[Git][java-team/netty-tcnative][upstream] 5 commits: New upstream version 2.0.16
Emmanuel Bourg
gitlab at salsa.debian.org
Tue Jan 22 10:36:17 GMT 2019
Emmanuel Bourg pushed to branch upstream at Debian Java Maintainers / netty-tcnative
Commits:
f9dd8e43 by Emmanuel Bourg at 2019-01-21T23:03:03Z
New upstream version 2.0.16
- - - - -
87efbae4 by Emmanuel Bourg at 2019-01-21T23:03:08Z
New upstream version 2.0.17
- - - - -
00c72d6f by Emmanuel Bourg at 2019-01-21T23:03:12Z
New upstream version 2.0.18
- - - - -
26bdee4a by Emmanuel Bourg at 2019-01-21T23:03:30Z
New upstream version 2.0.19
- - - - -
0cb0c299 by Emmanuel Bourg at 2019-01-22T10:18:05Z
New upstream version 2.0.20
- - - - -
16 changed files:
- .gitignore
- boringssl-static/pom.xml
- libressl-static/pom.xml
- openssl-dynamic/pom.xml
- openssl-dynamic/src/main/c/native_constants.c
- openssl-dynamic/src/main/c/ssl.c
- openssl-dynamic/src/main/c/ssl_private.h
- openssl-dynamic/src/main/c/sslcontext.c
- openssl-dynamic/src/main/c/sslutils.c
- + openssl-dynamic/src/main/java/io/netty/internal/tcnative/CertificateCallback.java
- openssl-dynamic/src/main/java/io/netty/internal/tcnative/CertificateRequestedCallback.java
- openssl-dynamic/src/main/java/io/netty/internal/tcnative/NativeStaticallyReferencedJniMethods.java
- openssl-dynamic/src/main/java/io/netty/internal/tcnative/SSL.java
- openssl-dynamic/src/main/java/io/netty/internal/tcnative/SSLContext.java
- openssl-static/pom.xml
- pom.xml
Changes:
=====================================
.gitignore
=====================================
@@ -29,3 +29,11 @@
# Do not include stuff in the static modules as this is generated during the build
*-static/src
+
+# exclude mainframer files
+mainframer
+.mainframer
+
+# exclude cmake related files
+CMakeLists.txt
+cmake-*
=====================================
boringssl-static/pom.xml
=====================================
@@ -19,7 +19,7 @@
<parent>
<groupId>io.netty</groupId>
<artifactId>netty-tcnative-parent</artifactId>
- <version>2.0.15.Final</version>
+ <version>2.0.20.Final</version>
</parent>
<artifactId>netty-tcnative-boringssl-static</artifactId>
<packaging>jar</packaging>
@@ -89,6 +89,24 @@
</executions>
</plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>build-helper-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <phase>generate-sources</phase>
+ <goals>
+ <goal>add-source</goal>
+ </goals>
+ <configuration>
+ <sources>
+ <source>${generatedSourcesDir}/java</source>
+ </sources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+
<!-- Add the commit ID and branch to the manifest. -->
<plugin>
<groupId>org.apache.felix</groupId>
@@ -126,7 +144,7 @@
<!-- Build the BoringSSL static libs -->
<execution>
<id>build-boringssl</id>
- <phase>generate-sources</phase>
+ <phase>compile</phase>
<goals>
<goal>run</goal>
</goals>
@@ -135,42 +153,52 @@
<!-- Add the ant tasks from ant-contrib -->
<taskdef resource="net/sf/antcontrib/antcontrib.properties" />
- <mkdir dir="${boringsslBuildDir}" />
-
<if>
- <equals arg1="${os.detected.name}" arg2="windows" />
+ <available file="${boringsslBuildDir}" />
<then>
- <!-- On Windows, build with /MT for static linking -->
- <property name="cmakeAsmFlags" value="" />
- <property name="cmakeCFlags" value="/MT" />
- <property name="cmakeCxxFlags" value="/MT" />
+ <echo message="BoringSSL was already build, skipping the build step." />
</then>
- <elseif>
- <equals arg1="${os.detected.name}" arg2="linux" />
- <then>
- <!-- On *nix, add ASM flags to disable executable stack -->
- <property name="cmakeAsmFlags" value="-Wa,--noexecstack" />
- <property name="cmakeCFlags" value="-std=c99 -O3 -fno-omit-frame-pointer" />
- <property name="cmakeCxxFlags" value="-O3 -fno-omit-frame-pointer -Wno-error=maybe-uninitialized" />
- </then>
- </elseif>
<else>
- <!-- On *nix, add ASM flags to disable executable stack -->
- <property name="cmakeAsmFlags" value="-Wa,--noexecstack" />
- <property name="cmakeCFlags" value="-std=c99 -O3 -fno-omit-frame-pointer" />
- <property name="cmakeCxxFlags" value="-O3 -fno-omit-frame-pointer" />
+ <echo message="Building BoringSSL" />
+
+ <mkdir dir="${boringsslBuildDir}" />
+
+ <if>
+ <equals arg1="${os.detected.name}" arg2="windows" />
+ <then>
+ <!-- On Windows, build with /MT for static linking -->
+ <property name="cmakeAsmFlags" value="" />
+ <property name="cmakeCFlags" value="/MT" />
+ <property name="cmakeCxxFlags" value="/MT" />
+ </then>
+ <elseif>
+ <equals arg1="${os.detected.name}" arg2="linux" />
+ <then>
+ <!-- On *nix, add ASM flags to disable executable stack -->
+ <property name="cmakeAsmFlags" value="-Wa,--noexecstack" />
+ <property name="cmakeCFlags" value="-std=c99 -O3 -fno-omit-frame-pointer" />
+ <property name="cmakeCxxFlags" value="-O3 -fno-omit-frame-pointer -Wno-error=maybe-uninitialized" />
+ </then>
+ </elseif>
+ <else>
+ <!-- On *nix, add ASM flags to disable executable stack -->
+ <property name="cmakeAsmFlags" value="-Wa,--noexecstack" />
+ <property name="cmakeCFlags" value="-std=c99 -O3 -fno-omit-frame-pointer" />
+ <property name="cmakeCxxFlags" value="-O3 -fno-omit-frame-pointer" />
+ </else>
+ </if>
+ <exec executable="cmake" failonerror="true" dir="${boringsslBuildDir}" resolveexecutable="true">
+ <arg value="-DCMAKE_POSITION_INDEPENDENT_CODE=TRUE" />
+ <arg value="-DCMAKE_BUILD_TYPE=Release" />
+ <arg value="-DCMAKE_ASM_FLAGS=${cmakeAsmFlags}" />
+ <arg value="-DCMAKE_C_FLAGS_RELEASE=${cmakeCFlags}" />
+ <arg value="-DCMAKE_CXX_FLAGS_RELEASE=${cmakeCxxFlags}" />
+ <arg value="-GNinja" />
+ <arg value=".." />
+ </exec>
+ <exec executable="ninja" failonerror="true" dir="${boringsslBuildDir}" resolveexecutable="true" />
</else>
</if>
- <exec executable="cmake" failonerror="true" dir="${boringsslBuildDir}" resolveexecutable="true">
- <arg value="-DCMAKE_POSITION_INDEPENDENT_CODE=TRUE" />
- <arg value="-DCMAKE_BUILD_TYPE=Release" />
- <arg value="-DCMAKE_ASM_FLAGS=${cmakeAsmFlags}" />
- <arg value="-DCMAKE_C_FLAGS_RELEASE=${cmakeCFlags}" />
- <arg value="-DCMAKE_CXX_FLAGS_RELEASE=${cmakeCxxFlags}" />
- <arg value="-GNinja" />
- <arg value=".." />
- </exec>
- <exec executable="ninja" failonerror="true" dir="${boringsslBuildDir}" resolveexecutable="true" />
</target>
</configuration>
</execution>
@@ -230,7 +258,8 @@
<phase>compile</phase>
<configuration>
<name>netty_tcnative</name>
- <nativeSourceDirectory>${project.basedir}/src/main/c</nativeSourceDirectory>
+ <nativeSourceDirectory>${generatedSourcesDir}/c</nativeSourceDirectory>
+ <customPackageDirectory>${generatedSourcesDir}/native-package</customPackageDirectory>
<libDirectory>${nativeLibOnlyDir}</libDirectory>
<forceAutogen>${forceAutogen}</forceAutogen>
<forceConfigure>${forceConfigure}</forceConfigure>
=====================================
libressl-static/pom.xml
=====================================
@@ -19,7 +19,7 @@
<parent>
<groupId>io.netty</groupId>
<artifactId>netty-tcnative-parent</artifactId>
- <version>2.0.15.Final</version>
+ <version>2.0.20.Final</version>
</parent>
<artifactId>netty-tcnative-libressl-static</artifactId>
<packaging>jar</packaging>
@@ -41,34 +41,6 @@
<build>
<plugins>
- <!-- Configure the distribution statically linked against OpenSSL and APR -->
- <plugin>
- <groupId>org.fusesource.hawtjni</groupId>
- <artifactId>maven-hawtjni-plugin</artifactId>
- <executions>
- <execution>
- <id>build-native-lib</id>
- <goals>
- <goal>generate</goal>
- <goal>build</goal>
- </goals>
- <phase>compile</phase>
- <configuration>
- <name>netty_tcnative</name>
- <nativeSourceDirectory>${project.basedir}/src/main/c</nativeSourceDirectory>
- <libDirectory>${nativeLibOnlyDir}</libDirectory>
- <forceAutogen>${forceAutogen}</forceAutogen>
- <forceConfigure>${forceConfigure}</forceConfigure>
- <windowsBuildTool>msbuild</windowsBuildTool>
- <configureArgs>
- <configureArg>--with-ssl=${sslHome}</configureArg>
- <configureArg>--with-apr=${aprHome}</configureArg>
- <configureArg>--with-static-libs</configureArg>
- </configureArgs>
- </configuration>
- </execution>
- </executions>
- </plugin>
<!-- Add the LibreSSL version to the manifest. -->
<plugin>
@@ -82,6 +54,24 @@
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>build-helper-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <phase>generate-sources</phase>
+ <goals>
+ <goal>add-source</goal>
+ </goals>
+ <configuration>
+ <sources>
+ <source>${generatedSourcesDir}/java</source>
+ </sources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+
<plugin>
<artifactId>maven-antrun-plugin</artifactId>
<executions>
@@ -108,6 +98,36 @@
</execution>
</executions>
</plugin>
+
+ <!-- Configure the distribution statically linked against OpenSSL and APR -->
+ <plugin>
+ <groupId>org.fusesource.hawtjni</groupId>
+ <artifactId>maven-hawtjni-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>build-native-lib</id>
+ <goals>
+ <goal>generate</goal>
+ <goal>build</goal>
+ </goals>
+ <phase>compile</phase>
+ <configuration>
+ <name>netty_tcnative</name>
+ <nativeSourceDirectory>${generatedSourcesDir}/c</nativeSourceDirectory>
+ <customPackageDirectory>${generatedSourcesDir}/native-package</customPackageDirectory>
