This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new d96ab437d6 Use FFM to resolve OpenSSL profiles
d96ab437d6 is described below
commit d96ab437d6be7fffdc07817ff2b1c988d74be1c2
Author: remm <r...@apache.org>
AuthorDate: Tue Oct 24 11:53:48 2023 +0200
Use FFM to resolve OpenSSL profiles
---
 java/org/apache/tomcat/util/net/SSLUtilBase.java | 4 ++--
 .../ciphers/OpenSSLCipherConfigurationParser.java | 21 +++++++++++++++------
 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index 70735293eb..410a80c5d8 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -59,6 +59,7 @@ import javax.net.ssl.X509KeyManager;

 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.file.ConfigFileLoader;
 import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
 import org.apache.tomcat.util.net.jsse.PEMFile;
@@ -124,9 +125,8 @@ public abstract class SSLUtilBase implements SSLUtil {
 sslHostConfig.setTls13RenegotiationAvailable(isTls13RenegAuthAvailable());

 // Calculate the enabled ciphers
- if (/*!JreCompat.isJre22Available() && */sslHostConfig.getCiphers().startsWith("PROFILE=")) {
+ if (!JreCompat.isJre22Available() && sslHostConfig.getCiphers().startsWith("PROFILE=")) {
 // OpenSSL profiles cannot be resolved without Java 22
- // TODO: sslHostConfig should query that with Panama if possible
 this.enabledCiphers = new String[0];
 } else {
 boolean warnOnSkip = !sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS);
diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 2599bf24c2..917f72074a 100644
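Review bot: The re-enabled guard in the `if` tests only `JreCompat.isJre22Available()`, so on Java 22 a `PROFILE=` cipher string now takes the `else` branch even when the OpenSSL FFM library was never initialised. The parser changed in this same commit only logs an error in that case and keeps the unresolved element, so what ends up in `enabledCiphers` depends on code outside this hunk (the `else` body continues past it). It is worth confirming that an unresolved profile yields an empty cipher list rather than some fallback set, and recording that next to the guard, e.g. `// On Java 22+ the parser resolves PROFILE= through OpenSSL; an unresolved profile must not widen the enabled ciphers`.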
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -30,7 +30,10 @@ import java.util.Set;

 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
 import org.apache.tomcat.util.res.StringManager;

 /**
@@ -714,13 +717,20 @@ public class OpenSSLCipherConfigurationParser {
 String[] elements = expression.split(SEPARATOR);
 // Handle PROFILE= using OpenSSL (if present, otherwise warn), then replace elements with that
 if (elements.length == 1 && elements[0].startsWith("PROFILE=")) {
- // Only use with Panama and if OpenSSL has been successfully loaded before
- /* FIXME: Merge OpenSSL Panama code
+ // Only use with Java 22 and if OpenSSL has been successfully loaded before
 if (JreCompat.isJre22Available()) {
 if (OpenSSLStatus.isLibraryInitialized()) {
- List<String> cipherList = OpenSSLLibrary.findCiphers(elements[0]);
- // Replace the original list with the profile contents
- elements = cipherList.toArray(new String[0]);
+ try {
+ Class<?> openSSLLibraryClass = Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ @SuppressWarnings("unchecked")
+ List<String> cipherList = (List<String>) openSSLLibraryClass.getMethod("findCiphers").invoke(null, elements[0]);
+ // Replace the original list with the profile contents
+ elements = cipherList.toArray(new String[0]);
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ log.error(sm.getString("opensslCipherConfigurationParser.unknownProfile", elements[0]), t);
+ }
 } else {
 // OpenSSL is not available
 log.error(sm.getString("opensslCipherConfigurationParser.unknownProfile", elements[0]));
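Review bot: `openSSLLibraryClass.getMethod("findCiphers")` looks up a public method with no parameters, yet the chained `invoke(null, elements[0])` passes one argument; unless a no-argument overload exists, the lookup throws `NoSuchMethodException` and every `PROFILE=` resolution ends in the catch block. The removed direct call was `OpenSSLLibrary.findCiphers(elements[0])`, so the lookup should name the parameter type: `openSSLLibraryClass.getMethod("findCiphers", String.class).invoke(null, elements[0])`. After the catch, `elements` still holds the literal `PROFILE=...` entry and parsing continues outside the hunk, so the failure shows up only as a log line while the effective cipher configuration differs from what the administrator requested.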
@@ -730,7 +740,6 @@ public class OpenSSLCipherConfigurationParser {
 // but it might still work if using tomcat-native
 log.info(sm.getString("opensslCipherConfigurationParser.unknownProfile", elements[0]));
 }
- */
 }
 LinkedHashSet<Cipher> ciphers = new LinkedHashSet<>();
 Set<Cipher> removedCiphers = new HashSet<>();
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org