The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 1 | /* |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2 | * Copyright (C) 2007-2008 The Android Open Source Project |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | /** |
| 18 | * Native glue for Java class org.apache.harmony.xnet.provider.jsse.NativeCrypto |
| 19 | */ |
| 20 | |
| 21 | #define LOG_TAG "NativeCrypto" |
| 22 | |
Brian Carlstrom | 3900e26 | 2010-11-10 10:56:21 -0800 | [diff] [blame^] | 23 | #include <algorithm> |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 24 | #include <fcntl.h> |
| 25 | #include <sys/socket.h> |
| 26 | #include <unistd.h> |
| 27 | |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 28 | #include <jni.h> |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 29 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 30 | #include <openssl/dsa.h> |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 31 | #include <openssl/err.h> |
| 32 | #include <openssl/evp.h> |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 33 | #include <openssl/rand.h> |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 34 | #include <openssl/rsa.h> |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 35 | #include <openssl/ssl.h> |
| 36 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 37 | #include "AsynchronousSocketCloseMonitor.h" |
Elliott Hughes | a9f5c16 | 2010-06-16 16:32:18 -0700 | [diff] [blame] | 38 | #include "JNIHelp.h" |
| 39 | #include "JniConstants.h" |
Elliott Hughes | 221d0cc | 2010-07-15 11:09:45 -0700 | [diff] [blame] | 40 | #include "JniException.h" |
Elliott Hughes | a9f5c16 | 2010-06-16 16:32:18 -0700 | [diff] [blame] | 41 | #include "LocalArray.h" |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 42 | #include "NetFd.h" |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 43 | #include "NetworkUtilities.h" |
Brian Carlstrom | 3534c7c | 2010-05-14 21:49:34 -0700 | [diff] [blame] | 44 | #include "ScopedLocalRef.h" |
Elliott Hughes | 99c59bf | 2010-05-17 16:22:04 -0700 | [diff] [blame] | 45 | #include "ScopedPrimitiveArray.h" |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 46 | #include "ScopedUtfChars.h" |
| 47 | #include "UniquePtr.h" |
| 48 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 49 | #undef WITH_JNI_TRACE |
Brian Carlstrom | 0cbd33d | 2010-11-09 22:01:58 -0800 | [diff] [blame] | 50 | #undef WITH_JNI_TRACE_DATA |
| 51 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 52 | #ifdef WITH_JNI_TRACE |
| 53 | #define JNI_TRACE(...) \ |
| 54 | ((void)LOG(LOG_INFO, LOG_TAG "-jni", __VA_ARGS__)); \ |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 55 | /* |
| 56 | ((void)printf("I/" LOG_TAG "-jni:")); \ |
| 57 | ((void)printf(__VA_ARGS__)); \ |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 58 | ((void)printf("\n")) |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 59 | */ |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 60 | #else |
| 61 | #define JNI_TRACE(...) ((void)0) |
| 62 | #endif |
Brian Carlstrom | 0cbd33d | 2010-11-09 22:01:58 -0800 | [diff] [blame] | 63 | // don't overwhelm logcat |
Brian Carlstrom | 3900e26 | 2010-11-10 10:56:21 -0800 | [diff] [blame^] | 64 | #define WITH_JNI_TRACE_DATA_CHUNK_SIZE 512 |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 65 | |
| 66 | struct BIO_Delete { |
| 67 | void operator()(BIO* p) const { |
| 68 | BIO_free(p); |
| 69 | } |
| 70 | }; |
| 71 | typedef UniquePtr<BIO, BIO_Delete> Unique_BIO; |
| 72 | |
| 73 | struct BIGNUM_Delete { |
| 74 | void operator()(BIGNUM* p) const { |
| 75 | BN_free(p); |
| 76 | } |
| 77 | }; |
| 78 | typedef UniquePtr<BIGNUM, BIGNUM_Delete> Unique_BIGNUM; |
| 79 | |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 80 | struct DH_Delete { |
| 81 | void operator()(DH* p) const { |
| 82 | DH_free(p); |
| 83 | } |
| 84 | }; |
| 85 | typedef UniquePtr<DH, DH_Delete> Unique_DH; |
| 86 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 87 | struct DSA_Delete { |
| 88 | void operator()(DSA* p) const { |
| 89 | DSA_free(p); |
| 90 | } |
| 91 | }; |
| 92 | typedef UniquePtr<DSA, DSA_Delete> Unique_DSA; |
| 93 | |
| 94 | struct EVP_PKEY_Delete { |
| 95 | void operator()(EVP_PKEY* p) const { |
| 96 | EVP_PKEY_free(p); |
| 97 | } |
| 98 | }; |
| 99 | typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY; |
| 100 | |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 101 | struct PKCS8_PRIV_KEY_INFO_Delete { |
| 102 | void operator()(PKCS8_PRIV_KEY_INFO* p) const { |
| 103 | PKCS8_PRIV_KEY_INFO_free(p); |
| 104 | } |
| 105 | }; |
| 106 | typedef UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> Unique_PKCS8_PRIV_KEY_INFO; |
| 107 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 108 | struct RSA_Delete { |
| 109 | void operator()(RSA* p) const { |
| 110 | RSA_free(p); |
| 111 | } |
| 112 | }; |
| 113 | typedef UniquePtr<RSA, RSA_Delete> Unique_RSA; |
| 114 | |
| 115 | struct SSL_Delete { |
| 116 | void operator()(SSL* p) const { |
| 117 | SSL_free(p); |
| 118 | } |
| 119 | }; |
| 120 | typedef UniquePtr<SSL, SSL_Delete> Unique_SSL; |
| 121 | |
| 122 | struct SSL_CTX_Delete { |
| 123 | void operator()(SSL_CTX* p) const { |
| 124 | SSL_CTX_free(p); |
| 125 | } |
| 126 | }; |
| 127 | typedef UniquePtr<SSL_CTX, SSL_CTX_Delete> Unique_SSL_CTX; |
| 128 | |
| 129 | struct X509_Delete { |
| 130 | void operator()(X509* p) const { |
| 131 | X509_free(p); |
| 132 | } |
| 133 | }; |
| 134 | typedef UniquePtr<X509, X509_Delete> Unique_X509; |
| 135 | |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 136 | struct X509_NAME_Delete { |
| 137 | void operator()(X509_NAME* p) const { |
| 138 | X509_NAME_free(p); |
| 139 | } |
| 140 | }; |
| 141 | typedef UniquePtr<X509_NAME, X509_NAME_Delete> Unique_X509_NAME; |
| 142 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 143 | struct sk_SSL_CIPHER_Delete { |
| 144 | void operator()(STACK_OF(SSL_CIPHER)* p) const { |
| 145 | sk_SSL_CIPHER_free(p); |
| 146 | } |
| 147 | }; |
| 148 | typedef UniquePtr<STACK_OF(SSL_CIPHER), sk_SSL_CIPHER_Delete> Unique_sk_SSL_CIPHER; |
| 149 | |
| 150 | struct sk_X509_Delete { |
| 151 | void operator()(STACK_OF(X509)* p) const { |
| 152 | sk_X509_free(p); |
| 153 | } |
| 154 | }; |
| 155 | typedef UniquePtr<STACK_OF(X509), sk_X509_Delete> Unique_sk_X509; |
| 156 | |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 157 | struct sk_X509_NAME_Delete { |
| 158 | void operator()(STACK_OF(X509_NAME)* p) const { |
| 159 | sk_X509_NAME_free(p); |
| 160 | } |
| 161 | }; |
| 162 | typedef UniquePtr<STACK_OF(X509_NAME), sk_X509_NAME_Delete> Unique_sk_X509_NAME; |
| 163 | |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 164 | /** |
| 165 | * Frees the SSL error state. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 166 | * |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 167 | * OpenSSL keeps an "error stack" per thread, and given that this code |
| 168 | * can be called from arbitrary threads that we don't keep track of, |
| 169 | * we err on the side of freeing the error state promptly (instead of, |
| 170 | * say, at thread death). |
| 171 | */ |
| 172 | static void freeSslErrorState(void) { |
| 173 | ERR_clear_error(); |
| 174 | ERR_remove_state(0); |
| 175 | } |
| 176 | |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 177 | /* |
| 178 | * Checks this thread's OpenSSL error queue and throws a RuntimeException if |
| 179 | * necessary. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 180 | * |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 181 | * @return 1 if an exception was thrown, 0 if not. |
| 182 | */ |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 183 | static int throwExceptionIfNecessary(JNIEnv* env, const char* location __attribute__ ((unused))) { |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 184 | int error = ERR_get_error(); |
| 185 | int result = 0; |
| 186 | |
| 187 | if (error != 0) { |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 188 | char message[256]; |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 189 | ERR_error_string_n(error, message, sizeof(message)); |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 190 | JNI_TRACE("OpenSSL error in %s %d: %s", location, error, message); |
Elliott Hughes | da4f31d | 2010-01-28 13:43:39 -0800 | [diff] [blame] | 191 | jniThrowRuntimeException(env, message); |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 192 | result = 1; |
| 193 | } |
| 194 | |
| 195 | freeSslErrorState(); |
| 196 | return result; |
| 197 | } |
| 198 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 199 | /** |
| 200 | * Throws an SocketTimeoutException with the given string as a message. |
| 201 | */ |
| 202 | static void throwSocketTimeoutException(JNIEnv* env, const char* message) { |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 203 | JNI_TRACE("throwSocketTimeoutException %s", message); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 204 | jniThrowException(env, "java/net/SocketTimeoutException", message); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 205 | } |
| 206 | |
| 207 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 208 | * Throws a javax.net.ssl.SSLException with the given string as a message. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 209 | */ |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 210 | static void throwSSLExceptionStr(JNIEnv* env, const char* message) { |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 211 | JNI_TRACE("throwSSLExceptionStr %s", message); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 212 | jniThrowException(env, "javax/net/ssl/SSLException", message); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 213 | } |
| 214 | |
| 215 | /** |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 216 | * Throws a javax.net.ssl.SSLProcotolException with the given string as a message. |
| 217 | */ |
| 218 | static void throwSSLProtocolExceptionStr(JNIEnv* env, const char* message) { |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 219 | JNI_TRACE("throwSSLProtocolExceptionStr %s", message); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 220 | jniThrowException(env, "javax/net/ssl/SSLProtocolException", message); |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 221 | } |
| 222 | |
| 223 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 224 | * Throws an SSLException with a message constructed from the current |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 225 | * SSL errors. This will also log the errors. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 226 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 227 | * @param env the JNI environment |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 228 | * @param ssl the possibly NULL SSL |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 229 | * @param sslErrorCode error code returned from SSL_get_error() or |
| 230 | * SSL_ERROR_NONE to probe with ERR_get_error |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 231 | * @param message null-ok; general error message |
| 232 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 233 | static void throwSSLExceptionWithSslErrors( |
| 234 | JNIEnv* env, SSL* ssl, int sslErrorCode, const char* message) { |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 235 | |
| 236 | if (message == NULL) { |
| 237 | message = "SSL error"; |
| 238 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 239 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 240 | // First consult the SSL error code for the general message. |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 241 | const char* sslErrorStr = NULL; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 242 | switch (sslErrorCode) { |
| 243 | case SSL_ERROR_NONE: |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 244 | if (ERR_peek_error() == 0) { |
| 245 | sslErrorStr = "OK"; |
| 246 | } else { |
| 247 | sslErrorStr = ""; |
| 248 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 249 | break; |
| 250 | case SSL_ERROR_SSL: |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 251 | sslErrorStr = "Failure in SSL library, usually a protocol error"; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 252 | break; |
| 253 | case SSL_ERROR_WANT_READ: |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 254 | sslErrorStr = "SSL_ERROR_WANT_READ occurred. You should never see this."; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 255 | break; |
| 256 | case SSL_ERROR_WANT_WRITE: |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 257 | sslErrorStr = "SSL_ERROR_WANT_WRITE occurred. You should never see this."; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 258 | break; |
| 259 | case SSL_ERROR_WANT_X509_LOOKUP: |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 260 | sslErrorStr = "SSL_ERROR_WANT_X509_LOOKUP occurred. You should never see this."; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 261 | break; |
| 262 | case SSL_ERROR_SYSCALL: |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 263 | sslErrorStr = "I/O error during system call"; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 264 | break; |
| 265 | case SSL_ERROR_ZERO_RETURN: |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 266 | sslErrorStr = "SSL_ERROR_ZERO_RETURN occurred. You should never see this."; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 267 | break; |
| 268 | case SSL_ERROR_WANT_CONNECT: |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 269 | sslErrorStr = "SSL_ERROR_WANT_CONNECT occurred. You should never see this."; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 270 | break; |
| 271 | case SSL_ERROR_WANT_ACCEPT: |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 272 | sslErrorStr = "SSL_ERROR_WANT_ACCEPT occurred. You should never see this."; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 273 | break; |
| 274 | default: |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 275 | sslErrorStr = "Unknown SSL error"; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 276 | } |
| 277 | |
| 278 | // Prepend either our explicit message or a default one. |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 279 | char* str; |
| 280 | if (asprintf(&str, "%s: ssl=%p: %s", message, ssl, sslErrorStr) <= 0) { |
| 281 | // problem with asprintf, just throw argument message, log everything |
| 282 | throwSSLExceptionStr(env, message); |
| 283 | LOGV("%s: ssl=%p: %s", message, ssl, sslErrorStr); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 284 | freeSslErrorState(); |
| 285 | return; |
| 286 | } |
| 287 | |
| 288 | char* allocStr = str; |
| 289 | |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 290 | // For protocol errors, SSL might have more information. |
| 291 | if (sslErrorCode == SSL_ERROR_NONE || sslErrorCode == SSL_ERROR_SSL) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 292 | // Append each error as an additional line to the message. |
| 293 | for (;;) { |
| 294 | char errStr[256]; |
| 295 | const char* file; |
| 296 | int line; |
| 297 | const char* data; |
| 298 | int flags; |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 299 | unsigned long err = ERR_get_error_line_data(&file, &line, &data, &flags); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 300 | if (err == 0) { |
| 301 | break; |
| 302 | } |
| 303 | |
| 304 | ERR_error_string_n(err, errStr, sizeof(errStr)); |
| 305 | |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 306 | int ret = asprintf(&str, "%s\n%s (%s:%d %p:0x%08x)", |
| 307 | (allocStr == NULL) ? "" : allocStr, |
| 308 | errStr, |
| 309 | file, |
| 310 | line, |
| 311 | (flags & ERR_TXT_STRING) ? data : "(no data)", |
| 312 | flags); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 313 | |
| 314 | if (ret < 0) { |
| 315 | break; |
| 316 | } |
| 317 | |
| 318 | free(allocStr); |
| 319 | allocStr = str; |
| 320 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 321 | // For errors during system calls, errno might be our friend. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 322 | } else if (sslErrorCode == SSL_ERROR_SYSCALL) { |
| 323 | if (asprintf(&str, "%s, %s", allocStr, strerror(errno)) >= 0) { |
| 324 | free(allocStr); |
| 325 | allocStr = str; |
| 326 | } |
| 327 | // If the error code is invalid, print it. |
| 328 | } else if (sslErrorCode > SSL_ERROR_WANT_ACCEPT) { |
| 329 | if (asprintf(&str, ", error code is %d", sslErrorCode) >= 0) { |
| 330 | free(allocStr); |
| 331 | allocStr = str; |
| 332 | } |
| 333 | } |
| 334 | |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 335 | if (sslErrorCode == SSL_ERROR_SSL) { |
| 336 | throwSSLProtocolExceptionStr(env, allocStr); |
| 337 | } else { |
| 338 | throwSSLExceptionStr(env, allocStr); |
| 339 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 340 | |
| 341 | LOGV("%s", allocStr); |
| 342 | free(allocStr); |
| 343 | freeSslErrorState(); |
| 344 | } |
| 345 | |
| 346 | /** |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 347 | * Helper function that grabs the casts an ssl pointer and then checks for nullness. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 348 | * If this function returns NULL and <code>throwIfNull</code> is |
| 349 | * passed as <code>true</code>, then this function will call |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 350 | * <code>throwSSLExceptionStr</code> before returning, so in this case of |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 351 | * NULL, a caller of this function should simply return and allow JNI |
| 352 | * to do its thing. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 353 | * |
| 354 | * @param env the JNI environment |
| 355 | * @param ssl_address; the ssl_address pointer as an integer |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 356 | * @param throwIfNull whether to throw if the SSL pointer is NULL |
| 357 | * @returns the pointer, which may be NULL |
| 358 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 359 | static SSL_CTX* to_SSL_CTX(JNIEnv* env, int ssl_ctx_address, bool throwIfNull) { |
| 360 | SSL_CTX* ssl_ctx = reinterpret_cast<SSL_CTX*>(static_cast<uintptr_t>(ssl_ctx_address)); |
| 361 | if ((ssl_ctx == NULL) && throwIfNull) { |
| 362 | JNI_TRACE("ssl_ctx == null"); |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 363 | jniThrowNullPointerException(env, "ssl_ctx == null"); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 364 | } |
| 365 | return ssl_ctx; |
| 366 | } |
| 367 | |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 368 | static SSL* to_SSL(JNIEnv* env, int ssl_address, bool throwIfNull) { |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 369 | SSL* ssl = reinterpret_cast<SSL*>(static_cast<uintptr_t>(ssl_address)); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 370 | if ((ssl == NULL) && throwIfNull) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 371 | JNI_TRACE("ssl == null"); |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 372 | jniThrowNullPointerException(env, "ssl == null"); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 373 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 374 | return ssl; |
| 375 | } |
| 376 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 377 | static SSL_SESSION* to_SSL_SESSION(JNIEnv* env, int ssl_session_address, bool throwIfNull) { |
| 378 | SSL_SESSION* ssl_session |
| 379 | = reinterpret_cast<SSL_SESSION*>(static_cast<uintptr_t>(ssl_session_address)); |
| 380 | if ((ssl_session == NULL) && throwIfNull) { |
| 381 | JNI_TRACE("ssl_session == null"); |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 382 | jniThrowNullPointerException(env, "ssl_session == null"); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 383 | } |
| 384 | return ssl_session; |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 385 | } |
| 386 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 387 | /** |
| 388 | * Converts a Java byte[] to an OpenSSL BIGNUM, allocating the BIGNUM on the |
| 389 | * fly. |
| 390 | */ |
| 391 | static BIGNUM* arrayToBignum(JNIEnv* env, jbyteArray source) { |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 392 | JNI_TRACE("arrayToBignum(%p)", source); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 393 | |
Elliott Hughes | ebca53a | 2010-05-20 20:54:45 -0700 | [diff] [blame] | 394 | ScopedByteArrayRO sourceBytes(env, source); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 395 | if (sourceBytes.get() == NULL) { |
Brian Carlstrom | f62b503 | 2010-09-22 10:25:39 -0700 | [diff] [blame] | 396 | JNI_TRACE("arrayToBignum(%p) => NULL", source); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 397 | return NULL; |
| 398 | } |
Brian Carlstrom | f62b503 | 2010-09-22 10:25:39 -0700 | [diff] [blame] | 399 | BIGNUM* bn = BN_bin2bn(reinterpret_cast<const unsigned char*>(sourceBytes.get()), |
| 400 | sourceBytes.size(), |
| 401 | NULL); |
| 402 | JNI_TRACE("arrayToBignum(%p) => %p", source, bn); |
| 403 | return bn; |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 404 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 405 | |
| 406 | /** |
| 407 | * OpenSSL locking support. Taken from the O'Reilly book by Viega et al., but I |
| 408 | * suppose there are not many other ways to do this on a Linux system (modulo |
| 409 | * isomorphism). |
| 410 | */ |
| 411 | #define MUTEX_TYPE pthread_mutex_t |
| 412 | #define MUTEX_SETUP(x) pthread_mutex_init(&(x), NULL) |
| 413 | #define MUTEX_CLEANUP(x) pthread_mutex_destroy(&(x)) |
| 414 | #define MUTEX_LOCK(x) pthread_mutex_lock(&(x)) |
| 415 | #define MUTEX_UNLOCK(x) pthread_mutex_unlock(&(x)) |
| 416 | #define THREAD_ID pthread_self() |
| 417 | #define THROW_EXCEPTION (-2) |
| 418 | #define THROW_SOCKETTIMEOUTEXCEPTION (-3) |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 419 | #define THROWN_SOCKETEXCEPTION (-4) |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 420 | |
Elliott Hughes | acce5ff | 2010-08-13 16:14:21 -0700 | [diff] [blame] | 421 | static MUTEX_TYPE* mutex_buf = NULL; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 422 | |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 423 | static void locking_function(int mode, int n, const char*, int) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 424 | if (mode & CRYPTO_LOCK) { |
| 425 | MUTEX_LOCK(mutex_buf[n]); |
| 426 | } else { |
| 427 | MUTEX_UNLOCK(mutex_buf[n]); |
| 428 | } |
| 429 | } |
| 430 | |
| 431 | static unsigned long id_function(void) { |
| 432 | return ((unsigned long)THREAD_ID); |
| 433 | } |
| 434 | |
| 435 | int THREAD_setup(void) { |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 436 | mutex_buf = new MUTEX_TYPE[CRYPTO_num_locks()]; |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 437 | if (!mutex_buf) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 438 | return 0; |
| 439 | } |
| 440 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 441 | for (int i = 0; i < CRYPTO_num_locks(); ++i) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 442 | MUTEX_SETUP(mutex_buf[i]); |
| 443 | } |
| 444 | |
| 445 | CRYPTO_set_id_callback(id_function); |
| 446 | CRYPTO_set_locking_callback(locking_function); |
| 447 | |
| 448 | return 1; |
| 449 | } |
| 450 | |
| 451 | int THREAD_cleanup(void) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 452 | if (!mutex_buf) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 453 | return 0; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 454 | } |