+ <libDirectory>${nativeLibOnlyDir}</libDirectory>
+ <forceAutogen>${forceAutogen}</forceAutogen>
+ <forceConfigure>${forceConfigure}</forceConfigure>
+ <windowsBuildTool>msbuild</windowsBuildTool>
+ <configureArgs>
+ <configureArg>--with-ssl=${sslHome}</configureArg>
+ <configureArg>--with-apr=${aprHome}</configureArg>
+ <configureArg>--with-static-libs</configureArg>
+ </configureArgs>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</build>
@@ -165,27 +185,63 @@
<executions>
<!-- Download and build LibreSSL -->
<execution>
- <id>build-libressl-non-windows</id>
+ <id>source-libressl-non-windows</id>
<phase>generate-sources</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<target>
- <get src="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${libresslArchive}" dest="${project.build.directory}/${libresslArchive}" verbose="on" />
- <checksum file="${project.build.directory}/${libresslArchive}" algorithm="SHA-256" property="${libresslSha256}" verifyProperty="isEqual" />
- <exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
- <arg value="xfv" />
- <arg value="${libresslArchive}" />
- </exec>
- <mkdir dir="${sslHome}" />
- <exec executable="configure" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true">
- <arg line="--disable-shared --prefix=${sslHome} CFLAGS='-O3 -fno-omit-frame-pointer -fPIC'" />
- </exec>
- <exec executable="make" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true" />
- <exec executable="make" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true">
- <arg line="install" />
- </exec>
+ <!-- Add the ant tasks from ant-contrib -->
+ <taskdef resource="net/sf/antcontrib/antcontrib.properties" />
+
+ <if>
+ <available file="${libresslCheckoutDir}" />
+ <then>
+ <echo message="LibreSSL was already downloaded, skipping the build step." />
+ </then>
+ <else>
+ <echo message="Downloading LibreSSL" />
+
+ <get src="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${libresslArchive}" dest="${project.build.directory}/${libresslArchive}" verbose="on" />
+ <checksum file="${project.build.directory}/${libresslArchive}" algorithm="SHA-256" property="${libresslSha256}" verifyProperty="isEqual" />
+ <exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
+ <arg value="xfv" />
+ <arg value="${libresslArchive}" />
+ </exec>
+ </else>
+ </if>
+ </target>
+ </configuration>
+ </execution>
+ <execution>
+ <id>build-libressl-non-windows</id>
+ <phase>compile</phase>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <configuration>
+ <target>
+ <!-- Add the ant tasks from ant-contrib -->
+ <taskdef resource="net/sf/antcontrib/antcontrib.properties" />
+
+ <if>
+ <available file="${sslHome}" />
+ <then>
+ <echo message="LibreSSL was already build, skipping the build step." />
+ </then>
+ <else>
+ <echo message="Building LibreSSL" />
+ <mkdir dir="${sslHome}" />
+ <exec executable="configure" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true">
+ <arg line="--disable-shared --prefix=${sslHome} CFLAGS='-O3 -fno-omit-frame-pointer -fPIC'" />
+ </exec>
+ <exec executable="make" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true" />
+ <exec executable="make" failonerror="true" dir="${libresslCheckoutDir}" resolveexecutable="true">
+ <arg line="install" />
+ </exec>
+ </else>
+ </if>
</target>
</configuration>
</execution>
=====================================
openssl-dynamic/pom.xml
=====================================
@@ -19,7 +19,7 @@
<parent>
<groupId>io.netty</groupId>
<artifactId>netty-tcnative-parent</artifactId>
- <version>2.0.15.Final</version>
+ <version>2.0.20.Final</version>
</parent>
<artifactId>netty-tcnative</artifactId>
<packaging>jar</packaging>
=====================================
openssl-dynamic/src/main/c/native_constants.c
=====================================
@@ -42,6 +42,10 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslOpNoTLSv12)(TC
return SSL_OP_NO_TLSv1_2;
}
+TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslOpNoTLSv13)(TCN_STDARGS) {
+ return SSL_OP_NO_TLSv1_3;
+}
+
TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslOpNoTicket)(TCN_STDARGS) {
return SSL_OP_NO_TICKET;
}
@@ -484,6 +488,7 @@ static const JNINativeMethod method_table[] = {
{ TCN_METHOD_TABLE_ENTRY(sslOpNoTLSv1, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslOpNoTLSv11, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslOpNoTLSv12, ()I, NativeStaticallyReferencedJniMethods) },
+ { TCN_METHOD_TABLE_ENTRY(sslOpNoTLSv13, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslOpNoTicket, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslOpNoCompression, ()I, NativeStaticallyReferencedJniMethods) },
{ TCN_METHOD_TABLE_ENTRY(sslSessCacheOff, ()I, NativeStaticallyReferencedJniMethods) },
=====================================
openssl-dynamic/src/main/c/ssl.c
=====================================
@@ -1559,27 +1559,50 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getCiphers)(TCN_STDARGS, jlong ssl)
}
TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuites)(TCN_STDARGS, jlong ssl,
- jstring ciphers)
+ jstring ciphers, jboolean tlsv13)
{
jboolean rv = JNI_TRUE;
- TCN_ALLOC_CSTRING(ciphers);
SSL *ssl_ = J2P(ssl, SSL *);
TCN_CHECK_NULL(ssl_, ssl, JNI_FALSE);
- UNREFERENCED(o);
+#ifdef OPENSSL_NO_TLS1_3
+ if (tlsv13 == JNI_TRUE) {
+ tcn_Throw(e, "TLSv1.3 not supported");
+ return JNI_FALSE;
+ }
+ #endif
+ if (ciphers == NULL || (*e)->GetStringUTFLength(e, ciphers) == 0) {
+ return JNI_FALSE;
+ }
+
+ TCN_ALLOC_CSTRING(ciphers);
+ UNREFERENCED(o);
if (!J2S(ciphers)) {
return JNI_FALSE;
}
- if (!SSL_set_cipher_list(ssl_, J2S(ciphers))) {
- char err[ERR_LEN];
+#ifdef OPENSSL_NO_TLS1_3
+ rv = SSL_set_cipher_list(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+#else
+ if (tlsv13 == JNI_TRUE) {
+#ifdef OPENSSL_IS_BORINGSSL
+ // BoringSSL does not support setting TLSv1.3 cipher suites explicit for now.
+ rv = JNI_TRUE;
+#else
+ rv = SSL_set_ciphersuites(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+#endif // OPENSSL_IS_BORINGSSL
+ } else {
+ rv = SSL_set_cipher_list(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+ }
+#endif // OPENSSL_NO_TLS1_3
+
+ if (rv == JNI_FALSE) {
+ char err[256];
ERR_error_string(ERR_get_error(), err);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
- rv = JNI_FALSE;
}
-
TCN_FREE_CSTRING(ciphers);
return rv;
}
@@ -1632,7 +1655,7 @@ TCN_IMPLEMENT_CALL(void, SSL, clearError)(TCN_STDARGS)
ERR_clear_error();
}
-TCN_IMPLEMENT_CALL(void, SSL, setTlsExtHostName)(TCN_STDARGS, jlong ssl, jstring hostname) {
+TCN_IMPLEMENT_CALL(void, SSL, setTlsExtHostName0)(TCN_STDARGS, jlong ssl, jstring hostname) {
SSL *ssl_ = J2P(ssl, SSL *);
TCN_CHECK_NULL(ssl_, ssl, /* void */);
@@ -1708,7 +1731,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, authenticationMethods)(TCN_STDARGS, jlong
for (i = 0; i < len; i++) {
(*e)->SetObjectArrayElement(e, array, i,
- (*e)->NewStringUTF(e, tcn_SSL_cipher_authentication_method((SSL_CIPHER*) sk_value((_STACK*) ciphers, i))));
+ (*e)->NewStringUTF(e, tcn_SSL_cipher_authentication_method(sk_SSL_CIPHER_value(ciphers, i))));
}
return array;
}
@@ -1910,7 +1933,7 @@ TCN_IMPLEMENT_CALL(void, SSL, freeX509Chain)(TCN_STDARGS, jlong x509Chain)
sk_X509_pop_free(chain, X509_free);
}
-TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterialServerSide)(TCN_STDARGS, jlong ssl, jlong chain, jlong key)
+TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chain, jlong key)
{
#if defined(LIBRESSL_VERSION_NUMBER)
tcn_Throw(e, "Not supported with LibreSSL");
@@ -2196,6 +2219,95 @@ TCN_IMPLEMENT_CALL(void, SSL, fipsModeSet)(TCN_STDARGS, jint mode)
#endif
}
+TCN_IMPLEMENT_CALL(jstring, SSL, getSniHostname)(TCN_STDARGS, jlong ssl)
+{
+ SSL *ssl_ = J2P(ssl, SSL *);
+ TCN_CHECK_NULL(ssl_, ssl, 0);
+
+ const char *servername = SSL_get_servername(ssl_, TLSEXT_NAMETYPE_host_name);
+ if (servername == NULL) {
+ return NULL;
+ }
+ return tcn_new_string(e, servername);
+}
+
+TCN_IMPLEMENT_CALL(jobjectArray, SSL, getSigAlgs)(TCN_STDARGS, jlong ssl) {
+ SSL *ssl_ = J2P(ssl, SSL *);
+ TCN_CHECK_NULL(ssl_, ssl, NULL);
+
+// Not supported in LibreSSL
+#if defined(LIBRESSL_VERSION_NUMBER)
+ return NULL;
+#elif defined(OPENSSL_IS_BORINGSSL)
+ // Using a different API in BoringSSL
+ // https://boringssl.googlesource.com/boringssl/+/ba16a1e405c617f4179bd780ad15522fb25b0a65%5E%21/
+ int i;
+ jobjectArray array;
+ jstring algString;
+ const uint16_t *peer_sigalgs;
+ size_t num_peer_sigalgs = SSL_get0_peer_verify_algorithms(ssl_, &peer_sigalgs);
+ if (num_peer_sigalgs <= 0) {
+ return NULL;
+ }
+ array = (*e)->NewObjectArray(e, num_peer_sigalgs, tcn_get_string_class(), NULL);
+
+ if (array == NULL) {
+ return NULL;
+ }
+
+ for (i = 0; i < num_peer_sigalgs; i++) {
+ algString = (*e)->NewStringUTF(e, SSL_get_signature_algorithm_name(peer_sigalgs[i], SSL_version(ssl_) != TLS1_2_VERSION));
+ if (algString == NULL) {
+ // something is wrong we should better just return here
+ return NULL;
+ }
+ (*e)->SetObjectArrayElement(e, array, i, algString);
+ }
+ return array;
+#else
+
+// Use weak linking with GCC as this will alow us to run the same packaged version with multiple
+// version of openssl.
