| OLD | NEW |
|---|
| 1 Name: Tomcat Native Fork for Netty | 1 Name: Tomcat Native Fork for Netty |
| 2 Short Name: netty-tcnative | 2 Short Name: netty-tcnative |
| 3 URL: https://github.com/netty/netty-tcnative | 3 URL: https://github.com/netty/netty-tcnative.git |
| 4 SHA: 856865181ca38c07b7d2be619903ee98f6f77a23 netty-tcnative-1.1.33.zip | 4 Version: 2.0.0.Final |
| 5 Version: 1.1.33 | 5 Date: March 9, 2017 |
| 6 Date: October 13, 2015 | 6 Revision: 28d9d70090f1b18927f4554621648cc1922d6e05 |
| 7 Revision: 2aa47be27783ec31086ca9881402f845543de4e6 | |
| 8 License: Apache 2.0 | 7 License: Apache 2.0 |
| 9 License File: NOT_SHIPPED | 8 License File: NOT_SHIPPED |
| 10 Security Critical: no | 9 Security Critical: no |
| 11 The library is not security critical because it is used for tests only. | 10 The library is not security critical because it is used for tests only. |
| 12 Do not link it into production code. | 11 Do not link it into production code. |
| 13 | 12 |
| 14 Description: | 13 Description: |
| 15 netty-tcnative is a fork of Tomcat Native. It includes a set of changes cont
ributed | 14 netty-tcnative is a fork of Tomcat Native. It includes a set of changes cont
ributed |
| 16 by Twitter, Inc, such as: | 15 by Twitter, Inc, such as: |
| 17 | 16 |
| 18 Simplified distribution and linkage of native library | 17 Simplified distribution and linkage of native library |
| 19 Complete mavenization of the project | 18 Complete mavenization of the project |
| 20 Improved OpenSSL support | 19 Improved OpenSSL support |
| 21 | 20 |
| 22 Local Modifications: | 21 Local Modifications: |
| 23 | 22 |
| 24 diff -ruN ./original/src/main/c/ssl.c ./src/third_party/netty-tcnative/src/c/ssl
.c | |
| 25 --- ./original/src/main/c/ssl.c 2015-10-13 08:36:59.000000000 -0400 | |
| 26 +++ ./src/third_party/netty-tcnative/src/c/ssl.c 2016-01-04 10:18:31.7297
65992 -0500 | |
| 27 @@ -1821,7 +1821,7 @@ | |
| 28 verify = SSL_VERIFY_NONE; | |
| 29 | |
| 30 UNREFERENCED(o); | |
| 31 - TCN_ASSERT(ctx != 0); | |
| 32 + TCN_ASSERT(c->ctx != 0); | |
| 33 c->verify_mode = level; | |
| 34 | |
| 35 if (c->verify_mode == SSL_CVERIFY_UNSET) | |
| 36 | |
| 37 diff --git a/c/ssl.c b/c/ssl.c | |
| 38 index 89e6cad..97c7982 100644 | |
| 39 --- a/c/ssl.c | |
| 40 +++ b/c/ssl.c | |
| 41 @@ -231,26 +231,38 @@ static const jint supported_ssl_opts = 0 | |
| 42 | |
| 43 static int ssl_tmp_key_init_rsa(int bits, int idx) | |
| 44 { | |
| 45 -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(OPENSSL_USE_DEPRECATED) | |
| 46 - if (!(SSL_temp_keys[idx] = | |
| 47 - RSA_generate_key(bits, RSA_F4, NULL, NULL))) { | |
| 48 +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) | |
| 49 + return 0; | |
| 50 +#else | |
| 51 + | |
| 52 #ifdef OPENSSL_FIPS | |
| 53 - /** | |
| 54 - * With FIPS mode short RSA keys cannot be | |
| 55 - * generated. | |
| 56 - */ | |
| 57 - if (bits < 1024) | |
| 58 - return 0; | |
| 59 - else | |
| 60 -#endif | |
| 61 - return 1; | |
| 62 - } | |
| 63 - else { | |
| 64 + /** | |
| 65 + * Short RSA keys cannot be generated in FIPS mode. | |
| 66 + */ | |
| 67 + if (bits < 1024) | |
| 68 return 0; | |
| 69 - } | |
| 70 -#else | |
| 71 - return 0; | |
| 72 #endif | |
| 73 + | |
| 74 + BIGNUM *e = BN_new(); | |
| 75 + RSA *rsa = RSA_new(); | |
| 76 + int ret = 1; | |
| 77 + | |
| 78 + if (e == NULL || | |
| 79 + rsa == NULL || | |
| 80 + !BN_set_word(e, RSA_F4) || | |
| 81 + RSA_generate_key_ex(rsa, bits, e, NULL) != 1) { | |
| 82 + goto err; | |
| 83 + } | |
| 84 + | |
| 85 + SSL_temp_keys[idx] = rsa; | |
| 86 + rsa = NULL; | |
| 87 + ret = 0; | |
| 88 + | |
| 89 +err: | |
| 90 + BN_free(e); | |
