Skip to content
Commits on Source (11)
Expand all Hide whitespace changes
Inline Side-by-side
.gitignore
View file @ ac1d9389
......@@ -29,3 +29,11 @@
# Do not include stuff in the static modules as this is generated during the build
*-static/src
# exclude mainframer files
mainframer
.mainframer
# exclude cmake related files
CMakeLists.txt
cmake-*
boringssl-static/pom.xml
View file @ ac1d9389
......@@ -19,7 +19,7 @@
<parent>
<groupId>io.netty</groupId>
<artifactId>netty-tcnative-parent</artifactId>
<version>2.0.15.Final</version>
<version>2.0.20.Final</version>
</parent>
<artifactId>netty-tcnative-boringssl-static</artifactId>
<packaging>jar</packaging>
......@@ -89,6 +89,24 @@
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<executions>
<execution>
<phase>generate-sources</phase>
<goals>
<goal>add-source</goal>
</goals>
<configuration>
<sources>
<source>${generatedSourcesDir}/java</source>
</sources>
</configuration>
</execution>
</executions>
</plugin>
<!-- Add the commit ID and branch to the manifest. -->
<plugin>
<groupId>org.apache.felix</groupId>
......@@ -126,7 +144,7 @@
<!-- Build the BoringSSL static libs -->
<execution>
<id>build-boringssl</id>
<phase>generate-sources</phase>
<phase>compile</phase>
<goals>
<goal>run</goal>
</goals>
......@@ -135,42 +153,52 @@
<!-- Add the ant tasks from ant-contrib -->
<taskdef resource="net/sf/antcontrib/antcontrib.properties" />
<mkdir dir="${boringsslBuildDir}" />
<if>
<equals arg1="${os.detected.name}" arg2="windows" />
<available file="${boringsslBuildDir}" />
<then>
<!-- On Windows, build with /MT for static linking -->
<property name="cmakeAsmFlags" value="" />
<property name="cmakeCFlags" value="/MT" />
<property name="cmakeCxxFlags" value="/MT" />
<echo message="BoringSSL was already build, skipping the build step." />
</then>
<elseif>
<equals arg1="${os.detected.name}" arg2="linux" />
<then>
<!-- On *nix, add ASM flags to disable executable stack -->
<property name="cmakeAsmFlags" value="-Wa,--noexecstack" />
<property name="cmakeCFlags" value="-std=c99 -O3 -fno-omit-frame-pointer" />
<property name="cmakeCxxFlags" value="-O3 -fno-omit-frame-pointer -Wno-error=maybe-uninitialized" />
</then>
</elseif>
<else>
<!-- On *nix, add ASM flags to disable executable stack -->
<property name="cmakeAsmFlags" value="-Wa,--noexecstack" />
<property name="cmakeCFlags" value="-std=c99 -O3 -fno-omit-frame-pointer" />
<property name="cmakeCxxFlags" value="-O3 -fno-omit-frame-pointer" />
<echo message="Building BoringSSL" />
<mkdir dir="${boringsslBuildDir}" />
<if>
<equals arg1="${os.detected.name}" arg2="windows" />
<then>
<!-- On Windows, build with /MT for static linking -->
<property name="cmakeAsmFlags" value="" />
<property name="cmakeCFlags" value="/MT" />
<property name="cmakeCxxFlags" value="/MT" />
</then>
<elseif>
<equals arg1="${os.detected.name}" arg2="linux" />
<then>
<!-- On *nix, add ASM flags to disable executable stack -->
<property name="cmakeAsmFlags" value="-Wa,--noexecstack" />
<property name="cmakeCFlags" value="-std=c99 -O3 -fno-omit-frame-pointer" />
<property name="cmakeCxxFlags" value="-O3 -fno-omit-frame-pointer -Wno-error=maybe-uninitialized" />
</then>
</elseif>
<else>
<!-- On *nix, add ASM flags to disable executable stack -->
<property name="cmakeAsmFlags" value="-Wa,--noexecstack" />
<property name="cmakeCFlags" value="-std=c99 -O3 -fno-omit-frame-pointer" />
<property name="cmakeCxxFlags" value="-O3 -fno-omit-frame-pointer" />
</else>
</if>
<exec executable="cmake" failonerror="true" dir="${boringsslBuildDir}" resolveexecutable="true">
<arg value="-DCMAKE_POSITION_INDEPENDENT_CODE=TRUE" />
<arg value="-DCMAKE_BUILD_TYPE=Release" />
<arg value="-DCMAKE_ASM_FLAGS=${cmakeAsmFlags}" />
<arg value="-DCMAKE_C_FLAGS_RELEASE=${cmakeCFlags}" />
<arg value="-DCMAKE_CXX_FLAGS_RELEASE=${cmakeCxxFlags}" />
<arg value="-GNinja" />
<arg value=".." />
</exec>
<exec executable="ninja" failonerror="true" dir="${boringsslBuildDir}" resolveexecutable="true" />
</else>
</if>
<exec executable="cmake" failonerror="true" dir="${boringsslBuildDir}" resolveexecutable="true">
<arg value="-DCMAKE_POSITION_INDEPENDENT_CODE=TRUE" />
<arg value="-DCMAKE_BUILD_TYPE=Release" />
<arg value="-DCMAKE_ASM_FLAGS=${cmakeAsmFlags}" />
<arg value="-DCMAKE_C_FLAGS_RELEASE=${cmakeCFlags}" />
<arg value="-DCMAKE_CXX_FLAGS_RELEASE=${cmakeCxxFlags}" />
<arg value="-GNinja" />
<arg value=".." />
</exec>
<exec executable="ninja" failonerror="true" dir="${boringsslBuildDir}" resolveexecutable="true" />
</target>
</configuration>
</execution>
......@@ -230,7 +258,8 @@
<phase>compile</phase>
<configuration>
<name>netty_tcnative</name>
<nativeSourceDirectory>${project.basedir}/src/main/c</nativeSourceDirectory>
<nativeSourceDirectory>${generatedSourcesDir}/c</nativeSourceDirectory>
<customPackageDirectory>${generatedSourcesDir}/native-package</customPackageDirectory>
<libDirectory>${nativeLibOnlyDir}</libDirectory>
<forceAutogen>${forceAutogen}</forceAutogen>
<forceConfigure>${forceConfigure}</forceConfigure>
......
debian/changelog
View file @ ac1d9389
netty-tcnative (2.0.20-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Ignore the new netty-build dependency
* Standards-Version updated to 4.3.0
-- Emmanuel Bourg <ebourg@apache.org> Tue, 22 Jan 2019 11:34:46 +0100
netty-tcnative (2.0.15-2) unstable; urgency=medium
* Team upload.