+#if defined(__GNUC__) || defined(__GNUG__)
+ if (!SSL_get_sigalgs) {
+ UNREFERENCED(o);
+ return NULL;
+ }
+#endif
+
+// We can only support it when either use openssl version >= 1.0.2 or GCC as this way we can use weak linking
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
+ int i;
+ int nsig;
+ int psignhash;
+ jobjectArray array;
+ jstring algString;
+
+ UNREFERENCED(o);
+
+ nsig = SSL_get_sigalgs(ssl_, 0, NULL, NULL, NULL, NULL, NULL);
+ if (nsig <= 0) {
+ return NULL;
+ }
+ array = (*e)->NewObjectArray(e, nsig, tcn_get_string_class(), NULL);
+
+ if (array == NULL) {
+ return NULL;
+ }
+
+ for (i = 0; i < nsig; i++) {
+ SSL_get_sigalgs(ssl_, i, NULL, NULL, &psignhash, NULL, NULL);
+ algString = (*e)->NewStringUTF(e, OBJ_nid2ln(psignhash));
+ if (algString == NULL) {
+ // something is wrong we should better just return here
+ return NULL;
+ }
+ (*e)->SetObjectArrayElement(e, array, i, algString);
+ }
+ return array;
+#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
+#endif // defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
+}
// JNI Method Registration Table Begin
static const JNINativeMethod method_table[] = {
@@ -2243,11 +2355,11 @@ static const JNINativeMethod method_table[] = {
{ TCN_METHOD_TABLE_ENTRY(getMode, (J)I, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getMaxWrapOverhead, (J)I, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getCiphers, (J)[Ljava/lang/String;, SSL) },
- { TCN_METHOD_TABLE_ENTRY(setCipherSuites, (JLjava/lang/String;)Z, SSL) },
+ { TCN_METHOD_TABLE_ENTRY(setCipherSuites, (JLjava/lang/String;Z)Z, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getSessionId, (J)[B, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getHandshakeCount, (J)I, SSL) },
{ TCN_METHOD_TABLE_ENTRY(clearError, ()V, SSL) },
- { TCN_METHOD_TABLE_ENTRY(setTlsExtHostName, (JLjava/lang/String;)V, SSL) },
+ { TCN_METHOD_TABLE_ENTRY(setTlsExtHostName0, (JLjava/lang/String;)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setHostNameValidation, (JILjava/lang/String;)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(authenticationMethods, (J)[Ljava/lang/String;, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setCertificateBio, (JJJLjava/lang/String;)V, SSL) },
@@ -2257,12 +2369,14 @@ static const JNINativeMethod method_table[] = {
{ TCN_METHOD_TABLE_ENTRY(freePrivateKey, (J)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(parseX509Chain, (J)J, SSL) },
{ TCN_METHOD_TABLE_ENTRY(freeX509Chain, (J)V, SSL) },
- { TCN_METHOD_TABLE_ENTRY(setKeyMaterialServerSide, (JJJ)V, SSL) },
+ { TCN_METHOD_TABLE_ENTRY(setKeyMaterial, (JJJ)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setKeyMaterialClientSide, (JJJJJ)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(enableOcsp, (J)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(setOcspResponse, (J[B)V, SSL) },
{ TCN_METHOD_TABLE_ENTRY(getOcspResponse, (J)[B, SSL) },
- { TCN_METHOD_TABLE_ENTRY(fipsModeSet, (I)V, SSL) }
+ { TCN_METHOD_TABLE_ENTRY(fipsModeSet, (I)V, SSL) },
+ { TCN_METHOD_TABLE_ENTRY(getSniHostname, (J)Ljava/lang/String;, SSL) },
+ { TCN_METHOD_TABLE_ENTRY(getSigAlgs, (J)[Ljava/lang/String;, SSL) }
};
static const jint method_table_size = sizeof(method_table) / sizeof(method_table[0]);
=====================================
openssl-dynamic/src/main/c/ssl_private.h
=====================================
@@ -131,6 +131,15 @@ extern const char* TCN_UNKNOWN_AUTH_METHOD;
#define TLS1_3_VERSION 0x0304
#endif
+#ifndef SSL_OP_NO_TLSv1_3
+// TLSV1_3 is not really supported by the underlying OPENSSL version
+#ifndef OPENSSL_NO_TLS1_3
+#define OPENSSL_NO_TLS1_3
+#endif // OPENSSL_NO_TLS1_3
+
+#define SSL_OP_NO_TLSv1_3 0x00000000U
+#endif // SSL_OP_NO_TLSv1_3
+
/* OpenSSL 1.0.2 compatibility */
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define TLS_method SSLv23_method
@@ -224,6 +233,9 @@ struct tcn_ssl_ctxt_t {
jobject cert_requested_callback;
jmethodID cert_requested_callback_method;
+ jobject certificate_callback;
+ jmethodID certificate_callback_method;
+
jobject sni_hostname_matcher;
jmethodID sni_hostname_matcher_method;
@@ -317,6 +329,9 @@ const char *tcn_SSL_cipher_authentication_method(const SSL_CIPHER *);
extern X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) __attribute__((weak));
extern void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags) __attribute__((weak));
extern int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen) __attribute__((weak));
+
+ extern int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash, unsigned char *rsig, unsigned char *rhash) __attribute__((weak));
+ extern void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg), void *arg) __attribute__((weak));
#endif
#endif /* SSL_PRIVATE_H */
=====================================
openssl-dynamic/src/main/c/sslcontext.c
=====================================
@@ -63,6 +63,13 @@ static apr_status_t ssl_context_cleanup(void *data)
}
c->cert_requested_callback_method = NULL;
+ if (c->certificate_callback != NULL) {
+ tcn_get_java_env(&e);
+ (*e)->DeleteGlobalRef(e, c->certificate_callback);
+ c->certificate_callback = NULL;
+ }
+ c->certificate_callback_method = NULL;
+
if (c->sni_hostname_matcher != NULL) {
tcn_get_java_env(&e);
(*e)->DeleteGlobalRef(e, c->sni_hostname_matcher);
@@ -118,6 +125,14 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jint protocol, jint mod
ctx = SSL_CTX_new(TLS_server_method());
else
ctx = SSL_CTX_new(TLS_method());
+
+
+ // Needed in BoringSSL to be able to use TLSv1.3
+ //
+ // See http://hg.nginx.org/nginx/rev/7ad0f4ace359
+ #if defined(OPENSSL_IS_BORINGSSL)
+ SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+ #endif
#else
switch (protocol) {
case SSL_PROTOCOL_TLS:
@@ -415,24 +430,50 @@ TCN_IMPLEMENT_CALL(void, SSLContext, clearOptions)(TCN_STDARGS, jlong ctx,
}
TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuite)(TCN_STDARGS, jlong ctx,
- jstring ciphers)
+ jstring ciphers, jboolean tlsv13)
{
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
jboolean rv = JNI_TRUE;
TCN_CHECK_NULL(c, ctx, JNI_FALSE);
- TCN_ALLOC_CSTRING(ciphers);
+#ifdef OPENSSL_NO_TLS1_3
+ if (tlsv13 == JNI_TRUE) {
+ tcn_Throw(e, "TLSv1.3 not supported");
+ return JNI_FALSE;
+ }
+#endif
+ if (ciphers == NULL || (*e)->GetStringUTFLength(e, ciphers) == 0) {
+ return JNI_FALSE;
+ }
+
+ TCN_ALLOC_CSTRING(ciphers);
UNREFERENCED(o);
- if (!J2S(ciphers))
+ if (!J2S(ciphers)) {
return JNI_FALSE;
+ }
+
+#ifdef OPENSSL_NO_TLS1_3
+ rv = SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+#else
+
+ if (tlsv13 == JNI_TRUE) {
+#ifdef OPENSSL_IS_BORINGSSL
+ // BoringSSL does not support setting TLSv1.3 cipher suites explicit for now.
+ rv = JNI_TRUE;
+#else
+ rv = SSL_CTX_set_ciphersuites(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+#endif // OPENSSL_IS_BORINGSSL
- if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
+ } else {
+ rv = SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+ }
+#endif // OPENSSL_NO_TLS1_3
+ if (rv == JNI_FALSE) {
char err[256];
ERR_error_string(ERR_get_error(), err);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
- rv = JNI_FALSE;
}
TCN_FREE_CSTRING(ciphers);
return rv;
@@ -1427,6 +1468,22 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertVerifyCallback)(TCN_STDARGS, jlong c
}
}
+static jbyteArray keyTypes(JNIEnv* e, SSL* ssl) {
+ jbyte* ctype_bytes;
+ jbyteArray types;
+ int ctype_num = tcn_SSL_get0_certificate_types(ssl, (const uint8_t **) &ctype_bytes);
+ if (ctype_num <= 0) {
+ // No idea what we should use... Let the caller handle it.
+ return NULL;
+ }
+ types = (*e)->NewByteArray(e, ctype_num);
+ if (types == NULL) {
+ return NULL;
+ }
+ (*e)->SetByteArrayRegion(e, types, 0, ctype_num, ctype_bytes);
+ return types;
+}
+
/**
* Returns an array containing all the X500 principal's bytes.
*
@@ -1495,31 +1552,18 @@ static int cert_requested(SSL* ssl, X509** x509Out, EVP_PKEY** pkeyOut) {
#endif // OPENSSL_IS_BORINGSSL
tcn_ssl_ctxt_t *c = tcn_SSL_get_app_data2(ssl);
- int ctype_num;
- jbyte* ctype_bytes;
jobjectArray issuers;
JNIEnv *e;
- jbyteArray keyTypes;
+ jbyteArray types;
tcn_get_java_env(&e);
- ctype_num = tcn_SSL_get0_certificate_types(ssl, (const uint8_t **) &ctype_bytes);
- if (ctype_num <= 0) {
- // Use no certificate
- return 0;
- }
- keyTypes = (*e)->NewByteArray(e, ctype_num);
- if (keyTypes == NULL) {
- // Something went seriously wrong, bail out!
