tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mt...@apache.org
Subject cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c sslutils.c
Date Mon, 06 Jun 2005 06:54:20 GMT
mturk       2005/06/05 23:54:19

  Modified:    jni/java/org/apache/tomcat/jni SSL.java SSLContext.java
               jni/native/include ssl_private.h tcn.h
               jni/native/src ssl.c sslcontext.c sslutils.c
  Log:
  Simplify the SSLContext API. We don't need to support the mod_ssl
  child process recycling.
  
  Revision  Changes    Path
  1.9       +14 -1     jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java
  
  Index: SSL.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- SSL.java	2 Jun 2005 09:52:45 -0000	1.8
  +++ SSL.java	6 Jun 2005 06:54:19 -0000	1.9
  @@ -136,6 +136,19 @@
       public static final int SSL_OP_NETSCAPE_CA_DN_BUG               = 0x20000000;
       public static final int SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG  = 0x40000000;
   
  +    public static final int SSL_CRT_FORMAT_UNDEF    = 0;
  +    public static final int SSL_CRT_FORMAT_ASN1     = 1;
  +    public static final int SSL_CRT_FORMAT_TEXT     = 2;
  +    public static final int SSL_CRT_FORMAT_PEM      = 3;
  +    public static final int SSL_CRT_FORMAT_NETSCAPE = 4;
  +    public static final int SSL_CRT_FORMAT_PKCS12   = 5;
  +    public static final int SSL_CRT_FORMAT_SMIME    = 6;
  +    public static final int SSL_CRT_FORMAT_ENGINE   = 7;
  +
  +    public static final int SSL_MODE_CLIENT         = 0;
  +    public static final int SSL_MODE_SERVER         = 1;
  +    public static final int SSL_MODE_COMBINED       = 2;
  +
   
       /* Return OpenSSL version number */
       public static native int version();
  
  
  
  1.13      +39 -117   jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java
  
  Index: SSLContext.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- SSLContext.java	3 Jun 2005 07:33:24 -0000	1.12
  +++ SSLContext.java	6 Jun 2005 06:54:19 -0000	1.13
  @@ -26,7 +26,7 @@
   
   
       /**
  -     * Initialize new Server context
  +     * Initialize new SSL context
        * @param pool The pool to use.
        * @param protocol The SSL protocol to use. It can be one of:
        * <PRE>
  @@ -36,23 +36,14 @@
        * SSL_PROTOCOL_TLSV1
        * SSL_PROTOCOL_ALL
        * </PRE>
  -     */
  -    public static native long initS(long pool, int protocol)
  -        throws Exception;
  -
  -    /**
  -     * Initialize new Client context
  -     * @param pool The pool to use.
  -     * @param protocol The SSL protocol to use. It can be one of:
  +     * @param mode SSL mode to use
        * <PRE>
  -     * SSL_PROTOCOL_SSLV2
  -     * SSL_PROTOCOL_SSLV3
  -     * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
  -     * SSL_PROTOCOL_TLSV1
  -     * SSL_PROTOCOL_ALL
  -     * </PRE>
  +     * SSL_MODE_CLIENT
  +     * SSL_MODE_SERVER
  +     * SSL_MODE_COMBINED
  +     * </PRE>     
        */
  -    public static native long initC(long pool, int protocol)
  +    public static native long make(long pool, int protocol, int mode)
           throws Exception;
   
       /**
  @@ -136,11 +127,14 @@
           throws Exception;
   
       /**
  -     * Set Directory of PEM-encoded CA Certificates for Client Auth
  +     * Set File of concatenated PEM-encoded CA CRLs or
  +     * directory of PEM-encoded CA Certificates for Client Auth
        * <br />
  -     * This directive sets the directory where you keep the Certificates of
  -     * Certification Authorities (CAs) whose clients you deal with. These are
  -     * used to verify the client certificate on Client Authentication.
  +     * This directive sets the all-in-one file where you can assemble the
  +     * Certificate Revocation Lists (CRL) of Certification Authorities (CA)
  +     * whose clients you deal with. These are used for Client Authentication.
  +     * Such a file is simply the concatenation of the various PEM-encoded CRL
  +     * files, in order of preference.     
        * <br />
        * The files in this directory have to be PEM-encoded and are accessed through
        * hash filenames. So usually you can't just place the Certificate files there:
  @@ -148,23 +142,12 @@
        * always make sure this directory contains the appropriate symbolic links.
        * Use the Makefile which comes with mod_ssl to accomplish this task.
        * @param ctx Server or Client context to use.
  -     * @param path Directory of PEM-encoded CA Certificates for Client Auth.
  -     */
  -    public static native boolean setCARevocationPath(long ctx, String path);
  -
  -    /**
  -     * Set File of concatenated PEM-encoded CA CRLs for Client Auth
  -     * <br />
  -     * This directive sets the all-in-one file where you can assemble the
  -     * Certificate Revocation Lists (CRL) of Certification Authorities (CA)
  -     * whose clients you deal with. These are used for Client Authentication.
  -     * Such a file is simply the concatenation of the various PEM-encoded CRL
  -     * files, in order of preference. This can be used alternatively and/or
  -     * additionally to <code>setCARevocationPath</code>.
  -     * @param ctx Server or Client context to use.
        * @param file File of concatenated PEM-encoded CA CRLs for Client Auth.
  +     * @param path Directory of PEM-encoded CA Certificates for Client Auth.
        */
  -    public static native boolean setCARevocationFile(long ctx, String file);
  +    public static native boolean setCARevocation(long ctx, String file,
  +                                                 String path)
  +        throws Exception;
   
       /**
        * Set File of PEM-encoded Server CA Certificates
  @@ -187,7 +170,7 @@
       public static native boolean setCertificateChainFile(long ctx, String file);
   
       /**
  -     * Set Server Certificate
  +     * Set Certificate
        * <br />
        * Point setCertificateFile at a PEM encoded certificate.  If
        * the certificate is encrypted, then you will be prompted for a
  @@ -196,46 +179,33 @@
        * built time. Keep in mind that if you've both a RSA and a DSA
        * certificate you can configure both in parallel (to also allow
        * the use of DSA ciphers, etc.)
  -     * @param ctx Server or Client context to use.
  -     * @param file Certificate file.
  -     */
  -    public static native boolean setCertificateFile(long ctx, String file)
  -        throws Exception;
  -
  -    /**
  -     * Set Server Private Key
        * <br />
  -     * If the key is not combined with the certificate, use this
  -     * directive to point at the key file.  Keep in mind that if
  +     * If the key is not combined with the certificate, use key param
  +     * to point at the key file.  Keep in mind that if
        * you've both a RSA and a DSA private key you can configure
        * both in parallel (to also allow the use of DSA ciphers, etc.)
        * @param ctx Server or Client context to use.
  -     * @param file Server Private Key file.
  +     * @param cert Certificate file.
  +     * @param key Private Key file to use if not in cert.
  +     * @param password Certificate password. If null and certificate
  +     *                 is encrypted, password prompt will be dispayed.
  +     * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.
        */
  -    public static native boolean setCertificateKeyFile(long ctx, String file)
  +    public static native boolean setCertificate(long ctx, String cert,
  +                                                String key, String password,
  +                                                int idx)
           throws Exception;
   
       /**
  -     * Set File of concatenated PEM-encoded CA Certificates for Client Auth
  +     * Set File and Directory of concatenated PEM-encoded CA Certificates
  +     * for Client Auth
        * <br />
        * This directive sets the all-in-one file where you can assemble the
        * Certificates of Certification Authorities (CA) whose clients you deal with.
        * These are used for Client Authentication. Such a file is simply the
        * concatenation of the various PEM-encoded Certificate files, in order of
        * preference. This can be used alternatively and/or additionally to
  -     * <code>setCACertificatePath</code>.
  -     * @param ctx Server or Client context to use.
  -     * @param file File of concatenated PEM-encoded CA Certificates for
  -     *             Client Auth.
  -     */
  -    public static native boolean setCACertificateFile(long ctx, String file);
  -
  -    /**
  -     * Set Directory of PEM-encoded CA Certificates for Client Auth
  -     * <br />
  -     * This directive sets the directory where you keep the Certificates of
  -     * Certification Authorities (CAs) whose clients you deal with. These are used
  -     * to verify the client certificate on Client Authentication.
  +     * path.
        * <br />
        * The files in this directory have to be PEM-encoded and are accessed through
        * hash filenames. So usually you can't just place the Certificate files there:
  @@ -243,60 +213,13 @@
        * always make sure this directory contains the appropriate symbolic links.
        * Use the Makefile which comes with mod_ssl to accomplish this task.
        * @param ctx Server or Client context to use.
  +     * @param file File of concatenated PEM-encoded CA Certificates for
  +     *             Client Auth.
        * @param path Directory of PEM-encoded CA Certificates for Client Auth.
        */
  -    public static native boolean setCACertificatePath(long ctx, String path);
  -
  -    /**
  -     * Set File of concatenated PEM-encoded CA Certificates for defining
  -     * acceptable CA names
  -     * <br />
  -     * When a client certificate is requested by mod_ssl, a list of acceptable
  -     * Certificate Authority names is sent to the client in the SSL handshake.
  -     * These CA names can be used by the client to select an appropriate client
  -     * certificate out of those it has available.
  -     * <br />
  -     * If neither of the directives <code>setCADNRequestPath</code> or
  -     * <code>setCADNRequestFile</code> are given, then the set of acceptable
  -     * CA names sent to the client is the names of all the CA certificates given
  -     * by the <code>setCACertificateFile</code> and
  -     * <code>setCACertificatePath</code> directives; in other words, the names
  -     * of the CAs which will actually be used to verify the client certificate.
  -     * <br />
  -     * In some circumstances, it is useful to be able to send a set of acceptable
  -     * CA names which differs from the actual CAs used to verify the client
  -     * certificate - for example, if the client certificates are signed by
  -     * intermediate CAs. In such cases, CADNRequestPath and/or CADNRequestFile
  -     * can be used; the acceptable CA names are then taken from the complete
  -     * set of certificates in the directory and/or file specified by
  -     * this pair of directives.
  -     * <br />
  -     * setCADNRequestFile must specify an all-in-one file containing a
  -     * concatenation of PEM-encoded CA certificates.
  -     * @param ctx Server or Client context to use.
  -     * @param file File of concatenated PEM-encoded CA Certificates for defining
  -     *             acceptable CA names.
  -     */
  -    public static native boolean setCADNRequestFile(long ctx, String file);
  -
  -    /**
  -     * Set Directory of PEM-encoded CA Certificates for defining acceptable
  -     * CA names
  -     * <br />
  -     * This optional directive can be used to specify the set of acceptable
  -     * CA names which will be sent to the client when a client certificate is
  -     * requested. See the <code>setCADNRequestFile</code> directive for more details.
  -     * <br />
  -     * The files in this directory have to be PEM-encoded and are accessed through
  -     * hash filenames. So usually you can't just place the Certificate files there:
  -     * you also have to create symbolic links named hash-value.N. And you should
  -     * always make sure this directory contains the appropriate symbolic links.
  -     * Use the Makefile which comes with mod_ssl to accomplish this task.
  -     * @param ctx Server or Client context to use.
  -     * @param path Directory of PEM-encoded CA Certificates for defining
  -     *             acceptable CA names.
  -     */
  -    public static native boolean setCADNRequestPath(long ctx, String path);
  +    public static native boolean setCACertificate(long ctx, String file,
  +                                                  String path)
  +        throws Exception;
   