......
debian/control
View file @ ac1d9389
......@@ -3,26 +3,28 @@ Section: java
Priority: optional
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Uploaders: Emmanuel Bourg <ebourg@apache.org>
Build-Depends: automake,
debhelper (>= 11~),
default-jdk,
junit4,
libapr1-dev,
libmaven-antrun-plugin-java,
libmaven-bundle-plugin-java,
libssl-dev,
libtool,
maven-debian-helper (>= 1.5)
Standards-Version: 4.2.1
Build-Depends:
automake,
debhelper (>= 11~),
default-jdk,
junit4,
libapr1-dev,
libmaven-antrun-plugin-java,
libmaven-bundle-plugin-java,
libssl-dev,
libtool,
maven-debian-helper (>= 1.5)
Standards-Version: 4.3.0
Vcs-Git: https://salsa.debian.org/java-team/netty-tcnative.git
Vcs-Browser: https://salsa.debian.org/java-team/netty-tcnative
Homepage: https://github.com/netty/netty-tcnative/
Package: libnetty-tcnative-java
Architecture: all
Depends: libnetty-tcnative-jni (>= ${source:Version}),
${maven:Depends},
${misc:Depends}
Depends:
libnetty-tcnative-jni (>= ${source:Version}),
${maven:Depends},
${misc:Depends}
Suggests: ${maven:OptionalDepends}
Description: Tomcat native fork for Netty
netty-tcnative is a fork of Tomcat Native, the native interface used by Tomcat
......@@ -36,7 +38,7 @@ Description: Tomcat native fork for Netty
Package: libnetty-tcnative-jni
Architecture: any
Depends: ${misc:Depends}, ${shlibs:Depends}
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: Tomcat native fork for Netty (JNI library)
netty-tcnative is a fork of Tomcat Native, the native interface used by Tomcat
to leverage the Apache Portable Runtime and provide superior scalability,
......
debian/maven.ignoreRules
View file @ ac1d9389
io.netty netty-build * * * *
kr.motd.maven os-maven-plugin * * * *
org.apache.maven.plugins maven-antrun-plugin * * * *
org.apache.maven.plugins maven-enforcer-plugin * * * *
......
debian/patches/02-ignore-netty-build.patch 0 → 100644
View file @ ac1d9389
Description: Ignore the netty-build dependency
Author: Emmanuel Bourg <ebourg@apache.org>
Forwarded: not-needed
--- a/pom.xml
+++ b/pom.xml
@@ -171,12 +171,6 @@
<exclude>**/*TestUtil*</exclude>
</excludes>
<runOrder>random</runOrder>
- <properties>
- <property>
- <name>listener</name>
- <value>io.netty.build.junit.TimedOutTestsListener</value>
- </property>
- </properties>
<!-- Ensure the whole stacktrace is preserved when an exception is thrown. See https://issues.apache.org/jira/browse/SUREFIRE-1457 -->
<trimStackTrace>false</trimStackTrace>
</configuration>
debian/patches/series
View file @ ac1d9389
01-add-junit-dependency.patch
02-ignore-netty-build.patch
libressl-static/pom.xml
View file @ ac1d9389
......@@ -19,7 +19,7 @@
<parent>
<groupId>io.netty</groupId>
<artifactId>netty-tcnative-parent</artifactId>
<version>2.0.15.Final</version>
<version>2.0.20.Final</version>
</parent>
<artifactId>netty-tcnative-libressl-static</artifactId>
<packaging>jar</packaging>
......@@ -41,34 +41,6 @@
<build>
<plugins>
<!-- Configure the distribution statically linked against OpenSSL and APR -->
<plugin>
<groupId>org.fusesource.hawtjni</groupId>
<artifactId>maven-hawtjni-plugin</artifactId>
<executions>
<execution>
<id>build-native-lib</id>
<goals>
<goal>generate</goal>
<goal>build</goal>
</goals>
<phase>compile</phase>
<configuration>
<name>netty_tcnative</name>
<nativeSourceDirectory>${project.basedir}/src/main/c</nativeSourceDirectory>
<libDirectory>${nativeLibOnlyDir}</libDirectory>
<forceAutogen>${forceAutogen}</forceAutogen>
<forceConfigure>${forceConfigure}</forceConfigure>
<windowsBuildTool>msbuild</windowsBuildTool>
<configureArgs>
<configureArg>--with-ssl=${sslHome}</configureArg>
<configureArg>--with-apr=${aprHome}</configureArg>
<configureArg>--with-static-libs</configureArg>
</configureArgs>
</configuration>
</execution>
</executions>
</plugin>
<!-- Add the LibreSSL version to the manifest. -->
<plugin>
......@@ -82,6 +54,24 @@
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<executions>
<execution>
<phase>generate-sources</phase>
<goals>
<goal>add-source</goal>
</goals>
<configuration>
<sources>
<source>${generatedSourcesDir}/java</source>
</sources>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>maven-antrun-plugin</artifactId>
<executions>
......@@ -108,6 +98,36 @@
</execution>
</executions>
</plugin>
<!-- Configure the distribution statically linked against OpenSSL and APR -->
<plugin>
<groupId>org.fusesource.hawtjni</groupId>
<artifactId>maven-hawtjni-plugin</artifactId>
<executions>
<execution>
<id>build-native-lib</id>
<goals>
<goal>generate</goal>
<goal>build</goal>
</goals>
<phase>compile</phase>
<configuration>
<name>netty_tcnative</name>
<nativeSourceDirectory>${generatedSourcesDir}/c</nativeSourceDirectory>
<customPackageDirectory>${generatedSourcesDir}/native-package</customPackageDirectory>
<libDirectory>${nativeLibOnlyDir}</libDirectory>
<forceAutogen>${forceAutogen}</forceAutogen>
<forceConfigure>${forceConfigure}</forceConfigure>
<windowsBuildTool>msbuild</windowsBuildTool>
<configureArgs>
<configureArg>--with-ssl=${sslHome}</configureArg>
<configureArg>--with-apr=${aprHome}</configureArg>
<configureArg>--with-static-libs</configureArg>
