Google Git
Sign in
chromium / external / netty-tcnative / 5b46a8ef4a39c39c576fcdaaf718b585d75df463 / . / java / io / netty / internal / tcnative / SSL.java
blob: a126d1837f2486b25a542f33bae5a45b336383a5 [file] [log] [blame]
/*
* Copyright 2016 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.netty.internal.tcnative;
import java.nio.ByteBuffer;
import static io.netty.internal.tcnative.NativeStaticallyReferencedJniMethods.*;
public final class SSL {
private SSL() { }
/*
* Define the SSL Protocol options
*/
public static final int SSL_PROTOCOL_NONE = 0;
public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
/** TLS_*method according to <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html">SSL_CTX_new</a> */
public static final int SSL_PROTOCOL_TLS = (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLS);
/*
* Define the SSL verify levels
*/
public static final int SSL_CVERIFY_IGNORED = -1;
public static final int SSL_CVERIFY_NONE = 0;
public static final int SSL_CVERIFY_OPTIONAL = 1;
public static final int SSL_CVERIFY_REQUIRED = 2;
public static final int SSL_OP_CIPHER_SERVER_PREFERENCE = sslOpCipherServerPreference();
public static final int SSL_OP_NO_SSLv2 = sslOpNoSSLv2();
public static final int SSL_OP_NO_SSLv3 = sslOpNoSSLv3();
public static final int SSL_OP_NO_TLSv1 = sslOpNoTLSv1();
public static final int SSL_OP_NO_TLSv1_1 = sslOpNoTLSv11();
public static final int SSL_OP_NO_TLSv1_2 = sslOpNoTLSv12();
public static final int SSL_OP_NO_TICKET = sslOpNoTicket();
public static final int SSL_OP_NO_COMPRESSION = sslOpNoCompression();
public static final int SSL_MODE_CLIENT = 0;
public static final int SSL_MODE_SERVER = 1;
public static final int SSL_MODE_COMBINED = 2;
public static final long SSL_SESS_CACHE_OFF = sslSessCacheOff();
public static final long SSL_SESS_CACHE_SERVER = sslSessCacheServer();
public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE = 0;
public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL = 1;
public static final int SSL_ST_CONNECT = sslStConnect();
public static final int SSL_ST_ACCEPT = sslStAccept();
public static final int SSL_MODE_ENABLE_PARTIAL_WRITE = sslModeEnablePartialWrite();
public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = sslModeAcceptMovingWriteBuffer();
public static final int SSL_MODE_RELEASE_BUFFERS = sslModeReleaseBuffers();
// https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html
public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = x509CheckFlagAlwaysCheckSubject();
public static final int X509_CHECK_FLAG_NO_WILD_CARDS = x509CheckFlagDisableWildCards();
public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS = x509CheckFlagNoPartialWildCards();
public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = x509CheckFlagMultiLabelWildCards();
/* Return OpenSSL version number */
public static native int version();
/* Return OpenSSL version string */
public static native String versionString();
/**
* Initialize OpenSSL support.
*
* This function needs to be called once for the
* lifetime of JVM. See {@link Library#initialize(String, String)}
*
* @param engine Support for external a Crypto Device ("engine"),
* usually a hardware accelerator card for crypto operations.
* @return APR status code
*/
static native int initialize(String engine);
/**
* Initialize new in-memory BIO that is located in the secure heap.
*
* @return New BIO handle
* @throws Exception if an error happened.
*/
public static native long newMemBIO() throws Exception;
/**
* Return last SSL error string
*
* @return the last SSL error string.
*/
public static native String getLastError();
/**
* Return true if all the requested SSL_OP_* are supported by OpenSSL.
*
* @param op Bitwise-OR of all SSL_OP_* to test.
*
* @return true if all SSL_OP_* are supported by OpenSSL library.
