This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 8e9c6305f5 Use ERR_error_string_n in FFM code
8e9c6305f5 is described below
commit 8e9c6305f57d26ee64973988e473f086498df1db
Author: remm <[email protected]>
AuthorDate: Wed May 15 15:51:30 2024 +0200
Use ERR_error_string_n in FFM code
The buffer previously used was too small.
---
.../util/net/openssl/panama/OpenSSLContext.java | 8 ++++--
java/org/apache/tomcat/util/openssl/openssl_h.java | 33 ++++++++++++++++++++++
res/openssl/openssl-tomcat.conf | 1 +
webapps/docs/changelog.xml | 8 ++++++
4 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index f72606ba05..b483506d19 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -76,6 +76,8 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
private static final Cleaner cleaner = Cleaner.create();
+ private static final int OPENSSL_ERROR_MESSAGE_BUFFER_SIZE = 256;
+
private static final String defaultProtocol = "TLS";
private static final int SSL_AIDX_RSA = 0;
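Review bot: The new `OPENSSL_ERROR_MESSAGE_BUFFER_SIZE` constant added under `cleaner` gives no reason for the value 256, and the commit message only says the old 128-byte buffer was too small. Since the value comes from OpenSSL's documented minimum for ERR_error_string() and is now also the truncation length passed to ERR_error_string_n(), a one-line comment would keep the next maintainer from shrinking it again: `// OpenSSL documents a minimum of 256 bytes for ERR_error_string(); ERR_error_string_n() truncates to this length`.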
@@ -564,7 +566,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
if ((sslHostConfig.getCaCertificateFile() != null ||
sslHostConfig.getCaCertificatePath() != null)
&& SSL_CTX_load_verify_locations(state.sslCtx,
caCertificateFileNative == null ?
MemorySegment.NULL : caCertificateFileNative,
- caCertificatePathNative == null ?
MemorySegment.NULL : caCertificatePathNative) <= 0) {
+ caCertificatePathNative == null ?
MemorySegment.NULL : caCertificatePathNative) <= 0) {
logLastError("openssl.errorConfiguringLocations");
} else {
var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
@@ -1326,8 +1328,8 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
try (var localArena = Arena.ofConfined()) {
do {
// Loop until getLastErrorNumber() returns SSL_ERROR_NONE
- var buf = localArena.allocate(ValueLayout.JAVA_BYTE, 128);
- ERR_error_string(error, buf);
+ var buf = localArena.allocate(ValueLayout.JAVA_BYTE,
OPENSSL_ERROR_MESSAGE_BUFFER_SIZE);
+ ERR_error_string_n(error, buf,
OPENSSL_ERROR_MESSAGE_BUFFER_SIZE);
String err = buf.getString(0);
if (sslError == null) {
sslError = err;
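Review bot: The replacement `localArena.allocate(ValueLayout.JAVA_BYTE, OPENSSL_ERROR_MESSAGE_BUFFER_SIZE)` sits inside the `do` loop, so a fresh 256-byte native segment is allocated from the arena on every queued error even though the size is constant; moving that one line above `do {` and reusing `buf` across iterations would read the same and avoid growing the arena proportionally to the error queue. The subsequent `buf.getString(0)` depends on the buffer being NUL-terminated, which ERR_error_string_n() guarantees for any non-zero length (it truncates), so the read itself is now bounded by the segment size. The enclosing method and the `do` loop begin and end outside this hunk.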
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h.java
b/java/org/apache/tomcat/util/openssl/openssl_h.java
index 9d9d701312..3c0dcd2046 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h.java
@@ -5336,6 +5336,39 @@ public class openssl_h {
}
}
+ private static MethodHandle ERR_error_string_n$MH() {
+ class Holder {
+ static final FunctionDescriptor DESC = FunctionDescriptor.of(
+ openssl_h.C_POINTER,
+ openssl_h.C_LONG,
+ openssl_h.C_POINTER,
+ openssl_h.C_INT
+ );
+
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(
+ openssl_h.findOrThrow("ERR_error_string_n"),
+ DESC);
+ }
+ return Holder.MH;
+ }
+
+ /**
+ * {@snippet lang=c :
+ * char *ERR_error_string_n(unsigned long e, char *buf, size_t len)
+ * }
+ */
+ public static MemorySegment ERR_error_string_n(long e, MemorySegment buf,
int len) {
+ var mh$ = ERR_error_string_n$MH();
+ try {
+ if (TRACE_DOWNCALLS) {
+ traceDowncall("ERR_error_string_n", e, buf, len);
+ }
+ return (MemorySegment) mh$.invokeExact(e, buf, len);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ }
+
private static MethodHandle PKCS12_verify_mac$MH() {
class Holder {
static final FunctionDescriptor DESC = FunctionDescriptor.of(
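Review bot: The hand-written descriptor for `ERR_error_string_n` maps the `size_t len` parameter to `openssl_h.C_INT` with an `int len` in the Java signature, while the preceding `unsigned long e` correctly uses `openssl_h.C_LONG`; on LP64 platforms size_t is 64 bits, so the descriptor does not match the native signature even though the value is passed in a full integer register and happens to work in practice. As far as I recall, OpenSSL's err.h also declares the function as returning `void` rather than `char *`, so the `C_POINTER` return and the `(MemorySegment)` cast on `invokeExact` read a register the callee never set; the value is discarded by the only caller, so this is harmless today but the binding should match what jextract would generate from the header. If the rest of this generated file follows jextract's mapping (size_t → C_LONG, void → `FunctionDescriptor.ofVoid`), the binding should be rewritten as below; the caller passes an `int` constant, which widens to `long` without change. The `PKCS12_verify_mac$MH` holder that starts at the end of the hunk continues outside it.

```java
    private static MethodHandle ERR_error_string_n$MH() {
        class Holder {
            // size_t and the void return follow jextract's mapping — confirm against the header
            static final FunctionDescriptor DESC = FunctionDescriptor.ofVoid(
                openssl_h.C_LONG,
                openssl_h.C_POINTER,
                openssl_h.C_LONG
            );

            // … unchanged: downcallHandle lookup via findOrThrow("ERR_error_string_n") …
        }
        return Holder.MH;
    }

    /**
     * {@snippet lang=c :
     * void ERR_error_string_n(unsigned long e, char *buf, size_t len)
     * }
     */
    public static void ERR_error_string_n(long e, MemorySegment buf, long len) {
        var mh$ = ERR_error_string_n$MH();
        try {
            // … unchanged: TRACE_DOWNCALLS tracing …
            mh$.invokeExact(e, buf, len);
        } catch (Throwable ex$) {
            throw new AssertionError("should not reach here", ex$);
        }
    }
```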
diff --git a/res/openssl/openssl-tomcat.conf b/res/openssl/openssl-tomcat.conf
index 66ebe76847..0d75c2654d 100644
--- a/res/openssl/openssl-tomcat.conf
+++ b/res/openssl/openssl-tomcat.conf
@@ -90,6 +90,7 @@
--include-function ERR_clear_error # header:
/usr/include/openssl/err.h
--include-function ERR_error_string # header:
/usr/include/openssl/err.h
+--include-function ERR_error_string_n # header:
/usr/include/openssl/err.h
--include-function ERR_get_error # header:
/usr/include/openssl/err.h
--include-function ERR_peek_last_error # header:
/usr/include/openssl/err.h
--include-constant ERR_REASON_MASK # header:
/usr/include/openssl/err.h
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 399b83b2fa..88926a59c7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,14 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 11.0.0-M21 (markt)" rtext="in development">
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer,
+ and use ERR_error_string_n instead. (remm)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 11.0.0-M20 (markt)" rtext="release in progress">
<subsection name="Catalina">