</configureArgs>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
......@@ -165,27 +185,63 @@
<executions>
<!-- Download and build LibreSSL -->
<execution>
<id>build-libressl-non-windows</id>
<id>source-libressl-non-windows</id>
<phase>generate-sources</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<target>
<get src="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${libresslArchive}" dest="${project.build.directory}/${libresslArchive}" verbose="on" />
<checksum file="${project.build.directory}/${libresslArchive}" algorithm="SHA-256" property="${libresslSha256}" verifyProperty="isEqual" />
<exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
<arg value="xfv" />
<arg value="${libresslArchive}" />
</exec>
<mkdir dir="${sslHome}" />
<exec executable="configure" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true">
<arg line="--disable-shared --prefix=${sslHome} CFLAGS='-O3 -fno-omit-frame-pointer -fPIC'" />
</exec>
<exec executable="make" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true" />
<exec executable="make" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true">
<arg line="install" />
</exec>
<!-- Add the ant tasks from ant-contrib -->
<taskdef resource="net/sf/antcontrib/antcontrib.properties" />
<if>
<available file="${libresslCheckoutDir}" />
<then>
<echo message="LibreSSL was already downloaded, skipping the build step." />
</then>
<else>
<echo message="Downloading LibreSSL" />
<get src="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${libresslArchive}" dest="${project.build.directory}/${libresslArchive}" verbose="on" />
<checksum file="${project.build.directory}/${libresslArchive}" algorithm="SHA-256" property="${libresslSha256}" verifyProperty="isEqual" />
<exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
<arg value="xfv" />
<arg value="${libresslArchive}" />
</exec>
</else>
</if>
</target>
</configuration>
</execution>
<execution>
<id>build-libressl-non-windows</id>
<phase>compile</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<target>
<!-- Add the ant tasks from ant-contrib -->
<taskdef resource="net/sf/antcontrib/antcontrib.properties" />
<if>
<available file="${sslHome}" />
<then>
<echo message="LibreSSL was already build, skipping the build step." />
</then>
<else>
<echo message="Building LibreSSL" />
<mkdir dir="${sslHome}" />
<exec executable="configure" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true">
<arg line="--disable-shared --prefix=${sslHome} CFLAGS='-O3 -fno-omit-frame-pointer -fPIC'" />
</exec>
<exec executable="make" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true" />
<exec executable="make" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true">
<arg line="install" />
</exec>
</else>
</if>
</target>
</configuration>
</execution>
......
openssl-dynamic/pom.xml
View file @ ac1d9389
......@@ -19,7 +19,7 @@
<parent>
<groupId>io.netty</groupId>
<artifactId>netty-tcnative-parent</artifactId>
<version>2.0.15.Final</version>
<version>2.0.20.Final</version>
</parent>
<artifactId>netty-tcnative</artifactId>
<packaging>jar</packaging>
......
openssl-dynamic/src/main/c/native_constants.c
View file @ ac1d9389
......@@ -42,6 +42,10 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslOpNoTLSv12)(TC
return SSL_OP_NO_TLSv1_2;
}
TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslOpNoTLSv13)(TCN_STDARGS) {
return SSL_OP_NO_TLSv1_3;
}
TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslOpNoTicket)(TCN_STDARGS) {
return SSL_OP_NO_TICKET;
}
......@@ -484,6 +488,7 @@ static const JNINativeMethod method_table[] = {
{ TCN_METHOD_TABLE_ENTRY(sslOpNoTLSv1, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslOpNoTLSv11, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslOpNoTLSv12, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslOpNoTLSv13, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslOpNoTicket, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslOpNoCompression, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslSessCacheOff, ()I, NativeStaticallyReferencedJniMethods) },
......
openssl-dynamic/src/main/c/ssl.c
View file @ ac1d9389
......@@ -1559,27 +1559,50 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getCiphers)(TCN_STDARGS, jlong ssl)
}
TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuites)(TCN_STDARGS, jlong ssl,
jstring ciphers)
jstring ciphers, jboolean tlsv13)
{
jboolean rv = JNI_TRUE;
TCN_ALLOC_CSTRING(ciphers);
SSL *ssl_ = J2P(ssl, SSL *);
TCN_CHECK_NULL(ssl_, ssl, JNI_FALSE);
UNREFERENCED(o);
#ifdef OPENSSL_NO_TLS1_3
if (tlsv13 == JNI_TRUE) {
tcn_Throw(e, "TLSv1.3 not supported");
return JNI_FALSE;
}
#endif
if (ciphers == NULL || (*e)->GetStringUTFLength(e, ciphers) == 0) {
return JNI_FALSE;
}
TCN_ALLOC_CSTRING(ciphers);
UNREFERENCED(o);
if (!J2S(ciphers)) {
return JNI_FALSE;
}
if (!SSL_set_cipher_list(ssl_, J2S(ciphers))) {
char err[ERR_LEN];
#ifdef OPENSSL_NO_TLS1_3
rv = SSL_set_cipher_list(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
#else
if (tlsv13 == JNI_TRUE) {
#ifdef OPENSSL_IS_BORINGSSL
// BoringSSL does not support setting TLSv1.3 cipher suites explicit for now.
