This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 5fff065183ff2b2c1fd9efc0b758f56427bc0964
Author: remm <[email protected]>
AuthorDate: Thu Sep 11 17:09:33 2025 +0200

Add group configuration to OpenSSL FFM
---
 .../net/openssl/panama/LocalStrings.properties | 1 +
 .../util/net/openssl/panama/OpenSSLContext.java | 21 +++++++++++++
 java/org/apache/tomcat/util/openssl/openssl_h.java | 10 +++++++
 .../tomcat/util/openssl/openssl_h_Macros.java | 35 ++++++++++++++++++++++
 res/openssl/openssl-tomcat.conf | 1 +
 5 files changed, 68 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index 5e4f66af2a..5c728accac 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -62,6 +62,7 @@ openssl.errorLoadingPassword=Error loading password file: [{0}]
 openssl.errorLoadingPrivateKey=Error loading private key: [{0}]
 openssl.errorPrivateKeyCheck=Private key does not match the certificate public key: [{0}]
 openssl.errorReadingPEMParameters=Failed reading PEM parameters [{0}] for certificate [{1}]
+openssl.errorSettingGroups=Error setting group list: [{0}]
 openssl.errorSSLCtxInit=Error initializing SSL context
 openssl.invalidSslProtocol=An invalid value [{0}] was provided for the SSLProtocol attribute
 openssl.keyManagerMissing=No key manager found
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index e7e51d4bd4..20e303ca24 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -63,6 +63,7 @@ import org.apache.tomcat.util.net.openssl.OpenSSLConf;
 import org.apache.tomcat.util.net.openssl.OpenSSLConfCmd;
 import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
 import org.apache.tomcat.util.net.openssl.OpenSSLUtil;
+import org.apache.tomcat.util.net.openssl.ciphers.Group;
 import org.apache.tomcat.util.openssl.SSL_CTX_set_alpn_select_cb$cb;
 import org.apache.tomcat.util.openssl.SSL_CTX_set_cert_verify_callback$cb;
 import org.apache.tomcat.util.openssl.SSL_CTX_set_tmp_dh_callback$dh;
@@ -259,6 +260,26 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 // Set int pem_password_cb(char *buf, int size, int rwflag, void *u) callback
 SSL_CTX_set_default_passwd_cb(sslCtx, pem_password_cb.allocate(new PasswordCallback(null), contextArena));
 
+ // Set server groups
+ if (sslHostConfig.getGroupList() != null) {
+ StringBuilder sb = new StringBuilder();
+ boolean first = true;
+ for (Group group : sslHostConfig.getGroupList()) {
+ if (first) {
+ first = false;
+ } else {
+ sb.append(':');
+ }
+ sb.append(group.toString());
+ }
+ try (var localArena = Arena.ofConfined()) {
+ if (SSL_CTX_set1_groups_list(sslCtx, localArena.allocateFrom(sb.toString())) <= 0) {
+ logLastError("openssl.errorSettingGroups");
+ // Consider this is not fatal
+ }
+ }
+ }
+
 if (negotiableProtocols != null && !negotiableProtocols.isEmpty()) {
 alpn = true;
 negotiableProtocolsBytes = new ArrayList<>(negotiableProtocols.size() + 1);
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h.java b/java/org/apache/tomcat/util/openssl/openssl_h.java
index 6e2fc76241..0c2465b633 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h.java
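Review bot: A rejected group list is only logged via `logLastError("openssl.errorSettingGroups")` and context creation continues, so a misspelled or unsupported group name in the configuration silently leaves OpenSSL's default group preferences in force instead of the administrator's; if that fallback is intended, the comment `// Consider this is not fatal` should say so, e.g. `// Not fatal: OpenSSL keeps its default group list if the configured one is rejected`, otherwise the failure should be handled like the other configuration errors in this method. If `getGroupList()` can return an empty list (its contract is not visible here), the loop yields an empty string and the native call is made with nothing to set, so the guard is better written as `if (sslHostConfig.getGroupList() != null && !sslHostConfig.getGroupList().isEmpty()) {`. The manual `first` flag could be replaced by `Collectors.joining(":")` over the group names, assuming `java.util.stream.Collectors` is acceptable in this file. The enclosing method starts and ends outside the hunk.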
@@ -776,6 +776,16 @@ public class openssl_h {
 return SSL_CTRL_SET_GROUPS;
 }
 
+ private static final int SSL_CTRL_SET_GROUPS_LIST = (int) 92L;
+
+ /**
+ * {@snippet lang = c : * #define SSL_CTRL_SET_GROUPS_LIST 92
+ * }
+ */
+ public static int SSL_CTRL_SET_GROUPS_LIST() {
+ return SSL_CTRL_SET_GROUPS_LIST;
+ }
+
 private static final int SSL_CTRL_SET_DH_AUTO = (int) 118L;
 
 /**
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java b/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
index 3d83a07ca9..13106c484c 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
@@ -432,6 +432,41 @@ public class openssl_h_Macros {
 }
 
 
+ /**
+ * Set list of groups in preference order.
+ * {@snippet lang = c :
+ * # define SSL_set1_groups_list(s, str) \
+ * SSL_ctrl(s,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(str))
+ * }
+ *
+ * @param sslCtx the SSL context
+ * @param groupsList the groups list as a String
+ *
+ * @return > 0 if successful
+ */
+ public static long SSL_CTX_set1_groups_list(MemorySegment sslCtx, MemorySegment groupsList) {
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_set1_groups_list";
+ static final FunctionDescriptor DESC = FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER,
+ openssl_h.C_POINTER);
+ static final MethodHandle MH = Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, groupsList);
+ }
+ return (long) mh$.invokeExact(sslCtx, groupsList);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_GROUPS_LIST(), 0, groupsList);
+ }
+ }
+
+
 /**
 * Pass a path from which certificates are loaded into the store.
 * {@snippet lang = c : # define X509_LOOKUP_add_dir(x,name,type) \
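Review bot: The Javadoc snippet on `SSL_CTX_set1_groups_list` quotes the `SSL_set1_groups_list(s, str)` macro, which wraps `SSL_ctrl` on an `SSL`, while the method implements the context-level variant that calls `SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_GROUPS_LIST(), 0, groupsList)`; the snippet should quote `# define SSL_CTX_set1_groups_list(ctx, s) SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s))` instead. The BoringSSL branch declares the downcall return as `openssl_h.C_LONG`; if BoringSSL's `SSL_CTX_set1_groups_list` returns a C `int` (as I recall from its headers), the descriptor should use `openssl_h.C_INT` so the value the caller tests with `<= 0` does not depend on unspecified upper register bits — worth checking against the other BoringSSL-only downcalls in this file. `@return > 0 if successful` should escape the angle bracket as `&gt;` so doclint does not flag it.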
diff --git a/res/openssl/openssl-tomcat.conf b/res/openssl/openssl-tomcat.conf
index 7897fcd14b..892f3b84af 100644
--- a/res/openssl/openssl-tomcat.conf
+++ b/res/openssl/openssl-tomcat.conf
@@ -260,6 +260,7 @@
 --include-constant SSL_CTRL_SESS_TIMEOUTS # header: /usr/include/openssl/ssl.h
 --include-constant SSL_CTRL_SET_DH_AUTO # header: /usr/include/openssl/ssl.h
 --include-constant SSL_CTRL_SET_GROUPS # header: /usr/include/openssl/ssl.h
+--include-constant SSL_CTRL_SET_GROUPS_LIST # header: /usr/include/openssl/ssl.h
 --include-constant SSL_CTRL_SET_MAX_PROTO_VERSION # header: /usr/include/openssl/ssl.h
 --include-constant SSL_CTRL_SET_MIN_PROTO_VERSION # header: /usr/include/openssl/ssl.h
 --include-constant SSL_CTRL_SET_SESS_CACHE_MODE # header: /usr/include/openssl/ssl.h

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
