This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 55152c4fb8 Code clean-up - formatting. No functional change.
55152c4fb8 is described below
commit 55152c4fb8ec19d0bf2d7c7c40bce59d51788962
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Aug 29 11:43:34 2025 +0100
Code clean-up - formatting. No functional change.
---
.../util/net/openssl/panama/OpenSSLContext.java | 51 ++++++++++----------
.../util/net/openssl/panama/OpenSSLEngine.java | 56 +++++++++++++++++++---
2 files changed, 76 insertions(+), 31 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 8e9cc2e33c..bb2f916567 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -439,11 +439,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
/**
* Set up the SSL_CTX.
*
- * @param kms Must contain a KeyManager of the type
- * {@code OpenSSLKeyManager}
- * @param tms Must contain a TrustManager of the type
- * {@code X509TrustManager}
- * @param sr Is not used for this implementation.
+ * @param kms Must contain a KeyManager of the type {@code
OpenSSLKeyManager}
+ * @param tms Must contain a TrustManager of the type {@code
X509TrustManager}
+ * @param sr Is not used for this implementation.
+ *
* @throws KeyManagementException if an error occurs
*/
@Override
@@ -485,15 +484,14 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
// List the ciphers that the client is permitted to negotiate
if (minTlsVersion <= TLS1_2_VERSION()) {
- if (SSL_CTX_set_cipher_list(state.sslCtx,
- localArena.allocateFrom(sslHostConfig.getCiphers()))
<= 0) {
+ if (SSL_CTX_set_cipher_list(state.sslCtx,
localArena.allocateFrom(sslHostConfig.getCiphers())) <= 0) {
log.warn(sm.getString("engine.failedCipherList",
sslHostConfig.getCiphers()));
}
}
// Check if the ciphers have been changed from the defaults
- if (maxTlsVersion >= TLS1_3_VERSION() &&
(sslHostConfig.getCiphers() != SSLHostConfig.DEFAULT_TLS_CIPHERS)) {
- if (SSL_CTX_set_ciphersuites(state.sslCtx,
- localArena.allocateFrom(sslHostConfig.getCiphers()))
<= 0) {
+ if (maxTlsVersion >= TLS1_3_VERSION() &&
+ (sslHostConfig.getCiphers() !=
SSLHostConfig.DEFAULT_TLS_CIPHERS)) {
+ if (SSL_CTX_set_ciphersuites(state.sslCtx,
localArena.allocateFrom(sslHostConfig.getCiphers())) <= 0) {
log.warn(sm.getString("engine.failedCipherSuite",
sslHostConfig.getCiphers()));
}
}
@@ -521,8 +519,8 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
if (tms != null) {
// Client certificate verification based on custom trust
managers
x509TrustManager = chooseTrustManager(tms);
- SSL_CTX_set_cert_verify_callback(state.sslCtx,
- SSL_CTX_set_cert_verify_callback$cb.allocate(new
CertVerifyCallback(x509TrustManager), contextArena), state.sslCtx);
+ SSL_CTX_set_cert_verify_callback(state.sslCtx,
SSL_CTX_set_cert_verify_callback$cb
+ .allocate(new CertVerifyCallback(x509TrustManager),
contextArena), state.sslCtx);
// Pass along the DER encoded certificates of the accepted
client
// certificate issuers, so that their subjects can be presented
@@ -542,13 +540,17 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
} else {
// Client certificate verification based on trusted CA files
and dirs
- MemorySegment caCertificateFileNative =
sslHostConfig.getCaCertificateFile() != null
- ?
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()))
: MemorySegment.NULL;
- MemorySegment caCertificatePathNative =
sslHostConfig.getCaCertificatePath() != null
- ?
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()))
: MemorySegment.NULL;
- if ((sslHostConfig.getCaCertificateFile() != null ||
sslHostConfig.getCaCertificatePath() != null)
- && SSL_CTX_load_verify_locations(state.sslCtx,
- caCertificateFileNative,
caCertificatePathNative) <= 0) {
+ MemorySegment caCertificateFileNative =
sslHostConfig.getCaCertificateFile() != null ?
+ localArena
+
.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()))
:
+ MemorySegment.NULL;
+ MemorySegment caCertificatePathNative =
sslHostConfig.getCaCertificatePath() != null ?