rv = JNI_TRUE;
#else
rv = SSL_set_ciphersuites(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
#endif // OPENSSL_IS_BORINGSSL
} else {
rv = SSL_set_cipher_list(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
}
#endif // OPENSSL_NO_TLS1_3
if (rv == JNI_FALSE) {
char err[256];
ERR_error_string(ERR_get_error(), err);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
rv = JNI_FALSE;
}
TCN_FREE_CSTRING(ciphers);
return rv;
}
......@@ -1632,7 +1655,7 @@ TCN_IMPLEMENT_CALL(void, SSL, clearError)(TCN_STDARGS)
ERR_clear_error();
}
TCN_IMPLEMENT_CALL(void, SSL, setTlsExtHostName)(TCN_STDARGS, jlong ssl, jstring hostname) {
TCN_IMPLEMENT_CALL(void, SSL, setTlsExtHostName0)(TCN_STDARGS, jlong ssl, jstring hostname) {
SSL *ssl_ = J2P(ssl, SSL *);
TCN_CHECK_NULL(ssl_, ssl, /* void */);
......@@ -1708,7 +1731,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, authenticationMethods)(TCN_STDARGS, jlong
for (i = 0; i < len; i++) {
(*e)->SetObjectArrayElement(e, array, i,
(*e)->NewStringUTF(e, tcn_SSL_cipher_authentication_method((SSL_CIPHER*) sk_value((_STACK*) ciphers, i))));
(*e)->NewStringUTF(e, tcn_SSL_cipher_authentication_method(sk_SSL_CIPHER_value(ciphers, i))));
}
return array;
}
......@@ -1910,7 +1933,7 @@ TCN_IMPLEMENT_CALL(void, SSL, freeX509Chain)(TCN_STDARGS, jlong x509Chain)
sk_X509_pop_free(chain, X509_free);
}
TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterialServerSide)(TCN_STDARGS, jlong ssl, jlong chain, jlong key)
TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chain, jlong key)
{
#if defined(LIBRESSL_VERSION_NUMBER)
tcn_Throw(e, "Not supported with LibreSSL");
......@@ -2196,6 +2219,95 @@ TCN_IMPLEMENT_CALL(void, SSL, fipsModeSet)(TCN_STDARGS, jint mode)
#endif
}
TCN_IMPLEMENT_CALL(jstring, SSL, getSniHostname)(TCN_STDARGS, jlong ssl)
{
SSL *ssl_ = J2P(ssl, SSL *);
TCN_CHECK_NULL(ssl_, ssl, 0);
const char *servername = SSL_get_servername(ssl_, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
return NULL;
}
return tcn_new_string(e, servername);
}
TCN_IMPLEMENT_CALL(jobjectArray, SSL, getSigAlgs)(TCN_STDARGS, jlong ssl) {
SSL *ssl_ = J2P(ssl, SSL *);
TCN_CHECK_NULL(ssl_, ssl, NULL);
// Not supported in LibreSSL
#if defined(LIBRESSL_VERSION_NUMBER)
return NULL;
#elif defined(OPENSSL_IS_BORINGSSL)
// Using a different API in BoringSSL
// https://boringssl.googlesource.com/boringssl/+/ba16a1e405c617f4179bd780ad15522fb25b0a65%5E%21/
int i;
jobjectArray array;
jstring algString;
const uint16_t *peer_sigalgs;
size_t num_peer_sigalgs = SSL_get0_peer_verify_algorithms(ssl_, &peer_sigalgs);
if (num_peer_sigalgs <= 0) {
return NULL;
}
array = (*e)->NewObjectArray(e, num_peer_sigalgs, tcn_get_string_class(), NULL);
if (array == NULL) {
return NULL;
}
for (i = 0; i < num_peer_sigalgs; i++) {
algString = (*e)->NewStringUTF(e, SSL_get_signature_algorithm_name(peer_sigalgs[i], SSL_version(ssl_) != TLS1_2_VERSION));
if (algString == NULL) {
// something is wrong we should better just return here
return NULL;
}
(*e)->SetObjectArrayElement(e, array, i, algString);
}
return array;
#else
// Use weak linking with GCC as this will alow us to run the same packaged version with multiple
// version of openssl.
#if defined(__GNUC__) || defined(__GNUG__)
if (!SSL_get_sigalgs) {
UNREFERENCED(o);
return NULL;
}
#endif
// We can only support it when either use openssl version >= 1.0.2 or GCC as this way we can use weak linking
#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
int i;
int nsig;
int psignhash;
jobjectArray array;
jstring algString;
UNREFERENCED(o);
nsig = SSL_get_sigalgs(ssl_, 0, NULL, NULL, NULL, NULL, NULL);
if (nsig <= 0) {
return NULL;
}
array = (*e)->NewObjectArray(e, nsig, tcn_get_string_class(), NULL);
if (array == NULL) {
return NULL;
}
for (i = 0; i < nsig; i++) {
SSL_get_sigalgs(ssl_, i, NULL, NULL, &psignhash, NULL, NULL);
algString = (*e)->NewStringUTF(e, OBJ_nid2ln(psignhash));
if (algString == NULL) {
// something is wrong we should better just return here
return NULL;
}
(*e)->SetObjectArrayElement(e, array, i, algString);
}
return array;
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
#endif // defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
}
// JNI Method Registration Table Begin
static const JNINativeMethod method_table[] = {
......@@ -2243,11 +2355,11 @@ static const JNINativeMethod method_table[] = {
{ TCN_METHOD_TABLE_ENTRY(getMode, (J)I, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getMaxWrapOverhead, (J)I, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getCiphers, (J)[Ljava/lang/String;, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setCipherSuites, (JLjava/lang/String;)Z, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setCipherSuites, (JLjava/lang/String;Z)Z, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getSessionId, (J)[B, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getHandshakeCount, (J)I, SSL) },
{ TCN_METHOD_TABLE_ENTRY(clearError, ()V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setTlsExtHostName, (JLjava/lang/String;)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setTlsExtHostName0, (JLjava/lang/String;)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setHostNameValidation, (JILjava/lang/String;)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(authenticationMethods, (J)[Ljava/lang/String;, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setCertificateBio, (JJJLjava/lang/String;)V, SSL) },
......@@ -2257,12 +2369,14 @@ static const JNINativeMethod method_table[] = {
{ TCN_METHOD_TABLE_ENTRY(freePrivateKey, (J)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(parseX509Chain, (J)J, SSL) },
{ TCN_METHOD_TABLE_ENTRY(freeX509Chain, (J)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setKeyMaterialServerSide, (JJJ)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setKeyMaterial, (JJJ)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setKeyMaterialClientSide, (JJJJJ)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(enableOcsp, (J)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setOcspResponse, (J[B)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getOcspResponse, (J)[B, SSL) },
{ TCN_METHOD_TABLE_ENTRY(fipsModeSet, (I)V, SSL) }
{ TCN_METHOD_TABLE_ENTRY(fipsModeSet, (I)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getSniHostname, (J)Ljava/lang/String;, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getSigAlgs, (J)[Ljava/lang/String;, SSL) }
};
static const jint method_table_size = sizeof(method_table) / sizeof(method_table[0]);
......
