From mt...@apache.org
Subject svn commit: r1188025 - in /commons/sandbox/runtime/trunk/src/main: java/org/apache/commons/runtime/ssl/ native/ native/include/acr/ native/modules/openssl/
Date Mon, 24 Oct 2011 05:46:52 GMT
Author: mturk
Date: Mon Oct 24 05:46:51 2011
New Revision: 1188025

URL: http://svn.apache.org/viewvc?rev=1188025&view=rev
Log:
Add stub files for proxy and client

Added:
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClient.java
  (with props)
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/client.c   (with props)
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/netio.c   (with props)
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ocsp.c   (with props)
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/proxy.c   (with props)
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/stapling.c   (with props)
Modified:
    commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in
    commons/sandbox/runtime/trunk/src/main/native/include/acr/descriptor.h
    commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c

Added: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClient.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClient.java?rev=1188025&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClient.java
(added)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClient.java
Mon Oct 24 05:46:51 2011
@@ -0,0 +1,140 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.runtime.ssl;
+
+import org.apache.commons.runtime.ClosedObjectException;
+import org.apache.commons.runtime.InvalidArgumentException;
+import org.apache.commons.runtime.OperationNotImplementedException;
+import org.apache.commons.runtime.ObjectNotInitializedException;
+import org.apache.commons.runtime.Status;
+import org.apache.commons.runtime.SystemException;
+
+import java.io.Closeable;
+import java.io.File;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+/**
+ * Represents SSL client instance.
+ */
+public final class SSLClient extends SSLObject implements Closeable
+{
+
+    // Hide SSLObject
+    private final long            pointer = 0L;
+    private static native long    new0()
+        throws OutOfMemoryError;
+    private static native void    close0(long client);
+    private static native void    setbio0(long client, long bio);
+    private static native void    setctx0(long client, long ctx)
+        throws SSLException;
+
+    private SSLContext            ctx = null;
+
+    /**
+     * Creates a new client instance.
+     *
+     * @throws NullPointerException if hostId is {@code null}.
+     * @throws RuntimeException if SSL was not initialized.
+     */
+    public SSLClient()
+        throws NullPointerException
+    {
+        if (!SSL.initialized())
+            throw new RuntimeException(Local.sm.get("openssl.EINIT"));        
+        super.pointer = new0();
+    }
+
+    public synchronized final void dispose()
+        throws IllegalStateException
+    {
+        if (super.pointer == 0L)
+            return;
+        if (ctx != null) {
+            ctx.dispose();
+            ctx = null;
+        }
+        if (super.pointer != 0L) {
+            close0(super.pointer);
+            super.pointer = 0L;
+        }
+    }
+
+    /**
+     * Free the allocated resource by the Operating system.
+     * <p>
+     * Note that {@code Object.finalize()} method will call
+     * this function. However if the native code can block for
+     * long time explicit {@code close()} should be called.
+     * </p>
+     * @see java.io.Closeable#close()
+     * @throws IOException if an I/O error occurs.
+     */
+    public synchronized final void close()
+        throws IOException
+    {
+        dispose();
+    }
+
+    /**
+     * Set this clients's SSL context.
+     * <p>
+     *
+     * </p>
+     * @param ctx the context to set
+     * @return previous context or {@code null} if the context
+     *          was not set already.
+     * @throws ClosedObjectException if server is closed.
+     */
+    public synchronized final SSLContext setContext(SSLContext ctx)
+        throws IllegalStateException,
+               SSLException
+    {
+        if (super.pointer == 0L)
+            throw new ClosedObjectException();
+        if (this.ctx != null)
+            return this.ctx;
+        setctx0(super.pointer, ((SSLObject)ctx).pointer);
+        this.ctx = ctx;
+        return null;
+    }
+
+    /**
+     * Set the SSLBio used for error reporting.
+     * <p>
+     * By default all error messages will be printed to the
+     * stderr stream. This method allow to redirect those messages
+     * to the provided callback.
+     * </p>
+     *
+     * @param bio SSLBio callback.
+     *
+     * @throws ClosedObjectException if server is closed.
+     * @throws ObjectNotInitializedException if {@code bio} is invalid.
+     */
+    public void setErrorReportBio(SSLBio bio)
+        throws ClosedObjectException,
+               ObjectNotInitializedException
+    {
+        if (super.pointer == 0L)
+            throw new ClosedObjectException();
+        long bh = ((SSLObject)bio).pointer;
+        if (bh == 0L)
+            throw new ObjectNotInitializedException();
+        setbio0(super.pointer, bh);
+    }
+}
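Review bot: setContext() hands `((SSLObject)ctx).pointer` to the native setctx0 without checking that the argument is non-null or that its native handle is still live, unlike setErrorReportBio, which rejects a zero handle with ObjectNotInitializedException; a null or already-disposed context would reach native code as a null pointer. Add `if (ctx == null) throw new NullPointerException("ctx");` and `if (((SSLObject)ctx).pointer == 0L) throw new ObjectNotInitializedException();` before the setctx0 call. The method also returns `this.ctx` without replacing it when a context was already set, while its Javadoc promises to return the previous context after setting the new one, so either the early return or the doc should change (the doc also says "if server is closed" for a client). setErrorReportBio is the only non-synchronized method although dispose() is synchronized, so a concurrent dispose() can free the handle between the zero check and setbio0; marking it `synchronized` like its siblings closes that window.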

Propchange: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClient.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in?rev=1188025&r1=1188024&r2=1188025&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in (original)
+++ commons/sandbox/runtime/trunk/src/main/native/Makefile.unx.in Mon Oct 24 05:46:51 2011
@@ -153,14 +153,19 @@ SSLSOURCES=\
 	$(TOPDIR)/modules/openssl/api.c \
 	$(TOPDIR)/modules/openssl/bio.c \
 	$(TOPDIR)/modules/openssl/cert.c \
+	$(TOPDIR)/modules/openssl/client.c \
 	$(TOPDIR)/modules/openssl/ctx.c \
 	$(TOPDIR)/modules/openssl/engine.c \
 	$(TOPDIR)/modules/openssl/init.c \
 	$(TOPDIR)/modules/openssl/key.c \
+	$(TOPDIR)/modules/openssl/netio.c \
+	$(TOPDIR)/modules/openssl/ocsp.c \
 	$(TOPDIR)/modules/openssl/password.c \
+	$(TOPDIR)/modules/openssl/proxy.c \
 	$(TOPDIR)/modules/openssl/rand.c \
 	$(TOPDIR)/modules/openssl/server.c \
 	$(TOPDIR)/modules/openssl/ssl.c \
+	$(TOPDIR)/modules/openssl/stapling.c \
 	$(TOPDIR)/modules/openssl/util.c
 
 CXXSOURCES=

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/descriptor.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/descriptor.h?rev=1188025&r1=1188024&r2=1188025&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/descriptor.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/descriptor.h Mon Oct 24 05:46:51
2011
@@ -64,6 +64,8 @@ struct acr_fd_t {
 #else
     int                     f;
 #endif
+    void                   *opaque;     /**< Descriptor attachment    */
+    void                   *ctx;        /**< Descriptor context       */
 };
 
 typedef struct acr_sd_t acr_sd_t;
@@ -84,10 +86,14 @@ struct acr_sd_t {
 #if defined(WINDOWS)
     WCHAR                  *socketfname;
 #endif
+    void                   *opaque;     /**< Descriptor attachment    */
+    void                   *ctx;        /**< Descriptor context       */
 };
 
 typedef struct acr_sf_t acr_sf_t;
 struct acr_sf_t {
+    void         *opaque;
+    void         *ctx;
 #if !defined(WINDOWS)
     int           fd;
 #else
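Review bot: The new `opaque`/`ctx` members are appended after the platform-specific handle in acr_fd_t and acr_sd_t but placed first in acr_sf_t, and only the first two carry Doxygen comments. If the three descriptor structs are meant to share a common prefix (the previous ssl_sd_t comment relied on casting to acr_sd_t), the placement in acr_sf_t breaks that; otherwise a short comment stating that the layouts are independent would prevent the next reader from assuming it. At minimum mirror the comments: `void         *opaque;     /**< Descriptor attachment    */` and `void         *ctx;        /**< Descriptor context       */`. struct acr_sf_t continues beyond the hunk.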

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1188025&r1=1188024&r2=1188025&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Mon Oct 24 05:46:51 2011
@@ -19,9 +19,16 @@
 
 #include "acr/stdtypes.h"
 #include "acr/callback.h"
+#include "acr/descriptor.h"
 #include "acr/time.h"
+
 #if HAVE_OPENSSL
 
+#ifndef RAND_MAX
+#include <limits.h>
+#define RAND_MAX INT_MAX
+#endif
+
 /* Exclude unused OpenSSL features
  * even if the OpenSSL supports them
  */
@@ -57,11 +64,8 @@
 #include <openssl/engine.h>
 #endif
 
-#ifndef RAND_MAX
-#include <limits.h>
-#define RAND_MAX INT_MAX
-#endif
-
+#if HAVE_OCSP
+#include <openssl/ocsp.h>
 #if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
     && !defined(OPENSSL_NO_TLSEXT)
 #define HAVE_OCSP_STAPLING
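Review bot: The new `#if HAVE_OCSP` guard around `<openssl/ocsp.h>` (closed by the `#endif` added in the next hunk) is keyed on a macro that no visible hunk defines, whereas the new ocsp.c guards its body with `#ifndef OPENSSL_NO_OCSP`; if the build does not define HAVE_OCSP, HAVE_OCSP_STAPLING is never defined and stapling support silently compiles out. Using the same condition in both places, e.g. `#if !defined(OPENSSL_NO_OCSP)`, or adding a comment such as `/* HAVE_OCSP is defined by the build when openssl/ocsp.h is usable */` next to the guard would make the intent checkable. This is inferred from the hunks shown; the macro may well be set in configure.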
@@ -69,6 +73,7 @@
 #define sk_OPENSSL_STRING_pop sk_pop
 #endif
 #endif
+#endif
 
 #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
 #define CONST_SSL_METHOD        const SSL_METHOD
@@ -316,6 +321,8 @@ typedef struct ssl_obj_t {
 extern UI_METHOD *acr_ssl_password_ui;
 
 typedef struct acr_ssl_srv_t    acr_ssl_srv_t;
+typedef struct acr_ssl_client_t acr_ssl_client_t;
+typedef struct acr_ssl_proxy_t  acr_ssl_proxy_t;
 
 /* SSL context */
 typedef struct acr_ssl_ctx_t {
@@ -356,6 +363,8 @@ typedef struct acr_ssl_ctx_t {
     char            *cipher_suite;
     int              verify_depth;
     int              verify_mode;
+    int              verify_error;
+    int              verify_return_error;
 
     int              crl_check;
 
@@ -407,6 +416,35 @@ struct acr_ssl_srv_t {
     char             error_str[ACR_ERR_BUFFSIZE];
 };
 
+/* Client context */
+struct acr_ssl_client_t {
+    acr_refcount_t  refs;
+    int             type;
+    acr_ssl_ctx_t   *ctx;
+    BIO             *bio;
+    int             inited;
+    long            options;
+    int             enabled;
+    int             error_num;
+    char            error_str[ACR_ERR_BUFFSIZE];
+};
+
+/* Proxy context */
+struct acr_ssl_proxy_t {
+    acr_refcount_t  refs;
+    int             type;
+    acr_ssl_ctx_t   *ctx;
+    char            *proxyname;
+    char            *proxyid;
+    BIO             *bio;
+    int             inited;
+    int             proxyid_len;
+    long            options;
+    int             enabled;
+    int             error_num;
+    char            error_str[ACR_ERR_BUFFSIZE];
+};
+
 #define ssl_ctx_get_extra_certs(ctx)        ((ctx)->extra_certs)
 #define ssl_ctx_set_extra_certs(ctx, value)     \
     do {                                        \
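Review bot: The new acr_ssl_client_t and acr_ssl_proxy_t structs carry no member comments, unlike ssl_sd_t below, and the ownership of `proxyname`/`proxyid` (who allocates and frees them) is not stated anywhere in the commit; ssl_proxy_release() in proxy.c does not free them. A comment per owned pointer, e.g. `char            *proxyname;   /**< Owned, freed in ssl_proxy_release */`, would pin that down before the implementation fills in. Also `type`, `inited` and `enabled` are never assigned in the new client.c, so note whether the allocator zero-fills them.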
@@ -415,30 +453,18 @@ struct acr_ssl_srv_t {
 
 /**
  * SSL socket descriptor.
- * Make sure it is in sync with acr_sd_t so
- * it can be casted to it
  */
 typedef struct ssl_sd_t ssl_sd_t;
 struct ssl_sd_t {
-    acr_refcount_t          refs;       /**< Reference  counter      */
-    int                     type;       /**< Descriptor type         */
-    int                     timeout;
-    int                     flags;
-#if defined(WINDOWS)
-    union {
-        HANDLE              h;
-        SOCKET              s;
-        LPVOID              p;
-    };
-#else
-    int                     s;
-#endif
-#if defined(WINDOWS)
-    WCHAR                  *socketfname;
-#endif
-   /*** SSL struct members ***/ 
-    acr_ssl_srv_t          *srv;
+    acr_refcount_t          refs;
+    int                     type;
+    acr_sd_t               *sd;         /**< Real socket descriptor  */
     acr_ssl_ctx_t          *ctx;
+    union {
+        acr_ssl_client_t   *client;
+        acr_ssl_proxy_t    *proxy;
+        acr_ssl_srv_t      *srv;
+    } u;
     SSL                    *ssl;
     X509                   *peer;
     int                     shutdown_type;
@@ -458,6 +484,10 @@ SSL_CTX    *ssl_ctx_retain(acr_ssl_ctx_t
 int         ssl_ctx_release(acr_ssl_ctx_t *c);
 void        ssl_srv_retain(acr_ssl_srv_t *s);
 int         ssl_srv_release(acr_ssl_srv_t *s);
+void        ssl_client_retain(acr_ssl_client_t *s);
+int         ssl_client_release(acr_ssl_client_t *s);
+void        ssl_proxy_retain(acr_ssl_proxy_t *s);
+int         ssl_proxy_release(acr_ssl_proxy_t *s);
 
 void        ssl_init_app_data2_idx(void);
 void       *ssl_get_app_data2(SSL *);

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c?rev=1188025&r1=1188024&r2=1188025&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c Mon Oct 24 05:46:51
2011
@@ -186,6 +186,11 @@ struct SSLAPIst {
     int                 (*fpSSL_CTX_use_PrivateKey)(SSL_CTX *, EVP_PKEY *);
     int                 (*fpSSL_CTX_use_certificate)(SSL_CTX *, X509 *);
     int                 (*fpSSL_CTX_check_private_key)(const SSL_CTX *);
+    void                (*fpSSL_CTX_set_client_CA_list)(SSL_CTX *, STACK_OF(X509_NAME) *);
+    STACK_OF(X509_NAME)*(*fpSSL_CTX_get_client_CA_list)(const SSL_CTX *);
+    int                 (*fpSSL_CTX_set_cipher_list)(SSL_CTX *, const char *);
+
+
     
     /*** SSL      ***/
     void*               (*fpSSL_get_ex_data)(const SSL *, int);
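Review bot: The three empty lines added after `fpSSL_CTX_set_cipher_list` (one of them whitespace-only) leave a stray gap inside struct SSLAPIst; one blank line before the `/*** SSL ***/` banner matches the rest of the struct. The same applies to the blank line added between `fpSSL_set_fd` and the method-pointer group in the next hunk, and to the empty line before the closing brace of SSL_load_client_CA_file further down.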
@@ -194,7 +199,17 @@ struct SSLAPIst {
     int                 (*fpSSL_library_init)(void);
     void                (*fpSSL_load_error_strings)(void);
     int                 (*fpSSL_set_ex_data)(SSL *, int, void *);
+    STACK_OF(X509_NAME)*(*fpSSL_load_client_CA_file)(const char *);
+    int                 (*fpSSL_add_file_cert_subjects_to_stack)(STACK_OF(X509_NAME) *, const
char *);
+    SSL*                (*fpSSL_new)(SSL_CTX *);
+    int                 (*fpSSL_set_session_id_context)(SSL *,const unsigned char *, unsigned
int);
+    void                (*fpSSL_free)(SSL *);
+    int                 (*fpSSL_accept)(SSL *);
+    int                 (*fpSSL_connect)(SSL *);
+    void                (*fpSSL_set_verify_result)(SSL *, long);
+    int                 (*fpSSL_set_fd)(SSL *, int);
 
+    
     CONST_SSL_METHOD*   (*fpSSLv3_method)(void);           /* SSLv3 */
     CONST_SSL_METHOD*   (*fpSSLv3_server_method)(void);    /* SSLv3 */
     CONST_SSL_METHOD*   (*fpSSLv3_client_method)(void);    /* SSLv3 */
@@ -250,6 +265,7 @@ struct SSLAPIst {
     int                 (*fpX509_STORE_set_flags)(X509_STORE *, unsigned long);
     int                 (*fpX509_STORE_load_locations)(X509_STORE *, const char *, const
char *);    
     X509*               (*fpd2i_X509_bio)(BIO *, X509 **);
+    int                 (*fpX509_get_ex_new_index)(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup
*, CRYPTO_EX_free *);
 
     /*** _STACK   ***/
     void                (*fpsk_pop_free)(SSLAPI_STACK *, void (*)(void *));
@@ -331,6 +347,15 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
     LIBSSL_FPLOAD(SSL_library_init);
     LIBSSL_FPLOAD(SSL_load_error_strings);
     LIBSSL_FPLOAD(SSL_set_ex_data);
+    LIBSSL_FPLOAD(SSL_load_client_CA_file);
+    LIBSSL_FPLOAD(SSL_add_file_cert_subjects_to_stack);
+    LIBSSL_FPLOAD(SSL_new);
+    LIBSSL_FPLOAD(SSL_set_session_id_context);
+    LIBSSL_FPLOAD(SSL_free);
+    LIBSSL_FPLOAD(SSL_accept);
+    LIBSSL_FPLOAD(SSL_connect);
+    LIBSSL_FPLOAD(SSL_set_verify_result);
+    LIBSSL_FPLOAD(SSL_set_fd);
 
     LIBSSL_FPLOAD(SSLv3_method);
     LIBSSL_FPLOAD(SSLv3_server_method);
@@ -362,6 +387,9 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
     LIBSSL_FPLOAD(SSL_CTX_use_PrivateKey);
     LIBSSL_FPLOAD(SSL_CTX_use_certificate);
     LIBSSL_FPLOAD(SSL_CTX_check_private_key);
+    LIBSSL_FPLOAD(SSL_CTX_set_client_CA_list);
+    LIBSSL_FPLOAD(SSL_CTX_get_client_CA_list);
+    LIBSSL_FPLOAD(SSL_CTX_set_cipher_list);
 
     /*** BIO      ***/
     CRYPTO_FPLOAD(BIO_ctrl);
@@ -472,6 +500,7 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
     CRYPTO_FPLOAD(X509_STORE_set_flags);
     CRYPTO_FPLOAD(X509_STORE_load_locations);
     CRYPTO_FPLOAD(d2i_X509_bio);
+    CRYPTO_FPLOAD(X509_get_ex_new_index);
 
     /*** _STACK   ***/
     CRYPTO_FPLOAD(sk_pop_free);
@@ -1019,6 +1048,21 @@ int SSL_CTX_check_private_key(const SSL_
     return SSLAPI_CALL(SSL_CTX_check_private_key)(ctx);
 }
 
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
+{
+    SSLAPI_CALL(SSL_CTX_set_client_CA_list)(ctx, name_list);
+}
+
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s)
+{
+    return SSLAPI_CALL(SSL_CTX_get_client_CA_list)(s);
+}
+
+int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
+{
+    return SSLAPI_CALL(SSL_CTX_set_cipher_list)(ctx, str);
+}
+
 
 void *SSL_get_ex_data(const SSL *ssl, int idx)
 {
@@ -1052,6 +1096,54 @@ int SSL_set_ex_data(SSL *ssl, int idx, v
     return SSLAPI_CALL(SSL_set_ex_data)(ssl, idx, data);
 }
 
+STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
+{
+    return SSLAPI_CALL(SSL_load_client_CA_file)(file);
+
+}
+
+int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
+                                        const char *file)
+{
+    return SSLAPI_CALL(SSL_add_file_cert_subjects_to_stack)(stackCAs, file);
+}
+
+SSL *SSL_new(SSL_CTX *ctx)
+{
+    return SSLAPI_CALL(SSL_new)(ctx);
+}
+
+int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
+                                   unsigned int sid_ctx_len)
+{
+    return SSLAPI_CALL(SSL_set_session_id_context)(ssl, sid_ctx, sid_ctx_len);
+}
+
+void SSL_free(SSL *ssl)
+{
+    SSLAPI_CALL(SSL_free)(ssl);
+}
+
+int SSL_accept(SSL *ssl)
+{
+    return SSLAPI_CALL(SSL_accept)(ssl);
+}
+
+int SSL_connect(SSL *ssl)
+{
+    return SSLAPI_CALL(SSL_connect)(ssl);
+}
+
+void SSL_set_verify_result(SSL *ssl, long v)
+{
+    SSLAPI_CALL(SSL_set_verify_result)(ssl, v);
+}
+
+int SSL_set_fd(SSL *s, int fd)
+{
+    return SSLAPI_CALL(SSL_set_fd)(s, fd);
+}
+
 #define IMPLEMENT_SSLAPI_METHOD(name)                   \
 CONST_SSL_METHOD *name##_method(void) {                 \
     return (*SSLapi.fp##name##_method)();               \
@@ -1236,6 +1328,13 @@ int X509_STORE_load_locations (X509_STOR
     return SSLAPI_CALL(X509_STORE_load_locations)(ctx, file, dir);
 }
 
+int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+{
+    return SSLAPI_CALL(X509_get_ex_new_index)(argl, argp, new_func, dup_func, free_func);
+}
+
+
 void sk_pop_free(SSLAPI_STACK *st, void (*func)(void *))
 {
     SSLAPI_CALL(sk_pop_free)(st, func);

Added: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/client.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/client.c?rev=1188025&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/client.c (added)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/client.c Mon Oct 24 05:46:51
2011
@@ -0,0 +1,79 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "acr/clazz.h"
+#include "acr/error.h"
+#include "acr/misc.h"
+#include "acr/string.h"
+#include "acr/port.h"
+#include "acr/ssl.h"
+#include "arch_sync.h"
+
+#if !HAVE_OPENSSL
+#error "Cannot compile this file without HAVE_OPENSSL defined"
+#endif
+
+/* NOTICE: Not implemented yet.
+ */
+
+
+ACR_SSL_EXPORT(jlong, SSLClient, new0)(JNI_STDARGS)
+{
+    acr_ssl_client_t *c;
+
+    c = ACR_TALLOC(acr_ssl_client_t);
+    if (c == 0)
+        return 0;
+    if ((c->bio = BIO_new(BIO_s_file())) != 0)
+        BIO_set_fp(c->bio, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+    c->refs = 1;
+    return P2J(c);
+}
+
+void ssl_client_retain(acr_ssl_client_t *c)
+{
+    if (c != 0)
+        AcrAtomic32Inc(&c->refs);
+}
+
+int ssl_client_release(acr_ssl_client_t *c)
+{
+    if (c == 0)
+        return 0;
+    if (AcrAtomic32Dec(&c->refs) != 0)
+        return 0;
+    ssl_ctx_release(c->ctx);
+    ssl_bio_close(c->bio);
+    /* SSLServer cleanup */
+    AcrFree(c);
+    return 1;
+}
+
+ACR_SSL_EXPORT(void, SSLClient, close0)(JNI_STDARGS, jlong c)
+{
+    ssl_client_release(J2P(c, acr_ssl_client_t *));
+}
+
+ACR_SSL_EXPORT(void, SSLClient, setbio0)(JNI_STDARGS, jlong cp, jlong bp)
+{
+    acr_ssl_client_t *c = J2P(cp, acr_ssl_client_t *);
+    BIO *bio         = J2P(bp,  BIO *);
+
+    if (c->bio != 0 && c->bio != bio)
+        ssl_bio_close(c->bio);
+    c->bio = bio;
+    ssl_bio_doref(bio);
+}
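Review bot: ssl_client_release() calls `ssl_ctx_release(c->ctx)`, but new0() never assigns `c->ctx`, so unless ACR_TALLOC zero-fills the allocation (not visible here) the release reads an indeterminate pointer; setting `c->ctx = 0;` next to `c->refs = 1;` makes the invariant independent of the allocator. SSLClient.java declares a native `setctx0(long, long)` that this file does not define, so unless it lives elsewhere, SSLClient.setContext() will fail with UnsatisfiedLinkError until the stub is completed — worth stating in the "Not implemented yet" notice. The comment `/* SSLServer cleanup */` in ssl_client_release is a copy-paste leftover and should read `/* SSLClient cleanup */`.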

Propchange: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/client.c
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1188025&r1=1188024&r2=1188025&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Mon Oct 24 05:46:51
2011
@@ -384,7 +384,28 @@ ACR_SSL_EXPORT(void, SSLContext, addcast
     acr_ssl_ctx_t *c = J2P(ctx, acr_ssl_ctx_t *);
     WITH_CSTR(file) {
     WITH_CSTR(path) {
-        if (!SSL_CTX_load_verify_locations(c->ctx, J2S(file), J2S(path)))
+        if (SSL_CTX_load_verify_locations(c->ctx, J2S(file), J2S(path))) {
+            if (c->mode != SSL_MODE_CLIENT && J2S(file) != 0) {
+                STACK_OF(X509_NAME) *ca_certs;
+
+                c->store = SSL_CTX_get_cert_store(c->ctx);
+                ca_certs = SSL_CTX_get_client_CA_list(c->ctx);
+                if (ca_certs == 0) {
+                    ca_certs = SSL_load_client_CA_file(J2S(file));
+                    if (ca_certs != 0)
+                        SSL_CTX_set_client_CA_list(c->ctx, ca_certs);
+                    else
+                        ssl_throw_errno(env, ACR_EX_ESSL);
+                }
+                else if (!SSL_add_file_cert_subjects_to_stack(ca_certs, J2S(file))) {
+                    ssl_throw_errno(env, ACR_EX_ESSL);
+                    ca_certs = 0;
+                }
+                if (ca_certs != 0)
+                    c->ca_certs++;
+            }
+        }
+        else
             ssl_throw_errno(env, ACR_EX_ESSL);
     } DONE_WITH_STR(path);
     } DONE_WITH_STR(file);
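Review bot: When SSL_load_client_CA_file or SSL_add_file_cert_subjects_to_stack fails, the exception is raised after SSL_CTX_load_verify_locations has already installed the file into the trust store, so the context is left half-configured (CAs trusted for verification, but not advertised in the client CA list); if that is acceptable for a sandbox stub, say so, otherwise consider failing before the store is touched. The non-client branch also makes every CA in the file the acceptable-CA list sent in CertificateRequest, which deserves a comment such as `/* Non-client contexts also advertise these CAs to peers */` since it changes what a server discloses. The enclosing addcastore function begins outside the hunk.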
@@ -425,34 +446,12 @@ ACR_SSL_EXPORT(void, SSLContext, setcrlc
 ACR_SSL_EXPORT(void, SSLContext, setvmode0)(JNI_STDARGS, jlong ctx,
                                             jint mode, jint depth)
 {
-//    int verify = SSL_VERIFY_NONE;
     acr_ssl_ctx_t *c = J2P(ctx, acr_ssl_ctx_t *);
 
     if (depth > 0)
         c->verify_depth = depth;
-    c->verify_mode = mode;
-#if 0
-    if (c->verify_depth == UNSET)
-        c->verify_depth = 1;
-    /*
-     *  Configure callbacks for SSL context
-     */
-    if (c->verify_mode == SSL_CVERIFY_REQUIRE)
-        verify |= SSL_VERIFY_PEER_STRICT;
-    if (c->verify_mode == SSL_CVERIFY_OPTIONAL ||
-        c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)
-        verify |= SSL_VERIFY_PEER;
-    if (c->store == 0) {
-        if (c->verify_mode != 0 && !SSL_CTX_set_default_verify_paths(c->ctx))
{
-            ssl_throw_errno(env, ACR_EX_ESSL);
-            return;
-        }
-        c->store = SSL_CTX_get_cert_store(c->ctx);
-        X509_STORE_set_flags(c->store, 0);
-    }
-    
-    SSL_CTX_set_verify(c->ctx, verify, 0 /* ssl_callback_ssl_verify */);
-#endif
+    c->verify_mode  = mode;
+    c->verify_error = X509_V_OK;
 }
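Review bot: After removing the `#if 0` block, setvmode0 only records `verify_mode`, `verify_depth` and `verify_error` and never calls SSL_CTX_set_verify, so within this hunk the requested mode is not applied to the SSL_CTX; unless another path applies it, OpenSSL stays at its default of not verifying the peer regardless of the configured mode. If the application is deliberately deferred, a comment such as `/* verify_mode/depth are applied to the SSL_CTX when the SSL object is created */` would stop readers from treating this as a verification bypass. `if (depth > 0)` also silently ignores a zero or negative depth instead of reporting an invalid argument.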
 
 ACR_SSL_EXPORT(void, SSLContext, setpasscb0)(JNI_STDARGS, jlong ctx,
@@ -495,3 +494,18 @@ ACR_SSL_EXPORT(jboolean, SSLContext, use
     else
         return JNI_TRUE;
 }
+
+ACR_SSL_EXPORT(void, SSLContext, setcertchain0)(JNI_STDARGS, jlong ctx,
+                                                jstring file, jboolean skipfirst)
+{
+    acr_ssl_ctx_t *c = J2P(ctx, acr_ssl_ctx_t *);
+
+    WITH_CSTR(file) {
+        if (ssl_ctx_use_certificate_chain(c->ctx, J2S(file), skipfirst) < 0) {
+            /* XXX: Should we throw some custom error so we can
+             *      localize the message? Probably not.
+             */
+            ACR_THROW_MSG(ACR_EX_ESSL, "Failed to configure CA certificate chain");
+        }
+    } DONE_WITH_STR(file);
+}
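Review bot: The failure path in setcertchain0 reports "Failed to configure CA certificate chain" although the function loads the certificate chain file, and it uses ACR_THROW_MSG while the neighbouring paths in this file use `ssl_throw_errno(env, ACR_EX_ESSL)`, which carries the OpenSSL error reason; a fixed message discards the information an operator needs to diagnose a wrong key/chain file. Suggest `ssl_throw_errno(env, ACR_EX_ESSL);` for consistency, or at least dropping "CA" from the message.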

Added: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/netio.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/netio.c?rev=1188025&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/netio.c (added)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/netio.c Mon Oct 24 05:46:51
2011
@@ -0,0 +1,85 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "acr/clazz.h"
+#include "acr/error.h"
+#include "acr/misc.h"
+#include "acr/string.h"
+#include "acr/iofd.h"
+#include "acr/netapi.h"
+#include "acr/port.h"
+#include "acr/ssl.h"
+#include "arch_sync.h"
+
+#if !HAVE_OPENSSL
+#error "Cannot compile this file without HAVE_OPENSSL defined"
+#endif
+
+ACR_NET_EXPORT(jlong, SSLSocketDescriptor, socket0)(JNI_STDARGS, jlong ssd,
+                                                    jlong ctx)
+{
+    ssl_sd_t *s;
+    acr_sd_t *sd     = J2P(ssd, acr_sd_t *);
+    acr_ssl_ctx_t *c = J2P(c,   acr_ssl_ctx_t *);
+    
+    if (sd->ctx != 0) {
+        ACR_THROW_MSG(ACR_EX_EILLEGAL,
+                      "SocketDescriptor is already bound to another context");
+        return 0;
+    }
+    s = ACR_TALLOC(ssl_sd_t);
+    if (s == 0)
+        return 0;
+    s->refs = 1;
+    s->sd   = sd;
+    s->ctx  = c;
+    s->ssl  = SSL_new(c->ctx);
+    if (s->ssl == 0) {
+        AcrFree(s);
+        ACR_THROW_SYS_ERROR(ACR_ENOMEM);
+        return 0;
+    }
+    s->shutdown_type = c->shutdown_type;
+    SSL_set_app_data(s->ssl, s);
+    SSL_set_verify_result(s->ssl, X509_V_OK);
+    SSL_set_fd(s->ssl, (int)sd->s);
+
+    /* Reference SocketDescriptor so it doesn't get
+     * garbage collected before we close it
+     */
+    AcrAtomic32Inc(&sd->refs);
+    sd->ctx = s;
+    return P2J(s);
+}
+
+ACR_NET_EXPORT(jint, SSLSocketDescriptor, close0)(JNI_STDARGS, jlong sp)
+{
+    ssl_sd_t *ss  = J2P(sp, ssl_sd_t *);
+
+    if (ss == 0)
+        return ACR_EBADF;
+    if (AcrAtomic32Dec(&ss->refs) == 0) {
+        if (ss->ssl != 0) {
+            SSL_free(ss->ssl);
+        }
+        if (ss->peer != 0) {
+            X509_free(ss->peer);
+        }        
+        AcrAtomic32Dec(&ss->sd->refs);
+        AcrFree(ss);
+    }
+    return 0;
+}
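Review bot: In socket0 the line `acr_ssl_ctx_t *c = J2P(c,   acr_ssl_ctx_t *);` initialises `c` from itself, so the `ctx` parameter is never used and `c->ctx`/`c->shutdown_type` are read through an indeterminate pointer; it should be `acr_ssl_ctx_t *c = J2P(ctx, acr_ssl_ctx_t *);`. In close0, when the last reference is dropped the backing descriptor keeps `sd->ctx` pointing at the freed ssl_sd_t, so a later socket0 on the same descriptor would report it as bound and any other reader dereferences freed memory; clear it with `ss->sd->ctx = 0;` before the refcount decrement. `SSL_set_fd(s->ssl, (int)sd->s)` narrows the descriptor, which is a union with a SOCKET handle on Windows per descriptor.h, so that cast may truncate on 64-bit Windows.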

Propchange: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/netio.c
------------------------------------------------------------------------------
    svn:eol-style = native

Added: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ocsp.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ocsp.c?rev=1188025&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ocsp.c (added)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ocsp.c Mon Oct 24 05:46:51
2011
@@ -0,0 +1,34 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "acr/clazz.h"
+#include "acr/error.h"
+#include "acr/misc.h"
+#include "acr/dso.h"
+#include "acr/port.h"
+#include "arch_sync.h"
+#include "acr/ssl.h"
+
+#if !HAVE_OPENSSL
+#error "Cannot compile this file without HAVE_OPENSSL defined"
+#endif
+
+#ifndef OPENSSL_NO_OCSP
+
+
+
+
+#endif /* OPENSSL_NO_OCSP */

Propchange: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ocsp.c
------------------------------------------------------------------------------
    svn:eol-style = native

Added: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/proxy.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/proxy.c?rev=1188025&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/proxy.c (added)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/proxy.c Mon Oct 24 05:46:51
2011
@@ -0,0 +1,65 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "acr/clazz.h"
+#include "acr/error.h"
+#include "acr/misc.h"
+#include "acr/string.h"
+#include "acr/port.h"
+#include "acr/ssl.h"
+#include "arch_sync.h"
+
+#if !HAVE_OPENSSL
+#error "Cannot compile this file without HAVE_OPENSSL defined"
+#endif
+
+/* NOTICE: Not implemented yet.
+ */
+
+void ssl_proxy_retain(acr_ssl_proxy_t *p)
+{
+    if (p != 0)
+        AcrAtomic32Inc(&p->refs);
+}
+
+int ssl_proxy_release(acr_ssl_proxy_t *p)
+{
+    if (p == 0)
+        return 0;
+    if (AcrAtomic32Dec(&p->refs) != 0)
+        return 0;
+    ssl_ctx_release(p->ctx);
+    ssl_bio_close(p->bio);
+    /* SSLProxy cleanup */
+    AcrFree(p);
+    return 1;
+}
+
+ACR_SSL_EXPORT(void, SSLProxy, close0)(JNI_STDARGS, jlong p)
+{
+    ssl_proxy_release(J2P(p, acr_ssl_proxy_t *));
+}
+
+ACR_SSL_EXPORT(void, SSLProxy, setbio0)(JNI_STDARGS, jlong pp, jlong bp)
+{
+    acr_ssl_proxy_t *p = J2P(pp, acr_ssl_proxy_t *);
+    BIO *bio         = J2P(bp,  BIO *);
+
+    if (p->bio != 0 && p->bio != bio)
+        ssl_bio_close(p->bio);
+    p->bio = bio;
+    ssl_bio_doref(bio);
+}
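Review bot: `setbio0` dereferences `p` without the null guard that `ssl_proxy_release` applies to the same pointer, and when the caller passes the BIO that is already installed (`p->bio == bio`) the close is skipped but `ssl_bio_doref(bio)` still runs, so the BIO gains a reference that nothing ever releases. One guard at the top of the function covers both cases: `if (p == 0 || p->bio == bio) return;`, after which the `p->bio != bio` clause in the existing condition is redundant. Whether `ssl_bio_doref` tolerates a null `bio` is not visible here; if it does not, `bp == 0` needs handling as well. The `/* NOTICE: Not implemented yet. */` header marks this as a stub, but the reference counting is live code that `SSLProxy` callers will reach.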

Propchange: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/proxy.c
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c?rev=1188025&r1=1188024&r2=1188025&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/server.c Mon Oct 24 05:46:51
2011
@@ -85,6 +85,7 @@ ACR_SSL_EXPORT(void, SSLServer, setctx0)
         s->ctx = c;
         if (s->options != 0)
             SSL_CTX_set_options(c->ctx, s->options);
+        
     }
 }
 

Added: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/stapling.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/stapling.c?rev=1188025&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/stapling.c (added)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/stapling.c Mon Oct 24 05:46:51
2011
@@ -0,0 +1,72 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "acr/clazz.h"
+#include "acr/error.h"
+#include "acr/misc.h"
+#include "acr/dso.h"
+#include "acr/port.h"
+#include "arch_sync.h"
+#include "acr/ssl.h"
+
+#if !HAVE_OPENSSL
+#error "Cannot compile this file without HAVE_OPENSSL defined"
+#endif
+
+#ifdef HAVE_OCSP_STAPLING
+
+/**
+ * Maxiumum OCSP stapling response size. This should be the response for a
+ * single certificate and will typically include the responder certificate chain
+ * so 10K should be more than enough.
+ *
+ */
+#define MAX_STAPLING_DER 10240
+
+/* Cached info stored in certificate ex_info. */
+typedef struct {
+    /* Index in session cache SHA1 hash of certificate */
+    UCHAR idx[20];
+    /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
+    OCSP_CERTID *cid;
+    /* Responder details */
+    char *uri;
+} certinfo;
+
+static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                                        int idx, long argl, void *argp)
+{
+    certinfo *cinf = ptr;
+
+    if (!cinf)
+        return;
+    if (cinf->uri)
+        OPENSSL_free(cinf->uri);
+    OPENSSL_free(cinf);
+}
+
+static int stapling_ex_idx = -1;
+
+void ssl_stapling_ex_init(void)
+{
+    if (stapling_ex_idx != -1)
+        return;
+    stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
+                                            certinfo_free);
+}
+
+
+#endif /* HAVE_OCSP_STAPLING */
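Review bot: `certinfo_free` releases `cinf->uri` and the struct itself but never the `OCSP_CERTID *cid` member, so every certificate that gets a cached ID leaks it when the X509 is freed; add `OCSP_CERTID_free(cinf->cid);` before `OPENSSL_free(cinf)` (it accepts NULL, matching the "or NULL" contract in the struct comment). `ssl_stapling_ex_init` does an unsynchronized check-then-set on `stapling_ex_idx`; if it can be entered from more than one thread, two ex_data indexes may be allocated — presumably it runs once during module init, which is worth stating with a comment such as `/* call once before any X509 is created; not thread-safe */`. The `-1` failure return of `X509_get_ex_new_index` is left unchecked, although the sentinel means a later call will simply retry. Minor: `UCHAR idx[20]` hard-codes the SHA-1 digest length where `SHA_DIGEST_LENGTH` would document the intent, and "Maxiumum" in the `MAX_STAPLING_DER` comment is a typo.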

Propchange: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/stapling.c
------------------------------------------------------------------------------
    svn:eol-style = native