*/
public static native boolean hasOp(int op);
/*
* Begin Twitter API additions
*/
public static final int SSL_SENT_SHUTDOWN = sslSendShutdown();
public static final int SSL_RECEIVED_SHUTDOWN = sslReceivedShutdown();
public static final int SSL_ERROR_NONE = sslErrorNone();
public static final int SSL_ERROR_SSL = sslErrorSSL();
public static final int SSL_ERROR_WANT_READ = sslErrorWantRead();
public static final int SSL_ERROR_WANT_WRITE = sslErrorWantWrite();
public static final int SSL_ERROR_WANT_X509_LOOKUP = sslErrorWantX509Lookup();
public static final int SSL_ERROR_SYSCALL = sslErrorSyscall(); /* look at error stack/return value/errno */
public static final int SSL_ERROR_ZERO_RETURN = sslErrorZeroReturn();
public static final int SSL_ERROR_WANT_CONNECT = sslErrorWantConnect();
public static final int SSL_ERROR_WANT_ACCEPT = sslErrorWantAccept();
/**
* SSL_new
* @param ctx Server or Client context to use.
* @param server if true configure SSL instance to use accept handshake routines
* if false configure SSL instance to use connect handshake routines
* @return pointer to SSL instance (SSL *)
*/
public static native long newSSL(long ctx, boolean server);
/**
* SSL_get_error
* @param ssl SSL pointer (SSL *)
* @param ret TLS/SSL I/O return value
* @return the error code
*/
public static native int getError(long ssl, int ret);
/**
* BIO_write
* @param bioAddress The address of a {@code BIO*}.
* @param wbufAddress The address of a native {@code char*}.
* @param wlen The length to write starting at {@code wbufAddress}.
* @return The number of bytes that were written.
* See <a href="https://www.openssl.org/docs/man1.0.1/crypto/BIO_write.html">BIO_write</a> for exceptional return values.
*/
public static native int bioWrite(long bioAddress, long wbufAddress, int wlen);
/**
* Initialize the BIO for the SSL instance. This is a custom BIO which is designed to play nicely with a direct
* {@link ByteBuffer}. Because it is a special BIO it requires special usage such that
* {@link #bioSetByteBuffer(long, long, int, boolean)} and {@link #bioClearByteBuffer(long)} are called in order to provide
* to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting write at the appropriate times.
*
* @param ssl the SSL instance (SSL *)
* @param nonApplicationBufferSize The size of the internal buffer for write operations that are not
* initiated directly by the application attempting to encrypt data.
* Must be &gt;{@code 0}.
* @return pointer to the Network BIO (BIO *).
* The memory is owned by {@code ssl} and will be cleaned up by {@link #freeSSL(long)}.
*/
public static native long bioNewByteBuffer(long ssl, int nonApplicationBufferSize);
/**
* Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted
* data from.
* <p>
* After you are done buffering data you should call {@link #bioClearByteBuffer(long)}.
* @param bio {@code BIO*}.
* @param bufferAddress The memory address (typically from a direct {@link ByteBuffer}) which will be used
* to either write encrypted data to, or read encrypted data from by OpenSSL's internal BIO pair.
* @param maxUsableBytes The maximum usable length in bytes starting at {@code bufferAddress}.
* @param isSSLWriteSink {@code true} if this buffer is expected to buffer data as a result of calls to {@code SSL_write}.
* {@code false} if this buffer is expected to buffer data as a result of calls to {@code SSL_read}.
*/
public static native void bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink);
/**
* After you are done buffering data from {@link #bioSetByteBuffer(long, long, int, boolean)}, this will ensure the
* internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..).
* @param bio {@code BIO*}.
*/
public static native void bioClearByteBuffer(long bio);
/**
* Flush any pending bytes in the internal SSL write buffer.
* <p>
* This does the same thing as {@code BIO_flush} for a {@code BIO*} of type {@link #bioNewByteBuffer(long, int)} but
* returns the number of bytes that were flushed.
* @param bio {@code BIO*}.
* @return The number of bytes that were flushed.
*/
public static native int bioFlushByteBuffer(long bio);
/**
* Get the remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}.
* @param bio {@code BIO*}.
* @return The remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}.
*/
public static native int bioLengthByteBuffer(long bio);
/**
* Get the amount of data pending in buffer used for non-application writes.
* This value will not exceed the value configured in {@link #bioNewByteBuffer(long, int)}.
* @param bio {@code BIO*}.
* @return the amount of data pending in buffer used for non-application writes.
