This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 85a25f3bc6 Add basic compatibility for BoringSSL
85a25f3bc6 is described below
commit 85a25f3bc6b1c27522a0533af65973ee42c42038
Author: remm <[email protected]>
AuthorDate: Thu Jul 4 12:37:05 2024 +0200
Add basic compatibility for BoringSSL
---
.../util/net/openssl/panama/OpenSSLContext.java | 90 +++++-----
.../util/net/openssl/panama/OpenSSLEngine.java | 7 +-
.../util/net/openssl/panama/OpenSSLLibrary.java | 22 +--
.../util/openssl/openssl_h_Compatibility.java | 47 +++--
.../tomcat/util/openssl/openssl_h_Macros.java | 199 +++++++++++++++++++--
webapps/docs/changelog.xml | 4 +
6 files changed, 284 insertions(+), 85 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index e186586d78..29d017f496 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -114,8 +114,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
}
- static final boolean OPENSSL_3 = (OpenSSL_version_num() >= 0x3000000fL);
-
private final SSLHostConfig sslHostConfig;
private final SSLHostConfigCertificate certificate;
private final boolean alpn;
@@ -1053,57 +1051,61 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
// Try to read DH parameters from the (first)
SSLCertificateFile
if (index == SSL_AIDX_RSA) {
BIO_reset(certificateBIO);
- if (!OPENSSL_3) {
- var dh = PEM_read_bio_DHparams(certificateBIO,
MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
- if (!MemorySegment.NULL.equals(dh)) {
- SSL_CTX_set_tmp_dh(state.sslCtx, dh);
- DH_free(dh);
- }
- } else {
- var pkey = PEM_read_bio_Parameters(certificateBIO,
MemorySegment.NULL);
- if (!MemorySegment.NULL.equals(pkey)) {
- int numBits = EVP_PKEY_get_bits(pkey);
- if (SSL_CTX_set0_tmp_dh_pkey(state.sslCtx, pkey)
<= 0) {
- EVP_PKEY_free(pkey);
- } else {
-
log.debug(sm.getString("openssl.setCustomDHParameters",
Integer.valueOf(numBits), certificate.getCertificateFile()));
+ if (!openssl_h_Compatibility.BORINGSSL) {
+ if (!openssl_h_Compatibility.OPENSSL3) {
+ var dh = PEM_read_bio_DHparams(certificateBIO,
MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
+ if (!MemorySegment.NULL.equals(dh)) {
+ SSL_CTX_set_tmp_dh(state.sslCtx, dh);
+ DH_free(dh);
}
} else {
- String errMessage = OpenSSLLibrary.getLastError();
- if (errMessage != null) {
-
log.debug(sm.getString("openssl.errorReadingPEMParameters", errMessage,
certificate.getCertificateFile()));
+ var pkey = PEM_read_bio_Parameters(certificateBIO,
MemorySegment.NULL);
+ if (!MemorySegment.NULL.equals(pkey)) {
+ int numBits = EVP_PKEY_get_bits(pkey);
+ if (SSL_CTX_set0_tmp_dh_pkey(state.sslCtx,
pkey) <= 0) {
+ EVP_PKEY_free(pkey);
+ } else {
+
log.debug(sm.getString("openssl.setCustomDHParameters",
Integer.valueOf(numBits), certificate.getCertificateFile()));
+ }
+ } else {
+ String errMessage =
OpenSSLLibrary.getLastError();
+ if (errMessage != null) {
+
log.debug(sm.getString("openssl.errorReadingPEMParameters", errMessage,
certificate.getCertificateFile()));
+ }
+ SSL_CTX_ctrl(state.sslCtx,
SSL_CTRL_SET_DH_AUTO(), 1, MemorySegment.NULL);
}
- SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_DH_AUTO(),
1, MemorySegment.NULL);
}
}
}
// Similarly, try to read the ECDH curve name from
SSLCertificateFile...
