Posted to commits@commons.apache.org by mt...@apache.org on 2011/09/12 16:22:06 UTC
svn commit: r1169761 - in /commons/sandbox/runtime/trunk/src/main/native:
include/acr/ssl.h modules/openssl/api.c
Author: mturk
Date: Mon Sep 12 14:22:05 2011
New Revision: 1169761
URL: http://svn.apache.org/viewvc?rev=1169761&view=rev
Log:
Add more SSL methods
Modified:
commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1169761&r1=1169760&r2=1169761&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Mon Sep 12 14:22:05 2011
@@ -60,41 +60,74 @@
#define RAND_MAX INT_MAX
#endif
-#define SSL_ALGO_UNKNOWN (0)
-#define SSL_ALGO_RSA (1<<0)
-#define SSL_ALGO_DSA (1<<1)
+#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
+ && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_OCSP_STAPLING
+#if (OPENSSL_VERSION_NUMBER < 0x10000000)
+#define sk_OPENSSL_STRING_pop sk_pop
+#endif
+#endif
+
+/* Default setting for per-dir reneg buffer. */
+#ifndef DEFAULT_RENEG_BUFFER_SIZE
+#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
+#endif
+
+/* Default for OCSP response validity */
+#ifndef DEFAULT_OCSP_MAX_SKEW
+#define DEFAULT_OCSP_MAX_SKEW (60 * 5)
+#endif
+
+/* Default timeout for OCSP queries */
+#ifndef DEFAULT_OCSP_TIMEOUT
+#define DEFAULT_OCSP_TIMEOUT 10
+#endif
+
+#define SSL_ALGO_UNKNOWN 0
+#define SSL_ALGO_RSA 1
+#define SSL_ALGO_DSA 2
+#ifndef OPENSSL_NO_EC
+#define SSL_ALGO_ECC 4
+#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
+#else
#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA)
+#endif
-#define SSL_AIDX_RSA (0)
-#define SSL_AIDX_DSA (1)
-#define SSL_AIDX_MAX (2)
+#define SSL_AIDX_RSA 0
+#define SSL_AIDX_DSA 1
+#ifndef OPENSSL_NO_EC
+#define SSL_AIDX_ECC 2
+#define SSL_AIDX_MAX 3
+#else
+#define SSL_AIDX_MAX 2
+#endif
/*
* Define IDs for the temporary RSA keys and DH params
*/
-#define SSL_TMP_KEY_RSA_512 (0)
-#define SSL_TMP_KEY_RSA_1024 (1)
-#define SSL_TMP_KEY_RSA_2048 (2)
-#define SSL_TMP_KEY_RSA_4096 (3)
-#define SSL_TMP_KEY_DH_512 (4)
-#define SSL_TMP_KEY_DH_1024 (5)
-#define SSL_TMP_KEY_DH_2048 (6)
-#define SSL_TMP_KEY_DH_4096 (7)
-#define SSL_TMP_KEY_MAX (8)
-
-#define SSL_CRT_FORMAT_UNDEF (0)
-#define SSL_CRT_FORMAT_ASN1 (1)
-#define SSL_CRT_FORMAT_TEXT (2)
-#define SSL_CRT_FORMAT_PEM (3)
-#define SSL_CRT_FORMAT_NETSCAPE (4)
-#define SSL_CRT_FORMAT_PKCS12 (5)
-#define SSL_CRT_FORMAT_SMIME (6)
-#define SSL_CRT_FORMAT_ENGINE (7)
+#define SSL_TMP_KEY_RSA_512 0
+#define SSL_TMP_KEY_RSA_1024 1
+#define SSL_TMP_KEY_RSA_2048 2
+#define SSL_TMP_KEY_RSA_4096 3
+#define SSL_TMP_KEY_DH_512 4
+#define SSL_TMP_KEY_DH_1024 5
+#define SSL_TMP_KEY_DH_2048 6
+#define SSL_TMP_KEY_DH_4096 7
+#define SSL_TMP_KEY_MAX 8
+
+#define SSL_CRT_FORMAT_UNDEF 0
+#define SSL_CRT_FORMAT_ASN1 1
+#define SSL_CRT_FORMAT_TEXT 2
+#define SSL_CRT_FORMAT_PEM 3
+#define SSL_CRT_FORMAT_NETSCAPE 4
+#define SSL_CRT_FORMAT_PKCS12 5
+#define SSL_CRT_FORMAT_SMIME 6
+#define SSL_CRT_FORMAT_ENGINE 7
/* XXX this stupid macro helps us to avoid
* adding yet another param to load_*key()
*/
-#define SSL_KEY_FORMAT_IISSGC (8)
+#define SSL_KEY_FORMAT_IISSGC 8
/*
* Define the SSL options
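Review bot: The new default macros near the top of the hunk have comments that do not state their units; `DEFAULT_OCSP_MAX_SKEW (60 * 5)` and `DEFAULT_OCSP_TIMEOUT 10` are presumably seconds and `DEFAULT_RENEG_BUFFER_SIZE` bytes, but a reader of ssl.h has to guess. Suggested comments: `/* Default maximum clock skew tolerated when checking OCSP response validity, in seconds */` and `/* Default timeout for OCSP responder queries, in seconds */`. The "per-dir" wording on the reneg buffer comment looks inherited from httpd's per-directory configuration and does not describe anything in this header; `/* Default size of the buffer retained across a renegotiation, in bytes */` would fit better, if that is what the value sizes. The compatibility define `sk_OPENSSL_STRING_pop` under `< 0x10000000` would also benefit from a one-line comment naming which OpenSSL API difference it papers over.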
@@ -111,84 +144,85 @@
/*
* Define the SSL Protocol options
*/
-#define SSL_PROTOCOL_NONE (0)
-#define SSL_PROTOCOL_SSLV2 (1)
-#define SSL_PROTOCOL_SSLV3 (2)
-#define SSL_PROTOCOL_SSLV23 (3)
-#define SSL_PROTOCOL_TLSV1 (4)
-#define SSL_PROTOCOL_DTLSV1 (5)
-
-#define SSL_MODE_CLIENT (0)
-#define SSL_MODE_SERVER (1)
-#define SSL_MODE_COMBINED (2)
-
-#define SSL_BIO_FLAG_RDONLY (1<<0)
-#define SSL_BIO_FLAG_CALLBACK (1<<1)
-#define SSL_DEFAULT_CACHE_SIZE (256)
-#define SSL_MAX_STR_LEN (2048)
-
-#define SSL_CVERIFY_UNSET (-1)
-#define SSL_CVERIFY_NONE (0)
-#define SSL_CVERIFY_OPTIONAL (1)
-#define SSL_CVERIFY_REQUIRE (2)
-#define SSL_CVERIFY_OPTIONAL_NO_CA (3)
+#define SSL_PROTOCOL_NONE 0
+#define SSL_PROTOCOL_SSLV2 1
+#define SSL_PROTOCOL_SSLV3 2
+#define SSL_PROTOCOL_SSLV23 3
+#define SSL_PROTOCOL_TLSV1 4
+#define SSL_PROTOCOL_DTLSV1 5
+
+#define SSL_MODE_CLIENT 0
+#define SSL_MODE_SERVER 1
+#define SSL_MODE_COMBINED 2
+
+#define SSL_BIO_FLAG_RDONLY 1
+#define SSL_BIO_FLAG_CALLBACK 2
+#define SSL_DEFAULT_CACHE_SIZE 256
+#define SSL_MAX_STR_LEN 2048
+
+#define SSL_CVERIFY_UNSET (-1)
+#define SSL_CVERIFY_NONE 0
+#define SSL_CVERIFY_OPTIONAL 1
+#define SSL_CVERIFY_REQUIRE 2
+#define SSL_CVERIFY_OPTIONAL_NO_CA 3
#define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-#define SSL_SHUTDOWN_TYPE_UNSET (0)
-#define SSL_SHUTDOWN_TYPE_STANDARD (1)
-#define SSL_SHUTDOWN_TYPE_UNCLEAN (2)
-#define SSL_SHUTDOWN_TYPE_ACCURATE (3)
+#define SSL_SHUTDOWN_TYPE_UNSET 0
+#define SSL_SHUTDOWN_TYPE_STANDARD 1
+#define SSL_SHUTDOWN_TYPE_UNCLEAN 2
+#define SSL_SHUTDOWN_TYPE_ACCURATE 3
#define SSL_TO_ACR_ERROR(X) (ACR_OS_START_USERERR + 1000 + X)
-#define SSL_INFO_SESSION_ID (0x0001)
-#define SSL_INFO_CIPHER (0x0002)
-#define SSL_INFO_CIPHER_USEKEYSIZE (0x0003)
-#define SSL_INFO_CIPHER_ALGKEYSIZE (0x0004)
-#define SSL_INFO_CIPHER_VERSION (0x0005)
-#define SSL_INFO_CIPHER_DESCRIPTION (0x0006)
-#define SSL_INFO_PROTOCOL (0x0007)
-
-#define SSL_INFO_CLIENT_S_DN (0x0010)
-#define SSL_INFO_CLIENT_I_DN (0x0020)
-#define SSL_INFO_SERVER_S_DN (0x0040)
-#define SSL_INFO_SERVER_I_DN (0x0080)
-
-#define SSL_INFO_DN_COUNTRYNAME (0x0001)
-#define SSL_INFO_DN_STATEORPROVINCENAME (0x0002)
-#define SSL_INFO_DN_LOCALITYNAME (0x0003)
-#define SSL_INFO_DN_ORGANIZATIONNAME (0x0004)
-#define SSL_INFO_DN_ORGANIZATIONALUNITNAME (0x0005)
-#define SSL_INFO_DN_COMMONNAME (0x0006)
-#define SSL_INFO_DN_TITLE (0x0007)
-#define SSL_INFO_DN_INITIALS (0x0008)
-#define SSL_INFO_DN_GIVENNAME (0x0009)
-#define SSL_INFO_DN_SURNAME (0x000A)
-#define SSL_INFO_DN_DESCRIPTION (0x000B)
-#define SSL_INFO_DN_UNIQUEIDENTIFIER (0x000C)
-#define SSL_INFO_DN_EMAILADDRESS (0x000D)
-
-#define SSL_INFO_CLIENT_MASK (0x0100)
-
-#define SSL_INFO_CLIENT_M_VERSION (0x0101)
-#define SSL_INFO_CLIENT_M_SERIAL (0x0102)
-#define SSL_INFO_CLIENT_V_START (0x0103)
-#define SSL_INFO_CLIENT_V_END (0x0104)
-#define SSL_INFO_CLIENT_A_SIG (0x0105)
-#define SSL_INFO_CLIENT_A_KEY (0x0106)
-#define SSL_INFO_CLIENT_CERT (0x0107)
-#define SSL_INFO_CLIENT_V_REMAIN (0x0108)
-
-#define SSL_INFO_SERVER_MASK (0x0200)
-
-#define SSL_INFO_SERVER_M_VERSION (0x0201)
-#define SSL_INFO_SERVER_M_SERIAL (0x0202)
-#define SSL_INFO_SERVER_V_START (0x0203)
-#define SSL_INFO_SERVER_V_END (0x0204)
-#define SSL_INFO_SERVER_A_SIG (0x0205)
-#define SSL_INFO_SERVER_A_KEY (0x0206)
-#define SSL_INFO_SERVER_CERT (0x0207)
-#define SSL_INFO_CLIENT_CERT_CHAIN (0x0400)
+#define SSL_INFO_SESSION_ID 0x0001
+#define SSL_INFO_CIPHER 0x0002
+#define SSL_INFO_CIPHER_USEKEYSIZE 0x0003
+#define SSL_INFO_CIPHER_ALGKEYSIZE 0x0004
+#define SSL_INFO_CIPHER_VERSION 0x0005
+#define SSL_INFO_CIPHER_DESCRIPTION 0x0006
+#define SSL_INFO_PROTOCOL 0x0007
+
+#define SSL_INFO_CLIENT_S_DN 0x0010
+#define SSL_INFO_CLIENT_I_DN 0x0020
+#define SSL_INFO_SERVER_S_DN 0x0040
+#define SSL_INFO_SERVER_I_DN 0x0080
+
+#define SSL_INFO_DN_COUNTRYNAME 0x0001
+#define SSL_INFO_DN_STATEORPROVINCENAME 0x0002
+#define SSL_INFO_DN_LOCALITYNAME 0x0003
+#define SSL_INFO_DN_ORGANIZATIONNAME 0x0004
+#define SSL_INFO_DN_ORGANIZATIONALUNITNAME 0x0005
+#define SSL_INFO_DN_COMMONNAME 0x0006
+#define SSL_INFO_DN_TITLE 0x0007
+#define SSL_INFO_DN_INITIALS 0x0008
+#define SSL_INFO_DN_GIVENNAME 0x0009
+#define SSL_INFO_DN_SURNAME 0x000A
+#define SSL_INFO_DN_DESCRIPTION 0x000B
+#define SSL_INFO_DN_UNIQUEIDENTIFIER 0x000C
+#define SSL_INFO_DN_EMAILADDRESS 0x000D
+
+#define SSL_INFO_CLIENT_MASK 0x0100
+
+#define SSL_INFO_CLIENT_M_VERSION 0x0101
+#define SSL_INFO_CLIENT_M_SERIAL 0x0102
+#define SSL_INFO_CLIENT_V_START 0x0103
+#define SSL_INFO_CLIENT_V_END 0x0104
+#define SSL_INFO_CLIENT_A_SIG 0x0105
+#define SSL_INFO_CLIENT_A_KEY 0x0106
+#define SSL_INFO_CLIENT_CERT 0x0107
+#define SSL_INFO_CLIENT_V_REMAIN 0x0108
+
+#define SSL_INFO_SERVER_MASK 0x0200
+
+#define SSL_INFO_SERVER_M_VERSION 0x0201
+#define SSL_INFO_SERVER_M_SERIAL 0x0202
+#define SSL_INFO_SERVER_V_START 0x0203
+#define SSL_INFO_SERVER_V_END 0x0204
+#define SSL_INFO_SERVER_A_SIG 0x0205
+#define SSL_INFO_SERVER_A_KEY 0x0206
+#define SSL_INFO_SERVER_CERT 0x0207
+
+#define SSL_INFO_CLIENT_CERT_CHAIN 0x0400
#define SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) \
((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
@@ -249,6 +283,18 @@ typedef struct acr_ssl_ctxt_t {
/* for client or downstream server authentication */
int verify_depth;
int verify_mode;
+#ifdef HAVE_OCSP_STAPLING
+ /** OCSP stapling options */
+ int stapling_enabled;
+ long stapling_resptime_skew;
+ long stapling_resp_maxage;
+ int stapling_cache_timeout;
+ BOOL stapling_return_errors;
+ BOOL stapling_fake_trylater;
+ int stapling_errcache_timeout;
+ arc_time_t stapling_responder_timeout;
+ const char *stapling_force_url;
+#endif
int ocsp_enabled; /* true if OCSP verification enabled */
int ocsp_force_default; /* true if the default responder URL is
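Review bot: `arc_time_t stapling_responder_timeout;` looks like a transposed project prefix — every other project type in this header is spelled `acr_` (`acr_ssl_ctxt_t`, `acr_atomic32_t`), so unless a type named `arc_time_t` is declared elsewhere this member will fail to compile in any build where `HAVE_OCSP_STAPLING` is defined; `acr_time_t stapling_responder_timeout;` is the likely intent. The block also mixes `BOOL` and `int` for flag members (`stapling_enabled` vs `stapling_return_errors`); choosing one keeps the struct consistent with the surrounding `int verify_mode` / `int ocsp_enabled` style. The time-valued members (`stapling_resptime_skew`, `stapling_resp_maxage`, `stapling_cache_timeout`, `stapling_errcache_timeout`) should carry their unit in a comment, e.g. `long stapling_resptime_skew; /* max clock skew accepted for response times (seconds, confirm) */`, since mismatched units in OCSP validity checks silently widen the acceptance window. The enclosing `struct acr_ssl_ctxt_t` starts and ends outside this hunk.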
@@ -267,6 +313,38 @@ typedef struct acr_ssl_ctxt_t {
(ctx)->extra_certs = (value); \
} while (0)
+/**
+ * SSL socket descriptor.
+ * Make sure it is in sync with acr_sd_t so
+ * it can be casted to it
+ */
+typedef struct ssl_sd_t ssl_sd_t;
+struct ssl_sd_t {
+ volatile acr_atomic32_t refs; /**< Reference counter */
+ int type; /**< Descriptor type */
+ int timeout;
+ int flags;
+#if defined(WINDOWS)
+ union {
+ HANDLE h;
+ SOCKET s;
+ LPVOID p;
+ };
+#else
+ int s;
+#endif
+#if defined(WINDOWS)
+ WCHAR *socketfname;
+#endif
+ /*** SSL struct members ***/
+ acr_ssl_ctxt_t *ctx;
+ SSL *ssl;
+ X509 *peer;
+ int shutdown_type;
+ int is_proxy;
+ int disabled;
+ int non_ssl_request;
+};
/**
* Additional Functions
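Review bot: `struct ssl_sd_t` stays castable to `acr_sd_t` only by the comment "Make sure it is in sync", which a later edit to either struct can silently break into a type-confusion bug; the mirrored prefix should be checked at compile time rather than by convention. A cheap option that needs no C11 is a negative-size-array assertion that the mirrored member offsets agree, e.g. on `offsetof(ssl_sd_t, type) == offsetof(acr_sd_t, type)` (assuming acr_sd_t names the member the same way, which is not visible here), or alternatively make `acr_sd_t` the first member and drop the duplicated fields. `X509 *peer` and `acr_ssl_ctxt_t *ctx` do not document ownership; if `peer` is obtained from `SSL_get_peer_certificate()` it is a counted reference that whoever releases an ssl_sd_t must `X509_free()`, so `X509 *peer; /**< Peer certificate; owned, X509_free on release */` would pin that down. `shutdown_type` presumably takes the `SSL_SHUTDOWN_TYPE_*` values defined earlier in this header and should say so in its comment.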
Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c?rev=1169761&r1=1169760&r2=1169761&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c Mon Sep 12 14:22:05 2011
@@ -148,6 +148,25 @@ struct SSLAPIst {
void (*fpSSL_load_error_strings)(void);
int (*fpSSL_set_ex_data)(SSL *, int, void *);
+ const SSL_METHOD* (*fpSSLv3_method)(void); /* SSLv3 */
+ const SSL_METHOD* (*fpSSLv3_server_method)(void); /* SSLv3 */
+ const SSL_METHOD* (*fpSSLv3_client_method)(void); /* SSLv3 */
+
+ const SSL_METHOD* (*fpSSLv23_method)(void); /* SSLv3 but can rollback to v2 */
+ const SSL_METHOD* (*fpSSLv23_server_method)(void); /* SSLv3 but can rollback to v2 */
+ const SSL_METHOD* (*fpSSLv23_client_method)(void); /* SSLv3 but can rollback to v2 */
+
+ const SSL_METHOD* (*fpTLSv1_method)(void); /* TLSv1.0 */
+ const SSL_METHOD* (*fpTLSv1_server_method)(void); /* TLSv1.0 */
+ const SSL_METHOD* (*fpTLSv1_client_method)(void); /* TLSv1.0 */
+
+ const SSL_METHOD* (*fpDTLSv1_method)(void); /* DTLSv1.0 */
+ const SSL_METHOD* (*fpDTLSv1_server_method)(void); /* DTLSv1.0 */
+ const SSL_METHOD* (*fpDTLSv1_client_method)(void); /* DTLSv1.0 */
+
+ void (*fpSSL_CTX_set_default_passwd_cb)(SSL_CTX *, pem_password_cb *);
+ void (*fpSSL_CTX_set_default_passwd_cb_userdata)(SSL_CTX *ctx, void *u);
+
/*** X509 ***/
void (*fpX509_free)(X509 *);
void (*fpNULL)(void);
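Review bot: The new function-pointer members bind the asterisk to the type (`const SSL_METHOD* (*fpSSLv3_method)(void)`), whereas every neighbouring member in this struct writes `SSL *`, `X509 *`; `const SSL_METHOD *(*fpSSLv3_method)(void);` keeps the file's convention. `fpSSL_CTX_set_default_passwd_cb_userdata` names its parameters (`SSL_CTX *ctx, void *u`) while its sibling on the line above does not; the struct uses unnamed parameters throughout. The `/* SSLv3 but can rollback to v2 */` comments on the SSLv23 members are copied from OpenSSL's header and understate what the method does: it is the version-flexible method that negotiates the highest version both sides support, and it can fall back to SSLv2 unless `SSL_OP_NO_SSLv2` is set, so `/* version-flexible (SSLv3/TLS); falls back to SSLv2 unless SSL_OP_NO_SSLv2 */` would tell the caller what to guard. The enclosing `struct SSLAPIst` starts outside this hunk.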
@@ -179,7 +198,14 @@ struct SSLOPTst {
/*** RAND ***/
int (*fpRAND_set_rand_engine)(ENGINE *);
-#endif
+#endif
+
+#ifndef OPENSSL_NO_SSL2
+ const SSL_METHOD* (*fpSSLv2_method)(void); /* SSLv2 */
+ const SSL_METHOD* (*fpSSLv2_server_method)(void); /* SSLv2 */
+ const SSL_METHOD* (*fpSSLv2_client_method)(void); /* SSLv2 */
+#endif
+
void (*fpNULL)(void);
};
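Review bot: The optional SSLv2 entry points added under `#ifndef OPENSSL_NO_SSL2` here, in the `LIBSSL_LDDOPT(SSLv2_*)` hunk and in the `IMPLEMENT_SSLOPT_METHOD(SSLv2)` definitions make SSLv2 selectable by anything above this layer, and that protocol is broken by design and prohibited by RFC 6176 (2011). Since ssl.h already defines `SSL_PROTOCOL_SSLV2`, the safer default is for the context-creation code to reject that selection (or map it to SSLv23 with `SSL_OP_NO_SSLv2`) regardless of what libssl exports, and to record the intent here: `/* SSLv2 entry points are resolved for completeness only; callers must not select them */`. Whether the higher layer already refuses SSLv2 is not visible in this diff. The enclosing `struct SSLOPTst` starts outside the hunk.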
@@ -218,10 +244,26 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
LIBSSL_FPLOAD(SSL_load_error_strings);
LIBSSL_FPLOAD(SSL_set_ex_data);
+ LIBSSL_FPLOAD(SSLv3_method);
+ LIBSSL_FPLOAD(SSLv3_server_method);
+ LIBSSL_FPLOAD(SSLv3_client_method);
+ LIBSSL_FPLOAD(SSLv23_method);
+ LIBSSL_FPLOAD(SSLv23_server_method);
+ LIBSSL_FPLOAD(SSLv23_client_method);
+ LIBSSL_FPLOAD(TLSv1_method);
+ LIBSSL_FPLOAD(TLSv1_server_method);
+ LIBSSL_FPLOAD(TLSv1_client_method);
+ LIBSSL_FPLOAD(DTLSv1_method);
+ LIBSSL_FPLOAD(DTLSv1_server_method);
+ LIBSSL_FPLOAD(DTLSv1_client_method);
+
/*** SSL_CTX ***/
LIBSSL_FPLOAD(SSL_CTX_ctrl);
LIBSSL_FPLOAD(SSL_CTX_new);
LIBSSL_FPLOAD(SSL_CTX_free);
+ LIBSSL_FPLOAD(SSL_CTX_set_default_passwd_cb);
+ LIBSSL_FPLOAD(SSL_CTX_set_default_passwd_cb_userdata);
+
/*** BIO ***/
CRYPTO_FPLOAD(BIO_ctrl);
@@ -303,6 +345,12 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
CRYPTO_LDDOPT(ENGINE_set_default);
CRYPTO_LDDOPT(RAND_set_rand_engine);
#endif
+#ifndef OPENSSL_NO_SSL2
+ LIBSSL_LDDOPT(SSLv2_method);
+ LIBSSL_LDDOPT(SSLv2_server_method);
+ LIBSSL_LDDOPT(SSLv2_client_method);
+#endif
+
return JNI_TRUE;
failed:
AcrThrowEx(env, ACR_EX_ENOENT, "Cannot find %s::%s()", dname, fname);
@@ -606,11 +654,58 @@ void SSL_load_error_strings(void)
SSLAPI_CALL(SSL_load_error_strings)();
}
-int SSL_set_ex_data(SSL *ssl,int idx,void *data)
+int SSL_set_ex_data(SSL *ssl, int idx, void *data)
{
return SSLAPI_CALL(SSL_set_ex_data)(ssl, idx, data);
}
+#define IMPLEMENT_SSLAPI_METHOD(name) \
+const SSL_METHOD *name##_method(void) { \
+ return (*SSLapi.fp##name##_method)(); \
+}
+
+#define IMPLEMENT_SSLOPT_METHOD(name) \
+const SSL_METHOD *name##_method(void) { \
+ if (SSLopt.fp##name##_method != 0) \
+ return (*SSLopt.fp##name##_method)(); \
+ else { ACR_SET_OS_ERROR(ACR_ENOTIMPL); return 0; } \
+}
+
+#ifndef OPENSSL_NO_SSL2
+IMPLEMENT_SSLOPT_METHOD(SSLv2)
+IMPLEMENT_SSLOPT_METHOD(SSLv2_server)
+IMPLEMENT_SSLOPT_METHOD(SSLv2_client)
+#endif
+
+IMPLEMENT_SSLAPI_METHOD(SSLv3)
+IMPLEMENT_SSLAPI_METHOD(SSLv3_server)
+IMPLEMENT_SSLAPI_METHOD(SSLv3_client)
+
+IMPLEMENT_SSLAPI_METHOD(SSLv23)
+IMPLEMENT_SSLAPI_METHOD(SSLv23_server)
+IMPLEMENT_SSLAPI_METHOD(SSLv23_client)
+
+IMPLEMENT_SSLAPI_METHOD(TLSv1)
+IMPLEMENT_SSLAPI_METHOD(TLSv1_server)
+IMPLEMENT_SSLAPI_METHOD(TLSv1_client)
+
+IMPLEMENT_SSLAPI_METHOD(DTLSv1)
+IMPLEMENT_SSLAPI_METHOD(DTLSv1_server)
+IMPLEMENT_SSLAPI_METHOD(DTLSv1_client)
+
+#undef IMPLEMENT_SSLOPT_METHOD
+#undef IMPLEMENT_SSLAPI_METHOD
+
+void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
+{
+ SSLAPI_CALL(SSL_CTX_set_default_passwd_cb)(ctx, cb);
+}
+
+void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
+{
+ SSLAPI_CALL(SSL_CTX_set_default_passwd_cb_userdata)(ctx, u);
+}
+
void X509_free(X509 *x)
{
SSLAPI_CALL(X509_free)(x);
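Review bot: The generated wrappers `const SSL_METHOD *name##_method(void)` are written with the OpenSSL 1.0.0 signatures, but 0.9.8 declares `SSLv3_method()` and the other method functions as returning a non-const `SSL_METHOD *`; since ssl.h in this same commit still carries a `< 0x10000000` compatibility define, a 0.9.8 build that includes `<openssl/ssl.h>` will reject these definitions as conflicting types. A version-conditional return type — a local typedef that expands to `const SSL_METHOD` on 1.0.0 and later and to `SSL_METHOD` before — used both here and for the `fp*_method` members in the `struct SSLAPIst` hunk keeps the two consistent; whether this tree still builds against 0.9.8 is not visible here. Separately, `IMPLEMENT_SSLOPT_METHOD` returns `0` for a pointer and leaves the `if` branch unbraced while bracing the `else`; `return NULL;` and braces on both branches match the rest of the file. The unimplemented path sets `ACR_ENOTIMPL` and returns a null method, so callers of the SSLv2 wrappers must check for NULL before handing the result to `SSL_CTX_new`; a one-line comment above the macro stating that contract would help.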