       /**
        * Set Maximum depth of CA Certificates in Client Certificate verification
  @@ -345,7 +268,6 @@
        * @param ctx Server or Client context to use.
        * @param level Type of Client Certificate verification.
        */
  -    public static native boolean setVerifyClient(long ctx, int level)
  -        throws Exception;
  +    public static native void setVerifyClient(long ctx, int level);
   
   }
  
  
  
  1.13      +70 -54    jakarta-tomcat-connectors/jni/native/include/ssl_private.h
  
  Index: ssl_private.h
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- ssl_private.h	3 Jun 2005 08:16:24 -0000	1.12
  +++ ssl_private.h	6 Jun 2005 06:54:19 -0000	1.13
  @@ -56,38 +56,60 @@
    * Define IDs for the temporary RSA keys and DH params
    */
   
  -#define SSL_TMP_KEY_RSA_512  (0)
  -#define SSL_TMP_KEY_RSA_1024 (1)
  -#define SSL_TMP_KEY_DH_512   (2)
  -#define SSL_TMP_KEY_DH_1024  (3)
  -#define SSL_TMP_KEY_MAX      (4)
  +#define SSL_TMP_KEY_RSA_512     (0)
  +#define SSL_TMP_KEY_RSA_1024    (1)
  +#define SSL_TMP_KEY_RSA_2048    (2)
  +#define SSL_TMP_KEY_RSA_4096    (4)
  +#define SSL_TMP_KEY_DH_512      (4)
  +#define SSL_TMP_KEY_DH_1024     (5)
  +#define SSL_TMP_KEY_DH_2048     (6)
  +#define SSL_TMP_KEY_DH_4096     (7)
  +#define SSL_TMP_KEY_MAX         (8)
  +
  +#define SSL_CRT_FORMAT_UNDEF    (0)
  +#define SSL_CRT_FORMAT_ASN1     (1)
  +#define SSL_CRT_FORMAT_TEXT     (2)
  +#define SSL_CRT_FORMAT_PEM      (3)
  +#define SSL_CRT_FORMAT_NETSCAPE (4)
  +#define SSL_CRT_FORMAT_PKCS12   (5)
  +#define SSL_CRT_FORMAT_SMIME    (6)
  +#define SSL_CRT_FORMAT_ENGINE   (7)
  +/* XXX this stupid macro helps us to avoid
  + * adding yet another param to load_*key()
  + */
  +#define SSL_KEY_FORMAT_IISSGC   (8)
   
   /*
    * Define the SSL options
    */
  -#define SSL_OPT_NONE           (0)
  -#define SSL_OPT_RELSET         (1<<0)
  -#define SSL_OPT_STDENVVARS     (1<<1)
  -#define SSL_OPT_EXPORTCERTDATA (1<<3)
  -#define SSL_OPT_FAKEBASICAUTH  (1<<4)
  -#define SSL_OPT_STRICTREQUIRE  (1<<5)
  -#define SSL_OPT_OPTRENEGOTIATE (1<<6)
  -#define SSL_OPT_ALL            (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
  +#define SSL_OPT_NONE            (0)
  +#define SSL_OPT_RELSET          (1<<0)
  +#define SSL_OPT_STDENVVARS      (1<<1)
  +#define SSL_OPT_EXPORTCERTDATA  (1<<3)
  +#define SSL_OPT_FAKEBASICAUTH   (1<<4)
  +#define SSL_OPT_STRICTREQUIRE   (1<<5)
  +#define SSL_OPT_OPTRENEGOTIATE  (1<<6)
  +#define SSL_OPT_ALL             (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
   
   /*
    * Define the SSL Protocol options
    */
  -#define SSL_PROTOCOL_NONE  (0)
  -#define SSL_PROTOCOL_SSLV2 (1<<0)
  -#define SSL_PROTOCOL_SSLV3 (1<<1)
  -#define SSL_PROTOCOL_TLSV1 (1<<2)
  -#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
  +#define SSL_PROTOCOL_NONE       (0)
  +#define SSL_PROTOCOL_SSLV2      (1<<0)
  +#define SSL_PROTOCOL_SSLV3      (1<<1)
  +#define SSL_PROTOCOL_TLSV1      (1<<2)
  +#define SSL_PROTOCOL_ALL        (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
  +
  +#define SSL_MODE_CLIENT         (0)
  +#define SSL_MODE_SERVER         (1)
  +#define SSL_MODE_COMBINED       (2)
   
   #define SSL_BIO_FLAG_RDONLY     (1<<0)
   #define SSL_BIO_FLAG_CALLBACK   (1<<1)
   #define SSL_DEFAULT_CACHE_SIZE  (256)
   #define SSL_DEFAULT_VHOST_NAME  ("_default_:443")
  -#define SSL_MAX_STR_LEN         2048
  +#define SSL_MAX_STR_LEN         (2048)
  +#define SSL_MAX_PASSWORD_LEN    (256)
   
   #define SSL_CVERIFY_UNSET           (-1)
   #define SSL_CVERIFY_NONE            (0)
  @@ -96,22 +118,7 @@
   #define SSL_CVERIFY_OPTIONAL_NO_CA  (3)
   #define SSL_VERIFY_PEER_STRICT      (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
   
  -/* public cert/private key */
  -typedef struct {
  -    /*
  -     * server only has 1-2 certs/keys
  -     * 1 RSA and/or 1 DSA
  -     */
  -    const char  *cert_files[SSL_AIDX_MAX];
  -    const char  *key_files[SSL_AIDX_MAX];
  -    X509        *certs[SSL_AIDX_MAX];
  -    EVP_PKEY    *keys[SSL_AIDX_MAX];
  -
  -    /* Certificates which specify the set of CA names which should be
  -     * sent in the CertificateRequest message: */
  -    const char  *ca_name_path;
  -    const char  *ca_name_file;
  -} ssl_pks_t;
  +extern void *SSL_temp_keys[SSL_TMP_KEY_MAX];
   
   typedef struct {
       /* client can have any number of cert/key pairs */
  @@ -120,46 +127,55 @@
       STACK_OF(X509_INFO) *certs;
   } ssl_pkc_t;
   
  -struct tcn_ssl_ctxt {
  +typedef struct tcn_ssl_ctxt_t tcn_ssl_ctxt_t;
  +
  +typedef struct {
  +    char            password[SSL_MAX_PASSWORD_LEN];
  +    const char     *prompt;
  +    tcn_ssl_ctxt_t *ctx;
  +} tcn_pass_cb_t;
  +
  +struct tcn_ssl_ctxt_t {
       apr_pool_t      *pool;
       SSL_CTX         *ctx;
       BIO             *bio_os;
       BIO             *bio_is;
  +
       unsigned char   vhost_id[MD5_DIGEST_LENGTH];
   
       int             protocol;
       /* we are one or the other */
       int             mode;
  -    union {
  -        ssl_pks_t   s;
  -        ssl_pkc_t   c;
  -    } pk;
   
       const char      *cert_chain;
       /* certificate revocation list */
       X509_STORE      *crl;
  +    const char      *cert_files[SSL_AIDX_MAX];
  +    const char      *key_files[SSL_AIDX_MAX];
  +    X509            *certs[SSL_AIDX_MAX];
  +    EVP_PKEY        *keys[SSL_AIDX_MAX];
  +
  +    int             ca_certs;
   
  -    /* known/trusted CAs */
  -    const char      *ca_cert_path;
  -    const char      *ca_cert_file;
       const char      *cipher_suite;
       /* for client or downstream server authentication */
       int             verify_depth;
       int             verify_mode;
       void            *temp_keys[SSL_TMP_KEY_MAX];
  +    tcn_pass_cb_t   password;
   };
   
  -typedef struct tcn_ssl_ctxt tcn_ssl_ctxt_t;
  -
  -struct tcn_ssl_conn {
  +typedef struct {
       tcn_ssl_ctxt_t *ctx;
       SSL            *ssl;
  -};
  +} tcn_ssl_conn_t;
   
  -typedef struct tcn_ssl_conn tcn_ssl_conn_t;
   
  -#define SSL_CTX_get_extra_certs(ctx)       (ctx->extra_certs)
  -#define SSL_CTX_set_extra_certs(ctx,value) {ctx->extra_certs = value;}
  +#define SSL_CTX_get_extra_certs(ctx)        ((ctx)->extra_certs)
  +#define SSL_CTX_set_extra_certs(ctx, value) \
  +    TCN_BEGIN_MACRO                         \
  +        (ctx)->extra_certs = (value);       \
  +    TCN_END_MACRO
   
   /*
    *  Additional Functions
  @@ -167,7 +183,8 @@
   void        SSL_init_app_data2_idx(void);
   void       *SSL_get_app_data2(SSL *);
   void        SSL_set_app_data2(SSL *, void *);
  -int         SSL_password_prompt(tcn_ssl_ctxt_t *, char *, size_t);
  +int         SSL_password_prompt(tcn_pass_cb_t *);
  +int         SSL_password_callback(char *, int, int, void *);
   void        SSL_BIO_close(BIO *);
   void        SSL_BIO_doref(BIO *);
   DH         *SSL_dh_get_tmp_param(int);
  @@ -175,8 +192,7 @@
   RSA        *SSL_callback_tmp_RSA(SSL *, int, int);
   DH         *SSL_callback_tmp_DH(SSL *, int, int);
   void        SSL_vhost_algo_id(const unsigned char *, unsigned char *, int);
  +int         SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
   int         SSL_callback_SSL_verify(int, X509_STORE_CTX *);
  -STACK_OF(X509_NAME)
  -            *SSL_init_findCAList(tcn_ssl_ctxt_t *, const char *, const char *);
   