- return -1;
- }
- (*e)->SetByteArrayRegion(e, keyTypes, 0, ctype_num, ctype_bytes);
-
+ types = keyTypes(e, ssl);
issuers = principalBytes(e, SSL_get_client_CA_list(ssl));
// Execute the java callback
(*e)->CallVoidMethod(e, c->cert_requested_callback, c->cert_requested_callback_method,
- P2J(ssl), P2J(x509Out), P2J(pkeyOut), keyTypes, issuers);
+ P2J(ssl), P2J(x509Out), P2J(pkeyOut), types, issuers);
// Check if java threw an exception and if so signal back that we should not continue with the handshake.
if ((*e)->ExceptionCheck(e)) {
@@ -1564,6 +1608,101 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertRequestedCallback)(TCN_STDARGS, jlon
}
}
+
+static int certificate_cb(SSL* ssl, void* arg) {
+#if defined(LIBRESSL_VERSION_NUMBER)
+ // Not supported with LibreSSL
+ return -1;
+#else
+#ifndef OPENSSL_IS_BORINGSSL
+ if (OpenSSL_version_num() < 0x10002000L) {
+ // Only supported on openssl 1.0.2+
+ return -1;
+ }
+#endif // OPENSSL_IS_BORINGSSL
+
+ tcn_ssl_ctxt_t *c = tcn_SSL_get_app_data2(ssl);
+ TCN_ASSERT(c != NULL);
+
+ jobjectArray issuers;
+ JNIEnv *e;
+ jbyteArray types;
+
+ tcn_get_java_env(&e);
+
+ if (c->mode == SSL_MODE_SERVER) {
+ // TODO: Consider filling these somehow.
+ types = NULL;
+ issuers = NULL;
+ } else {
+ types = keyTypes(e, ssl);
+ issuers = principalBytes(e, SSL_get_client_CA_list(ssl));
+ }
+
+ // Execute the java callback
+ (*e)->CallVoidMethod(e, c->certificate_callback, c->certificate_callback_method,
+ P2J(ssl), types, issuers);
+
+ // Check if java threw an exception and if so signal back that we should not continue with the handshake.
+ if ((*e)->ExceptionCheck(e)) {
+ return -1;
+ }
+
+ // Everything good...
+ return 1;
+#endif /* defined(LIBRESSL_VERSION_NUMBER) */
+}
+
+TCN_IMPLEMENT_CALL(void, SSLContext, setCertificateCallback)(TCN_STDARGS, jlong ctx, jobject callback)
+{
+ tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
+
+ TCN_CHECK_NULL(c, ctx, /* void */);
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+ tcn_Throw(e, "Not supported with LibreSSL");
+#else
+ UNREFERENCED(o);
+
+// Use weak linking with GCC as this will alow us to run the same packaged version with multiple
+// version of openssl.
+#if defined(__GNUC__) || defined(__GNUG__)
+ if (!SSL_CTX_set_cert_cb) {
+ UNREFERENCED(o);
+ tcn_ThrowException(e, "Requires OpenSSL 1.0.2+");
+ }
+#endif // defined(__GNUC__) || defined(__GNUG__)
+
+// We can only support it when either use openssl version >= 1.0.2 or GCC as this way we can use weak linking
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
+ if (callback == NULL) {
+ SSL_CTX_set_cert_cb(c->ctx, NULL, NULL);
+ } else {
+ jclass callback_class = (*e)->GetObjectClass(e, callback);
+ if (callback_class == NULL) {
+ tcn_Throw(e, "Unable to retrieve callback class");
+ return;
+ }
+
+ jmethodID method = (*e)->GetMethodID(e, callback_class, "handle", "(J[B[[B)V");
+
+ if (method == NULL) {
+ tcn_Throw(e, "Unable to retrieve callback method");
+ return;
+ }
+ if (c->certificate_callback != NULL) {
+ (*e)->DeleteGlobalRef(e, c->certificate_callback);
+ }
+ c->certificate_callback = (*e)->NewGlobalRef(e, callback);
+ c->certificate_callback_method = method;
+
+ SSL_CTX_set_cert_cb(c->ctx, certificate_cb, NULL);
+ }
+#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
+
+#endif // defined(LIBRESSL_VERSION_NUMBER)
+}
+
static int ssl_servername_cb(SSL *ssl, int *ad, void *arg)
{
JNIEnv *e = NULL;
@@ -1674,6 +1813,15 @@ TCN_IMPLEMENT_CALL(jint, SSLContext, getMode)(TCN_STDARGS, jlong ctx)
return (jint) SSL_CTX_get_mode(c->ctx);
}
+TCN_IMPLEMENT_CALL(jlong, SSLContext, getSslCtx)(TCN_STDARGS, jlong ctx)
+{
+ tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
+
+ TCN_CHECK_NULL(c, ctx, 0);
+ return P2J(c->ctx);
+}
+
+
#if !defined(OPENSSL_NO_OCSP) && !defined(TCN_OCSP_NOT_SUPPORTED) && !defined(OPENSSL_IS_BORINGSSL)
static const int OCSP_CLIENT_ACK = 1;
@@ -1755,7 +1903,7 @@ static const JNINativeMethod fixed_method_table[] = {
{ TCN_METHOD_TABLE_ENTRY(setOptions, (JI)V, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(getOptions, (J)I, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(clearOptions, (JI)V, SSLContext) },
- { TCN_METHOD_TABLE_ENTRY(setCipherSuite, (JLjava/lang/String;)Z, SSLContext) },
+ { TCN_METHOD_TABLE_ENTRY(setCipherSuite, (JLjava/lang/String;Z)Z, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setCertificateChainFile, (JLjava/lang/String;Z)Z, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setCertificateChainBio, (JJZ)Z, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setCACertificateBio, (JJ)Z, SSLContext) },
@@ -1791,19 +1939,21 @@ static const JNINativeMethod fixed_method_table[] = {
// setCertVerifyCallback -> needs dynamic method table
// setCertRequestedCallback -> needs dynamic method table
+ // setCertificateCallback -> needs dynamic method table
// setSniHostnameMatcher -> needs dynamic method table
{ TCN_METHOD_TABLE_ENTRY(setSessionIdContext, (J[B)Z, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(setMode, (JI)I, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(getMode, (J)I, SSLContext) },
{ TCN_METHOD_TABLE_ENTRY(enableOcsp, (JZ)V, SSLContext) },
- { TCN_METHOD_TABLE_ENTRY(disableOcsp, (J)V, SSLContext) }
+ { TCN_METHOD_TABLE_ENTRY(disableOcsp, (J)V, SSLContext) },
+ { TCN_METHOD_TABLE_ENTRY(getSslCtx, (J)J, SSLContext) }
};
static const jint fixed_method_table_size = sizeof(fixed_method_table) / sizeof(fixed_method_table[0]);
static jint dynamicMethodsTableSize() {
- return fixed_method_table_size + 3;
+ return fixed_method_table_size + 4;
}
static JNINativeMethod* createDynamicMethodsTable(const char* packagePrefix) {
@@ -1823,8 +1973,15 @@ static JNINativeMethod* createDynamicMethodsTable(const char* packagePrefix) {
dynamicMethod->fnPtr = (void *) TCN_FUNCTION_NAME(SSLContext, setCertRequestedCallback);
free(dynamicTypeName);
- dynamicTypeName = netty_internal_tcnative_util_prepend(packagePrefix, "io/netty/internal/tcnative/SniHostNameMatcher;)V");
+ dynamicTypeName = netty_internal_tcnative_util_prepend(packagePrefix, "io/netty/internal/tcnative/CertificateCallback;)V");
dynamicMethod = &dynamicMethods[fixed_method_table_size + 2];
+ dynamicMethod->name = "setCertificateCallback";
+ dynamicMethod->signature = netty_internal_tcnative_util_prepend("(JL", dynamicTypeName);
+ dynamicMethod->fnPtr = (void *) TCN_FUNCTION_NAME(SSLContext, setCertificateCallback);
+ free(dynamicTypeName);
+
+ dynamicTypeName = netty_internal_tcnative_util_prepend(packagePrefix, "io/netty/internal/tcnative/SniHostNameMatcher;)V");
+ dynamicMethod = &dynamicMethods[fixed_method_table_size + 3];
dynamicMethod->name = "setSniHostnameMatcher";
dynamicMethod->signature = netty_internal_tcnative_util_prepend("(JL", dynamicTypeName);
dynamicMethod->fnPtr = (void *) TCN_FUNCTION_NAME(SSLContext, setSniHostnameMatcher);
=====================================
openssl-dynamic/src/main/c/sslutils.c
=====================================
@@ -106,6 +106,12 @@ const char* tcn_SSL_cipher_authentication_method(const SSL_CIPHER* cipher){
default:
return TCN_UNKNOWN_AUTH_METHOD;
}
+#ifndef OPENSSL_NO_TLS1_3
+ case NID_kx_any:
+ // Let us just pick one as we could use whatever we want.
+ // See https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_kx_nid.html
+ return "ECDHE_" SSL_TXT_RSA;
+#endif
default:
return TCN_UNKNOWN_AUTH_METHOD;
}
=====================================
openssl-dynamic/src/main/java/io/netty/internal/tcnative/CertificateCallback.java
=====================================
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2018 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.internal.tcnative;
+
+/**
+ * Is called during handshake and hooked into openssl via {@code SSL_CTX_set_cert_cb}.
+ *
+ * IMPORTANT: Implementations of this interface should be static as it is stored as a global reference via JNI. This
+ * means if you use an inner / anonymous class to implement this and also depend on the finalizer of the
+ * class to free up the SSLContext the finalizer will never run as the object is never GC, due the hard
+ * reference to the enclosing class. This will most likely result in a memory leak.
+ */
+public interface CertificateCallback {
+
+ /**
+ * The types contained in the {@code keyTypeBytes} array.
+ */
+ // Extracted from https://github.com/openssl/openssl/blob/master/include/openssl/tls1.h
+ byte TLS_CT_RSA_SIGN = 1;
+ byte TLS_CT_DSS_SIGN = 2;
+ byte TLS_CT_RSA_FIXED_DH = 3;
+ byte TLS_CT_DSS_FIXED_DH = 4;
+ byte TLS_CT_ECDSA_SIGN = 64;
+ byte TLS_CT_RSA_FIXED_ECDH = 65;
+ byte TLS_CT_ECDSA_FIXED_ECDH = 66;
+
+ /**
+ * Called during cert selection. If a certificate chain / key should be used
+ * {@link SSL#setKeyMaterial(long, long, long)} must be called from this callback after
+ * all preparations / validations were completed.
+ *
+ * @param ssl the SSL instance
+ * @param keyTypeBytes an array of the key types on client-mode or {@code null} on server-mode.
+ * @param asn1DerEncodedPrincipals the principals or {@code null}.