*/
public static native int bioLengthNonApplication(long bio);
/**
* SSL_write
* @param ssl the SSL instance (SSL *)
* @param wbuf the memory address of the buffer
* @param wlen the length
* @return the number of written bytes
*/
public static native int writeToSSL(long ssl, long wbuf, int wlen);
/**
* SSL_read
* @param ssl the SSL instance (SSL *)
* @param rbuf the memory address of the buffer
* @param rlen the length
* @return the number of read bytes
*/
public static native int readFromSSL(long ssl, long rbuf, int rlen);
/**
* SSL_get_shutdown
* @param ssl the SSL instance (SSL *)
* @return the return code of {@code SSL_get_shutdown}
*/
public static native int getShutdown(long ssl);
/**
* SSL_set_shutdown
* @param ssl the SSL instance (SSL *)
* @param mode the mode to use
*/
public static native void setShutdown(long ssl, int mode);
/**
* SSL_free
* @param ssl the SSL instance (SSL *)
*/
public static native void freeSSL(long ssl);
/**
* BIO_free
* @param bio the BIO
*/
public static native void freeBIO(long bio);
/**
* SSL_shutdown
* @param ssl the SSL instance (SSL *)
* @return the return code of {@code SSL_shutdown}
*/
public static native int shutdownSSL(long ssl);
/**
* Get the error number representing the last error OpenSSL encountered on this thread.
* @return the last error code for the calling thread.
*/
public static native int getLastErrorNumber();
/**
* SSL_get_cipher
* @param ssl the SSL instance (SSL *)
* @return the name of the current cipher.
*/
public static native String getCipherForSSL(long ssl);
/**
* SSL_get_version
* @param ssl the SSL instance (SSL *)
* @return the version.
*/
public static native String getVersion(long ssl);
/**
* SSL_do_handshake
* @param ssl the SSL instance (SSL *)
* @return the return code of {@code SSL_do_handshake}.
*/
public static native int doHandshake(long ssl);
/**
* SSL_in_init
* @param ssl the SSL instance (SSL *)
* @return the return code of {@code SSL_in_init}.
*/
public static native int isInInit(long ssl);
/**
* SSL_get0_next_proto_negotiated
* @param ssl the SSL instance (SSL *)
* @return the name of the negotiated proto
*/
public static native String getNextProtoNegotiated(long ssl);
/*
* End Twitter API Additions
*/
/**
* SSL_get0_alpn_selected
* @param ssl the SSL instance (SSL *)
* @return the name of the selected ALPN protocol
*/
public static native String getAlpnSelected(long ssl);
/**
* Get the peer certificate chain or {@code null} if none was send.
* @param ssl the SSL instance (SSL *)
* @return the chain or {@code null} if none was send
*/
public static native byte[][] getPeerCertChain(long ssl);
/**
* Get the peer certificate or {@code null} if non was send.
* @param ssl the SSL instance (SSL *)
* @return the peer certificate or {@code null} if none was send
*/
public static native byte[] getPeerCertificate(long ssl);
/**
* Get the error string representing for the given {@code errorNumber}.
*
* @param errorNumber the error number / code
* @return the error string
*/
public static native String getErrorString(long errorNumber);
/**
* SSL_get_time
* @param ssl the SSL instance (SSL *)
* @return returns the time at which the session ssl was established. The time is given in seconds since the Epoch
*/
public static native long getTime(long ssl);
/**
* SSL_get_timeout
* @param ssl the SSL instance (SSL *)
* @return returns the timeout for the session ssl The time is given in seconds since the Epoch
*/
public static native long getTimeout(long ssl);
/**
* SSL_set_timeout
* @param ssl the SSL instance (SSL *)
* @param seconds timeout in seconds
* @return returns the timeout for the session ssl before this call. The time is given in seconds since the Epoch
*/
public static native long setTimeout(long ssl, long seconds);
/**
* Set Type of Client Certificate verification and Maximum depth of CA Certificates
* in Client Certificate verification.
* <p>
* This directive sets the Certificate verification level for the Client
* Authentication. Notice that this directive can be used both in per-server
* and per-directory context. In per-server context it applies to the client
* authentication process used in the standard SSL handshake when a connection
* is established. In per-directory context it forces a SSL renegotiation with
* the reconfigured client verification level after the HTTP request was read
* but before the HTTP response is sent.