openssl-dynamic/src/main/c/ssl_private.h
View file @ ac1d9389
......@@ -131,6 +131,15 @@ extern const char* TCN_UNKNOWN_AUTH_METHOD;
#define TLS1_3_VERSION 0x0304
#endif
#ifndef SSL_OP_NO_TLSv1_3
// TLSV1_3 is not really supported by the underlying OPENSSL version
#ifndef OPENSSL_NO_TLS1_3
#define OPENSSL_NO_TLS1_3
#endif // OPENSSL_NO_TLS1_3
#define SSL_OP_NO_TLSv1_3 0x00000000U
#endif // SSL_OP_NO_TLSv1_3
/* OpenSSL 1.0.2 compatibility */
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define TLS_method SSLv23_method
......@@ -224,6 +233,9 @@ struct tcn_ssl_ctxt_t {
jobject cert_requested_callback;
jmethodID cert_requested_callback_method;
jobject certificate_callback;
jmethodID certificate_callback_method;
jobject sni_hostname_matcher;
jmethodID sni_hostname_matcher_method;
......@@ -317,6 +329,9 @@ const char *tcn_SSL_cipher_authentication_method(const SSL_CIPHER *);
extern X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) __attribute__((weak));
extern void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags) __attribute__((weak));
extern int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen) __attribute__((weak));
extern int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash, unsigned char *rsig, unsigned char *rhash) __attribute__((weak));
extern void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg), void *arg) __attribute__((weak));
#endif
#endif /* SSL_PRIVATE_H */
openssl-dynamic/src/main/c/sslcontext.c
View file @ ac1d9389
......@@ -63,6 +63,13 @@ static apr_status_t ssl_context_cleanup(void *data)
}
c->cert_requested_callback_method = NULL;
if (c->certificate_callback != NULL) {
tcn_get_java_env(&e);
(*e)->DeleteGlobalRef(e, c->certificate_callback);
c->certificate_callback = NULL;
}
c->certificate_callback_method = NULL;
if (c->sni_hostname_matcher != NULL) {
tcn_get_java_env(&e);
(*e)->DeleteGlobalRef(e, c->sni_hostname_matcher);
......@@ -118,6 +125,14 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jint protocol, jint mod
ctx = SSL_CTX_new(TLS_server_method());
else
ctx = SSL_CTX_new(TLS_method());
// Needed in BoringSSL to be able to use TLSv1.3
//
// See http://hg.nginx.org/nginx/rev/7ad0f4ace359
#if defined(OPENSSL_IS_BORINGSSL)
SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
#endif
#else
switch (protocol) {
case SSL_PROTOCOL_TLS:
......@@ -415,24 +430,50 @@ TCN_IMPLEMENT_CALL(void, SSLContext, clearOptions)(TCN_STDARGS, jlong ctx,
}
TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuite)(TCN_STDARGS, jlong ctx,
jstring ciphers)
jstring ciphers, jboolean tlsv13)
{
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
jboolean rv = JNI_TRUE;
TCN_CHECK_NULL(c, ctx, JNI_FALSE);
TCN_ALLOC_CSTRING(ciphers);
#ifdef OPENSSL_NO_TLS1_3
if (tlsv13 == JNI_TRUE) {
tcn_Throw(e, "TLSv1.3 not supported");
return JNI_FALSE;
}
#endif
if (ciphers == NULL || (*e)->GetStringUTFLength(e, ciphers) == 0) {
return JNI_FALSE;
}
TCN_ALLOC_CSTRING(ciphers);
UNREFERENCED(o);
if (!J2S(ciphers))
if (!J2S(ciphers)) {
return JNI_FALSE;
}
#ifdef OPENSSL_NO_TLS1_3
rv = SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
#else
if (tlsv13 == JNI_TRUE) {
#ifdef OPENSSL_IS_BORINGSSL
// BoringSSL does not support setting TLSv1.3 cipher suites explicit for now.
rv = JNI_TRUE;
#else
rv = SSL_CTX_set_ciphersuites(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
#endif // OPENSSL_IS_BORINGSSL
if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
} else {
rv = SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
}
#endif // OPENSSL_NO_TLS1_3
if (rv == JNI_FALSE) {
char err[256];
ERR_error_string(ERR_get_error(), err);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
rv = JNI_FALSE;
}
TCN_FREE_CSTRING(ciphers);
return rv;
......@@ -1427,6 +1468,22 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertVerifyCallback)(TCN_STDARGS, jlong c
}
}
static jbyteArray keyTypes(JNIEnv* e, SSL* ssl) {
jbyte* ctype_bytes;
jbyteArray types;
int ctype_num = tcn_SSL_get0_certificate_types(ssl, (const uint8_t **) &ctype_bytes);
if (ctype_num <= 0) {
// No idea what we should use... Let the caller handle it.
return NULL;
}
types = (*e)->NewByteArray(e, ctype_num);
if (types == NULL) {
return NULL;
}
(*e)->SetByteArrayRegion(e, types, 0, ctype_num, ctype_bytes);
return types;
}
/**
* Returns an array containing all the X500 principal's bytes.
*
......@@ -1495,31 +1552,18 @@ static int cert_requested(SSL* ssl, X509** x509Out, EVP_PKEY** pkeyOut) {
#endif // OPENSSL_IS_BORINGSSL
tcn_ssl_ctxt_t *c = tcn_SSL_get_app_data2(ssl);
int ctype_num;
jbyte* ctype_bytes;
jobjectArray issuers;
JNIEnv *e;
jbyteArray keyTypes;
jbyteArray types;
tcn_get_java_env(&e);
ctype_num = tcn_SSL_get0_certificate_types(ssl, (const uint8_t **) &ctype_bytes);
if (ctype_num <= 0) {
// Use no certificate
return 0;
}
keyTypes = (*e)->NewByteArray(e, ctype_num);
if (keyTypes == NULL) {
// Something went seriously wrong, bail out!
return -1;
}
(*e)->SetByteArrayRegion(e, keyTypes, 0, ctype_num, ctype_bytes);
types = keyTypes(e, ssl);
issuers = principalBytes(e, SSL_get_client_CA_list(ssl));
// Execute the java callback
(*e)->CallVoidMethod(e, c->cert_requested_callback, c->cert_requested_callback_method,
P2J(ssl), P2J(x509Out), P2J(pkeyOut), keyTypes, issuers);
P2J(ssl), P2J(x509Out), P2J(pkeyOut), types, issuers);
// Check if java threw an exception and if so signal back that we should not continue with the handshake.
if ((*e)->ExceptionCheck(e)) {
......@@ -1564,6 +1608,101 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertRequestedCallback)(TCN_STDARGS, jlon
}
}
static int certificate_cb(SSL* ssl, void* arg) {
#if defined(LIBRESSL_VERSION_NUMBER)
// Not supported with LibreSSL
return -1;
#else
#ifndef OPENSSL_IS_BORINGSSL
if (OpenSSL_version_num() < 0x10002000L) {
// Only supported on openssl 1.0.2+
return -1;
}
#endif // OPENSSL_IS_BORINGSSL
tcn_ssl_ctxt_t *c = tcn_SSL_get_app_data2(ssl);
TCN_ASSERT(c != NULL);
jobjectArray issuers;
JNIEnv *e;
jbyteArray types;
tcn_get_java_env(&e);
if (c->mode == SSL_MODE_SERVER) {
// TODO: Consider filling these somehow.