+ *
+ */
+ void handle(long ssl, byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) throws Exception;
+}
=====================================
openssl-dynamic/src/main/java/io/netty/internal/tcnative/CertificateRequestedCallback.java
=====================================
@@ -21,21 +21,24 @@ package io.netty.internal.tcnative;
* IMPORTANT: Implementations of this interface should be static as it is stored as a global reference via JNI. This
* means if you use an inner / anonymous class to implement this and also depend on the finalizer of the
* class to free up the SSLContext the finalizer will never run as the object is never GC, due the hard
- * reference to the enclosing class. This will most likely result in a memory leak.
+ * reference to the enclosing class. This will most likely result in a memory leak.+
+ *
+ * @deprecated use {@link CertificateCallback}
*/
+ at Deprecated
public interface CertificateRequestedCallback {
/**
* The types contained in the {@code keyTypeBytes} array.
*/
// Extracted from https://github.com/openssl/openssl/blob/master/include/openssl/tls1.h
- byte TLS_CT_RSA_SIGN = 1;
- byte TLS_CT_DSS_SIGN = 2;
- byte TLS_CT_RSA_FIXED_DH = 3;
- byte TLS_CT_DSS_FIXED_DH = 4;
- byte TLS_CT_ECDSA_SIGN = 64;
- byte TLS_CT_RSA_FIXED_ECDH = 65;
- byte TLS_CT_ECDSA_FIXED_ECDH = 66;
+ byte TLS_CT_RSA_SIGN = CertificateCallback.TLS_CT_RSA_SIGN;
+ byte TLS_CT_DSS_SIGN = CertificateCallback.TLS_CT_DSS_SIGN;
+ byte TLS_CT_RSA_FIXED_DH = CertificateCallback.TLS_CT_RSA_FIXED_DH;
+ byte TLS_CT_DSS_FIXED_DH = CertificateCallback.TLS_CT_DSS_FIXED_DH;
+ byte TLS_CT_ECDSA_SIGN = CertificateCallback.TLS_CT_ECDSA_SIGN;
+ byte TLS_CT_RSA_FIXED_ECDH = CertificateCallback.TLS_CT_RSA_FIXED_ECDH;
+ byte TLS_CT_ECDSA_FIXED_ECDH = CertificateCallback.TLS_CT_ECDSA_FIXED_ECDH;
/**
* Called during cert selection. If a certificate chain / key should be used
=====================================
openssl-dynamic/src/main/java/io/netty/internal/tcnative/NativeStaticallyReferencedJniMethods.java
=====================================
@@ -40,6 +40,7 @@ final class NativeStaticallyReferencedJniMethods {
static native int sslOpNoTLSv1();
static native int sslOpNoTLSv11();
static native int sslOpNoTLSv12();
+ static native int sslOpNoTLSv13();
static native int sslOpNoTicket();
/**
=====================================
openssl-dynamic/src/main/java/io/netty/internal/tcnative/SSL.java
=====================================
@@ -50,9 +50,10 @@ public final class SSL {
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
+ public static final int SSL_PROTOCOL_TLSV1_3 = (1<<5);
/** TLS_*method according to <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html">SSL_CTX_new</a> */
- public static final int SSL_PROTOCOL_TLS = (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
+ public static final int SSL_PROTOCOL_TLS = (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2 | SSL_PROTOCOL_TLSV1_3);
public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLS);
/*
@@ -69,6 +70,7 @@ public final class SSL {
public static final int SSL_OP_NO_TLSv1 = sslOpNoTLSv1();
public static final int SSL_OP_NO_TLSv1_1 = sslOpNoTLSv11();
public static final int SSL_OP_NO_TLSv1_2 = sslOpNoTLSv12();
+ public static final int SSL_OP_NO_TLSv1_3 = sslOpNoTLSv13();
public static final int SSL_OP_NO_TICKET = sslOpNoTicket();
public static final int SSL_OP_NO_COMPRESSION = sslOpNoCompression();
@@ -500,10 +502,33 @@ public final class SSL {
* @param ciphers an SSL cipher specification
* @return {@code true} if successful
* @throws Exception if an error happened
+ * @deprecated Use {@link #setCipherSuites(long, String, boolean)}
*/
- public static native boolean setCipherSuites(long ssl, String ciphers)
- throws Exception;
+ @Deprecated
+ public static boolean setCipherSuites(long ssl, String ciphers)
+ throws Exception {
+ return setCipherSuites(ssl, ciphers, false);
+ }
+ /**
+ * Returns the cipher suites available for negotiation in SSL handshake.
+ * <p>
+ * This complex directive uses a colon-separated cipher-spec string consisting
+ * of OpenSSL cipher specifications to configure the Cipher Suite the client
+ * is permitted to negotiate in the SSL handshake phase. Notice that this
+ * directive can be used both in per-server and per-directory context.
+ * In per-server context it applies to the standard SSL handshake when a
+ * connection is established. In per-directory context it forces a SSL
+ * renegotiation with the reconfigured Cipher Suite after the HTTP request
+ * was read but before the HTTP response is sent.
+ * @param ssl the SSL instance (SSL *)
+ * @param ciphers an SSL cipher specification
+ * @param tlsv13 {@code true} if the ciphers are for TLSv1.3
+ * @return {@code true} if successful
+ * @throws Exception if an error happened
+ */
+ public static native boolean setCipherSuites(long ssl, String ciphers, boolean tlsv13)
+ throws Exception;
/**
* Returns the ID of the session as byte array representation.
*
@@ -531,7 +556,16 @@ public final class SSL {
* @param ssl the SSL instance (SSL *)
* @param hostname the hostname
*/
- public static native void setTlsExtHostName(long ssl, String hostname);
+ public static void setTlsExtHostName(long ssl, String hostname) {
+ if (hostname != null && hostname.endsWith(".")) {
+ // Strip trailing dot if included.
+ // See https://github.com/netty/netty-tcnative/issues/400
+ hostname = hostname.substring(0, hostname.length() - 1);
+ }
+ setTlsExtHostName0(ssl, hostname);
+ }
+
+ private static native void setTlsExtHostName0(long ssl, String hostname);
/**
* Explicitly control <a href="https://wiki.openssl.org/index.php/Hostname_validation">hostname validation</a>
@@ -678,15 +712,31 @@ public final class SSL {
* {@link #parseX509Chain(long)} and {@link #parsePrivateKey(long, String)}. It's important to note that the caller
* of the method is responsible to free the passed in chain and key in any case as this method will increment the
* reference count of the chain and key.
+ *
+ * @deprecated use {@link #setKeyMaterial(long, long, long)}
*/
- public static native void setKeyMaterialServerSide(long ssl, long chain, long key) throws Exception;
+ @Deprecated
+ public static void setKeyMaterialServerSide(long ssl, long chain, long key) throws Exception {
+ setKeyMaterial(ssl, chain, key);
+ }
+
+ /**
+ * Sets the keymaterial to be used. The passed in chain and key needs to be generated via
+ * {@link #parseX509Chain(long)} and {@link #parsePrivateKey(long, String)}. It's important to note that the caller
+ * of the method is responsible to free the passed in chain and key in any case as this method will increment the
+ * reference count of the chain and key.
+ */
+ public static native void setKeyMaterial(long ssl, long chain, long key) throws Exception;
/**
* Sets the keymaterial to be used for the client side. The passed in chain and key needs to be generated via
* {@link #parseX509Chain(long)} and {@link #parsePrivateKey(long, String)}. It's important to note that the caller
* of the method is responsible to free the passed in chain and key in any case as this method will increment the
* reference count of the chain and key.
+ *
+ * @deprecated use {@link #setKeyMaterial(long, long, long)}
*/
+ @Deprecated
public static native void setKeyMaterialClientSide(long ssl, long x509Out, long pkeyOut, long chain, long key) throws Exception;
/**
@@ -722,4 +772,21 @@ public final class SSL {
* @throws Exception throws if setting the fips mode failed.
*/
public static native void fipsModeSet(int mode) throws Exception;
+
+ /**
+ * Return the SNI hostname that was sent as part of the SSL Hello.
+ * @param ssl the SSL instance (SSL *)
+ * @return the SNI hostname or {@code null} if none was used.
+ */
+ public static native String getSniHostname(long ssl);
+
+ /**
+ * Return the signature algorithms that the remote peer supports or {@code null} if none are supported.
+ * See <a href="https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_sigalgs.html"> man SSL_get_sigalgs</a> for more details.
+ * The returned names are generated using {@code OBJ_nid2ln} with the {@code psignhash} as parameter.
+ *
+ * @param ssl the SSL instance (SSL *)
+ * @return the signature algorithms or {@code null}.
+ */
+ public static native String[] getSigAlgs(long ssl);
}
=====================================
openssl-dynamic/src/main/java/io/netty/internal/tcnative/SSLContext.java
=====================================
@@ -110,8 +110,31 @@ public final class SSLContext {
* @param ciphers An SSL cipher specification.
* @return {@code true} if successful
* @throws Exception if an error happened
+ * @deprecated Use {@link #setCipherSuite(long, String, boolean)}.
*/
- public static native boolean setCipherSuite(long ctx, String ciphers) throws Exception;
+ @Deprecated
+ public static boolean setCipherSuite(long ctx, String ciphers) throws Exception {
+ return setCipherSuite(ctx, ciphers, false);
+ }
+
+ /**
+ * Cipher Suite available for negotiation in SSL handshake.
+ * <br>
+ * This complex directive uses a colon-separated cipher-spec string consisting
+ * of OpenSSL cipher specifications to configure the Cipher Suite the client
+ * is permitted to negotiate in the SSL handshake phase. Notice that this
+ * directive can be used both in per-server and per-directory context.
+ * In per-server context it applies to the standard SSL handshake when a
+ * connection is established. In per-directory context it forces a SSL
+ * renegotiation with the reconfigured Cipher Suite after the HTTP request
+ * was read but before the HTTP response is sent.
+ * @param ctx Server or Client context to use.
+ * @param ciphers An SSL cipher specification.
+ * @param tlsv13 {@code true} if the ciphers are for TLSv1.3
+ * @return {@code true} if successful
+ * @throws Exception if an error happened
+ */
+ public static native boolean setCipherSuite(long ctx, String ciphers, boolean tlsv13) throws Exception;
/**
* Set File of PEM-encoded Server CA Certificates
@@ -486,6 +509,15 @@ public final class SSLContext {
*/
public static native void setCertRequestedCallback(long ctx, CertificateRequestedCallback callback);
+ /**
+ * Allow to hook {@link CertificateCallback} into the certificate choosing process.
+ * This will call {@code SSL_CTX_set_cert_cb} and so replace the default verification
+ * callback used by openssl
+ * @param ctx Server or Client context to use.
+ * @param callback the callback to call during certificate selection.