| 455 | |
| 456 | CRYPTO_set_id_callback(NULL); |
| 457 | CRYPTO_set_locking_callback(NULL); |
| 458 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 459 | for (int i = 0; i < CRYPTO_num_locks( ); i++) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 460 | MUTEX_CLEANUP(mutex_buf[i]); |
| 461 | } |
| 462 | |
| 463 | free(mutex_buf); |
| 464 | mutex_buf = NULL; |
| 465 | |
| 466 | return 1; |
| 467 | } |
| 468 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 469 | /** |
| 470 | * Initialization phase for every OpenSSL job: Loads the Error strings, the |
| 471 | * crypto algorithms and reset the OpenSSL library |
| 472 | */ |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 473 | static void NativeCrypto_clinit(JNIEnv*, jclass) |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 474 | { |
| 475 | SSL_load_error_strings(); |
| 476 | ERR_load_crypto_strings(); |
| 477 | SSL_library_init(); |
| 478 | OpenSSL_add_all_algorithms(); |
| 479 | THREAD_setup(); |
| 480 | } |
| 481 | |
| 482 | /** |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 483 | * public static native int EVP_PKEY_new_DSA(byte[] p, byte[] q, byte[] g, |
| 484 | * byte[] pub_key, byte[] priv_key); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 485 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 486 | static EVP_PKEY* NativeCrypto_EVP_PKEY_new_DSA(JNIEnv* env, jclass, |
| 487 | jbyteArray p, jbyteArray q, jbyteArray g, |
| 488 | jbyteArray pub_key, jbyteArray priv_key) { |
Brian Carlstrom | f62b503 | 2010-09-22 10:25:39 -0700 | [diff] [blame] | 489 | JNI_TRACE("EVP_PKEY_new_DSA(p=%p, q=%p, g=%p, pub_key=%p, priv_key=%p)", |
| 490 | p, q, g, pub_key, priv_key); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 491 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 492 | Unique_DSA dsa(DSA_new()); |
| 493 | if (dsa.get() == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 494 | jniThrowRuntimeException(env, "DSA_new failed"); |
| 495 | return NULL; |
| 496 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 497 | |
| 498 | dsa->p = arrayToBignum(env, p); |
| 499 | dsa->q = arrayToBignum(env, q); |
| 500 | dsa->g = arrayToBignum(env, g); |
| 501 | dsa->pub_key = arrayToBignum(env, pub_key); |
| 502 | |
| 503 | if (priv_key != NULL) { |
| 504 | dsa->priv_key = arrayToBignum(env, priv_key); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 505 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 506 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 507 | if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL || dsa->pub_key == NULL) { |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 508 | jniThrowRuntimeException(env, "Unable to convert BigInteger to BIGNUM"); |
| 509 | return NULL; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 510 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 511 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 512 | Unique_EVP_PKEY pkey(EVP_PKEY_new()); |
| 513 | if (pkey.get() == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 514 | jniThrowRuntimeException(env, "EVP_PKEY_new failed"); |
| 515 | return NULL; |
| 516 | } |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 517 | if (EVP_PKEY_assign_DSA(pkey.get(), dsa.get()) != 1) { |
| 518 | jniThrowRuntimeException(env, "EVP_PKEY_assign_DSA failed"); |
| 519 | return NULL; |
| 520 | } |
| 521 | dsa.release(); |
Brian Carlstrom | f62b503 | 2010-09-22 10:25:39 -0700 | [diff] [blame] | 522 | JNI_TRACE("EVP_PKEY_new_DSA(p=%p, q=%p, g=%p, pub_key=%p, priv_key=%p) => %p", |
| 523 | p, q, g, pub_key, priv_key, pkey.get()); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 524 | return pkey.release(); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 525 | } |
| 526 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 527 | /** |
| 528 | * private static native int EVP_PKEY_new_RSA(byte[] n, byte[] e, byte[] d, byte[] p, byte[] q); |
| 529 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 530 | static EVP_PKEY* NativeCrypto_EVP_PKEY_new_RSA(JNIEnv* env, jclass, |
| 531 | jbyteArray n, jbyteArray e, jbyteArray d, |
| 532 | jbyteArray p, jbyteArray q) { |
Brian Carlstrom | f62b503 | 2010-09-22 10:25:39 -0700 | [diff] [blame] | 533 | JNI_TRACE("EVP_PKEY_new_RSA(n=%p, e=%p, d=%p, p=%p, q=%p)", n, e, d, p, q); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 534 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 535 | Unique_RSA rsa(RSA_new()); |
| 536 | if (rsa.get() == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 537 | jniThrowRuntimeException(env, "RSA_new failed"); |
| 538 | return NULL; |
| 539 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 540 | |
| 541 | rsa->n = arrayToBignum(env, n); |
| 542 | rsa->e = arrayToBignum(env, e); |
| 543 | |
| 544 | if (d != NULL) { |
| 545 | rsa->d = arrayToBignum(env, d); |
| 546 | } |
| 547 | |
| 548 | if (p != NULL) { |
| 549 | rsa->p = arrayToBignum(env, p); |
| 550 | } |
| 551 | |
| 552 | if (q != NULL) { |
| 553 | rsa->q = arrayToBignum(env, q); |
| 554 | } |
| 555 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 556 | #ifdef WITH_JNI_TRACE |
Brian Carlstrom | f62b503 | 2010-09-22 10:25:39 -0700 | [diff] [blame] | 557 | if (p != NULL && q != NULL) { |
| 558 | int check = RSA_check_key(rsa.get()); |
| 559 | JNI_TRACE("EVP_PKEY_new_RSA(...) RSA_check_key returns %d", check); |
| 560 | } |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 561 | #endif |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 562 | |
| 563 | if (rsa->n == NULL || rsa->e == NULL) { |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 564 | jniThrowRuntimeException(env, "Unable to convert BigInteger to BIGNUM"); |
| 565 | return NULL; |
| 566 | } |
| 567 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 568 | Unique_EVP_PKEY pkey(EVP_PKEY_new()); |
| 569 | if (pkey.get() == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 570 | jniThrowRuntimeException(env, "EVP_PKEY_new failed"); |
| 571 | return NULL; |
| 572 | } |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 573 | if (EVP_PKEY_assign_RSA(pkey.get(), rsa.get()) != 1) { |
| 574 | jniThrowRuntimeException(env, "EVP_PKEY_new failed"); |
| 575 | return NULL; |
| 576 | } |
| 577 | rsa.release(); |
Brian Carlstrom | f62b503 | 2010-09-22 10:25:39 -0700 | [diff] [blame] | 578 | JNI_TRACE("EVP_PKEY_new_RSA(n=%p, e=%p, d=%p, p=%p, q=%p) => %p", n, e, d, p, q, pkey.get()); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 579 | return pkey.release(); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 580 | } |
| 581 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 582 | /** |
| 583 | * private static native void EVP_PKEY_free(int pkey); |
| 584 | */ |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 585 | static void NativeCrypto_EVP_PKEY_free(JNIEnv*, jclass, EVP_PKEY* pkey) { |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 586 | JNI_TRACE("EVP_PKEY_free(%p)", pkey); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 587 | |
| 588 | if (pkey != NULL) { |
| 589 | EVP_PKEY_free(pkey); |
| 590 | } |
| 591 | } |
| 592 | |
| 593 | /* |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 594 | * public static native int EVP_MD_CTX_create() |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 595 | */ |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 596 | static jint NativeCrypto_EVP_MD_CTX_create(JNIEnv* env, jclass) { |
| 597 | JNI_TRACE("NativeCrypto_EVP_MD_CTX_create"); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 598 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 599 | EVP_MD_CTX* ctx = EVP_MD_CTX_create(); |
| 600 | if (ctx == NULL) { |
| 601 | jniThrowOutOfMemoryError(env, "Unable to allocate EVP_MD_CTX"); |
| 602 | } |
| 603 | JNI_TRACE("NativeCrypto_EVP_MD_CTX_create => %p", ctx); |
| 604 | return (jint) ctx; |
| 605 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 606 | } |
| 607 | |
| 608 | /* |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 609 | * public static native void EVP_MD_CTX_destroy(int) |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 610 | */ |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 611 | static void NativeCrypto_EVP_MD_CTX_destroy(JNIEnv*, jclass, EVP_MD_CTX* ctx) { |
| 612 | JNI_TRACE("NativeCrypto_EVP_MD_CTX_destroy(%p)", ctx); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 613 | |
| 614 | if (ctx != NULL) { |
| 615 | EVP_MD_CTX_destroy(ctx); |
| 616 | } |
| 617 | } |
| 618 | |
| 619 | /* |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 620 | * public static native int EVP_MD_CTX_copy(int) |
| 621 | */ |
| 622 | static jint NativeCrypto_EVP_MD_CTX_copy(JNIEnv* env, jclass, EVP_MD_CTX* ctx) { |
| 623 | JNI_TRACE("NativeCrypto_EVP_MD_CTX_copy(%p)", ctx); |
| 624 | |
| 625 | if (ctx == NULL) { |
| 626 | jniThrowNullPointerException(env, NULL); |
| 627 | return NULL; |
| 628 | } |
| 629 | EVP_MD_CTX* copy = EVP_MD_CTX_create(); |
| 630 | if (copy == NULL) { |
| 631 | jniThrowOutOfMemoryError(env, "Unable to allocate copy of EVP_MD_CTX"); |
| 632 | return NULL; |
| 633 | } |
| 634 | EVP_MD_CTX_init(copy); |
| 635 | int result = EVP_MD_CTX_copy_ex(copy, ctx); |
| 636 | if (result == 0) { |
| 637 | EVP_MD_CTX_destroy(copy); |
| 638 | jniThrowRuntimeException(env, "Unable to copy EVP_MD_CTX"); |
| 639 | return NULL; |
| 640 | } |
| 641 | JNI_TRACE("NativeCrypto_EVP_MD_CTX_copy(%p) => %p", ctx, copy); |
| 642 | return (jint) copy; |
| 643 | } |
| 644 | |
| 645 | /* |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 646 | * public static native int EVP_DigestFinal(int, byte[], int) |
| 647 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 648 | static jint NativeCrypto_EVP_DigestFinal(JNIEnv* env, jclass, EVP_MD_CTX* ctx, |
| 649 | jbyteArray hash, jint offset) { |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 650 | JNI_TRACE("NativeCrypto_EVP_DigestFinal(%p, %p, %d)", ctx, hash, offset); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 651 | |
| 652 | if (ctx == NULL || hash == NULL) { |
| 653 | jniThrowNullPointerException(env, NULL); |
| 654 | return -1; |
| 655 | } |
| 656 | |
| 657 | int result = -1; |
| 658 | |
Elliott Hughes | ebca53a | 2010-05-20 20:54:45 -0700 | [diff] [blame] | 659 | ScopedByteArrayRW hashBytes(env, hash); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 660 | if (hashBytes.get() == NULL) { |
| 661 | return -1; |
| 662 | } |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 663 | EVP_DigestFinal(ctx, |
| 664 | reinterpret_cast<unsigned char*>(hashBytes.get() + offset), |
| 665 | reinterpret_cast<unsigned int*>(&result)); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 666 | |
Brian Carlstrom | 02d23a6 | 2010-05-04 22:44:46 -0700 | [diff] [blame] | 667 | throwExceptionIfNecessary(env, "NativeCrypto_EVP_DigestFinal"); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 668 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 669 | JNI_TRACE("NativeCrypto_EVP_DigestFinal(%p, %p, %d) => %d", ctx, hash, offset, result); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 670 | return result; |
| 671 | } |
| 672 | |
| 673 | /* |
| 674 | * public static native void EVP_DigestInit(int, java.lang.String) |
| 675 | */ |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 676 | static void NativeCrypto_EVP_DigestInit(JNIEnv* env, jclass, EVP_MD_CTX* ctx, jstring algorithm) { |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 677 | JNI_TRACE("NativeCrypto_EVP_DigestInit(%p, %p)", ctx, algorithm); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 678 | |
| 679 | if (ctx == NULL || algorithm == NULL) { |
| 680 | jniThrowNullPointerException(env, NULL); |
| 681 | return; |
| 682 | } |
| 683 | |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 684 | ScopedUtfChars algorithmChars(env, algorithm); |
Elliott Hughes | 0596087 | 2010-05-26 17:45:07 -0700 | [diff] [blame] | 685 | if (algorithmChars.c_str() == NULL) { |
| 686 | return; |
| 687 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 688 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 689 | JNI_TRACE("NativeCrypto_EVP_DigestInit(%p, %s)", ctx, algorithmChars.c_str()); |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 690 | const EVP_MD* digest = EVP_get_digestbynid(OBJ_txt2nid(algorithmChars.c_str())); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 691 | |
| 692 | if (digest == NULL) { |
| 693 | jniThrowRuntimeException(env, "Hash algorithm not found"); |
| 694 | return; |
| 695 | } |
| 696 | |
| 697 | EVP_DigestInit(ctx, digest); |
| 698 | |
Brian Carlstrom | 02d23a6 | 2010-05-04 22:44:46 -0700 | [diff] [blame] | 699 | throwExceptionIfNecessary(env, "NativeCrypto_EVP_DigestInit"); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 700 | } |
| 701 | |
| 702 | /* |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 703 | * public static native int EVP_MD_CTX_size(int) |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 704 | */ |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 705 | static jint NativeCrypto_EVP_MD_CTX_size(JNIEnv* env, jclass, EVP_MD_CTX* ctx) { |
| 706 | JNI_TRACE("NativeCrypto_EVP_MD_CTX_size(%p)", ctx); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 707 | |
| 708 | if (ctx == NULL) { |
| 709 | jniThrowNullPointerException(env, NULL); |
| 710 | return -1; |
| 711 | } |
| 712 | |
| 713 | int result = EVP_MD_CTX_size(ctx); |
| 714 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 715 | throwExceptionIfNecessary(env, "NativeCrypto_EVP_MD_CTX_size"); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 716 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 717 | JNI_TRACE("NativeCrypto_EVP_MD_CTX_size(%p) => %d", ctx, result); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 718 | return result; |
| 719 | } |
| 720 | |
| 721 | /* |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 722 | * public static int void EVP_MD_CTX_block_size(int) |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 723 | */ |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 724 | static jint NativeCrypto_EVP_MD_CTX_block_size(JNIEnv* env, jclass, EVP_MD_CTX* ctx) { |
| 725 | JNI_TRACE("NativeCrypto_EVP_MD_CTX_block_size(%p)", ctx); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 726 | |
| 727 | if (ctx == NULL) { |
| 728 | jniThrowNullPointerException(env, NULL); |
| 729 | return -1; |
| 730 | } |
| 731 | |
| 732 | int result = EVP_MD_CTX_block_size(ctx); |
| 733 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 734 | throwExceptionIfNecessary(env, "NativeCrypto_EVP_MD_CTX_block_size"); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 735 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 736 | JNI_TRACE("NativeCrypto_EVP_MD_CTX_block_size(%p) => %d", ctx, result); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 737 | return result; |
| 738 | } |
| 739 | |
| 740 | /* |
| 741 | * public static native void EVP_DigestUpdate(int, byte[], int, int) |
| 742 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 743 | static void NativeCrypto_EVP_DigestUpdate(JNIEnv* env, jclass, EVP_MD_CTX* ctx, |
| 744 | jbyteArray buffer, jint offset, jint length) { |
Brian Carlstrom | 760b683 | 2010-09-17 02:59:55 -0700 | [diff] [blame] | 745 | JNI_TRACE("NativeCrypto_EVP_DigestUpdate(%p, %p, %d, %d)", ctx, buffer, offset, length); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 746 | |
Brian Carlstrom | 44e4b13 | 2010-09-15 00:28:06 -0700 | [diff] [blame] | 747 | if (offset < 0 || length < 0) { |
| 748 | jniThrowException(env, "java/lang/IndexOutOfBoundsException", NULL); |
| 749 | return; |
| 750 | } |
| 751 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 752 | if (ctx == NULL || buffer == NULL) { |
| 753 | jniThrowNullPointerException(env, NULL); |
| 754 | return; |
| 755 | } |
| 756 | |
Elliott Hughes | ebca53a | 2010-05-20 20:54:45 -0700 | [diff] [blame] | 757 | ScopedByteArrayRO bufferBytes(env, buffer); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 758 | if (bufferBytes.get() == NULL) { |
| 759 | return; |
| 760 | } |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 761 | EVP_DigestUpdate(ctx, |
| 762 | reinterpret_cast<const unsigned char*>(bufferBytes.get() + offset), |
| 763 | length); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 764 | |
Brian Carlstrom | 02d23a6 | 2010-05-04 22:44:46 -0700 | [diff] [blame] | 765 | throwExceptionIfNecessary(env, "NativeCrypto_EVP_DigestUpdate"); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 766 | } |
| 767 | |
| 768 | /* |
| 769 | * public static native void EVP_VerifyInit(int, java.lang.String) |
| 770 | */ |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 771 | static void NativeCrypto_EVP_VerifyInit(JNIEnv* env, jclass, EVP_MD_CTX* ctx, jstring algorithm) { |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 772 | JNI_TRACE("NativeCrypto_EVP_VerifyInit(%p, %p)", ctx, algorithm); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 773 | |
| 774 | if (ctx == NULL || algorithm == NULL) { |
| 775 | jniThrowNullPointerException(env, NULL); |
| 776 | return; |
| 777 | } |
| 778 | |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 779 | ScopedUtfChars algorithmChars(env, algorithm); |
Elliott Hughes | 0596087 | 2010-05-26 17:45:07 -0700 | [diff] [blame] | 780 | if (algorithmChars.c_str() == NULL) { |
| 781 | return; |
| 782 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 783 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 784 | JNI_TRACE("NativeCrypto_EVP_VerifyInit(%p, %s)", ctx, algorithmChars.c_str()); |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 785 | const EVP_MD* digest = EVP_get_digestbynid(OBJ_txt2nid(algorithmChars.c_str())); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 786 | |
| 787 | if (digest == NULL) { |
| 788 | jniThrowRuntimeException(env, "Hash algorithm not found"); |
| 789 | return; |
| 790 | } |
| 791 | |
| 792 | EVP_VerifyInit(ctx, digest); |
| 793 | |
Brian Carlstrom | 02d23a6 | 2010-05-04 22:44:46 -0700 | [diff] [blame] | 794 | throwExceptionIfNecessary(env, "NativeCrypto_EVP_VerifyInit"); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 795 | } |
| 796 | |
| 797 | /* |
| 798 | * public static native void EVP_VerifyUpdate(int, byte[], int, int) |
| 799 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 800 | static void NativeCrypto_EVP_VerifyUpdate(JNIEnv* env, jclass, EVP_MD_CTX* ctx, |
| 801 | jbyteArray buffer, jint offset, jint length) { |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 802 | JNI_TRACE("NativeCrypto_EVP_VerifyUpdate(%p, %p, %d, %d)", ctx, buffer, offset, length); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 803 | |
| 804 | if (ctx == NULL || buffer == NULL) { |
| 805 | jniThrowNullPointerException(env, NULL); |
| 806 | return; |
| 807 | } |
| 808 | |
Elliott Hughes | ebca53a | 2010-05-20 20:54:45 -0700 | [diff] [blame] | 809 | ScopedByteArrayRO bufferBytes(env, buffer); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 810 | if (bufferBytes.get() == NULL) { |
| 811 | return; |
| 812 | } |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 813 | EVP_VerifyUpdate(ctx, |
| 814 | reinterpret_cast<const unsigned char*>(bufferBytes.get() + offset), |
| 815 | length); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 816 | |
Brian Carlstrom | 02d23a6 | 2010-05-04 22:44:46 -0700 | [diff] [blame] | 817 | throwExceptionIfNecessary(env, "NativeCrypto_EVP_VerifyUpdate"); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 818 | } |
| 819 | |
| 820 | /* |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 821 | * public static native int EVP_VerifyFinal(int, byte[], int, int, int) |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 822 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 823 | static int NativeCrypto_EVP_VerifyFinal(JNIEnv* env, jclass, EVP_MD_CTX* ctx, jbyteArray buffer, |
| 824 | jint offset, jint length, EVP_PKEY* pkey) { |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 825 | JNI_TRACE("NativeCrypto_EVP_VerifyFinal(%p, %p, %d, %d, %p)", |
| 826 | ctx, buffer, offset, length, pkey); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 827 | |
| 828 | if (ctx == NULL || buffer == NULL || pkey == NULL) { |
| 829 | jniThrowNullPointerException(env, NULL); |
| 830 | return -1; |
| 831 | } |
| 832 | |
Elliott Hughes | ebca53a | 2010-05-20 20:54:45 -0700 | [diff] [blame] | 833 | ScopedByteArrayRO bufferBytes(env, buffer); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 834 | if (bufferBytes.get() == NULL) { |
| 835 | return -1; |
| 836 | } |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 837 | int result = EVP_VerifyFinal(ctx, |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 838 | reinterpret_cast<const unsigned char*>(bufferBytes.get() + offset), |
| 839 | length, |
| 840 | pkey); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 841 | |
Brian Carlstrom | 02d23a6 | 2010-05-04 22:44:46 -0700 | [diff] [blame] | 842 | throwExceptionIfNecessary(env, "NativeCrypto_EVP_VerifyFinal"); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 843 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 844 | JNI_TRACE("NativeCrypto_EVP_VerifyFinal(%p, %p, %d, %d, %p) => %d", |
| 845 | ctx, buffer, offset, length, pkey, result); |
| 846 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 847 | return result; |
| 848 | } |
| 849 | |
| 850 | /** |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 851 | * Helper function that creates an RSA public key from two buffers containing |
| 852 | * the big-endian bit representation of the modulus and the public exponent. |
| 853 | * |
| 854 | * @param mod The data of the modulus |
| 855 | * @param modLen The length of the modulus data |
| 856 | * @param exp The data of the exponent |
| 857 | * @param expLen The length of the exponent data |
| 858 | * |
| 859 | * @return A pointer to the new RSA structure, or NULL on error |
| 860 | */ |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 861 | static RSA* rsaCreateKey(const jbyte* mod, int modLen, const jbyte* exp, int expLen) { |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 862 | JNI_TRACE("rsaCreateKey(..., %d, ..., %d)", modLen, expLen); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 863 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 864 | Unique_RSA rsa(RSA_new()); |
| 865 | if (rsa.get() == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 866 | return NULL; |
| 867 | } |
| 868 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 869 | rsa->n = BN_bin2bn(reinterpret_cast<const unsigned char*>(mod), modLen, NULL); |
| 870 | rsa->e = BN_bin2bn(reinterpret_cast<const unsigned char*>(exp), expLen, NULL); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 871 | |
| 872 | if (rsa->n == NULL || rsa->e == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 873 | return NULL; |
| 874 | } |
| 875 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 876 | JNI_TRACE("rsaCreateKey(..., %d, ..., %d) => %p", modLen, expLen, rsa.get()); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 877 | return rsa.release(); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 878 | } |
| 879 | |
| 880 | /** |
| 881 | * Helper function that verifies a given RSA signature for a given message. |
| 882 | * |
| 883 | * @param msg The message to verify |
| 884 | * @param msgLen The length of the message |
| 885 | * @param sig The signature to verify |