types = NULL;
issuers = NULL;
} else {
types = keyTypes(e, ssl);
issuers = principalBytes(e, SSL_get_client_CA_list(ssl));
}
// Execute the java callback
(*e)->CallVoidMethod(e, c->certificate_callback, c->certificate_callback_method,
P2J(ssl), types, issuers);
// Check if java threw an exception and if so signal back that we should not continue with the handshake.
if ((*e)->ExceptionCheck(e)) {
return -1;
}
// Everything good...
return 1;
#endif /* defined(LIBRESSL_VERSION_NUMBER) */
}
TCN_IMPLEMENT_CALL(void, SSLContext, setCertificateCallback)(TCN_STDARGS, jlong ctx, jobject callback)
{
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
TCN_CHECK_NULL(c, ctx, /* void */);
#if defined(LIBRESSL_VERSION_NUMBER)
tcn_Throw(e, "Not supported with LibreSSL");
#else
UNREFERENCED(o);
// Use weak linking with GCC as this will alow us to run the same packaged version with multiple
// version of openssl.
#if defined(__GNUC__) || defined(__GNUG__)
if (!SSL_CTX_set_cert_cb) {
UNREFERENCED(o);
tcn_ThrowException(e, "Requires OpenSSL 1.0.2+");
}
#endif // defined(__GNUC__) || defined(__GNUG__)
// We can only support it when either use openssl version >= 1.0.2 or GCC as this way we can use weak linking
#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
if (callback == NULL) {
SSL_CTX_set_cert_cb(c->ctx, NULL, NULL);
} else {
jclass callback_class = (*e)->GetObjectClass(e, callback);
if (callback_class == NULL) {
tcn_Throw(e, "Unable to retrieve callback class");
return;
}
jmethodID method = (*e)->GetMethodID(e, callback_class, "handle", "(J[B[[B)V");
if (method == NULL) {
tcn_Throw(e, "Unable to retrieve callback method");
return;
}
if (c->certificate_callback != NULL) {
(*e)->DeleteGlobalRef(e, c->certificate_callback);
}
c->certificate_callback = (*e)->NewGlobalRef(e, callback);
c->certificate_callback_method = method;
SSL_CTX_set_cert_cb(c->ctx, certificate_cb, NULL);
}
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
#endif // defined(LIBRESSL_VERSION_NUMBER)
}
static int ssl_servername_cb(SSL *ssl, int *ad, void *arg)
{
JNIEnv *e = NULL;
......@@ -1674,6 +1813,15 @@ TCN_IMPLEMENT_CALL(jint, SSLContext, getMode)(TCN_STDARGS, jlong ctx)
return (jint) SSL_CTX_get_mode(c->ctx);
}
TCN_IMPLEMENT_CALL(jlong, SSLContext, getSslCtx)(TCN_STDARGS, jlong ctx)
{
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
TCN_CHECK_NULL(c, ctx, 0);
return P2J(c->ctx);
}
#if !defined(OPENSSL_NO_OCSP) && !defined(TCN_OCSP_NOT_SUPPORTED) && !defined(OPENSSL_IS_BORINGSSL)
static const int OCSP_CLIENT_ACK = 1;
......@@ -1755,7 +1903,7 @@ static const JNINativeMethod fixed_method_table[] = {
{ TCN_METHOD_TABLE_ENTRY(setOptions, (JI)V, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(getOptions, (J)I, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(clearOptions, (JI)V, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setCipherSuite, (JLjava/lang/String;)Z, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setCipherSuite, (JLjava/lang/String;Z)Z, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setCertificateChainFile, (JLjava/lang/String;Z)Z, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setCertificateChainBio, (JJZ)Z, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setCACertificateBio, (JJ)Z, SSLContext) },
......@@ -1791,19 +1939,21 @@ static const JNINativeMethod fixed_method_table[] = {
// setCertVerifyCallback -> needs dynamic method table
// setCertRequestedCallback -> needs dynamic method table
// setCertificateCallback -> needs dynamic method table
// setSniHostnameMatcher -> needs dynamic method table
{ TCN_METHOD_TABLE_ENTRY(setSessionIdContext, (J[B)Z, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setMode, (JI)I, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(getMode, (J)I, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(enableOcsp, (JZ)V, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(disableOcsp, (J)V, SSLContext) }
{ TCN_METHOD_TABLE_ENTRY(disableOcsp, (J)V, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(getSslCtx, (J)J, SSLContext) }
};
static const jint fixed_method_table_size = sizeof(fixed_method_table) / sizeof(fixed_method_table[0]);
static jint dynamicMethodsTableSize() {
return fixed_method_table_size + 3;
return fixed_method_table_size + 4;
}
static JNINativeMethod* createDynamicMethodsTable(const char* packagePrefix) {
......@@ -1823,8 +1973,15 @@ static JNINativeMethod* createDynamicMethodsTable(const char* packagePrefix) {
dynamicMethod->fnPtr = (void *) TCN_FUNCTION_NAME(SSLContext, setCertRequestedCallback);
free(dynamicTypeName);
dynamicTypeName = netty_internal_tcnative_util_prepend(packagePrefix, "io/netty/internal/tcnative/SniHostNameMatcher;)V");
dynamicTypeName = netty_internal_tcnative_util_prepend(packagePrefix, "io/netty/internal/tcnative/CertificateCallback;)V");
dynamicMethod = &dynamicMethods[fixed_method_table_size + 2];
dynamicMethod->name = "setCertificateCallback";
dynamicMethod->signature = netty_internal_tcnative_util_prepend("(JL", dynamicTypeName);
dynamicMethod->fnPtr = (void *) TCN_FUNCTION_NAME(SSLContext, setCertificateCallback);
free(dynamicTypeName);
dynamicTypeName = netty_internal_tcnative_util_prepend(packagePrefix, "io/netty/internal/tcnative/SniHostNameMatcher;)V");
dynamicMethod = &dynamicMethods[fixed_method_table_size + 3];
dynamicMethod->name = "setSniHostnameMatcher";
dynamicMethod->signature = netty_internal_tcnative_util_prepend("(JL", dynamicTypeName);
dynamicMethod->fnPtr = (void *) TCN_FUNCTION_NAME(SSLContext, setSniHostnameMatcher);
......
openssl-dynamic/src/main/c/sslutils.c
View file @ ac1d9389
......@@ -106,6 +106,12 @@ const char* tcn_SSL_cipher_authentication_method(const SSL_CIPHER* cipher){
default:
return TCN_UNKNOWN_AUTH_METHOD;
}
#ifndef OPENSSL_NO_TLS1_3
case NID_kx_any:
// Let us just pick one as we could use whatever we want.