BIO_reset(certificateBIO);
- if (!OPENSSL_3) {
- var ecparams = PEM_read_bio_ECPKParameters(certificateBIO,
MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
- if (!MemorySegment.NULL.equals(ecparams)) {
- int nid = EC_GROUP_get_curve_name(ecparams);
- var eckey = EC_KEY_new_by_curve_name(nid);
- SSL_CTX_set_tmp_ecdh(state.sslCtx, eckey);
- EC_KEY_free(eckey);
- EC_GROUP_free(ecparams);
- }
- // Set callback for DH parameters
- SSL_CTX_set_tmp_dh_callback(state.sslCtx,
SSL_CTX_set_tmp_dh_callback$dh.allocate(new TmpDHCallback(), contextArena));
- } else {
- var ecparams =
PEM_ASN1_read_bio(d2i_ECPKParameters$SYMBOL(),
- PEM_STRING_ECPARAMETERS(), certificateBIO,
MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
- if (!MemorySegment.NULL.equals(ecparams)) {
- int curveNid = EC_GROUP_get_curve_name(ecparams);
- var curveNidAddress =
localArena.allocateFrom(ValueLayout.JAVA_INT, curveNid);
- if (SSL_CTX_set1_groups(state.sslCtx, curveNidAddress,
1) <= 0) {
- curveNid = 0;
+ if (!openssl_h_Compatibility.BORINGSSL) {
+ if (!openssl_h_Compatibility.OPENSSL3) {
+ var ecparams =
PEM_read_bio_ECPKParameters(certificateBIO, MemorySegment.NULL,
MemorySegment.NULL, MemorySegment.NULL);
+ if (!MemorySegment.NULL.equals(ecparams)) {
+ int nid = EC_GROUP_get_curve_name(ecparams);
+ var eckey = EC_KEY_new_by_curve_name(nid);
+ SSL_CTX_set_tmp_ecdh(state.sslCtx, eckey);
+ EC_KEY_free(eckey);
+ EC_GROUP_free(ecparams);
}
- if (log.isDebugEnabled()) {
- log.debug(sm.getString("openssl.setECDHCurve",
Integer.valueOf(curveNid),
- certificate.getCertificateFile()));
+ // Set callback for DH parameters
+ SSL_CTX_set_tmp_dh_callback(state.sslCtx,
SSL_CTX_set_tmp_dh_callback$dh.allocate(new TmpDHCallback(), contextArena));
+ } else {
+ var ecparams =
PEM_ASN1_read_bio(d2i_ECPKParameters$SYMBOL(),
+ PEM_STRING_ECPARAMETERS(), certificateBIO,
MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
+ if (!MemorySegment.NULL.equals(ecparams)) {
+ int curveNid = EC_GROUP_get_curve_name(ecparams);
+ var curveNidAddress =
localArena.allocateFrom(ValueLayout.JAVA_INT, curveNid);
+ if (SSL_CTX_set1_groups(state.sslCtx,
curveNidAddress, 1) <= 0) {
+ curveNid = 0;
+ }
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("openssl.setECDHCurve",
Integer.valueOf(curveNid),
+ certificate.getCertificateFile()));
+ }
+ EC_GROUP_free(ecparams);
}
- EC_GROUP_free(ecparams);
}
}
// Set certificate chain file
@@ -1212,7 +1214,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
logLastError("openssl.errorPrivateKeyCheck");
return false;
}
- if (!OPENSSL_3) {
+ if (!openssl_h_Compatibility.OPENSSL3) {
// Set callback for DH parameters
SSL_CTX_set_tmp_dh_callback(state.sslCtx,
SSL_CTX_set_tmp_dh_callback$dh.allocate(new
TmpDHCallback(), contextArena));
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 053d4747cf..cf768e19a5 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -53,7 +53,6 @@ import javax.net.ssl.SSLSessionBindingListener;
import javax.net.ssl.SSLSessionContext;
import static org.apache.tomcat.util.openssl.openssl_h.*;
-import static org.apache.tomcat.util.openssl.openssl_h_Compatibility.*;
import static org.apache.tomcat.util.openssl.openssl_h_Macros.*;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -192,7 +191,7 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
} else {
SSL_set_accept_state(ssl);
}
- SSL_set_verify_result(ssl, X509_V_OK());
+ openssl_h_Compatibility.SSL_set_verify_result(ssl, X509_V_OK());
try (var localArena = Arena.ofConfined()) {
var internalBIOPointer = localArena.allocate(ValueLayout.ADDRESS);
var networkBIOPointer = localArena.allocate(ValueLayout.ADDRESS);
@@ -838,7 +837,7 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
private byte[] getPeerCertificate() {
try (var localArena = Arena.ofConfined()) {
- MemorySegment/*(X509*)*/ x509 = (OpenSSLContext.OPENSSL_3 ?
