This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 85a25f3bc6 Add basic compatibility for BoringSSL 85a25f3bc6 is described below commit 85a25f3bc6b1c27522a0533af65973ee42c42038 Author: remm <r...@apache.org> AuthorDate: Thu Jul 4 12:37:05 2024 +0200 Add basic compatibility for BoringSSL --- .../util/net/openssl/panama/OpenSSLContext.java | 90 +++++----- .../util/net/openssl/panama/OpenSSLEngine.java | 7 +- .../util/net/openssl/panama/OpenSSLLibrary.java | 22 +-- .../util/openssl/openssl_h_Compatibility.java | 47 +++-- .../tomcat/util/openssl/openssl_h_Macros.java | 199 +++++++++++++++++++-- webapps/docs/changelog.xml | 4 + 6 files changed, 284 insertions(+), 85 deletions(-) diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java index e186586d78..29d017f496 100644 --- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java +++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java @@ -114,8 +114,6 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { } } - static final boolean OPENSSL_3 = (OpenSSL_version_num() >= 0x3000000fL); - private final SSLHostConfig sslHostConfig; private final SSLHostConfigCertificate certificate; private final boolean alpn; @@ -1053,57 +1051,61 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { // Try to read DH parameters from the (first) SSLCertificateFile if (index == SSL_AIDX_RSA) { BIO_reset(certificateBIO); - if (!OPENSSL_3) { - var dh = PEM_read_bio_DHparams(certificateBIO, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL); - if (!MemorySegment.NULL.equals(dh)) { - SSL_CTX_set_tmp_dh(state.sslCtx, dh); - DH_free(dh); - } - } else { - var pkey = PEM_read_bio_Parameters(certificateBIO, MemorySegment.NULL); - if (!MemorySegment.NULL.equals(pkey)) { - int numBits = EVP_PKEY_get_bits(pkey); - if (SSL_CTX_set0_tmp_dh_pkey(state.sslCtx, pkey) <= 0) { - EVP_PKEY_free(pkey); - } else { - log.debug(sm.getString("openssl.setCustomDHParameters", Integer.valueOf(numBits), certificate.getCertificateFile())); + if (!openssl_h_Compatibility.BORINGSSL) { + if (!openssl_h_Compatibility.OPENSSL3) { + var dh = PEM_read_bio_DHparams(certificateBIO, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL); + if (!MemorySegment.NULL.equals(dh)) { + SSL_CTX_set_tmp_dh(state.sslCtx, dh); + DH_free(dh); } } else { - String errMessage = OpenSSLLibrary.getLastError(); - if (errMessage != null) { - log.debug(sm.getString("openssl.errorReadingPEMParameters", errMessage, certificate.getCertificateFile())); + var pkey = PEM_read_bio_Parameters(certificateBIO, MemorySegment.NULL); + if (!MemorySegment.NULL.equals(pkey)) { + int numBits = EVP_PKEY_get_bits(pkey); + if (SSL_CTX_set0_tmp_dh_pkey(state.sslCtx, pkey) <= 0) { + EVP_PKEY_free(pkey); + } else { + log.debug(sm.getString("openssl.setCustomDHParameters", Integer.valueOf(numBits), certificate.getCertificateFile())); + } + } else { + String errMessage = OpenSSLLibrary.getLastError(); + if (errMessage != null) { + log.debug(sm.getString("openssl.errorReadingPEMParameters", errMessage, certificate.getCertificateFile())); + } + SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_DH_AUTO(), 1, MemorySegment.NULL); } - SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_DH_AUTO(), 1, MemorySegment.NULL); } } } // Similarly, try to read the ECDH curve name from SSLCertificateFile... BIO_reset(certificateBIO); - if (!OPENSSL_3) { - var ecparams = PEM_read_bio_ECPKParameters(certificateBIO, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL); - if (!MemorySegment.NULL.equals(ecparams)) { - int nid = EC_GROUP_get_curve_name(ecparams); - var eckey = EC_KEY_new_by_curve_name(nid); - SSL_CTX_set_tmp_ecdh(state.sslCtx, eckey); - EC_KEY_free(eckey); - EC_GROUP_free(ecparams); - } - // Set callback for DH parameters - SSL_CTX_set_tmp_dh_callback(state.sslCtx, SSL_CTX_set_tmp_dh_callback$dh.allocate(new TmpDHCallback(), contextArena)); - } else { - var ecparams = PEM_ASN1_read_bio(d2i_ECPKParameters$SYMBOL(), - PEM_STRING_ECPARAMETERS(), certificateBIO, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL); - if (!MemorySegment.NULL.equals(ecparams)) { - int curveNid = EC_GROUP_get_curve_name(ecparams); - var curveNidAddress = localArena.allocateFrom(ValueLayout.JAVA_INT, curveNid); - if (SSL_CTX_set1_groups(state.sslCtx, curveNidAddress, 1) <= 0) { - curveNid = 0; + if (!openssl_h_Compatibility.BORINGSSL) { + if (!openssl_h_Compatibility.OPENSSL3) { + var ecparams = PEM_read_bio_ECPKParameters(certificateBIO, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL); + if (!MemorySegment.NULL.equals(ecparams)) { + int nid = EC_GROUP_get_curve_name(ecparams); + var eckey = EC_KEY_new_by_curve_name(nid); + SSL_CTX_set_tmp_ecdh(state.sslCtx, eckey); + EC_KEY_free(eckey); + EC_GROUP_free(ecparams); } - if (log.isDebugEnabled()) { - log.debug(sm.getString("openssl.setECDHCurve", Integer.valueOf(curveNid), - certificate.getCertificateFile())); + // Set callback for DH parameters + SSL_CTX_set_tmp_dh_callback(state.sslCtx, SSL_CTX_set_tmp_dh_callback$dh.allocate(new TmpDHCallback(), contextArena)); + } else { + var ecparams = PEM_ASN1_read_bio(d2i_ECPKParameters$SYMBOL(), + PEM_STRING_ECPARAMETERS(), certificateBIO, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL); + if (!MemorySegment.NULL.equals(ecparams)) { + int curveNid = EC_GROUP_get_curve_name(ecparams); + var curveNidAddress = localArena.allocateFrom(ValueLayout.JAVA_INT, curveNid); + if (SSL_CTX_set1_groups(state.sslCtx, curveNidAddress, 1) <= 0) { + curveNid = 0; + } + if (log.isDebugEnabled()) { + log.debug(sm.getString("openssl.setECDHCurve", Integer.valueOf(curveNid), + certificate.getCertificateFile())); + } + EC_GROUP_free(ecparams); } - EC_GROUP_free(ecparams); } } // Set certificate chain file @@ -1212,7 +1214,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { logLastError("openssl.errorPrivateKeyCheck"); return false; } - if (!OPENSSL_3) { + if (!openssl_h_Compatibility.OPENSSL3) { // Set callback for DH parameters SSL_CTX_set_tmp_dh_callback(state.sslCtx, SSL_CTX_set_tmp_dh_callback$dh.allocate(new TmpDHCallback(), contextArena)); diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java index 053d4747cf..cf768e19a5 100644 --- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java +++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java @@ -53,7 +53,6 @@ import javax.net.ssl.SSLSessionBindingListener; import javax.net.ssl.SSLSessionContext; import static org.apache.tomcat.util.openssl.openssl_h.*; -import static org.apache.tomcat.util.openssl.openssl_h_Compatibility.*; import static org.apache.tomcat.util.openssl.openssl_h_Macros.*; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; @@ -192,7 +191,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn } else { SSL_set_accept_state(ssl); } - SSL_set_verify_result(ssl, X509_V_OK()); + openssl_h_Compatibility.SSL_set_verify_result(ssl, X509_V_OK()); try (var localArena = Arena.ofConfined()) { var internalBIOPointer = localArena.allocate(ValueLayout.ADDRESS); var networkBIOPointer = localArena.allocate(ValueLayout.ADDRESS); @@ -838,7 +837,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn private byte[] getPeerCertificate() { try (var localArena = Arena.ofConfined()) { - MemorySegment/*(X509*)*/ x509 = (OpenSSLContext.OPENSSL_3 ? SSL_get1_peer_certificate(state.ssl) : SSL_get_peer_certificate(state.ssl)); + MemorySegment/*(X509*)*/ x509 = openssl_h_Compatibility.SSL_get_peer_certificate(state.ssl); MemorySegment bufPointer = localArena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL); int length = i2d_X509(x509, bufPointer); if (length <= 0) { @@ -1154,7 +1153,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE()); if (verifyErrorIsOptional && (state.certificateVerifyMode == OpenSSLContext.OPTIONAL_NO_CA)) { ok = 1; - SSL_set_verify_result(state.ssl, X509_V_OK()); + openssl_h_Compatibility.SSL_set_verify_result(state.ssl, X509_V_OK()); } /* * Expired certificates vs. "expired" CRLs: by default, OpenSSL diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java index 37f313e628..df90d84bcf 100644 --- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java +++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java @@ -182,12 +182,12 @@ public class OpenSSLLibrary { initLibrary(); OpenSSLStatus.setVersion(OpenSSL_version_num()); + // OpenSSL 3 onwards uses providers - boolean isOpenSSL3 = (OpenSSL_version_num() >= 0x3000000fL); // Setup engine String engineName = "on".equalsIgnoreCase(SSLEngine) ? null : SSLEngine; - if (!isOpenSSL3 && engineName != null) { + if (!openssl_h_Compatibility.OPENSSL3 && !openssl_h_Compatibility.BORINGSSL && engineName != null) { if ("auto".equals(engineName)) { ENGINE_register_all_complete(); } else { @@ -234,15 +234,15 @@ public class OpenSSLLibrary { RAND_seed(memorySession.allocateFrom(ValueLayout.JAVA_BYTE, randomBytes), 128); } - if (!isOpenSSL3) { + if (!openssl_h_Compatibility.OPENSSL3 && !openssl_h_Compatibility.BORINGSSL) { initDHParameters(); } - if (isOpenSSL3 || !