// See https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_kx_nid.html
return "ECDHE_" SSL_TXT_RSA;
#endif
default:
return TCN_UNKNOWN_AUTH_METHOD;
}
......
openssl-dynamic/src/main/java/io/netty/internal/tcnative/CertificateCallback.java 0 → 100644
View file @ ac1d9389
/*
* Copyright 2018 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.internal.tcnative;
/**
* Is called during handshake and hooked into openssl via {@code SSL_CTX_set_cert_cb}.
*
* IMPORTANT: Implementations of this interface should be static as it is stored as a global reference via JNI. This
* means if you use an inner / anonymous class to implement this and also depend on the finalizer of the
* class to free up the SSLContext the finalizer will never run as the object is never GC, due the hard
* reference to the enclosing class. This will most likely result in a memory leak.
*/
public interface CertificateCallback {
/**
* The types contained in the {@code keyTypeBytes} array.
*/
// Extracted from https://github.com/openssl/openssl/blob/master/include/openssl/tls1.h
byte TLS_CT_RSA_SIGN = 1;
byte TLS_CT_DSS_SIGN = 2;
byte TLS_CT_RSA_FIXED_DH = 3;
byte TLS_CT_DSS_FIXED_DH = 4;
byte TLS_CT_ECDSA_SIGN = 64;
byte TLS_CT_RSA_FIXED_ECDH = 65;
byte TLS_CT_ECDSA_FIXED_ECDH = 66;
/**
* Called during cert selection. If a certificate chain / key should be used
* {@link SSL#setKeyMaterial(long, long, long)} must be called from this callback after
* all preparations / validations were completed.
*
* @param ssl the SSL instance
* @param keyTypeBytes an array of the key types on client-mode or {@code null} on server-mode.
* @param asn1DerEncodedPrincipals the principals or {@code null}.
*
*/
void handle(long ssl, byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) throws Exception;
}
openssl-dynamic/src/main/java/io/netty/internal/tcnative/CertificateRequestedCallback.java
View file @ ac1d9389
......@@ -21,21 +21,24 @@ package io.netty.internal.tcnative;
* IMPORTANT: Implementations of this interface should be static as it is stored as a global reference via JNI. This
* means if you use an inner / anonymous class to implement this and also depend on the finalizer of the
* class to free up the SSLContext the finalizer will never run as the object is never GC, due the hard
* reference to the enclosing class. This will most likely result in a memory leak.
* reference to the enclosing class. This will most likely result in a memory leak.+
*
* @deprecated use {@link CertificateCallback}
*/
@Deprecated
public interface CertificateRequestedCallback {
/**
* The types contained in the {@code keyTypeBytes} array.
*/
// Extracted from https://github.com/openssl/openssl/blob/master/include/openssl/tls1.h
byte TLS_CT_RSA_SIGN = 1;
byte TLS_CT_DSS_SIGN = 2;
byte TLS_CT_RSA_FIXED_DH = 3;
byte TLS_CT_DSS_FIXED_DH = 4;
byte TLS_CT_ECDSA_SIGN = 64;
byte TLS_CT_RSA_FIXED_ECDH = 65;
byte TLS_CT_ECDSA_FIXED_ECDH = 66;
byte TLS_CT_RSA_SIGN = CertificateCallback.TLS_CT_RSA_SIGN;
byte TLS_CT_DSS_SIGN = CertificateCallback.TLS_CT_DSS_SIGN;
byte TLS_CT_RSA_FIXED_DH = CertificateCallback.TLS_CT_RSA_FIXED_DH;
byte TLS_CT_DSS_FIXED_DH = CertificateCallback.TLS_CT_DSS_FIXED_DH;
byte TLS_CT_ECDSA_SIGN = CertificateCallback.TLS_CT_ECDSA_SIGN;
byte TLS_CT_RSA_FIXED_ECDH = CertificateCallback.TLS_CT_RSA_FIXED_ECDH;
byte TLS_CT_ECDSA_FIXED_ECDH = CertificateCallback.TLS_CT_ECDSA_FIXED_ECDH;
/**
* Called during cert selection. If a certificate chain / key should be used
......
openssl-dynamic/src/main/java/io/netty/internal/tcnative/NativeStaticallyReferencedJniMethods.java
View file @ ac1d9389
......@@ -40,6 +40,7 @@ final class NativeStaticallyReferencedJniMethods {
static native int sslOpNoTLSv1();
static native int sslOpNoTLSv11();
static native int sslOpNoTLSv12();
static native int sslOpNoTLSv13();
static native int sslOpNoTicket();
/**
......
openssl-dynamic/src/main/java/io/netty/internal/tcnative/SSL.java
View file @ ac1d9389
......@@ -50,9 +50,10 @@ public final class SSL {
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
public static final int SSL_PROTOCOL_TLSV1_3 = (1<<5);
/** TLS_*method according to <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html">SSL_CTX_new</a> */
public static final int SSL_PROTOCOL_TLS = (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
public static final int SSL_PROTOCOL_TLS = (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2 | SSL_PROTOCOL_TLSV1_3);
public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLS);
/*
......@@ -69,6 +70,7 @@ public final class SSL {
public static final int SSL_OP_NO_TLSv1 = sslOpNoTLSv1();
public static final int SSL_OP_NO_TLSv1_1 = sslOpNoTLSv11();
public static final int SSL_OP_NO_TLSv1_2 = sslOpNoTLSv12();
public static final int SSL_OP_NO_TLSv1_3 = sslOpNoTLSv13();
public static final int SSL_OP_NO_TICKET = sslOpNoTicket();
public static final int SSL_OP_NO_COMPRESSION = sslOpNoCompression();
......@@ -500,10 +502,33 @@ public final class SSL {
* @param ciphers an SSL cipher specification
* @return {@code true} if successful
* @throws Exception if an error happened
* @deprecated Use {@link #setCipherSuites(long, String, boolean)}
*/
public static native boolean setCipherSuites(long ssl, String ciphers)
throws Exception;
@Deprecated
public static boolean setCipherSuites(long ssl, String ciphers)
throws Exception {
return setCipherSuites(ssl, ciphers, false);
}
/**
* Returns the cipher suites available for negotiation in SSL handshake.
