This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new cad3983e19 Use ERR_error_string_n in FFM code cad3983e19 is described below commit cad3983e19a3d03ffb4c86ca25297097f136fd03 Author: remm <r...@apache.org> AuthorDate: Wed May 15 15:51:30 2024 +0200 Use ERR_error_string_n in FFM code The buffer previously used was too small. --- .../util/net/openssl/panama/OpenSSLContext.java | 8 ++++-- java/org/apache/tomcat/util/openssl/openssl_h.java | 33 ++++++++++++++++++++++ res/openssl/openssl-tomcat.conf | 1 + webapps/docs/changelog.xml | 9 +++++- 4 files changed, 47 insertions(+), 4 deletions(-) diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java index f72606ba05..b483506d19 100644 --- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java +++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java @@ -76,6 +76,8 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { private static final Cleaner cleaner = Cleaner.create(); + private static final int OPENSSL_ERROR_MESSAGE_BUFFER_SIZE = 256; + private static final String defaultProtocol = "TLS"; private static final int SSL_AIDX_RSA = 0; @@ -564,7 +566,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { if ((sslHostConfig.getCaCertificateFile() != null || sslHostConfig.getCaCertificatePath() != null) && SSL_CTX_load_verify_locations(state.sslCtx, caCertificateFileNative == null ? MemorySegment.NULL : caCertificateFileNative, - caCertificatePathNative == null ? MemorySegment.NULL : caCertificatePathNative) <= 0) { + caCertificatePathNative == null ? MemorySegment.NULL : caCertificatePathNative) <= 0) { logLastError("openssl.errorConfiguringLocations"); } else { var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx); 
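Review bot: The new constant `OPENSSL_ERROR_MESSAGE_BUFFER_SIZE` in the first OpenSSLContext.java hunk carries no comment explaining why it is 256, yet this value is the bound that keeps a native write inside a Java-allocated segment. The OpenSSL documentation for `ERR_error_string()` gives 256 bytes as the minimum buffer size, which is presumably where the number comes from. I would record that next to the field, for example `// Minimum buffer size OpenSSL documents for ERR_error_string(); ERR_error_string_n() truncates and NUL-terminates at the length it is given.` That way a later edit to the constant or a switch back to the unbounded call gets a second look.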
@@ -1326,8 +1328,8 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { try (var localArena = Arena.ofConfined()) { do { // Loop until getLastErrorNumber() returns SSL_ERROR_NONE - var buf = localArena.allocate(ValueLayout.JAVA_BYTE, 128); - ERR_error_string(error, buf); + var buf = localArena.allocate(ValueLayout.JAVA_BYTE, OPENSSL_ERROR_MESSAGE_BUFFER_SIZE); + ERR_error_string_n(error, buf, OPENSSL_ERROR_MESSAGE_BUFFER_SIZE); String err = buf.getString(0); if (sslError == null) { sslError = err; diff --git a/java/org/apache/tomcat/util/openssl/openssl_h.java b/java/org/apache/tomcat/util/openssl/openssl_h.java index 9d9d701312..3c0dcd2046 100644 --- a/java/org/apache/tomcat/util/openssl/openssl_h.java +++ b/java/org/apache/tomcat/util/openssl/openssl_h.java @@ -5336,6 +5336,39 @@ public class openssl_h { } } + private static MethodHandle ERR_error_string_n$MH() { + class Holder { + static final FunctionDescriptor DESC = FunctionDescriptor.of( + openssl_h.C_POINTER, + openssl_h.C_LONG, + openssl_h.C_POINTER, + openssl_h.C_INT + ); + + static final MethodHandle MH = Linker.nativeLinker().downcallHandle( + openssl_h.findOrThrow("ERR_error_string_n"), + DESC); + } + return Holder.MH; + } + + /** + * {@snippet lang=c : + * char *ERR_error_string_n(unsigned long e, char *buf, size_t len) + * } + */ + public static MemorySegment ERR_error_string_n(long e, MemorySegment buf, int len) { + var mh$ = ERR_error_string_n$MH(); + try { + if (TRACE_DOWNCALLS) { + traceDowncall("ERR_error_string_n", e, buf, len); + } + return (MemorySegment) mh$.invokeExact(e, buf, len); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + private static MethodHandle PKCS12_verify_mac$MH() { class Holder { static final FunctionDescriptor DESC = FunctionDescriptor.of( diff --git a/res/openssl/openssl-tomcat.conf b/res/openssl/openssl-tomcat.conf index 66ebe76847..0d75c2654d 100644 --- a/res/openssl/openssl-tomcat.conf 
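Review bot: In the `@@ -1326,8 +1328,8 @@` hunk, `buf` is still allocated from `localArena` on every pass of the `do` loop, so each queued OpenSSL error now takes another 256 bytes that are only released when the confined arena closes. `ERR_error_string_n` overwrites the buffer and NUL-terminates it on each call, so one allocation can be reused. I would move `var buf = localArena.allocate(ValueLayout.JAVA_BYTE, OPENSSL_ERROR_MESSAGE_BUFFER_SIZE);` to just before the `do {`. The loop body and the enclosing method continue outside the hunk, so confirm nothing later in the loop keeps a reference to `buf` across iterations.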
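Review bot: The new `ERR_error_string_n` binding in openssl_h.java declares its third argument as `openssl_h.C_INT` and the wrapper takes `int len`, while the C prototype quoted in the Javadoc snippet just above it is `size_t len`. Where `size_t` is 64 bits wide, the downcall passes a 32-bit value in a slot the callee reads as 64 bits, and whether the upper half is well defined depends on the platform ABI. That length is the bound that keeps OpenSSL's write inside `buf`, so it should be passed at its real width. I would use a 64-bit layout, as the same descriptor already does for `unsigned long e`: `openssl_h.C_LONG` in `DESC` and `long len` in the method signature. The call in OpenSSLContext should still compile because the `int` constant widens to `long`.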
+++ b/res/openssl/openssl-tomcat.conf @@ -90,6 +90,7 @@ --include-function ERR_clear_error # header: /usr/include/openssl/err.h --include-function ERR_error_string # header: /usr/include/openssl/err.h +--include-function ERR_error_string_n # header: /usr/include/openssl/err.h --include-function ERR_get_error # header: /usr/include/openssl/err.h --include-function ERR_peek_last_error # header: /usr/include/openssl/err.h --include-constant ERR_REASON_MASK # header: /usr/include/openssl/err.h diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 9a3e5f3b61..75f815fa42 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -105,8 +105,15 @@ issues do not "pop up" wrt. others). --> <section name="Tomcat 10.1.25 (schultz)" rtext="in development"> + <subsection name="Coyote"> + <changelog> + <fix> + Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer, + and use ERR_error_string_n instead. (remm) + </fix> + </changelog> + </subsection> </section> - <section name="Tomcat 10.1.24 (schultz)" rtext="releaser in progress"> <subsection name="Catalina"> <changelog> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org