This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 1.3.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit 29f0cc900310b1982b462b16fc308cbfeade79d4
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Feb 5 13:43:27 2024 +0000
Update minimum LibreSSL version to 3.5.2. Remove NPN support.
Additional updates after reviewing the 1.2.x/1.3.x/2.0.x diff
---
native/BUILDING | 10 +-
native/include/ssl_private.h | 45 +-----
native/os/win32/libtcnative.rc | 4 +-
native/src/jnilib.c | 4 +-
native/src/ssl.c | 326 +-------------------------------------
native/src/sslcontext.c | 147 +----------------
native/src/sslutils.c | 20 +--
native/srclib/BUILDING | 4 +-
xdocs/miscellaneous/changelog.xml | 7 +
9 files changed, 28 insertions(+), 539 deletions(-)
diff --git a/native/BUILDING b/native/BUILDING
index 51793e02a..eab66a699 100644
--- a/native/BUILDING
+++ b/native/BUILDING
@@ -20,8 +20,8 @@ Linux / Unix / OSX (dynamic linking)
1. Prerequisites
- Install OpenSSL version 1.0.2 or higher
- Install APR version 1.4.3 or higher.
+ Install OpenSSL version 1.1.1 or higher
+ Install APR version 1.6.3 or higher.
Download and expand the source package or use an git checkout
> cd native
@@ -48,7 +48,7 @@ Linux / Unix / OSX (dynamic linking)
Linux / Unix / OSX (static linking)
===================================
-1. Build static version of OpenSSL 1.0.2 or later
+1. Build static version of OpenSSL 1.1.1 or later
> ./Configure --prefix=~/natives/openssl no-shared -fPIC
> make
@@ -57,7 +57,7 @@ Linux / Unix / OSX (static linking)
Note: For the Solaris platform you should use -KPIC instead -fPIC so that
the
library is compiled with position independent code.
-2. Build static version of APR 1.4.3 or later
+2. Build static version of APR 1.6.3 or later
> ./configure --prefix=~/natives/apr
> make
@@ -112,7 +112,7 @@ Windows
4. Build OpenSSL
Unpack the OpenSSL source distribution into native\srclib\openssl
- Apply openssl-msvcrt.patch
+ Apply openssl-msvcrt-3.0.x.patch
> c:\cmsc\setenv.bat x86
> perl Configure VC-WIN32
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 286a50a04..aab34cc9d 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -46,7 +46,7 @@
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
-#if (OPENSSL_VERSION_NUMBER > 0x2FFFFFFFL)
+#if OPENSSL_VERSION_NUMBER > 0x2FFFFFFFL && !defined(LIBRESSL_VERSION_NUMBER)
#include <openssl/provider.h>
#endif
/* Avoid tripping over an engine build installed globally and detected
@@ -217,39 +217,7 @@ extern ENGINE *tcn_ssl_engine;
#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
-/* LibreSSL compatibility */
-#if defined(LIBRESSL_VERSION_NUMBER)
-#define OpenSSL_version SSLeay_version
-#define OpenSSL_version_num SSLeay
-#define OPENSSL_VERSION SSLEAY_VERSION
-#define OPENSSL_malloc_init CRYPTO_malloc_init
-#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
-#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
-#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
-#define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
-#define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
-#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
-#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
-#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
-#define BIO_get_init(x) (x->init)
-#define BIO_set_init(x,v) (x->init=v)
-#define BIO_get_data(x) (x->ptr)
-#define BIO_set_data(x,v) (x->ptr=v)
-#define BIO_set_shutdown(x,v) (x->shutdown=v)
-#define X509_REVOKED_get0_serialNumber(x) x->serialNumber
-#define X509_STORE_CTX_get0_untrusted(x) (x->untrusted)
-#define X509_OBJECT_free(x) {X509_OBJECT_free_contents(obj);\
- OPENSSL_free(obj);}
-#define TLS_method SSLv23_method
-#define TLS_client_method SSLv23_client_method
-#define TLS_server_method SSLv23_server_method
-#endif /* defined(LIBRESSL_VERSION_NUMBER) */
-
-#if !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_KEYLOG_CALLBACK
-#endif
-
-#define MAX_ALPN_NPN_PROTO_SIZE 65535
+#define MAX_ALPN_PROTO_SIZE 65535
#define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1