SSL_get1_peer_certificate(state.ssl) : SSL_get_peer_certificate(state.ssl));
+ MemorySegment/*(X509*)*/ x509 =
openssl_h_Compatibility.SSL_get_peer_certificate(state.ssl);
MemorySegment bufPointer =
localArena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL);
int length = i2d_X509(x509, bufPointer);
if (length <= 0) {
@@ -1154,7 +1153,7 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
|| (errnum ==
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE());
if (verifyErrorIsOptional && (state.certificateVerifyMode ==
OpenSSLContext.OPTIONAL_NO_CA)) {
ok = 1;
- SSL_set_verify_result(state.ssl, X509_V_OK());
+ openssl_h_Compatibility.SSL_set_verify_result(state.ssl,
X509_V_OK());
}
/*
* Expired certificates vs. "expired" CRLs: by default, OpenSSL
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java
index 37f313e628..df90d84bcf 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java
@@ -182,12 +182,12 @@ public class OpenSSLLibrary {
initLibrary();
OpenSSLStatus.setVersion(OpenSSL_version_num());
+
// OpenSSL 3 onwards uses providers
- boolean isOpenSSL3 = (OpenSSL_version_num() >= 0x3000000fL);
// Setup engine
String engineName = "on".equalsIgnoreCase(SSLEngine) ? null :
SSLEngine;
- if (!isOpenSSL3 && engineName != null) {
+ if (!openssl_h_Compatibility.OPENSSL3 &&
!openssl_h_Compatibility.BORINGSSL && engineName != null) {
if ("auto".equals(engineName)) {
ENGINE_register_all_complete();
} else {
@@ -234,15 +234,15 @@ public class OpenSSLLibrary {
RAND_seed(memorySession.allocateFrom(ValueLayout.JAVA_BYTE, randomBytes), 128);
}
- if (!isOpenSSL3) {
+ if (!openssl_h_Compatibility.OPENSSL3 &&
!openssl_h_Compatibility.BORINGSSL) {
initDHParameters();
}
- if (isOpenSSL3 || !(null == FIPSMode ||
"off".equalsIgnoreCase(FIPSMode))) {
+ if (openssl_h_Compatibility.OPENSSL3 || !(null == FIPSMode ||
"off".equalsIgnoreCase(FIPSMode))) {
fipsModeActive = false;
final boolean enterFipsMode;
int fipsModeState = FIPS_OFF;
- if (isOpenSSL3) {
+ if (openssl_h_Compatibility.OPENSSL3) {
var md = EVP_MD_fetch(MemorySegment.NULL,
memorySession.allocateFrom("SHA-512"), MemorySegment.NULL);
var provider = EVP_MD_get0_provider(md);
String name =
OSSL_PROVIDER_get0_name(provider).getString(0);
@@ -265,13 +265,13 @@ public class OpenSSLLibrary {
enterFipsMode = false;
} else if ("on".equalsIgnoreCase(FIPSMode)) {
if (fipsModeState == FIPS_ON) {
- if (!isOpenSSL3) {
+ if (!openssl_h_Compatibility.OPENSSL3) {
log.info(sm.getString("openssllibrary.skipFIPSInitialization"));
}
fipsModeActive = true;
enterFipsMode = false;
} else {
- if (isOpenSSL3) {
+ if (openssl_h_Compatibility.OPENSSL3) {
throw new
IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault",
FIPSMode));
} else {
enterFipsMode = true;
@@ -282,7 +282,7 @@ public class OpenSSLLibrary {
fipsModeActive = true;
enterFipsMode = false;
} else {
- if (isOpenSSL3) {
+ if (openssl_h_Compatibility.OPENSSL3) {
throw new
IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault",
FIPSMode));
} else {
throw new
IllegalStateException(sm.getString("openssllibrary.requireNotInFIPSMode"));
@@ -290,13 +290,13 @@ public class OpenSSLLibrary {
}
} else if ("enter".equalsIgnoreCase(FIPSMode)) {
if (fipsModeState == FIPS_OFF) {
- if (isOpenSSL3) {
+ if (openssl_h_Compatibility.OPENSSL3) {
throw new
IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault",
FIPSMode));
} else {
enterFipsMode = true;
}
} else {
- if (isOpenSSL3) {
+ if (openssl_h_Compatibility.OPENSSL3) {
fipsModeActive = true;
enterFipsMode = false;
} else {
@@ -325,7 +325,7 @@ public class OpenSSLLibrary {
log.info(sm.getString("openssllibrary.initializeFIPSSuccess"));
}
- if (isOpenSSL3 && fipsModeActive) {
+ if (openssl_h_Compatibility.OPENSSL3 && fipsModeActive) {
log.info(sm.getString("aprListener.usingFIPSProvider"));
}
}
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
index 07513af8be..04578ceafd 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
@@ -21,15 +21,22 @@ import java.lang.invoke.MethodHandle;
import java.lang.foreign.*;
import static java.lang.foreign.ValueLayout.*;
import static org.apache.tomcat.util.openssl.openssl_h.OpenSSL_version;
+import static org.apache.tomcat.util.openssl.openssl_h.OpenSSL_version_num;
+import static
org.apache.tomcat.util.openssl.openssl_h.SSL_get1_peer_certificate;
/**
- * Methods used present in older OpenSSL versions but not in the current major
version.
