    acr_ssl_srv_t   *srv;
     SSL_CTX         *ctx;
     int              protocol;
     int              mode;
@@ -306,12 +311,16 @@ typedef struct acr_ssl_ctx_t {
     BIO             *bio_is;
     unsigned char    context_id[MD5_DIGEST_LENGTH];
 
-    /* certificate revocation list */
+    /* Back pointer to the server/proxy/client context */
+    void            *container;
+    /* Certificate revocation list */
     X509_STORE      *crls;
-    /* pointer to the context verify store */
+    /* Pointer to the context verify store */
     X509_STORE      *store;
-    X509            *cert;
+    X509            *cert;      /* Main certificate       */
     EVP_PKEY        *skey;
+    X509            *dcrt;      /* Additional certificate */
+    EVP_PKEY        *dkey;
 
     int              ca_certs;
     int              shutdown_type;
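Review bot: The new `container` back pointer is a `void *` whose comment lists three possible owners (server/proxy/client), but nothing in this commit sets it, so neither the concrete type nor who is responsible for it is recoverable from here; a comment naming the setter and the expected struct types, or a small discriminator field, would help the next reader. The added `dcrt`/`dkey` pair likewise has no note on ownership — whether the context teardown releases them is not visible in this change, so `/* owned; freed with the context */` (or the opposite) should be stated once it is settled.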
@@ -351,13 +360,15 @@ typedef struct acr_ssl_ctx_t {
     
 } acr_ssl_ctx_t;
 
+/* Server context */
 struct acr_ssl_srv_t {
     char            *hostid;
     int              hostid_len;
+    char            *servname;
     acr_ssl_ctx_t   *ctx;
     acr_ssl_ctx_t   *ctx2;
     int              enabled;
-
+    int              tlsext_extension_error;
 };
 
 #define ssl_ctx_get_extra_certs(ctx)        ((ctx)->extra_certs)
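Review bot: The new `tlsext_extension_error` field has no comment saying what it holds, and the name does not make it obvious that it is the `SSL_TLSEXT_ERR_*` value presumably handed back from the servername callback on a host name mismatch (server.c's `setopt0` in this commit stores `SSL_TLSEXT_ERR_ALERT_FATAL` into it). Suggest `int tlsext_extension_error; /* SSL_TLSEXT_ERR_* returned on servername mismatch */`, and for the other new member `char *servname; /* Expected SNI host name; owned, released in SSLServer close0 */`, since `close0` in this commit frees it.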

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Mon Sep 19 18:17:22
2011
@@ -401,12 +401,20 @@ ACR_SSL_EXPORT(void, SSLContext, setopti
     switch (opt) {
         case SSL_COPT_NO_COMPRESSION:
 #ifdef SSL_OP_NO_COMPRESSION
-            if ((c->options & SSL_OP_NO_COMPRESSION) == 0)
-                set = SSL_OP_NO_COMPRESSION;
+            set = SSL_OP_NO_COMPRESSION;
 #endif
         break;
+        case SSL_COPT_NO_TICKET:
+#ifndef OPENSSL_NO_TLSEXT
+            set = SSL_OP_NO_TICKET;
+#endif
+        break;
+        case SSL_COPT_ALLOW_UNSAFE_RENEG:
+            set = SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+        break;
+            
     }
-    if (set != 0) {
+    if (set != 0 && (c->options & set) == 0) {
         SSL_CTX_set_options(c->ctx, set);
         c->options |= set;
     }
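Review bot: When `OPENSSL_NO_TLSEXT` is defined the `SSL_COPT_NO_TICKET` case leaves `set` at its initial value (presumably 0, given the `if (set != 0)` test) and the request is dropped with no indication to the Java caller, who has just called `setNoTicket(true)` expecting tickets to be off; either the Java Javadoc should state that the call may be a no-op on a TLSEXT-less build, or an `#else` branch should raise an error (the context's `setcafile0` family already declares `SSLException`, so there is precedent for a throwing native). The `+            ` line after the last `break;` is trailing whitespace only. The new `(c->options & set) == 0` guard is only correct if `c->options` is an accurate shadow of the `SSL_CTX` option bits, which the `c->options &= clr;` statement in `clroption0` below does not maintain. `setoption0` begins before this hunk.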
@@ -421,12 +429,19 @@ ACR_SSL_EXPORT(void, SSLContext, clropti
     switch (opt) {
         case SSL_COPT_NO_COMPRESSION:
 #ifdef SSL_OP_NO_COMPRESSION
-            if ((c->options & SSL_OP_NO_COMPRESSION) != 0)
-                clr = SSL_OP_NO_COMPRESSION;
+            clr = SSL_OP_NO_COMPRESSION;
 #endif
         break;
+        case SSL_COPT_NO_TICKET:
+#ifndef OPENSSL_NO_TLSEXT
+            clr = SSL_OP_NO_TICKET;
+#endif
+        break;
+        case SSL_COPT_ALLOW_UNSAFE_RENEG:
+            clr = SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+        break;
     }
-    if (clr != 0) {
+    if (clr != 0 && (c->options & clr) != 0) {
         SSL_CTX_clear_options(c->ctx, clr);
         c->options &= clr;
     }
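Review bot: `c->options &= clr;` on the line after `SSL_CTX_clear_options` does not clear the bit — it keeps only that bit and discards every other recorded option — so after any clear the shadow still reports the cleared option as set and forgets the rest; the intended statement is `c->options &= ~clr;`. Combined with the `(c->options & set) == 0` guard this commit adds to `setoption0`, a toggle such as `setNoCompression(false)` followed by `setNoCompression(true)` now skips `SSL_CTX_set_options` entirely, so compression stays enabled in the `SSL_CTX` while the caller believes it is disabled; the same applies to `SSL_OP_NO_TICKET` and the legacy-renegotiation bit. Clearing a second, different option after the first clear is likewise skipped by the new `(c->options & clr) != 0` guard because the shadow no longer carries that bit. `clroption0` begins before this hunk.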

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c?rev=1172737&r1=1172736&r2=1172737&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c Mon Sep 19 18:17:22
2011
@@ -49,6 +49,7 @@ ACR_SSL_EXPORT(void, SSLServer, close0)(
     acr_ssl_srv_t *s = J2P(srv, acr_ssl_srv_t *);
     if (s != 0) {
         AcrFree(s->hostid);
+        AcrFree(s->servname);
         /* SSLServer cleanup */
         AcrFree(s);
     }
@@ -65,3 +66,27 @@ ACR_SSL_EXPORT(void, SSLServer, setctx2)
     acr_ssl_srv_t *s = J2P(srv, acr_ssl_srv_t *);
     s->ctx2 = J2P(ctx, acr_ssl_ctx_t *);
 }
+
+ACR_SSL_EXPORT(void, SSLServer, setopt0)(JNI_STDARGS, jlong srv, jint opt, jboolean on)
+{
+    acr_ssl_srv_t *s = J2P(srv, acr_ssl_srv_t *);
+
+    switch (opt) {
+        case 1:
+#ifndef OPENSSL_NO_TLSEXT
+            if (on)
+                s->tlsext_extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
+            else
+                s->tlsext_extension_error = 0;
+#endif
+        break;
+    }
+}
+
+ACR_SSL_EXPORT(void, SSLServer, setservname0)(JNI_STDARGS, jlong srv, jstring name)
+{
+    acr_ssl_srv_t *s = J2P(srv, acr_ssl_srv_t *);
+
+    AcrFree(s->servname);
+    s->servname = AcrGetJavaStringA(env, name, 0);
+}