typedef struct {
@@ -394,19 +362,10 @@ void SSL_callback_handshake(const SSL *, int, int);
int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
int SSL_callback_SSL_verify(int, X509_STORE_CTX *);
int SSL_rand_seed(const char *file);
-int SSL_callback_next_protos(SSL *, const unsigned char **, unsigned
int *, void *);
-int SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned
char *, const unsigned char *, unsigned int,void *);
int SSL_callback_alpn_select_proto(SSL *, const unsigned char **,
unsigned char *, const unsigned char *, unsigned int, void *);
-#ifdef HAVE_KEYLOG_CALLBACK
void SSL_callback_add_keylog(SSL_CTX *);
-#endif
-#if defined(LIBRESSL_VERSION_NUMBER) && ! (defined(WIN32) || defined(WIN64))
-unsigned long SSL_ERR_get(void);
-void SSL_ERR_clear(void);
-#else
#define SSL_ERR_get() ERR_get_error()
#define SSL_ERR_clear() ERR_clear_error()
-#endif
#endif /* SSL_PRIVATE_H */
diff --git a/native/os/win32/libtcnative.rc b/native/os/win32/libtcnative.rc
index e4d443823..55f623aa7 100644
--- a/native/os/win32/libtcnative.rc
+++ b/native/os/win32/libtcnative.rc
@@ -25,13 +25,13 @@ LANGUAGE 0x9,0x1
1001 DIALOGEX 0, 0, 252, 51
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_CAPTION
-CAPTION "Password prompt"
+CAPTION "Pass Phrase Prompt"
FONT 8, "MS Shell Dlg", 0, 0, 0x0
BEGIN
ICON 1000,-1,8,6,21,20
LTEXT "Some of your private key files are encrypted for security
reasons.\nIn order to read them you have to provide the pass phrases.",
-1,29,5,220,19
- LTEXT "Enter password:",-1,7,28,75,8
+ LTEXT "Enter pass phrase:",-1,7,28,75,8
EDITTEXT 1002,67,27,174,12,ES_PASSWORD | ES_AUTOHSCROLL
END
diff --git a/native/src/jnilib.c b/native/src/jnilib.c
index 300fe8caa..6f20dd94f 100644
--- a/native/src/jnilib.c
+++ b/native/src/jnilib.c
@@ -70,11 +70,11 @@ JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void
*reserved)
tcn_global_vm = vm;
env = (JNIEnv *)ppe;
/* Before doing anything else check if we have a valid
- * APR version. We need version 1.4.3 as minimum.
+ * APR version. We need version 1.6.3 as minimum.
*/
apr_version(&apv);
apvn = apv.major * 1000 + apv.minor * 100 + apv.patch;
- if (apvn < 1403) {
+ if (apvn < 1603) {
tcn_Throw(env, "Unsupported APR version %s: this tcnative requires at
least 1.4.3",
apr_version_string());
return JNI_ERR;
diff --git a/native/src/ssl.c b/native/src/ssl.c
index a5bdaf43c..56304ee29 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -30,7 +30,6 @@ extern apr_pool_t *tcn_global_pool;
ENGINE *tcn_ssl_engine = NULL;
tcn_pass_cb_t tcn_password_callback;
-#ifdef HAVE_KEYLOG_CALLBACK
static BIO *key_log_file = NULL;
static void ssl_keylog_callback(const SSL *ssl, const char *line)
@@ -40,30 +39,11 @@ static void ssl_keylog_callback(const SSL *ssl, const char
*line)
BIO_puts(key_log_file, "\n");
}
}
-#endif
/* From netty-tcnative */
static jclass byteArrayClass;
static jclass stringClass;
-#if defined(LIBRESSL_VERSION_NUMBER)
-/* Global reference to the pool used by the dynamic mutexes */
-static apr_pool_t *dynlockpool = NULL;
-
-/* Dynamic lock structure */
-struct CRYPTO_dynlock_value {
- apr_pool_t *pool;
- const char* file;
- int line;
- apr_thread_mutex_t *mutex;
-};
-
-#if ! (defined(WIN32) || defined(WIN64))
-apr_threadkey_t *thread_exit_key;
-static int threadkey_initialized = 0;
-#endif
-#endif
-
/*
* supported_ssl_opts is a bitmask that contains all supported SSL_OP_*
* options at compile-time. This is used in hasOp to determine which
@@ -210,29 +190,6 @@ static const jint supported_ssl_opts = 0
#endif
| 0;
-#if defined(LIBRESSL_VERSION_NUMBER)
-/* LibreSSL compatibility */
-/* Taken from OpenSSL 1.1.0 snapshot 20160410 */
-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-{
- /* q is optional */
- if (p == NULL || g == NULL)
- return 0;
- BN_free(dh->p);
- BN_free(dh->q);
- BN_free(dh->g);
- dh->p = p;
- dh->q = q;
- dh->g = g;
-
- if (q != NULL) {
- dh->length = BN_num_bits(q);
- }
-
- return 1;
-}
-#endif
-
/*
* Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
* functions in <openssl/bn.h> for all available primes.