   #endif /* SSL_PRIVATE_H */
  
  
  
  1.12      +12 -14    jakarta-tomcat-connectors/jni/native/include/tcn.h
  
  Index: tcn.h
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/tcn.h,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -r1.11 -r1.12
  --- tcn.h	3 Jun 2005 07:35:07 -0000	1.11
  +++ tcn.h	6 Jun 2005 06:54:19 -0000	1.12
  @@ -56,15 +56,15 @@
       JNIEXPORT RT JNICALL Java_org_apache_tomcat_jni_##CL##_##FN
   
   /* Private helper functions */
  -void tcn_Throw(JNIEnv *env, const char *fmt, ...);
  -void tcn_ThrowException(JNIEnv *env, const char *msg);
  -void tcn_ThrowAPRException(JNIEnv *env, apr_status_t err);
  -jstring tcn_new_string(JNIEnv *env, const char *str, int l);
  -char *tcn_get_string(JNIEnv *env, jstring jstr);
  -char *tcn_strdup(JNIEnv *env, jstring jstr);
  -char *tcn_pstrdup(JNIEnv *env, jstring jstr, apr_pool_t *p);
  -apr_status_t tcn_load_finfo_class(JNIEnv *env);
  -apr_status_t tcn_load_ainfo_class(JNIEnv *env);
  +void            tcn_Throw(JNIEnv *, const char *, ...);
  +void            tcn_ThrowException(JNIEnv *, const char *);
  +void            tcn_ThrowAPRException(JNIEnv *, apr_status_t);
  +jstring         tcn_new_string(JNIEnv *, const char *, int);
  +char           *tcn_get_string(JNIEnv *, jstring);
  +char           *tcn_strdup(JNIEnv *, jstring);
  +char           *tcn_pstrdup(JNIEnv *, jstring, apr_pool_t *);
  +apr_status_t    tcn_load_finfo_class(JNIEnv *);
  +apr_status_t    tcn_load_ainfo_class(JNIEnv *);
   
   #define J2S(V)  c##V
   #define J2L(V)  p##V
  @@ -136,14 +136,12 @@
   
   #define TCN_MAX_METHODS 8
   
  -struct tcn_callback {
  +typedef struct {
       JNIEnv      *env;
       jobject     obj;
       jmethodID   mid[TCN_MAX_METHODS];
       void        *opaque;
  -};
  -
  -typedef struct tcn_callback tcn_callback_t;
  +} tcn_callback_t;
   
   #define TCN_MIN(a, b) ((a) < (b) ? (a) : (b))
   #define TCN_MAX(a, b) ((a) > (b) ? (a) : (b))
  
  
  
  1.19      +62 -8     jakarta-tomcat-connectors/jni/native/src/ssl.c
  
  Index: ssl.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- ssl.c	2 Jun 2005 09:52:46 -0000	1.18
  +++ ssl.c	6 Jun 2005 06:54:19 -0000	1.19
  @@ -26,7 +26,6 @@
   #include "apr_thread_mutex.h"
   #include "apr_strings.h"
   #include "apr_atomic.h"
  -#include "apr_hash.h"
   
   #include "tcn.h"
   
  @@ -35,10 +34,59 @@
   
   static int ssl_initialized = 0;
   extern apr_pool_t *tcn_global_pool;
  +
   ENGINE *tcn_ssl_engine = NULL;
  +void *SSL_temp_keys[SSL_TMP_KEY_MAX];
  +
  +/*
  + * Handle the Temporary RSA Keys and DH Params
  + */
  +
  +#define SSL_TMP_KEY_FREE(type, idx)                     \
  +    if (SSL_temp_keys[idx]) {                           \
  +        type##_free((type *)SSL_temp_keys[idx]);        \
  +        SSL_temp_keys[idx] = NULL;                      \
  +    } else (void *)(0)
  +
  +#define SSL_TMP_KEYS_FREE(type) \
  +    SSL_TMP_KEY_FREE(type, SSL_TMP_KEY_##type##_512);   \
  +    SSL_TMP_KEY_FREE(type, SSL_TMP_KEY_##type##_1024);  \
  +    SSL_TMP_KEY_FREE(type, SSL_TMP_KEY_##type##_2048);  \
  +    SSL_TMP_KEY_FREE(type, SSL_TMP_KEY_##type##_4096)
  +
  +#define SSL_TMP_KEY_INIT_RSA(bits) \
  +    ssl_tmp_key_init_rsa(bits, SSL_TMP_KEY_RSA_##bits)
  +
  +#define SSL_TMP_KEY_INIT_DH(bits)  \
  +    ssl_tmp_key_init_dh(bits, SSL_TMP_KEY_DH_##bits)
  +
  +#define SSL_TMP_KEYS_INIT(R)            \
  +    R |= SSL_TMP_KEY_INIT_RSA(512);     \
  +    R |= SSL_TMP_KEY_INIT_RSA(1024);    \
  +    R |= SSL_TMP_KEY_INIT_RSA(2048);    \
  +    R |= SSL_TMP_KEY_INIT_DH(512);      \
  +    R |= SSL_TMP_KEY_INIT_DH(1024);     \
  +    R |= SSL_TMP_KEY_INIT_DH(2048);     \
  +    R |= SSL_TMP_KEY_INIT_DH(4096)
  +
  +static int ssl_tmp_key_init_rsa(int bits, int idx)
  +{
  +    if (!(SSL_temp_keys[idx] =
  +          RSA_generate_key(bits, RSA_F4, NULL, NULL)))
  +        return 1;
  +    else
  +        return 0;
  +}
  +
  +static int ssl_tmp_key_init_dh(int bits, int idx)
  +{
  +    if (!(SSL_temp_keys[idx] =
  +          SSL_dh_get_tmp_param(bits)))
  +        return 1;
  +    else
  +        return 0;
  +}
   
  -apr_hash_t  *tcn_private_keys = NULL;
  -apr_hash_t  *tcn_public_certs = NULL;
   
   TCN_IMPLEMENT_CALL(jint, SSL, version)(TCN_STDARGS)
   {
  @@ -62,6 +110,8 @@
       if (!ssl_initialized)
           return APR_SUCCESS;
       ssl_initialized = 0;
  +    SSL_TMP_KEYS_FREE(RSA);
  +    SSL_TMP_KEYS_FREE(DH);
       /*
        * Try to kill the internals of the SSL library.
        */
  @@ -298,6 +348,7 @@
   
   TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
   {
  +    int r;
       TCN_ALLOC_CSTRING(engine);
   
       UNREFERENCED(o);
  @@ -360,10 +411,13 @@
       ssl_rand_seed(NULL);
       /* For SSL_get_app_data2() at request time */
       SSL_init_app_data2_idx();
  -    
  -    /* Create tables for global private keys and certs */
  -    tcn_private_keys = apr_hash_make(tcn_global_pool);
  -    tcn_public_certs = apr_hash_make(tcn_global_pool);
  +
  +    SSL_TMP_KEYS_INIT(r);
  +    if (r) {
  +        TCN_FREE_CSTRING(engine);
  +        ssl_init_cleanup(NULL);
  +        return APR_ENOTIMPL;
  +    }
       /*
        * Let us cleanup the ssl library when the library is unloaded
        */
  
  
  
  1.20      +216 -335  jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.19
  retrieving revision 1.20
  diff -u -r1.19 -r1.20
  --- sslcontext.c	3 Jun 2005 07:34:27 -0000	1.19
  +++ sslcontext.c	6 Jun 2005 06:54:19 -0000	1.20
  @@ -30,94 +30,42 @@
   #ifdef HAVE_OPENSSL
   #include "ssl_private.h"
   
  -/*
  - * Handle the Temporary RSA Keys and DH Params
  - */
  -
  -#define SSL_TMP_KEY_FREE(ctx, type, idx) \
  -    if (ctx->temp_keys[idx]) { \
  -        type##_free((type *)ctx->temp_keys[idx]); \
  -        ctx->temp_keys[idx] = NULL; \
  -    }
  -
  -#define SSL_TMP_KEYS_FREE(ctx, type) \
  -    SSL_TMP_KEY_FREE(ctx, type, SSL_TMP_KEY_##type##_512); \
  -    SSL_TMP_KEY_FREE(ctx, type, SSL_TMP_KEY_##type##_1024)
  -
  -static void ssl_tmp_keys_free(tcn_ssl_ctxt_t *ctx)
  -{
  -
  -    SSL_TMP_KEYS_FREE(ctx, RSA);
  -    SSL_TMP_KEYS_FREE(ctx, DH);
  -}
  -
  -static int ssl_tmp_key_init_rsa(tcn_ssl_ctxt_t *ctx,
  -                                int bits, int idx)
  -{
  -    if (!(ctx->temp_keys[idx] =
  -          RSA_generate_key(bits, RSA_F4, NULL, NULL))) {
  -        BIO_printf(ctx->bio_os, "[ERROR] "
  -                   "Init: Failed to generate temporary "
  -                   "%d bit RSA private key", bits);
  -        return 0;
  -    }
  -    return 1;
  -}
  -
  -static int ssl_tmp_key_init_dh(tcn_ssl_ctxt_t *ctx,
  -                               int bits, int idx)
  -{
  -    if (!(ctx->temp_keys[idx] =
  -          SSL_dh_get_tmp_param(bits))) {
  -        BIO_printf(ctx->bio_os, "[ERROR] "
  -                   "Init: Failed to generate temporary "
  -                   "%d bit DH parameters", bits);
  -        return 0;
  -    }
  -    return 1;
  -}
  -
   static apr_status_t ssl_context_cleanup(void *data)
   {
       tcn_ssl_ctxt_t *c = (tcn_ssl_ctxt_t *)data;
       if (c) {
  +        int i;
           if (c->crl)
               X509_STORE_free(c->crl);
           c->crl = NULL;
           if (c->ctx)
               SSL_CTX_free(c->ctx);
           c->ctx = NULL;
  -        if (c->mode) {
  -            int i;
  -            for (i = 0; i < SSL_AIDX_MAX; i++) {
  -                if (c->pk.s.certs[i]) {
  -                    X509_free(c->pk.s.certs[i]);
  -                    c->pk.s.certs[i] = NULL;
  -                }
  -                if (c->pk.s.keys[i]) {
  -                    EVP_PKEY_free(c->pk.s.keys[i]);
  -                    c->pk.s.keys[i] = NULL;
  -                }
  +        for (i = 0; i < SSL_AIDX_MAX; i++) {
  +            if (c->certs[i]) {
  +                X509_free(c->certs[i]);
  +                c->certs[i] = NULL;
  +            }
  +            if (c->keys[i]) {
  +                EVP_PKEY_free(c->keys[i]);
  +                c->keys[i] = NULL;
               }
           }
  -        else if (c->pk.c.certs) {
  -            sk_X509_INFO_pop_free(c->pk.c.certs, X509_INFO_free);
  -            c->pk.c.certs = NULL;
  -        }
  -
  -        if (c->bio_is)
  +        if (c->bio_is) {
               SSL_BIO_close(c->bio_is);
  -        c->bio_is = NULL;
  -        if (c->bio_os)
  +            c->bio_is = NULL;
  +        }
  +        if (c->bio_os) {
               SSL_BIO_close(c->bio_os);
  -        c->bio_os = NULL;
  +            c->bio_os = NULL;
  +        }
       }
       return APR_SUCCESS;
   }
   
