1 Name: Tomcat Native Fork for Netty | 1 Name: Tomcat Native Fork for Netty |
2 Short Name: netty-tcnative | 2 Short Name: netty-tcnative |
3 URL: https://github.com/netty/netty-tcnative | 3 URL: https://github.com/netty/netty-tcnative.git |
4 SHA: 856865181ca38c07b7d2be619903ee98f6f77a23 netty-tcnative-1.1.33.zip | 4 Version: 2.0.0.Final |
5 Version: 1.1.33 | 5 Date: March 9, 2017 |
6 Date: October 13, 2015 | 6 Revision: 28d9d70090f1b18927f4554621648cc1922d6e05 |
7 Revision: 2aa47be27783ec31086ca9881402f845543de4e6 | |
8 License: Apache 2.0 | 7 License: Apache 2.0 |
9 License File: NOT_SHIPPED | 8 License File: NOT_SHIPPED |
10 Security Critical: no | 9 Security Critical: no |
11 The library is not security critical because it is used for tests only. | 10 The library is not security critical because it is used for tests only. |
12 Do not link it into production code. | 11 Do not link it into production code. |
13 | 12 |
14 Description: | 13 Description: |
15 netty-tcnative is a fork of Tomcat Native. It includes a set of changes cont
ributed | 14 netty-tcnative is a fork of Tomcat Native. It includes a set of changes cont
ributed |
16 by Twitter, Inc, such as: | 15 by Twitter, Inc, such as: |
17 | 16 |
18 Simplified distribution and linkage of native library | 17 Simplified distribution and linkage of native library |
19 Complete mavenization of the project | 18 Complete mavenization of the project |
20 Improved OpenSSL support | 19 Improved OpenSSL support |
21 | 20 |
22 Local Modifications: | 21 Local Modifications: |
23 | 22 |
24 diff -ruN ./original/src/main/c/ssl.c ./src/third_party/netty-tcnative/src/c/ssl
.c | |
25 --- ./original/src/main/c/ssl.c 2015-10-13 08:36:59.000000000 -0400 | |
26 +++ ./src/third_party/netty-tcnative/src/c/ssl.c 2016-01-04 10:18:31.7297
65992 -0500 | |
27 @@ -1821,7 +1821,7 @@ | |
28 verify = SSL_VERIFY_NONE; | |
29 | |
30 UNREFERENCED(o); | |
31 - TCN_ASSERT(ctx != 0); | |
32 + TCN_ASSERT(c->ctx != 0); | |
33 c->verify_mode = level; | |
34 | |
35 if (c->verify_mode == SSL_CVERIFY_UNSET) | |
36 | |
37 diff --git a/c/ssl.c b/c/ssl.c | |
38 index 89e6cad..97c7982 100644 | |
39 --- a/c/ssl.c | |
40 +++ b/c/ssl.c | |
41 @@ -231,26 +231,38 @@ static const jint supported_ssl_opts = 0 | |
42 | |
43 static int ssl_tmp_key_init_rsa(int bits, int idx) | |
44 { | |
45 -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(OPENSSL_USE_DEPRECATED) | |
46 - if (!(SSL_temp_keys[idx] = | |
47 - RSA_generate_key(bits, RSA_F4, NULL, NULL))) { | |
48 +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) | |
49 + return 0; | |
50 +#else | |
51 + | |
52 #ifdef OPENSSL_FIPS | |
53 - /** | |
54 - * With FIPS mode short RSA keys cannot be | |
55 - * generated. | |
56 - */ | |
57 - if (bits < 1024) | |
58 - return 0; | |
59 - else | |
60 -#endif | |
61 - return 1; | |
62 - } | |
63 - else { | |
64 + /** | |
65 + * Short RSA keys cannot be generated in FIPS mode. | |
66 + */ | |
67 + if (bits < 1024) | |
68 return 0; | |
69 - } | |
70 -#else | |
71 - return 0; | |
72 #endif | |
73 + | |
74 + BIGNUM *e = BN_new(); | |
75 + RSA *rsa = RSA_new(); | |
76 + int ret = 1; | |
77 + | |
78 + if (e == NULL || | |
79 + rsa == NULL || | |
80 + !BN_set_word(e, RSA_F4) || | |
81 + RSA_generate_key_ex(rsa, bits, e, NULL) != 1) { | |
82 + goto err; | |
83 + } | |
84 + | |
85 + SSL_temp_keys[idx] = rsa; | |
86 + rsa = NULL; | |
87 + ret = 0; | |
88 + | |
89 +err: | |
90 + BN_free(e); | |
91 + RSA_free(rsa); | |
92 + return ret; | |
93 +#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ | |
94 } | |
95 | |
96 static int ssl_tmp_key_init_dh(int bits, int idx) | |
97 @@ -610,45 +622,6 @@ int SSL_rand_seed(const char *file) | |
98 return RAND_status(); | |
99 } | |
100 | |
101 -static int ssl_rand_make(const char *file, int len, int base64) | |
102 -{ | |
103 - int r; | |
104 - int num = len; | |
105 - BIO *out = NULL; | |
106 - | |
107 - out = BIO_new(BIO_s_file()); | |
108 - if (out == NULL) | |
109 - return 0; | |
110 - if ((r = BIO_write_filename(out, (char *)file)) < 0) { | |
111 - BIO_free_all(out); | |
112 - return 0; | |
113 - } | |
114 - if (base64) { | |
115 - BIO *b64 = BIO_new(BIO_f_base64()); | |
116 - if (b64 == NULL) { | |
117 - BIO_free_all(out); | |
118 - return 0; | |
119 - } | |
120 - out = BIO_push(b64, out); | |
121 - } | |
122 - while (num > 0) { | |
123 - unsigned char buf[4096]; | |
124 - int len = num; | |
125 - if (len > sizeof(buf)) | |
126 - len = sizeof(buf); | |
127 - r = RAND_bytes(buf, len); | |
128 - if (r <= 0) { | |
129 - BIO_free_all(out); | |
130 - return 0; | |
131 - } | |
132 - BIO_write(out, buf, len); | |
133 - num -= len; | |
134 - } | |
135 - r = BIO_flush(out); | |
136 - BIO_free_all(out); | |
137 - return r > 0 ? 1 : 0; | |
138 -} | |
139 - | |
140 TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine) | |
141 { | |
142 int r = 0; | |
143 @@ -785,17 +758,6 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, randSave)(TCN_STDARGS, js
tring file) | |
144 return r ? JNI_TRUE : JNI_FALSE; | |
145 } | |
146 | |
147 -TCN_IMPLEMENT_CALL(jboolean, SSL, randMake)(TCN_STDARGS, jstring file, | |
148 - jint length, jboolean base64) | |
149 -{ | |
150 - TCN_ALLOC_CSTRING(file); | |
151 - int r; | |
152 - UNREFERENCED(o); | |
153 - r = ssl_rand_make(J2S(file), length, base64); | |
154 - TCN_FREE_CSTRING(file); | |
155 - return r ? JNI_TRUE : JNI_FALSE; | |
156 -} | |
157 - | |
158 TCN_IMPLEMENT_CALL(void, SSL, randSet)(TCN_STDARGS, jstring file) | |
159 { | |
160 TCN_ALLOC_CSTRING(file); | |
161 | |
162 diff --git a/c/sslcontext.c b/c/sslcontext.c | 23 diff --git a/c/sslcontext.c b/c/sslcontext.c |
163 index 925ca2a..78afe61 100644 | 24 index 5668298..25bfb6e 100644 |
164 --- a/c/sslcontext.c | 25 --- a/c/sslcontext.c |
165 +++ b/c/sslcontext.c | 26 +++ b/c/sslcontext.c |
166 @@ -1464,7 +1464,11 @@ static const char* authentication_method(const SSL* ssl)
{ | 27 @@ -1178,7 +1178,7 @@ static int SSL_cert_verify(X509_STORE_CTX *ctx, void *arg)
{ |
167 case SSL2_VERSION: | 28 tcn_ssl_ctxt_t *c = SSL_get_app_data2(ssl); |
168 return SSL_TXT_RSA; | 29 TCN_ASSERT(c != NULL); |
169 default: | 30 tcn_ssl_verify_config_t* verify_config = SSL_get_app_data4(ssl); |
170 +#if defined(OPENSSL_IS_BORINGSSL) | 31 - TCN_ASSERT(verify_confg != NULL); |
171 + return cipher_authentication_method(SSL_get_pending_cipher(ssl)); | 32 + TCN_ASSERT(verify_config != NULL); |
172 +#else | |
173 return cipher_authentication_method(ssl->s3->tmp.new_cipher); | |
174 +#endif | |
175 } | |
176 } | |
177 } | |
178 | 33 |
179 | 34 // Get a stack of all certs in the chain |
180 025da0aad4f9c2fdeebb64bcebf11bbf2c12a2bd and | 35 STACK_OF(X509) *sk = ctx->untrusted; |
181 fd68c837b156ddb4b054e03d99a401e93068b34d were backported from upstream. | |
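Review bot: The repaired `TCN_ASSERT(verify_config != NULL)` still guards nothing at runtime in a release build: an undeclared identifier (`verify_confg`) surviving into a tagged release strongly suggests TCN_ASSERT expands to nothing unless a debug macro is defined, so a NULL `verify_config` would reach whatever dereferences it later in SSL_cert_verify (that use is outside the hunk, so this is inferred rather than seen). If the NULL case is reachable, pair the assert with a hard check that fails verification, `if (verify_config == NULL) return 0;`, instead of relying on the debug-only macro. Separately, the context line `STACK_OF(X509) *sk = ctx->untrusted;` reaches into X509_STORE_CTX directly, which is opaque from OpenSSL 1.1.0 onward (`X509_STORE_CTX_get0_untrusted(ctx)` is the portable accessor); it is untouched by this patch and fine where the struct is visible, but worth recording as a caveat under "Local Modifications" if the fork is ever built against OpenSSL rather than BoringSSL. SSL_cert_verify continues past the end of the hunk.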