@@ -294,14 +251,12 @@ static void free_dh_params(void)
}
}
-#ifdef HAVE_KEYLOG_CALLBACK
void SSL_callback_add_keylog(SSL_CTX *ctx)
{
if (key_log_file) {
SSL_CTX_set_keylog_callback(ctx, ssl_keylog_callback);
}
}
-#endif
/* Hand out the same DH structure though once generated as we leak
* memory otherwise and freeing the structure up after use would be
@@ -321,10 +276,8 @@ DH *SSL_get_dh_params(unsigned keylen)
return NULL; /* impossible to reach. */
}
-#if !defined(LIBRESSL_VERSION_NUMBER)
static void init_bio_methods(void);
static void free_bio_methods(void);
-#endif
TCN_IMPLEMENT_CALL(jint, SSL, version)(TCN_STDARGS)
{
@@ -349,12 +302,6 @@ static apr_status_t ssl_init_cleanup(void *data)
return APR_SUCCESS;
ssl_initialized = 0;
-#if defined(LIBRESSL_VERSION_NUMBER) && ! (defined(WIN32) || defined(WIN64))
- if (threadkey_initialized) {
- threadkey_initialized = 0;
- apr_threadkey_private_delete(thread_exit_key);
- }
-#endif
if (tcn_password_callback.cb.obj) {
JNIEnv *env;
tcn_get_java_env(&env);
@@ -362,9 +309,7 @@ static apr_status_t ssl_init_cleanup(void *data)
tcn_password_callback.cb.obj);
}
-#if !defined(LIBRESSL_VERSION_NUMBER)
free_bio_methods();
-#endif
free_dh_params();
#ifndef OPENSSL_NO_ENGINE
@@ -375,39 +320,12 @@ static apr_status_t ssl_init_cleanup(void *data)
}
#endif
-#if !defined(LIBRESSL_VERSION_NUMBER)
- /* Openssl v1.1+ handles all termination automatically. Do
- * nothing in this case.
- */
-#else
- /*
- * Try to kill the internals of the SSL library.
- */
-#ifdef OPENSSL_FIPS
- FIPS_mode_set(0);
-#endif
- /* Corresponds to OPENSSL_load_builtin_modules() */
- CONF_modules_free();
- /* Corresponds to SSL_library_init: */
- EVP_cleanup();
-#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
- ENGINE_cleanup();
-#endif
-#ifndef OPENSSL_NO_COMP
- SSL_COMP_free_compression_methods();
-#endif
- CRYPTO_cleanup_all_ex_data();
-#if defined(LIBRESSL_VERSION_NUMBER)
- ERR_remove_thread_state(NULL);
-#endif
-#endif
+ /* Openssl v1.1+ handles all termination automatically. */
-#ifdef HAVE_KEYLOG_CALLBACK
if (key_log_file) {
BIO_free(key_log_file);
key_log_file = NULL;
}
-#endif
/* Don't call ERR_free_strings here; ERR_load_*_strings only
* actually load the error strings once per process due to static
@@ -438,182 +356,14 @@ static ENGINE *ssl_try_load_engine(const char *engine)
#endif
/*
- * To ensure thread-safetyness in OpenSSL
+ * To ensure thread-safetyness in LibreSSL
*/
-#if defined(LIBRESSL_VERSION_NUMBER)
-static apr_thread_mutex_t **ssl_lock_cs;
-static int ssl_lock_num_locks;
-
-static void ssl_thread_lock(int mode, int type,
- const char *file, int line)
-{
- UNREFERENCED(file);
- UNREFERENCED(line);
- if (type < ssl_lock_num_locks) {
- if (mode & CRYPTO_LOCK) {
- apr_thread_mutex_lock(ssl_lock_cs[type]);
- }
- else {
- apr_thread_mutex_unlock(ssl_lock_cs[type]);
- }
- }
-}
-#endif
-
static unsigned long ssl_thread_id(void)
{
return (unsigned long)tcn_get_thread_id();
}
-#if defined(LIBRESSL_VERSION_NUMBER)
-#if ! (defined(WIN32) || defined(WIN64))
-void SSL_thread_exit(void) {
- ERR_remove_thread_state(NULL);
- apr_threadkey_private_set(NULL, thread_exit_key);
-}
-
-unsigned long SSL_ERR_get() {
- apr_threadkey_private_set(thread_exit_key, thread_exit_key);
