You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by wr...@apache.org on 2013/01/25 07:28:33 UTC
svn commit: r1438342 - in /tomcat/native/trunk/native: include/ssl_private.h
src/sslcontext.c src/sslnetwork.c src/sslutils.c
Author: wrowe
Date: Fri Jan 25 06:28:32 2013
New Revision: 1438342
URL: http://svn.apache.org/viewvc?rev=1438342&view=rev
Log:
Replace the direct use of MD5 with the EVP API's SHA1 representation of
the host:port combination for the SSL session key context of each listener.
This restores FIPS functionality when combined with OpenSSL 1.0.1c which has
dropped support for direct hash functions when operating under FIPS mode.
This also anticipates some users dropping MD5 altogether from their OpenSSL.
Also eliminates the unused MD5 accessor function SSL_vhost_algo_id().
Modified:
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/sslcontext.c
tomcat/native/trunk/native/src/sslnetwork.c
tomcat/native/trunk/native/src/sslutils.c
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1438342&r1=1438341&r2=1438342&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Fri Jan 25 06:28:32 2013
@@ -48,7 +48,6 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
-#include <openssl/md5.h>
/* Avoid tripping over an engine build installed globally and detected
* when the user points at an explicit non-engine flavor of OpenSSL
*/
@@ -230,7 +229,7 @@ struct tcn_ssl_ctxt_t {
BIO *bio_os;
BIO *bio_is;
- unsigned char context_id[MD5_DIGEST_LENGTH];
+ unsigned char context_id[SHA_DIGEST_LENGTH];
int protocol;
/* we are one or the other */
@@ -318,7 +317,6 @@ DH *SSL_dh_get_param_from_file(c
RSA *SSL_callback_tmp_RSA(SSL *, int, int);
DH *SSL_callback_tmp_DH(SSL *, int, int);
void SSL_callback_handshake(const SSL *, int, int);
-void SSL_vhost_algo_id(const unsigned char *, unsigned char *, int);
int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
int SSL_callback_SSL_verify(int, X509_STORE_CTX *);
int SSL_rand_seed(const char *file);
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1438342&r1=1438341&r2=1438342&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Fri Jan 25 06:28:32 2013
@@ -150,9 +150,9 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
#endif
/* Default session context id and cache size */
SSL_CTX_sess_set_cache_size(c->ctx, SSL_DEFAULT_CACHE_SIZE);
- MD5((const unsigned char *)SSL_DEFAULT_VHOST_NAME,
- (unsigned long)(sizeof(SSL_DEFAULT_VHOST_NAME) - 1),
- &(c->context_id[0]));
+ EVP_Digest((const unsigned char *)SSL_DEFAULT_VHOST_NAME,
+ (unsigned long)((sizeof SSL_DEFAULT_VHOST_NAME) - 1),
+ &(c->context_id[0]), NULL, EVP_sha1(), NULL);
if (mode) {
SSL_CTX_set_tmp_rsa_callback(c->ctx, SSL_callback_tmp_RSA);
SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
@@ -198,9 +198,9 @@ TCN_IMPLEMENT_CALL(void, SSLContext, set
TCN_ASSERT(ctx != 0);
UNREFERENCED(o);
if (J2S(id)) {
- MD5((const unsigned char *)J2S(id),
- (unsigned long)strlen(J2S(id)),
- &(c->context_id[0]));
+ EVP_Digest((const unsigned char *)J2S(id),
+ (unsigned long)strlen(J2S(id)),
+ &(c->context_id[0]), NULL, EVP_sha1(), NULL);
}
TCN_FREE_CSTRING(id);
}
Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1438342&r1=1438341&r2=1438342&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Fri Jan 25 06:28:32 2013
@@ -151,7 +151,7 @@ static tcn_ssl_conn_t *ssl_create(JNIEnv
SSL_set_tmp_rsa_callback(ssl, SSL_callback_tmp_RSA);
SSL_set_tmp_dh_callback(ssl, SSL_callback_tmp_DH);
SSL_set_session_id_context(ssl, &(ctx->context_id[0]),
- MD5_DIGEST_LENGTH);
+ sizeof ctx->context_id);
}
SSL_set_verify_result(ssl, X509_V_OK);
SSL_rand_seed(ctx->rand_file);
Modified: tomcat/native/trunk/native/src/sslutils.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1438342&r1=1438341&r2=1438342&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Fri Jan 25 06:28:32 2013
@@ -393,25 +393,6 @@ DH *SSL_callback_tmp_DH(SSL *ssl, int ex
return (DH *)SSL_temp_keys[idx];
}
-void SSL_vhost_algo_id(const unsigned char *vhost_id, unsigned char *md, int algo)
-{
- MD5_CTX c;
- MD5_Init(&c);
- MD5_Update(&c, vhost_id, MD5_DIGEST_LENGTH);
- switch (algo) {
- case SSL_ALGO_UNKNOWN:
- MD5_Update(&c, "UNKNOWN", 7);
- break;
- case SSL_ALGO_RSA:
- MD5_Update(&c, "RSA", 3);
- break;
- case SSL_ALGO_DSA:
- MD5_Update(&c, "DSA", 3);
- break;
- }
- MD5_Final(md, &c);
-}
-
/*
* Read a file that optionally contains the server certificate in PEM
* format, possibly followed by a sequence of CA certificates that
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1438342 - in /tomcat/native/trunk/native: include/ssl_private.h
src/sslcontext.c src/sslnetwork.c src/sslutils.c
Posted by Mladen Turk <mt...@apache.org>.
On 01/25/2013 07:28 AM, wrowe@apache.org wrote:
> Author: wrowe
> Date: Fri Jan 25 06:28:32 2013
> New Revision: 1438342
>
Hehe, I forgot you have commit karma.
Anyhow, I have applied your patch to active 1.1.x branch as well.
Regards
--
^TM
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org