| 886 | * @param sigLen The length of the signature |
| 887 | * @param algorithm The name of the hash/sign algorithm to use, e.g. "RSA-SHA1" |
| 888 | * @param rsa The RSA public key to use |
| 889 | * |
| 890 | * @return 1 on success, 0 on failure, -1 on error (check SSL errors then) |
| 891 | * |
| 892 | */ |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 893 | static int rsaVerify(const jbyte* msg, unsigned int msgLen, const jbyte* sig, |
| 894 | unsigned int sigLen, const char* algorithm, RSA* rsa) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 895 | |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 896 | JNI_TRACE("rsaVerify(%p, %d, %p, %d, %s, %p)", |
| 897 | msg, msgLen, sig, sigLen, algorithm, rsa); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 898 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 899 | Unique_EVP_PKEY pkey(EVP_PKEY_new()); |
| 900 | if (pkey.get() == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 901 | return -1; |
| 902 | } |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 903 | EVP_PKEY_set1_RSA(pkey.get(), rsa); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 904 | |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 905 | const EVP_MD* type = EVP_get_digestbyname(algorithm); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 906 | if (type == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 907 | return -1; |
| 908 | } |
| 909 | |
| 910 | EVP_MD_CTX ctx; |
| 911 | EVP_MD_CTX_init(&ctx); |
| 912 | if (EVP_VerifyInit_ex(&ctx, type, NULL) == 0) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 913 | return -1; |
| 914 | } |
| 915 | |
| 916 | EVP_VerifyUpdate(&ctx, msg, msgLen); |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 917 | int result = EVP_VerifyFinal(&ctx, reinterpret_cast<const unsigned char*>(sig), sigLen, |
| 918 | pkey.get()); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 919 | EVP_MD_CTX_cleanup(&ctx); |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 920 | |
| 921 | JNI_TRACE("rsaVerify(%p, %d, %p, %d, %s, %p) => %d", |
| 922 | msg, msgLen, sig, sigLen, algorithm, rsa, result); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 923 | return result; |
| 924 | } |
| 925 | |
| 926 | /** |
| 927 | * Verifies an RSA signature. |
| 928 | */ |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 929 | static int NativeCrypto_verifySignature(JNIEnv* env, jclass, |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 930 | jbyteArray msg, jbyteArray sig, jstring algorithm, jbyteArray mod, jbyteArray exp) { |
| 931 | |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 932 | JNI_TRACE("NativeCrypto_verifySignature msg=%p sig=%p algorithm=%p mod=%p exp%p", |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 933 | msg, sig, algorithm, mod, exp); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 934 | |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 935 | ScopedByteArrayRO msgBytes(env, msg); |
| 936 | if (msgBytes.get() == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 937 | return -1; |
| 938 | } |
Elliott Hughes | ebca53a | 2010-05-20 20:54:45 -0700 | [diff] [blame] | 939 | ScopedByteArrayRO sigBytes(env, sig); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 940 | if (sigBytes.get() == NULL) { |
| 941 | return -1; |
| 942 | } |
Elliott Hughes | ebca53a | 2010-05-20 20:54:45 -0700 | [diff] [blame] | 943 | ScopedByteArrayRO modBytes(env, mod); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 944 | if (modBytes.get() == NULL) { |
| 945 | return -1; |
| 946 | } |
Elliott Hughes | ebca53a | 2010-05-20 20:54:45 -0700 | [diff] [blame] | 947 | ScopedByteArrayRO expBytes(env, exp); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 948 | if (expBytes.get() == NULL) { |
| 949 | return -1; |
| 950 | } |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 951 | |
| 952 | ScopedUtfChars algorithmChars(env, algorithm); |
Elliott Hughes | 0596087 | 2010-05-26 17:45:07 -0700 | [diff] [blame] | 953 | if (algorithmChars.c_str() == NULL) { |
| 954 | return -1; |
| 955 | } |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 956 | JNI_TRACE("NativeCrypto_verifySignature algorithmChars=%s", algorithmChars.c_str()); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 957 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 958 | Unique_RSA rsa(rsaCreateKey(modBytes.get(), modBytes.size(), expBytes.get(), expBytes.size())); |
Elliott Hughes | 0596087 | 2010-05-26 17:45:07 -0700 | [diff] [blame] | 959 | int result = -1; |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 960 | if (rsa.get() != NULL) { |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 961 | result = rsaVerify(msgBytes.get(), msgBytes.size(), sigBytes.get(), sigBytes.size(), |
| 962 | algorithmChars.c_str(), rsa.get()); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 963 | } |
| 964 | |
| 965 | if (result == -1) { |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 966 | if (!throwExceptionIfNecessary(env, "NativeCrypto_verifySignature")) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 967 | jniThrowRuntimeException(env, "Internal error during verification"); |
| 968 | } |
| 969 | } |
| 970 | |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 971 | JNI_TRACE("NativeCrypto_verifySignature => %d", result); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 972 | return result; |
| 973 | } |
| 974 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 975 | static void NativeCrypto_RAND_seed(JNIEnv* env, jclass, jbyteArray seed) { |
| 976 | JNI_TRACE("NativeCrypto_RAND_seed seed=%p", seed); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 977 | ScopedByteArrayRO randseed(env, seed); |
| 978 | if (randseed.get() == NULL) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 979 | return; |
| 980 | } |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 981 | RAND_seed(randseed.get(), randseed.size()); |
| 982 | } |
| 983 | |
| 984 | static int NativeCrypto_RAND_load_file(JNIEnv* env, jclass, jstring filename, jlong max_bytes) { |
| 985 | JNI_TRACE("NativeCrypto_RAND_load_file filename=%p max_bytes=%lld", filename, max_bytes); |
Elliott Hughes | 0596087 | 2010-05-26 17:45:07 -0700 | [diff] [blame] | 986 | ScopedUtfChars file(env, filename); |
| 987 | if (file.c_str() == NULL) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 988 | return -1; |
| 989 | } |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 990 | int result = RAND_load_file(file.c_str(), max_bytes); |
| 991 | JNI_TRACE("NativeCrypto_RAND_load_file file=%s => %d", file.c_str(), result); |
| 992 | return result; |
| 993 | } |
| 994 | |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 995 | #ifdef WITH_JNI_TRACE |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 996 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 997 | * Based on example logging call back from SSL_CTX_set_info_callback man page |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 998 | */ |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 999 | static void info_callback_LOG(const SSL* s __attribute__ ((unused)), int where, int ret) |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1000 | { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1001 | int w = where & ~SSL_ST_MASK; |
| 1002 | const char* str; |
| 1003 | if (w & SSL_ST_CONNECT) { |
| 1004 | str = "SSL_connect"; |
| 1005 | } else if (w & SSL_ST_ACCEPT) { |
| 1006 | str = "SSL_accept"; |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1007 | } else { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1008 | str = "undefined"; |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1009 | } |
| 1010 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1011 | if (where & SSL_CB_LOOP) { |
| 1012 | JNI_TRACE("ssl=%p %s:%s %s", s, str, SSL_state_string(s), SSL_state_string_long(s)); |
| 1013 | } else if (where & SSL_CB_ALERT) { |
| 1014 | str = (where & SSL_CB_READ) ? "read" : "write"; |
| 1015 | JNI_TRACE("ssl=%p SSL3 alert %s:%s:%s %s %s", |
| 1016 | s, |
| 1017 | str, |
| 1018 | SSL_alert_type_string(ret), |
| 1019 | SSL_alert_desc_string(ret), |
| 1020 | SSL_alert_type_string_long(ret), |
| 1021 | SSL_alert_desc_string_long(ret)); |
| 1022 | } else if (where & SSL_CB_EXIT) { |
| 1023 | if (ret == 0) { |
| 1024 | JNI_TRACE("ssl=%p %s:failed exit in %s %s", |
| 1025 | s, str, SSL_state_string(s), SSL_state_string_long(s)); |
| 1026 | } else if (ret < 0) { |
| 1027 | JNI_TRACE("ssl=%p %s:error exit in %s %s", |
| 1028 | s, str, SSL_state_string(s), SSL_state_string_long(s)); |
| 1029 | } else if (ret == 1) { |
| 1030 | JNI_TRACE("ssl=%p %s:ok exit in %s %s", |
| 1031 | s, str, SSL_state_string(s), SSL_state_string_long(s)); |
| 1032 | } else { |
| 1033 | JNI_TRACE("ssl=%p %s:unknown exit %d in %s %s", |
| 1034 | s, str, ret, SSL_state_string(s), SSL_state_string_long(s)); |
| 1035 | } |
| 1036 | } else if (where & SSL_CB_HANDSHAKE_START) { |
| 1037 | JNI_TRACE("ssl=%p handshake start in %s %s", |
| 1038 | s, SSL_state_string(s), SSL_state_string_long(s)); |
| 1039 | } else if (where & SSL_CB_HANDSHAKE_DONE) { |
| 1040 | JNI_TRACE("ssl=%p handshake done in %s %s", |
| 1041 | s, SSL_state_string(s), SSL_state_string_long(s)); |
| 1042 | } else { |
| 1043 | JNI_TRACE("ssl=%p %s:unknown where %d in %s %s", |
| 1044 | s, str, where, SSL_state_string(s), SSL_state_string_long(s)); |
| 1045 | } |
| 1046 | } |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 1047 | #endif |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1048 | |
| 1049 | /** |
| 1050 | * Returns an array containing all the X509 certificate's bytes. |
| 1051 | */ |
Elliott Hughes | a9f5c16 | 2010-06-16 16:32:18 -0700 | [diff] [blame] | 1052 | static jobjectArray getCertificateBytes(JNIEnv* env, const STACK_OF(X509)* chain) |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1053 | { |
| 1054 | if (chain == NULL) { |
| 1055 | // Chain can be NULL if the associated cipher doesn't do certs. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1056 | return NULL; |
| 1057 | } |
| 1058 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1059 | int count = sk_X509_num(chain); |
| 1060 | if (count <= 0) { |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 1061 | return NULL; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1062 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1063 | |
Elliott Hughes | a9f5c16 | 2010-06-16 16:32:18 -0700 | [diff] [blame] | 1064 | jobjectArray joa = env->NewObjectArray(count, JniConstants::byteArrayClass, NULL); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1065 | if (joa == NULL) { |
| 1066 | return NULL; |
| 1067 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1068 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1069 | for (int i = 0; i < count; i++) { |
| 1070 | X509* cert = sk_X509_value(chain, i); |
| 1071 | |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 1072 | int len = i2d_X509(cert, NULL); |
| 1073 | if (len < 0) { |
| 1074 | return NULL; |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1075 | } |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 1076 | ScopedLocalRef<jbyteArray> byteArray(env, env->NewByteArray(len)); |
| 1077 | if (byteArray.get() == NULL) { |
| 1078 | return NULL; |
| 1079 | } |
| 1080 | ScopedByteArrayRW bytes(env, byteArray.get()); |
| 1081 | if (bytes.get() == NULL) { |
| 1082 | return NULL; |
| 1083 | } |
| 1084 | unsigned char* p = reinterpret_cast<unsigned char*>(bytes.get()); |
| 1085 | int n = i2d_X509(cert, &p); |
| 1086 | if (n < 0) { |
| 1087 | return NULL; |
| 1088 | } |
| 1089 | env->SetObjectArrayElement(joa, i, byteArray.get()); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1090 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1091 | |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 1092 | return joa; |
| 1093 | } |
| 1094 | |
| 1095 | /** |
| 1096 | * Returns an array containing all the X500 principal's bytes. |
| 1097 | */ |
| 1098 | static jobjectArray getPrincipalBytes(JNIEnv* env, const STACK_OF(X509_NAME)* names) |
| 1099 | { |
| 1100 | if (names == NULL) { |
| 1101 | return NULL; |
| 1102 | } |
| 1103 | |
| 1104 | int count = sk_X509_NAME_num(names); |
| 1105 | if (count <= 0) { |
| 1106 | return NULL; |
| 1107 | } |
| 1108 | |
| 1109 | jobjectArray joa = env->NewObjectArray(count, JniConstants::byteArrayClass, NULL); |
| 1110 | if (joa == NULL) { |
| 1111 | return NULL; |
| 1112 | } |
| 1113 | |
| 1114 | for (int i = 0; i < count; i++) { |
| 1115 | X509_NAME* principal = sk_X509_NAME_value(names, i); |
| 1116 | |
| 1117 | int len = i2d_X509_NAME(principal, NULL); |
| 1118 | if (len < 0) { |
| 1119 | return NULL; |
| 1120 | } |
| 1121 | ScopedLocalRef<jbyteArray> byteArray(env, env->NewByteArray(len)); |
| 1122 | if (byteArray.get() == NULL) { |
| 1123 | return NULL; |
| 1124 | } |
| 1125 | ScopedByteArrayRW bytes(env, byteArray.get()); |
| 1126 | if (bytes.get() == NULL) { |
| 1127 | return NULL; |
| 1128 | } |
| 1129 | unsigned char* p = reinterpret_cast<unsigned char*>(bytes.get()); |
| 1130 | int n = i2d_X509_NAME(principal, &p); |
| 1131 | if (n < 0) { |
| 1132 | return NULL; |
| 1133 | } |
| 1134 | env->SetObjectArrayElement(joa, i, byteArray.get()); |
| 1135 | } |
| 1136 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1137 | return joa; |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1138 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1139 | |
| 1140 | /** |
| 1141 | * Our additional application data needed for getting synchronization right. |
| 1142 | * This maybe warrants a bit of lengthy prose: |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1143 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1144 | * (1) We use a flag to reflect whether we consider the SSL connection alive. |
| 1145 | * Any read or write attempt loops will be cancelled once this flag becomes 0. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1146 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1147 | * (2) We use an int to count the number of threads that are blocked by the |
| 1148 | * underlying socket. This may be at most two (one reader and one writer), since |
| 1149 | * the Java layer ensures that no more threads will enter the native code at the |
| 1150 | * same time. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1151 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1152 | * (3) The pipe is used primarily as a means of cancelling a blocking select() |
| 1153 | * when we want to close the connection (aka "emergency button"). It is also |
| 1154 | * necessary for dealing with a possible race condition situation: There might |
| 1155 | * be cases where both threads see an SSL_ERROR_WANT_READ or |
| 1156 | * SSL_ERROR_WANT_WRITE. Both will enter a select() with the proper argument. |
| 1157 | * If one leaves the select() successfully before the other enters it, the |
| 1158 | * "success" event is already consumed and the second thread will be blocked, |
| 1159 | * possibly forever (depending on network conditions). |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1160 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1161 | * The idea for solving the problem looks like this: Whenever a thread is |
| 1162 | * successful in moving around data on the network, and it knows there is |
| 1163 | * another thread stuck in a select(), it will write a byte to the pipe, waking |
| 1164 | * up the other thread. A thread that returned from select(), on the other hand, |
| 1165 | * knows whether it's been woken up by the pipe. If so, it will consume the |
| 1166 | * byte, and the original state of affairs has been restored. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1167 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1168 | * The pipe may seem like a bit of overhead, but it fits in nicely with the |
| 1169 | * other file descriptors of the select(), so there's only one condition to wait |
| 1170 | * for. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1171 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1172 | * (4) Finally, a mutex is needed to make sure that at most one thread is in |
| 1173 | * either SSL_read() or SSL_write() at any given time. This is an OpenSSL |
| 1174 | * requirement. We use the same mutex to guard the field for counting the |
| 1175 | * waiting threads. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1176 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1177 | * Note: The current implementation assumes that we don't have to deal with |
| 1178 | * problems induced by multiple cores or processors and their respective |
| 1179 | * memory caches. One possible problem is that of inconsistent views on the |
| 1180 | * "aliveAndKicking" field. This could be worked around by also enclosing all |
| 1181 | * accesses to that field inside a lock/unlock sequence of our mutex, but |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1182 | * currently this seems a bit like overkill. Marking volatile at the very least. |
| 1183 | * |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1184 | * During handshaking, additional fields are used to up-call into |
Brian Carlstrom | e3a1871 | 2010-07-13 22:54:39 -0700 | [diff] [blame] | 1185 | * Java to perform certificate verification and handshake |
| 1186 | * completion. These are also used in any renegotiation. |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1187 | * |
| 1188 | * (5) the JNIEnv so we can invoke the Java callback |
| 1189 | * |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1190 | * (6) a NativeCrypto.SSLHandshakeCallbacks instance for callbacks from native to Java |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1191 | * |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1192 | * (7) a java.io.FileDescriptor wrapper to check for socket close |
| 1193 | * |
Brian Carlstrom | e3a1871 | 2010-07-13 22:54:39 -0700 | [diff] [blame] | 1194 | * Because renegotiation can be requested by the peer at any time, |
| 1195 | * care should be taken to maintain an appropriate JNIEnv on any |
| 1196 | * downcall to openssl since it could result in an upcall to Java. The |
| 1197 | * current code does try to cover these cases by conditionally setting |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 1198 | * the JNIEnv on calls that can read and write to the SSL such as |
Brian Carlstrom | e3a1871 | 2010-07-13 22:54:39 -0700 | [diff] [blame] | 1199 | * SSL_do_handshake, SSL_read, SSL_write, and SSL_shutdown. |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1200 | * |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 1201 | * Finally, we have one other piece of state setup by OpenSSL callbacks: |
| 1202 | * |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1203 | * (8) a set of ephemeral RSA keys that is lazily generated if a peer |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 1204 | * wants to use an exportable RSA cipher suite. |
| 1205 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1206 | */ |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1207 | class AppData { |
| 1208 | public: |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1209 | volatile int aliveAndKicking; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1210 | int waitingThreads; |
| 1211 | int fdsEmergency[2]; |
| 1212 | MUTEX_TYPE mutex; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1213 | JNIEnv* env; |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1214 | jobject sslHandshakeCallbacks; |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1215 | jobject fileDescriptor; |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 1216 | Unique_RSA ephemeralRsa; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1217 | |
| 1218 | /** |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1219 | * Creates the application data context for the SSL*. |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1220 | */ |
| 1221 | public: |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1222 | static AppData* create() { |
| 1223 | UniquePtr<AppData> appData(new AppData()); |
| 1224 | if (pipe(appData.get()->fdsEmergency) == -1) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 1225 | return NULL; |
| 1226 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1227 | if (MUTEX_SETUP(appData.get()->mutex) == -1) { |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1228 | return NULL; |
| 1229 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1230 | return appData.release(); |
Brian Carlstrom | 3534c7c | 2010-05-14 21:49:34 -0700 | [diff] [blame] | 1231 | } |
| 1232 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1233 | ~AppData() { |
| 1234 | aliveAndKicking = 0; |
| 1235 | if (fdsEmergency[0] != -1) { |
| 1236 | close(fdsEmergency[0]); |
| 1237 | } |
| 1238 | if (fdsEmergency[1] != -1) { |
| 1239 | close(fdsEmergency[1]); |
| 1240 | } |
| 1241 | MUTEX_CLEANUP(mutex); |
| 1242 | } |
| 1243 | |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1244 | private: |
| 1245 | AppData() : |
| 1246 | aliveAndKicking(1), |
| 1247 | waitingThreads(0), |
| 1248 | env(NULL), |
| 1249 | sslHandshakeCallbacks(NULL), |
| 1250 | ephemeralRsa(NULL) { |
| 1251 | fdsEmergency[0] = -1; |
| 1252 | fdsEmergency[1] = -1; |
Brian Carlstrom | 3534c7c | 2010-05-14 21:49:34 -0700 | [diff] [blame] | 1253 | } |
| 1254 | |
| 1255 | public: |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1256 | /** |
| 1257 | * Used to set the SSL-to-Java callback state before each SSL_* |
| 1258 | * call that may result in a callback. It should be cleared after |
| 1259 | * the operation returns with clearCallbackState. |
| 1260 | * |
| 1261 | * @param env The JNIEnv |
| 1262 | * @param shc The SSLHandshakeCallbacks |
| 1263 | * @param fd The FileDescriptor |
| 1264 | */ |
| 1265 | bool setCallbackState(JNIEnv* e, jobject shc, jobject fd) { |
| 1266 | NetFd netFd(e, fd); |
| 1267 | if (netFd.isClosed()) { |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1268 | return false; |
| 1269 | } |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1270 | env = e; |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1271 | sslHandshakeCallbacks = shc; |
| 1272 | fileDescriptor = fd; |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1273 | return true; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1274 | } |
Brian Carlstrom | 3534c7c | 2010-05-14 21:49:34 -0700 | [diff] [blame] | 1275 | |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1276 | void clearCallbackState() { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1277 | env = NULL; |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1278 | sslHandshakeCallbacks = NULL; |
| 1279 | fileDescriptor = NULL; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1280 | } |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1281 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1282 | }; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1283 | |
| 1284 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1285 | * Dark magic helper function that checks, for a given SSL session, whether it |
| 1286 | * can SSL_read() or SSL_write() without blocking. Takes into account any |
| 1287 | * concurrent attempts to close the SSL session from the Java side. This is |
| 1288 | * needed to get rid of the hangs that occur when thread #1 closes the SSLSocket |
| 1289 | * while thread #2 is sitting in a blocking read or write. The type argument |
