This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new a5180e740d Move ciphers finder
a5180e740d is described below
commit a5180e740d4dfc39431d55f05fbb36a4fa816dfb
Author: remm <[email protected]>
AuthorDate: Mon Aug 7 16:33:37 2023 +0200
Move ciphers finder
It will eventually need to be used by OpenSSLCipherConfigurationParser.parse to
resolve PROFILE=, so this prepares for that
---
.../util/net/openssl/panama/OpenSSLEngine.java | 44 +-------------------
.../util/net/openssl/panama/OpenSSLLibrary.java | 48 ++++++++++++++++++++++
.../net/openssl/panama/LocalStrings.properties | 2 +-
3 files changed, 51 insertions(+), 43 deletions(-)
diff --git
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 3b4073d833..aa4fb1d2b8 100644
---
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -102,33 +102,8 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
throw new IllegalStateException(e);
}
- OpenSSLLibrary.initLibrary();
-
final Set<String> availableCipherSuites = new LinkedHashSet<>(128);
- try (var localArena = Arena.ofConfined()) {
- var sslCtx = SSL_CTX_new(TLS_server_method());
- try {
- SSL_CTX_set_options(sslCtx, SSL_OP_ALL());
- SSL_CTX_set_cipher_list(sslCtx,
localArena.allocateFrom("ALL"));
- var ssl = SSL_new(sslCtx);
- SSL_set_accept_state(ssl);
- try {
- for (String c : getCiphers(ssl)) {
- // Filter out bad input.
- if (c == null || c.length() == 0 ||
availableCipherSuites.contains(c)) {
- continue;
- }
-
availableCipherSuites.add(OpenSSLCipherConfigurationParser.openSSLToJsse(c));
- }
- } finally {
- SSL_free(ssl);
- }
- } finally {
- SSL_CTX_free(sslCtx);
- }
- } catch (Exception e) {
- log.warn(sm.getString("engine.ciphersFailure"), e);
- }
+ availableCipherSuites.addAll(OpenSSLLibrary.findCiphers("ALL"));
AVAILABLE_CIPHER_SUITES =
Collections.unmodifiableSet(availableCipherSuites);
HashSet<String> protocols = new HashSet<>();
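Review bot: The static initializer now depends on a side effect of the call it makes, because the explicit `OpenSSLLibrary.initLibrary()` that preceded the cipher probe was removed and library initialisation only happens inside `findCiphers`; the ordering is preserved today, but nothing at this point in the initializer says so. A one-line comment above the new call would protect the next edit: `// findCiphers() also runs OpenSSLLibrary.initLibrary(); any OpenSSL call added above this line must initialise the library first`. The enclosing static initializer starts before and ends after this hunk.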
@@ -142,21 +117,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
IMPLEMENTED_PROTOCOLS_SET = Collections.unmodifiableSet(protocols);
}
- private static String[] getCiphers(MemorySegment ssl) {
- MemorySegment sk = SSL_get_ciphers(ssl);
- int len = OPENSSL_sk_num(sk);
- if (len <= 0) {
- return null;
- }
- ArrayList<String> ciphers = new ArrayList<>(len);
- for (int i = 0; i < len; i++) {
- MemorySegment cipher = OPENSSL_sk_value(sk, i);
- MemorySegment cipherName = SSL_CIPHER_get_name(cipher);
- ciphers.add(cipherName.getString(0));
- }
- return ciphers.toArray(new String[0]);
- }
-
private static final int MAX_PLAINTEXT_LENGTH = 16 * 1024; // 2^14
private static final int MAX_COMPRESSED_LENGTH = MAX_PLAINTEXT_LENGTH +
1024;
private static final int MAX_CIPHERTEXT_LENGTH = MAX_COMPRESSED_LENGTH +
1024;
@@ -718,7 +678,7 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
if (destroyed) {
return new String[0];
}
- String[] enabled = getCiphers(state.ssl);
+ String[] enabled = OpenSSLLibrary.getCiphers(state.ssl);
if (enabled == null) {
return new String[0];
} else {
diff --git
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java
index 18a4915681..9ed7f76f2d 100644
---
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java
+++
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java
@@ -21,12 +21,15 @@ import java.lang.foreign.Arena;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.ValueLayout;
import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.List;
import static org.apache.tomcat.util.openssl.openssl_compat_h.FIPS_mode;
import static org.apache.tomcat.util.openssl.openssl_compat_h.FIPS_mode_set;
import static org.apache.tomcat.util.openssl.openssl_h.*;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import
org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.res.StringManager;
@@ -396,4 +399,49 @@ public class OpenSSLLibrary {
return fipsModeActive;
}
+ public static List<String> findCiphers(String ciphers) {
+ ArrayList<String> ciphersList = new ArrayList<>();
+ try (var localArena = Arena.ofConfined()) {
+ initLibrary();
+ var sslCtx = SSL_CTX_new(TLS_server_method());
+ try {
+ SSL_CTX_set_options(sslCtx, SSL_OP_ALL());
+ SSL_CTX_set_cipher_list(sslCtx,
localArena.allocateFrom(ciphers));
+ var ssl = SSL_new(sslCtx);
+ SSL_set_accept_state(ssl);
+ try {
+ for (String c : getCiphers(ssl)) {
+ // Filter out bad input.
+ if (c == null || c.length() == 0 ||
ciphersList.contains(c)) {
+ continue;
+ }
+
ciphersList.add(OpenSSLCipherConfigurationParser.openSSLToJsse(c));
+ }
+ } finally {
+ SSL_free(ssl);
+ }
+ } finally {
+ SSL_CTX_free(sslCtx);
+ }
+ } catch (Exception e) {
+ log.warn(sm.getString("openssllibrary.ciphersFailure"), e);
+ }
+ return ciphersList;
+ }
+
+ static String[] getCiphers(MemorySegment ssl) {
+ MemorySegment sk = SSL_get_ciphers(ssl);
+ int len = OPENSSL_sk_num(sk);
+ if (len <= 0) {
+ return null;
+ }
+ ArrayList<String> ciphers = new ArrayList<>(len);
+ for (int i = 0; i < len; i++) {
+ MemorySegment cipher = OPENSSL_sk_value(sk, i);
+ MemorySegment cipherName = SSL_CIPHER_get_name(cipher);
+ ciphers.add(cipherName.getString(0));
+ }
+ return ciphers.toArray(new String[0]);
+ }
+
}
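Review bot: In `findCiphers` the duplicate filter `ciphersList.contains(c)` compares the raw OpenSSL name against a list that only ever holds the converted value from `openSSLToJsse(c)`, so it never matches; in OpenSSLEngine this was harmless because the results went into a LinkedHashSet, but here they are collected in an ArrayList and returned as-is, so a repeated stack entry, or two OpenSSL names that map to the same JSSE name if that can happen, now reaches callers as duplicates. Filtering on the converted name fixes it: `if (c == null || c.isEmpty()) { continue; }` / `String jsse = OpenSSLCipherConfigurationParser.openSSLToJsse(c);` / `if (!ciphersList.contains(jsse)) { ciphersList.add(jsse); }` (or collect into a LinkedHashSet and return `new ArrayList<>(set)`). Separately, `getCiphers` returns null when `OPENSSL_sk_num` reports no entries, so the for-each in `findCiphers` throws a NullPointerException that is caught by the generic handler and logged as "Failed getting cipher list", which misreports an empty cipher list as a failure; returning `new String[0]` instead would keep the existing `enabled == null` check in OpenSSLEngine valid while avoiding the spurious warning. The new public `findCiphers` also has no Javadoc; it should state that the argument is an OpenSSL cipher-list string passed to `SSL_CTX_set_cipher_list`, that the result holds JSSE names in OpenSSL's preference order, and that an empty list is returned after logging when the probe fails.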
diff --git
a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index 4cfc82eb75..b8b108272b 100644
---
a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++
b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -13,7 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-engine.ciphersFailure=Failed getting cipher list
engine.emptyCipherSuite=Empty cipher suite
engine.engineClosed=Engine is closed
engine.failedCipherList=Some or all of cipher list [{0}] for TLS 1.2- could
not be enabled
@@ -83,6 +82,7 @@ openssllistener.destroy=Failed shutdown of OpenSSL
openssllistener.initializeFIPSFailed=Failed to enter FIPS mode
openssllistener.sslInit=Failed to initialize the SSLEngine.
+openssllibrary.ciphersFailure=Failed getting cipher list
openssllibrary.currentFIPSMode=Current FIPS mode: [{0}]
openssllibrary.engineError=Error creating engine
openssllibrary.enterAlreadyInFIPSMode=AprLifecycleListener is configured to
force entering FIPS mode, but library is already in FIPS mode [{0}]