* <p>
* This complex directive uses a colon-separated cipher-spec string consisting
* of OpenSSL cipher specifications to configure the Cipher Suite the client
* is permitted to negotiate in the SSL handshake phase. Notice that this
* directive can be used both in per-server and per-directory context.
* In per-server context it applies to the standard SSL handshake when a
* connection is established. In per-directory context it forces a SSL
* renegotiation with the reconfigured Cipher Suite after the HTTP request
* was read but before the HTTP response is sent.
* @param ssl the SSL instance (SSL *)
* @param ciphers an SSL cipher specification
* @param tlsv13 {@code true} if the ciphers are for TLSv1.3
* @return {@code true} if successful
* @throws Exception if an error happened
*/
public static native boolean setCipherSuites(long ssl, String ciphers, boolean tlsv13)
throws Exception;
/**
* Returns the ID of the session as byte array representation.
*
......@@ -531,7 +556,16 @@ public final class SSL {
* @param ssl the SSL instance (SSL *)
* @param hostname the hostname
*/
public static native void setTlsExtHostName(long ssl, String hostname);
public static void setTlsExtHostName(long ssl, String hostname) {
if (hostname != null && hostname.endsWith(".")) {
// Strip trailing dot if included.
// See https://github.com/netty/netty-tcnative/issues/400
hostname = hostname.substring(0, hostname.length() - 1);
}
setTlsExtHostName0(ssl, hostname);
}
private static native void setTlsExtHostName0(long ssl, String hostname);
/**
* Explicitly control <a href="https://wiki.openssl.org/index.php/Hostname_validation">hostname validation</a>
......@@ -678,15 +712,31 @@ public final class SSL {
* {@link #parseX509Chain(long)} and {@link #parsePrivateKey(long, String)}. It's important to note that the caller
* of the method is responsible to free the passed in chain and key in any case as this method will increment the
* reference count of the chain and key.
*
* @deprecated use {@link #setKeyMaterial(long, long, long)}
*/
public static native void setKeyMaterialServerSide(long ssl, long chain, long key) throws Exception;
@Deprecated
public static void setKeyMaterialServerSide(long ssl, long chain, long key) throws Exception {
setKeyMaterial(ssl, chain, key);
}
/**
* Sets the keymaterial to be used. The passed in chain and key needs to be generated via
* {@link #parseX509Chain(long)} and {@link #parsePrivateKey(long, String)}. It's important to note that the caller
* of the method is responsible to free the passed in chain and key in any case as this method will increment the
* reference count of the chain and key.
*/
public static native void setKeyMaterial(long ssl, long chain, long key) throws Exception;
/**
* Sets the keymaterial to be used for the client side. The passed in chain and key needs to be generated via
* {@link #parseX509Chain(long)} and {@link #parsePrivateKey(long, String)}. It's important to note that the caller
* of the method is responsible to free the passed in chain and key in any case as this method will increment the
* reference count of the chain and key.
*
* @deprecated use {@link #setKeyMaterial(long, long, long)}
*/
@Deprecated
public static native void setKeyMaterialClientSide(long ssl, long x509Out, long pkeyOut, long chain, long key) throws Exception;
/**
......@@ -722,4 +772,21 @@ public final class SSL {
* @throws Exception throws if setting the fips mode failed.
*/
public static native void fipsModeSet(int mode) throws Exception;
/**
* Return the SNI hostname that was sent as part of the SSL Hello.
* @param ssl the SSL instance (SSL *)
* @return the SNI hostname or {@code null} if none was used.
*/
public static native String getSniHostname(long ssl);
/**
* Return the signature algorithms that the remote peer supports or {@code null} if none are supported.
* See <a href="https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_sigalgs.html"> man SSL_get_sigalgs</a> for more details.
* The returned names are generated using {@code OBJ_nid2ln} with the {@code psignhash} as parameter.
*
* @param ssl the SSL instance (SSL *)
* @return the signature algorithms or {@code null}.
*/
public static native String[] getSigAlgs(long ssl);
}
openssl-dynamic/src/main/java/io/netty/internal/tcnative/SSLContext.java
View file @ ac1d9389
......@@ -110,8 +110,31 @@ public final class SSLContext {
* @param ciphers An SSL cipher specification.
* @return {@code true} if successful
* @throws Exception if an error happened
* @deprecated Use {@link #setCipherSuite(long, String, boolean)}.
*/
public static native boolean setCipherSuite(long ctx, String ciphers) throws Exception;
@Deprecated
public static boolean setCipherSuite(long ctx, String ciphers) throws Exception {
return setCipherSuite(ctx, ciphers, false);
}
/**
* Cipher Suite available for negotiation in SSL handshake.
* <br>
* This complex directive uses a colon-separated cipher-spec string consisting
* of OpenSSL cipher specifications to configure the Cipher Suite the client
* is permitted to negotiate in the SSL handshake phase. Notice that this
* directive can be used both in per-server and per-directory context.
* In per-server context it applies to the standard SSL handshake when a
* connection is established. In per-directory context it forces a SSL
* renegotiation with the reconfigured Cipher Suite after the HTTP request
* was read but before the HTTP response is sent.
* @param ctx Server or Client context to use.
* @param ciphers An SSL cipher specification.
* @param tlsv13 {@code true} if the ciphers are for TLSv1.3
* @return {@code true} if successful
* @throws Exception if an error happened
*/
public static native boolean setCipherSuite(long ctx, String ciphers, boolean tlsv13) throws Exception;
/**
* Set File of PEM-encoded Server CA Certificates
......@@ -486,6 +509,15 @@ public final class SSLContext {
*/
public static native void setCertRequestedCallback(long ctx, CertificateRequestedCallback callback);
/**
* Allow to hook {@link CertificateCallback} into the certificate choosing process.
* This will call {@code SSL_CTX_set_cert_cb} and so replace the default verification
* callback used by openssl
* @param ctx Server or Client context to use.
* @param callback the callback to call during certificate selection.
*/
public static native void setCertificateCallback(long ctx, CertificateCallback callback);
/**
* Allow to hook {@link SniHostNameMatcher} into the sni processing.
* This will call {@code SSL_CTX_set_tlsext_servername_callback} and so replace the default
......@@ -565,4 +597,9 @@ public final class SSLContext {
* <p><a href="https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html">Search for OCSP</a>
*/
public static native void disableOcsp(long ctx);
/**
* Returns the {@code SSL_CTX}.
*/
public static native long getSslCtx(long ctx);
}
openssl-static/pom.xml
View file @ ac1d9389
This diff is collapsed.