| 1290 | * specifies whether we are waiting for readability or writability. It expects |
| 1291 | * to be passed either SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, since we |
| 1292 | * only need to wait in case one of these problems occurs. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1293 | * |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1294 | * @param env |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1295 | * @param type Either SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1296 | * @param fdObject The FileDescriptor, since appData->fileDescriptor should be NULL |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1297 | * @param appData The application data structure with mutex info etc. |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1298 | * @param timeout The timeout value for select call, with the special value |
| 1299 | * 0 meaning no timeout at all (wait indefinitely). Note: This is |
| 1300 | * the Java semantics of the timeout value, not the usual |
| 1301 | * select() semantics. |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1302 | * @return The result of the inner select() call, |
| 1303 | * THROW_SOCKETEXCEPTION if a SocketException was thrown, -1 on |
| 1304 | * additional errors |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1305 | */ |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1306 | static int sslSelect(JNIEnv* env, int type, jobject fdObject, AppData* appData, int timeout) { |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1307 | // This loop is an expanded version of the NET_FAILURE_RETRY |
| 1308 | // macro. It cannot simply be used in this case because select |
| 1309 | // cannot be restarted without recreating the fd_sets and timeout |
| 1310 | // structure. |
| 1311 | int result; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1312 | fd_set rfds; |
| 1313 | fd_set wfds; |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1314 | do { |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 1315 | NetFd fd(env, fdObject); |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1316 | if (fd.isClosed()) { |
| 1317 | result = THROWN_SOCKETEXCEPTION; |
| 1318 | break; |
| 1319 | } |
| 1320 | int intFd = fd.get(); |
| 1321 | JNI_TRACE("sslSelect type=%s fd=%d appData=%p timeout=%d", |
| 1322 | (type == SSL_ERROR_WANT_READ) ? "READ" : "WRITE", intFd, appData, timeout); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1323 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1324 | FD_ZERO(&rfds); |
| 1325 | FD_ZERO(&wfds); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1326 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1327 | if (type == SSL_ERROR_WANT_READ) { |
| 1328 | FD_SET(intFd, &rfds); |
| 1329 | } else { |
| 1330 | FD_SET(intFd, &wfds); |
| 1331 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1332 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1333 | FD_SET(appData->fdsEmergency[0], &rfds); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1334 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1335 | int max = intFd > appData->fdsEmergency[0] ? intFd : appData->fdsEmergency[0]; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1336 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1337 | // Build a struct for the timeout data if we actually want a timeout. |
| 1338 | timeval tv; |
| 1339 | timeval* ptv; |
| 1340 | if (timeout > 0) { |
| 1341 | tv.tv_sec = timeout / 1000; |
| 1342 | tv.tv_usec = 0; |
| 1343 | ptv = &tv; |
| 1344 | } else { |
| 1345 | ptv = NULL; |
| 1346 | } |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1347 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1348 | { |
| 1349 | AsynchronousSocketCloseMonitor monitor(intFd); |
| 1350 | result = select(max + 1, &rfds, &wfds, NULL, ptv); |
Brian Carlstrom | 1be19cf | 2010-09-21 22:32:21 -0700 | [diff] [blame] | 1351 | JNI_TRACE("sslSelect %s fd=%d appData=%p timeout=%d => %d", |
| 1352 | (type == SSL_ERROR_WANT_READ) ? "READ" : "WRITE", |
| 1353 | fd.get(), appData, timeout, result); |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1354 | if (result == -1) { |
| 1355 | if (fd.isClosed()) { |
| 1356 | result = THROWN_SOCKETEXCEPTION; |
| 1357 | break; |
| 1358 | } |
| 1359 | if (errno != EINTR) { |
| 1360 | break; |
| 1361 | } |
| 1362 | } |
| 1363 | } |
| 1364 | } while (result == -1); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1365 | |
| 1366 | // Lock |
| 1367 | if (MUTEX_LOCK(appData->mutex) == -1) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1368 | return -1; |
| 1369 | } |
| 1370 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1371 | if (result > 0) { |
| 1372 | // If we have been woken up by the emergency pipe, there must be a token in |
| 1373 | // it. Thus we can safely read it (even in a blocking way). |
| 1374 | if (FD_ISSET(appData->fdsEmergency[0], &rfds)) { |
| 1375 | char token; |
| 1376 | do { |
| 1377 | read(appData->fdsEmergency[0], &token, 1); |
| 1378 | } while (errno == EINTR); |
| 1379 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1380 | } |
| 1381 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1382 | // Tell the world that there is now one thread less waiting for the |
| 1383 | // underlying network. |
| 1384 | appData->waitingThreads--; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1385 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1386 | // Unlock |
| 1387 | MUTEX_UNLOCK(appData->mutex); |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 1388 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1389 | return result; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1390 | } |
| 1391 | |
| 1392 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1393 | * Helper function that wakes up a thread blocked in select(), in case there is |
| 1394 | * one. Is being called by sslRead() and sslWrite() as well as by JNI glue |
| 1395 | * before closing the connection. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1396 | * |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1397 | * @param data The application data structure with mutex info etc. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 1398 | */ |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1399 | static void sslNotify(AppData* appData) { |
| 1400 | // Write a byte to the emergency pipe, so a concurrent select() can return. |
| 1401 | // Note we have to restore the errno of the original system call, since the |
| 1402 | // caller relies on it for generating error messages. |
| 1403 | int errnoBackup = errno; |
| 1404 | char token = '*'; |
| 1405 | do { |
| 1406 | errno = 0; |
| 1407 | write(appData->fdsEmergency[1], &token, 1); |
| 1408 | } while (errno == EINTR); |
| 1409 | errno = errnoBackup; |
| 1410 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 1411 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 1412 | static AppData* toAppData(const SSL* ssl) { |
| 1413 | return reinterpret_cast<AppData*>(SSL_get_app_data(ssl)); |
| 1414 | } |
| 1415 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1416 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1417 | * Verify the X509 certificate via SSL_CTX_set_cert_verify_callback |
| 1418 | */ |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 1419 | static int cert_verify_callback(X509_STORE_CTX* x509_store_ctx, void* arg __attribute__ ((unused))) |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1420 | { |
| 1421 | /* Get the correct index to the SSLobject stored into X509_STORE_CTX. */ |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 1422 | SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(x509_store_ctx, |
| 1423 | SSL_get_ex_data_X509_STORE_CTX_idx())); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1424 | JNI_TRACE("ssl=%p cert_verify_callback x509_store_ctx=%p arg=%p", ssl, x509_store_ctx, arg); |
| 1425 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 1426 | AppData* appData = toAppData(ssl); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1427 | JNIEnv* env = appData->env; |
| 1428 | if (env == NULL) { |
| 1429 | LOGE("AppData->env missing in cert_verify_callback"); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 1430 | JNI_TRACE("ssl=%p cert_verify_callback => 0", ssl); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1431 | return 0; |
| 1432 | } |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1433 | jobject sslHandshakeCallbacks = appData->sslHandshakeCallbacks; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1434 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1435 | jclass cls = env->GetObjectClass(sslHandshakeCallbacks); |
| 1436 | jmethodID methodID |
| 1437 | = env->GetMethodID(cls, "verifyCertificateChain", "([[BLjava/lang/String;)V"); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1438 | |
| 1439 | jobjectArray objectArray = getCertificateBytes(env, x509_store_ctx->untrusted); |
| 1440 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1441 | const char* authMethod = SSL_authentication_method(ssl); |
| 1442 | JNI_TRACE("ssl=%p cert_verify_callback calling verifyCertificateChain authMethod=%s", |
| 1443 | ssl, authMethod); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1444 | jstring authMethodString = env->NewStringUTF(authMethod); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1445 | env->CallVoidMethod(sslHandshakeCallbacks, methodID, objectArray, authMethodString); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1446 | |
| 1447 | int result = (env->ExceptionCheck()) ? 0 : 1; |
| 1448 | JNI_TRACE("ssl=%p cert_verify_callback => %d", ssl, result); |
| 1449 | return result; |
| 1450 | } |
| 1451 | |
| 1452 | /** |
| 1453 | * Call back to watch for handshake to be completed. This is necessary |
| 1454 | * for SSL_MODE_HANDSHAKE_CUTTHROUGH support, since SSL_do_handshake |
| 1455 | * returns before the handshake is completed in this case. |
| 1456 | */ |
Elliott Hughes | acce5ff | 2010-08-13 16:14:21 -0700 | [diff] [blame] | 1457 | static void info_callback(const SSL* ssl, int where, int ret __attribute__ ((unused))) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1458 | JNI_TRACE("ssl=%p info_callback where=0x%x ret=%d", ssl, where, ret); |
| 1459 | #ifdef WITH_JNI_TRACE |
| 1460 | info_callback_LOG(ssl, where, ret); |
| 1461 | #endif |
| 1462 | if (!(where & SSL_CB_HANDSHAKE_DONE)) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1463 | JNI_TRACE("ssl=%p info_callback ignored", ssl); |
| 1464 | return; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1465 | } |
| 1466 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 1467 | AppData* appData = toAppData(ssl); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1468 | JNIEnv* env = appData->env; |
| 1469 | if (env == NULL) { |
| 1470 | LOGE("AppData->env missing in info_callback"); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 1471 | JNI_TRACE("ssl=%p info_callback env error", ssl); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1472 | return; |
| 1473 | } |
Brian Carlstrom | 0c131a2 | 2010-05-20 15:27:31 -0700 | [diff] [blame] | 1474 | if (env->ExceptionCheck()) { |
| 1475 | JNI_TRACE("ssl=%p info_callback already pending exception", ssl); |
| 1476 | return; |
| 1477 | } |
| 1478 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1479 | jobject sslHandshakeCallbacks = appData->sslHandshakeCallbacks; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1480 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1481 | jclass cls = env->GetObjectClass(sslHandshakeCallbacks); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1482 | jmethodID methodID = env->GetMethodID(cls, "handshakeCompleted", "()V"); |
| 1483 | |
| 1484 | JNI_TRACE("ssl=%p info_callback calling handshakeCompleted", ssl); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1485 | env->CallVoidMethod(sslHandshakeCallbacks, methodID); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1486 | |
| 1487 | if (env->ExceptionCheck()) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1488 | JNI_TRACE("ssl=%p info_callback exception", ssl); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1489 | } |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1490 | JNI_TRACE("ssl=%p info_callback completed", ssl); |
| 1491 | } |
| 1492 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1493 | /** |
| 1494 | * Call back to ask for a client certificate |
| 1495 | */ |
| 1496 | static int client_cert_cb(SSL* ssl, X509** x509Out, EVP_PKEY** pkeyOut) { |
| 1497 | JNI_TRACE("ssl=%p client_cert_cb x509Out=%p pkeyOut=%p", ssl, x509Out, pkeyOut); |
| 1498 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 1499 | AppData* appData = toAppData(ssl); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1500 | JNIEnv* env = appData->env; |
| 1501 | if (env == NULL) { |
| 1502 | LOGE("AppData->env missing in client_cert_cb"); |
| 1503 | JNI_TRACE("ssl=%p client_cert_cb env error => 0", ssl); |
| 1504 | return 0; |
| 1505 | } |
Brian Carlstrom | 30a77f3 | 2010-11-04 22:37:27 -0700 | [diff] [blame] | 1506 | if (env->ExceptionCheck()) { |
| 1507 | JNI_TRACE("ssl=%p client_cert_cb already pending exception", ssl); |
| 1508 | return 0; |
| 1509 | } |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1510 | jobject sslHandshakeCallbacks = appData->sslHandshakeCallbacks; |
| 1511 | |
| 1512 | jclass cls = env->GetObjectClass(sslHandshakeCallbacks); |
| 1513 | jmethodID methodID |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 1514 | = env->GetMethodID(cls, "clientCertificateRequested", "([B[[B)V"); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1515 | |
| 1516 | // Call Java callback which can use SSL_use_certificate and SSL_use_PrivateKey to set values |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 1517 | char ssl2_ctype = SSL3_CT_RSA_SIGN; |
| 1518 | const char* ctype = NULL; |
| 1519 | int ctype_num = 0; |
| 1520 | jobjectArray issuers = NULL; |
| 1521 | switch (ssl->version) { |
| 1522 | case SSL2_VERSION: |
| 1523 | ctype = &ssl2_ctype; |
| 1524 | ctype_num = 1; |
| 1525 | break; |
| 1526 | case SSL3_VERSION: |
| 1527 | case TLS1_VERSION: |
| 1528 | case DTLS1_VERSION: |
| 1529 | ctype = ssl->s3->tmp.ctype; |
| 1530 | ctype_num = ssl->s3->tmp.ctype_num; |
| 1531 | issuers = getPrincipalBytes(env, ssl->s3->tmp.ca_names); |
| 1532 | break; |
| 1533 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 1534 | #ifdef WITH_JNI_TRACE |
| 1535 | for (int i = 0; i < ctype_num; i++) { |
| 1536 | JNI_TRACE("ssl=%p clientCertificateRequested keyTypes[%d]=%d", ssl, i, ctype[i]); |
| 1537 | } |
| 1538 | #endif |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 1539 | |
| 1540 | jbyteArray keyTypes = env->NewByteArray(ctype_num); |
| 1541 | if (keyTypes == NULL) { |
| 1542 | JNI_TRACE("ssl=%p client_cert_cb bytes == null => 0", ssl); |
| 1543 | return 0; |
| 1544 | } |
| 1545 | env->SetByteArrayRegion(keyTypes, 0, ctype_num, reinterpret_cast<const jbyte*>(ctype)); |
| 1546 | |
| 1547 | JNI_TRACE("ssl=%p clientCertificateRequested calling clientCertificateRequested " |
| 1548 | "keyTypes=%p issuers=%p", ssl, keyTypes, issuers); |
| 1549 | env->CallVoidMethod(sslHandshakeCallbacks, methodID, keyTypes, issuers); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1550 | |
| 1551 | if (env->ExceptionCheck()) { |
| 1552 | JNI_TRACE("ssl=%p client_cert_cb exception => 0", ssl); |
| 1553 | return 0; |
| 1554 | } |
| 1555 | |
| 1556 | // Check for values set from Java |
| 1557 | X509* certificate = SSL_get_certificate(ssl); |
| 1558 | EVP_PKEY* privatekey = SSL_get_privatekey(ssl); |
| 1559 | int result; |
| 1560 | if (certificate != NULL && privatekey != NULL) { |
| 1561 | *x509Out = certificate; |
| 1562 | *pkeyOut = privatekey; |
| 1563 | result = 1; |
| 1564 | } else { |
| 1565 | *x509Out = NULL; |
| 1566 | *pkeyOut = NULL; |
| 1567 | result = 0; |
| 1568 | } |
| 1569 | JNI_TRACE("ssl=%p client_cert_cb => *x509=%p *pkey=%p %d", ssl, *x509Out, *pkeyOut, result); |
| 1570 | return result; |
| 1571 | } |
| 1572 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1573 | static RSA* rsaGenerateKey(int keylength) { |
| 1574 | Unique_BIGNUM bn(BN_new()); |
| 1575 | if (bn.get() == NULL) { |
| 1576 | return NULL; |
| 1577 | } |
| 1578 | int setWordResult = BN_set_word(bn.get(), RSA_F4); |
| 1579 | if (setWordResult != 1) { |
| 1580 | return NULL; |
| 1581 | } |
| 1582 | Unique_RSA rsa(RSA_new()); |
| 1583 | if (rsa.get() == NULL) { |
| 1584 | return NULL; |
| 1585 | } |
| 1586 | int generateResult = RSA_generate_key_ex(rsa.get(), keylength, bn.get(), NULL); |
| 1587 | if (generateResult != 1) { |
| 1588 | return NULL; |
| 1589 | } |
| 1590 | return rsa.release(); |
| 1591 | } |
| 1592 | |
| 1593 | /** |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 1594 | * Call back to ask for an ephemeral RSA key for SSL_RSA_EXPORT_WITH_RC4_40_MD5 (aka EXP-RC4-MD5) |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1595 | */ |
| 1596 | static RSA* tmp_rsa_callback(SSL* ssl __attribute__ ((unused)), |
| 1597 | int is_export __attribute__ ((unused)), |
| 1598 | int keylength) { |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 1599 | JNI_TRACE("ssl=%p tmp_rsa_callback is_export=%d keylength=%d", ssl, is_export, keylength); |
| 1600 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 1601 | AppData* appData = toAppData(ssl); |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 1602 | if (appData->ephemeralRsa.get() == NULL) { |
| 1603 | JNI_TRACE("ssl=%p tmp_rsa_callback generating ephemeral RSA key", ssl); |
| 1604 | appData->ephemeralRsa.reset(rsaGenerateKey(keylength)); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1605 | } |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 1606 | JNI_TRACE("ssl=%p tmp_rsa_callback => %p", ssl, appData->ephemeralRsa.get()); |
| 1607 | return appData->ephemeralRsa.get(); |
| 1608 | } |
| 1609 | |
| 1610 | static DH* dhGenerateParameters(int keylength) { |
| 1611 | |
| 1612 | /* |
| 1613 | * The SSL_CTX_set_tmp_dh_callback(3SSL) man page discusses two |
| 1614 | * different options for generating DH keys. One is generating the |
| 1615 | * keys using a single set of DH parameters. However, generating |
| 1616 | * DH parameters is slow enough (minutes) that they suggest doing |
| 1617 | * it once at install time. The other is to generate DH keys from |
| 1618 | * DSA parameters. Generating DSA parameters is faster than DH |
| 1619 | * parameters, but to prevent small subgroup attacks, they needed |
| 1620 | * to be regenerated for each set of DH keys. Setting the |
| 1621 | * SSL_OP_SINGLE_DH_USE option make sure OpenSSL will call back |
| 1622 | * for new DH parameters every type it needs to generate DH keys. |
| 1623 | */ |
| 1624 | #if 0 |
| 1625 | // Slow path that takes minutes but could be cached |
| 1626 | Unique_DH dh(DH_new()); |
| 1627 | if (!DH_generate_parameters_ex(dh.get(), keylength, 2, NULL)) { |
| 1628 | return NULL; |
| 1629 | } |
| 1630 | return dh.release(); |
| 1631 | #else |
| 1632 | // Faster path but must have SSL_OP_SINGLE_DH_USE set |
| 1633 | Unique_DSA dsa(DSA_new()); |
| 1634 | if (!DSA_generate_parameters_ex(dsa.get(), keylength, NULL, 0, NULL, NULL, NULL)) { |
| 1635 | return NULL; |
| 1636 | } |
| 1637 | DH* dh = DSA_dup_DH(dsa.get()); |
| 1638 | return dh; |
| 1639 | #endif |
| 1640 | } |
| 1641 | |
| 1642 | /** |
| 1643 | * Call back to ask for Diffie-Hellman parameters |
| 1644 | */ |
| 1645 | static DH* tmp_dh_callback(SSL* ssl __attribute__ ((unused)), |
| 1646 | int is_export __attribute__ ((unused)), |
| 1647 | int keylength) { |
| 1648 | JNI_TRACE("ssl=%p tmp_dh_callback is_export=%d keylength=%d", ssl, is_export, keylength); |
| 1649 | DH* tmp_dh = dhGenerateParameters(keylength); |
| 1650 | JNI_TRACE("ssl=%p tmp_dh_callback => %p", ssl, tmp_dh); |
| 1651 | return tmp_dh; |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1652 | } |
| 1653 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1654 | /* |
| 1655 | * public static native int SSL_CTX_new(); |
| 1656 | */ |
Brian Carlstrom | 44e0e56 | 2010-05-06 23:44:16 -0700 | [diff] [blame] | 1657 | static int NativeCrypto_SSL_CTX_new(JNIEnv* env, jclass) { |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1658 | Unique_SSL_CTX sslCtx(SSL_CTX_new(SSLv23_method())); |
| 1659 | if (sslCtx.get() == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 1660 | jniThrowRuntimeException(env, "SSL_CTX_new"); |
| 1661 | return NULL; |
| 1662 | } |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 1663 | SSL_CTX_set_options(sslCtx.get(), |
Brian Carlstrom | f7b8b35 | 2010-05-21 15:45:11 -0700 | [diff] [blame] | 1664 | SSL_OP_ALL |
| 1665 | // Note: We explicitly do not allow SSLv2 to be used. |
| 1666 | | SSL_OP_NO_SSLv2 |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 1667 | // We also disable session tickets for better compatibility b/2682876 |
Brian Carlstrom | f7b8b35 | 2010-05-21 15:45:11 -0700 | [diff] [blame] | 1668 | | SSL_OP_NO_TICKET |
Brian Carlstrom | 4559b1d | 2010-07-22 16:33:48 -0700 | [diff] [blame] | 1669 | // We also disable compression for better compatibility b/2710492 b/2710497 |
| 1670 | | SSL_OP_NO_COMPRESSION |
Brian Carlstrom | f7b8b35 | 2010-05-21 15:45:11 -0700 | [diff] [blame] | 1671 | // Because dhGenerateParameters uses DSA_generate_parameters_ex |
| 1672 | | SSL_OP_SINGLE_DH_USE); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1673 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1674 | int mode = SSL_CTX_get_mode(sslCtx.get()); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1675 | /* |
| 1676 | * Turn on "partial write" mode. This means that SSL_write() will |
| 1677 | * behave like Posix write() and possibly return after only |
| 1678 | * writing a partial buffer. Note: The alternative, perhaps |
| 1679 | * surprisingly, is not that SSL_write() always does full writes |
| 1680 | * but that it will force you to retry write calls having |
| 1681 | * preserved the full state of the original call. (This is icky |
| 1682 | * and undesirable.) |
| 1683 | */ |
| 1684 | mode |= SSL_MODE_ENABLE_PARTIAL_WRITE; |
| 1685 | #if defined(SSL_MODE_SMALL_BUFFERS) /* not all SSL versions have this */ |
| 1686 | mode |= SSL_MODE_SMALL_BUFFERS; /* lazily allocate record buffers; usually saves |
| 1687 | * 44k over the default */ |
| 1688 | #endif |
| 1689 | #if defined(SSL_MODE_HANDSHAKE_CUTTHROUGH) /* not all SSL versions have this */ |
| 1690 | mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH; /* enable sending of client data as soon as |
| 1691 | * ClientCCS and ClientFinished are sent */ |
| 1692 | #endif |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1693 | SSL_CTX_set_mode(sslCtx.get(), mode); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1694 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1695 | SSL_CTX_set_cert_verify_callback(sslCtx.get(), cert_verify_callback, NULL); |
| 1696 | SSL_CTX_set_info_callback(sslCtx.get(), info_callback); |
| 1697 | SSL_CTX_set_client_cert_cb(sslCtx.get(), client_cert_cb); |
| 1698 | SSL_CTX_set_tmp_rsa_callback(sslCtx.get(), tmp_rsa_callback); |
Brian Carlstrom | aacf6f9 | 2010-05-20 01:02:17 -0700 | [diff] [blame] | 1699 | SSL_CTX_set_tmp_dh_callback(sslCtx.get(), tmp_dh_callback); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1700 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1701 | JNI_TRACE("NativeCrypto_SSL_CTX_new => %p", sslCtx.get()); |