   /* Initialize server context */
  -TCN_IMPLEMENT_CALL(jlong, SSLContext, initS)(TCN_STDARGS, jlong pool,
  -                                             jint protocol)
  +TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
  +                                            jint protocol, jint mode)
   {
       apr_pool_t *p = J2P(pool, apr_pool_t *);
       tcn_ssl_ctxt_t *c = NULL;
  @@ -127,18 +75,38 @@
       switch (protocol) {
           case SSL_PROTOCOL_SSLV2:
           case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLSV1:
  -            ctx = SSL_CTX_new(SSLv2_server_method());
  +            if (mode == SSL_MODE_CLIENT)
  +                ctx = SSL_CTX_new(SSLv2_client_method());
  +            else if (mode == SSL_MODE_SERVER)
  +                ctx = SSL_CTX_new(SSLv2_server_method());
  +            else
  +                ctx = SSL_CTX_new(SSLv2_method());
           break;
           case SSL_PROTOCOL_SSLV3:
           case SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1:
  -            ctx = SSL_CTX_new(SSLv3_server_method());
  +            if (mode == SSL_MODE_CLIENT)
  +                ctx = SSL_CTX_new(SSLv3_client_method());
  +            else if (mode == SSL_MODE_SERVER)
  +                ctx = SSL_CTX_new(SSLv3_server_method());
  +            else
  +                ctx = SSL_CTX_new(SSLv3_method());
           break;
           case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3:
           case SSL_PROTOCOL_ALL:
  -            ctx = SSL_CTX_new(SSLv23_server_method());
  +            if (mode == SSL_MODE_CLIENT)
  +                ctx = SSL_CTX_new(SSLv23_client_method());
  +            else if (mode == SSL_MODE_SERVER)
  +                ctx = SSL_CTX_new(SSLv23_server_method());
  +            else
  +                ctx = SSL_CTX_new(SSLv23_method());
           break;
           case SSL_PROTOCOL_TLSV1:
  -            ctx = SSL_CTX_new(TLSv1_server_method());
  +            if (mode == SSL_MODE_CLIENT)
  +                ctx = SSL_CTX_new(TLSv1_client_method());
  +            else if (mode == SSL_MODE_SERVER)
  +                ctx = SSL_CTX_new(TLSv1_server_method());
  +            else
  +                ctx = SSL_CTX_new(TLSv1_method());
           break;
       }
       if (!ctx) {
  @@ -149,11 +117,12 @@
           tcn_ThrowAPRException(e, apr_get_os_error());
           goto init_failed;
       }
  -    /* server mode */
  -    c->mode = 1;
  -    c->ctx  = ctx;
  -    c->pool = p;
  -    c->bio_os = BIO_new(BIO_s_file());
  +
  +    c->protocol = protocol;
  +    c->mode     = mode;
  +    c->ctx      = ctx;
  +    c->pool     = p;
  +    c->bio_os   = BIO_new(BIO_s_file());
       if (c->bio_os != NULL)
           BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
       SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
  @@ -180,92 +149,19 @@
       MD5((const unsigned char *)SSL_DEFAULT_VHOST_NAME,
           (unsigned long)(sizeof(SSL_DEFAULT_VHOST_NAME) - 1),
           &(c->vhost_id[0]));
  -
  -    SSL_CTX_set_tmp_rsa_callback(c->ctx, SSL_callback_tmp_RSA);
  -    SSL_CTX_set_tmp_dh_callback(c->ctx,  SSL_callback_tmp_DH);
  -
  +    if (mode) {
  +        SSL_CTX_set_tmp_rsa_callback(c->ctx, SSL_callback_tmp_RSA);
  +        SSL_CTX_set_tmp_dh_callback(c->ctx,  SSL_callback_tmp_DH);
  +    }
       /* Set default Certificate verification level
        * and depth for the Client Authentication
        */
       c->verify_depth = 1;
       c->verify_mode  = SSL_CVERIFY_UNSET;
  -    /*
  -     * Let us cleanup the ssl context when the pool is destroyed
  -     */
  -    apr_pool_cleanup_register(p, (const void *)c,
  -                              ssl_context_cleanup,
  -                              apr_pool_cleanup_null);
  -
  -    return P2J(c);
  -init_failed:
  -    return 0;
  -}
   
  -/* Initialize client context */
  -TCN_IMPLEMENT_CALL(jlong, SSLContext, initC)(TCN_STDARGS, jlong pool,
  -                                             jint protocol)
  -{
  -    apr_pool_t *p = J2P(pool, apr_pool_t *);
  -    tcn_ssl_ctxt_t *c = NULL;
  -    SSL_CTX *ctx = NULL;
  -    UNREFERENCED(o);
  -
  -    switch (protocol) {
  -        case SSL_PROTOCOL_SSLV2:
  -        case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLSV1:
  -            ctx = SSL_CTX_new(SSLv2_client_method());
  -        break;
  -        case SSL_PROTOCOL_SSLV3:
  -        case SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1:
  -            ctx = SSL_CTX_new(SSLv3_client_method());
  -        break;
  -        case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3:
  -        case SSL_PROTOCOL_ALL:
  -            ctx = SSL_CTX_new(SSLv23_client_method());
  -        break;
  -        case SSL_PROTOCOL_TLSV1:
  -            ctx = SSL_CTX_new(TLSv1_client_method());
  -        break;
  -    }
  -    if (!ctx) {
  -        tcn_ThrowException(e, "Invalid Client SSL Protocol");
  -        goto init_failed;
  -    }
  -    if ((c = apr_pcalloc(p, sizeof(tcn_ssl_ctxt_t))) == NULL) {
  -        tcn_ThrowAPRException(e, apr_get_os_error());
  -        goto init_failed;
  -    }
  -    /* client mode */
  -    c->mode = 0;
  -    c->ctx  = ctx;
  -    c->pool = p;
  -    c->bio_os = BIO_new(BIO_s_file());
  -    if (c->bio_os != NULL)
  -        BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
  -    SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
  -    if (!(protocol & SSL_PROTOCOL_SSLV2))
  -        SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv2);
  -    if (!(protocol & SSL_PROTOCOL_SSLV3))
  -        SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);
  -    if (!(protocol & SSL_PROTOCOL_TLSV1))
  -        SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1);
  -    /*
  -     * Configure additional context ingredients
  -     */
  -    SSL_CTX_set_options(c->ctx, SSL_OP_SINGLE_DH_USE);
  -
  -#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  -    /*
  -     * Disallow a session from being resumed during a renegotiation,
  -     * so that an acceptable cipher suite can be negotiated.
  -     */
  -    SSL_CTX_set_options(c->ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
  -#endif
  -    /* Default vhost id and cache size */
  -    SSL_CTX_sess_set_cache_size(c->ctx, SSL_DEFAULT_CACHE_SIZE);
  -    MD5((const unsigned char *)SSL_DEFAULT_VHOST_NAME,
  -        (unsigned long)(sizeof(SSL_DEFAULT_VHOST_NAME) - 1),
  -        &(c->vhost_id[0]));
  +    /* Set default password callback */
  +    SSL_CTX_set_default_passwd_cb(c->ctx, (pem_password_cb *)SSL_password_callback);
  +    SSL_CTX_set_default_passwd_cb_userdata(c->ctx, (void *)(&c->password));
       /*
        * Let us cleanup the ssl context when the pool is destroyed
        */
  @@ -366,62 +262,48 @@
       return rv;
   }
   
  -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocationFile)(TCN_STDARGS, jlong ctx,
  -                                                              jstring file)
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocation)(TCN_STDARGS, jlong ctx,
  +                                                          jstring file,
  +                                                          jstring path)
   {
       tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
       TCN_ALLOC_CSTRING(file);
  +    TCN_ALLOC_CSTRING(path);
       jboolean rv = JNI_FALSE;
       X509_LOOKUP *lookup;
   
