Posted to dev@tomcat.apache.org by rj...@apache.org on 2015/05/22 21:05:38 UTC
svn commit: r1681189 - in /tomcat/native/trunk/native: include/ssl_private.h
src/ssl.c src/sslcontext.c src/sslutils.c
Author: rjung
Date: Fri May 22 19:05:38 2015
New Revision: 1681189
URL: http://svn.apache.org/r1681189
Log:
Port mod_ssl improvements to tcnative/ssl:
Partial backport of r1527295 from httpd/mod_ssl:
Improve ephemeral key handling (companion to r1526168):
- allow configuring custom DHE or ECDHE parameters via the
SSLCertificateFile directive.
- add ssl_ec_GetParamFromFile()
Sync name SSL_dh_GetParamFromFile with mod_ssl.
Modified:
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/ssl.c
tomcat/native/trunk/native/src/sslcontext.c
tomcat/native/trunk/native/src/sslutils.c
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1681189&r1=1681188&r2=1681189&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Fri May 22 19:05:38 2015
@@ -333,7 +333,10 @@ int SSL_password_prompt(tcn_pass
int SSL_password_callback(char *, int, int, void *);
void SSL_BIO_close(BIO *);
void SSL_BIO_doref(BIO *);
-DH *SSL_dh_get_param_from_file(const char *);
+DH *SSL_dh_GetParamFromFile(const char *);
+#ifdef HAVE_ECC
+EC_GROUP *SSL_ec_GetParamFromFile(const char *);
+#endif
DH *SSL_callback_tmp_DH(SSL *, int, int);
void SSL_callback_handshake(const SSL *, int, int);
int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
Modified: tomcat/native/trunk/native/src/ssl.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1681189&r1=1681188&r2=1681189&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/ssl.c (original)
+++ tomcat/native/trunk/native/src/ssl.c Fri May 22 19:05:38 2015
@@ -995,30 +995,6 @@ TCN_IMPLEMENT_CALL(void, SSL, setPasswor
TCN_FREE_CSTRING(password);
}
-// Commented out but might get reused later
-#if 0
-TCN_IMPLEMENT_CALL(jboolean, SSL, loadDSATempKey)(TCN_STDARGS, jint idx,
- jstring file)
-{
- jboolean r = JNI_FALSE;
- TCN_ALLOC_CSTRING(file);
- DH *dh;
- UNREFERENCED(o);
-
- if (!J2S(file))
- return JNI_FALSE;
- /* Removed */
- SSL_TMP_KEY_FREE(DSA, idx);
- if ((dh = SSL_dh_get_param_from_file(J2S(file)))) {
- /* Removed */
- SSL_temp_keys[idx] = dh;
- r = JNI_TRUE;
- }
- TCN_FREE_CSTRING(file);
- return r;
-}
-#endif
-
TCN_IMPLEMENT_CALL(jstring, SSL, getLastError)(TCN_STDARGS)
{
char buf[256];
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1681189&r1=1681188&r2=1681189&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Fri May 22 19:05:38 2015
@@ -241,15 +241,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
EVP_Digest((const unsigned char *)SSL_DEFAULT_VHOST_NAME,
(unsigned long)((sizeof SSL_DEFAULT_VHOST_NAME) - 1),
&(c->context_id[0]), NULL, EVP_sha1(), NULL);
- if (mode) {
-#ifdef HAVE_ECC
- /* Set default (nistp256) elliptic curve for ephemeral ECDH keys */
- EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- SSL_CTX_set_tmp_ecdh(c->ctx, ecdh);
- EC_KEY_free(ecdh);
-#endif
- SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
- }
+
/* Set default Certificate verification level
* and depth for the Client Authentication
*/
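Review bot: Removing this block means a context created by `make` receives SSL_CTX_set_tmp_dh_callback and the ECDH default only once setCertificate runs, and the former `if (mode)` guard is not reproduced there, so the ephemeral-key setup now applies to client-mode contexts as well; if any server path creates a context without ever calling setCertificate, DHE/ECDHE would silently stop being offered, which is worth confirming. The replacement also leaves a stray added empty line (`+` with no content) where the block was, which should simply be dropped. The enclosing make function begins before this hunk.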
@@ -701,6 +693,12 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
const char *key_file, *cert_file;
const char *p;
char err[256];
+#ifdef HAVE_ECC
+ EC_GROUP *ecparams;
+ int nid;
+ EC_KEY *eckey = NULL;
+#endif
+ DH *dhparams;
UNREFERENCED(o);
TCN_ASSERT(ctx != 0);
@@ -769,6 +767,42 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
rv = JNI_FALSE;
goto cleanup;
}
+
+ /*
+ * Try to read DH parameters from the (first) SSLCertificateFile
+ */
+ /* XXX Does this also work for pkcs12 or only for PEM files?
+ * If only for PEM files move above to the PEM handling */
+ if ((dhparams = SSL_dh_GetParamFromFile(cert_file))) {
+ SSL_CTX_set_tmp_dh(c->ctx, dhparams);
+ }
+
+#ifdef HAVE_ECC
+ /*
+ * Similarly, try to read the ECDH curve name from SSLCertificateFile...
+ */
+ /* XXX Does this also work for pkcs12 or only for PEM files?
+ * If only for PEM files move above to the PEM handling */
+ if ((ecparams = SSL_ec_GetParamFromFile(cert_file)) &&
+ (nid = EC_GROUP_get_curve_name(ecparams)) &&
+ (eckey = EC_KEY_new_by_curve_name(nid))) {
+ SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
+ }
+ /*
+ * ...otherwise, configure NIST P-256 (required to enable ECDHE)
+ */
+ else {
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(c->ctx, 1);
+#else
+ eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
+#endif
+ }
+ EC_KEY_free(eckey);
+#endif
+ SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
+
cleanup:
TCN_FREE_CSTRING(cert);
TCN_FREE_CSTRING(key);
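Review bot: The DH parameters returned by the new `SSL_dh_GetParamFromFile(cert_file)` call are never released: SSL_CTX_set_tmp_dh() keeps its own copy, so `dhparams` leaks once per setCertificate call, and `ecparams` from `SSL_ec_GetParamFromFile` leaks the same way since it is only used to extract a curve nid. Add `DH_free(dhparams);` inside the first if-block after the SSL_CTX_set_tmp_dh call and `EC_GROUP_free(ecparams);` next to the existing `EC_KEY_free(eckey);` (both accept NULL, and ecparams is always assigned because it is the first operand of the && chain). Neither SSL_CTX_set_tmp_dh nor SSL_CTX_set_tmp_ecdh has its return value checked, so a parameter set that OpenSSL rejects is silently ignored; it could presumably be reported through the `err` buffer declared earlier in the function. The enclosing setCertificate function starts before this hunk.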
Modified: tomcat/native/trunk/native/src/sslutils.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1681189&r1=1681188&r2=1681189&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Fri May 22 19:05:38 2015
@@ -157,7 +157,12 @@ int SSL_password_callback(char *buf, int
return (int)strlen(buf);
}
-DH *SSL_dh_get_param_from_file(const char *file)
+/* _________________________________________________________________
+**
+** Custom (EC)DH parameter support
+** _________________________________________________________________
+*/
+DH *SSL_dh_GetParamFromFile(const char *file)
{
DH *dh = NULL;
BIO *bio;
@@ -169,6 +174,20 @@ DH *SSL_dh_get_param_from_file(const cha
return dh;
}
+#ifdef HAVE_ECC
+EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
+{
+ EC_GROUP *group = NULL;
+ BIO *bio;
+
+ if ((bio = BIO_new_file(file, "r")) == NULL)
+ return NULL;
+ group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+ return (group);
+}
+#endif
+
/*
* Grab well-defined DH parameters from OpenSSL, see <openssl/bn.h>
* (get_rfc*) for all available primes.
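Review bot: `SSL_ec_GetParamFromFile` returns NULL for the common case of a certificate file that carries no EC parameters, but leaves the failed PEM_read_bio_ECPKParameters error (typically PEM_R_NO_START_LINE) on the thread's OpenSSL error queue, where callers that drain it later, such as SSL.getLastError, would presumably see it as a stale failure; since setCertificate now probes every certificate file this way, add `if (group == NULL) ERR_clear_error();` before the return. The same consideration applies to the renamed SSL_dh_GetParamFromFile above, whose body lies mostly outside this hunk. Minor style: `return (group);` parenthesizes the value while the neighbouring DH helper uses `return dh;`.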