| 1702 | return (jint) sslCtx.release(); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1703 | } |
| 1704 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1705 | /** |
| 1706 | * public static native void SSL_CTX_free(int ssl_ctx) |
| 1707 | */ |
| 1708 | static void NativeCrypto_SSL_CTX_free(JNIEnv* env, |
| 1709 | jclass, jint ssl_ctx_address) |
| 1710 | { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1711 | SSL_CTX* ssl_ctx = to_SSL_CTX(env, ssl_ctx_address, true); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1712 | JNI_TRACE("ssl_ctx=%p NativeCrypto_SSL_CTX_free", ssl_ctx); |
| 1713 | if (ssl_ctx == NULL) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1714 | return; |
| 1715 | } |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1716 | SSL_CTX_free(ssl_ctx); |
| 1717 | } |
| 1718 | |
| 1719 | /** |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1720 | * public static native int SSL_new(int ssl_ctx) throws SSLException; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1721 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1722 | static jint NativeCrypto_SSL_new(JNIEnv* env, jclass, jint ssl_ctx_address) |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1723 | { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1724 | SSL_CTX* ssl_ctx = to_SSL_CTX(env, ssl_ctx_address, true); |
| 1725 | JNI_TRACE("ssl_ctx=%p NativeCrypto_SSL_new", ssl_ctx); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1726 | if (ssl_ctx == NULL) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1727 | return NULL; |
| 1728 | } |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1729 | Unique_SSL ssl(SSL_new(ssl_ctx)); |
| 1730 | if (ssl.get() == NULL) { |
| 1731 | throwSSLExceptionWithSslErrors(env, NULL, SSL_ERROR_NONE, |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1732 | "Unable to create SSL structure"); |
| 1733 | JNI_TRACE("ssl_ctx=%p NativeCrypto_SSL_new => NULL", ssl_ctx); |
| 1734 | return NULL; |
| 1735 | } |
| 1736 | |
| 1737 | /* Java code in class OpenSSLSocketImpl does the verification. Meaning of |
| 1738 | * SSL_VERIFY_NONE flag in client mode: if not using an anonymous cipher |
| 1739 | * (by default disabled), the server will send a certificate which will |
| 1740 | * be checked. The result of the certificate verification process can be |
| 1741 | * checked after the TLS/SSL handshake using the SSL_get_verify_result(3) |
| 1742 | * function. The handshake will be continued regardless of the |
| 1743 | * verification result. |
| 1744 | */ |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1745 | SSL_set_verify(ssl.get(), SSL_VERIFY_NONE, NULL); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1746 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1747 | JNI_TRACE("ssl_ctx=%p NativeCrypto_SSL_new => ssl=%p", ssl_ctx, ssl.get()); |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 1748 | return (jint) ssl.release(); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1749 | } |
| 1750 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1751 | static void NativeCrypto_SSL_use_PrivateKey(JNIEnv* env, jclass, |
| 1752 | jint ssl_address, jbyteArray privatekey) |
| 1753 | { |
| 1754 | SSL* ssl = to_SSL(env, ssl_address, true); |
| 1755 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey privatekey=%p", ssl, privatekey); |
| 1756 | if (ssl == NULL) { |
| 1757 | return; |
| 1758 | } |
| 1759 | |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 1760 | ScopedByteArrayRO buf(env, privatekey); |
| 1761 | if (buf.get() == NULL) { |
| 1762 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => threw exception", ssl); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1763 | return; |
| 1764 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 1765 | const unsigned char* tmp = reinterpret_cast<const unsigned char*>(buf.get()); |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1766 | Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(NULL, &tmp, buf.size())); |
| 1767 | if (pkcs8.get() == NULL) { |
| 1768 | LOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); |
| 1769 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, |
| 1770 | "Error parsing private key from DER to PKCS8"); |
| 1771 | SSL_clear(ssl); |
| 1772 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => error from DER to PKCS8", ssl); |
| 1773 | return; |
| 1774 | } |
| 1775 | |
| 1776 | Unique_EVP_PKEY privatekeyevp(EVP_PKCS82PKEY(pkcs8.get())); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1777 | if (privatekeyevp.get() == NULL) { |
Brian Carlstrom | bf87c56 | 2010-05-27 23:09:59 -0700 | [diff] [blame] | 1778 | LOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); |
Elliott Hughes | ccbe340 | 2010-07-09 16:39:48 -0700 | [diff] [blame] | 1779 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1780 | "Error creating private key from PKCS8"); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1781 | SSL_clear(ssl); |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1782 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => error from PKCS8 to key", ssl); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1783 | return; |
| 1784 | } |
| 1785 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1786 | int ret = SSL_use_PrivateKey(ssl, privatekeyevp.get()); |
| 1787 | if (ret == 1) { |
| 1788 | privatekeyevp.release(); |
| 1789 | } else { |
Brian Carlstrom | bf87c56 | 2010-05-27 23:09:59 -0700 | [diff] [blame] | 1790 | LOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1791 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error setting private key"); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1792 | SSL_clear(ssl); |
| 1793 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => error", ssl); |
| 1794 | return; |
| 1795 | } |
| 1796 | |
| 1797 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => ok", ssl); |
| 1798 | } |
| 1799 | |
| 1800 | static void NativeCrypto_SSL_use_certificate(JNIEnv* env, jclass, |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1801 | jint ssl_address, jobjectArray certificates) |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1802 | { |
| 1803 | SSL* ssl = to_SSL(env, ssl_address, true); |
| 1804 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate certificates=%p", ssl, certificates); |
| 1805 | if (ssl == NULL) { |
| 1806 | return; |
| 1807 | } |
| 1808 | |
| 1809 | if (certificates == NULL) { |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1810 | jniThrowNullPointerException(env, "certificates == null"); |
| 1811 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => certificates == null", ssl); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1812 | return; |
| 1813 | } |
| 1814 | |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1815 | int length = env->GetArrayLength(certificates); |
| 1816 | if (length == 0) { |
| 1817 | jniThrowException(env, "java/lang/IllegalArgumentException", "certificates.length == 0"); |
| 1818 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => certificates.length == 0", ssl); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1819 | return; |
| 1820 | } |
| 1821 | |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1822 | Unique_X509 certificatesX509[length]; |
| 1823 | for (int i = 0; i < length; i++) { |
| 1824 | ScopedLocalRef<jbyteArray> certificate(env, |
| 1825 | reinterpret_cast<jbyteArray>(env->GetObjectArrayElement(certificates, i))); |
| 1826 | if (certificate.get() == NULL) { |
| 1827 | jniThrowNullPointerException(env, "certificates element == null"); |
| 1828 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => certificates element null", ssl); |
| 1829 | return; |
| 1830 | } |
| 1831 | |
| 1832 | ScopedByteArrayRO buf(env, certificate.get()); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 1833 | if (buf.get() == NULL) { |
| 1834 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => threw exception", ssl); |
| 1835 | return; |
| 1836 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 1837 | const unsigned char* tmp = reinterpret_cast<const unsigned char*>(buf.get()); |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1838 | certificatesX509[i].reset(d2i_X509(NULL, &tmp, buf.size())); |
| 1839 | |
| 1840 | if (certificatesX509[i].get() == NULL) { |
| 1841 | LOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); |
| 1842 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error parsing certificate"); |
| 1843 | SSL_clear(ssl); |
| 1844 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => certificates parsing error", ssl); |
| 1845 | return; |
| 1846 | } |
| 1847 | } |
| 1848 | |
| 1849 | int ret = SSL_use_certificate(ssl, certificatesX509[0].get()); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1850 | if (ret == 1) { |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1851 | certificatesX509[0].release(); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 1852 | } else { |
Brian Carlstrom | bf87c56 | 2010-05-27 23:09:59 -0700 | [diff] [blame] | 1853 | LOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1854 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error setting certificate"); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1855 | SSL_clear(ssl); |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1856 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => SSL_use_certificate error", ssl); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1857 | return; |
| 1858 | } |
| 1859 | |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 1860 | Unique_sk_X509 chain(sk_X509_new_null()); |
| 1861 | if (chain.get() == NULL) { |
| 1862 | jniThrowOutOfMemoryError(env, "Unable to allocate local certificate chain"); |
| 1863 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => chain allocation error", ssl); |
| 1864 | return; |
| 1865 | } |
| 1866 | for (int i = 1; i < length; i++) { |
| 1867 | if (!sk_X509_push(chain.get(), certificatesX509[i].release())) { |
| 1868 | jniThrowOutOfMemoryError(env, "Unable to push certificate"); |
| 1869 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => certificate push error", ssl); |
| 1870 | return; |
| 1871 | } |
| 1872 | } |
| 1873 | int chainResult = SSL_use_certificate_chain(ssl, chain.get()); |
| 1874 | if (chainResult == 0) { |
| 1875 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error setting certificate chain"); |
| 1876 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => SSL_use_certificate_chain error", |
| 1877 | ssl); |
| 1878 | return; |
| 1879 | } else { |
| 1880 | chain.release(); |
| 1881 | } |
| 1882 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1883 | JNI_TRACE("ssl=%p NativeCrypto_SSL_use_certificate => ok", ssl); |
| 1884 | } |
| 1885 | |
| 1886 | static void NativeCrypto_SSL_check_private_key(JNIEnv* env, jclass, jint ssl_address) |
| 1887 | { |
| 1888 | SSL* ssl = to_SSL(env, ssl_address, true); |
| 1889 | JNI_TRACE("ssl=%p NativeCrypto_SSL_check_private_key", ssl); |
| 1890 | if (ssl == NULL) { |
| 1891 | return; |
| 1892 | } |
| 1893 | int ret = SSL_check_private_key(ssl); |
| 1894 | if (ret != 1) { |
Brian Carlstrom | 12cd1f0 | 2010-06-22 23:43:20 -0700 | [diff] [blame] | 1895 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error checking private key"); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1896 | SSL_clear(ssl); |
| 1897 | JNI_TRACE("ssl=%p NativeCrypto_SSL_check_private_key => error", ssl); |
| 1898 | return; |
| 1899 | } |
| 1900 | JNI_TRACE("ssl=%p NativeCrypto_SSL_check_private_key => ok", ssl); |
| 1901 | } |
| 1902 | |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 1903 | static void NativeCrypto_SSL_set_client_CA_list(JNIEnv* env, jclass, |
| 1904 | jint ssl_address, jobjectArray principals) |
| 1905 | { |
| 1906 | SSL* ssl = to_SSL(env, ssl_address, true); |
| 1907 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_client_CA_list principals=%p", ssl, principals); |
| 1908 | if (ssl == NULL) { |
| 1909 | return; |
| 1910 | } |
| 1911 | |
| 1912 | if (principals == NULL) { |
| 1913 | jniThrowNullPointerException(env, "principals == null"); |
| 1914 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_client_CA_list => principals == null", ssl); |
| 1915 | return; |
| 1916 | } |
| 1917 | |
| 1918 | int length = env->GetArrayLength(principals); |
| 1919 | if (length == 0) { |
| 1920 | jniThrowException(env, "java/lang/IllegalArgumentException", "principals.length == 0"); |
| 1921 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_client_CA_list => principals.length == 0", ssl); |
| 1922 | return; |
| 1923 | } |
| 1924 | |
| 1925 | Unique_sk_X509_NAME principalsStack(sk_X509_NAME_new_null()); |
| 1926 | if (principalsStack.get() == NULL) { |
| 1927 | jniThrowOutOfMemoryError(env, "Unable to allocate principal stack"); |
| 1928 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_client_CA_list => stack allocation error", ssl); |
| 1929 | return; |
| 1930 | } |
| 1931 | for (int i = 0; i < length; i++) { |
| 1932 | ScopedLocalRef<jbyteArray> principal(env, |
| 1933 | reinterpret_cast<jbyteArray>(env->GetObjectArrayElement(principals, i))); |
| 1934 | if (principal.get() == NULL) { |
| 1935 | jniThrowNullPointerException(env, "principals element == null"); |
| 1936 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_client_CA_list => principals element null", ssl); |
| 1937 | return; |
| 1938 | } |
| 1939 | |
| 1940 | ScopedByteArrayRO buf(env, principal.get()); |
| 1941 | if (buf.get() == NULL) { |
| 1942 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_client_CA_list => threw exception", ssl); |
| 1943 | return; |
| 1944 | } |
| 1945 | const unsigned char* tmp = reinterpret_cast<const unsigned char*>(buf.get()); |
| 1946 | Unique_X509_NAME principalX509Name(d2i_X509_NAME(NULL, &tmp, buf.size())); |
| 1947 | |
| 1948 | if (principalX509Name.get() == NULL) { |
| 1949 | LOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); |
| 1950 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error parsing principal"); |
| 1951 | SSL_clear(ssl); |
| 1952 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_client_CA_list => principals parsing error", |
| 1953 | ssl); |
| 1954 | return; |
| 1955 | } |
| 1956 | |
| 1957 | if (!sk_X509_NAME_push(principalsStack.get(), principalX509Name.release())) { |
| 1958 | jniThrowOutOfMemoryError(env, "Unable to push principal"); |
| 1959 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_client_CA_list => principal push error", ssl); |
| 1960 | return; |
| 1961 | } |
| 1962 | } |
| 1963 | |
| 1964 | SSL_set_client_CA_list(ssl, principalsStack.release()); |
| 1965 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_client_CA_list => ok", ssl); |
| 1966 | } |
| 1967 | |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1968 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1969 | * public static native long SSL_get_mode(int ssl); |
| 1970 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 1971 | static jlong NativeCrypto_SSL_get_mode(JNIEnv* env, jclass, jint ssl_address) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 1972 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1973 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_mode", ssl); |
| 1974 | if (ssl == NULL) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1975 | return 0; |
| 1976 | } |
| 1977 | long mode = SSL_get_mode(ssl); |
| 1978 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_mode => 0x%lx", ssl, mode); |
| 1979 | return mode; |
| 1980 | } |
| 1981 | |
| 1982 | /** |
| 1983 | * public static native long SSL_set_mode(int ssl, long mode); |
| 1984 | */ |
| 1985 | static jlong NativeCrypto_SSL_set_mode(JNIEnv* env, jclass, |
| 1986 | jint ssl_address, jlong mode) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 1987 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 1988 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_mode mode=0x%llx", ssl, mode); |
| 1989 | if (ssl == NULL) { |
| 1990 | return 0; |
| 1991 | } |
| 1992 | long result = SSL_set_mode(ssl, mode); |
| 1993 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_mode => 0x%lx", ssl, result); |
| 1994 | return result; |
| 1995 | } |
| 1996 | |
| 1997 | /** |
| 1998 | * public static native long SSL_clear_mode(int ssl, long mode); |
| 1999 | */ |
| 2000 | static jlong NativeCrypto_SSL_clear_mode(JNIEnv* env, jclass, |
| 2001 | jint ssl_address, jlong mode) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2002 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2003 | JNI_TRACE("ssl=%p NativeCrypto_SSL_clear_mode mode=0x%llx", ssl, mode); |
| 2004 | if (ssl == NULL) { |
| 2005 | return 0; |
| 2006 | } |
| 2007 | long result = SSL_clear_mode(ssl, mode); |
| 2008 | JNI_TRACE("ssl=%p NativeCrypto_SSL_clear_mode => 0x%lx", ssl, result); |
| 2009 | return result; |
| 2010 | } |
| 2011 | |
| 2012 | /** |
| 2013 | * public static native long SSL_get_options(int ssl); |
| 2014 | */ |
| 2015 | static jlong NativeCrypto_SSL_get_options(JNIEnv* env, jclass, |
| 2016 | jint ssl_address) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2017 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2018 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_options", ssl); |
| 2019 | if (ssl == NULL) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2020 | return 0; |
| 2021 | } |
| 2022 | long options = SSL_get_options(ssl); |
| 2023 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_options => 0x%lx", ssl, options); |
| 2024 | return options; |
| 2025 | } |
| 2026 | |
| 2027 | /** |
| 2028 | * public static native long SSL_set_options(int ssl, long options); |
| 2029 | */ |
| 2030 | static jlong NativeCrypto_SSL_set_options(JNIEnv* env, jclass, |
| 2031 | jint ssl_address, jlong options) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2032 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2033 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_options options=0x%llx", ssl, options); |
| 2034 | if (ssl == NULL) { |
| 2035 | return 0; |
| 2036 | } |
| 2037 | long result = SSL_set_options(ssl, options); |
| 2038 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_options => 0x%lx", ssl, result); |
| 2039 | return result; |
| 2040 | } |
| 2041 | |
| 2042 | /** |
| 2043 | * public static native long SSL_clear_options(int ssl, long options); |
| 2044 | */ |
| 2045 | static jlong NativeCrypto_SSL_clear_options(JNIEnv* env, jclass, |
| 2046 | jint ssl_address, jlong options) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2047 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2048 | JNI_TRACE("ssl=%p NativeCrypto_SSL_clear_options options=0x%llx", ssl, options); |
| 2049 | if (ssl == NULL) { |
| 2050 | return 0; |
| 2051 | } |
| 2052 | long result = SSL_clear_options(ssl, options); |
| 2053 | JNI_TRACE("ssl=%p NativeCrypto_SSL_clear_options => 0x%lx", ssl, result); |
| 2054 | return result; |
| 2055 | } |
| 2056 | |
| 2057 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2058 | * Sets the ciphers suites that are enabled in the SSL |
| 2059 | */ |
Brian Carlstrom | 9acacc3 | 2010-05-14 11:14:18 -0700 | [diff] [blame] | 2060 | static void NativeCrypto_SSL_set_cipher_lists(JNIEnv* env, jclass, |
| 2061 | jint ssl_address, jobjectArray cipherSuites) |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2062 | { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2063 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | 9acacc3 | 2010-05-14 11:14:18 -0700 | [diff] [blame] | 2064 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_cipher_lists cipherSuites=%p", ssl, cipherSuites); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2065 | if (ssl == NULL) { |
Brian Carlstrom | 9acacc3 | 2010-05-14 11:14:18 -0700 | [diff] [blame] | 2066 | return; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2067 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2068 | if (cipherSuites == NULL) { |
| 2069 | jniThrowNullPointerException(env, "cipherSuites == null"); |
| 2070 | return; |
| 2071 | } |
Brian Carlstrom | 9acacc3 | 2010-05-14 11:14:18 -0700 | [diff] [blame] | 2072 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 2073 | Unique_sk_SSL_CIPHER cipherstack(sk_SSL_CIPHER_new_null()); |
| 2074 | if (cipherstack.get() == NULL) { |
Brian Carlstrom | 9acacc3 | 2010-05-14 11:14:18 -0700 | [diff] [blame] | 2075 | jniThrowRuntimeException(env, "sk_SSL_CIPHER_new_null failed"); |
| 2076 | return; |
| 2077 | } |
| 2078 | |
| 2079 | const SSL_METHOD* ssl_method = ssl->method; |
| 2080 | int num_ciphers = ssl_method->num_ciphers(); |
| 2081 | |
| 2082 | int length = env->GetArrayLength(cipherSuites); |
| 2083 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_cipher_lists length=%d", ssl, length); |
| 2084 | for (int i = 0; i < length; i++) { |
Elliott Hughes | 8044bf6 | 2010-05-17 22:34:46 -0700 | [diff] [blame] | 2085 | ScopedLocalRef<jstring> cipherSuite(env, |
| 2086 | reinterpret_cast<jstring>(env->GetObjectArrayElement(cipherSuites, i))); |
| 2087 | ScopedUtfChars c(env, cipherSuite.get()); |
Elliott Hughes | 0596087 | 2010-05-26 17:45:07 -0700 | [diff] [blame] | 2088 | if (c.c_str() == NULL) { |
| 2089 | return; |
| 2090 | } |
Brian Carlstrom | 9acacc3 | 2010-05-14 11:14:18 -0700 | [diff] [blame] | 2091 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_cipher_lists cipherSuite=%s", ssl, c.c_str()); |
| 2092 | bool found = false; |
| 2093 | for (int j = 0; j < num_ciphers; j++) { |
| 2094 | const SSL_CIPHER* cipher = ssl_method->get_cipher(j); |
| 2095 | if ((strcmp(c.c_str(), cipher->name) == 0) |
| 2096 | && (strcmp(SSL_CIPHER_get_version(cipher), "SSLv2"))) { |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 2097 | if (!sk_SSL_CIPHER_push(cipherstack.get(), cipher)) { |
| 2098 | jniThrowOutOfMemoryError(env, "Unable to push cipher"); |
| 2099 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_cipher_lists => cipher push error", ssl); |
| 2100 | return; |
| 2101 | } |
Brian Carlstrom | 9acacc3 | 2010-05-14 11:14:18 -0700 | [diff] [blame] | 2102 | found = true; |
| 2103 | } |
| 2104 | } |
| 2105 | if (!found) { |
Brian Carlstrom | 9acacc3 | 2010-05-14 11:14:18 -0700 | [diff] [blame] | 2106 | jniThrowException(env, "java/lang/IllegalArgumentException", |
| 2107 | "Could not find cipher suite."); |
| 2108 | return; |
| 2109 | } |
| 2110 | } |
| 2111 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 2112 | int rc = SSL_set_cipher_lists(ssl, cipherstack.get()); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2113 | if (rc == 0) { |
| 2114 | freeSslErrorState(); |
| 2115 | jniThrowException(env, "java/lang/IllegalArgumentException", |
| 2116 | "Illegal cipher suite strings."); |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 2117 | } else { |
| 2118 | cipherstack.release(); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2119 | } |
| 2120 | } |
| 2121 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2122 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2123 | * Sets certificate expectations, especially for server to request client auth |
| 2124 | */ |
| 2125 | static void NativeCrypto_SSL_set_verify(JNIEnv* env, |
| 2126 | jclass, jint ssl_address, jint mode) |
| 2127 | { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2128 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | df349b3 | 2010-09-13 22:04:32 -0700 | [diff] [blame] | 2129 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_verify mode=%x", ssl, mode); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2130 | if (ssl == NULL) { |