+ */
+ public static native void setCertificateCallback(long ctx, CertificateCallback callback);
+
/**
* Allow to hook {@link SniHostNameMatcher} into the sni processing.
* This will call {@code SSL_CTX_set_tlsext_servername_callback} and so replace the default
@@ -565,4 +597,9 @@ public final class SSLContext {
* <p><a href="https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html">Search for OCSP</a>
*/
public static native void disableOcsp(long ctx);
+
+ /**
+ * Returns the {@code SSL_CTX}.
+ */
+ public static native long getSslCtx(long ctx);
}
=====================================
openssl-static/pom.xml
=====================================
@@ -19,7 +19,7 @@
<parent>
<groupId>io.netty</groupId>
<artifactId>netty-tcnative-parent</artifactId>
- <version>2.0.15.Final</version>
+ <version>2.0.20.Final</version>
</parent>
<artifactId>netty-tcnative-openssl-static</artifactId>
<packaging>jar</packaging>
@@ -51,30 +51,19 @@
</configuration>
</plugin>
- <!-- Configure the distribution statically linked against OpenSSL and APR -->
<plugin>
- <groupId>org.fusesource.hawtjni</groupId>
- <artifactId>maven-hawtjni-plugin</artifactId>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>build-helper-maven-plugin</artifactId>
<executions>
<execution>
- <id>build-native-lib</id>
+ <phase>generate-sources</phase>
<goals>
- <goal>generate</goal>
- <goal>build</goal>
+ <goal>add-source</goal>
</goals>
- <phase>compile</phase>
<configuration>
- <name>netty_tcnative</name>
- <nativeSourceDirectory>${project.basedir}/src/main/c</nativeSourceDirectory>
- <libDirectory>${nativeLibOnlyDir}</libDirectory>
- <forceAutogen>${forceAutogen}</forceAutogen>
- <forceConfigure>${forceConfigure}</forceConfigure>
- <windowsBuildTool>msbuild</windowsBuildTool>
- <configureArgs>
- <configureArg>--with-ssl=${sslHome}</configureArg>
- <configureArg>--with-apr=${aprHome}</configureArg>
- <configureArg>--with-static-libs</configureArg>
- </configureArgs>
+ <sources>
+ <source>${generatedSourcesDir}/java</source>
+ </sources>
</configuration>
</execution>
</executions>
@@ -106,6 +95,36 @@
</execution>
</executions>
</plugin>
+
+ <!-- Configure the distribution statically linked against OpenSSL and APR -->
+ <plugin>
+ <groupId>org.fusesource.hawtjni</groupId>
+ <artifactId>maven-hawtjni-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>build-native-lib</id>
+ <goals>
+ <goal>generate</goal>
+ <goal>build</goal>
+ </goals>
+ <phase>compile</phase>
+ <configuration>
+ <name>netty_tcnative</name>
+ <nativeSourceDirectory>${generatedSourcesDir}/c</nativeSourceDirectory>
+ <customPackageDirectory>${generatedSourcesDir}/native-package</customPackageDirectory>
+ <libDirectory>${nativeLibOnlyDir}</libDirectory>
+ <forceAutogen>${forceAutogen}</forceAutogen>
+ <forceConfigure>${forceConfigure}</forceConfigure>
+ <windowsBuildTool>msbuild</windowsBuildTool>
+ <configureArgs>
+ <configureArg>--with-ssl=${sslHome}</configureArg>
+ <configureArg>--with-apr=${aprHome}</configureArg>
+ <configureArg>--with-static-libs</configureArg>
+ </configureArgs>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</build>
@@ -123,7 +142,7 @@
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
- <id>build-openssl</id>
+ <id>source-openssl</id>
<phase>generate-sources</phase>
<goals>
<goal>run</goal>
@@ -133,46 +152,80 @@
<!-- Add the ant tasks from ant-contrib -->
<taskdef resource="net/sf/antcontrib/antcontrib.properties" />
- <!-- Download the openssl source. -->
- <ftp action="get" server="ftp.openssl.org" remotedir="source" userid="anonymous" password="anonymous" passive="yes" verbose="yes">
- <fileset dir="${project.build.directory}">
- <include name="**/openssl-${opensslVersion}.tar.gz" />
- </fileset>
- </ftp>
<if>
- <available file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" />
+ <available file="${opensslBuildDir}" />
<then>
- <echo>Move old version of openssl to correct directory</echo>
- <move file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" tofile="${project.build.directory}/openssl-${opensslVersion}.tar.gz" />
+ <echo message="OpenSSL was already downloaded, skipping the build step." />
</then>
+ <else>
+ <echo message="Downloading OpenSSL" />
+
+ <!-- Download the openssl source. -->
+ <ftp action="get" server="ftp.openssl.org" remotedir="source" userid="anonymous" password="anonymous" passive="yes" verbose="yes">
+ <fileset dir="${project.build.directory}">
+ <include name="**/openssl-${opensslVersion}.tar.gz" />
+ </fileset>
+ </ftp>
+ <if>
+ <available file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" />
+ <then>
+ <echo>Move old version of openssl to correct directory</echo>
+ <move file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" tofile="${project.build.directory}/openssl-${opensslVersion}.tar.gz" />
+ </then>
+ </if>
+ <checksum file="${project.build.directory}/openssl-${opensslVersion}.tar.gz" algorithm="SHA-256" property="${opensslSha256}" verifyProperty="isEqual" />
+ <gunzip src="${project.build.directory}/openssl-${opensslVersion}.tar.gz" dest="${project.build.directory}/" />
+ <untar src="${project.build.directory}/openssl-${opensslVersion}.tar" dest="${project.build.directory}/" />
+ </else>
</if>
- <checksum file="${project.build.directory}/openssl-${opensslVersion}.tar.gz" algorithm="SHA-256" property="${opensslSha256}" verifyProperty="isEqual" />
- <gunzip src="${project.build.directory}/openssl-${opensslVersion}.tar.gz" dest="${project.build.directory}/" />
- <untar src="${project.build.directory}/openssl-${opensslVersion}.tar" dest="${project.build.directory}/" />
+ </target>
+ </configuration>
+ </execution>
+
+ <execution>
+ <id>build-openssl</id>
+ <phase>compile</phase>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <configuration>
+ <target>
+ <!-- Add the ant tasks from ant-contrib -->
+ <taskdef resource="net/sf/antcontrib/antcontrib.properties" />
- <!-- Build for the correct platform -->
- <pathconvert property="sslHomePath" targetos="windows">
- <path location="${sslHome}" />
- </pathconvert>
<if>
- <equals arg1="${archBits}" arg2="32" />
+ <available file="${sslHome}" />
<then>
- <echo message="Building OpenSSL for Win32" />
- <exec executable="perl" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg line="Configure VC-WIN32 --prefix=${sslHomePath}" />
- </exec>
- <exec executable="nmake" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg line="install" />
- </exec>
+ <echo message="OpenSSL was already build, skipping the build step." />
</then>
<else>
- <echo message="Building OpenSSL for Win64" />
- <exec executable="perl" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg line="Configure VC-WIN64A --prefix=${sslHome}" />
- </exec>
- <exec executable="nmake" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg line="install" />
- </exec>
+ <echo message="Building OpenSSL" />
+
+ <!-- Build for the correct platform -->
+ <pathconvert property="sslHomePath" targetos="windows">
+ <path location="${sslHome}" />
+ </pathconvert>
+ <if>
+ <equals arg1="${archBits}" arg2="32" />
+ <then>
+ <echo message="Building OpenSSL for Win32" />
+ <exec executable="perl" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <arg line="Configure VC-WIN32 --prefix=${sslHomePath}" />
+ </exec>
+ <exec executable="nmake" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <arg line="install" />
+ </exec>
+ </then>
+ <else>
+ <echo message="Building OpenSSL for Win64" />
+ <exec executable="perl" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <arg line="Configure VC-WIN64A --prefix=${sslHome}" />
+ </exec>
+ <exec executable="nmake" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <arg line="install" />
+ </exec>
+ </else>
+ </if>
</else>
</if>
</target>
@@ -196,7 +249,7 @@
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
- <id>build-openssl</id>
+ <id>source-openssl</id>
<phase>generate-sources</phase>
<goals>
<goal>run</goal>
@@ -206,35 +259,69 @@
<!-- Add the ant tasks from ant-contrib -->
<taskdef resource="net/sf/antcontrib/antcontrib.properties" />
- <!-- Download the openssl source. -->
- <ftp action="get" server="ftp.openssl.org" remotedir="source" userid="anonymous" password="anonymous" passive="yes" verbose="yes">
- <fileset dir="${project.build.directory}">
- <include name="**/openssl-${opensslVersion}.tar.gz" />
- </fileset>
- </ftp>
<if>
- <available file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" />
+ <available file="${opensslBuildDir}" />
<then>
- <echo>Move old version of openssl to correct directory</echo>
- <move file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" tofile="${project.build.directory}/openssl-${opensslVersion}.tar.gz" />
+ <echo message="OpenSSL was already downloaded, skipping the build step." />
</then>
+ <else>
+ <echo message="Downloading OpenSSL" />
+
+ <!-- Download the openssl source. -->
+ <ftp action="get" server="ftp.openssl.org" remotedir="source" userid="anonymous" password="anonymous" passive="yes" verbose="yes">
+ <fileset dir="${project.build.directory}">
+ <include name="**/openssl-${opensslVersion}.tar.gz" />
+ </fileset>
+ </ftp>
+ <if>
+ <available file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" />
+ <then>
+ <echo>Move old version of openssl to correct directory</echo>
+ <move file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" tofile="${project.build.directory}/openssl-${opensslVersion}.tar.gz" />
+ </then>
+ </if>
+ <!-- Use the tar command (rather than the untar ant task) in order to preserve file permissions. -->
+ <exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
+ <arg line="xfvz openssl-${opensslVersion}.tar.gz" />
+ </exec>
+ </else>
</if>
- <!-- Use the tar command (rather than the untar ant task) in order to preserve file permissions. -->
- <exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
- <arg line="xfvz openssl-${opensslVersion}.tar.gz" />