* <p>
* The following levels are available for level:
* <ul>
* <li>{@link #SSL_CVERIFY_IGNORED} - The level is ignored. Only depth will change.</li>
* <li>{@link #SSL_CVERIFY_NONE} - No client Certificate is required at all</li>
* <li>{@link #SSL_CVERIFY_OPTIONAL} - The client may present a valid Certificate</li>
* <li>{@link #SSL_CVERIFY_REQUIRED} - The client has to present a valid Certificate</li>
* </ul>
* The depth actually is the maximum number of intermediate certificate issuers,
* i.e. the number of CA certificates which are max allowed to be followed while
* verifying the client certificate. A depth of 0 means that self-signed client
* certificates are accepted only, the default depth of 1 means the client
* certificate can be self-signed or has to be signed by a CA which is directly
* known to the server (i.e. the CA's certificate is under
* {@code setCACertificatePath}, etc.
*
* @param ssl the SSL instance (SSL *)
* @param level Type of Client Certificate verification.
* @param depth Maximum depth of CA Certificates in Client Certificate
* verification. Ignored if value is {@code <0}.
*/
public static native void setVerify(long ssl, int level, int depth);
/**
* Set OpenSSL Option.
* @param ssl the SSL instance (SSL *)
* @param options See SSL.SSL_OP_* for option flags.
*/
public static native void setOptions(long ssl, int options);
/**
* Clear OpenSSL Option.
* @param ssl the SSL instance (SSL *)
* @param options See SSL.SSL_OP_* for option flags.
*/
public static native void clearOptions(long ssl, int options);
/**
* Get OpenSSL Option.
* @param ssl the SSL instance (SSL *)
* @return options See SSL.SSL_OP_* for option flags.
*/
public static native int getOptions(long ssl);
/**
* Returns all Returns the cipher suites that are available for negotiation in an SSL handshake.
* @param ssl the SSL instance (SSL *)
* @return ciphers
*/
public static native String[] getCiphers(long ssl);
/**
* Returns the cipher suites available for negotiation in SSL handshake.
* <p>
* This complex directive uses a colon-separated cipher-spec string consisting
* of OpenSSL cipher specifications to configure the Cipher Suite the client
* is permitted to negotiate in the SSL handshake phase. Notice that this
* directive can be used both in per-server and per-directory context.
* In per-server context it applies to the standard SSL handshake when a
* connection is established. In per-directory context it forces a SSL
* renegotiation with the reconfigured Cipher Suite after the HTTP request
* was read but before the HTTP response is sent.
* @param ssl the SSL instance (SSL *)
* @param ciphers an SSL cipher specification
* @return {@code true} if successful
* @throws Exception if an error happened
*/
public static native boolean setCipherSuites(long ssl, String ciphers)
throws Exception;
/**
* Returns the ID of the session as byte array representation.
*
* @param ssl the SSL instance (SSL *)
* @return the session as byte array representation obtained via SSL_SESSION_get_id.
*/
public static native byte[] getSessionId(long ssl);
/**
* Returns the number of handshakes done for this SSL instance. This also includes renegations.
*
* @param ssl the SSL instance (SSL *)
* @return the number of handshakes done for this SSL instance.
*/
public static native int getHandshakeCount(long ssl);
/**
* Clear all the errors from the error queue that OpenSSL encountered on this thread.
*/
public static native void clearError();
/**
* Call SSL_renegotiate.
*
* @param ssl the SSL instance (SSL *)
* @return the result of the operation
*/
public static native int renegotiate(long ssl);
/**
* Call SSL_set_state.
*
* @param ssl the SSL instance (SSL *)
* @param state the state to set
*/
public static native void setState(long ssl, int state);
/**
* Call SSL_set_tlsext_host_name
*
* @param ssl the SSL instance (SSL *)
* @param hostname the hostname
*/
public static native void setTlsExtHostName(long ssl, String hostname);
/**
* Explicitly control <a href="https://wiki.openssl.org/index.php/Hostname_validation">hostname validation</a>
* <a href="https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html">see X509_check_host for X509_CHECK_FLAG* definitions</a>.
* Values are defined as a bitmask of {@code X509_CHECK_FLAG*} values.
* @param ssl the SSL instance (SSL*).