- return ERR_get_error();
-}
-
-void SSL_ERR_clear() {
- apr_threadkey_private_set(thread_exit_key, thread_exit_key);
- ERR_clear_error();
-}
-
-static void _ssl_thread_exit(void *data) {
- UNREFERENCED(data);
- SSL_thread_exit();
-}
-#endif
-
-static void ssl_set_thread_id(CRYPTO_THREADID *id)
-{
- CRYPTO_THREADID_set_numeric(id, ssl_thread_id());
-}
-
-static apr_status_t ssl_thread_cleanup(void *data)
-{
- UNREFERENCED(data);
- CRYPTO_THREADID_set_callback(NULL);
- CRYPTO_set_locking_callback(NULL);
- CRYPTO_set_dynlock_create_callback(NULL);
- CRYPTO_set_dynlock_lock_callback(NULL);
- CRYPTO_set_dynlock_destroy_callback(NULL);
-
- dynlockpool = NULL;
-
- /* Let the registered mutex cleanups do their own thing
- */
- return APR_SUCCESS;
-}
-
-/*
- * Dynamic lock creation callback
- */
-static struct CRYPTO_dynlock_value *ssl_dyn_create_function(const char *file,
- int line)
-{
- struct CRYPTO_dynlock_value *value;
- apr_pool_t *p;
- apr_status_t rv;
-
- /*
- * We need a pool to allocate our mutex. Since we can't clear
- * allocated memory from a pool, create a subpool that we can blow
- * away in the destruction callback.
- */
- rv = apr_pool_create(&p, dynlockpool);
- if (rv != APR_SUCCESS) {
- /* TODO log that fprintf(stderr, "Failed to create subpool for dynamic
lock"); */
- return NULL;
- }
-
- value = (struct CRYPTO_dynlock_value *)apr_palloc(p,
- sizeof(struct
CRYPTO_dynlock_value));
- if (!value) {
- /* TODO log that fprintf(stderr, "Failed to allocate dynamic lock
structure"); */
- return NULL;
- }
-
- value->pool = p;
- /* Keep our own copy of the place from which we were created,
- using our own pool. */
- value->file = apr_pstrdup(p, file);
- value->line = line;
- rv = apr_thread_mutex_create(&(value->mutex), APR_THREAD_MUTEX_DEFAULT,
- p);
- if (rv != APR_SUCCESS) {
- /* TODO log that fprintf(stderr, "Failed to create thread mutex for
dynamic lock"); */
- apr_pool_destroy(p);
- return NULL;
- }
- return value;
-}
-
-/*
- * Dynamic locking and unlocking function
- */
-
-static void ssl_dyn_lock_function(int mode, struct CRYPTO_dynlock_value *l,
- const char *file, int line)
-{
-
-
- if (mode & CRYPTO_LOCK) {
- apr_thread_mutex_lock(l->mutex);
- }
- else {
- apr_thread_mutex_unlock(l->mutex);
- }
-}
-
-/*
- * Dynamic lock destruction callback
- */
-static void ssl_dyn_destroy_function(struct CRYPTO_dynlock_value *l,
- const char *file, int line)
-{
- apr_status_t rv;
- rv = apr_thread_mutex_destroy(l->mutex);
- if (rv != APR_SUCCESS) {
- /* TODO log that fprintf(stderr, "Failed to destroy mutex for dynamic
lock %s:%d", l->file, l->line); */
- }
- /* Trust that whomever owned the CRYPTO_dynlock_value we were
- * passed has no future use for it...
- */
- apr_pool_destroy(l->pool);
-}
-
-static void ssl_thread_setup(apr_pool_t *p)
-{
- int i;
-
- CRYPTO_THREADID_set_callback(ssl_set_thread_id);
- ssl_lock_num_locks = CRYPTO_num_locks();
- ssl_lock_cs = apr_palloc(p, ssl_lock_num_locks * sizeof(*ssl_lock_cs));
-
- for (i = 0; i < ssl_lock_num_locks; i++) {
- apr_thread_mutex_create(&(ssl_lock_cs[i]),
- APR_THREAD_MUTEX_DEFAULT, p);
- }
-
- CRYPTO_set_locking_callback(ssl_thread_lock);
- /* Set up dynamic locking scaffolding for OpenSSL to use at its
- * convenience.