| 2131 | return; |
| 2132 | } |
| 2133 | SSL_set_verify(ssl, (int)mode, NULL); |
| 2134 | } |
| 2135 | |
| 2136 | /** |
| 2137 | * Sets the ciphers suites that are enabled in the SSL |
| 2138 | */ |
| 2139 | static void NativeCrypto_SSL_set_session(JNIEnv* env, jclass, |
| 2140 | jint ssl_address, jint ssl_session_address) |
| 2141 | { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2142 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 2143 | SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, false); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2144 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_session ssl_session=%p", ssl, ssl_session); |
| 2145 | if (ssl == NULL) { |
| 2146 | return; |
| 2147 | } |
| 2148 | |
| 2149 | int ret = SSL_set_session(ssl, ssl_session); |
| 2150 | if (ret != 1) { |
| 2151 | /* |
| 2152 | * Translate the error, and throw if it turns out to be a real |
| 2153 | * problem. |
| 2154 | */ |
| 2155 | int sslErrorCode = SSL_get_error(ssl, ret); |
| 2156 | if (sslErrorCode != SSL_ERROR_ZERO_RETURN) { |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2157 | throwSSLExceptionWithSslErrors(env, ssl, sslErrorCode, "SSL session set"); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2158 | SSL_clear(ssl); |
| 2159 | } |
| 2160 | } |
| 2161 | } |
| 2162 | |
| 2163 | /** |
| 2164 | * Sets the ciphers suites that are enabled in the SSL |
| 2165 | */ |
| 2166 | static void NativeCrypto_SSL_set_session_creation_enabled(JNIEnv* env, jclass, |
| 2167 | jint ssl_address, jboolean creation_enabled) |
| 2168 | { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2169 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 2170 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_session_creation_enabled creation_enabled=%d", |
| 2171 | ssl, creation_enabled); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2172 | if (ssl == NULL) { |
| 2173 | return; |
| 2174 | } |
| 2175 | SSL_set_session_creation_enabled(ssl, creation_enabled); |
| 2176 | } |
| 2177 | |
Brian Carlstrom | 4559b1d | 2010-07-22 16:33:48 -0700 | [diff] [blame] | 2178 | static void NativeCrypto_SSL_set_tlsext_host_name(JNIEnv* env, jclass, |
| 2179 | jint ssl_address, jstring hostname) |
| 2180 | { |
| 2181 | SSL* ssl = to_SSL(env, ssl_address, true); |
| 2182 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_tlsext_host_name hostname=%p", |
| 2183 | ssl, hostname); |
| 2184 | if (ssl == NULL) { |
| 2185 | return; |
| 2186 | } |
| 2187 | |
| 2188 | ScopedUtfChars hostnameChars(env, hostname); |
| 2189 | if (hostnameChars.c_str() == NULL) { |
| 2190 | return; |
| 2191 | } |
| 2192 | JNI_TRACE("NativeCrypto_SSL_set_tlsext_host_name hostnameChars=%s", hostnameChars.c_str()); |
| 2193 | |
| 2194 | int ret = SSL_set_tlsext_host_name(ssl, hostnameChars.c_str()); |
| 2195 | if (ret != 1) { |
| 2196 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error setting host name"); |
| 2197 | SSL_clear(ssl); |
| 2198 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_tlsext_host_name => error", ssl); |
| 2199 | return; |
| 2200 | } |
| 2201 | JNI_TRACE("ssl=%p NativeCrypto_SSL_set_tlsext_host_name => ok", ssl); |
| 2202 | } |
| 2203 | |
| 2204 | static jstring NativeCrypto_SSL_get_servername(JNIEnv* env, jclass, jint ssl_address) { |
| 2205 | SSL* ssl = to_SSL(env, ssl_address, true); |
| 2206 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_servername", ssl); |
| 2207 | if (ssl == NULL) { |
| 2208 | return NULL; |
| 2209 | } |
| 2210 | const char* servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
| 2211 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_servername => %s", ssl, servername); |
| 2212 | return env->NewStringUTF(servername); |
| 2213 | } |
| 2214 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2215 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2216 | * Perform SSL handshake |
| 2217 | */ |
| 2218 | static jint NativeCrypto_SSL_do_handshake(JNIEnv* env, jclass, |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2219 | jint ssl_address, jobject fdObject, jobject shc, jint timeout, jboolean client_mode) |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2220 | { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2221 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2222 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake fd=%p shc=%p timeout=%d client_mode=%d", |
| 2223 | ssl, fdObject, shc, timeout, client_mode); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2224 | if (ssl == NULL) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2225 | return 0; |
| 2226 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2227 | if (fdObject == NULL) { |
| 2228 | jniThrowNullPointerException(env, "fd == null"); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2229 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2230 | return 0; |
| 2231 | } |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 2232 | if (shc == NULL) { |
| 2233 | jniThrowNullPointerException(env, "sslHandshakeCallbacks == null"); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2234 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2235 | return 0; |
| 2236 | } |
| 2237 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2238 | NetFd fd(env, fdObject); |
| 2239 | if (fd.isClosed()) { |
| 2240 | // SocketException thrown by NetFd.isClosed |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2241 | SSL_clear(ssl); |
| 2242 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2243 | return 0; |
| 2244 | } |
| 2245 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2246 | int ret = SSL_set_fd(ssl, fd.get()); |
Brian Carlstrom | 1be19cf | 2010-09-21 22:32:21 -0700 | [diff] [blame] | 2247 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake s=%d", ssl, fd.get()); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2248 | |
| 2249 | if (ret != 1) { |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2250 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, |
| 2251 | "Error setting the file descriptor"); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2252 | SSL_clear(ssl); |
| 2253 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2254 | return 0; |
| 2255 | } |
| 2256 | |
| 2257 | /* |
| 2258 | * Make socket non-blocking, so SSL_connect SSL_read() and SSL_write() don't hang |
| 2259 | * forever and we can use select() to find out if the socket is ready. |
| 2260 | */ |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2261 | if (!setBlocking(fd.get(), false)) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2262 | throwSSLExceptionStr(env, "Unable to make socket non blocking"); |
| 2263 | SSL_clear(ssl); |
| 2264 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2265 | return 0; |
| 2266 | } |
| 2267 | |
| 2268 | /* |
| 2269 | * Create our special application data. |
| 2270 | */ |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2271 | AppData* appData = AppData::create(); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2272 | if (appData == NULL) { |
| 2273 | throwSSLExceptionStr(env, "Unable to create application data"); |
| 2274 | SSL_clear(ssl); |
| 2275 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2276 | return 0; |
| 2277 | } |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 2278 | SSL_set_app_data(ssl, reinterpret_cast<char*>(appData)); |
Brian Carlstrom | 3534c7c | 2010-05-14 21:49:34 -0700 | [diff] [blame] | 2279 | JNI_TRACE("ssl=%p AppData::create => %p", ssl, appData); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2280 | |
| 2281 | if (client_mode) { |
| 2282 | SSL_set_connect_state(ssl); |
| 2283 | } else { |
| 2284 | SSL_set_accept_state(ssl); |
| 2285 | } |
| 2286 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2287 | ret = 0; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2288 | while (appData->aliveAndKicking) { |
| 2289 | errno = 0; |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2290 | if (!appData->setCallbackState(env, shc, fdObject)) { |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2291 | // SocketException thrown by NetFd.isClosed |
| 2292 | SSL_clear(ssl); |
| 2293 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2294 | return 0; |
| 2295 | } |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2296 | ret = SSL_do_handshake(ssl); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2297 | appData->clearCallbackState(); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2298 | // cert_verify_callback threw exception |
| 2299 | if (env->ExceptionCheck()) { |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2300 | SSL_clear(ssl); |
| 2301 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2302 | return 0; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2303 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2304 | // success case |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2305 | if (ret == 1) { |
| 2306 | break; |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2307 | } |
| 2308 | // retry case |
| 2309 | if (errno == EINTR) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2310 | continue; |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2311 | } |
| 2312 | // error case |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2313 | int sslError = SSL_get_error(ssl, ret); |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2314 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake ret=%d errno=%d sslError=%d timeout=%d", |
| 2315 | ssl, ret, errno, sslError, timeout); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2316 | |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2317 | /* |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2318 | * If SSL_do_handshake doesn't succeed due to the socket being |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2319 | * either unreadable or unwritable, we use sslSelect to |
| 2320 | * wait for it to become ready. If that doesn't happen |
| 2321 | * before the specified timeout or an error occurs, we |
| 2322 | * cancel the handshake. Otherwise we try the SSL_connect |
| 2323 | * again. |
| 2324 | */ |
| 2325 | if (sslError == SSL_ERROR_WANT_READ || sslError == SSL_ERROR_WANT_WRITE) { |
| 2326 | appData->waitingThreads++; |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2327 | int selectResult = sslSelect(env, sslError, fdObject, appData, timeout); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2328 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2329 | if (selectResult == THROWN_SOCKETEXCEPTION) { |
| 2330 | // SocketException thrown by NetFd.isClosed |
| 2331 | SSL_clear(ssl); |
| 2332 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2333 | return 0; |
| 2334 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2335 | if (selectResult == -1) { |
| 2336 | throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_SYSCALL, "handshake error"); |
| 2337 | SSL_clear(ssl); |
| 2338 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2339 | return 0; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2340 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2341 | if (selectResult == 0) { |
| 2342 | throwSocketTimeoutException(env, "SSL handshake timed out"); |
| 2343 | SSL_clear(ssl); |
| 2344 | freeSslErrorState(); |
| 2345 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2346 | return 0; |
| 2347 | } |
| 2348 | } else { |
| 2349 | // LOGE("Unknown error %d during handshake", error); |
| 2350 | break; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2351 | } |
| 2352 | } |
| 2353 | |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2354 | // clean error. See SSL_do_handshake(3SSL) man page. |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2355 | if (ret == 0) { |
| 2356 | /* |
| 2357 | * The other side closed the socket before the handshake could be |
| 2358 | * completed, but everything is within the bounds of the TLS protocol. |
| 2359 | * We still might want to find out the real reason of the failure. |
| 2360 | */ |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2361 | int sslError = SSL_get_error(ssl, ret); |
| 2362 | if (sslError == SSL_ERROR_NONE || (sslError == SSL_ERROR_SYSCALL && errno == 0)) { |
| 2363 | throwSSLExceptionStr(env, "Connection closed by peer"); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2364 | } else { |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2365 | throwSSLExceptionWithSslErrors(env, ssl, sslError, "SSL handshake terminated"); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2366 | } |
| 2367 | SSL_clear(ssl); |
| 2368 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2369 | return 0; |
| 2370 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2371 | |
| 2372 | // unclean error. See SSL_do_handshake(3SSL) man page. |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2373 | if (ret < 0) { |
| 2374 | /* |
| 2375 | * Translate the error and throw exception. We are sure it is an error |
| 2376 | * at this point. |
| 2377 | */ |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2378 | int sslError = SSL_get_error(ssl, ret); |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2379 | throwSSLExceptionWithSslErrors(env, ssl, sslError, "SSL handshake aborted"); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2380 | SSL_clear(ssl); |
| 2381 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => 0", ssl); |
| 2382 | return 0; |
| 2383 | } |
| 2384 | SSL_SESSION* ssl_session = SSL_get1_session(ssl); |
| 2385 | JNI_TRACE("ssl=%p NativeCrypto_SSL_do_handshake => ssl_session=%p", ssl, ssl_session); |
| 2386 | return (jint) ssl_session; |
| 2387 | } |
| 2388 | |
| 2389 | /** |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2390 | * Perform SSL renegotiation |
| 2391 | */ |
| 2392 | static void NativeCrypto_SSL_renegotiate(JNIEnv* env, jclass, jint ssl_address) |
| 2393 | { |
| 2394 | SSL* ssl = to_SSL(env, ssl_address, true); |
| 2395 | JNI_TRACE("ssl=%p NativeCrypto_SSL_renegotiate", ssl); |
| 2396 | if (ssl == NULL) { |
| 2397 | return; |
| 2398 | } |
| 2399 | int result = SSL_renegotiate(ssl); |
| 2400 | if (result != 1) { |
| 2401 | throwSSLExceptionStr(env, "Problem with SSL_renegotiate"); |
| 2402 | return; |
| 2403 | } |
| 2404 | int ret = SSL_do_handshake(ssl); |
| 2405 | if (ret != 1) { |
| 2406 | int sslError = SSL_get_error(ssl, ret); |
| 2407 | throwSSLExceptionWithSslErrors(env, ssl, sslError, |
| 2408 | "Problem with SSL_do_handshake after SSL_renegotiate"); |
| 2409 | |
| 2410 | return; |
| 2411 | } |
| 2412 | JNI_TRACE("ssl=%p NativeCrypto_SSL_renegotiate =>", ssl); |
| 2413 | } |
| 2414 | |
| 2415 | /** |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2416 | * public static native byte[][] SSL_get_certificate(int ssl); |
| 2417 | */ |
| 2418 | static jobjectArray NativeCrypto_SSL_get_certificate(JNIEnv* env, jclass, jint ssl_address) |
| 2419 | { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2420 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2421 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_certificate", ssl); |
| 2422 | if (ssl == NULL) { |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2423 | return NULL; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2424 | } |
| 2425 | X509* certificate = SSL_get_certificate(ssl); |
| 2426 | if (certificate == NULL) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 2427 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_certificate => NULL", ssl); |
| 2428 | return NULL; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2429 | } |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 2430 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 2431 | Unique_sk_X509 chain(sk_X509_new_null()); |
| 2432 | if (chain.get() == NULL) { |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 2433 | jniThrowOutOfMemoryError(env, "Unable to allocate local certificate chain"); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 2434 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_certificate => threw exception", ssl); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 2435 | return NULL; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2436 | } |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 2437 | if (!sk_X509_push(chain.get(), certificate)) { |
| 2438 | jniThrowOutOfMemoryError(env, "Unable to push local certificate"); |
| 2439 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_certificate => NULL", ssl); |
| 2440 | return NULL; |
| 2441 | } |
| 2442 | STACK_OF(X509)* cert_chain = SSL_get_certificate_chain(ssl, certificate); |
| 2443 | for (int i=0; i<sk_X509_num(cert_chain); i++) { |
Brian Carlstrom | 4559b1d | 2010-07-22 16:33:48 -0700 | [diff] [blame] | 2444 | if (!sk_X509_push(chain.get(), sk_X509_value(cert_chain, i))) { |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 2445 | jniThrowOutOfMemoryError(env, "Unable to push local certificate chain"); |
| 2446 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_certificate => NULL", ssl); |
| 2447 | return NULL; |
| 2448 | } |
| 2449 | } |
| 2450 | |
Brian Carlstrom | b5b39e4 | 2010-05-19 15:29:11 -0700 | [diff] [blame] | 2451 | jobjectArray objectArray = getCertificateBytes(env, chain.get()); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2452 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_certificate => %p", ssl, objectArray); |
| 2453 | return objectArray; |
| 2454 | } |
| 2455 | |
Brian Carlstrom | df349b3 | 2010-09-13 22:04:32 -0700 | [diff] [blame] | 2456 | // Fills a byte[][] with the peer certificates in the chain. |
| 2457 | static jobjectArray NativeCrypto_SSL_get_peer_cert_chain(JNIEnv* env, jclass, jint ssl_address) |
| 2458 | { |
| 2459 | SSL* ssl = to_SSL(env, ssl_address, true); |
| 2460 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_peer_cert_chain", ssl); |
| 2461 | if (ssl == NULL) { |
| 2462 | return NULL; |
| 2463 | } |
| 2464 | STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); |
| 2465 | Unique_sk_X509 chain_copy(NULL); |
| 2466 | if (ssl->server) { |
| 2467 | X509* x509 = SSL_get_peer_certificate(ssl); |
| 2468 | if (x509 == NULL) { |
| 2469 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_peer_cert_chain => NULL", ssl); |
| 2470 | return NULL; |
| 2471 | } |
| 2472 | chain_copy.reset(sk_X509_dup(chain)); |
| 2473 | if (chain_copy.get() == NULL) { |
| 2474 | jniThrowOutOfMemoryError(env, "Unable to allocate peer certificate chain"); |
| 2475 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_peer_cert_chain => certificate dup error", ssl); |
| 2476 | return NULL; |
| 2477 | } |
| 2478 | if (!sk_X509_push(chain_copy.get(), x509)) { |
| 2479 | jniThrowOutOfMemoryError(env, "Unable to push server's peer certificate"); |
| 2480 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_peer_cert_chain => certificate push error", ssl); |
| 2481 | return NULL; |
| 2482 | } |
| 2483 | chain = chain_copy.get(); |
| 2484 | } |
| 2485 | jobjectArray objectArray = getCertificateBytes(env, chain); |
| 2486 | JNI_TRACE("ssl=%p NativeCrypto_SSL_get_peer_cert_chain => %p", ssl, objectArray); |
| 2487 | return objectArray; |
| 2488 | } |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2489 | |
| 2490 | /** |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2491 | * Helper function which does the actual reading. The Java layer guarantees that |
| 2492 | * at most one thread will enter this function at any given time. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2493 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2494 | * @param ssl non-null; the SSL context |
| 2495 | * @param buf non-null; buffer to read into |
| 2496 | * @param len length of the buffer, in bytes |
| 2497 | * @param sslReturnCode original SSL return code |
| 2498 | * @param sslErrorCode filled in with the SSL error code in case of error |
| 2499 | * @return number of bytes read on success, -1 if the connection was |
| 2500 | * cleanly shut down, or THROW_EXCEPTION if an exception should be thrown. |
| 2501 | */ |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2502 | static int sslRead(JNIEnv* env, SSL* ssl, jobject fdObject, jobject shc, char* buf, jint len, |
| 2503 | int* sslReturnCode, int* sslErrorCode, int timeout) { |
Brian Carlstrom | 0cbd33d | 2010-11-09 22:01:58 -0800 | [diff] [blame] | 2504 | JNI_TRACE("ssl=%p sslRead buf=%p len=%d", ssl, buf, len); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2505 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2506 | if (len == 0) { |
| 2507 | // Don't bother doing anything in this case. |
| 2508 | return 0; |
| 2509 | } |
| 2510 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2511 | BIO* bio = SSL_get_rbio(ssl); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2512 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 2513 | AppData* appData = toAppData(ssl); |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2514 | if (appData == NULL) { |
| 2515 | return THROW_EXCEPTION; |
| 2516 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2517 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2518 | while (appData->aliveAndKicking) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2519 | errno = 0; |
| 2520 | |
| 2521 | // Lock |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2522 | if (MUTEX_LOCK(appData->mutex) == -1) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2523 | return -1; |
| 2524 | } |
| 2525 | |
| 2526 | unsigned int bytesMoved = BIO_number_read(bio) + BIO_number_written(bio); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2527 | |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2528 | if (!appData->setCallbackState(env, shc, fdObject)) { |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2529 | MUTEX_UNLOCK(appData->mutex); |
| 2530 | return THROWN_SOCKETEXCEPTION; |
| 2531 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2532 | int result = SSL_read(ssl, buf, len); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2533 | appData->clearCallbackState(); |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2534 | int sslError = SSL_ERROR_NONE; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2535 | if (result <= 0) { |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2536 | sslError = SSL_get_error(ssl, result); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2537 | freeSslErrorState(); |
| 2538 | } |
Brian Carlstrom | 0cbd33d | 2010-11-09 22:01:58 -0800 | [diff] [blame] | 2539 | JNI_TRACE("ssl=%p sslRead SSL_read result=%d sslError=%d", ssl, result, sslError); |
| 2540 | #ifdef WITH_JNI_TRACE_DATA |
Brian Carlstrom | 3900e26 | 2010-11-10 10:56:21 -0800 | [diff] [blame^] | 2541 | for (int i = 0; i < result; i+= WITH_JNI_TRACE_DATA_CHUNK_SIZE) { |
| 2542 | int n = std::min(result - i, WITH_JNI_TRACE_DATA_CHUNK_SIZE); |
Brian Carlstrom | 0cbd33d | 2010-11-09 22:01:58 -0800 | [diff] [blame] | 2543 | JNI_TRACE("ssl=%p sslRead data: %d: %*s", ssl, n, n, buf+i); |
| 2544 | } |
| 2545 | #endif |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2546 | |
| 2547 | // If we have been successful in moving data around, check whether it |
| 2548 | // might make sense to wake up other blocked threads, so they can give |
| 2549 | // it a try, too. |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 2550 | if (BIO_number_read(bio) + BIO_number_written(bio) != bytesMoved |
| 2551 | && appData->waitingThreads > 0) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2552 | sslNotify(appData); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2553 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2554 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2555 | // If we are blocked by the underlying socket, tell the world that |
| 2556 | // there will be one more waiting thread now. |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2557 | if (sslError == SSL_ERROR_WANT_READ || sslError == SSL_ERROR_WANT_WRITE) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2558 | appData->waitingThreads++; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2559 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2560 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2561 | // Unlock |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2562 | MUTEX_UNLOCK(appData->mutex); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2563 | |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2564 | switch (sslError) { |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 2565 | // Successfully read at least one byte. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2566 | case SSL_ERROR_NONE: { |
| 2567 | return result; |
| 2568 | } |
| 2569 | |
| 2570 | // Read zero bytes. End of stream reached. |
| 2571 | case SSL_ERROR_ZERO_RETURN: { |
| 2572 | return -1; |
| 2573 | } |
| 2574 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2575 | // Need to wait for availability of underlying layer, then retry. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2576 | case SSL_ERROR_WANT_READ: |
| 2577 | case SSL_ERROR_WANT_WRITE: { |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2578 | int selectResult = sslSelect(env, sslError, fdObject, appData, timeout); |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2579 | if (selectResult == THROWN_SOCKETEXCEPTION) { |
| 2580 | return THROWN_SOCKETEXCEPTION; |
| 2581 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2582 | if (selectResult == -1) { |
| 2583 | *sslReturnCode = -1; |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2584 | *sslErrorCode = sslError; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2585 | return THROW_EXCEPTION; |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2586 | } |
| 2587 | if (selectResult == 0) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2588 | return THROW_SOCKETTIMEOUTEXCEPTION; |
| 2589 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2590 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2591 | break; |
| 2592 | } |
| 2593 | |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 2594 | // A problem occurred during a system call, but this is not |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2595 | // necessarily an error. |
| 2596 | case SSL_ERROR_SYSCALL: { |
| 2597 | // Connection closed without proper shutdown. Tell caller we |
| 2598 | // have reached end-of-stream. |
| 2599 | if (result == 0) { |
| 2600 | return -1; |
| 2601 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2602 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2603 | // System call has been interrupted. Simply retry. |
| 2604 | if (errno == EINTR) { |
| 2605 | break; |
| 2606 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2607 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2608 | // Note that for all other system call errors we fall through |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2609 | // to the default case, which results in an Exception. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2610 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2611 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2612 | // Everything else is basically an error. |
| 2613 | default: { |
| 2614 | *sslReturnCode = result; |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2615 | *sslErrorCode = sslError; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2616 | return THROW_EXCEPTION; |
| 2617 | } |
| 2618 | } |
| 2619 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2620 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2621 | return -1; |
| 2622 | } |
| 2623 | |
| 2624 | /** |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2625 | * OpenSSL read function (1): only one chunk is read (returned as jint). |
| 2626 | */ |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2627 | static jint NativeCrypto_SSL_read_byte(JNIEnv* env, jclass, jint ssl_address, |
| 2628 | jobject fdObject, jobject shc, jint timeout) |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2629 | { |
| 2630 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2631 | JNI_TRACE("ssl=%p NativeCrypto_SSL_read_byte fd=%p shc=%p timeout=%d", |
| 2632 | ssl, fdObject, shc, timeout); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2633 | if (ssl == NULL) { |
| 2634 | return 0; |
| 2635 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2636 | if (fdObject == NULL) { |
| 2637 | jniThrowNullPointerException(env, "fd == null"); |
| 2638 | JNI_TRACE("ssl=%p NativeCrypto_SSL_read_byte => 0", ssl); |
| 2639 | return 0; |
| 2640 | } |
| 2641 | if (shc == NULL) { |
| 2642 | jniThrowNullPointerException(env, "sslHandshakeCallbacks == null"); |
| 2643 | JNI_TRACE("ssl=%p NativeCrypto_SSL_read_byte => 0", ssl); |
| 2644 | return 0; |
| 2645 | } |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2646 | |
| 2647 | unsigned char byteRead; |
| 2648 | int returnCode = 0; |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2649 | int sslErrorCode = SSL_ERROR_NONE; |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2650 | |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2651 | int ret = sslRead(env, ssl, fdObject, shc, reinterpret_cast<char*>(&byteRead), 1, |
Brian Carlstrom | 4559b1d | 2010-07-22 16:33:48 -0700 | [diff] [blame] | 2652 | &returnCode, &sslErrorCode, timeout); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2653 | |
| 2654 | int result; |
| 2655 | switch (ret) { |
| 2656 | case THROW_EXCEPTION: |
| 2657 | // See sslRead() regarding improper failure to handle normal cases. |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2658 | throwSSLExceptionWithSslErrors(env, ssl, sslErrorCode, "Read error"); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2659 | result = -1; |
| 2660 | break; |
| 2661 | case THROW_SOCKETTIMEOUTEXCEPTION: |
| 2662 | throwSocketTimeoutException(env, "Read timed out"); |
| 2663 | result = -1; |
| 2664 | break; |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2665 | case THROWN_SOCKETEXCEPTION: |
| 2666 | // SocketException thrown by NetFd.isClosed |
| 2667 | result = -1; |
| 2668 | break; |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2669 | case -1: |
| 2670 | // Propagate EOF upwards. |
| 2671 | result = -1; |
| 2672 | break; |
| 2673 | default: |
| 2674 | // Return the actual char read, make sure it stays 8 bits wide. |
| 2675 | result = ((jint) byteRead) & 0xFF; |
| 2676 | break; |
| 2677 | } |
| 2678 | JNI_TRACE("ssl=%p NativeCrypto_SSL_read_byte => %d", ssl, result); |
| 2679 | return result; |
| 2680 | } |
| 2681 | |
| 2682 | /** |
| 2683 | * OpenSSL read function (2): read into buffer at offset n chunks. |
| 2684 | * Returns 1 (success) or value <= 0 (failure). |
| 2685 | */ |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2686 | static jint NativeCrypto_SSL_read(JNIEnv* env, jclass, jint ssl_address, jobject fdObject, |
| 2687 | jobject shc, jbyteArray b, jint offset, jint len, jint timeout) |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2688 | { |
| 2689 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2690 | JNI_TRACE("ssl=%p NativeCrypto_SSL_read fd=%p shc=%p b=%p offset=%d len=%d timeout=%d", |
| 2691 | ssl, fdObject, shc, b, offset, len, timeout); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2692 | if (ssl == NULL) { |
| 2693 | return 0; |
| 2694 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2695 | if (fdObject == NULL) { |
| 2696 | jniThrowNullPointerException(env, "fd == null"); |
| 2697 | JNI_TRACE("ssl=%p NativeCrypto_SSL_read => fd == null", ssl); |
| 2698 | return 0; |
| 2699 | } |
| 2700 | if (shc == NULL) { |
| 2701 | jniThrowNullPointerException(env, "sslHandshakeCallbacks == null"); |
| 2702 | JNI_TRACE("ssl=%p NativeCrypto_SSL_read => sslHandshakeCallbacks == null", ssl); |
| 2703 | return 0; |
| 2704 | } |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2705 | |
Elliott Hughes | ccbe340 | 2010-07-09 16:39:48 -0700 | [diff] [blame] | 2706 | ScopedByteArrayRW bytes(env, b); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 2707 | if (bytes.get() == NULL) { |
| 2708 | JNI_TRACE("ssl=%p NativeCrypto_SSL_read => threw exception", ssl); |
| 2709 | return 0; |
| 2710 | } |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2711 | int returnCode = 0; |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2712 | int sslErrorCode = SSL_ERROR_NONE;; |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2713 | |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2714 | int ret = sslRead(env, ssl, fdObject, shc, reinterpret_cast<char*>(bytes.get() + offset), len, |
Brian Carlstrom | f7b8b35 | 2010-05-21 15:45:11 -0700 | [diff] [blame] | 2715 | &returnCode, &sslErrorCode, timeout); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2716 | |
| 2717 | int result; |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2718 | switch (ret) { |
| 2719 | case THROW_EXCEPTION: |
| 2720 | // See sslRead() regarding improper failure to handle normal cases. |
| 2721 | throwSSLExceptionWithSslErrors(env, ssl, sslErrorCode, "Read error"); |
| 2722 | result = -1; |
| 2723 | break; |
| 2724 | case THROW_SOCKETTIMEOUTEXCEPTION: |
| 2725 | throwSocketTimeoutException(env, "Read timed out"); |
| 2726 | result = -1; |
| 2727 | break; |
| 2728 | case THROWN_SOCKETEXCEPTION: |
| 2729 | // SocketException thrown by NetFd.isClosed |
| 2730 | result = -1; |
| 2731 | break; |
| 2732 | default: |
| 2733 | result = ret; |
| 2734 | break; |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2735 | } |
| 2736 | |
| 2737 | JNI_TRACE("ssl=%p NativeCrypto_SSL_read => %d", ssl, result); |
| 2738 | return result; |
| 2739 | } |
| 2740 | |
| 2741 | /** |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2742 | * Helper function which does the actual writing. The Java layer guarantees that |
| 2743 | * at most one thread will enter this function at any given time. |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2744 | * |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2745 | * @param ssl non-null; the SSL context |
| 2746 | * @param buf non-null; buffer to write |
| 2747 | * @param len length of the buffer, in bytes |
| 2748 | * @param sslReturnCode original SSL return code |
| 2749 | * @param sslErrorCode filled in with the SSL error code in case of error |
| 2750 | * @return number of bytes read on success, -1 if the connection was |
| 2751 | * cleanly shut down, or THROW_EXCEPTION if an exception should be thrown. |
| 2752 | */ |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2753 | static int sslWrite(JNIEnv* env, SSL* ssl, jobject fdObject, jobject shc, const char* buf, jint len, |
| 2754 | int* sslReturnCode, int* sslErrorCode) { |
Brian Carlstrom | 0cbd33d | 2010-11-09 22:01:58 -0800 | [diff] [blame] | 2755 | JNI_TRACE("ssl=%p sslWrite buf=%p len=%d", ssl, buf, len); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2756 | |
| 2757 | if (len == 0) { |
| 2758 | // Don't bother doing anything in this case. |
| 2759 | return 0; |
| 2760 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2761 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2762 | BIO* bio = SSL_get_wbio(ssl); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2763 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 2764 | AppData* appData = toAppData(ssl); |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2765 | if (appData == NULL) { |
| 2766 | return THROW_EXCEPTION; |
| 2767 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2768 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2769 | int count = len; |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2770 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2771 | while (appData->aliveAndKicking && len > 0) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2772 | errno = 0; |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2773 | if (MUTEX_LOCK(appData->mutex) == -1) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2774 | return -1; |
| 2775 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2776 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2777 | unsigned int bytesMoved = BIO_number_read(bio) + BIO_number_written(bio); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2778 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2779 | // LOGD("Doing SSL_write() with %d bytes to go", len); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2780 | if (!appData->setCallbackState(env, shc, fdObject)) { |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2781 | MUTEX_UNLOCK(appData->mutex); |
| 2782 | return THROWN_SOCKETEXCEPTION; |
| 2783 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2784 | int result = SSL_write(ssl, buf, len); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2785 | appData->clearCallbackState(); |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2786 | int sslError = SSL_ERROR_NONE; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2787 | if (result <= 0) { |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2788 | sslError = SSL_get_error(ssl, result); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2789 | freeSslErrorState(); |
| 2790 | } |
Brian Carlstrom | 0cbd33d | 2010-11-09 22:01:58 -0800 | [diff] [blame] | 2791 | JNI_TRACE("ssl=%p sslWrite SSL_write result=%d sslError=%d", ssl, result, sslError); |
| 2792 | #ifdef WITH_JNI_TRACE_DATA |
Brian Carlstrom | 3900e26 | 2010-11-10 10:56:21 -0800 | [diff] [blame^] | 2793 | for (int i = 0; i < result; i+= WITH_JNI_TRACE_DATA_CHUNK_SIZE) { |
| 2794 | int n = std::min(result - i, WITH_JNI_TRACE_DATA_CHUNK_SIZE); |
Brian Carlstrom | 0cbd33d | 2010-11-09 22:01:58 -0800 | [diff] [blame] | 2795 | JNI_TRACE("ssl=%p sslWrite data: %d: %*s", ssl, n, n, buf+i); |
| 2796 | } |
| 2797 | #endif |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2798 | |
| 2799 | // If we have been successful in moving data around, check whether it |
| 2800 | // might make sense to wake up other blocked threads, so they can give |
| 2801 | // it a try, too. |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 2802 | if (BIO_number_read(bio) + BIO_number_written(bio) != bytesMoved |
| 2803 | && appData->waitingThreads > 0) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2804 | sslNotify(appData); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2805 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2806 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2807 | // If we are blocked by the underlying socket, tell the world that |
| 2808 | // there will be one more waiting thread now. |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2809 | if (sslError == SSL_ERROR_WANT_READ || sslError == SSL_ERROR_WANT_WRITE) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2810 | appData->waitingThreads++; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2811 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2812 | |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2813 | MUTEX_UNLOCK(appData->mutex); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2814 | |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2815 | switch (sslError) { |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 2816 | // Successfully write at least one byte. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2817 | case SSL_ERROR_NONE: { |
| 2818 | buf += result; |
| 2819 | len -= result; |
| 2820 | break; |
| 2821 | } |
| 2822 | |
| 2823 | // Wrote zero bytes. End of stream reached. |
| 2824 | case SSL_ERROR_ZERO_RETURN: { |
| 2825 | return -1; |
| 2826 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2827 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2828 | // Need to wait for availability of underlying layer, then retry. |
| 2829 | // The concept of a write timeout doesn't really make sense, and |
| 2830 | // it's also not standard Java behavior, so we wait forever here. |
| 2831 | case SSL_ERROR_WANT_READ: |
| 2832 | case SSL_ERROR_WANT_WRITE: { |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2833 | int selectResult = sslSelect(env, sslError, fdObject, appData, 0); |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2834 | if (selectResult == THROWN_SOCKETEXCEPTION) { |
| 2835 | return THROWN_SOCKETEXCEPTION; |
| 2836 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2837 | if (selectResult == -1) { |
| 2838 | *sslReturnCode = -1; |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2839 | *sslErrorCode = sslError; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2840 | return THROW_EXCEPTION; |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 2841 | } |
| 2842 | if (selectResult == 0) { |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2843 | return THROW_SOCKETTIMEOUTEXCEPTION; |
| 2844 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2845 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2846 | break; |
| 2847 | } |
| 2848 | |
Elliott Hughes | 3b0a5b9 | 2010-07-22 15:06:54 -0700 | [diff] [blame] | 2849 | // An problem occurred during a system call, but this is not |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2850 | // necessarily an error. |
| 2851 | case SSL_ERROR_SYSCALL: { |
| 2852 | // Connection closed without proper shutdown. Tell caller we |
| 2853 | // have reached end-of-stream. |
| 2854 | if (result == 0) { |
| 2855 | return -1; |
| 2856 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2857 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2858 | // System call has been interrupted. Simply retry. |
| 2859 | if (errno == EINTR) { |
| 2860 | break; |
| 2861 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2862 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2863 | // Note that for all other system call errors we fall through |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2864 | // to the default case, which results in an Exception. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2865 | } |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2866 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2867 | // Everything else is basically an error. |
| 2868 | default: { |
| 2869 | *sslReturnCode = result; |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2870 | *sslErrorCode = sslError; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2871 | return THROW_EXCEPTION; |
| 2872 | } |
| 2873 | } |
| 2874 | } |
Brian Carlstrom | 0cbd33d | 2010-11-09 22:01:58 -0800 | [diff] [blame] | 2875 | JNI_TRACE("ssl=%p sslWrite => count=%d", ssl, count); |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2876 | |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2877 | return count; |
| 2878 | } |
| 2879 | |
| 2880 | /** |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2881 | * OpenSSL write function (1): only one chunk is written. |
| 2882 | */ |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2883 | static void NativeCrypto_SSL_write_byte(JNIEnv* env, jclass, jint ssl_address, |
| 2884 | jobject fdObject, jobject shc, jint b) |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2885 | { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2886 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2887 | JNI_TRACE("ssl=%p NativeCrypto_SSL_write_byte fd=%p shc=%p b=%d", ssl, fdObject, shc, b); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2888 | if (ssl == NULL) { |
| 2889 | return; |
| 2890 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2891 | if (fdObject == NULL) { |
| 2892 | jniThrowNullPointerException(env, "fd == null"); |
| 2893 | JNI_TRACE("ssl=%p NativeCrypto_SSL_write_byte => fd == null", ssl); |
| 2894 | return; |
| 2895 | } |
| 2896 | if (shc == NULL) { |
| 2897 | jniThrowNullPointerException(env, "sslHandshakeCallbacks == null"); |
| 2898 | JNI_TRACE("ssl=%p NativeCrypto_SSL_write_byte => sslHandshakeCallbacks == null", ssl); |
| 2899 | return; |
| 2900 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2901 | |
| 2902 | int returnCode = 0; |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2903 | int sslErrorCode = SSL_ERROR_NONE; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2904 | char buf[1] = { (char) b }; |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2905 | int ret = sslWrite(env, ssl, fdObject, shc, buf, 1, &returnCode, &sslErrorCode); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2906 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2907 | switch (ret) { |
| 2908 | case THROW_EXCEPTION: |
| 2909 | // See sslWrite() regarding improper failure to handle normal cases. |
| 2910 | throwSSLExceptionWithSslErrors(env, ssl, sslErrorCode, "Write error"); |
| 2911 | break; |
| 2912 | case THROW_SOCKETTIMEOUTEXCEPTION: |
| 2913 | throwSocketTimeoutException(env, "Write timed out"); |
| 2914 | break; |
| 2915 | case THROWN_SOCKETEXCEPTION: |
| 2916 | // SocketException thrown by NetFd.isClosed |
| 2917 | break; |
| 2918 | default: |
| 2919 | break; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2920 | } |
| 2921 | } |
| 2922 | |
| 2923 | /** |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2924 | * OpenSSL write function (2): write into buffer at offset n chunks. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2925 | */ |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2926 | static void NativeCrypto_SSL_write(JNIEnv* env, jclass, jint ssl_address, jobject fdObject, |
| 2927 | jobject shc, jbyteArray b, jint offset, jint len) |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2928 | { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2929 | SSL* ssl = to_SSL(env, ssl_address, true); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2930 | JNI_TRACE("ssl=%p NativeCrypto_SSL_write fd=%p shc=%p b=%p offset=%d len=%d", |
| 2931 | ssl, fdObject, shc, b, offset, len); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2932 | if (ssl == NULL) { |
| 2933 | return; |
| 2934 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2935 | if (fdObject == NULL) { |
| 2936 | jniThrowNullPointerException(env, "fd == null"); |
| 2937 | JNI_TRACE("ssl=%p NativeCrypto_SSL_write => fd == null", ssl); |
| 2938 | return; |
| 2939 | } |
| 2940 | if (shc == NULL) { |
| 2941 | jniThrowNullPointerException(env, "sslHandshakeCallbacks == null"); |
| 2942 | JNI_TRACE("ssl=%p NativeCrypto_SSL_write => sslHandshakeCallbacks == null", ssl); |
| 2943 | return; |
| 2944 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2945 | |
Elliott Hughes | ccbe340 | 2010-07-09 16:39:48 -0700 | [diff] [blame] | 2946 | ScopedByteArrayRO bytes(env, b); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 2947 | if (bytes.get() == NULL) { |
| 2948 | JNI_TRACE("ssl=%p NativeCrypto_SSL_write => threw exception", ssl); |
| 2949 | return; |
| 2950 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2951 | int returnCode = 0; |
