All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.tomcat.jni.SSLExt Maven / Gradle / Ivy

Go to download

A Mavenized fork of Tomcat Native which incorporates various patches. This artifact is statically linked to OpenSSL and Apache APR.

The newest version!
/*
 *  Licensed to the Apache Software Foundation (ASF) under one or more
 *  contributor license agreements.  See the NOTICE file distributed with
 *  this work for additional information regarding copyright ownership.
 *  The ASF licenses this file to You under the Apache License, Version 2.0
 *  (the "License"); you may not use this file except in compliance with
 *  the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package org.apache.tomcat.jni;

/**
 * Support TLS extensions and extra methods.
 *
 * The methods are separated to make it easier for java code to
 * support existing native library - it can check if this class can
 * be loaded in order to use the exensions.
 *
 * @author Costin Manolache
 */
public final class SSLExt {


    /**
     * Set advertised NPN protocol.
     * This is only available for recent or patched openssl.
     *
     * Example: "\x06spdy/2"
     *
     * Works with TLS1, doesn't with SSL2/SSL3
     *
     * Servers sends list in ServerHelo, client selects it and
     * sends it back after ChangeChipher
     *
     * Not supported in 1.0.0, seems to be in 1.0.1 and after
     */
    public static native int setNPN(long tcctx, byte[] proto, int len);

    /**
     * Get other side's advertised protocols.
     * Only works after handshake.
     */
    public static native int getNPN(long tcsock, byte[] proto);

    /**
     * Enabling dump/debugging on the socket. Both raw and decrypted
     * packets will be logged.
     */
    public static native int debug(long tcsock);

    /**
     * Server: Extract the session data associated with the socket.
     * Must be saved, keyed by session ID.
     */
    public static native byte[] getSessionData(long tcsock);

    /**
     * Server: Set the session data for a socket.
     */
    public static native int setSessionData(long tcsock, byte[] data, int len);


    /**
     * Client: get the ticket received from server, if tickets are supported.
     */
    public static native int getTicket(long tcsock, byte[] resBuf);

    /**
     * Client: set the previously received ticket.
     */
    public static native int setTicket(long tcsock, byte[] data, int len);

    /**
     * Set the key used by server to generate tickets.
     * Key must be 48 bytes.
     */
    public static native int setTicketKeys(long ctx, byte[] data, int len);

    /**
     * For client side calls. Data should be a \0 terminated string
     */
    public static native int setSNI(long tcsock, byte[] data, int len);

    /**
     * Return the last openssl error
     */
    public static native String sslErrReasonErrorString();

    public static native long sslCtxSetMode(long ctx, long mode);

    /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
     * when just a single record has been written): */
    public static final int SSL_MODE_ENABLE_PARTIAL_WRITE = 0x1;

    /* Make it possible to retry SSL_write() with changed buffer location
     * (buffer contents must stay the same!); this is not the default to avoid
     * the misconception that non-blocking SSL_write() behaves like
     * non-blocking write(): */
    public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = 0x2;

    /* Don't attempt to automatically build certificate chain */
    static final int SSL_MODE_NO_AUTO_CHAIN = 0x8;

    /* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
     * TLS only.)  "Released" buffers are put onto a free-list in the context
     * or just freed (depending on the context's setting for freelist_max_len). */
    public static final int SSL_MODE_RELEASE_BUFFERS = 0x10;

    // 1.1
    //static final int SSL_MODE_HANDSHAKE_CUTTHROUGH = ..;

    /**
     * SSL_set_mode
     */
    public static native long sslSetMode(long tcsock, long mode);

    public static int setNPN(long sslContext, byte[] spdyNPN) {
        try {
            return SSLExt.setNPN(sslContext, spdyNPN, spdyNPN.length);
        } catch (Throwable t) {
            t.printStackTrace();
            return -1;
        }
    }

    /**
     * Higher level method, checking if the specified protocol has been
     * negotiated.
     */
    public static boolean checkNPN(long tcsocket, byte[] expected) {
        byte[] npn = new byte[expected.length + 1];
        int npnLen = 0;
        try {
            npnLen = SSLExt.getNPN(tcsocket, npn);
            if (npnLen != expected.length) {
                return false;
            }
        } catch (Throwable t) {
            // ignore
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != npn[i]) {
                return false;
            }
        }
        return true;
    }



}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy