/* * Copyright 2016 The Netty Project * * The Netty Project licenses this file to you under the Apache License, * version 2.0 (the "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the * License for the specific language governing permissions and limitations * under the License. */ /* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package io.netty.internal.tcnative; import java.nio.ByteBuffer; import static io.netty.internal.tcnative.NativeStaticallyReferencedJniMethods.*; public final class SSL { private SSL() { } /* * Define the SSL Protocol options */ public static final int SSL_PROTOCOL_NONE = 0; public static final int SSL_PROTOCOL_SSLV2 = (1<<0); public static final int SSL_PROTOCOL_SSLV3 = (1<<1); public static final int SSL_PROTOCOL_TLSV1 = (1<<2); public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3); public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4); /** TLS_*method according to SSL_CTX_new */ public static final int SSL_PROTOCOL_TLS = (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLS); /* * Define the SSL verify levels */ public static final int SSL_CVERIFY_IGNORED = -1; public static final int SSL_CVERIFY_NONE = 0; public static final int SSL_CVERIFY_OPTIONAL = 1; public static final int SSL_CVERIFY_REQUIRED = 2; public static final int SSL_OP_CIPHER_SERVER_PREFERENCE = sslOpCipherServerPreference(); public static final int SSL_OP_NO_SSLv2 = sslOpNoSSLv2(); public static final int SSL_OP_NO_SSLv3 = sslOpNoSSLv3(); public static final int SSL_OP_NO_TLSv1 = sslOpNoTLSv1(); public static final int SSL_OP_NO_TLSv1_1 = sslOpNoTLSv11(); public static final int SSL_OP_NO_TLSv1_2 = sslOpNoTLSv12(); public static final int SSL_OP_NO_TICKET = sslOpNoTicket(); public static final int SSL_OP_NO_COMPRESSION = sslOpNoCompression(); public static final int SSL_MODE_CLIENT = 0; public static final int SSL_MODE_SERVER = 1; public static final int SSL_MODE_COMBINED = 2; public static final long SSL_SESS_CACHE_OFF = sslSessCacheOff(); public static final long SSL_SESS_CACHE_SERVER = sslSessCacheServer(); public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE = 0; public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL = 1; public static final int SSL_ST_CONNECT = sslStConnect(); public static final int SSL_ST_ACCEPT = sslStAccept(); public static final int SSL_MODE_ENABLE_PARTIAL_WRITE = sslModeEnablePartialWrite(); public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = sslModeAcceptMovingWriteBuffer(); public static final int SSL_MODE_RELEASE_BUFFERS = sslModeReleaseBuffers(); // https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = x509CheckFlagAlwaysCheckSubject(); public static final int X509_CHECK_FLAG_NO_WILD_CARDS = x509CheckFlagDisableWildCards(); public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS = x509CheckFlagNoPartialWildCards(); public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = x509CheckFlagMultiLabelWildCards(); /* Return OpenSSL version number */ public static native int version(); /* Return OpenSSL version string */ public static native String versionString(); /** * Initialize OpenSSL support. * * This function needs to be called once for the * lifetime of JVM. See {@link Library#initialize(String, String)} * * @param engine Support for external a Crypto Device ("engine"), * usually a hardware accelerator card for crypto operations. * @return APR status code */ static native int initialize(String engine); /** * Initialize new in-memory BIO that is located in the secure heap. * * @return New BIO handle * @throws Exception if an error happened. */ public static native long newMemBIO() throws Exception; /** * Return last SSL error string * * @return the last SSL error string. */ public static native String getLastError(); /** * Return true if all the requested SSL_OP_* are supported by OpenSSL. * * @param op Bitwise-OR of all SSL_OP_* to test. * * @return true if all SSL_OP_* are supported by OpenSSL library. */ public static native boolean hasOp(int op); /* * Begin Twitter API additions */ public static final int SSL_SENT_SHUTDOWN = sslSendShutdown(); public static final int SSL_RECEIVED_SHUTDOWN = sslReceivedShutdown(); public static final int SSL_ERROR_NONE = sslErrorNone(); public static final int SSL_ERROR_SSL = sslErrorSSL(); public static final int SSL_ERROR_WANT_READ = sslErrorWantRead(); public static final int SSL_ERROR_WANT_WRITE = sslErrorWantWrite(); public static final int SSL_ERROR_WANT_X509_LOOKUP = sslErrorWantX509Lookup(); public static final int SSL_ERROR_SYSCALL = sslErrorSyscall(); /* look at error stack/return value/errno */ public static final int SSL_ERROR_ZERO_RETURN = sslErrorZeroReturn(); public static final int SSL_ERROR_WANT_CONNECT = sslErrorWantConnect(); public static final int SSL_ERROR_WANT_ACCEPT = sslErrorWantAccept(); /** * SSL_new * @param ctx Server or Client context to use. * @param server if true configure SSL instance to use accept handshake routines * if false configure SSL instance to use connect handshake routines * @return pointer to SSL instance (SSL *) */ public static native long newSSL(long ctx, boolean server); /** * SSL_get_error * @param ssl SSL pointer (SSL *) * @param ret TLS/SSL I/O return value * @return the error code */ public static native int getError(long ssl, int ret); /** * BIO_write * @param bioAddress The address of a {@code BIO*}. * @param wbufAddress The address of a native {@code char*}. * @param wlen The length to write starting at {@code wbufAddress}. * @return The number of bytes that were written. * See BIO_write for exceptional return values. */ public static native int bioWrite(long bioAddress, long wbufAddress, int wlen); /** * Initialize the BIO for the SSL instance. This is a custom BIO which is designed to play nicely with a direct * {@link ByteBuffer}. Because it is a special BIO it requires special usage such that * {@link #bioSetByteBuffer(long, long, int, boolean)} and {@link #bioClearByteBuffer(long)} are called in order to provide * to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting write at the appropriate times. * * @param ssl the SSL instance (SSL *) * @param nonApplicationBufferSize The size of the internal buffer for write operations that are not * initiated directly by the application attempting to encrypt data. * Must be >{@code 0}. * @return pointer to the Network BIO (BIO *). * The memory is owned by {@code ssl} and will be cleaned up by {@link #freeSSL(long)}. */ public static native long bioNewByteBuffer(long ssl, int nonApplicationBufferSize); /** * Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted * data from. *

* After you are done buffering data you should call {@link #bioClearByteBuffer(long)}. * @param bio {@code BIO*}. * @param bufferAddress The memory address (typically from a direct {@link ByteBuffer}) which will be used * to either write encrypted data to, or read encrypted data from by OpenSSL's internal BIO pair. * @param maxUsableBytes The maximum usable length in bytes starting at {@code bufferAddress}. * @param isSSLWriteSink {@code true} if this buffer is expected to buffer data as a result of calls to {@code SSL_write}. * {@code false} if this buffer is expected to buffer data as a result of calls to {@code SSL_read}. */ public static native void bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink); /** * After you are done buffering data from {@link #bioSetByteBuffer(long, long, int, boolean)}, this will ensure the * internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..). * @param bio {@code BIO*}. */ public static native void bioClearByteBuffer(long bio); /** * Flush any pending bytes in the internal SSL write buffer. *

* This does the same thing as {@code BIO_flush} for a {@code BIO*} of type {@link #bioNewByteBuffer(long, int)} but * returns the number of bytes that were flushed. * @param bio {@code BIO*}. * @return The number of bytes that were flushed. */ public static native int bioFlushByteBuffer(long bio); /** * Get the remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}. * @param bio {@code BIO*}. * @return The remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}. */ public static native int bioLengthByteBuffer(long bio); /** * Get the amount of data pending in buffer used for non-application writes. * This value will not exceed the value configured in {@link #bioNewByteBuffer(long, int)}. * @param bio {@code BIO*}. * @return the amount of data pending in buffer used for non-application writes. */ public static native int bioLengthNonApplication(long bio); /** * SSL_write * @param ssl the SSL instance (SSL *) * @param wbuf the memory address of the buffer * @param wlen the length * @return the number of written bytes */ public static native int writeToSSL(long ssl, long wbuf, int wlen); /** * SSL_read * @param ssl the SSL instance (SSL *) * @param rbuf the memory address of the buffer * @param rlen the length * @return the number of read bytes */ public static native int readFromSSL(long ssl, long rbuf, int rlen); /** * SSL_get_shutdown * @param ssl the SSL instance (SSL *) * @return the return code of {@code SSL_get_shutdown} */ public static native int getShutdown(long ssl); /** * SSL_set_shutdown * @param ssl the SSL instance (SSL *) * @param mode the mode to use */ public static native void setShutdown(long ssl, int mode); /** * SSL_free * @param ssl the SSL instance (SSL *) */ public static native void freeSSL(long ssl); /** * BIO_free * @param bio the BIO */ public static native void freeBIO(long bio); /** * SSL_shutdown * @param ssl the SSL instance (SSL *) * @return the return code of {@code SSL_shutdown} */ public static native int shutdownSSL(long ssl); /** * Get the error number representing the last error OpenSSL encountered on this thread. * @return the last error code for the calling thread. */ public static native int getLastErrorNumber(); /** * SSL_get_cipher * @param ssl the SSL instance (SSL *) * @return the name of the current cipher. */ public static native String getCipherForSSL(long ssl); /** * SSL_get_version * @param ssl the SSL instance (SSL *) * @return the version. */ public static native String getVersion(long ssl); /** * SSL_do_handshake * @param ssl the SSL instance (SSL *) * @return the return code of {@code SSL_do_handshake}. */ public static native int doHandshake(long ssl); /** * SSL_in_init * @param ssl the SSL instance (SSL *) * @return the return code of {@code SSL_in_init}. */ public static native int isInInit(long ssl); /** * SSL_get0_next_proto_negotiated * @param ssl the SSL instance (SSL *) * @return the name of the negotiated proto */ public static native String getNextProtoNegotiated(long ssl); /* * End Twitter API Additions */ /** * SSL_get0_alpn_selected * @param ssl the SSL instance (SSL *) * @return the name of the selected ALPN protocol */ public static native String getAlpnSelected(long ssl); /** * Get the peer certificate chain or {@code null} if none was send. * @param ssl the SSL instance (SSL *) * @return the chain or {@code null} if none was send */ public static native byte[][] getPeerCertChain(long ssl); /** * Get the peer certificate or {@code null} if non was send. * @param ssl the SSL instance (SSL *) * @return the peer certificate or {@code null} if none was send */ public static native byte[] getPeerCertificate(long ssl); /** * Get the error string representing for the given {@code errorNumber}. * * @param errorNumber the error number / code * @return the error string */ public static native String getErrorString(long errorNumber); /** * SSL_get_time * @param ssl the SSL instance (SSL *) * @return returns the time at which the session ssl was established. The time is given in seconds since the Epoch */ public static native long getTime(long ssl); /** * SSL_get_timeout * @param ssl the SSL instance (SSL *) * @return returns the timeout for the session ssl The time is given in seconds since the Epoch */ public static native long getTimeout(long ssl); /** * SSL_set_timeout * @param ssl the SSL instance (SSL *) * @param seconds timeout in seconds * @return returns the timeout for the session ssl before this call. The time is given in seconds since the Epoch */ public static native long setTimeout(long ssl, long seconds); /** * Set Type of Client Certificate verification and Maximum depth of CA Certificates * in Client Certificate verification. *

* This directive sets the Certificate verification level for the Client * Authentication. Notice that this directive can be used both in per-server * and per-directory context. In per-server context it applies to the client * authentication process used in the standard SSL handshake when a connection * is established. In per-directory context it forces a SSL renegotiation with * the reconfigured client verification level after the HTTP request was read * but before the HTTP response is sent. *

* The following levels are available for level: *

* The depth actually is the maximum number of intermediate certificate issuers, * i.e. the number of CA certificates which are max allowed to be followed while * verifying the client certificate. A depth of 0 means that self-signed client * certificates are accepted only, the default depth of 1 means the client * certificate can be self-signed or has to be signed by a CA which is directly * known to the server (i.e. the CA's certificate is under * {@code setCACertificatePath}, etc. * * @param ssl the SSL instance (SSL *) * @param level Type of Client Certificate verification. * @param depth Maximum depth of CA Certificates in Client Certificate * verification. Ignored if value is {@code <0}. */ public static native void setVerify(long ssl, int level, int depth); /** * Set OpenSSL Option. * @param ssl the SSL instance (SSL *) * @param options See SSL.SSL_OP_* for option flags. */ public static native void setOptions(long ssl, int options); /** * Clear OpenSSL Option. * @param ssl the SSL instance (SSL *) * @param options See SSL.SSL_OP_* for option flags. */ public static native void clearOptions(long ssl, int options); /** * Get OpenSSL Option. * @param ssl the SSL instance (SSL *) * @return options See SSL.SSL_OP_* for option flags. */ public static native int getOptions(long ssl); /** * Returns all Returns the cipher suites that are available for negotiation in an SSL handshake. * @param ssl the SSL instance (SSL *) * @return ciphers */ public static native String[] getCiphers(long ssl); /** * Returns the cipher suites available for negotiation in SSL handshake. *

* This complex directive uses a colon-separated cipher-spec string consisting * of OpenSSL cipher specifications to configure the Cipher Suite the client * is permitted to negotiate in the SSL handshake phase. Notice that this * directive can be used both in per-server and per-directory context. * In per-server context it applies to the standard SSL handshake when a * connection is established. In per-directory context it forces a SSL * renegotiation with the reconfigured Cipher Suite after the HTTP request * was read but before the HTTP response is sent. * @param ssl the SSL instance (SSL *) * @param ciphers an SSL cipher specification * @return {@code true} if successful * @throws Exception if an error happened */ public static native boolean setCipherSuites(long ssl, String ciphers) throws Exception; /** * Returns the ID of the session as byte array representation. * * @param ssl the SSL instance (SSL *) * @return the session as byte array representation obtained via SSL_SESSION_get_id. */ public static native byte[] getSessionId(long ssl); /** * Returns the number of handshakes done for this SSL instance. This also includes renegations. * * @param ssl the SSL instance (SSL *) * @return the number of handshakes done for this SSL instance. */ public static native int getHandshakeCount(long ssl); /** * Clear all the errors from the error queue that OpenSSL encountered on this thread. */ public static native void clearError(); /** * Call SSL_renegotiate. * * @param ssl the SSL instance (SSL *) * @return the result of the operation */ public static native int renegotiate(long ssl); /** * Call SSL_set_state. * * @param ssl the SSL instance (SSL *) * @param state the state to set */ public static native void setState(long ssl, int state); /** * Call SSL_set_tlsext_host_name * * @param ssl the SSL instance (SSL *) * @param hostname the hostname */ public static native void setTlsExtHostName(long ssl, String hostname); /** * Explicitly control hostname validation * see X509_check_host for X509_CHECK_FLAG* definitions. * Values are defined as a bitmask of {@code X509_CHECK_FLAG*} values. * @param ssl the SSL instance (SSL*). * @param flags a bitmask of {@code X509_CHECK_FLAG*} values. * @param hostname the hostname which is expected for validation. */ public static native void setHostNameValidation(long ssl, int flags, String hostname); /** * Return the methods used for authentication. * * @param ssl the SSL instance (SSL*) * @return the methods */ public static native String[] authenticationMethods(long ssl); /** * Set BIO of PEM-encoded Server CA Certificates *

* This directive sets the optional all-in-one file where you can assemble the * certificates of Certification Authorities (CA) which form the certificate * chain of the server certificate. This starts with the issuing CA certificate * of of the server certificate and can range up to the root CA certificate. * Such a file is simply the concatenation of the various PEM-encoded CA * Certificate files, usually in certificate chain order. *

* But be careful: Providing the certificate chain works only if you are using * a single (either RSA or DSA) based server certificate. If you are using a * coupled RSA+DSA certificate pair, this will work only if actually both * certificates use the same certificate chain. Otherwsie the browsers will be * confused in this situation. * @param ssl Server or Client to use. * @param bio BIO of PEM-encoded Server CA Certificates. * @param skipfirst Skip first certificate if chain file is inside * certificate file. */ public static native void setCertificateChainBio(long ssl, long bio, boolean skipfirst); /** * Set Certificate *
* Point setCertificate at a PEM encoded certificate stored in a BIO. If * the certificate is encrypted, then you will be prompted for a * pass phrase. Note that a kill -HUP will prompt again. A test * certificate can be generated with `make certificate' under * built time. Keep in mind that if you've both a RSA and a DSA * certificate you can configure both in parallel (to also allow * the use of DSA ciphers, etc.) *
* If the key is not combined with the certificate, use key param * to point at the key file. Keep in mind that if * you've both a RSA and a DSA private key you can configure * both in parallel (to also allow the use of DSA ciphers, etc.) * @param ssl Server or Client to use. * @param certBio Certificate BIO. * @param keyBio Private Key BIO to use if not in cert. * @param password Certificate password. If null and certificate * is encrypted. * @throws Exception if an error happened */ public static native void setCertificateBio( long ssl, long certBio, long keyBio, String password) throws Exception; /** * Parse private key from BIO and return {@code EVP_PKEY} pointer. * *

Be sure you understand how OpenSsl will behave with respect to reference counting! * * If the {@code EVP_PKEY} pointer is used with the client certificate callback * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and so calling * {@link #freePrivateKey(long)} should NOT be done in this case. Otherwise you may * need to call {@link #freePrivateKey(long)} to decrement the reference count and free memory. * * @param privateKeyBio the pointer to the {@code BIO} that contains the private key * @param password the password or {@code null} if no password is needed * @return {@code EVP_PKEY} pointer * @throws Exception if an error happened */ public static native long parsePrivateKey(long privateKeyBio, String password) throws Exception; /** * Free private key ({@code EVP_PKEY} pointer). * * @param privateKey {@code EVP_PKEY} pointer */ public static native void freePrivateKey(long privateKey); /** * Parse X509 chain from BIO and return ({@code STACK_OF(X509)} pointer). * *

Be sure you understand how OpenSsl will behave with respect to reference counting! * * If the {@code STACK_OF(X509)} pointer is used with the client certificate callback * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and and so calling * {@link #freeX509Chain(long)} should NOT be done in this case. Otherwise you may * need to call {@link #freeX509Chain(long)} to decrement the reference count and free memory. * * @param x509ChainBio the pointer to the {@code BIO} that contains the X509 chain * @return {@code STACK_OF(X509)} pointer * @throws Exception if an error happened */ public static native long parseX509Chain(long x509ChainBio) throws Exception; /** * Free x509 chain ({@code STACK_OF(X509)} pointer). * * @param x509Chain {@code STACK_OF(X509)} pointer */ public static native void freeX509Chain(long x509Chain); }