       UNREFERENCED(o);
       TCN_ASSERT(ctx != 0);
  -    if (!J2S(file))
  +    if (J2S(file) == NULL && J2S(path) == NULL)
           return JNI_FALSE;
   
       if (!c->crl) {
           if ((c->crl = X509_STORE_new()) == NULL)
               goto cleanup;
       }
  -    lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file());
  -    if (lookup == NULL) {
  -        X509_STORE_free(c->crl);
  -        c->crl = NULL;
  -        goto cleanup;
  -    }
  -    X509_LOOKUP_load_file(lookup, J2S(file), X509_FILETYPE_PEM);
  -    rv = JNI_TRUE;
  -cleanup:
  -    TCN_FREE_CSTRING(file);
  -    return rv;
  -}
  -
  -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocationPath)(TCN_STDARGS, jlong ctx,
  -                                                              jstring path)
  -{
  -    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  -    TCN_ALLOC_CSTRING(path);
  -    jboolean rv = JNI_FALSE;
  -    X509_LOOKUP *lookup;
  -
  -    UNREFERENCED(o);
  -    TCN_ASSERT(ctx != 0);
  -    if (!J2S(path))
  -        return JNI_FALSE;
  -
  -    if (!c->crl) {
  -        if ((c->crl = X509_STORE_new()) == NULL)
  +    if (J2S(file)) {
  +        lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file());
  +        if (lookup == NULL) {
  +            X509_STORE_free(c->crl);
  +            c->crl = NULL;
  +            tcn_Throw(e, "Lookup failed for file %s", J2S(file));
               goto cleanup;
  +        }
  +        X509_LOOKUP_load_file(lookup, J2S(file), X509_FILETYPE_PEM);
       }
  -    lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir());
  -    if (lookup == NULL) {
  -        X509_STORE_free(c->crl);
  -        c->crl = NULL;
  -        goto cleanup;
  +    if (J2S(path)) {
  +        lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir());
  +        if (lookup == NULL) {
  +            X509_STORE_free(c->crl);
  +            c->crl = NULL;
  +            tcn_Throw(e, "Lookup failed for path %s", J2S(file));
  +            goto cleanup;
  +        }
  +        X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM);
       }
  -    X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM);
       rv = JNI_TRUE;
   cleanup:
  +    TCN_FREE_CSTRING(file);
       TCN_FREE_CSTRING(path);
       return rv;
   }
  @@ -442,111 +324,58 @@
       return rv;
   }
   
  -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateFile)(TCN_STDARGS, jlong ctx,
  -                                                             jstring file)
  -{
  -    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  -    int i;
  -
  -    UNREFERENCED(o);
  -    TCN_ASSERT(ctx != 0);
  -    if (!file)
  -        return JNI_FALSE;
  -    for (i = 0; i < SSL_AIDX_MAX; i++) {
  -        if (!c->pk.s.cert_files[i]) {
  -            c->pk.s.cert_files[i] = tcn_pstrdup(e, file, c->pool);
  -            return JNI_TRUE;
  -        }
  -    }
  -    tcn_Throw(e, "Only up to %d "
  -              "different certificates per virtual host allowed",
  -              SSL_AIDX_MAX);
  -    return JNI_FALSE;
  -}
  -
  -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateKeyFile)(TCN_STDARGS, jlong ctx,
  -                                                                jstring file)
  -{
  -    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  -    int i;
  -
  -    UNREFERENCED(o);
  -    TCN_ASSERT(ctx != 0);
  -    if (!file)
  -        return JNI_FALSE;
  -    for (i = 0; i < SSL_AIDX_MAX; i++) {
  -        if (!c->pk.s.key_files[i]) {
  -            c->pk.s.key_files[i] = tcn_pstrdup(e, file, c->pool);
  -            return JNI_TRUE;
  -        }
  -    }
  -    tcn_Throw(e, "Only up to %d "
  -              "different private keys per virtual host allowed",
  -              SSL_AIDX_MAX);
  -    return JNI_FALSE;
  -}
  -
  -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCACertificateFile)(TCN_STDARGS, jlong ctx,
  -                                                               jstring file)
  -{
  -    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  -    jboolean rv = JNI_TRUE;
  -
  -    UNREFERENCED(o);
  -    TCN_ASSERT(ctx != 0);
  -    if (!file)
  -        return JNI_FALSE;
  -    if ((c->ca_cert_file = tcn_pstrdup(e, file, c->pool)) == NULL)
  -        rv = JNI_FALSE;
  -
  -    return rv;
  -}
  -
  -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCACertificatePath)(TCN_STDARGS, jlong ctx,
  -                                                               jstring path)
  -{
  -    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  -    jboolean rv = JNI_TRUE;
  -
  -    UNREFERENCED(o);
  -    TCN_ASSERT(ctx != 0);
  -    if (!path)
  -        return JNI_FALSE;
  -    if ((c->ca_cert_path = tcn_pstrdup(e, path, c->pool)) == NULL)
  -        rv = JNI_FALSE;
  -
  -    return rv;
  -}
  -
  -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCADNRequestFile)(TCN_STDARGS, jlong ctx,
  -                                                             jstring file)
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCACertificate)(TCN_STDARGS,
  +                                                           jlong ctx,
  +                                                           jstring file,
  +                                                           jstring path)
   {
       tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
       jboolean rv = JNI_TRUE;
  +    TCN_ALLOC_CSTRING(file);
  +    TCN_ALLOC_CSTRING(path);
   
       UNREFERENCED(o);
       TCN_ASSERT(ctx != 0);
  -    if (!file)
  +    if (file == NULL && path == NULL)
           return JNI_FALSE;
  -    if ((c->pk.s.ca_name_file = tcn_pstrdup(e, file, c->pool)) == NULL)
  -        rv = JNI_FALSE;
  -
  -    return rv;
  -}
   
  -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCADNRequestPath)(TCN_STDARGS, jlong ctx,
  -                                                             jstring path)
  -{
  -    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  -    jboolean rv = JNI_TRUE;
  -
  -    UNREFERENCED(o);
  -    TCN_ASSERT(ctx != 0);
  -    if (!path)
  -        return JNI_FALSE;
  -    if ((c->pk.s.ca_name_path = tcn_pstrdup(e, path, c->pool)) == NULL)
  +   /*
  +     * Configure Client Authentication details
  +     */
  +    if (!SSL_CTX_load_verify_locations(c->ctx,
  +                                       J2S(file), J2S(path))) {
  +        tcn_Throw(e, "Unable to configure locations "
  +                  "for client authentication");
           rv = JNI_FALSE;
  -
  +        goto cleanup;
  +    }
  +    if (c->mode) {
  +        STACK_OF(X509_NAME) *ca_certs;
  +        c->ca_certs++;
  +        ca_certs = SSL_CTX_get_client_CA_list(c->ctx);
  +        if (ca_certs == NULL) {
  +            SSL_load_client_CA_file(J2S(file));
  +            if (ca_certs != NULL)
  +                SSL_CTX_set_client_CA_list(c->ctx, (STACK *)ca_certs);
  +        }
  +        else {
  +            if (!SSL_add_file_cert_subjects_to_stack((STACK *)ca_certs, J2S(file)))
  +                ca_certs = NULL;
  +        }
  +        if (ca_certs == NULL && c->verify_mode == SSL_CVERIFY_REQUIRE) {
  +            /*
  +             * Give a warning when no CAs were configured but client authentication
  +             * should take place. This cannot work.
  +            */
  +            BIO_printf(c->bio_os,
  +                        "[WARN] Oops, you want to request client "
  +                        "authentication, but no CAs are known for "
  +                        "verification!?");
  +        }
  +    }
  +cleanup:
  +    TCN_FREE_CSTRING(file);
  +    TCN_FREE_CSTRING(path);
       return rv;
   }
   
  @@ -560,12 +389,11 @@
       c->verify_depth = depth;
   }
   
  -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setVerifyClient)(TCN_STDARGS, jlong ctx,
  -                                                          jint level)
  +TCN_IMPLEMENT_CALL(void, SSLContext, setVerifyClient)(TCN_STDARGS, jlong ctx,
  +                                                      jint level)
   {
       tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
       int verify = SSL_VERIFY_NONE;
  -    STACK_OF(X509_NAME) *ca_list;
   
       UNREFERENCED(o);
       TCN_ASSERT(ctx != 0);
  @@ -584,52 +412,105 @@
           verify |= SSL_VERIFY_PEER;
   
       SSL_CTX_set_verify(c->ctx, verify, SSL_callback_SSL_verify);
  -   /*
  -     * Configure Client Authentication details
  -     */
  -    if (c->ca_cert_file || c->ca_cert_path) {
  -        if (!SSL_CTX_load_verify_locations(c->ctx,
  -                         c->ca_cert_file,
  -                         c->ca_cert_path)) {
  -            tcn_Throw(e, "Unable to configure verify locations "
  -                      "for client authentication");
  -            return JNI_FALSE;
  -        }
  +}
   
  -        if (c->mode && (c->pk.s.ca_name_file || c->pk.s.ca_name_path)) {
  -            ca_list = SSL_init_findCAList(c,
  -                                          c->pk.s.ca_name_file,
  -                                          c->pk.s.ca_name_path);
  -        }
  -        else {
  -            ca_list = SSL_init_findCAList(c,
  -                                          c->ca_cert_file,
  -                                          c->ca_cert_path);
  -        }
  -        if (!ca_list) {
  -            tcn_Throw(e, "Unable to determine list of acceptable "
  -                      "CA certificates for client authentication");
  -            return JNI_FALSE;
  -        }
  -        SSL_CTX_set_client_CA_list(c->ctx, (STACK *)ca_list);
  +static EVP_PKEY *load_pem_key(tcn_ssl_ctxt_t *c, const char *file)
  +{
  +    BIO *bio = NULL;
  +    EVP_PKEY *key = NULL;
  +
  +    if ((bio = BIO_new(BIO_s_file())) == NULL) {
  +        return NULL;
  +    }
  +    if (BIO_read_filename(bio, file) <= 0) {
  +        BIO_free(bio);
  +        return NULL;
       }
  +    key = PEM_read_bio_PrivateKey(bio, NULL,
  +                (pem_password_cb *)SSL_password_callback,
  +                (void *)(&c->password));
  +    BIO_free(bio);
  +    return key;
  +}
   
  -    /*
  -     * Give a warning when no CAs were configured but client authentication
  -     * should take place. This cannot work.
  -     */
  -    if (c->verify_mode == SSL_CVERIFY_REQUIRE) {
  -        ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(c->ctx);
  +static X509 *load_pem_cert(const char *file)
  +{
  +    BIO *bio = NULL;
  +    X509 *cert = NULL;
   
  -        if (sk_X509_NAME_num(ca_list) == 0) {
  -            BIO_printf(c->bio_os,
  -                       "[WARN] Oops, you want to request client "
  -                       "authentication, but no CAs are known for "
  -                       "verification!?  [Hint: setCACertificate*]");
  -        }
  +    if ((bio = BIO_new(BIO_s_file())) == NULL) {
  +        return NULL;
  +    }
  +    if (BIO_read_filename(bio, file) <= 0) {
  +        BIO_free(bio);
  +        return NULL;
       }
  +    cert = PEM_read_bio_X509_AUX(bio, NULL,
  +                (pem_password_cb *)SSL_password_callback,
  +                 NULL);
  +    BIO_free(bio);
  +    return cert;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx,
  +                                                         jstring cert, jstring key,
  +                                                         jstring password, jint idx)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    jboolean rv = JNI_TRUE;
  +    TCN_ALLOC_CSTRING(cert);
  +    TCN_ALLOC_CSTRING(key);
  +    TCN_ALLOC_CSTRING(password);
  +    const char *key_file, *cert_file;
   
