You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by mt...@apache.org on 2005/05/30 08:17:54 UTC
cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslutils.c
mturk 2005/05/29 23:17:54
Modified: jni/native/include ssl_private.h tcn.h
jni/native/src ssl.c sslutils.c
Log:
Add random seed functions for PRNG initialization.
Revision Changes Path
1.4 +100 -2 jakarta-tomcat-connectors/jni/native/include/ssl_private.h
Index: ssl_private.h
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- ssl_private.h 24 May 2005 09:24:39 -0000 1.3
+++ ssl_private.h 30 May 2005 06:17:54 -0000 1.4
@@ -18,7 +18,7 @@
* @author Mladen Turk
* @version $Revision$, $Date$
*/
-
+
#ifndef SSL_PRIVATE_H
#define SSL_PRIVATE_H
@@ -38,6 +38,104 @@
#include <openssl/engine.h>
#endif
+#ifndef RAND_MAX
+#include <limits.h>
+#define RAND_MAX INT_MAX
+#endif
+
+#define SSL_ALGO_UNKNOWN (0)
+#define SSL_ALGO_RSA (1<<0)
+#define SSL_ALGO_DSA (1<<1)
+#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA)
+
+#define SSL_AIDX_RSA (0)
+#define SSL_AIDX_DSA (1)
+#define SSL_AIDX_MAX (2)
+
+/*
+ * Define IDs for the temporary RSA keys and DH params
+ */
+
+#define SSL_TMP_KEY_RSA_512 (0)
+#define SSL_TMP_KEY_RSA_1024 (1)
+#define SSL_TMP_KEY_DH_512 (2)
+#define SSL_TMP_KEY_DH_1024 (3)
+#define SSL_TMP_KEY_MAX (4)
+
+/*
+ * Define the SSL options
+ */
+#define SSL_OPT_NONE (0)
+#define SSL_OPT_RELSET (1<<0)
+#define SSL_OPT_STDENVVARS (1<<1)
+#define SSL_OPT_EXPORTCERTDATA (1<<3)
+#define SSL_OPT_FAKEBASICAUTH (1<<4)
+#define SSL_OPT_STRICTREQUIRE (1<<5)
+#define SSL_OPT_OPTRENEGOTIATE (1<<6)
+#define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
+
+/*
+ * Define the SSL Protocol options
+ */
+#define SSL_PROTOCOL_NONE (0)
+#define SSL_PROTOCOL_SSLV2 (1<<0)
+#define SSL_PROTOCOL_SSLV3 (1<<1)
+#define SSL_PROTOCOL_TLSV1 (1<<2)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+
+/* public cert/private key */
+typedef struct {
+ /*
+ * server only has 1-2 certs/keys
+ * 1 RSA and/or 1 DSA
+ */
+ const char *cert_files[SSL_AIDX_MAX];
+ const char *key_files[SSL_AIDX_MAX];
+ X509 *certs[SSL_AIDX_MAX];
+ EVP_PKEY *keys[SSL_AIDX_MAX];
+
+ /* Certificates which specify the set of CA names which should be
+ * sent in the CertificateRequest message: */
+ const char *ca_name_path;
+ const char *ca_name_file;
+} ssl_pks_t;
+
+typedef struct {
+ /* client can have any number of cert/key pairs */
+ const char *cert_file;
+ const char *cert_path;
+ STACK_OF(X509_INFO) *certs;
+} ssl_pkc_t;
+
+struct tcn_ssl_ctxt {
+ apr_pool_t *pool;
+ SSL_CTX *ctx;
+ unsigned char vhost_id[MD5_DIGEST_LENGTH];
+
+ int protocol;
+ /* we are one or the other */
+ int mode;
+ union {
+ ssl_pks_t s;
+ ssl_pkc_t c;
+ } pk;
+
+ const char *cert_chain;
+ /* certificate revocation list */
+ const char *crl_path;
+ const char *crl_file;