- */
- dynlockpool = p;
- CRYPTO_set_dynlock_create_callback(ssl_dyn_create_function);
- CRYPTO_set_dynlock_lock_callback(ssl_dyn_lock_function);
- CRYPTO_set_dynlock_destroy_callback(ssl_dyn_destroy_function);
-
- apr_pool_cleanup_register(p, NULL, ssl_thread_cleanup,
- apr_pool_cleanup_null);
-}
-#endif
-
static int ssl_rand_choosenum(int l, int h)
{
int i;
@@ -770,40 +520,12 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS,
jstring engine)
TCN_FREE_CSTRING(engine);
return (jint)APR_SUCCESS;
}
-#if !defined(LIBRESSL_VERSION_NUMBER)
/* Openssl v1.1+ handles all initialisation automatically, apart
* from hints as to how we want to use the library.
*
* We tell openssl we want to include engine support.
*/
OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
-#else
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
- OPENSSL_malloc_init();
- ERR_load_crypto_strings();
- SSL_load_error_strings();
- SSL_library_init();
- OpenSSL_add_all_algorithms();
-#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
- ENGINE_load_builtin_engines();
-#endif
- OPENSSL_load_builtin_modules();
-
-#if ! (defined(WIN32) || defined(WIN64))
- err = apr_threadkey_private_create(&thread_exit_key, _ssl_thread_exit,
- tcn_global_pool);
- if (err != APR_SUCCESS) {
- ssl_init_cleanup(NULL);
- tcn_ThrowAPRException(e, err);
- return (jint)err;
- }
- threadkey_initialized = 1;
-#endif
- /* Initialize thread support */
- ssl_thread_setup(tcn_global_pool);
-#endif
#ifndef OPENSSL_NO_ENGINE
if (J2S(engine)) {
@@ -844,9 +566,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS,
jstring engine)
SSL_init_app_data_idx();
init_dh_params();
-#if !defined(LIBRESSL_VERSION_NUMBER)
init_bio_methods();
-#endif
/*
* Let us cleanup the ssl library when the library is unloaded
@@ -864,7 +584,6 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS,
jstring engine)
sClazz = (*e)->FindClass(e, "java/lang/String");
stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
-#ifdef HAVE_KEYLOG_CALLBACK
if (!key_log_file) {
char *key_log_file_name = getenv("SSLKEYLOGFILE");
if (key_log_file_name) {
@@ -878,7 +597,6 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS,
jstring engine)
}
}
}
-#endif
return (jint)APR_SUCCESS;
}
@@ -1175,20 +893,6 @@ static long jbs_ctrl(BIO *b, int cmd, long num, void *ptr)
return ret;
}
-#if defined(LIBRESSL_VERSION_NUMBER)
-static BIO_METHOD jbs_methods = {
- BIO_TYPE_FILE,
- "Java Callback",
- jbs_write,
- jbs_read,
- jbs_puts,
- jbs_gets,
- jbs_ctrl,
- jbs_new,
- jbs_free,
- NULL
-};
-#else
static BIO_METHOD *jbs_methods = NULL;
static void init_bio_methods(void)
@@ -1207,7 +911,6 @@ static void free_bio_methods(void)
{
BIO_meth_free(jbs_methods);
}
-#endif
static BIO_METHOD *BIO_jbs()
{
@@ -1685,24 +1388,6 @@ TCN_IMPLEMENT_CALL(jint, SSL,
getPostHandshakeAuthInProgress)(TCN_STDARGS,
#endif
}
-/* Read which protocol was negotiated for the given SSL *. */
-TCN_IMPLEMENT_CALL(jstring, SSL, getNextProtoNegotiated)(TCN_STDARGS,
- jlong ssl /* SSL *
*/) {
- SSL *ssl_ = J2P(ssl, SSL *);
- const unsigned char *proto;
- unsigned int proto_len;
-
- if (ssl_ == NULL) {
- tcn_ThrowException(e, "ssl is null");
- return NULL;
- }
-
- UNREFERENCED(o);
-
- SSL_get0_next_proto_negotiated(ssl_, &proto, &proto_len);
- return tcn_new_stringn(e, (const char *)proto, (size_t) proto_len);
-}
-
/*** End Twitter API Additions ***/
/*** Apple API Additions ***/
@@ -2336,13 +2021,6 @@ TCN_IMPLEMENT_CALL(jint, SSL,
getPostHandshakeAuthInProgress)(TCN_STDARGS, jlong
return 0;
}
-TCN_IMPLEMENT_CALL(jstring, SSL, getNextProtoNegotiated)(TCN_STDARGS, jlong
ssl) {
- UNREFERENCED(o);
- UNREFERENCED(ssl);
- tcn_ThrowException(e, "Not implemented");
- return NULL;
-}
-
/*** End Twitter 1:1 API addition ***/
/*** Begin Apple 1:1 API addition ***/