(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode))) { + if (openssl_h_Compatibility.OPENSSL3 || !(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode))) { fipsModeActive = false; final boolean enterFipsMode; int fipsModeState = FIPS_OFF; - if (isOpenSSL3) { + if (openssl_h_Compatibility.OPENSSL3) { var md = EVP_MD_fetch(MemorySegment.NULL, memorySession.allocateFrom("SHA-512"), MemorySegment.NULL); var provider = EVP_MD_get0_provider(md); String name = OSSL_PROVIDER_get0_name(provider).getString(0); @@ -265,13 +265,13 @@ public class OpenSSLLibrary { enterFipsMode = false; } else if ("on".equalsIgnoreCase(FIPSMode)) { if (fipsModeState == FIPS_ON) { - if (!isOpenSSL3) { + if (!openssl_h_Compatibility.OPENSSL3) { log.info(sm.getString("openssllibrary.skipFIPSInitialization")); } fipsModeActive = true; enterFipsMode = false; } else { - if (isOpenSSL3) { + if (openssl_h_Compatibility.OPENSSL3) { throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode)); } else { enterFipsMode = true; @@ -282,7 +282,7 @@ public class OpenSSLLibrary { fipsModeActive = true; enterFipsMode = false; } else { - if (isOpenSSL3) { + if (openssl_h_Compatibility.OPENSSL3) { throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode)); } else { throw new IllegalStateException(sm.getString("openssllibrary.requireNotInFIPSMode")); @@ -290,13 +290,13 @@ public class OpenSSLLibrary { } } else if ("enter".equalsIgnoreCase(FIPSMode)) { if (fipsModeState == FIPS_OFF) { - if (isOpenSSL3) { + if (openssl_h_Compatibility.OPENSSL3) { throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode)); } else { enterFipsMode = true; } } else { - if (isOpenSSL3) { + if (openssl_h_Compatibility.OPENSSL3) { fipsModeActive = true; enterFipsMode = false; } else { @@ -325,7 +325,7 @@ public class OpenSSLLibrary { log.info(sm.getString("openssllibrary.initializeFIPSSuccess")); } - if (isOpenSSL3 && fipsModeActive) { + if (openssl_h_Compatibility.OPENSSL3 && fipsModeActive) { log.info(sm.getString("aprListener.usingFIPSProvider")); } } diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java index 07513af8be..04578ceafd 100644 --- a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java +++ b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java @@ -21,15 +21,22 @@ import java.lang.invoke.MethodHandle; import java.lang.foreign.*; import static java.lang.foreign.ValueLayout.*; import static org.apache.tomcat.util.openssl.openssl_h.OpenSSL_version; +import static org.apache.tomcat.util.openssl.openssl_h.OpenSSL_version_num; +import static org.apache.tomcat.util.openssl.openssl_h.SSL_get1_peer_certificate; /** - * Methods used present in older OpenSSL versions but not in the current major version. + * Methods used present in older OpenSSL versions but not in the current major version or OpenSSL derivatives. */ public class openssl_h_Compatibility { + public static final boolean OPENSSL3; + public static final boolean BORINGSSL; public static final boolean LIBRESSL; static { - LIBRESSL = OpenSSL_version(0).getString(0).contains("LibreSSL"); + String versionString = OpenSSL_version(0).getString(0); + OPENSSL3 = versionString.contains("OpenSSL") && OpenSSL_version_num() >= 0x3000000fL; + BORINGSSL = versionString.contains("BoringSSL"); + LIBRESSL = versionString.contains("LibreSSL"); } // OpenSSL 1.1 FIPS_mode @@ -106,19 +113,23 @@ public class openssl_h_Compatibility { // OpenSSL 1.1 SSL_get_peer_certificate public static MemorySegment SSL_get_peer_certificate(MemorySegment s) { - class Holder { - static final String NAME = "SSL_get_peer_certificate"; - static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_POINTER, openssl_h.C_POINTER); - static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); - } - var mh$ = Holder.MH; - try { - if (openssl_h.TRACE_DOWNCALLS) { - openssl_h.traceDowncall(Holder.NAME, s); + if (OPENSSL3) { + return SSL_get1_peer_certificate(s); + } else { + class Holder { + static final String NAME = "SSL_get_peer_certificate"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_POINTER, openssl_h.C_POINTER); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, s); + } + return (java.lang.foreign.MemorySegment) mh$.invokeExact(s); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); } - return (java.lang.foreign.MemorySegment) mh$.invokeExact(s); - } catch (Throwable ex$) { - throw new AssertionError("should not reach here", ex$); } } @@ -217,5 +228,11 @@ public class openssl_h_Compatibility { } } -} + // BoringSSL removed SSL_set_verify_result which does not do anything in OpenSSL + public static void SSL_set_verify_result(MemorySegment ssl, long v) { + if (!BORINGSSL) { + openssl_h.SSL_set_verify_result(ssl, v); + } + } +} diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java b/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java index 9472c312b4..5c6101c7f4 100644 --- a/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java +++ b/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java @@ -17,7 +17,10 @@ package org.apache.tomcat.util.openssl; +import java.lang.foreign.FunctionDescriptor; +import java.lang.foreign.Linker; import java.lang.foreign.MemorySegment; +import java.lang.invoke.MethodHandle; import static org.apache.tomcat.util.openssl.openssl_h.*; @@ -40,7 +43,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_set_max_proto_version(MemorySegment sslCtx, long version) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_MAX_PROTO_VERSION(), version, MemorySegment.NULL); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_set_max_proto_version"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_LONG); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx, version); + } + return (long) mh$.invokeExact(sslCtx, version); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_MAX_PROTO_VERSION(), version, MemorySegment.NULL); + } } @@ -56,7 +76,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_set_min_proto_version(MemorySegment sslCtx, long version) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_MIN_PROTO_VERSION(), version, MemorySegment.NULL); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_set_min_proto_version"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_LONG); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx, version); + } + return (long) mh$.invokeExact(sslCtx, version); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_MIN_PROTO_VERSION(), version, MemorySegment.NULL); + } } @@ -71,7 +108,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_sess_get_cache_size(MemorySegment sslCtx) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_GET_SESS_CACHE_SIZE(), 0, MemorySegment.NULL); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_sess_get_cache_size"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx); + } + return (long) mh$.invokeExact(sslCtx); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_GET_SESS_CACHE_SIZE(), 0, MemorySegment.NULL); + } } @@ -87,7 +141,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_sess_set_cache_size(MemorySegment sslCtx, long cacheSize) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_SESS_CACHE_SIZE(), cacheSize, MemorySegment.NULL); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_sess_set_cache_size"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_LONG); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx, cacheSize); + } + return (long) mh$.invokeExact(sslCtx, cacheSize); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_SESS_CACHE_SIZE(), cacheSize, MemorySegment.NULL); + } } @@ -102,7 +173,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_get_session_cache_mode(MemorySegment sslCtx) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_GET_SESS_CACHE_MODE(), 0, MemorySegment.NULL); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_get_session_cache_mode"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx); + } + return (long) mh$.invokeExact(sslCtx); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_GET_SESS_CACHE_MODE(), 0, MemorySegment.NULL); + } } @@ -118,7 +206,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_set_session_cache_mode(MemorySegment sslCtx, long cacheMode) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_SESS_CACHE_MODE(), cacheMode, MemorySegment.NULL); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_set_session_cache_mode"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_LONG); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx, cacheMode); + } + return (long) mh$.invokeExact(sslCtx, cacheMode); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_SESS_CACHE_MODE(), cacheMode, MemorySegment.NULL); + } } @@ -134,7 +239,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_add0_chain_cert(MemorySegment sslCtx, MemorySegment x509) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_CHAIN_CERT(), 0, x509); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_add0_chain_cert"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_POINTER); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx, x509); + } + return (long) mh$.invokeExact(sslCtx, x509); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_CHAIN_CERT(), 0, x509); + } } @@ -151,7 +273,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_set_tlsext_ticket_keys(MemorySegment sslCtx, MemorySegment keys, long keyLength) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TLSEXT_TICKET_KEYS(), keyLength, keys); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_set_tlsext_ticket_keys"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_POINTER, openssl_h.C_LONG); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx, keys, keyLength); + } + return (long) mh$.invokeExact(sslCtx, keys, keyLength); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TLSEXT_TICKET_KEYS(), keyLength, keys); + } } @@ -183,7 +322,11 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_set_tmp_dh(MemorySegment sslCtx, MemorySegment dh) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TMP_DH(), 0, dh); + if (openssl_h_Compatibility.BORINGSSL) { + return 1; + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TMP_DH(), 0, dh); + } } @@ -199,7 +342,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_set_tmp_ecdh(MemorySegment sslCtx, MemorySegment ecdh) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TMP_ECDH(), 0, ecdh); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_set_tmp_ecdh"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_POINTER); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx, ecdh); + } + return (long) mh$.invokeExact(sslCtx, ecdh); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TMP_ECDH(), 0, ecdh); + } } @@ -243,7 +403,24 @@ public class openssl_h_Macros { * @return > 0 if successful */ public static long SSL_CTX_set1_groups(MemorySegment sslCtx, MemorySegment groupsList, int listLength) { - return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_GROUPS(), listLength, groupsList); + if (openssl_h_Compatibility.BORINGSSL) { + class Holder { + static final String NAME = "SSL_CTX_set1_groups"; + static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_POINTER, openssl_h.C_INT); + static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC); + } + var mh$ = Holder.MH; + try { + if (openssl_h.TRACE_DOWNCALLS) { + openssl_h.traceDowncall(Holder.NAME, sslCtx, groupsList, listLength); + } + return (long) mh$.invokeExact(sslCtx, groupsList, listLength); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } else { + return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_GROUPS(), listLength, groupsList); + } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index abb8096aab..3f5fcb2949 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -119,6 +119,10 @@ than the FFM library loading code) to configure the OpenSSL library loading using FFM. (remm) </update> + <update> + Add FFM compatibility methods for BoringSSL support. Renegotiation is + not supported in many cases. (remm) + </update> </changelog> </subsection> </section> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org