+ X509_STORE *crl;
+
+ /* known/trusted CAs */
+ const char *ca_cert_path;
+ const char *ca_cert_file;
+ const char *cipher_suite;
+ /* for client or downstream server authentication */
+ int verify_depth;
+ int verify_mode;
+
+};
+typedef struct tcn_ssl_ctxt tcn_ssl_ctxt_t;
#endif /* SSL_PRIVATE_H */
1.9 +4 -3 jakarta-tomcat-connectors/jni/native/include/tcn.h
Index: tcn.h
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/tcn.h,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- tcn.h 28 May 2005 08:29:14 -0000 1.8
+++ tcn.h 30 May 2005 06:17:54 -0000 1.9
@@ -55,13 +55,14 @@
#define TCN_IMPLEMENT_CALL(RT, CL, FN) \
JNIEXPORT RT JNICALL Java_org_apache_tomcat_jni_##CL##_##FN
-
+/* Private helper functions */
void tcn_Throw(JNIEnv *env, const char *cname, const char *msg);
void tcn_ThrowException(JNIEnv *env, const char *msg);
void tcn_ThrowAPRException(JNIEnv *env, apr_status_t err);
jstring tcn_new_string(JNIEnv *env, const char *str);
char *tcn_get_string(JNIEnv *env, jstring jstr);
-char *tcn_dup_string(JNIEnv *env, jstring jstr);
+char *tcn_strdup(JNIEnv *env, jstring jstr);
+char *tcn_pstrdup(JNIEnv *env, jstring jstr, apr_pool_t *p);
apr_status_t tcn_load_finfo_class(JNIEnv *env);
apr_status_t tcn_load_ainfo_class(JNIEnv *env);
1.13 +154 -2 jakarta-tomcat-connectors/jni/native/src/ssl.c
Index: ssl.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- ssl.c 24 May 2005 09:34:05 -0000 1.12
+++ ssl.c 30 May 2005 06:17:54 -0000 1.13
@@ -18,12 +18,14 @@
* @author Mladen Turk
* @version $Revision$, $Date$
*/
-
+
#include "apr.h"
#include "apr_pools.h"
#include "apr_file_io.h"
#include "apr_portable.h"
#include "apr_thread_mutex.h"
+#include "apr_strings.h"
+#include "apr_atomic.h"
#include "tcn.h"
@@ -173,6 +175,123 @@
apr_pool_cleanup_null);
}
+static int ssl_rand_choosenum(int l, int h)
+{
+ int i;
+ char buf[50];
+
+ apr_snprintf(buf, sizeof(buf), "%.0f",
+ (((double)(rand()%RAND_MAX)/RAND_MAX)*(h-l)));
+ i = atoi(buf)+1;
+ if (i < l) i = l;
+ if (i > h) i = h;
+ return i;
+}
+
+static int ssl_rand_load_file(const char *file)
+{
+ char buffer[200];
+ int n;
+
+ if (file == NULL)
+ file = RAND_file_name(buffer, sizeof(buffer));
+ else if ((n = RAND_egd(file)) > 0) {
+ return n;
+ }
+ if (file && (n = RAND_load_file(file, -1)) > 0)
+ return n;
+ else
+ return -1;
+}
+
+/*
+ * writes a number of random bytes (currently 1024) to
+ * file which can be used to initialize the PRNG by calling
+ * RAND_load_file() in a later session
+ */
+static int ssl_rand_save_file(const char *file)
+{
+ char buffer[200];
+ int n;
+
+ if (file == NULL)
+ file = RAND_file_name(buffer, sizeof(buffer));
+ else if ((n = RAND_egd(file)) > 0) {
+ return 0;
+ }
+ if (file == NULL || !RAND_write_file(file))
+ return 0;
+ else
+ return 1;
+}
+
+static int ssl_rand_seed(const char *file)
+{