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index a2ddf8fce..660aed768 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -274,9 +274,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS,
jlong pool,
goto init_failed;
}
-#ifdef HAVE_KEYLOG_CALLBACK
SSL_callback_add_keylog(ctx);
-#endif
c->protocol = protocol;
c->mode = mode;
@@ -287,27 +285,6 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS,
jlong pool,
BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
-#if defined(LIBRESSL_VERSION_NUMBER)
- /* always disable SSLv2, as per RFC 6176 */
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- if (!(protocol & SSL_PROTOCOL_SSLV3))
- SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);
- if (!(protocol & SSL_PROTOCOL_TLSV1))
- SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1);
-#ifdef HAVE_TLSV1_1
- if (!(protocol & SSL_PROTOCOL_TLSV1_1))
- SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_1);
-#endif
-#ifdef HAVE_TLSV1_2
- if (!(protocol & SSL_PROTOCOL_TLSV1_2))
- SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
-#endif
-#ifdef HAVE_TLSV1_3
- if (!(protocol & SSL_PROTOCOL_TLSV1_3))
- SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_3);
-#endif
-
-#else /* if defined(LIBRESSL_VERSION_NUMBER) */
/* We first determine the maximum protocol version we should provide */
#ifdef HAVE_TLSV1_3
if (protocol & SSL_PROTOCOL_TLSV1_3) {
@@ -347,7 +324,6 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS,
jlong pool,
prot = SSL3_VERSION;
}
SSL_CTX_set_min_proto_version(ctx, prot);
-#endif
/*
* Configure additional context ingredients
@@ -591,9 +567,6 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext,
getCiphers)(TCN_STDARGS, jlong ctx)
const char *name;
int i;
jstring c_name;
-#if defined(LIBRESSL_VERSION_NUMBER)
- SSL *ssl;
-#endif
UNREFERENCED_STDARGS;
@@ -602,25 +575,10 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext,
getCiphers)(TCN_STDARGS, jlong ctx)
return NULL;
}
- /* Before OpenSSL 1.1.0, get_ciphers() was only available
- * on an SSL, not for an SSL_CTX. */
-#if defined(LIBRESSL_VERSION_NUMBER)
- ssl = SSL_new(c->ctx);
- if (ssl == NULL) {
- tcn_ThrowException(e, "could not create temporary ssl from ssl
context");
- return NULL;
- }
-
- sk = SSL_get_ciphers(ssl);
-#else
sk = SSL_CTX_get_ciphers(c->ctx);
-#endif
len = sk_SSL_CIPHER_num(sk);
if (len <= 0) {
-#if defined(LIBRESSL_VERSION_NUMBER)
- SSL_free(ssl);
-#endif
return NULL;
}
@@ -633,9 +591,6 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext,
getCiphers)(TCN_STDARGS, jlong ctx)
c_name = (*e)->NewStringUTF(e, name);
(*e)->SetObjectArrayElement(e, array, i, c_name);
}
-#if defined(LIBRESSL_VERSION_NUMBER)
- SSL_free(ssl);
-#endif
return array;
}
@@ -1292,14 +1247,9 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
addChainCertificateRaw)(TCN_STDARGS, jl
ERR_error_string(SSL_ERR_get(), err);
tcn_Throw(e, "Error reading certificate (%s)", err);
rv = JNI_FALSE;
-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20901000L
- } else {
- tcn_Throw(e, "Unable to use Java keystores with LibreSSL");
-#else
} else if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) {
ERR_error_string(SSL_ERR_get(), err);
tcn_Throw(e, "Error adding certificate to chain (%s)", err);
-#endif
rv = JNI_FALSE;
}
@@ -1529,7 +1479,7 @@ static int initProtocols(JNIEnv *e, const tcn_ssl_ctxt_t
*c, unsigned char **pro
proto_chars = (*e)->GetStringUTFChars(e, proto_string, 0);
proto_chars_len = strlen(proto_chars);
- if (proto_chars_len > 0 && proto_chars_len <=
MAX_ALPN_NPN_PROTO_SIZE) {
+ if (proto_chars_len > 0 && proto_chars_len <= MAX_ALPN_PROTO_SIZE) {
// We need to add +1 as each protocol is prefixed by it's length
(unsigned char).
// For all except of the last one we already have the extra space
as everything is
// delimited by ','.