+ * Methods used present in older OpenSSL versions but not in the current major
version or OpenSSL derivatives.
*/
public class openssl_h_Compatibility {
+ public static final boolean OPENSSL3;
+ public static final boolean BORINGSSL;
public static final boolean LIBRESSL;
static {
- LIBRESSL = OpenSSL_version(0).getString(0).contains("LibreSSL");
+ String versionString = OpenSSL_version(0).getString(0);
+ OPENSSL3 = versionString.contains("OpenSSL") && OpenSSL_version_num()
>= 0x3000000fL;
+ BORINGSSL = versionString.contains("BoringSSL");
+ LIBRESSL = versionString.contains("LibreSSL");
}
// OpenSSL 1.1 FIPS_mode
@@ -106,19 +113,23 @@ public class openssl_h_Compatibility {
// OpenSSL 1.1 SSL_get_peer_certificate
public static MemorySegment SSL_get_peer_certificate(MemorySegment s) {
- class Holder {
- static final String NAME = "SSL_get_peer_certificate";
- static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_POINTER, openssl_h.C_POINTER);
- static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
- }
- var mh$ = Holder.MH;
- try {
- if (openssl_h.TRACE_DOWNCALLS) {
- openssl_h.traceDowncall(Holder.NAME, s);
+ if (OPENSSL3) {
+ return SSL_get1_peer_certificate(s);
+ } else {
+ class Holder {
+ static final String NAME = "SSL_get_peer_certificate";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_POINTER, openssl_h.C_POINTER);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, s);
+ }
+ return (java.lang.foreign.MemorySegment) mh$.invokeExact(s);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
}
- return (java.lang.foreign.MemorySegment) mh$.invokeExact(s);
- } catch (Throwable ex$) {
- throw new AssertionError("should not reach here", ex$);
}
}
@@ -217,5 +228,11 @@ public class openssl_h_Compatibility {
}
}
-}
+ // BoringSSL removed SSL_set_verify_result which does not do anything in
OpenSSL
+ public static void SSL_set_verify_result(MemorySegment ssl, long v) {
+ if (!BORINGSSL) {
+ openssl_h.SSL_set_verify_result(ssl, v);
+ }
+ }
+}
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
b/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
index 9472c312b4..5c6101c7f4 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
@@ -17,7 +17,10 @@
package org.apache.tomcat.util.openssl;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
import java.lang.foreign.MemorySegment;
+import java.lang.invoke.MethodHandle;
import static org.apache.tomcat.util.openssl.openssl_h.*;
@@ -40,7 +43,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_set_max_proto_version(MemorySegment sslCtx,
long version) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_MAX_PROTO_VERSION(), version,
MemorySegment.NULL);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_set_max_proto_version";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_LONG);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, version);
+ }
+ return (long) mh$.invokeExact(sslCtx, version);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_MAX_PROTO_VERSION(),
version, MemorySegment.NULL);
+ }
}
@@ -56,7 +76,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_set_min_proto_version(MemorySegment sslCtx,
long version) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_MIN_PROTO_VERSION(), version,
MemorySegment.NULL);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_set_min_proto_version";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_LONG);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, version);
+ }
+ return (long) mh$.invokeExact(sslCtx, version);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_MIN_PROTO_VERSION(),
version, MemorySegment.NULL);
+ }
}
@@ -71,7 +108,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_sess_get_cache_size(MemorySegment sslCtx) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_GET_SESS_CACHE_SIZE(), 0,
MemorySegment.NULL);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_sess_get_cache_size";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx);
+ }
+ return (long) mh$.invokeExact(sslCtx);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_GET_SESS_CACHE_SIZE(), 0,
MemorySegment.NULL);
+ }
}
@@ -87,7 +141,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_sess_set_cache_size(MemorySegment sslCtx, long
cacheSize) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_SESS_CACHE_SIZE(), cacheSize,
MemorySegment.NULL);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_sess_set_cache_size";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_LONG);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, cacheSize);