  -    return JNI_TRUE;
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +
  +    if (idx < 0 || idx >= SSL_AIDX_MAX) {
  +        /* TODO: Throw something */
  +        rv = JNI_FALSE;
  +        goto cleanup;
  +    }
  +    if (J2S(password)) {
  +        strncpy(c->password.password, J2S(password), SSL_MAX_PASSWORD_LEN);
  +        c->password.password[SSL_MAX_PASSWORD_LEN - 1] = '\0';
  +    }
  +    key_file  = J2S(key);
  +    cert_file = J2S(cert);
  +    if (!key_file)
  +        key_file = cert_file;
  +    if ((c->keys[idx] = load_pem_key(c, key_file)) == NULL) {
  +        tcn_Throw(e, "Unable to load Certificate Key %",
  +                  key_file);
  +        rv = JNI_FALSE;
  +        goto cleanup;
  +    }
  +    if ((c->certs[idx] = load_pem_cert(cert_file)) == NULL) {
  +        tcn_Throw(e, "Unable to load Certificate %",
  +                  cert_file);
  +        rv = JNI_FALSE;
  +        goto cleanup;
  +    }
  +    if (SSL_CTX_use_certificate(c->ctx, c->certs[idx]) <= 0) {
  +        tcn_Throw(e, "error setting certificate");
  +        rv = JNI_FALSE;
  +        goto cleanup;
  +    }
  +    if (SSL_CTX_use_PrivateKey(c->ctx, c->keys[idx]) <= 0) {
  +        tcn_Throw(e, "error setting private key");
  +        rv = JNI_FALSE;
  +        goto cleanup;
  +    }
  +    if (SSL_CTX_check_private_key(c->ctx) <= 0) {
  +        tcn_Throw(e, "Private key does not match the certificate public key");
  +        rv = JNI_FALSE;
  +        goto cleanup;
  +    }
  +cleanup:
  +    TCN_FREE_CSTRING(cert);
  +    TCN_FREE_CSTRING(key);
  +    TCN_FREE_CSTRING(password);
  +    return rv;
   }
   
   #else
  
  
  
  1.12      +171 -205  jakarta-tomcat-connectors/jni/native/src/sslutils.c
  
  Index: sslutils.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -r1.11 -r1.12
  --- sslutils.c	3 Jun 2005 08:14:46 -0000	1.11
  +++ sslutils.c	6 Jun 2005 06:54:19 -0000	1.12
  @@ -24,7 +24,6 @@
   #include "apr_file_io.h"
   #include "apr_portable.h"
   #include "apr_thread_mutex.h"
  -#include "apr_hash.h"
   #include "apr_strings.h"
   
   #include "tcn.h"
  @@ -38,12 +37,6 @@
   #include <curses.h> /* getch() */
   #endif
   
  -
  -
  -extern apr_hash_t  *tcn_private_keys;
  -extern apr_hash_t  *tcn_public_certs;
  -
  -
   /*  _________________________________________________________________
   **
   **  Additional High-Level Functions for OpenSSL
  @@ -118,7 +111,7 @@
       size_t i;
       int ch;
   
  -    fputs(prompt, stderr);    
  +    fputs(prompt, stderr);
       for (i = 0; i < (len - 1); i++) {
           ch = getch();
           if (ch == '\n')
  @@ -136,26 +129,30 @@
   
   #define PROMPT_STRING "Enter password: "
   /* Simple echo password prompting */
  -int SSL_password_prompt(tcn_ssl_ctxt_t *c, char *buf, size_t len)
  +int SSL_password_prompt(tcn_pass_cb_t *data)
   {
       int rv = 0;
  -    *buf = '\0';
  -    if (c->bio_is) {
  -        if (c->bio_is->flags & SSL_BIO_FLAG_RDONLY) {
  +    data->password[0] = '\0';
  +    if (!data->prompt)
  +        data->prompt = PROMPT_STRING;
  +    if (data->ctx && data->ctx->bio_is) {
  +        if (data->ctx->bio_is->flags & SSL_BIO_FLAG_RDONLY) {
               /* Use error BIO in case of stdin */
  -            BIO_printf(c->bio_os, PROMPT_STRING);
  +            BIO_printf(data->ctx->bio_is, data->prompt);
           }
  -        rv = BIO_gets(c->bio_is, buf, len);
  +        rv = BIO_gets(data->ctx->bio_is,
  +                      data->password, SSL_MAX_PASSWORD_LEN);
       }
       else {
  -        password_prompt(PROMPT_STRING, buf, len);
  +        password_prompt(data->prompt, data->password,
  +                        SSL_MAX_PASSWORD_LEN);
           fputc('\n', stderr);
           fflush(stderr);
  -        rv = strlen(buf);
  +        rv = strlen(data->password);
       }
       if (rv > 0) {
           /* Remove LF char if present */
  -        char *r = strchr(buf, '\n');
  +        char *r = strchr(data->password, '\n');
           if (r) {
               *r = '\0';
               rv--;
  @@ -164,112 +161,164 @@
       return rv;
   }
   