+ localArena
+
.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()))
:
+ MemorySegment.NULL;
+ if ((sslHostConfig.getCaCertificateFile() != null ||
sslHostConfig.getCaCertificatePath() != null) &&
+ SSL_CTX_load_verify_locations(state.sslCtx,
caCertificateFileNative,
+ caCertificatePathNative) <= 0) {
logLastError("openssl.errorConfiguringLocations");
} else {
var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
@@ -559,8 +561,8 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
} else {
// OpenSSL might crash here when passing null on some
platforms
- if (MemorySegment.NULL.equals(caCertificateFileNative)
- ||
(SSL_add_file_cert_subjects_to_stack(caCerts, caCertificateFileNative) <= 0)) {
+ if (MemorySegment.NULL.equals(caCertificateFileNative)
||
+ (SSL_add_file_cert_subjects_to_stack(caCerts,
caCertificateFileNative) <= 0)) {
caCerts = MemorySegment.NULL;
}
}
@@ -571,8 +573,8 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
if (negotiableProtocols != null && !negotiableProtocols.isEmpty())
{
- SSL_CTX_set_alpn_select_cb(state.sslCtx,
- SSL_CTX_set_alpn_select_cb$cb.allocate(new
ALPNSelectCallback(negotiableProtocols), contextArena), state.sslCtx);
+ SSL_CTX_set_alpn_select_cb(state.sslCtx,
SSL_CTX_set_alpn_select_cb$cb
+ .allocate(new ALPNSelectCallback(negotiableProtocols),
contextArena), state.sslCtx);
}
// Log any non fatal init errors
@@ -630,8 +632,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
if ((opts & SSL_OP_NO_SSLv3()) == 0) {
enabled.add(Constants.SSL_PROTO_SSLv3);
}
- sslHostConfig.setEnabledProtocols(
- enabled.toArray(new String[0]));
+ sslHostConfig.setEnabledProtocols(enabled.toArray(new
String[0]));
// Reconfigure the enabled ciphers
sslHostConfig.setEnabledCiphers(getCiphers(state.sslCtx));
}
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 6f8ef25a28..d8f7e48ca8 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -741,13 +741,56 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
@Override
public synchronized void setEnabledProtocols(String[] protocols) {
- if(initialized){return;}if(protocols==null){
- // This is correct from the API docs
- throw new IllegalArgumentException();}if(destroyed){return;}boolean
sslv2=false;boolean sslv3=false;boolean tlsv1=false;boolean
tlsv1_1=false;boolean tlsv1_2=false;boolean tlsv1_3=false;for(String
p:protocols){if(!IMPLEMENTED_PROTOCOLS_SET.contains(p)){throw new
IllegalArgumentException(sm.getString("engine.unsupportedProtocol",p));}switch(p){case
Constants.SSL_PROTO_SSLv2->sslv2=true;case
Constants.SSL_PROTO_SSLv3->sslv3=true;case
Constants.SSL_PROTO_TLSv1->tlsv1=true;case Const [...]
+ if (initialized) {
+ return;
+ }
+ if (protocols == null) {
+ // This is correct from the API docs
+ throw new IllegalArgumentException();
+ }
+ if (destroyed) {
+ return;
+ }
+ boolean sslv2 = false;
+ boolean sslv3 = false;
+ boolean tlsv1 = false;
+ boolean tlsv1_1 = false;
+ boolean tlsv1_2 = false;
+ boolean tlsv1_3 = false;
+ for (String p : protocols) {
+ if (!IMPLEMENTED_PROTOCOLS_SET.contains(p)) {
+ throw new
IllegalArgumentException(sm.getString("engine.unsupportedProtocol", p));
+ }
+ switch (p) {
+ case Constants.SSL_PROTO_SSLv2 -> sslv2 = true;
+ case Constants.SSL_PROTO_SSLv3 -> sslv3 = true;
+ case Constants.SSL_PROTO_TLSv1 -> tlsv1 = true;
+ case Constants.SSL_PROTO_TLSv1_1 -> tlsv1_1 = true;
+ case Constants.SSL_PROTO_TLSv1_2 -> tlsv1_2 = true;
+ case Constants.SSL_PROTO_TLSv1_3 -> tlsv1_3 = true;
+ }
+ }
// Enable all and then disable what we not want
- openssl_h_Compatibility.SSL_set_options(state.ssl,SSL_OP_ALL());
+ openssl_h_Compatibility.SSL_set_options(state.ssl, SSL_OP_ALL());
-
if(!sslv2){openssl_h_Compatibility.SSL_set_options(state.ssl,SSL_OP_NO_SSLv2());}if(!sslv3){openssl_h_Compatibility.SSL_set_options(state.ssl,SSL_OP_NO_SSLv3());}if(!tlsv1){openssl_h_Compatibility.SSL_set_options(state.ssl,SSL_OP_NO_TLSv1());}if(!tlsv1_1){openssl_h_Compatibility.SSL_set_options(state.ssl,SSL_OP_NO_TLSv1_1());}if(!tlsv1_2){openssl_h_Compatibility.SSL_set_options(state.ssl,SSL_OP_NO_TLSv1_2());}if(!tlsv1_3){openssl_h_Compatibility.SSL_set_options(state.ssl,SSL_OP_N
[...]
+ if (!sslv2) {
+ openssl_h_Compatibility.SSL_set_options(state.ssl,
SSL_OP_NO_SSLv2());
+ }
+ if (!sslv3) {
+ openssl_h_Compatibility.SSL_set_options(state.ssl,
SSL_OP_NO_SSLv3());
+ }
+ if (!tlsv1) {
+ openssl_h_Compatibility.SSL_set_options(state.ssl,
SSL_OP_NO_TLSv1());
+ }
+ if (!tlsv1_1) {
+ openssl_h_Compatibility.SSL_set_options(state.ssl,
SSL_OP_NO_TLSv1_1());
+ }
+ if (!tlsv1_2) {
+ openssl_h_Compatibility.SSL_set_options(state.ssl,
SSL_OP_NO_TLSv1_2());
+ }
+ if (!tlsv1_3) {
+ openssl_h_Compatibility.SSL_set_options(state.ssl,
SSL_OP_NO_TLSv1_3());
+ }
}
@Override
@@ -1031,7 +1074,8 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
state.certificateVerifyMode = switch (mode) {
case NONE -> SSL_VERIFY_NONE();
case REQUIRE -> SSL_VERIFY_FAIL_IF_NO_PEER_CERT();
- case OPTIONAL -> certificateVerificationOptionalNoCA ?
OpenSSLContext.OPTIONAL_NO_CA : SSL_VERIFY_PEER();
+ case OPTIONAL ->
+ certificateVerificationOptionalNoCA ?
OpenSSLContext.OPTIONAL_NO_CA : SSL_VERIFY_PEER();
};
// Set int verify_callback(int preverify_ok, X509_STORE_CTX
*x509_ctx) callback
int value = switch (mode) {