@@ -1572,26 +1522,6 @@ static int initProtocols(JNIEnv *e, const tcn_ssl_ctxt_t
*c, unsigned char **pro
}
}
-TCN_IMPLEMENT_CALL(void, SSLContext, setNpnProtos)(TCN_STDARGS, jlong ctx,
jobjectArray next_protos,
- jint selectorFailureBehavior)
-{
- tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
-
- TCN_ASSERT(ctx != 0);
- UNREFERENCED(o);
-
- if (initProtocols(e, c, &c->next_proto_data, &c->next_proto_len,
next_protos) == 0) {
- c->next_selector_failure_behavior = selectorFailureBehavior;
-
- // depending on if it's client mode or not we need to call different
functions.
- if (c->mode == SSL_MODE_CLIENT) {
- SSL_CTX_set_next_proto_select_cb(c->ctx,
SSL_callback_select_next_proto, (void *)c);
- } else {
- SSL_CTX_set_next_protos_advertised_cb(c->ctx,
SSL_callback_next_protos, (void *)c);
- }
- }
-}
-
TCN_IMPLEMENT_CALL(void, SSLContext, setAlpnProtos)(TCN_STDARGS, jlong ctx,
jobjectArray alpn_protos,
jint selectorFailureBehavior)
{
@@ -1763,97 +1693,35 @@ TCN_IMPLEMENT_CALL(void, SSLContext,
setSessionTicketKeys)(TCN_STDARGS, jlong ct
(*e)->ReleaseByteArrayElements(e, keys, b, 0);
}
-
#if defined(LIBRESSL_VERSION_NUMBER)
/*
* Adapted from OpenSSL:
*
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/ssl_locl.h#L318
*/
-/* Bits for algorithm_mkey (key exchange algorithm) */
-/* RSA key exchange */
-# define SSL_kRSA 0x00000001L
-/* DH cert, RSA CA cert */
-# define SSL_kDHr 0x00000002L
-/* DH cert, DSA CA cert */
-# define SSL_kDHd 0x00000004L
-/* tmp DH key no DH cert */
-# define SSL_kEDH 0x00000008L
-/* forward-compatible synonym */
-# define SSL_kDHE SSL_kEDH
-/* Kerberos5 key exchange */
-# define SSL_kKRB5 0x00000010L
-/* ECDH cert, RSA CA cert */
-# define SSL_kECDHr 0x00000020L
-/* ECDH cert, ECDSA CA cert */
-# define SSL_kECDHe 0x00000040L
-/* ephemeral ECDH */
-# define SSL_kEECDH 0x00000080L
-/* forward-compatible synonym */
-# define SSL_kECDHE SSL_kEECDH
-/* PSK */
-# define SSL_kPSK 0x00000100L
-/* GOST key exchange */
-# define SSL_kGOST 0x00000200L
-/* SRP */
-# define SSL_kSRP 0x00000400L
/* Bits for algorithm_auth (server authentication) */
-/* RSA auth */
-# define SSL_aRSA 0x00000001L
/* DSS auth */
# define SSL_aDSS 0x00000002L
-/* no auth (i.e. use ADH or AECDH) */
-# define SSL_aNULL 0x00000004L
-/* Fixed DH auth (kDHd or kDHr) */
-# define SSL_aDH 0x00000008L
-/* Fixed ECDH auth (kECDHe or kECDHr) */
-# define SSL_aECDH 0x00000010L
-/* KRB5 auth */
-# define SSL_aKRB5 0x00000020L
-/* ECDSA auth*/
-# define SSL_aECDSA 0x00000040L
-/* PSK auth */
-# define SSL_aPSK 0x00000080L
-/* GOST R 34.10-94 signature auth */
-# define SSL_aGOST94 0x00000100L
-/* GOST R 34.10-2001 signature auth */
-# define SSL_aGOST01 0x00000200L
-/* SRP auth */
-# define SSL_aSRP 0x00000400L
/* OpenSSL end */
-#define TCN_SSL_kRSA SSL_kRSA
-#define TCN_SSL_kDHr SSL_kDHr
-#define TCN_SSL_kDHd SSL_kDHd
-#define TCN_SSL_kDHE SSL_kDHE
-#define TCN_SSL_kKRB5 SSL_kKRB5
-#define TCN_SSL_kECDHr SSL_kECDHr
-#define TCN_SSL_kECDHe SSL_kECDHe
-#define TCN_SSL_kECDHE SSL_kECDHE
-
-#define TCN_SSL_aRSA SSL_aRSA
#define TCN_SSL_aDSS SSL_aDSS
-#define TCN_SSL_aNULL SSL_aNULL
-#define TCN_SSL_aDH SSL_aDH
-#define TCN_SSL_aECDH SSL_aECDH
-#define TCN_SSL_aKRB5 SSL_aKRB5
-#define TCN_SSL_aECDSA SSL_aECDSA
#else
+#define TCN_SSL_aDSS NID_auth_dss
+
+#endif
+
#define TCN_SSL_kRSA NID_kx_rsa
#define TCN_SSL_kDHE NID_kx_dhe
#define TCN_SSL_kECDHE NID_kx_ecdhe
#define TCN_SSL_aRSA NID_auth_rsa