  -
  -/* ----BEGIN GENERATED SECTION-------- */
  -
  -/*
  -** Diffie-Hellman-Parameters: (512 bit)
  -**     prime:
  -**         00:d4:bc:d5:24:06:f6:9b:35:99:4b:88:de:5d:b8:
  -**         96:82:c8:15:7f:62:d8:f3:36:33:ee:57:72:f1:1f:
  -**         05:ab:22:d6:b5:14:5b:9f:24:1e:5a:cc:31:ff:09:
  -**         0a:4b:c7:11:48:97:6f:76:79:50:94:e7:1e:79:03:
  -**         52:9f:5a:82:4b
  -**     generator: 2 (0x2)
  -** Diffie-Hellman-Parameters: (1024 bit)
  -**     prime:
  -**         00:e6:96:9d:3d:49:5b:e3:2c:7c:f1:80:c3:bd:d4:
  -**         79:8e:91:b7:81:82:51:bb:05:5e:2a:20:64:90:4a:
  -**         79:a7:70:fa:15:a2:59:cb:d5:23:a6:a6:ef:09:c4:
  -**         30:48:d5:a2:2f:97:1f:3c:20:12:9b:48:00:0e:6e:
  -**         dd:06:1c:bc:05:3e:37:1d:79:4e:53:27:df:61:1e:
  -**         bb:be:1b:ac:9b:5c:60:44:cf:02:3d:76:e0:5e:ea:
  -**         9b:ad:99:1b:13:a6:3c:97:4e:9e:f1:83:9e:b5:db:
  -**         12:51:36:f7:26:2e:56:a8:87:15:38:df:d8:23:c6:
  -**         50:50:85:e2:1f:0d:d5:c8:6b
  -**     generator: 2 (0x2)
  -*/
  -
  -static unsigned char dh512_p[] =
  +int SSL_password_callback(char *buf, int bufsiz, int verify,
  +                          void *cb)
   {
  -    0xD4, 0xBC, 0xD5, 0x24, 0x06, 0xF6, 0x9B, 0x35, 0x99, 0x4B, 0x88, 0xDE,
  -    0x5D, 0xB8, 0x96, 0x82, 0xC8, 0x15, 0x7F, 0x62, 0xD8, 0xF3, 0x36, 0x33,
  -    0xEE, 0x57, 0x72, 0xF1, 0x1F, 0x05, 0xAB, 0x22, 0xD6, 0xB5, 0x14, 0x5B,
  -    0x9F, 0x24, 0x1E, 0x5A, 0xCC, 0x31, 0xFF, 0x09, 0x0A, 0x4B, 0xC7, 0x11,
  -    0x48, 0x97, 0x6F, 0x76, 0x79, 0x50, 0x94, 0xE7, 0x1E, 0x79, 0x03, 0x52,
  -    0x9F, 0x5A, 0x82, 0x4B,
  +    int rv = 0;
  +    tcn_pass_cb_t *cb_data = (tcn_pass_cb_t *)cb;
  +    tcn_pass_cb_t c;
  +
  +    if (buf == NULL)
  +        return 0;
  +    if (cb_data == NULL) {
  +        memset(&c, 0, sizeof(tcn_pass_cb_t));
  +        cb_data = &c;
  +    }
  +    if (cb_data->password[0] ||
  +        (SSL_password_prompt(cb_data) > 0)) {
  +        strncpy(buf, cb_data->password, bufsiz);
  +    }
  +    buf[bufsiz - 1] = '\0';
  +    return strlen(buf);
  +}
  +
  +static unsigned char dh0512_p[]={
  +    0xD9,0xBA,0xBF,0xFD,0x69,0x38,0xC9,0x51,0x2D,0x19,0x37,0x39,
  +    0xD7,0x7D,0x7E,0x3E,0x25,0x58,0x55,0x94,0x90,0x60,0x93,0x7A,
  +    0xF2,0xD5,0x61,0x5F,0x06,0xE8,0x08,0xB4,0x57,0xF4,0xCF,0xB4,
  +    0x41,0xCC,0xC4,0xAC,0xD4,0xF0,0x45,0x88,0xC9,0xD1,0x21,0x4C,
  +    0xB6,0x72,0x48,0xBD,0x73,0x80,0xE0,0xDD,0x88,0x41,0xA0,0xF1,
  +    0xEA,0x4B,0x71,0x13
   };
  -static unsigned char dh512_g[] =
  -{
  -    0x02,
  +static unsigned char dh1024_p[]={
  +    0xA2,0x95,0x7E,0x7C,0xA9,0xD5,0x55,0x1D,0x7C,0x77,0x11,0xAC,
  +    0xFD,0x48,0x8C,0x3B,0x94,0x1B,0xC5,0xC0,0x99,0x93,0xB5,0xDC,
  +    0xDC,0x06,0x76,0x9E,0xED,0x1E,0x3D,0xBB,0x9A,0x29,0xD6,0x8B,
  +    0x1F,0xF6,0xDA,0xC9,0xDF,0xD5,0x02,0x4F,0x09,0xDE,0xEC,0x2C,
  +    0x59,0x1E,0x82,0x32,0x80,0x9B,0xED,0x51,0x68,0xD2,0xFB,0x1E,
  +    0x25,0xDB,0xDF,0x9C,0x11,0x70,0xDF,0xCA,0x19,0x03,0x3D,0x3D,
  +    0xC1,0xAC,0x28,0x88,0x4F,0x13,0xAF,0x16,0x60,0x6B,0x5B,0x2F,
  +    0x56,0xC7,0x5B,0x5D,0xDE,0x8F,0x50,0x08,0xEC,0xB1,0xB9,0x29,
  +    0xAA,0x54,0xF4,0x05,0xC9,0xDF,0x95,0x9D,0x79,0xC6,0xEA,0x3F,
  +    0xC9,0x70,0x42,0xDA,0x90,0xC7,0xCC,0x12,0xB9,0x87,0x86,0x39,
  +    0x1E,0x1A,0xCE,0xF7,0x3F,0x15,0xB5,0x2B
  +};
  +static unsigned char dh2048_p[]={
  +    0xF2,0x4A,0xFC,0x7E,0x73,0x48,0x21,0x03,0xD1,0x1D,0xA8,0x16,
  +    0x87,0xD0,0xD2,0xDC,0x42,0xA8,0xD2,0x73,0xE3,0xA9,0x21,0x31,
  +    0x70,0x5D,0x69,0xC7,0x8F,0x95,0x0C,0x9F,0xB8,0x0E,0x37,0xAE,
  +    0xD1,0x6F,0x36,0x1C,0x26,0x63,0x2A,0x36,0xBA,0x0D,0x2A,0xF5,
  +    0x1A,0x0F,0xE8,0xC0,0xEA,0xD1,0xB5,0x52,0x47,0x1F,0x9A,0x0C,
  +    0x0F,0xED,0x71,0x51,0xED,0xE6,0x62,0xD5,0xF8,0x81,0x93,0x55,
  +    0xC1,0x0F,0xB4,0x72,0x64,0xB3,0x73,0xAA,0x90,0x9A,0x81,0xCE,
  +    0x03,0xFD,0x6D,0xB1,0x27,0x7D,0xE9,0x90,0x5E,0xE2,0x10,0x74,
  +    0x4F,0x94,0xC3,0x05,0x21,0x73,0xA9,0x12,0x06,0x9B,0x0E,0x20,
  +    0xD1,0x5F,0xF7,0xC9,0x4C,0x9D,0x4F,0xFA,0xCA,0x4D,0xFD,0xFF,
  +    0x6A,0x62,0x9F,0xF0,0x0F,0x3B,0xA9,0x1D,0xF2,0x69,0x29,0x00,
  +    0xBD,0xE9,0xB0,0x9D,0x88,0xC7,0x4A,0xAE,0xB0,0x53,0xAC,0xA2,
  +    0x27,0x40,0x88,0x58,0x8F,0x26,0xB2,0xC2,0x34,0x7D,0xA2,0xCF,
  +    0x92,0x60,0x9B,0x35,0xF6,0xF3,0x3B,0xC3,0xAA,0xD8,0x58,0x9C,
  +    0xCF,0x5D,0x9F,0xDB,0x14,0x93,0xFA,0xA3,0xFA,0x44,0xB1,0xB2,
  +    0x4B,0x0F,0x08,0x70,0x44,0x71,0x3A,0x73,0x45,0x8E,0x6D,0x9C,
  +    0x56,0xBC,0x9A,0xB5,0xB1,0x3D,0x8B,0x1F,0x1E,0x2B,0x0E,0x93,
  +    0xC2,0x9B,0x84,0xE2,0xE8,0xFC,0x29,0x85,0x83,0x8D,0x2E,0x5C,
  +    0xDD,0x9A,0xBB,0xFD,0xF0,0x87,0xBF,0xAF,0xC4,0xB6,0x1D,0xE7,
  +    0xF9,0x46,0x50,0x7F,0xC3,0xAC,0xFD,0xC9,0x8C,0x9D,0x66,0x6B,
  +    0x4C,0x6A,0xC9,0x3F,0x0C,0x0A,0x74,0x94,0x41,0x85,0x26,0x8F,
  +    0x9F,0xF0,0x7C,0x0B
  +};
  +static unsigned char dh4096_p[] = {
  +    0x8D,0xD3,0x8F,0x77,0x6F,0x6F,0xB0,0x74,0x3F,0x22,0xE9,0xD1,
  +    0x17,0x15,0x69,0xD8,0x24,0x85,0xCD,0xC4,0xE4,0x0E,0xF6,0x52,
  +    0x40,0xF7,0x1C,0x34,0xD0,0xA5,0x20,0x77,0xE2,0xFC,0x7D,0xA1,
  +    0x82,0xF1,0xF3,0x78,0x95,0x05,0x5B,0xB8,0xDB,0xB3,0xE4,0x17,
  +    0x93,0xD6,0x68,0xA7,0x0A,0x0C,0xC5,0xBB,0x9C,0x5E,0x1E,0x83,
  +    0x72,0xB3,0x12,0x81,0xA2,0xF5,0xCD,0x44,0x67,0xAA,0xE8,0xAD,
  +    0x1E,0x8F,0x26,0x25,0xF2,0x8A,0xA0,0xA5,0xF4,0xFB,0x95,0xAE,
  +    0x06,0x50,0x4B,0xD0,0xE7,0x0C,0x55,0x88,0xAA,0xE6,0xB8,0xF6,
  +    0xE9,0x2F,0x8D,0xA7,0xAD,0x84,0xBC,0x8D,0x4C,0xFE,0x76,0x60,
  +    0xCD,0xC8,0xED,0x7C,0xBF,0xF3,0xC1,0xF8,0x6A,0xED,0xEC,0xE9,
  +    0x13,0x7D,0x4E,0x72,0x20,0x77,0x06,0xA4,0x12,0xF8,0xD2,0x34,
  +    0x6F,0xDC,0x97,0xAB,0xD3,0xA0,0x45,0x8E,0x7D,0x21,0xA9,0x35,
  +    0x6E,0xE4,0xC9,0xC4,0x53,0xFF,0xE5,0xD9,0x72,0x61,0xC4,0x8A,
  +    0x75,0x78,0x36,0x97,0x1A,0xAB,0x92,0x85,0x74,0x61,0x7B,0xE0,
  +    0x92,0xB8,0xC6,0x12,0xA1,0x72,0xBB,0x5B,0x61,0xAA,0xE6,0x2C,
  +    0x2D,0x9F,0x45,0x79,0x9E,0xF4,0x41,0x93,0x93,0xEF,0x8B,0xEF,
  +    0xB7,0xBF,0x6D,0xF0,0x91,0x11,0x4F,0x7C,0x71,0x84,0xB5,0x88,
  +    0xA3,0x8C,0x1A,0xD5,0xD0,0x81,0x9C,0x50,0xAC,0xA9,0x2B,0xE9,
  +    0x92,0x2D,0x73,0x7C,0x0A,0xA3,0xFA,0xD3,0x6C,0x91,0x43,0xA6,
  +    0x80,0x7F,0xD7,0xC4,0xD8,0x6F,0x85,0xF8,0x15,0xFD,0x08,0xA6,
  +    0xF8,0x7B,0x3A,0xF4,0xD3,0x50,0xB4,0x2F,0x75,0xC8,0x48,0xB8,
  +    0xA8,0xFD,0xCA,0x8F,0x62,0xF1,0x4C,0x89,0xB7,0x18,0x67,0xB2,
  +    0x93,0x2C,0xC4,0xD4,0x71,0x29,0xA9,0x26,0x20,0xED,0x65,0x37,
  +    0x06,0x87,0xFC,0xFB,0x65,0x02,0x1B,0x3C,0x52,0x03,0xA1,0xBB,
  +    0xCF,0xE7,0x1B,0xA4,0x1A,0xE3,0x94,0x97,0x66,0x06,0xBF,0xA9,
  +    0xCE,0x1B,0x07,0x10,0xBA,0xF8,0xD4,0xD4,0x05,0xCF,0x53,0x47,
  +    0x16,0x2C,0xA1,0xFC,0x6B,0xEF,0xF8,0x6C,0x23,0x34,0xEF,0xB7,
  +    0xD3,0x3F,0xC2,0x42,0x5C,0x53,0x9A,0x00,0x52,0xCF,0xAC,0x42,
  +    0xD3,0x3B,0x2E,0xB6,0x04,0x32,0xE1,0x09,0xED,0x64,0xCD,0x6A,
  +    0x63,0x58,0xB8,0x43,0x56,0x5A,0xBE,0xA4,0x9F,0x68,0xD4,0xF7,
  +    0xC9,0x04,0xDF,0xCD,0xE5,0x93,0xB0,0x2F,0x06,0x19,0x3E,0xB8,
  +    0xAB,0x7E,0xF8,0xE7,0xE7,0xC8,0x53,0xA2,0x06,0xC3,0xC7,0xF9,
  +    0x18,0x3B,0x51,0xC3,0x9B,0xFF,0x8F,0x00,0x0E,0x87,0x19,0x68,
  +    0x2F,0x40,0xC0,0x68,0xFA,0x12,0xAE,0x57,0xB5,0xF0,0x97,0xCA,
  +    0x78,0x23,0x31,0xAB,0x67,0x7B,0x10,0x6B,0x59,0x32,0x9C,0x64,
  +    0x20,0x38,0x1F,0xC5,0x07,0x84,0x9E,0xC4,0x49,0xB1,0xDF,0xED,
  +    0x7A,0x8A,0xC3,0xE0,0xDD,0x30,0x55,0xFF,0x95,0x45,0xA6,0xEE,
  +    0xCB,0xE4,0x26,0xB9,0x8E,0x89,0x37,0x63,0xD4,0x02,0x3D,0x5B,
  +    0x4F,0xE5,0x90,0xF6,0x72,0xF8,0x10,0xEE,0x31,0x04,0x54,0x17,
  +    0xE3,0xD5,0x63,0x84,0x80,0x62,0x54,0x46,0x85,0x6C,0xD2,0xC1,
  +    0x3E,0x19,0xBD,0xE2,0x80,0x11,0x86,0xC7,0x4B,0x7F,0x67,0x86,
  +    0x47,0xD2,0x38,0xCD,0x8F,0xFE,0x65,0x3C,0x11,0xCD,0x96,0x99,
  +    0x4E,0x45,0xEB,0xEC,0x1D,0x94,0x8C,0x53,
  +};
  +static unsigned char dhxxx2_g[]={
  +    0x02
   };
   