- </exec>
+ </target>
+ </configuration>
+ </execution>
- <mkdir dir="${sslHome}" />
- <exec executable="config" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg line="-O3 -fno-omit-frame-pointer -fPIC no-ssl2 no-ssl3 no-shared no-comp -DOPENSSL_NO_HEARTBEATS --prefix=${sslHome} --openssldir=${sslHome}" />
- </exec>
- <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg value="depend" />
- </exec>
- <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true" />
- <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg value="install" />
- </exec>
+ <execution>
+ <id>build-openssl</id>
+ <phase>compile</phase>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <configuration>
+ <target>
+ <!-- Add the ant tasks from ant-contrib -->
+ <taskdef resource="net/sf/antcontrib/antcontrib.properties" />
+
+ <if>
+ <available file="${sslHome}" />
+ <then>
+ <echo message="OpenSSL was already build, skipping the build step." />
+ </then>
+ <else>
+ <echo message="Building OpenSSL" />
+ <mkdir dir="${sslHome}" />
+ <exec executable="config" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <arg line="-O3 -fno-omit-frame-pointer -fPIC no-ssl2 no-ssl3 no-shared no-comp -DOPENSSL_NO_HEARTBEATS --prefix=${sslHome} --openssldir=${sslHome}" />
+ </exec>
+ <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <arg value="depend" />
+ </exec>
+ <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true" />
+ <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <!-- Don't install manpages to make things as fast a possible -->
+ <arg value="install_sw" />
+ </exec>
+ </else>
+ </if>
</target>
</configuration>
</execution>
@@ -256,7 +343,7 @@
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
- <id>build-openssl</id>
+ <id>source-openssl</id>
<phase>generate-sources</phase>
<goals>
<goal>run</goal>
@@ -266,35 +353,68 @@
<!-- Add the ant tasks from ant-contrib -->
<taskdef resource="net/sf/antcontrib/antcontrib.properties" />
- <!-- Download the openssl source. -->
- <ftp action="get" server="ftp.openssl.org" remotedir="source" userid="anonymous" password="anonymous" passive="yes" verbose="yes">
- <fileset dir="${project.build.directory}">
- <include name="**/openssl-${opensslVersion}.tar.gz" />
- </fileset>
- </ftp>
<if>
- <available file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" />
+ <available file="${opensslBuildDir}" />
<then>
- <echo>Move old version of openssl to correct directory</echo>
- <move file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" tofile="${project.build.directory}/openssl-${opensslVersion}.tar.gz" />
+ <echo message="OpenSSL was already downloaded, skipping the build step." />
</then>
+ <else>
+ <echo message="Downloading OpenSSL" />
+
+ <!-- Download the openssl source. -->
+ <ftp action="get" server="ftp.openssl.org" remotedir="source" userid="anonymous" password="anonymous" passive="yes" verbose="yes">
+ <fileset dir="${project.build.directory}">
+ <include name="**/openssl-${opensslVersion}.tar.gz" />
+ </fileset>
+ </ftp>
+ <if>
+ <available file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" />
+ <then>
+ <echo>Move old version of openssl to correct directory</echo>
+ <move file="${project.build.directory}/old/${opensslMinorVersion}/openssl-${opensslVersion}.tar.gz" tofile="${project.build.directory}/openssl-${opensslVersion}.tar.gz" />
+ </then>
+ </if>
+ <!-- Use the tar command (rather than the untar ant task) in order to preserve file permissions. -->
+ <exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
+ <arg line="xfvz openssl-${opensslVersion}.tar.gz" />
+ </exec>
+ </else>
</if>
- <!-- Use the tar command (rather than the untar ant task) in order to preserve file permissions. -->
- <exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
- <arg line="xfvz openssl-${opensslVersion}.tar.gz" />
- </exec>
+ </target>
+ </configuration>
+ </execution>
+ <execution>
+ <id>build-openssl</id>
+ <phase>compile</phase>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <configuration>
+ <target>
+ <!-- Add the ant tasks from ant-contrib -->
+ <taskdef resource="net/sf/antcontrib/antcontrib.properties" />
- <mkdir dir="${sslHome}" />
- <exec executable="Configure" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg line="darwin64-x86_64-cc -O3 -fno-omit-frame-pointer -fPIC no-ssl2 no-ssl3 no-shared no-comp -DOPENSSL_NO_HEARTBEATS --prefix=${sslHome} --openssldir=${sslHome}" />
- </exec>
- <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg value="depend" />
- </exec>
- <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true" />
- <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
- <arg value="install" />
- </exec>
+ <if>
+ <available file="${sslHome}" />
+ <then>
+ <echo message="OpenSSL was already build, skipping the build step." />
+ </then>
+ <else>
+ <echo message="Building OpenSSL" />
+ <mkdir dir="${sslHome}" />
+ <exec executable="Configure" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <arg line="darwin64-x86_64-cc -O3 -fno-omit-frame-pointer -fPIC no-ssl2 no-ssl3 no-shared no-comp -DOPENSSL_NO_HEARTBEATS --prefix=${sslHome} --openssldir=${sslHome}" />
+ </exec>
+ <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <arg value="depend" />
+ </exec>
+ <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true" />
+ <exec executable="make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
+ <!-- Don't install manpages to make things as fast a possible -->
+ <arg value="install_sw" />
+ </exec>
+ </else>
+ </if>
</target>
</configuration>
</execution>
=====================================
pom.xml
=====================================
@@ -19,10 +19,10 @@
<parent>
<groupId>io.netty</groupId>
<artifactId>netty-parent</artifactId>
- <version>4.0.18.Final</version>
+ <version>4.0.29.Final</version>
</parent>
<artifactId>netty-tcnative-parent</artifactId>
- <version>2.0.15.Final</version>
+ <version>2.0.20.Final</version>
<packaging>pom</packaging>
<name>Netty/TomcatNative [Parent]</name>
@@ -35,11 +35,15 @@
<url>https://github.com/netty/netty-tcnative</url>
<connection>scm:git:git://github.com/netty/netty-tcnative.git</connection>
<developerConnection>scm:git:ssh://git@github.com/netty/netty-tcnative.git</developerConnection>
- <tag>netty-tcnative-parent-2.0.15.Final</tag>
+ <tag>netty-tcnative-parent-2.0.20.Final</tag>
</scm>
<properties>
<checkstyle.skip>true</checkstyle.skip>
+ <enforcer.plugin.version>1.4.1</enforcer.plugin.version>
+ <maven.compiler.source>1.6</maven.compiler.source>
+ <maven.compiler.target>1.6</maven.compiler.target>
+ <netty.build.version>22</netty.build.version>
<animal.sniffer.skip>true</animal.sniffer.skip>
<forceAutogen>false</forceAutogen>
<forceConfigure>false</forceConfigure>
@@ -49,8 +53,8 @@
<nativeJarFile>${project.build.directory}/${project.build.finalName}-${os.detected.classifier}.jar</nativeJarFile>
<nativeLibOnlyDir>${project.build.directory}/native-lib-only</nativeLibOnlyDir>
<nativeJarWorkdir>${project.build.directory}/native-jar-work</nativeJarWorkdir>
- <aprVersion>1.6.3</aprVersion>
- <aprMd5>57c6cc26a31fe420c546ad2234f22db4</aprMd5>
+ <aprVersion>1.6.5</aprVersion>
+ <aprSha256>70dcf9102066a2ff2ffc47e93c289c8e54c95d8dda23b503f9e61bb0cbd2d105</aprSha256>
<boringsslBranch>chromium-stable</boringsslBranch>
<libresslVersion>2.7.4</libresslVersion>
<!--
@@ -65,10 +69,10 @@
- Record the sha256: sha1sum -a 256 libressl-{libresslVersion}.tar.gz (shasum on osx)
-->
<libresslSha256>1e3a9fada06c1c060011470ad0ff960de28f9a0515277d7336f7e09362517da6</libresslSha256>
- <opensslMinorVersion>1.1.0</opensslMinorVersion>
- <opensslPatchVersion>i</opensslPatchVersion>
+ <opensslMinorVersion>1.1.1</opensslMinorVersion>
+ <opensslPatchVersion />
<opensslVersion>${opensslMinorVersion}${opensslPatchVersion}</opensslVersion>
- <opensslSha256>50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00</opensslSha256>
+ <opensslSha256>2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d</opensslSha256>
<aprHome>${project.build.directory}/apr</aprHome>
<aprBuildDir>${project.build.directory}/apr-${aprVersion}</aprBuildDir>
<archBits>64</archBits>
@@ -78,6 +82,7 @@
<msvcSslLibDirs>${sslHome}/lib</msvcSslLibDirs>
<msvcSslLibs>libssl.lib;libcrypto.lib</msvcSslLibs>
<strip.skip>false</strip.skip>
+ <generatedSourcesDir>${project.build.directory}/generated-sources</generatedSourcesDir>
</properties>
<build>
@@ -146,12 +151,34 @@
</pluginManagement>
<plugins>
- <!-- Recent tcnative requires JDK 1.7 to build -->
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
- <source>1.6</source>
- <target>1.6</target>
+ <source>${maven.compiler.source}</source>
+ <target>${maven.compiler.target}</target>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <configuration combine.self="override">
+ <includes>
+ <include>**/*Test*.java</include>
+ <include>**/*Benchmark*.java</include>
+ </includes>
+ <excludes>
+ <exclude>**/Abstract*</exclude>
+ <exclude>**/*TestUtil*</exclude>
+ </excludes>
+ <runOrder>random</runOrder>
+ <properties>
+ <property>
+ <name>listener</name>
+ <value>io.netty.build.junit.TimedOutTestsListener</value>
+ </property>
+ </properties>
+ <!-- Ensure the whole stacktrace is preserved when an exception is thrown. See https://issues.apache.org/jira/browse/SUREFIRE-1457 -->
+ <trimStackTrace>false</trimStackTrace>
</configuration>
</plugin>
@@ -170,8 +197,8 @@
<!-- Copy all of the code from the dynamic module -->
<delete dir="src" quiet="true" />
<mkdir dir="src" />
- <copy todir="${basedir}/src" verbose="true">
- <fileset dir="${opensslDynamicDir}/src" />
+ <copy todir="${generatedSourcesDir}" verbose="true">
+ <fileset dir="${opensslDynamicDir}/src/main" />
</copy>
<!-- Convert the paths to windows format -->
@@ -199,7 +226,7 @@
<filter token="SSL_INCLUDE_DIRS" value="${sslIncludeDirsWindowsPath}" />
<filter token="SSL_LIB_DIR" value="${sslLibDirsWindowsPath}" />