+ unsigned char stackdata[256];
+ static volatile apr_uint32_t counter = 0;
+
+ if (ssl_rand_load_file(file) < 0) {
+ int n;
+ struct {
+ apr_time_t t;
+ pid_t p;
+ unsigned long i;
+ apr_uint32_t u;
+ } _ssl_seed;
+ _ssl_seed.t = apr_time_now();
+ _ssl_seed.p = getpid();
+ _ssl_seed.i = ssl_thread_id();
+ apr_atomic_inc32(&counter);
+ _ssl_seed.u = counter;
+ RAND_seed((unsigned char *)&_ssl_seed, sizeof(_ssl_seed));
+ /*
+ * seed in some current state of the run-time stack (128 bytes)
+ */
+ n = ssl_rand_choosenum(0, sizeof(stackdata)-128-1);
+ RAND_seed(stackdata + n, 128);
+ }
+ return RAND_status();
+}
+
+static int ssl_rand_make(const char *file, int len, int base64)
+{
+ int r;
+ int num = len;
+ BIO *out = NULL;
+
+ out = BIO_new(BIO_s_file());
+ if (out == NULL)
+ return 0;
+ if ((r = BIO_write_filename(out, (char *)file)) < 0) {
+ BIO_free_all(out);
+ return 0;
+ }
+ if (base64) {
+ BIO *b64 = BIO_new(BIO_f_base64());
+ if (b64 == NULL) {
+ BIO_free_all(out);
+ return 0;
+ }
+ out = BIO_push(b64, out);
+ }
+ while (num > 0) {
+ unsigned char buf[4096];
+ int len = num;
+ if (len > sizeof(buf))
+ len = sizeof(buf);
+ r = RAND_bytes(buf, len);
+ if (r <= 0) {
+ BIO_free_all(out);
+ return 0;
+ }
+ BIO_write(out, buf, len);
+ num -= len;
+ }
+ BIO_flush(out);
+ BIO_free_all(out);
+ return 1;
+}
+
TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
{
TCN_ALLOC_CSTRING(engine);
@@ -230,6 +349,8 @@
tcn_ssl_engine = ee;
}
#endif
+ /* Initialize PRNG */
+ ssl_rand_seed(NULL);
/*
* Let us cleanup the ssl library when the library is unloaded
*/
@@ -242,6 +363,37 @@
return (jint)APR_SUCCESS;
}
+TCN_IMPLEMENT_CALL(jboolean, SSL, randLoad)(TCN_STDARGS, jstring file)
+{
+ TCN_ALLOC_CSTRING(file);
+ int r;
+ UNREFERENCED(o);
+ r = ssl_rand_seed(J2S(file));
+ TCN_FREE_CSTRING(file);
+ return r ? JNI_TRUE : JNI_FALSE;
+}
+
+TCN_IMPLEMENT_CALL(jboolean, SSL, randSave)(TCN_STDARGS, jstring file)
+{
+ TCN_ALLOC_CSTRING(file);
+ int r;
+ UNREFERENCED(o);
+ r = ssl_rand_save_file(J2S(file));
+ TCN_FREE_CSTRING(file);
+ return r ? JNI_TRUE : JNI_FALSE;
+}
+
+TCN_IMPLEMENT_CALL(jboolean, SSL, randMake)(TCN_STDARGS, jstring file,
+ jint length, jboolean base64)
+{
+ TCN_ALLOC_CSTRING(file);
+ int r;
+ UNREFERENCED(o);
+ r = ssl_rand_make(J2S(file), length, base64);
+ TCN_FREE_CSTRING(file);
+ return r ? JNI_TRUE : JNI_FALSE;
+}
+
#else
/* OpenSSL is not supported
* If someday we make OpenSSL optional
1.2 +2 -1 jakarta-tomcat-connectors/jni/native/src/sslutils.c
Index: sslutils.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sslutils.c 24 May 2005 10:53:20 -0000 1.1
+++ sslutils.c 30 May 2005 06:17:54 -0000 1.2
@@ -30,6 +30,7 @@
#ifdef HAVE_OPENSSL
#include "ssl_private.h"
+
#else
/* OpenSSL is not supported
* If someday we make OpenSSL optional
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org