  -static DH *ssl_dh_configure(unsigned char *p, int plen,
  -                            unsigned char *g, int glen)
  +static DH *get_dh(int idx)
   {
       DH *dh;
   
  -    if (!(dh = DH_new())) {
  +    if ((dh = DH_new()) == NULL)
           return NULL;
  +    switch (idx) {
  +        case SSL_TMP_KEY_DH_512:
  +            dh->p = BN_bin2bn(dh0512_p, sizeof(dh0512_p), NULL);
  +        break;
  +        case SSL_TMP_KEY_DH_1024:
  +            dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
  +        break;
  +        case SSL_TMP_KEY_DH_2048:
  +            dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
  +        break;
  +        case SSL_TMP_KEY_DH_4096:
  +            dh->p = BN_bin2bn(dh4096_p, sizeof(dh2048_p), NULL);
  +        break;
       }
  -
  -#if defined(OPENSSL_VERSION_NUMBER) || (SSLC_VERSION_NUMBER < 0x2000)
  -    dh->p = BN_bin2bn(p, plen, NULL);
  -    dh->g = BN_bin2bn(g, glen, NULL);
  -    if (!(dh->p && dh->g)) {
  +    dh->g = BN_bin2bn(dhxxx2_g, sizeof(dhxxx2_g), NULL);
  +    if ((dh->p == NULL) || (dh->g == NULL)) {
           DH_free(dh);
           return NULL;
       }
  -#else
  -    R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_P, 0, p, plen, R_EITEMS_PF_COPY);
  -    R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_G, 0, g, glen, R_EITEMS_PF_COPY);
  -#endif
  -
  -    return dh;
  -}
  -
  -static DH *get_dh512(void)
  -{
  -    return ssl_dh_configure(dh512_p, sizeof(dh512_p),
  -                            dh512_g, sizeof(dh512_g));
  -}
  -
  -static unsigned char dh1024_p[] =
  -{
  -    0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3,
  -    0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E,
  -    0x2A, 0x20, 0x64, 0x90, 0x4A, 0x79, 0xA7, 0x70, 0xFA, 0x15, 0xA2, 0x59,
  -    0xCB, 0xD5, 0x23, 0xA6, 0xA6, 0xEF, 0x09, 0xC4, 0x30, 0x48, 0xD5, 0xA2,
  -    0x2F, 0x97, 0x1F, 0x3C, 0x20, 0x12, 0x9B, 0x48, 0x00, 0x0E, 0x6E, 0xDD,
  -    0x06, 0x1C, 0xBC, 0x05, 0x3E, 0x37, 0x1D, 0x79, 0x4E, 0x53, 0x27, 0xDF,
  -    0x61, 0x1E, 0xBB, 0xBE, 0x1B, 0xAC, 0x9B, 0x5C, 0x60, 0x44, 0xCF, 0x02,
  -    0x3D, 0x76, 0xE0, 0x5E, 0xEA, 0x9B, 0xAD, 0x99, 0x1B, 0x13, 0xA6, 0x3C,
  -    0x97, 0x4E, 0x9E, 0xF1, 0x83, 0x9E, 0xB5, 0xDB, 0x12, 0x51, 0x36, 0xF7,
  -    0x26, 0x2E, 0x56, 0xA8, 0x87, 0x15, 0x38, 0xDF, 0xD8, 0x23, 0xC6, 0x50,
  -    0x50, 0x85, 0xE2, 0x1F, 0x0D, 0xD5, 0xC8, 0x6B,
  -};
  -static unsigned char dh1024_g[] =
  -{
  -    0x02,
  -};
  -
  -static DH *get_dh1024(void)
  -{
  -    return ssl_dh_configure(dh1024_p, sizeof(dh1024_p),
  -                            dh1024_g, sizeof(dh1024_g));
  +    else
  +        return dh;
   }
  -/* ----END GENERATED SECTION---------- */
   
  -DH *SSL_dh_get_tmp_param(int nKeyLen)
  +DH *SSL_dh_get_tmp_param(int key_len)
   {
       DH *dh;
   
  -    if (nKeyLen == 512)
  -        dh = get_dh512();
  -    else if (nKeyLen == 1024)
  -        dh = get_dh1024();
  +    if (key_len == 512)
  +        dh = get_dh(SSL_TMP_KEY_DH_512);
  +    else if (key_len == 1024)
  +        dh = get_dh(SSL_TMP_KEY_DH_1024);
  +    else if (key_len == 2048)
  +        dh = get_dh(SSL_TMP_KEY_DH_2048);
  +    else if (key_len == 4096)
  +        dh = get_dh(SSL_TMP_KEY_DH_4096);
       else
  -        dh = get_dh1024();
  +        dh = get_dh(SSL_TMP_KEY_DH_1024);
       return dh;
   }
   
  @@ -332,13 +381,20 @@
        * we won't be asked for keylen > 512 in that case.
        * if we are asked for a keylen > 1024, it is too expensive
        * to generate on the fly.
  -     * XXX: any reason not to generate 2048 bit keys at startup?
        */
   
       switch (keylen) {
           case 512:
               idx = SSL_TMP_KEY_RSA_512;
           break;
  +        case 2048:
  +            idx = SSL_TMP_KEY_RSA_2048;
  +        break;
  +        case 4096:
  +            idx = SSL_TMP_KEY_RSA_4096;
  +            if (conn->ctx->temp_keys[idx] == NULL)
  +                idx = SSL_TMP_KEY_RSA_2048;
  +        break;
           case 1024:
           default:
               idx = SSL_TMP_KEY_RSA_1024;
  @@ -358,6 +414,12 @@
           case 512:
               idx = SSL_TMP_KEY_DH_512;
           break;
  +        case 2048:
  +            idx = SSL_TMP_KEY_DH_2048;
  +        break;
  +        case 4096:
  +            idx = SSL_TMP_KEY_DH_4096;
  +        break;
           case 1024:
           default:
               idx = SSL_TMP_KEY_DH_1024;
  @@ -390,7 +452,7 @@
    * format, possibly followed by a sequence of CA certificates that
    * should be sent to the peer in the SSL Certificate message.
    */
  -int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *file,
  +int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file,
                                     int skipfirst)
   {
       BIO *bio;
  @@ -414,7 +476,7 @@
           X509_free(x509);
       }
       /* free a perhaps already configured extra chain */
  -    extra_certs=SSL_CTX_get_extra_certs(ctx);
  +    extra_certs = SSL_CTX_get_extra_certs(ctx);
       if (extra_certs != NULL) {
           sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
           SSL_CTX_set_extra_certs(ctx,NULL);
  @@ -442,102 +504,6 @@
       return n;
   }
   
  -static int ssl_init_X509NameCmp(X509_NAME **a, X509_NAME **b)
  -{
  -    return (X509_NAME_cmp(*a, *b));
  -}
  -
  -static void ssl_init_pushCAList(STACK_OF(X509_NAME) *ca_list,
  -                                const char *file)
  -{
  -    int n;
  -    STACK_OF(X509_NAME) *sk;
  -
  -    sk = (STACK_OF(X509_NAME) *)
  -             SSL_load_client_CA_file((char *)file);
  -
  -    if (!sk) {
  -        return;
  -    }
  -
  -    for (n = 0; n < sk_X509_NAME_num(sk); n++) {
  -        X509_NAME *name = sk_X509_NAME_value(sk, n);
  -        /*
  -         * note that SSL_load_client_CA_file() checks for duplicates,
  -         * but since we call it multiple times when reading a directory
  -         * we must also check for duplicates ourselves.
  -         */
  -
  -        if (sk_X509_NAME_find(ca_list, name) < 0) {
  -            /* this will be freed when ca_list is */
  -            sk_X509_NAME_push(ca_list, name);
  -        }
  -        else {
  -            /* need to free this ourselves, else it will leak */
  -            X509_NAME_free(name);
  -        }
  -    }
  -    sk_X509_NAME_free(sk);
  -}
  -
  -STACK_OF(X509_NAME) *SSL_init_findCAList(tcn_ssl_ctxt_t *c,
  -                                         const char *ca_file,
  -                                         const char *ca_path)
  -{
  -    STACK_OF(X509_NAME) *ca_list;
  -
  -    /*
  -     * Start with a empty stack/list where new
  -     * entries get added in sorted order.
  -     */
  -    ca_list = sk_X509_NAME_new(ssl_init_X509NameCmp);
  -
  -    /*
  -     * Process CA certificate bundle file
  -     */
  -    if (ca_file)
  -        ssl_init_pushCAList(ca_list, ca_file);
  -
  -    /*
  -     * Process CA certificate path files
  -     */
  -    if (ca_path) {
  -        apr_dir_t *dir;
  -        apr_finfo_t direntry;
  -        apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
  -        apr_status_t rv;
  -        apr_pool_t *ptemp;
  -
  -        if ((apr_pool_create(&ptemp, c->pool)) != APR_SUCCESS)
  -            return NULL;
  -        if ((rv = apr_dir_open(&dir, ca_path, c->pool)) != APR_SUCCESS) {
  -            BIO_printf(c->bio_os, "[ERROR] "
  -                       "Failed to open Certificate Path `%s'",
  -                       ca_path);
  -            apr_pool_destroy(ptemp);
  -            return NULL;
  -        }
  -
  -        while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
  -            const char *file;
  -            if (direntry.filetype == APR_DIR)
  -                continue; /* don't try to load directories */
  -            file = apr_pstrcat(ptemp, ca_path, "/", direntry.name, NULL);
  -            ssl_init_pushCAList(ca_list, file);
  -        }
  -
  -        apr_dir_close(dir);
  -        apr_pool_destroy(ptemp);
  -    }
  -
  -    /*
  -     * Cleanup
  -     */
  -    sk_X509_NAME_set_cmp_func(ca_list, NULL);
  -    return ca_list;
  -}
  -
  -
   /*
    * This OpenSSL callback function is called when OpenSSL
    * does client authentication and verifies the certificate chain.
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message