Brian Carlstrom | f3f7cc7 | 2010-05-19 11:06:59 -0700 | [diff] [blame] | 2952 | int sslErrorCode = SSL_ERROR_NONE; |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 2953 | int ret = sslWrite(env, ssl, fdObject, shc, reinterpret_cast<const char*>(bytes.get() + offset), |
| 2954 | len, &returnCode, &sslErrorCode); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2955 | |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 2956 | switch (ret) { |
| 2957 | case THROW_EXCEPTION: |
| 2958 | // See sslWrite() regarding improper failure to handle normal cases. |
| 2959 | throwSSLExceptionWithSslErrors(env, ssl, sslErrorCode, "Write error"); |
| 2960 | break; |
| 2961 | case THROW_SOCKETTIMEOUTEXCEPTION: |
| 2962 | throwSocketTimeoutException(env, "Write timed out"); |
| 2963 | break; |
| 2964 | case THROWN_SOCKETEXCEPTION: |
| 2965 | // SocketException thrown by NetFd.isClosed |
| 2966 | break; |
| 2967 | default: |
| 2968 | break; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2969 | } |
| 2970 | } |
| 2971 | |
| 2972 | /** |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2973 | * Interrupt any pending IO before closing the socket. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2974 | */ |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2975 | static void NativeCrypto_SSL_interrupt( |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2976 | JNIEnv* env, jclass, jint ssl_address) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 2977 | SSL* ssl = to_SSL(env, ssl_address, false); |
| 2978 | JNI_TRACE("ssl=%p NativeCrypto_SSL_interrupt", ssl); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2979 | if (ssl == NULL) { |
| 2980 | return; |
| 2981 | } |
| 2982 | |
| 2983 | /* |
| 2984 | * Mark the connection as quasi-dead, then send something to the emergency |
| 2985 | * file descriptor, so any blocking select() calls are woken up. |
| 2986 | */ |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 2987 | AppData* appData = toAppData(ssl); |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2988 | if (appData != NULL) { |
| 2989 | appData->aliveAndKicking = 0; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2990 | |
| 2991 | // At most two threads can be waiting. |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 2992 | sslNotify(appData); |
| 2993 | sslNotify(appData); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2994 | } |
| 2995 | } |
| 2996 | |
| 2997 | /** |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 2998 | * OpenSSL close SSL socket function. |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 2999 | */ |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3000 | static void NativeCrypto_SSL_shutdown(JNIEnv* env, jclass, jint ssl_address, |
| 3001 | jobject fdObject, jobject shc) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3002 | SSL* ssl = to_SSL(env, ssl_address, false); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3003 | JNI_TRACE("ssl=%p NativeCrypto_SSL_shutdown fd=%p shc=%p", ssl, fdObject, shc); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 3004 | if (ssl == NULL) { |
| 3005 | return; |
| 3006 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3007 | if (fdObject == NULL) { |
| 3008 | jniThrowNullPointerException(env, "fd == null"); |
| 3009 | JNI_TRACE("ssl=%p NativeCrypto_SSL_shutdown => fd == null", ssl); |
| 3010 | return; |
| 3011 | } |
| 3012 | if (shc == NULL) { |
| 3013 | jniThrowNullPointerException(env, "sslHandshakeCallbacks == null"); |
| 3014 | JNI_TRACE("ssl=%p NativeCrypto_SSL_shutdown => sslHandshakeCallbacks == null", ssl); |
| 3015 | return; |
| 3016 | } |
| 3017 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 3018 | AppData* appData = toAppData(ssl); |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 3019 | if (appData != NULL) { |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3020 | if (!appData->setCallbackState(env, shc, fdObject)) { |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 3021 | // SocketException thrown by NetFd.isClosed |
| 3022 | SSL_clear(ssl); |
| 3023 | freeSslErrorState(); |
| 3024 | return; |
| 3025 | } |
| 3026 | |
| 3027 | /* |
| 3028 | * Try to make socket blocking again. OpenSSL literature recommends this. |
| 3029 | */ |
| 3030 | int fd = SSL_get_fd(ssl); |
| 3031 | JNI_TRACE("ssl=%p NativeCrypto_SSL_shutdown s=%d", ssl, fd); |
| 3032 | if (fd != -1) { |
| 3033 | setBlocking(fd, true); |
| 3034 | } |
| 3035 | |
| 3036 | int ret = SSL_shutdown(ssl); |
| 3037 | switch (ret) { |
| 3038 | case 0: |
| 3039 | /* |
| 3040 | * Shutdown was not successful (yet), but there also |
| 3041 | * is no error. Since we can't know whether the remote |
| 3042 | * server is actually still there, and we don't want to |
| 3043 | * get stuck forever in a second SSL_shutdown() call, we |
| 3044 | * simply return. This is not security a problem as long |
| 3045 | * as we close the underlying socket, which we actually |
| 3046 | * do, because that's where we are just coming from. |
| 3047 | */ |
| 3048 | break; |
| 3049 | case 1: |
| 3050 | /* |
| 3051 | * Shutdown was successful. We can safely return. Hooray! |
| 3052 | */ |
| 3053 | break; |
| 3054 | default: |
| 3055 | /* |
| 3056 | * Everything else is a real error condition. We should |
| 3057 | * let the Java layer know about this by throwing an |
| 3058 | * exception. |
| 3059 | */ |
| 3060 | int sslError = SSL_get_error(ssl, ret); |
| 3061 | throwSSLExceptionWithSslErrors(env, ssl, sslError, "SSL shutdown failed"); |
| 3062 | break; |
| 3063 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3064 | appData->clearCallbackState(); |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 3065 | } |
Brian Carlstrom | 84f1612 | 2010-09-21 02:09:29 -0700 | [diff] [blame] | 3066 | |
Brian Carlstrom | ecaf759 | 2010-03-02 16:55:35 -0800 | [diff] [blame] | 3067 | SSL_clear(ssl); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 3068 | freeSslErrorState(); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 3069 | } |
| 3070 | |
| 3071 | /** |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3072 | * public static native void SSL_free(int ssl); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 3073 | */ |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3074 | static void NativeCrypto_SSL_free(JNIEnv* env, jclass, jint ssl_address) |
| 3075 | { |
| 3076 | SSL* ssl = to_SSL(env, ssl_address, true); |
| 3077 | JNI_TRACE("ssl=%p NativeCrypto_SSL_free", ssl); |
| 3078 | if (ssl == NULL) { |
Brian Carlstrom | 3534c7c | 2010-05-14 21:49:34 -0700 | [diff] [blame] | 3079 | return; |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 3080 | } |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3081 | |
Elliott Hughes | 583ce47 | 2010-07-22 10:23:42 -0700 | [diff] [blame] | 3082 | AppData* appData = toAppData(ssl); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3083 | SSL_set_app_data(ssl, NULL); |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3084 | delete appData; |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3085 | SSL_free(ssl); |
| 3086 | } |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 3087 | |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3088 | /** |
| 3089 | * Gets and returns in a byte array the ID of the actual SSL session. |
| 3090 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3091 | static jbyteArray NativeCrypto_SSL_SESSION_session_id(JNIEnv* env, jclass, |
| 3092 | jint ssl_session_address) { |
| 3093 | SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, true); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3094 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_session_id", ssl_session); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3095 | if (ssl_session == NULL) { |
| 3096 | return NULL; |
| 3097 | } |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3098 | jbyteArray result = env->NewByteArray(ssl_session->session_id_length); |
| 3099 | if (result != NULL) { |
| 3100 | jbyte* src = reinterpret_cast<jbyte*>(ssl_session->session_id); |
| 3101 | env->SetByteArrayRegion(result, 0, ssl_session->session_id_length, src); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 3102 | } |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3103 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_session_id => %p session_id_length=%d", |
| 3104 | ssl_session, result, ssl_session->session_id_length); |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 3105 | return result; |
| 3106 | } |
| 3107 | |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3108 | /** |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3109 | * Gets and returns in a long integer the creation's time of the |
| 3110 | * actual SSL session. |
| 3111 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3112 | static jlong NativeCrypto_SSL_SESSION_get_time(JNIEnv* env, jclass, jint ssl_session_address) { |
| 3113 | SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, true); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3114 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_get_time", ssl_session); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3115 | if (ssl_session == NULL) { |
| 3116 | return 0; |
| 3117 | } |
| 3118 | // result must be jlong, not long or *1000 will overflow |
| 3119 | jlong result = SSL_SESSION_get_time(ssl_session); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3120 | result *= 1000; // OpenSSL uses seconds, Java uses milliseconds. |
| 3121 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_get_time => %lld", ssl_session, result); |
| 3122 | return result; |
| 3123 | } |
| 3124 | |
| 3125 | /** |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3126 | * Gets and returns in a string the version of the SSL protocol. If it |
| 3127 | * returns the string "unknown" it means that no connection is established. |
| 3128 | */ |
| 3129 | static jstring NativeCrypto_SSL_SESSION_get_version(JNIEnv* env, jclass, jint ssl_session_address) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3130 | SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, true); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3131 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_get_version", ssl_session); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3132 | if (ssl_session == NULL) { |
| 3133 | return NULL; |
| 3134 | } |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3135 | const char* protocol = SSL_SESSION_get_version(ssl_session); |
| 3136 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_get_version => %s", ssl_session, protocol); |
| 3137 | return env->NewStringUTF(protocol); |
| 3138 | } |
| 3139 | |
| 3140 | /** |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3141 | * Gets and returns in a string the cipher negotiated for the SSL session. |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3142 | */ |
| 3143 | static jstring NativeCrypto_SSL_SESSION_cipher(JNIEnv* env, jclass, jint ssl_session_address) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3144 | SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, true); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3145 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_cipher", ssl_session); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3146 | if (ssl_session == NULL) { |
| 3147 | return NULL; |
| 3148 | } |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3149 | const SSL_CIPHER* cipher = ssl_session->cipher; |
| 3150 | const char* name = SSL_CIPHER_get_name(cipher); |
| 3151 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_cipher => %s", ssl_session, name); |
| 3152 | return env->NewStringUTF(name); |
| 3153 | } |
| 3154 | |
| 3155 | /** |
Brian Carlstrom | 4559b1d | 2010-07-22 16:33:48 -0700 | [diff] [blame] | 3156 | * Gets and returns in a string the compression method negotiated for the SSL session. |
| 3157 | */ |
| 3158 | static jstring NativeCrypto_SSL_SESSION_compress_meth(JNIEnv* env, jclass, |
| 3159 | jint ssl_ctx_address, |
| 3160 | jint ssl_session_address) { |
| 3161 | SSL_CTX* ssl_ctx = to_SSL_CTX(env, ssl_ctx_address, true); |
| 3162 | SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, true); |
| 3163 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_compress_meth ssl_ctx=%p", |
| 3164 | ssl_session, ssl_ctx); |
| 3165 | if (ssl_ctx == NULL || ssl_session == NULL) { |
| 3166 | return NULL; |
| 3167 | } |
| 3168 | |
| 3169 | int compress_meth = ssl_session->compress_meth; |
| 3170 | if (compress_meth == 0) { |
| 3171 | const char* name = "NULL"; |
| 3172 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_compress_meth => %s", ssl_session, name); |
| 3173 | return env->NewStringUTF(name); |
| 3174 | } |
| 3175 | |
| 3176 | int num_comp_methods = sk_SSL_COMP_num(ssl_ctx->comp_methods); |
| 3177 | for (int i = 0; i < num_comp_methods; i++) { |
| 3178 | SSL_COMP* comp = sk_SSL_COMP_value(ssl_ctx->comp_methods, i); |
| 3179 | if (comp->id != compress_meth) { |
| 3180 | continue; |
| 3181 | } |
| 3182 | const char* name = ((comp->method && comp->method->type == NID_zlib_compression) |
| 3183 | ? SN_zlib_compression |
| 3184 | : (comp->name ? comp->name : "UNKNOWN")); |
| 3185 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_compress_meth => %s", ssl_session, name); |
| 3186 | return env->NewStringUTF(name); |
| 3187 | } |
| 3188 | throwSSLExceptionStr(env, "Unknown compression method"); |
| 3189 | return NULL; |
| 3190 | } |
| 3191 | |
| 3192 | /** |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3193 | * Frees the SSL session. |
| 3194 | */ |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3195 | static void NativeCrypto_SSL_SESSION_free(JNIEnv* env, jclass, jint ssl_session_address) { |
| 3196 | SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, true); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3197 | JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_free", ssl_session); |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3198 | if (ssl_session == NULL) { |
| 3199 | return; |
| 3200 | } |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3201 | SSL_SESSION_free(ssl_session); |
| 3202 | } |
| 3203 | |
| 3204 | |
| 3205 | /** |
| 3206 | * Serializes the native state of the session (ID, cipher, and keys but |
| 3207 | * not certificates). Returns a byte[] containing the DER-encoded state. |
| 3208 | * See apache mod_ssl. |
| 3209 | */ |
| 3210 | static jbyteArray NativeCrypto_i2d_SSL_SESSION(JNIEnv* env, jclass, jint ssl_session_address) { |
Brian Carlstrom | 6df6339 | 2010-05-18 11:33:13 -0700 | [diff] [blame] | 3211 | SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, true); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3212 | JNI_TRACE("ssl_session=%p NativeCrypto_i2d_SSL_SESSION", ssl_session); |
| 3213 | if (ssl_session == NULL) { |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3214 | return NULL; |
| 3215 | } |
| 3216 | |
| 3217 | // Compute the size of the DER data |
| 3218 | int size = i2d_SSL_SESSION(ssl_session, NULL); |
| 3219 | if (size == 0) { |
| 3220 | JNI_TRACE("ssl_session=%p NativeCrypto_i2d_SSL_SESSION => NULL", ssl_session); |
| 3221 | return NULL; |
| 3222 | } |
| 3223 | |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 3224 | jbyteArray javaBytes = env->NewByteArray(size); |
| 3225 | if (javaBytes != NULL) { |
| 3226 | ScopedByteArrayRW bytes(env, javaBytes); |
| 3227 | if (bytes.get() == NULL) { |
Brian Carlstrom | 059dbc0 | 2010-07-08 14:44:44 -0700 | [diff] [blame] | 3228 | JNI_TRACE("ssl_session=%p NativeCrypto_i2d_SSL_SESSION => threw exception", |
| 3229 | ssl_session); |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 3230 | return NULL; |
| 3231 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 3232 | unsigned char* ucp = reinterpret_cast<unsigned char*>(bytes.get()); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3233 | i2d_SSL_SESSION(ssl_session, &ucp); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3234 | } |
| 3235 | |
| 3236 | JNI_TRACE("ssl_session=%p NativeCrypto_i2d_SSL_SESSION => size=%d", ssl_session, size); |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 3237 | return javaBytes; |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3238 | } |
| 3239 | |
| 3240 | /** |
| 3241 | * Deserialize the session. |
| 3242 | */ |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 3243 | static jint NativeCrypto_d2i_SSL_SESSION(JNIEnv* env, jclass, jbyteArray javaBytes) { |
| 3244 | JNI_TRACE("NativeCrypto_d2i_SSL_SESSION bytes=%p", javaBytes); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3245 | |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 3246 | ScopedByteArrayRO bytes(env, javaBytes); |
| 3247 | if (bytes.get() == NULL) { |
Elliott Hughes | 6410112 | 2010-07-12 09:53:54 -0700 | [diff] [blame] | 3248 | JNI_TRACE("NativeCrypto_d2i_SSL_SESSION => threw exception"); |
| 3249 | return 0; |
| 3250 | } |
Brian Carlstrom | ef628d1 | 2010-07-19 13:52:03 -0700 | [diff] [blame] | 3251 | const unsigned char* ucp = reinterpret_cast<const unsigned char*>(bytes.get()); |
| 3252 | SSL_SESSION* ssl_session = d2i_SSL_SESSION(NULL, &ucp, bytes.size()); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3253 | |
| 3254 | JNI_TRACE("NativeCrypto_d2i_SSL_SESSION => %p", ssl_session); |
| 3255 | return static_cast<jint>(reinterpret_cast<uintptr_t>(ssl_session)); |
| 3256 | } |
| 3257 | |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3258 | #define FILE_DESCRIPTOR "Ljava/io/FileDescriptor;" |
| 3259 | #define SSL_CALLBACKS "Lorg/apache/harmony/xnet/provider/jsse/NativeCrypto$SSLHandshakeCallbacks;" |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3260 | static JNINativeMethod sNativeCryptoMethods[] = { |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 3261 | NATIVE_METHOD(NativeCrypto, clinit, "()V"), |
| 3262 | NATIVE_METHOD(NativeCrypto, EVP_PKEY_new_DSA, "([B[B[B[B[B)I"), |
| 3263 | NATIVE_METHOD(NativeCrypto, EVP_PKEY_new_RSA, "([B[B[B[B[B)I"), |
| 3264 | NATIVE_METHOD(NativeCrypto, EVP_PKEY_free, "(I)V"), |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 3265 | NATIVE_METHOD(NativeCrypto, EVP_MD_CTX_create, "()I"), |
| 3266 | NATIVE_METHOD(NativeCrypto, EVP_MD_CTX_destroy, "(I)V"), |
| 3267 | NATIVE_METHOD(NativeCrypto, EVP_MD_CTX_copy, "(I)I"), |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 3268 | NATIVE_METHOD(NativeCrypto, EVP_DigestFinal, "(I[BI)I"), |
| 3269 | NATIVE_METHOD(NativeCrypto, EVP_DigestInit, "(ILjava/lang/String;)V"), |
Brian Carlstrom | a3de55d | 2010-09-16 01:32:17 -0700 | [diff] [blame] | 3270 | NATIVE_METHOD(NativeCrypto, EVP_MD_CTX_block_size, "(I)I"), |
| 3271 | NATIVE_METHOD(NativeCrypto, EVP_MD_CTX_size, "(I)I"), |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 3272 | NATIVE_METHOD(NativeCrypto, EVP_DigestUpdate, "(I[BII)V"), |
| 3273 | NATIVE_METHOD(NativeCrypto, EVP_VerifyInit, "(ILjava/lang/String;)V"), |
| 3274 | NATIVE_METHOD(NativeCrypto, EVP_VerifyUpdate, "(I[BII)V"), |
| 3275 | NATIVE_METHOD(NativeCrypto, EVP_VerifyFinal, "(I[BIII)I"), |
| 3276 | NATIVE_METHOD(NativeCrypto, verifySignature, "([B[BLjava/lang/String;[B[B)I"), |
| 3277 | NATIVE_METHOD(NativeCrypto, RAND_seed, "([B)V"), |
| 3278 | NATIVE_METHOD(NativeCrypto, RAND_load_file, "(Ljava/lang/String;J)I"), |
| 3279 | NATIVE_METHOD(NativeCrypto, SSL_CTX_new, "()I"), |
| 3280 | NATIVE_METHOD(NativeCrypto, SSL_CTX_free, "(I)V"), |
| 3281 | NATIVE_METHOD(NativeCrypto, SSL_new, "(I)I"), |
| 3282 | NATIVE_METHOD(NativeCrypto, SSL_use_PrivateKey, "(I[B)V"), |
| 3283 | NATIVE_METHOD(NativeCrypto, SSL_use_certificate, "(I[[B)V"), |
| 3284 | NATIVE_METHOD(NativeCrypto, SSL_check_private_key, "(I)V"), |
| 3285 | NATIVE_METHOD(NativeCrypto, SSL_set_client_CA_list, "(I[[B)V"), |
| 3286 | NATIVE_METHOD(NativeCrypto, SSL_get_mode, "(I)J"), |
| 3287 | NATIVE_METHOD(NativeCrypto, SSL_set_mode, "(IJ)J"), |
| 3288 | NATIVE_METHOD(NativeCrypto, SSL_clear_mode, "(IJ)J"), |
| 3289 | NATIVE_METHOD(NativeCrypto, SSL_get_options, "(I)J"), |
| 3290 | NATIVE_METHOD(NativeCrypto, SSL_set_options, "(IJ)J"), |
| 3291 | NATIVE_METHOD(NativeCrypto, SSL_clear_options, "(IJ)J"), |
| 3292 | NATIVE_METHOD(NativeCrypto, SSL_set_cipher_lists, "(I[Ljava/lang/String;)V"), |
| 3293 | NATIVE_METHOD(NativeCrypto, SSL_set_verify, "(II)V"), |
| 3294 | NATIVE_METHOD(NativeCrypto, SSL_set_session, "(II)V"), |
| 3295 | NATIVE_METHOD(NativeCrypto, SSL_set_session_creation_enabled, "(IZ)V"), |
| 3296 | NATIVE_METHOD(NativeCrypto, SSL_set_tlsext_host_name, "(ILjava/lang/String;)V"), |
| 3297 | NATIVE_METHOD(NativeCrypto, SSL_get_servername, "(I)Ljava/lang/String;"), |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3298 | NATIVE_METHOD(NativeCrypto, SSL_do_handshake, "(I" FILE_DESCRIPTOR SSL_CALLBACKS "IZ)I"), |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 3299 | NATIVE_METHOD(NativeCrypto, SSL_renegotiate, "(I)V"), |
| 3300 | NATIVE_METHOD(NativeCrypto, SSL_get_certificate, "(I)[[B"), |
Brian Carlstrom | df349b3 | 2010-09-13 22:04:32 -0700 | [diff] [blame] | 3301 | NATIVE_METHOD(NativeCrypto, SSL_get_peer_cert_chain, "(I)[[B"), |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3302 | NATIVE_METHOD(NativeCrypto, SSL_read_byte, "(I" FILE_DESCRIPTOR SSL_CALLBACKS "I)I"), |
| 3303 | NATIVE_METHOD(NativeCrypto, SSL_read, "(I" FILE_DESCRIPTOR SSL_CALLBACKS "[BIII)I"), |
| 3304 | NATIVE_METHOD(NativeCrypto, SSL_write_byte, "(I" FILE_DESCRIPTOR SSL_CALLBACKS "I)V"), |
| 3305 | NATIVE_METHOD(NativeCrypto, SSL_write, "(I" FILE_DESCRIPTOR SSL_CALLBACKS "[BII)V"), |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 3306 | NATIVE_METHOD(NativeCrypto, SSL_interrupt, "(I)V"), |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3307 | NATIVE_METHOD(NativeCrypto, SSL_shutdown, "(I" FILE_DESCRIPTOR SSL_CALLBACKS ")V"), |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 3308 | NATIVE_METHOD(NativeCrypto, SSL_free, "(I)V"), |
| 3309 | NATIVE_METHOD(NativeCrypto, SSL_SESSION_session_id, "(I)[B"), |
Elliott Hughes | e22935d | 2010-08-12 17:27:27 -0700 | [diff] [blame] | 3310 | NATIVE_METHOD(NativeCrypto, SSL_SESSION_get_time, "(I)J"), |
| 3311 | NATIVE_METHOD(NativeCrypto, SSL_SESSION_get_version, "(I)Ljava/lang/String;"), |
| 3312 | NATIVE_METHOD(NativeCrypto, SSL_SESSION_cipher, "(I)Ljava/lang/String;"), |
| 3313 | NATIVE_METHOD(NativeCrypto, SSL_SESSION_compress_meth, "(II)Ljava/lang/String;"), |
| 3314 | NATIVE_METHOD(NativeCrypto, SSL_SESSION_free, "(I)V"), |
| 3315 | NATIVE_METHOD(NativeCrypto, i2d_SSL_SESSION, "(I)[B"), |
| 3316 | NATIVE_METHOD(NativeCrypto, d2i_SSL_SESSION, "([B)I"), |
Brian Carlstrom | 0348e62 | 2010-02-10 22:56:47 -0800 | [diff] [blame] | 3317 | }; |
| 3318 | |
Elliott Hughes | c08f9fb | 2010-04-16 17:44:12 -0700 | [diff] [blame] | 3319 | int register_org_apache_harmony_xnet_provider_jsse_NativeCrypto(JNIEnv* env) { |
Brian Carlstrom | bcfb325 | 2010-05-02 11:27:52 -0700 | [diff] [blame] | 3320 | JNI_TRACE("register_org_apache_harmony_xnet_provider_jsse_NativeCrypto"); |
Brian Carlstrom | 3e24c53 | 2010-05-06 00:23:21 -0700 | [diff] [blame] | 3321 | // Register org.apache.harmony.xnet.provider.jsse.NativeCrypto methods |
Brian Carlstrom | df9c090 | 2010-09-30 19:22:21 -0700 | [diff] [blame] | 3322 | return jniRegisterNativeMethods(env, |
| 3323 | "org/apache/harmony/xnet/provider/jsse/NativeCrypto", |
| 3324 | sNativeCryptoMethods, |
| 3325 | NELEM(sNativeCryptoMethods)); |
The Android Open Source Project | adc854b | 2009-03-03 19:28:47 -0800 | [diff] [blame] | 3326 | } |