<filter token="SSL_LIBS" value="${msvcSslLibs}" />
- <copy file="${vsStaticTemplateFile}" tofile="src/main/native-package/vs2010.vcxproj" filtering="true" overwrite="true" verbose="true" />
+ <copy file="${vsStaticTemplateFile}" tofile="${generatedSourcesDir}/native-package/vs2010.vcxproj" filtering="true" overwrite="true" verbose="true" />
</target>
</configuration>
</execution>
@@ -270,6 +297,7 @@
<plugin>
<artifactId>maven-enforcer-plugin</artifactId>
+ <version>${enforcer.plugin.version}</version>
<executions>
<execution>
<id>enforce-tools</id>
@@ -289,6 +317,14 @@
</plugins>
</build>
+ <dependencies>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-build</artifactId>
+ <version>${netty.build.version}</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
<profiles>
<profile>
<id>disable-autogen-windows</id>
@@ -313,35 +349,75 @@
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
- <id>build-apr</id>
+ <id>source-apr</id>
<phase>generate-sources</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
- <target name="build-apr" if="${linkStatic}">
- <property name="aprArchiveFile" value="apr-${aprVersion}-win32-src.zip" />
- <get src="http://archive.apache.org/dist/apr/${aprArchiveFile}" dest="${project.build.directory}/${aprArchiveFile}" verbose="on" />
- <unzip src="${project.build.directory}/${aprArchiveFile}" dest="${project.build.directory}" />
- <condition property="windowsRelease" value="Win32 Release" else="x64 Release">
- <equals arg1="${archBits}" arg2="32" />
- </condition>
- <echo message="archBits=${archBits}. Using windowsRelease=${windowsRelease}" />
- <!-- On Windows, force building APR with /MT for static linking -->
- <replace dir="${aprBuildDir}" token="/MD" value="/MT">
- <include name="*.mak" />
- </replace>
- <retry retrycount="3">
- <exec executable="nmake" failonerror="true" dir="${aprBuildDir}" resolveexecutable="true">
- <arg line="/f Makefile.win ARCH="${windowsRelease}" PREFIX=..\apr buildall install" />
- </exec>
- </retry>
- <copy todir="${aprHome}/include">
- <fileset dir="${aprBuildDir}/include/arch/win32" includes="*.h" />
- </copy>
- <copy todir="${aprHome}">
- <fileset dir="${aprBuildDir}/include/arch" includes="*.h" />
- </copy>
+ <target if="${linkStatic}">
+ <!-- Add the ant tasks from ant-contrib -->
+ <taskdef resource="net/sf/antcontrib/antcontrib.properties" />
+
+ <if>
+ <available file="${aprBuildDir}" />
+ <then>
+ <echo message="APR was already downloaded, skipping the build step." />
+ </then>
+ <else>
+ <echo message="Downloading APR" />
+
+ <property name="aprArchiveFile" value="apr-${aprVersion}-win32-src.zip" />
+ <get src="http://archive.apache.org/dist/apr/${aprArchiveFile}" dest="${project.build.directory}/${aprArchiveFile}" verbose="on" />
+ <unzip src="${project.build.directory}/${aprArchiveFile}" dest="${project.build.directory}" />
+ <condition property="windowsRelease" value="Win32 Release" else="x64 Release">
+ <equals arg1="${archBits}" arg2="32" />
+ </condition>
+ </else>
+ </if>
+ </target>
+ </configuration>
+ </execution>
+ <execution>
+ <id>build-apr</id>
+ <phase>compile</phase>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <configuration>
+ <target if="${linkStatic}">
+ <!-- Add the ant tasks from ant-contrib -->
+ <taskdef resource="net/sf/antcontrib/antcontrib.properties" />
+
+ <if>
+ <available file="${aprHome}" />
+ <then>
+ <echo message="APR was already build, skipping the build step." />
+ </then>
+ <else>
+ <echo message="Building APR" />
+
+ <condition property="windowsRelease" value="Win32 Release" else="x64 Release">
+ <equals arg1="${archBits}" arg2="32" />
+ </condition>
+ <echo message="archBits=${archBits}. Using windowsRelease=${windowsRelease}" />
+ <!-- On Windows, force building APR with /MT for static linking -->
+ <replace dir="${aprBuildDir}" token="/MD" value="/MT">
+ <include name="*.mak" />
+ </replace>
+ <retry retrycount="3">
+ <exec executable="nmake" failonerror="true" dir="${aprBuildDir}" resolveexecutable="true">
+ <arg line="/f Makefile.win ARCH="${windowsRelease}" PREFIX=..\apr buildall install" />
+ </exec>
+ </retry>
+ <copy todir="${aprHome}/include">
+ <fileset dir="${aprBuildDir}/include/arch/win32" includes="*.h" />
+ </copy>
+ <copy todir="${aprHome}">
+ <fileset dir="${aprBuildDir}/include/arch" includes="*.h" />
+ </copy>
+ </else>
+ </if>
</target>
</configuration>
</execution>
@@ -363,30 +439,66 @@
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
- <id>build-apr-linux-mac</id>
+ <id>source-apr-linux-mac</id>
<phase>generate-sources</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<target if="${linkStatic}">
- <property name="aprTarGzFile" value="apr-${aprVersion}.tar.gz" />
- <property name="aprTarFile" value="apr-${aprVersion}.tar" />
- <get src="http://archive.apache.org/dist/apr/${aprTarGzFile}" dest="${project.build.directory}/${aprTarGzFile}" verbose="on" />
- <checksum file="${project.build.directory}/${aprTarGzFile}" algorithm="MD5" property="${aprMd5}" verifyProperty="isEqual" />
- <gunzip src="${project.build.directory}/${aprTarGzFile}" dest="${project.build.directory}" />
- <!-- Use the tar command (rather than the untar ant task) in order to preserve file permissions. -->
- <exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
- <arg line="xfvz ${aprTarGzFile}" />
- </exec>
- <mkdir dir="${aprHome}" />
- <exec executable="configure" failonerror="true" dir="${aprBuildDir}" resolveexecutable="true">
- <arg line="--disable-shared --prefix=${aprHome} CFLAGS='-O3 -fno-omit-frame-pointer -fPIC'" />
- </exec>
- <exec executable="make" failonerror="true" dir="${aprBuildDir}" resolveexecutable="true" />
- <exec executable="make" failonerror="true" dir="${aprBuildDir}" resolveexecutable="true">
- <arg line="install" />
- </exec>
+ <!-- Add the ant tasks from ant-contrib -->
+ <taskdef resource="net/sf/antcontrib/antcontrib.properties" />
+
+ <if>
+ <available file="${aprBuildDir}" />
+ <then>
+ <echo message="APR was already downloaded, skipping the build step." />
+ </then>
+ <else>
+ <echo message="Downloading and unpacking APR" />
+
+ <property name="aprTarGzFile" value="apr-${aprVersion}.tar.gz" />
+ <property name="aprTarFile" value="apr-${aprVersion}.tar" />
+ <get src="http://archive.apache.org/dist/apr/${aprTarGzFile}" dest="${project.build.directory}/${aprTarGzFile}" verbose="on" />
+ <checksum file="${project.build.directory}/${aprTarGzFile}" algorithm="SHA-256" property="${aprSha256}" verifyProperty="isEqual" />
+ <gunzip src="${project.build.directory}/${aprTarGzFile}" dest="${project.build.directory}" />
+ <!-- Use the tar command (rather than the untar ant task) in order to preserve file permissions. -->
+ <exec executable="tar" failonerror="true" dir="${project.build.directory}/" resolveexecutable="true">
+ <arg line="xfvz ${aprTarGzFile}" />
+ </exec>
+ </else>
+ </if>
+ </target>
+ </configuration>
+ </execution>
+ <execution>
+ <id>build-apr-linux-mac</id>
+ <phase>compile</phase>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <configuration>
+ <target if="${linkStatic}">
+ <!-- Add the ant tasks from ant-contrib -->
+ <taskdef resource="net/sf/antcontrib/antcontrib.properties" />
+
+ <if>
+ <available file="${aprHome}" />
+ <then>
+ <echo message="APR was already build, skipping the build step." />
+ </then>
+ <else>
+ <echo message="Building APR" />
+ <mkdir dir="${aprHome}" />
+ <exec executable="configure" failonerror="true" dir="${aprBuildDir}" resolveexecutable="true">
+ <arg line="--disable-shared --prefix=${aprHome} CFLAGS='-O3 -fno-omit-frame-pointer -fPIC'" />
+ </exec>
+ <exec executable="make" failonerror="true" dir="${aprBuildDir}" resolveexecutable="true" />
+ <exec executable="make" failonerror="true" dir="${aprBuildDir}" resolveexecutable="true">
+ <arg line="install" />
+ </exec>
+ </else>
+ </if>
</target>
</configuration>
</execution>
@@ -444,7 +556,7 @@
<dependency>
<groupId>com.ceilfors.maven.plugin</groupId>
<artifactId>enforcer-rules</artifactId>
- <version>1.1.0</version>
+ <version>1.2.0</version>
</dependency>
</dependencies>
</plugin>
@@ -475,5 +587,53 @@
<module>libressl-static</module>
</modules>
</profile>
+
+ <profile>
+ <id>java9</id>
+ <activation>
+ <jdk>9</jdk>
+ </activation>
+ <properties>
+ <!-- Needed because of https://issues.apache.org/jira/browse/MENFORCER-275 -->
+ <enforcer.plugin.version>3.0.0-M1</enforcer.plugin.version>
+ </properties>
+ </profile>
+
+ <profile>
+ <id>java10</id>
+ <activation>
+ <jdk>10</jdk>
+ </activation>
+ <properties>
+ <!-- Needed because of https://issues.apache.org/jira/browse/MENFORCER-275 -->
+ <enforcer.plugin.version>3.0.0-M1</enforcer.plugin.version>
+ </properties>
+ </profile>
+
+ <profile>
+ <id>java11</id>
+ <activation>
+ <jdk>11</jdk>
+ </activation>
+ <properties>
+ <!-- Needed because of https://issues.apache.org/jira/browse/MENFORCER-275 -->
+ <enforcer.plugin.version>3.0.0-M1</enforcer.plugin.version>
+ </properties>
+ </profile>
+
+ <profile>
+ <id>java12</id>
+ <activation>
+ <jdk>12</jdk>
+ </activation>
+ <properties>
+ <!-- Needed because of https://issues.apache.org/jira/browse/MENFORCER-275 -->
+ <enforcer.plugin.version>3.0.0-M1</enforcer.plugin.version>
+
+ <!-- This is the minimum supported by Java12 -->
+ <maven.compiler.source>1.7</maven.compiler.source>
+ <maven.compiler.target>1.7</maven.compiler.target>
+ </properties>
+ </profile>
</profiles>
</project>
View it on GitLab: https://salsa.debian.org/java-team/netty-tcnative/compare/3feab3ba73915675cd76c846dd433b7079b1f1d4...0cb0c2991c401c2c82943bfffe8a7df3067c2f56
--
View it on GitLab: https://salsa.debian.org/java-team/netty-tcnative/compare/3feab3ba73915675cd76c846dd433b7079b1f1d4...0cb0c2991c401c2c82943bfffe8a7df3067c2f56
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20190122/eb55592e/attachment.html>
More information about the pkg-java-commits
mailing list