This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new bf93413990 Separate Catalina listener code bf93413990 is described below commit bf93413990eecdfbe5662a814433f51127c0c488 Author: remm <r...@apache.org> AuthorDate: Mon Aug 7 11:53:58 2023 +0200 Separate Catalina listener code --- .../ciphers/OpenSSLCipherConfigurationParser.java | 1 + .../util/net/openssl/panama/OpenSSLContext.java | 12 +- .../util/net/openssl/panama/OpenSSLEngine.java | 2 +- ...LLifecycleListener.java => OpenSSLLibrary.java} | 126 +++---- .../openssl/panama/OpenSSLLifecycleListener.java | 362 +-------------------- .../net/openssl/panama/LocalStrings.properties | 32 +- 6 files changed, 76 insertions(+), 459 deletions(-) diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java index a32bb33c2d..13be8d5eae 100644 --- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java +++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java @@ -712,6 +712,7 @@ public class OpenSSLCipherConfigurationParser { init(); } String[] elements = expression.split(SEPARATOR); + // TODO: Handle PROFILE= using OpenSSL (if present, otherwise warn), then replace elements with that LinkedHashSet<Cipher> ciphers = new LinkedHashSet<>(); Set<Cipher> removedCiphers = new HashSet<>(); for (String element : elements) { diff --git a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java index 5030c04bb7..c482025a79 100644 --- a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java +++ b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
@@ -197,7 +197,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { // Check that OpenSSL was initialized if (!OpenSSLStatus.isInitialized()) { try { - OpenSSLLifecycleListener.init(); + OpenSSLLibrary.init(); } catch (Exception e) { throw new SSLException(e); } @@ -775,9 +775,9 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { if ((type == EVP_PKEY_RSA()) || (type == EVP_PKEY_DSA())) { keylen = (OPENSSL_3 ? EVP_PKEY_get_bits(pkey) : EVP_PKEY_bits(pkey)); } - for (int i = 0; i < OpenSSLLifecycleListener.dhParameters.length; i++) { - if (keylen >= OpenSSLLifecycleListener.dhParameters[i].min) { - return OpenSSLLifecycleListener.dhParameters[i].dh; + for (int i = 0; i < OpenSSLLibrary.dhParameters.length; i++) { + if (keylen >= OpenSSLLibrary.dhParameters[i].min) { + return OpenSSLLibrary.dhParameters[i].dh; } } return MemorySegment.NULL; @@ -1053,8 +1053,8 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { } BIO_free(bio); if (MemorySegment.NULL.equals(key)) { - if (!MemorySegment.NULL.equals(OpenSSLLifecycleListener.enginePointer)) { - key = ENGINE_load_private_key(OpenSSLLifecycleListener.enginePointer, certificateKeyFileNative, + if (!MemorySegment.NULL.equals(OpenSSLLibrary.enginePointer)) { + key = ENGINE_load_private_key(OpenSSLLibrary.enginePointer, certificateKeyFileNative, MemorySegment.NULL, MemorySegment.NULL); } } diff --git a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java index e64dee7409..3b4073d833 100644 --- a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java +++ b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java 
@@ -102,7 +102,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn throw new IllegalStateException(e); } - OpenSSLLifecycleListener.initLibrary(); + OpenSSLLibrary.initLibrary(); final Set<String> availableCipherSuites = new LinkedHashSet<>(128); try (var localArena = Arena.ofConfined()) { diff --git a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java similarity index 75% copy from modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java copy to modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java index 884e502937..97ab8f452d 100644 --- a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java +++ b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java 
@@ -25,32 +25,26 @@ import java.security.SecureRandom; import static org.apache.tomcat.util.openssl.openssl_compat_h.FIPS_mode; import static org.apache.tomcat.util.openssl.openssl_compat_h.FIPS_mode_set; import static org.apache.tomcat.util.openssl.openssl_h.*; -import org.apache.catalina.Lifecycle; -import org.apache.catalina.LifecycleEvent; -import org.apache.catalina.LifecycleListener; -import org.apache.catalina.Server; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; -import org.apache.tomcat.util.ExceptionUtils; import org.apache.tomcat.util.res.StringManager; /** - * Implementation of <code>LifecycleListener</code> that will do the global - * initialization of OpenSSL according to specified configuration parameters. - * Using the listener is completely optional, but is needed for configuration - * and full cleanup of a few native memory allocations. - * TODO: Move to o.a.catalina.core along with AprLifecycleListener + * Implementation of a global initialization of OpenSSL according to specified + * configuration parameters. + * Using this from a listener is completely optional, but is needed for + * configuration and full cleanup of a few native memory allocations. */ -public class OpenSSLLifecycleListener implements LifecycleListener { +public class OpenSSLLibrary { - private static final Log log = LogFactory.getLog(OpenSSLLifecycleListener.class); + private static final Log log = LogFactory.getLog(OpenSSLLibrary.class); /** * The string manager for this package. */ - protected static final StringManager sm = StringManager.getManager(OpenSSLLifecycleListener.class); + protected static final StringManager sm = StringManager.getManager(OpenSSLLibrary.class); // ---------------------------------------------- Properties 
@@ -86,56 +80,10 @@ public class OpenSSLLifecycleListener implements LifecycleListener { return OpenSSLStatus.isAvailable(); } - public OpenSSLLifecycleListener() { + public OpenSSLLibrary() { OpenSSLStatus.setInstanceCreated(true); } - // ---------------------------------------------- LifecycleListener Methods - - /** - * Primary entry point for startup and shutdown events. - * - * @param event The event that has occurred - */ - @Override - public void lifecycleEvent(LifecycleEvent event) { - - boolean initError = false; - if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) { - if (!(event.getLifecycle() instanceof Server)) { - log.warn(sm.getString("listener.notServer", - event.getLifecycle().getClass().getSimpleName())); - } - try { - init(); - } catch (Throwable t) { - t = ExceptionUtils.unwrapInvocationTargetException(t); - ExceptionUtils.handleThrowable(t); - log.error(sm.getString("listener.sslInit"), t); - initError = true; - } - // Failure to initialize FIPS mode is fatal - if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) && !isFIPSModeActive()) { - String errorMessage = sm.getString("listener.initializeFIPSFailed"); - Error e = new Error(errorMessage); - // Log here, because thrown error might be not logged - log.fatal(errorMessage, e); - initError = true; - } - } - if (initError || Lifecycle.AFTER_DESTROY_EVENT.equals(event.getType())) { - // Note: Without the listener, destroy will never be called (which is not a significant problem) - try { - destroy(); - } catch (Throwable t) { - t = ExceptionUtils.unwrapInvocationTargetException(t); - ExceptionUtils.handleThrowable(t); - log.info(sm.getString("listener.destroy")); - } - } - - } - static MemorySegment enginePointer = MemorySegment.NULL; static void initLibrary() { 
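Review bot: The public no-arg constructor kept at the end of this hunk, `public OpenSSLLibrary() { OpenSSLStatus.setInstanceCreated(true); }`, is now the only place in the diff that sets the instance-created flag, while the listener's own constructor doing the same is deleted in the OpenSSLLifecycleListener `@@ -53,41` hunk and no line in this diff calls `new OpenSSLLibrary()`. Every other member of OpenSSLLibrary is static, so unless a caller outside the diff instantiates it, `OpenSSLStatus.isInstanceCreated()` presumably stays false and the lazy `init()` that the copied `isAvailable()` gates on it (its body sits just above this hunk) would no longer fire when the listener is configured. I would move the side effect back to the listener, `public OpenSSLLifecycleListener() { OpenSSLStatus.setInstanceCreated(true); }`, and either drop the OpenSSLLibrary constructor or make it private so the class reads as the static utility it now is.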
@@ -262,7 +210,7 @@ public class OpenSSLLifecycleListener implements LifecycleListener { } } if (MemorySegment.NULL.equals(enginePointer)) { - throw new IllegalStateException(sm.getString("listener.engineError")); + throw new IllegalStateException(sm.getString("openssllibrary.engineError")); } } } @@ -302,7 +250,7 @@ public class OpenSSLLifecycleListener implements LifecycleListener { } if(log.isDebugEnabled()) { - log.debug(sm.getString("listener.currentFIPSMode", Integer.valueOf(fipsModeState))); + log.debug(sm.getString("openssllibrary.currentFIPSMode", Integer.valueOf(fipsModeState))); } if (null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) { @@ -313,13 +261,13 @@ public class OpenSSLLifecycleListener implements LifecycleListener { } else if ("on".equalsIgnoreCase(FIPSMode)) { if (fipsModeState == FIPS_ON) { if (!usingProviders) { - log.info(sm.getString("listener.skipFIPSInitialization")); + log.info(sm.getString("openssllibrary.skipFIPSInitialization")); } fipsModeActive = true; enterFipsMode = false; } else { if (usingProviders) { - throw new IllegalStateException(sm.getString("listener.FIPSProviderNotDefault", FIPSMode)); + throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode)); } else { enterFipsMode = true; } 
@@ -330,15 +278,15 @@ public class OpenSSLLifecycleListener implements LifecycleListener { enterFipsMode = false; } else { if (usingProviders) { - throw new IllegalStateException(sm.getString("listener.FIPSProviderNotDefault", FIPSMode)); + throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode)); } else { - throw new IllegalStateException(sm.getString("listener.requireNotInFIPSMode")); + throw new IllegalStateException(sm.getString("openssllibrary.requireNotInFIPSMode")); } } } else if ("enter".equalsIgnoreCase(FIPSMode)) { if (fipsModeState == FIPS_OFF) { if (usingProviders) { - throw new IllegalStateException(sm.getString("listener.FIPSProviderNotDefault", FIPSMode)); + throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode)); } else { enterFipsMode = true; } 
@@ -348,28 +296,28 @@ public class OpenSSLLifecycleListener implements LifecycleListener { enterFipsMode = false; } else { throw new IllegalStateException(sm.getString( - "listener.enterAlreadyInFIPSMode", Integer.valueOf(fipsModeState))); + "openssllibrary.enterAlreadyInFIPSMode", Integer.valueOf(fipsModeState))); } } } else { throw new IllegalArgumentException(sm.getString( - "listener.wrongFIPSMode", FIPSMode)); + "openssllibrary.wrongFIPSMode", FIPSMode)); } if (enterFipsMode) { - log.info(sm.getString("listener.initializingFIPS")); + log.info(sm.getString("openssllibrary.initializingFIPS")); fipsModeState = FIPS_mode_set(FIPS_ON); if (fipsModeState != FIPS_ON) { // This case should be handled by the native method, // but we'll make absolutely sure, here. - String message = sm.getString("listener.initializeFIPSFailed"); + String message = sm.getString("openssllibrary.initializeFIPSFailed"); log.error(message); throw new IllegalStateException(message); } fipsModeActive = true; - log.info(sm.getString("listener.initializeFIPSSuccess")); + log.info(sm.getString("openssllibrary.initializeFIPSSuccess")); } if (usingProviders && fipsModeActive) { @@ -377,7 +325,7 @@ public class OpenSSLLifecycleListener implements LifecycleListener { } } - log.info(sm.getString("listener.initializedOpenSSL", OpenSSL_version(0).getString(0))); + log.info(sm.getString("openssllibrary.initializedOpenSSL", OpenSSL_version(0).getString(0))); OpenSSLStatus.setAvailable(true); } } 
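Review bot: The key rename in these hunks stops one line short: the `log.info(sm.getString("aprListener.usingFIPSProvider"))` call that sits just above the `@@ -377,7` hunk (visible in the removed copy in the OpenSSLLifecycleListener diff) keeps its `aprListener.` prefix while every neighbouring lookup becomes `openssllibrary.*`. The LocalStrings.properties hunk in this commit defines no such key, so unless one exists elsewhere in that file the FIPS-provider message would not resolve to a readable line. I would rename it to `log.info(sm.getString("openssllibrary.usingFIPSProvider"));` and add the matching property next to the other `openssllibrary.*` entries. The enclosing `init()` starts and ends outside these hunks.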
@@ -405,55 +353,55 @@ public class OpenSSLLifecycleListener implements LifecycleListener { } } - public String getSSLEngine() { + public static String getSSLEngine() { return SSLEngine; } - public void setSSLEngine(String SSLEngine) { - if (!SSLEngine.equals(OpenSSLLifecycleListener.SSLEngine)) { + public static void setSSLEngine(String SSLEngine) { + if (!SSLEngine.equals(OpenSSLLibrary.SSLEngine)) { // Ensure that the SSLEngine is consistent with that used for SSL init if (OpenSSLStatus.isInitialized()) { throw new IllegalStateException( - sm.getString("listener.tooLateForSSLEngine")); + sm.getString("openssllibrary.tooLateForSSLEngine")); } - OpenSSLLifecycleListener.SSLEngine = SSLEngine; + OpenSSLLibrary.SSLEngine = SSLEngine; } } - public String getSSLRandomSeed() { + public static String getSSLRandomSeed() { return SSLRandomSeed; } - public void setSSLRandomSeed(String SSLRandomSeed) { - if (!SSLRandomSeed.equals(OpenSSLLifecycleListener.SSLRandomSeed)) { + public static void setSSLRandomSeed(String SSLRandomSeed) { + if (!SSLRandomSeed.equals(OpenSSLLibrary.SSLRandomSeed)) { // Ensure that the random seed is consistent with that used for SSL init if (OpenSSLStatus.isInitialized()) { throw new IllegalStateException( - sm.getString("listener.tooLateForSSLRandomSeed")); + sm.getString("openssllibrary.tooLateForSSLRandomSeed")); } - OpenSSLLifecycleListener.SSLRandomSeed = SSLRandomSeed; + OpenSSLLibrary.SSLRandomSeed = SSLRandomSeed; } } - public String getFIPSMode() { + public static String getFIPSMode() { return FIPSMode; } - public void setFIPSMode(String FIPSMode) { - if (!FIPSMode.equals(OpenSSLLifecycleListener.FIPSMode)) { + public static void setFIPSMode(String FIPSMode) { + if (!FIPSMode.equals(OpenSSLLibrary.FIPSMode)) { // Ensure that the FIPS mode is consistent with that used for SSL init if (OpenSSLStatus.isInitialized()) { throw new IllegalStateException( - sm.getString("listener.tooLateForFIPSMode")); + 
sm.getString("openssllibrary.tooLateForFIPSMode")); } - OpenSSLLifecycleListener.FIPSMode = FIPSMode; + OpenSSLLibrary.FIPSMode = FIPSMode; } } - public boolean isFIPSModeActive() { + public static boolean isFIPSModeActive() { return fipsModeActive; } diff --git a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java index 884e502937..d2c8368e3c 100644 --- a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java +++ b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java @@ -17,14 +17,6 @@ package org.apache.tomcat.util.net.openssl.panama; -import java.lang.foreign.Arena; -import java.lang.foreign.MemorySegment; -import java.lang.foreign.ValueLayout; -import java.security.SecureRandom; - -import static org.apache.tomcat.util.openssl.openssl_compat_h.FIPS_mode; -import static org.apache.tomcat.util.openssl.openssl_compat_h.FIPS_mode_set; -import static org.apache.tomcat.util.openssl.openssl_h.*; import org.apache.catalina.Lifecycle; import org.apache.catalina.LifecycleEvent; import org.apache.catalina.LifecycleListener; 
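Review bot: The setters made static in the `@@ -405,55` hunk (`setSSLEngine`, `setSSLRandomSeed`, `setFIPSMode`) become the library's public configuration API now that the listener only delegates to them, but none carries Javadoc. I would add `@throws IllegalStateException if OpenSSL has already been initialized` to each, and on `setFIPSMode` list the values the init code branches on, `off`, `on`, `require` and `enter`, with `setSSLEngine` noting `on`, `off`, `auto` or an engine id and `setSSLRandomSeed` noting `builtin` or a seed file path, as the init hunks show. A short class-level sentence that the setters must be called before `init()` would also help, because the `OpenSSLStatus.isInitialized()` guard is currently the only place that contract is visible. The enclosing class continues outside the hunk.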
@@ -53,41 +45,8 @@ public class OpenSSLLifecycleListener implements LifecycleListener { protected static final StringManager sm = StringManager.getManager(OpenSSLLifecycleListener.class); - // ---------------------------------------------- Properties - protected static String SSLEngine = "on"; //default on - protected static String FIPSMode = "off"; // default off, valid only when SSLEngine="on" - protected static String SSLRandomSeed = "builtin"; - protected static boolean fipsModeActive = false; - - /** - * The "FIPS mode" level that we use as the argument to OpenSSL method - * <code>FIPS_mode_set()</code> to enable FIPS mode and that we expect as - * the return value of <code>FIPS_mode()</code> when FIPS mode is enabled. - * <p> - * In the future the OpenSSL library might grow support for different - * non-zero "FIPS" modes that specify different allowed subsets of ciphers - * or whatever, but nowadays only "1" is the supported value. - * </p> - * @see <a href="http://wiki.openssl.org/index.php/FIPS_mode_set%28%29">OpenSSL method FIPS_mode_set()</a> - * @see <a href="http://wiki.openssl.org/index.php/FIPS_mode%28%29">OpenSSL method FIPS_mode()</a> - */ - private static final int FIPS_ON = 1; - - private static final int FIPS_OFF = 0; - - protected static final Object lock = new Object(); - public static boolean isAvailable() { - if (OpenSSLStatus.isInstanceCreated()) { - synchronized (lock) { - init(); - } - } - return OpenSSLStatus.isAvailable(); - } - - public OpenSSLLifecycleListener() { - OpenSSLStatus.setInstanceCreated(true); + return OpenSSLLibrary.isAvailable(); } // ---------------------------------------------- LifecycleListener Methods 
@@ -107,16 +66,16 @@ public class OpenSSLLifecycleListener implements LifecycleListener { event.getLifecycle().getClass().getSimpleName())); } try { - init(); + OpenSSLLibrary.init(); } catch (Throwable t) { t = ExceptionUtils.unwrapInvocationTargetException(t); ExceptionUtils.handleThrowable(t); - log.error(sm.getString("listener.sslInit"), t); + log.error(sm.getString("openssllistener.sslInit"), t); initError = true; } // Failure to initialize FIPS mode is fatal - if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) && !isFIPSModeActive()) { - String errorMessage = sm.getString("listener.initializeFIPSFailed"); + if (!(null == OpenSSLLibrary.FIPSMode || "off".equalsIgnoreCase(OpenSSLLibrary.FIPSMode)) && !isFIPSModeActive()) { + String errorMessage = sm.getString("openssllistener.initializeFIPSFailed"); Error e = new Error(errorMessage); // Log here, because thrown error might be not logged log.fatal(errorMessage, e); 
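Review bot: The FIPS fatality check in this hunk reads the library's static field directly, `OpenSSLLibrary.FIPSMode`, even though the same commit adds `OpenSSLLibrary.getFIPSMode()` and the listener's own getter now delegates to it. The field access only compiles because both classes still share a package, which would break if the listener is later moved next to AprLifecycleListener as the old class comment suggested, and it bypasses the accessor the rest of the listener now uses. I would change it to `String fipsMode = OpenSSLLibrary.getFIPSMode();` followed by `if (!(null == fipsMode || "off".equalsIgnoreCase(fipsMode)) && !isFIPSModeActive()) {`. The enclosing `lifecycleEvent` starts outside the hunk.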
@@ -126,335 +85,42 @@ public class OpenSSLLifecycleListener implements LifecycleListener { if (initError || Lifecycle.AFTER_DESTROY_EVENT.equals(event.getType())) { // Note: Without the listener, destroy will never be called (which is not a significant problem) try { - destroy(); + OpenSSLLibrary.destroy(); } catch (Throwable t) { t = ExceptionUtils.unwrapInvocationTargetException(t); ExceptionUtils.handleThrowable(t); - log.info(sm.getString("listener.destroy")); - } - } - - } - - static MemorySegment enginePointer = MemorySegment.NULL; - - static void initLibrary() { - synchronized (lock) { - if (OpenSSLStatus.isLibraryInitialized()) { - return; - } - OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN(), MemorySegment.NULL); - OpenSSLStatus.setLibraryInitialized(true); - } - } - - /* - { BN_get_rfc3526_prime_8192, NULL, 6145 }, - { BN_get_rfc3526_prime_6144, NULL, 4097 }, - { BN_get_rfc3526_prime_4096, NULL, 3073 }, - { BN_get_rfc3526_prime_3072, NULL, 2049 }, - { BN_get_rfc3526_prime_2048, NULL, 1025 }, - { BN_get_rfc2409_prime_1024, NULL, 0 } - */ - static final class DHParam { - final MemorySegment dh; - final int min; - private DHParam(MemorySegment dh, int min) { - this.dh = dh; - this.min = min; - } - } - static final DHParam[] dhParameters = new DHParam[6]; - - private static void initDHParameters() { - var dh = DH_new(); - var p = BN_get_rfc3526_prime_8192(MemorySegment.NULL); - var g = BN_new(); - BN_set_word(g, 2); - DH_set0_pqg(dh, p, MemorySegment.NULL, g); - dhParameters[0] = new DHParam(dh, 6145); - dh = DH_new(); - p = BN_get_rfc3526_prime_6144(MemorySegment.NULL); - g = BN_new(); - BN_set_word(g, 2); - DH_set0_pqg(dh, p, MemorySegment.NULL, g); - dhParameters[1] = new DHParam(dh, 4097); - dh = DH_new(); - p = BN_get_rfc3526_prime_4096(MemorySegment.NULL); - g = BN_new(); - BN_set_word(g, 2); - DH_set0_pqg(dh, p, MemorySegment.NULL, g); - dhParameters[2] = new DHParam(dh, 3073); - dh = DH_new(); - p = BN_get_rfc3526_prime_3072(MemorySegment.NULL); - 
g = BN_new(); - BN_set_word(g, 2); - DH_set0_pqg(dh, p, MemorySegment.NULL, g); - dhParameters[3] = new DHParam(dh, 2049); - dh = DH_new(); - p = BN_get_rfc3526_prime_2048(MemorySegment.NULL); - g = BN_new(); - BN_set_word(g, 2); - DH_set0_pqg(dh, p, MemorySegment.NULL, g); - dhParameters[4] = new DHParam(dh, 1025); - dh = DH_new(); - p = BN_get_rfc2409_prime_1024(MemorySegment.NULL); - g = BN_new(); - BN_set_word(g, 2); - DH_set0_pqg(dh, p, MemorySegment.NULL, g); - dhParameters[5] = new DHParam(dh, 0); - } - - private static void freeDHParameters() { - for (int i = 0; i < dhParameters.length; i++) { - if (dhParameters[i] != null) { - MemorySegment dh = dhParameters[i].dh; - if (dh != null && !MemorySegment.NULL.equals(dh)) { - DH_free(dh); - dhParameters[i] = null; - } - } - } - } - - static void init() { - synchronized (lock) { - - if (OpenSSLStatus.isInitialized()) { - return; - } - OpenSSLStatus.setInitialized(true); - - if ("off".equalsIgnoreCase(SSLEngine)) { - return; - } - - try (var memorySession = Arena.ofConfined()) { - - // Main library init - initLibrary(); - - // Setup engine - String engineName = "on".equalsIgnoreCase(SSLEngine) ? 
null : SSLEngine; - if (engineName != null) { - if ("auto".equals(engineName)) { - ENGINE_register_all_complete(); - } else { - var engine = memorySession.allocateFrom(engineName); - enginePointer = ENGINE_by_id(engine); - if (MemorySegment.NULL.equals(enginePointer)) { - enginePointer = ENGINE_by_id(memorySession.allocateFrom("dynamic")); - if (enginePointer != null) { - if (ENGINE_ctrl_cmd_string(enginePointer, memorySession.allocateFrom("SO_PATH"), engine, 0) == 0 - || ENGINE_ctrl_cmd_string(enginePointer, memorySession.allocateFrom("LOAD"), - MemorySegment.NULL, 0) == 0) { - // Engine load error - ENGINE_free(enginePointer); - enginePointer = MemorySegment.NULL; - } - } - } - if (!MemorySegment.NULL.equals(enginePointer)) { - if (ENGINE_set_default(enginePointer, ENGINE_METHOD_ALL()) == 0) { - // Engine load error - ENGINE_free(enginePointer); - enginePointer = MemorySegment.NULL; - } - } - if (MemorySegment.NULL.equals(enginePointer)) { - throw new IllegalStateException(sm.getString("listener.engineError")); - } - } - } - - // Set the random seed, translated to the Java way - boolean seedDone = false; - if (SSLRandomSeed != null || SSLRandomSeed.length() != 0 || !"builtin".equals(SSLRandomSeed)) { - var randomSeed = memorySession.allocateFrom(SSLRandomSeed); - seedDone = RAND_load_file(randomSeed, 128) > 0; - } - if (!seedDone) { - // Use a regular random to get some bytes - SecureRandom random = new SecureRandom(); - byte[] randomBytes = random.generateSeed(128); - RAND_seed(memorySession.allocateFrom(ValueLayout.JAVA_BYTE, randomBytes), 128); - } - - initDHParameters(); - - // OpenSSL 3 onwards uses providers - boolean usingProviders = (OpenSSL_version_num() >= 0x3000000fL); - - if (usingProviders || !(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode))) { - fipsModeActive = false; - final boolean enterFipsMode; - int fipsModeState = FIPS_OFF; - if (usingProviders) { - var md = EVP_MD_fetch(MemorySegment.NULL, memorySession.allocateFrom("SHA-512"), 
MemorySegment.NULL); - var provider = EVP_MD_get0_provider(md); - String name = OSSL_PROVIDER_get0_name(provider).getString(0); - EVP_MD_free(md); - if ("fips".equals(name)) { - fipsModeState = FIPS_ON; - } - } else { - fipsModeState = FIPS_mode(); - } - - if(log.isDebugEnabled()) { - log.debug(sm.getString("listener.currentFIPSMode", Integer.valueOf(fipsModeState))); - } - - if (null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) { - if (fipsModeState == FIPS_ON) { - fipsModeActive = true; - } - enterFipsMode = false; - } else if ("on".equalsIgnoreCase(FIPSMode)) { - if (fipsModeState == FIPS_ON) { - if (!usingProviders) { - log.info(sm.getString("listener.skipFIPSInitialization")); - } - fipsModeActive = true; - enterFipsMode = false; - } else { - if (usingProviders) { - throw new IllegalStateException(sm.getString("listener.FIPSProviderNotDefault", FIPSMode)); - } else { - enterFipsMode = true; - } - } - } else if ("require".equalsIgnoreCase(FIPSMode)) { - if (fipsModeState == FIPS_ON) { - fipsModeActive = true; - enterFipsMode = false; - } else { - if (usingProviders) { - throw new IllegalStateException(sm.getString("listener.FIPSProviderNotDefault", FIPSMode)); - } else { - throw new IllegalStateException(sm.getString("listener.requireNotInFIPSMode")); - } - } - } else if ("enter".equalsIgnoreCase(FIPSMode)) { - if (fipsModeState == FIPS_OFF) { - if (usingProviders) { - throw new IllegalStateException(sm.getString("listener.FIPSProviderNotDefault", FIPSMode)); - } else { - enterFipsMode = true; - } - } else { - if (usingProviders) { - fipsModeActive = true; - enterFipsMode = false; - } else { - throw new IllegalStateException(sm.getString( - "listener.enterAlreadyInFIPSMode", Integer.valueOf(fipsModeState))); - } - } - } else { - throw new IllegalArgumentException(sm.getString( - "listener.wrongFIPSMode", FIPSMode)); - } - - if (enterFipsMode) { - log.info(sm.getString("listener.initializingFIPS")); - - fipsModeState = FIPS_mode_set(FIPS_ON); - if 
(fipsModeState != FIPS_ON) { - // This case should be handled by the native method, - // but we'll make absolutely sure, here. - String message = sm.getString("listener.initializeFIPSFailed"); - log.error(message); - throw new IllegalStateException(message); - } - - fipsModeActive = true; - log.info(sm.getString("listener.initializeFIPSSuccess")); - } - - if (usingProviders && fipsModeActive) { - log.info(sm.getString("aprListener.usingFIPSProvider")); - } - } - - log.info(sm.getString("listener.initializedOpenSSL", OpenSSL_version(0).getString(0))); - OpenSSLStatus.setAvailable(true); + log.info(sm.getString("openssllistener.destroy")); } } - } - - static void destroy() { - synchronized (lock) { - if (!OpenSSLStatus.isInitialized()) { - return; - } - OpenSSLStatus.setAvailable(false); - try { - freeDHParameters(); - if (!MemorySegment.NULL.equals(enginePointer)) { - ENGINE_free(enginePointer); - } - if (OpenSSL_version_num() < 0x3000000fL) { - FIPS_mode_set(0); - } - } finally { - OpenSSLStatus.setInitialized(false); - fipsModeActive = false; - } - } } public String getSSLEngine() { - return SSLEngine; + return OpenSSLLibrary.getSSLEngine(); } public void setSSLEngine(String SSLEngine) { - if (!SSLEngine.equals(OpenSSLLifecycleListener.SSLEngine)) { - // Ensure that the SSLEngine is consistent with that used for SSL init - if (OpenSSLStatus.isInitialized()) { - throw new IllegalStateException( - sm.getString("listener.tooLateForSSLEngine")); - } - - OpenSSLLifecycleListener.SSLEngine = SSLEngine; - } + OpenSSLLibrary.setSSLEngine(SSLEngine); } public String getSSLRandomSeed() { - return SSLRandomSeed; + return OpenSSLLibrary.getSSLRandomSeed(); } public void setSSLRandomSeed(String SSLRandomSeed) { - if (!SSLRandomSeed.equals(OpenSSLLifecycleListener.SSLRandomSeed)) { - // Ensure that the random seed is consistent with that used for SSL init - if (OpenSSLStatus.isInitialized()) { - throw new IllegalStateException( - 
sm.getString("listener.tooLateForSSLRandomSeed")); - } - - OpenSSLLifecycleListener.SSLRandomSeed = SSLRandomSeed; - } + OpenSSLLibrary.setSSLRandomSeed(SSLRandomSeed); } public String getFIPSMode() { - return FIPSMode; + return OpenSSLLibrary.getFIPSMode(); } public void setFIPSMode(String FIPSMode) { - if (!FIPSMode.equals(OpenSSLLifecycleListener.FIPSMode)) { - // Ensure that the FIPS mode is consistent with that used for SSL init - if (OpenSSLStatus.isInitialized()) { - throw new IllegalStateException( - sm.getString("listener.tooLateForFIPSMode")); - } - - OpenSSLLifecycleListener.FIPSMode = FIPSMode; - } + OpenSSLLibrary.setFIPSMode(FIPSMode); } public boolean isFIPSModeActive() { - return fipsModeActive; + return OpenSSLLibrary.isFIPSModeActive(); } public static boolean isInstanceCreated() { diff --git a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties index 92d0d74b91..4cfc82eb75 100644 --- a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties +++ b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties 
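Review bot: The catch block around `OpenSSLLibrary.destroy()` at the top of this hunk still discards the throwable: `log.info(sm.getString("openssllistener.destroy"));` logs "Failed shutdown of OpenSSL" without `t`, so a failed native cleanup leaves no stack trace for whoever has to diagnose it. Since the line is being touched for the key rename anyway, I would pass the cause through, `log.info(sm.getString("openssllistener.destroy"), t);`, and consider `warn` given the message describes a failure. The enclosing `lifecycleEvent` starts outside the hunk; the delegating getters and setters later in the hunk look fine.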
@@ -79,19 +79,21 @@ opensslconf.unknownCommandType=SSL_CONF command [{0}] type unknown sessionContext.nullTicketKeys=Null keys -listener.currentFIPSMode=Current FIPS mode: [{0}] -listener.destroy=Failed shutdown of OpenSSL -listener.engineError=Error creating engine -listener.enterAlreadyInFIPSMode=AprLifecycleListener is configured to force entering FIPS mode, but library is already in FIPS mode [{0}] -listener.initializeFIPSFailed=Failed to enter FIPS mode -listener.initializeFIPSSuccess=Successfully entered FIPS mode -listener.initializedOpenSSL=OpenSSL successfully initialized [{0}] -listener.initializingFIPS=Initializing FIPS mode... -listener.requireNotInFIPSMode=The listener is configured to require the library to already be in FIPS mode, but it was not in FIPS mode -listener.skipFIPSInitialization=Already in FIPS mode; skipping FIPS initialization. -listener.sslInit=Failed to initialize the SSLEngine. -listener.tooLateForFIPSMode=Cannot setFIPSMode: SSL has already been initialized -listener.tooLateForSSLEngine=Cannot setSSLEngine: SSL has already been initialized -listener.tooLateForSSLRandomSeed=Cannot setSSLRandomSeed: SSL has already been initialized -listener.wrongFIPSMode=Unexpected value of FIPSMode option of AprLifecycleListener: [{0}] +openssllistener.destroy=Failed shutdown of OpenSSL +openssllistener.initializeFIPSFailed=Failed to enter FIPS mode +openssllistener.sslInit=Failed to initialize the SSLEngine. + +openssllibrary.currentFIPSMode=Current FIPS mode: [{0}] +openssllibrary.engineError=Error creating engine +openssllibrary.enterAlreadyInFIPSMode=AprLifecycleListener is configured to force entering FIPS mode, but library is already in FIPS mode [{0}] +openssllibrary.initializeFIPSFailed=Failed to enter FIPS mode +openssllibrary.initializeFIPSSuccess=Successfully entered FIPS mode +openssllibrary.initializedOpenSSL=OpenSSL successfully initialized [{0}] +openssllibrary.initializingFIPS=Initializing FIPS mode... 
+openssllibrary.requireNotInFIPSMode=The listener is configured to require the library to already be in FIPS mode, but it was not in FIPS mode +openssllibrary.skipFIPSInitialization=Already in FIPS mode; skipping FIPS initialization. +openssllibrary.tooLateForFIPSMode=Cannot setFIPSMode: SSL has already been initialized +openssllibrary.tooLateForSSLEngine=Cannot setSSLEngine: SSL has already been initialized +openssllibrary.tooLateForSSLRandomSeed=Cannot setSSLRandomSeed: SSL has already been initialized +openssllibrary.wrongFIPSMode=Unexpected value of FIPSMode option of AprLifecycleListener: [{0}] --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
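Review bot: Three of the new `openssllibrary.*` messages still name the wrong component: `openssllibrary.enterAlreadyInFIPSMode` and `openssllibrary.wrongFIPSMode` say "AprLifecycleListener", and `openssllibrary.requireNotInFIPSMode` says "The listener", although these strings are now emitted by OpenSSLLibrary in the panama module, whose listener is OpenSSLLifecycleListener. An operator chasing a FIPS failure in the logs would be pointed at the APR connector instead. I would reword them, e.g. `openssllibrary.enterAlreadyInFIPSMode=OpenSSL is configured to force entering FIPS mode, but the library is already in FIPS mode [{0}]` and `openssllibrary.wrongFIPSMode=Unexpected value of FIPSMode option: [{0}]`, and drop "The listener" from the require message.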