* @param flags a bitmask of {@code X509_CHECK_FLAG*} values.
* @param hostname the hostname which is expected for validation.
*/
public static native void setHostNameValidation(long ssl, int flags, String hostname);
/**
* Return the methods used for authentication.
*
* @param ssl the SSL instance (SSL*)
* @return the methods
*/
public static native String[] authenticationMethods(long ssl);
/**
* Set BIO of PEM-encoded Server CA Certificates
* <p>
* This directive sets the optional all-in-one file where you can assemble the
* certificates of Certification Authorities (CA) which form the certificate
* chain of the server certificate. This starts with the issuing CA certificate
* of of the server certificate and can range up to the root CA certificate.
* Such a file is simply the concatenation of the various PEM-encoded CA
* Certificate files, usually in certificate chain order.
* <p>
* But be careful: Providing the certificate chain works only if you are using
* a single (either RSA or DSA) based server certificate. If you are using a
* coupled RSA+DSA certificate pair, this will work only if actually both
* certificates use the same certificate chain. Otherwsie the browsers will be
* confused in this situation.
* @param ssl Server or Client to use.
* @param bio BIO of PEM-encoded Server CA Certificates.
* @param skipfirst Skip first certificate if chain file is inside
* certificate file.
*/
public static native void setCertificateChainBio(long ssl, long bio, boolean skipfirst);
/**
* Set Certificate
* <br>
* Point setCertificate at a PEM encoded certificate stored in a BIO. If
* the certificate is encrypted, then you will be prompted for a
* pass phrase. Note that a kill -HUP will prompt again. A test
* certificate can be generated with `make certificate' under
* built time. Keep in mind that if you've both a RSA and a DSA
* certificate you can configure both in parallel (to also allow
* the use of DSA ciphers, etc.)
* <br>
* If the key is not combined with the certificate, use key param
* to point at the key file. Keep in mind that if
* you've both a RSA and a DSA private key you can configure
* both in parallel (to also allow the use of DSA ciphers, etc.)
* @param ssl Server or Client to use.
* @param certBio Certificate BIO.
* @param keyBio Private Key BIO to use if not in cert.
* @param password Certificate password. If null and certificate
* is encrypted.
* @throws Exception if an error happened
*/
public static native void setCertificateBio(
long ssl, long certBio, long keyBio, String password) throws Exception;
/**
* Parse private key from BIO and return {@code EVP_PKEY} pointer.
*
* <p>Be sure you understand how OpenSsl will behave with respect to reference counting!
*
* If the {@code EVP_PKEY} pointer is used with the client certificate callback
* {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and so calling
* {@link #freePrivateKey(long)} should <strong>NOT</strong> be done in this case. Otherwise you may
* need to call {@link #freePrivateKey(long)} to decrement the reference count and free memory.
*
* @param privateKeyBio the pointer to the {@code BIO} that contains the private key
* @param password the password or {@code null} if no password is needed
* @return {@code EVP_PKEY} pointer
* @throws Exception if an error happened
*/
public static native long parsePrivateKey(long privateKeyBio, String password) throws Exception;
/**
* Free private key ({@code EVP_PKEY} pointer).
*
* @param privateKey {@code EVP_PKEY} pointer
*/
public static native void freePrivateKey(long privateKey);
/**
* Parse X509 chain from BIO and return ({@code STACK_OF(X509)} pointer).
*
* <p>Be sure you understand how OpenSsl will behave with respect to reference counting!
*
* If the {@code STACK_OF(X509)} pointer is used with the client certificate callback
* {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and and so calling
* {@link #freeX509Chain(long)} should <strong>NOT</strong> be done in this case. Otherwise you may
* need to call {@link #freeX509Chain(long)} to decrement the reference count and free memory.
*
* @param x509ChainBio the pointer to the {@code BIO} that contains the X509 chain
* @return {@code STACK_OF(X509)} pointer
* @throws Exception if an error happened
*/
public static native long parseX509Chain(long x509ChainBio) throws Exception;
/**
* Free x509 chain ({@code STACK_OF(X509)} pointer).
*
* @param x509Chain {@code STACK_OF(X509)} pointer
*/
public static native void freeX509Chain(long x509Chain);
}