| 91 + RSA_free(rsa); | |
| 92 + return ret; | |
| 93 +#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ | |
| 94 } | |
| 95 | |
| 96 static int ssl_tmp_key_init_dh(int bits, int idx) | |
| 97 @@ -610,45 +622,6 @@ int SSL_rand_seed(const char *file) | |
| 98 return RAND_status(); | |
| 99 } | |
| 100 | |
| 101 -static int ssl_rand_make(const char *file, int len, int base64) | |
| 102 -{ | |
| 103 - int r; | |
| 104 - int num = len; | |
| 105 - BIO *out = NULL; | |
| 106 - | |
| 107 - out = BIO_new(BIO_s_file()); | |
| 108 - if (out == NULL) | |
| 109 - return 0; | |
| 110 - if ((r = BIO_write_filename(out, (char *)file)) < 0) { | |
| 111 - BIO_free_all(out); | |
| 112 - return 0; | |
| 113 - } | |
| 114 - if (base64) { | |
| 115 - BIO *b64 = BIO_new(BIO_f_base64()); | |
| 116 - if (b64 == NULL) { | |
| 117 - BIO_free_all(out); | |
| 118 - return 0; | |
| 119 - } | |
| 120 - out = BIO_push(b64, out); | |
| 121 - } | |
| 122 - while (num > 0) { | |
| 123 - unsigned char buf[4096]; | |
| 124 - int len = num; | |
| 125 - if (len > sizeof(buf)) | |
| 126 - len = sizeof(buf); | |
| 127 - r = RAND_bytes(buf, len); | |
| 128 - if (r <= 0) { | |
| 129 - BIO_free_all(out); | |
| 130 - return 0; | |
| 131 - } | |
| 132 - BIO_write(out, buf, len); | |
| 133 - num -= len; | |
| 134 - } | |
| 135 - r = BIO_flush(out); | |
| 136 - BIO_free_all(out); | |
| 137 - return r > 0 ? 1 : 0; | |
| 138 -} | |
| 139 - | |
| 140 TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine) | |
| 141 { | |
| 142 int r = 0; | |
| 143 @@ -785,17 +758,6 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, randSave)(TCN_STDARGS, js
tring file) | |
| 144 return r ? JNI_TRUE : JNI_FALSE; | |
| 145 } | |
| 146 | |
| 147 -TCN_IMPLEMENT_CALL(jboolean, SSL, randMake)(TCN_STDARGS, jstring file, | |
| 148 - jint length, jboolean base64) | |
| 149 -{ | |
| 150 - TCN_ALLOC_CSTRING(file); | |
| 151 - int r; | |
| 152 - UNREFERENCED(o); | |
| 153 - r = ssl_rand_make(J2S(file), length, base64); | |
| 154 - TCN_FREE_CSTRING(file); | |
| 155 - return r ? JNI_TRUE : JNI_FALSE; | |
| 156 -} | |
| 157 - | |
| 158 TCN_IMPLEMENT_CALL(void, SSL, randSet)(TCN_STDARGS, jstring file) | |
| 159 { | |
| 160 TCN_ALLOC_CSTRING(file); | |
| 161 | |
| 162 diff --git a/c/sslcontext.c b/c/sslcontext.c | 23 diff --git a/c/sslcontext.c b/c/sslcontext.c |
| 163 index 925ca2a..78afe61 100644 | 24 index 5668298..25bfb6e 100644 |
| 164 --- a/c/sslcontext.c | 25 --- a/c/sslcontext.c |
| 165 +++ b/c/sslcontext.c | 26 +++ b/c/sslcontext.c |
| 166 @@ -1464,7 +1464,11 @@ static const char* authentication_method(const SSL* ssl)
{ | 27 @@ -1178,7 +1178,7 @@ static int SSL_cert_verify(X509_STORE_CTX *ctx, void *arg)
{ |
| 167 case SSL2_VERSION: | 28 tcn_ssl_ctxt_t *c = SSL_get_app_data2(ssl); |
| 168 return SSL_TXT_RSA; | 29 TCN_ASSERT(c != NULL); |
| 169 default: | 30 tcn_ssl_verify_config_t* verify_config = SSL_get_app_data4(ssl); |
| 170 +#if defined(OPENSSL_IS_BORINGSSL) | 31 - TCN_ASSERT(verify_confg != NULL); |
| 171 + return cipher_authentication_method(SSL_get_pending_cipher(ssl)); | 32 + TCN_ASSERT(verify_config != NULL); |
| 172 +#else | |
| 173 return cipher_authentication_method(ssl->s3->tmp.new_cipher); | |
| 174 +#endif | |
| 175 } | |
| 176 } | |
| 177 } | |
| 178 | 33 |
| 179 | 34 // Get a stack of all certs in the chain |
| 180 025da0aad4f9c2fdeebb64bcebf11bbf2c12a2bd and | 35 STACK_OF(X509) *sk = ctx->untrusted; |
| 181 fd68c837b156ddb4b054e03d99a401e93068b34d were backported from upstream. | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2843293002:
Switched to new versions of netty and tcnative (Closed)
