Author: costin
Date: Tue Feb  7 06:13:36 2012
New Revision: 1241356

URL: http://svn.apache.org/viewvc?rev=1241356&view=rev
Log:
Add the new ssl methods from tomcat-native (and a few poll methods that seemed
to be missing).

APR connector will not work unless you recompile tomcat-native ! ( it is ok to 
use the current version of 
openssl, but npn methods will not work )


Added:
    tomcat/trunk/java/org/apache/tomcat/jni/SSLExt.java
Modified:
    tomcat/trunk/java/org/apache/tomcat/jni/Poll.java
    tomcat/trunk/java/org/apache/tomcat/jni/SSL.java

Modified: tomcat/trunk/java/org/apache/tomcat/jni/Poll.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/Poll.java?rev=1241356&r1=1241355&r2=1241356&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/Poll.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/Poll.java Tue Feb  7 06:13:36 2012
@@ -154,4 +154,19 @@ public class Poll {
      */
     public static native int pollset(long pollset, long [] descriptors);
 
+    /**
+     * Make poll() return. 
+     * 
+     * @param pollset
+     * @return
+     */
+    public static native int interrupt(long pollset);
+    
+    /**
+     * Check if interrupt() is allowed.
+     * 
+     * @param pollset
+     * @return
+     */
+    public static native boolean wakeable(long pollset);
 }
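Review bot: The Javadoc added for `interrupt` and `wakeable` carries empty `@param pollset` and `@return` tags, so javadoc emits warnings and a caller still does not know what the return value means or whether `interrupt` may be called from a thread other than the one blocked in `poll()`. I would fill them in along the lines of `@param pollset the pollset handle whose pending poll() should return`, `@return APR status code` on `interrupt`, and `@return {@code true} if the pollset was created with wake-up support, {@code false} otherwise` on `wakeable` — presumably these map onto APR's wakeup facility, but the native side is not in this diff, so the exact convention should be confirmed there. The whitespace-only line between the two methods should be a plain blank line.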

Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1241356&r1=1241355&r2=1241356&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Tue Feb  7 06:13:36 2012
@@ -136,7 +136,8 @@ public final class SSL {
     public static final int SSL_OP_NO_SSLv2                         = 
0x01000000;
     public static final int SSL_OP_NO_SSLv3                         = 
0x02000000;
     public static final int SSL_OP_NO_TLSv1                         = 
0x04000000;
-
+    public static final int SSL_OP_NO_TICKET                        = 
0x00004000;
+    
     /* The next flag deliberately changes the ciphertest, this is a check
      * for the PKCS#1 attack */
     public static final int SSL_OP_PKCS1_CHECK_1                    = 
0x08000000;
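Review bot: The blank separator line is replaced by a whitespace-only line after the new `SSL_OP_NO_TICKET` declaration; the trailing spaces should be dropped so the file stays free of trailing whitespace. Unlike the neighbouring `SSL_OP_NO_SSLv2`/`SSLv3`/`TLSv1` flags, the purpose of this one is not evident from its name, so a one-line comment such as `/* Disable RFC 5077 session tickets; resumption then relies on the server-side session cache */` would help readers, especially since the ticket-related methods in `SSLExt` are still commented out. The value `0x00004000` matches OpenSSL's definition of the flag.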

Added: tomcat/trunk/java/org/apache/tomcat/jni/SSLExt.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSLExt.java?rev=1241356&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSLExt.java (added)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSLExt.java Tue Feb  7 06:13:36 2012
@@ -0,0 +1,153 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.apache.tomcat.jni;
+
+/** 
+ * Support TLS extensions and extra methods. 
+ * 
+ * The methods are separated to make it easier for java code to 
+ * support existing native library - it can check if this class can 
+ * be loaded in order to use the exensions.
+ *
+ * @author Costin Manolache
+ */
+public final class SSLExt {
+
+    
+    /**
+     * Set advertised NPN protocol. 
+     * This is only available for recent or patched openssl.
+     * 
+     * Example: "\x06spdy/2"
+     * 
+     * Works with TLS1, doesn't with SSL2/SSL3
+     * 
+     * Servers sends list in ServerHelo, client selects it and 
+     * sends it back after ChangeChipher
+     * 
+     * Not supported in 1.0.0, seems to be in 1.0.1 and after
+     */
+    public static native int setNPN(long tcctx, byte[] proto, int len);
+    
+    /**
+     * Get other side's advertised protocols. 
+     * Only works after handshake.
+     */
+    public static native int getNPN(long tcsock, byte[] proto);
+
+    /** 
+     * Enabling dump/debugging on the socket. Both raw and decrypted
+     * packets will be logged.
+     */
+    public static native int debug(long tcsock);
+
+    /**
+     * Server: Extract the session data associated with the socket.
+     * Must be saved, keyed by session ID.
+     */
+    public static native byte[] getSessionData(long tcsock);
+    
+    /**
+     * Server: Set the session data for a socket.
+     */
+    public static native int setSessionData(long tcsock, byte[] data, int len);
+    
+    
+//    /**
+//     * Client: get the ticket received from server, if tickets are 
supported. 
+//     */
+//    public static native int getTicket(long tcsock, byte[] resBuf);
+//
+//    /**
+//     * Client: set the previously received ticket.
+//     */
+//    public static native int setTicket(long tcsock, byte[] data, int len);
+//
+//    /** 
+//     * Set the key used by server to generate tickets.
+//     * Key must be 48 bytes.
+//     */
+//    public static native int setTicketKeys(long ctx, byte[] data, int len);
+//    
+    /**
+     * For client side calls. Data should be a \0 terminated string
+     */
+    public static native int setSNI(long tcsock, byte[] data, int len);
+
+    /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
+     * when just a single record has been written): */
+    static final int SSL_MODE_ENABLE_PARTIAL_WRITE = 0x1;
+    
+    /* Make it possible to retry SSL_write() with changed buffer location
+     * (buffer contents must stay the same!); this is not the default to avoid
+     * the misconception that non-blocking SSL_write() behaves like
+     * non-blocking write(): */
+    static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = 0x2;
+
+    /* Don't attempt to automatically build certificate chain */
+    static final int SSL_MODE_NO_AUTO_CHAIN = 0x8;
+
+    /* Save RAM by releasing read and write buffers when they're empty. (SSL3 
and
+     * TLS only.)  "Released" buffers are put onto a free-list in the context
+     * or just freed (depending on the context's setting for 
freelist_max_len). */    
+    static final int SSL_MODE_SMALL_BUFFERS = 0x10;
+    
+    // 1.1
+    //static final int SSL_MODE_HANDSHAKE_CUTTHROUGH = ..;
+
+    /**
+     * SSL_set_mode
+     */
+    public static native int sslSetMode(long tcsock, int mode);
+
+    public static int setNPN(long sslContext, byte[] spdyNPN) {
+        try {
+            return SSLExt.setNPN(sslContext, spdyNPN, spdyNPN.length);
+        } catch (Throwable t) {
+            t.printStackTrace();
+            return -1;
+        }        
+    }
+    
+    /**
+     * Higher level method, checking if the specified protocol has been 
+     * negotiated.
+     */
+    public static boolean checkNPN(long tcsocket, byte[] expected) {
+        byte[] npn = new byte[expected.length + 1];
+        int npnLen = 0;
+        try {
+            npnLen = SSLExt.getNPN(tcsocket, npn);
+            if (npnLen != expected.length) {
+                return false;
+            }
+        } catch (Throwable t) {
+            // ignore
+            return false;
+        }
+        for (int i = 0; i < expected.length; i++) {
+            if (expected[i] != npn[i]) {
+                return false;
+            }
+        }   
+        return true;
+    }
+    
+    
+    
+}
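Review bot: `sslSetMode` is public but the four `SSL_MODE_*` constants it expects are package-private (`static final int SSL_MODE_ENABLE_PARTIAL_WRITE = 0x1;` and the three that follow), so any caller outside `org.apache.tomcat.jni` has to hard-code the OpenSSL bit values; declare them `public static final int`, matching the `SSL_OP_*` style in `SSL.java`. The two-argument `setNPN` catches `Throwable` and calls `t.printStackTrace()` before returning -1, which dumps to stderr and hides whether the failure was a missing native symbol or a real error; if the catch is meant to tolerate an old tomcat-native without these entries, narrow it to `UnsatisfiedLinkError` and route the message through the logger. The natives that take `(byte[] data, int len)` do no Java-side check that `len <= data.length`, so the precondition should at least be stated in their Javadoc unless the native side is known to validate it. The Javadoc for `getSessionData` should also say that the returned bytes presumably carry the serialized session including its master secret, so a persisted copy needs the same protection as key material. The commented-out ticket methods are dead code and should be removed rather than left in the new file.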


