Return-Path: X-Original-To: apmail-commons-commits-archive@minotaur.apache.org Delivered-To: apmail-commons-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 06589836B for ; Sat, 17 Sep 2011 17:18:08 +0000 (UTC) Received: (qmail 85057 invoked by uid 500); 17 Sep 2011 17:18:07 -0000 Delivered-To: apmail-commons-commits-archive@commons.apache.org Received: (qmail 84985 invoked by uid 500); 17 Sep 2011 17:18:07 -0000 Mailing-List: contact commits-help@commons.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@commons.apache.org Delivered-To: mailing list commits@commons.apache.org Received: (qmail 84978 invoked by uid 99); 17 Sep 2011 17:18:07 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 17 Sep 2011 17:18:07 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 17 Sep 2011 17:18:06 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 01B20238897D for ; Sat, 17 Sep 2011 17:17:46 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1172022 - in /commons/sandbox/runtime/trunk/src/main: java/org/apache/commons/runtime/ssl/SSLContext.java native/include/acr/ssl.h native/modules/openssl/api.c native/modules/openssl/ctx.c Date: Sat, 17 Sep 2011 17:17:45 -0000 To: commits@commons.apache.org 
From: mturk@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20110917171746.01B20238897D@eris.apache.org> Author: mturk Date: Sat Sep 17 17:17:45 2011 New Revision: 1172022 URL: http://svn.apache.org/viewvc?rev=1172022&view=rev Log: Add support for session id prefix Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java?rev=1172022&r1=1172021&r2=1172022&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java (original) +++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java Sat Sep 17 17:17:45 2011 @@ -17,6 +17,7 @@ package org.apache.commons.runtime.ssl; import org.apache.commons.runtime.InvalidArgumentException; +import org.apache.commons.runtime.InvalidRangeException; import org.apache.commons.runtime.OperationNotImplementedException; import org.apache.commons.runtime.Status; import org.apache.commons.runtime.SystemException; @@ -39,6 +40,7 @@ public final class SSLContext extends Na private static native long new0(int protocol, int mode) throws OperationNotImplementedException; + private static native void setsprefix0(long ctx, String prefix); private static native void setid0(long ctx, String id); private static native void setscachesize0(long ctx, int size); private static native void setpasscb0(long ctx, long cb); 
@@ -97,5 +99,33 @@ public final class SSLContext extends Na if (super.pointer != 0L) setverify0(super.pointer, mode.valueOf(), depth); } + + /** + * Set session id prefix. + *

+ * When a new session is established between client and server, the server + * generates a session id. The session id is an arbitrary sequence of bytes. + * The length of the session id is 16 bytes for {@code SSLv2} + * sessions and between 1 and 32 bytes for {@code SSLv3/TLSv1}. + * The session id is not security critical but must be unique for + * the server. Additionally, the session id is transmitted in the clear + * when reusing the session so it must not contain sensitive information. + *

+ *

+ * Using the prefix, the session id can be changed to contain + * additional information like e.g. a host id in order to improve load + * balancing or external caching techniques. + *

+ * + * @param prefix session id prefix. + * @throws InvalidRangeException if the length of the prefix is too large. + */ + public void setSessionIdPrefix(String prefix) + throws InvalidRangeException + { + if (prefix.length() > 31) + throw new InvalidRangeException(); + setsprefix0(super.pointer, prefix); + } } Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1172022&r1=1172021&r2=1172022&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original) +++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Sat Sep 17 17:17:45 2011 @@ -318,6 +318,9 @@ typedef struct acr_ssl_ctxt_t { /* for client or downstream server authentication */ int verify_depth; int verify_mode; + char session_id_prefix[32]; + unsigned int session_id_prefix_len; + #ifdef HAVE_OCSP_STAPLING /** OCSP stapling options */ BOOL stapling_enabled; Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c?rev=1172022&r1=1172021&r2=1172022&view=diff ============================================================================== --- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c (original) +++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c Sat Sep 17 17:17:45 2011 @@ -155,6 +155,7 @@ struct SSLAPIst { int (*fpRAND_egd)(const char *); const char* (*fpRAND_file_name)(char *, size_t); int (*fpRAND_load_file)(const char *, long); + int (*fpRAND_pseudo_bytes)(unsigned char *, int); void (*fpRAND_seed)(const void *, int); int (*fpRAND_status)(void); 
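Review bot: setSessionIdPrefix skips the `super.pointer != 0L` guard that the surrounding setVerify code applies before calling into native code, and a null `prefix` fails at `prefix.length()` with a NullPointerException instead of the InvalidArgumentException the file already imports (assuming it has a no-arg constructor like InvalidRangeException). I would write the body as `if (prefix == null) throw new InvalidArgumentException();` / `if (prefix.length() > 31) throw new InvalidRangeException();` / `if (super.pointer != 0L) setsprefix0(super.pointer, prefix);`. The literal 31 mirrors the native `session_id_prefix[32]` buffer added in ssl.h, and it counts UTF-16 units while the native side copies at most 31 bytes, so a non-ASCII prefix may pass this check and still be truncated below (how J2S encodes the string is not visible in this diff); a shared named constant and a byte-length check would close that gap.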
@@ -170,10 +171,12 @@ struct SSLAPIst { X509_STORE* (*fpSSL_CTX_get_cert_store)(const SSL_CTX *); int (*fpSSL_CTX_set_default_verify_paths)(SSL_CTX *); void (*fpSSL_CTX_set_verify)(SSL_CTX *, int, int (*)(int, X509_STORE_CTX *)); + int (*fpSSL_CTX_set_generate_session_id)(SSL_CTX *, GEN_SESSION_CB); /*** SSL ***/ void* (*fpSSL_get_ex_data)(const SSL *, int); int (*fpSSL_get_ex_new_index)(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *, CRYPTO_EX_free *); + int (*fpSSL_has_matching_session_id)(const SSL *, const unsigned char *, unsigned int); int (*fpSSL_library_init)(void); void (*fpSSL_load_error_strings)(void); int (*fpSSL_set_ex_data)(SSL *, int, void *); @@ -279,6 +282,7 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens /*** SSL ***/ LIBSSL_FPLOAD(SSL_get_ex_data); LIBSSL_FPLOAD(SSL_get_ex_new_index); + LIBSSL_FPLOAD(SSL_has_matching_session_id); LIBSSL_FPLOAD(SSL_library_init); LIBSSL_FPLOAD(SSL_load_error_strings); LIBSSL_FPLOAD(SSL_set_ex_data); @@ -307,6 +311,7 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens LIBSSL_FPLOAD(SSL_CTX_get_cert_store); LIBSSL_FPLOAD(SSL_CTX_set_default_verify_paths); LIBSSL_FPLOAD(SSL_CTX_set_verify); + LIBSSL_FPLOAD(SSL_CTX_set_generate_session_id); /*** BIO ***/ CRYPTO_FPLOAD(BIO_ctrl); @@ -377,6 +382,7 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens CRYPTO_FPLOAD(RAND_egd); CRYPTO_FPLOAD(RAND_file_name); CRYPTO_FPLOAD(RAND_load_file); + CRYPTO_FPLOAD(RAND_pseudo_bytes); CRYPTO_FPLOAD(RAND_seed); CRYPTO_FPLOAD(RAND_status); @@ -784,6 +790,11 @@ int RAND_load_file(const char *file, lon return SSLAPI_CALL(RAND_load_file)(file, max_bytes); } +int RAND_pseudo_bytes(unsigned char *buf, int num) +{ + return SSLAPI_CALL(RAND_pseudo_bytes)(buf, num); +} + void RAND_seed(const void *buf, int num) { SSLAPI_CALL(RAND_seed)(buf, num); 
@@ -841,6 +852,11 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, in
 SSLAPI_CALL(SSL_CTX_set_verify)(ctx, mode, callback);
 }
 
+int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
+{
+ return SSLAPI_CALL(SSL_CTX_set_generate_session_id)(ctx, cb);
+}
+
 void *SSL_get_ex_data(const SSL *ssl, int idx)
 {
 return SSLAPI_CALL(SSL_get_ex_data)(ssl, idx);
@@ -852,6 +868,12 @@ int SSL_get_ex_new_index(long argl, void
 return SSLAPI_CALL(SSL_get_ex_new_index)(argl, argp, new_func, dup_func, free_func);
 }
 
+int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
+ unsigned int id_len)
+{
+ return SSLAPI_CALL(SSL_has_matching_session_id)(ssl, id, id_len);
+}
+
 int SSL_library_init(void)
 {
 return SSLAPI_CALL(SSL_library_init)();
Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1172022&r1=1172021&r2=1172022&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Sat Sep 17 17:17:45 2011
@@ -33,6 +33,33 @@ static struct {
 int mode;
 } context_id;
 
+#define MAX_SESSION_ID_ATTEMPTS 10
+static int generate_session_id(const SSL *ssl, unsigned char *id,
+ unsigned int *id_len)
+{
+ unsigned int count = 0;
+ ssl_sd_t *sd = (ssl_sd_t *)SSL_get_app_data(ssl);
+ do {
+ RAND_pseudo_bytes(id, *id_len);
+ if (sd == 0 || sd->ctx == 0)
+ break;
+ /* Prefix the session_id with the required prefix. NB: If our
+ * prefix is too long, clip it - but there will be worse effects
+ * anyway, eg. the server could only possibly create 1 session
+ * ID (ie. the prefix!) so all future session negotiations will
+ * fail due to conflicts.
+ */
+ memcpy(id, sd->ctx->session_id_prefix,
+ sd->ctx->session_id_prefix_len < *id_len ?
+ sd->ctx->session_id_prefix_len : *id_len);
+ } while (SSL_has_matching_session_id(ssl, id, *id_len) && (++count < MAX_SESSION_ID_ATTEMPTS));
+
+ if (count >= MAX_SESSION_ID_ATTEMPTS)
+ return 0;
+ else
+ return 1;
+}
+
 ACR_SSL_EXPORT(jlong, SSLContext, new0)(JNI_STDARGS, jint protocol, jint mode)
 {
 acr_ssl_ctxt_t *c;
@@ -227,6 +254,17 @@ ACR_SSL_EXPORT(void, SSLContext, setid0)
 } DONE_WITH_STR(id);
 }
 
+ACR_SSL_EXPORT(void, SSLContext, setsprefix0)(JNI_STDARGS, jlong ctx,
+ jstring prefix)
+{
+ acr_ssl_ctxt_t *c = J2P(ctx, acr_ssl_ctxt_t *);
+
+ WITH_CSTR(prefix) {
+ c->session_id_prefix_len = (unsigned int)strlcpy(c->session_id_prefix, J2S(prefix), 32);
+ SSL_CTX_set_generate_session_id(c->ctx, generate_session_id);
+ } DONE_WITH_STR(prefix);
+}
+
 ACR_SSL_EXPORT(void, SSLContext, setverify0)(JNI_STDARGS, jlong ctx,
 jint mode, jint depth)
 {
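Review bot: The return value of `RAND_pseudo_bytes(id, *id_len)` is discarded in generate_session_id, so a -1 (the RAND method does not support the call) or 0 (output not cryptographically strong) result still produces a session id from whatever `id` held, and the loop then publishes it; the callback can refuse instead with `if (RAND_pseudo_bytes(id, *id_len) < 0) return 0;` (or require a result of 1 if only strong output is acceptable). The memcpy further down reads up to `*id_len` bytes from the 32-byte `session_id_prefix` array, which stays in bounds only because OpenSSL caps `*id_len` at SSL_MAX_SSL_SESSION_ID_LENGTH; a comment on that line such as `/* copy length is bounded by *id_len (<= SSL_MAX_SSL_SESSION_ID_LENGTH), so the read cannot run past session_id_prefix */` would make the assumption explicit for the next maintainer.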
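Review bot: `strlcpy` returns the length of the source string, not the number of bytes it copied, so in setsprefix0 a prefix of 32 bytes or more leaves `session_id_prefix_len` larger than what `session_id_prefix` actually holds (31 bytes plus the NUL), and the memcpy in generate_session_id then copies the terminator into the session id; whether the Java-side 31-character check prevents this depends on how J2S encodes the string, which this diff does not show. Clamp the stored length to the buffer and drop the duplicated literal 32: `size_t n = strlcpy(c->session_id_prefix, J2S(prefix), sizeof(c->session_id_prefix));` / `c->session_id_prefix_len = (unsigned int)(n < sizeof(c->session_id_prefix) ? n : sizeof(c->session_id_prefix) - 1);`. A one-line comment noting that the callback installed by `SSL_CTX_set_generate_session_id` reads these two fields on every new session, so they are not meant to change while connections are being accepted, would also help (whether concurrent updates are possible here is not visible from the hunk).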