+ }
+ return (long) mh$.invokeExact(sslCtx, cacheSize);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_SESS_CACHE_SIZE(),
cacheSize, MemorySegment.NULL);
+ }
}
@@ -102,7 +173,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_get_session_cache_mode(MemorySegment sslCtx) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_GET_SESS_CACHE_MODE(), 0,
MemorySegment.NULL);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_get_session_cache_mode";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx);
+ }
+ return (long) mh$.invokeExact(sslCtx);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_GET_SESS_CACHE_MODE(), 0,
MemorySegment.NULL);
+ }
}
@@ -118,7 +206,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_set_session_cache_mode(MemorySegment sslCtx,
long cacheMode) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_SESS_CACHE_MODE(), cacheMode,
MemorySegment.NULL);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_set_session_cache_mode";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER, openssl_h.C_LONG);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, cacheMode);
+ }
+ return (long) mh$.invokeExact(sslCtx, cacheMode);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_SESS_CACHE_MODE(),
cacheMode, MemorySegment.NULL);
+ }
}
@@ -134,7 +239,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_add0_chain_cert(MemorySegment sslCtx,
MemorySegment x509) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_CHAIN_CERT(), 0, x509);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_add0_chain_cert";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER,
openssl_h.C_POINTER);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, x509);
+ }
+ return (long) mh$.invokeExact(sslCtx, x509);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_CHAIN_CERT(), 0, x509);
+ }
}
@@ -151,7 +273,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_set_tlsext_ticket_keys(MemorySegment sslCtx,
MemorySegment keys, long keyLength) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TLSEXT_TICKET_KEYS(),
keyLength, keys);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_set_tlsext_ticket_keys";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER,
openssl_h.C_POINTER, openssl_h.C_LONG);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, keys,
keyLength);
+ }
+ return (long) mh$.invokeExact(sslCtx, keys, keyLength);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TLSEXT_TICKET_KEYS(),
keyLength, keys);
+ }
}
@@ -183,7 +322,11 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_set_tmp_dh(MemorySegment sslCtx, MemorySegment
dh) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TMP_DH(), 0, dh);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ return 1;
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TMP_DH(), 0, dh);
+ }
}
@@ -199,7 +342,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_set_tmp_ecdh(MemorySegment sslCtx,
MemorySegment ecdh) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TMP_ECDH(), 0, ecdh);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_set_tmp_ecdh";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER,
openssl_h.C_POINTER);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, ecdh);
+ }
+ return (long) mh$.invokeExact(sslCtx, ecdh);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_TMP_ECDH(), 0, ecdh);
+ }
}
@@ -243,7 +403,24 @@ public class openssl_h_Macros {
* @return > 0 if successful
*/
public static long SSL_CTX_set1_groups(MemorySegment sslCtx, MemorySegment
groupsList, int listLength) {
- return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_GROUPS(), listLength,
groupsList);
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_set1_groups";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER,
openssl_h.C_POINTER, openssl_h.C_INT);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, groupsList,
listLength);
+ }
+ return (long) mh$.invokeExact(sslCtx, groupsList, listLength);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_GROUPS(), listLength,
groupsList);
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index abb8096aab..3f5fcb2949 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -119,6 +119,10 @@
than the FFM library loading code) to configure the OpenSSL library
loading using FFM. (remm)
</update>
+ <update>
+ Add FFM compatibility methods for BoringSSL support. Renegotiation is
+ not supported in many cases. (remm)
+ </update>
</changelog>
</subsection>
</section>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
