Name: Tomcat Native Fork for Netty
Short Name: netty-tcnative
URL: https://github.com/netty/netty-tcnative
SHA: 856865181ca38c07b7d2be619903ee98f6f77a23 netty-tcnative-1.1.33.zip
Version: 1.1.33
Date: October 13, 2015
Revision: 2aa47be27783ec31086ca9881402f845543de4e6
License: Apache 2.0
License File: NOT_SHIPPED
Security Critical: no
The library is not security critical because it is used for tests only.
Do not link it into production code.

Description:
    netty-tcnative is a fork of Tomcat Native. It includes a set of changes contributed
    by Twitter, Inc., such as:

    Simplified distribution and linkage of native library
    Complete mavenization of the project
    Improved OpenSSL support

Local Modifications:

diff -ruN ./original/src/main/c/ssl.c ./src/third_party/netty-tcnative/src/c/ssl.c
--- ./original/src/main/c/ssl.c	2015-10-13 08:36:59.000000000 -0400
+++ ./src/third_party/netty-tcnative/src/c/ssl.c	2016-01-04 10:18:31.729765992 -0500
@@ -1821,7 +1821,7 @@
     verify = SSL_VERIFY_NONE;

     UNREFERENCED(o);
-    TCN_ASSERT(ctx != 0);
+    TCN_ASSERT(c->ctx != 0);
     c->verify_mode = level;

     if (c->verify_mode == SSL_CVERIFY_UNSET)
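Review bot: The corrected assertion dereferences `c` with no null check visible in the hunk, and if `TCN_ASSERT` compiles to nothing outside debug builds the `c->ctx` precondition is never enforced at runtime. A `TCN_ASSERT(c != 0);` ahead of it, or an explicit early return, would make the requirement on `c` visible where it is first used. The enclosing function starts before the hunk, so `c` may already be validated there.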

diff --git a/c/ssl.c b/c/ssl.c
index 89e6cad..97c7982 100644
--- a/c/ssl.c
+++ b/c/ssl.c
@@ -231,26 +231,38 @@ static const jint supported_ssl_opts = 0

 static int ssl_tmp_key_init_rsa(int bits, int idx)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(OPENSSL_USE_DEPRECATED)
-    if (!(SSL_temp_keys[idx] =
-          RSA_generate_key(bits, RSA_F4, NULL, NULL))) {
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+    return 0;
+#else
+
 #ifdef OPENSSL_FIPS
-        /**
-         * With FIPS mode short RSA keys cannot be
-         * generated.
-         */
-        if (bits < 1024)
-            return 0;
-        else
-#endif
-        return 1;
-    }
-    else {
+    /**
+     * Short RSA keys cannot be generated in FIPS mode.
+     */
+    if (bits < 1024)
         return 0;
-    }
-#else
-    return 0;
 #endif
+
+    BIGNUM *e = BN_new();
+    RSA *rsa = RSA_new();
+    int ret = 1;
+
+    if (e == NULL ||
+        rsa == NULL ||
+        !BN_set_word(e, RSA_F4) ||
+        RSA_generate_key_ex(rsa, bits, e, NULL) != 1) {
+        goto err;
+    }
+
+    SSL_temp_keys[idx] = rsa;
+    rsa = NULL;
+    ret = 0;
+
+err:
+    BN_free(e);
+    RSA_free(rsa);
+    return ret;
+#endif  /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 }

 static int ssl_tmp_key_init_dh(int bits, int idx)
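Review bot: The bare `return 0;` for OpenSSL >= 1.1.0 gives the reader no reason why no key is generated; a comment such as `/* OpenSSL 1.1.0+: no ephemeral RSA key is generated; SSL_temp_keys[idx] stays unset */` would record the invariant the rest of the file must honour. The FIPS branch now also returns success before any generation is attempted, whereas the removed code tried `RSA_generate_key` first and only excused a failure for `bits < 1024`, so callers of `SSL_temp_keys[idx]` must tolerate a NULL entry — not visible in this hunk. `int ret = 1;` would read more clearly with `/* 1 = failure, 0 = success (matches the original contract) */`, since the convention is inverted from the usual OpenSSL one.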
@@ -610,45 +622,6 @@ int SSL_rand_seed(const char *file)
     return RAND_status();
 }

-static int ssl_rand_make(const char *file, int len, int base64)
-{
-    int r;
-    int num = len;
-    BIO *out = NULL;
-
-    out = BIO_new(BIO_s_file());
-    if (out == NULL)
-        return 0;
-    if ((r = BIO_write_filename(out, (char *)file)) < 0) {
-        BIO_free_all(out);
-        return 0;
-    }
-    if (base64) {
-        BIO *b64 = BIO_new(BIO_f_base64());
-        if (b64 == NULL) {
-            BIO_free_all(out);
-            return 0;
-        }
-        out = BIO_push(b64, out);
-    }
-    while (num > 0) {
-        unsigned char buf[4096];
-        int len = num;
-        if (len > sizeof(buf))
-            len = sizeof(buf);
-        r = RAND_bytes(buf, len);
-        if (r <= 0) {
-            BIO_free_all(out);
-            return 0;
-        }
-        BIO_write(out, buf, len);
-        num -= len;
-    }
-    r = BIO_flush(out);
-    BIO_free_all(out);
-    return r > 0 ? 1 : 0;
-}
-
 TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
 {
     int r = 0;
@@ -785,17 +758,6 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, randSave)(TCN_STDARGS, jstring file)
     return r ? JNI_TRUE : JNI_FALSE;
 }

-TCN_IMPLEMENT_CALL(jboolean, SSL, randMake)(TCN_STDARGS, jstring file,
-                                            jint length, jboolean base64)
-{
-    TCN_ALLOC_CSTRING(file);
-    int r;
-    UNREFERENCED(o);
-    r = ssl_rand_make(J2S(file), length, base64);
-    TCN_FREE_CSTRING(file);
-    return r ? JNI_TRUE : JNI_FALSE;
-}
-
 TCN_IMPLEMENT_CALL(void, SSL, randSet)(TCN_STDARGS, jstring file)
 {
     TCN_ALLOC_CSTRING(file);

diff --git a/c/sslcontext.c b/c/sslcontext.c
index 925ca2a..78afe61 100644
--- a/c/sslcontext.c
+++ b/c/sslcontext.c
@@ -1464,7 +1464,11 @@ static const char* authentication_method(const SSL* ssl) {
         case SSL2_VERSION:
             return SSL_TXT_RSA;
         default:
+#if defined(OPENSSL_IS_BORINGSSL)
+            return cipher_authentication_method(SSL_get_pending_cipher(ssl));
+#else
             return cipher_authentication_method(ssl->s3->tmp.new_cipher);
+#endif
         }
     }
 }
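Review bot: `SSL_get_pending_cipher(ssl)` returns NULL when no handshake cipher has been selected yet, and the hunk does not show whether `cipher_authentication_method` tolerates a NULL cipher; the pre-existing `ssl->s3->tmp.new_cipher` path carries the same exposure. Binding the result first, `const SSL_CIPHER *cipher = SSL_get_pending_cipher(ssl);`, and checking it for NULL before the call would keep a caller outside an active handshake from dereferencing it. The body of `authentication_method` begins before the hunk.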


025da0aad4f9c2fdeebb64bcebf11bbf2c12a2bd and
fd68c837b156ddb4b054e03d99a401e93068b34d were backported from upstream.