-#define TCN_SSL_aDSS NID_auth_dss
#define TCN_SSL_aNULL NID_auth_null
#define TCN_SSL_aECDSA NID_auth_ecdsa
-#endif
-
/*
* Adapted from Android:
*
https://android.googlesource.com/platform/external/openssl/+/master/patches/0003-jsse.patch
@@ -1864,13 +1732,8 @@ static const char*
SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){
if (cipher == NULL) {
return "UNKNOWN";
}
-#if defined(LIBRESSL_VERSION_NUMBER)
- kx = cipher->algorithm_mkey;
- auth = cipher->algorithm_auth;
-#else
kx = SSL_CIPHER_get_kx_nid(cipher);
auth = SSL_CIPHER_get_auth_nid(cipher);
-#endif
switch (kx)
{
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index beefb31ed..d03fb491f 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -446,17 +446,6 @@ void SSL_callback_handshake(const SSL *ssl, int where, int
rc)
}
}
-int SSL_callback_next_protos(SSL *ssl, const unsigned char **data,
- unsigned int *len, void *arg)
-{
- tcn_ssl_ctxt_t *ssl_ctxt = arg;
-
- *data = ssl_ctxt->next_proto_data;
- *len = ssl_ctxt->next_proto_len;
-
- return SSL_TLSEXT_ERR_OK;
-}
-
/* The code here is inspired by nghttp2
*
* See
https://github.com/tatsuhiro-t/nghttp2/blob/ae0100a9abfcf3149b8d9e62aae216e946b517fb/src/shrpx_ssl.cc#L244
*/
@@ -515,13 +504,6 @@ int select_next_proto(SSL *ssl, const unsigned char **out,
unsigned char *outlen
return SSL_TLSEXT_ERR_NOACK;
}
-int SSL_callback_select_next_proto(SSL *ssl, unsigned char **out, unsigned
char *outlen,
- const unsigned char *in, unsigned int inlen,
- void *arg) {
- tcn_ssl_ctxt_t *ssl_ctxt = arg;
- return select_next_proto(ssl, (const unsigned char **) out, outlen, in,
inlen, ssl_ctxt->next_proto_data, ssl_ctxt->next_proto_len,
ssl_ctxt->next_selector_failure_behavior);
-}
-
int SSL_callback_alpn_select_proto(SSL* ssl, const unsigned char **out,
unsigned char *outlen,
const unsigned char *in, unsigned int inlen, void *arg) {
tcn_ssl_ctxt_t *ssl_ctxt = arg;
@@ -984,7 +966,7 @@ static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, X509
*cert, X509 *issuer,
int ok = 0;
apr_socket_t *apr_sock = NULL;
apr_pool_t *mp;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || defined(LIBRESSL_VERSION_NUMBER)
if (OCSP_parse_url(url, &hostname, &c_port, &path, &use_ssl) == 0)
#else
if (OSSL_HTTP_parse_url(url, &use_ssl, NULL, &hostname, &c_port, NULL,
&path, NULL, NULL) == 0)
diff --git a/native/srclib/BUILDING b/native/srclib/BUILDING
index c116a11f8..261b79743 100644
--- a/native/srclib/BUILDING
+++ b/native/srclib/BUILDING
@@ -15,10 +15,10 @@ environment before calling nmake so that correct
compiler is setup for the target architecture.
-Building OpenSSL 1.1.1 and later
+Building OpenSSL 3.0.0 and later
----------------------------------
-Apply openssl-msvcrt-1.1.1.patch
+Apply openssl-msvcrt-3.0.x.patch
This patch makes sure that static version of OpenSSL libraries
is linked to msvcrt.dll instead statically linking msvcrt.
diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
index 68b1136e2..f58dd3e24 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -51,6 +51,13 @@
longer set. Only the explicitly configured trust store, if any, will be
used. (michaelo)
</fix>
+ <update>
+ Update the minimum supported version of LibreSSL to 3.5.2. (markt)
+ </update>
+ <design>
+ Remove NPN support as NPN was never standardised and browser support was
+ removed in 2019. (markt)
+ </design>
</changelog>
</section>
<section name="Changes in 1.2.x">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
