connector redirect

2015-06-18 Thread Romain Manni-Bucau
Hi guys,

when redirecting ports between connectors tomcat uses a 302 ATM, any reason
to not use a 307 (ie support POST redirect as well)?

Romain Manni-Bucau
@rmannibucau | Blog | Github | LinkedIn | Tomitriber



svn commit: r1686156 - in /tomcat/trunk: java/org/apache/coyote/http2/ test/org/apache/coyote/http2/

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 09:43:06 2015
New Revision: 1686156

URL: http://svn.apache.org/r1686156
Log:
Add unit tests for data frames with padding including support for simple POST 
requests.
Fix errors in parsing of padded data frames.
Make parser responsible for swallowing unwanted data rather than the code using 
the parser and rename output methods to make this clearer
More debug logging

Modified:
tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java
tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties
tomcat/trunk/test/org/apache/coyote/http2/Http2TestBase.java
tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java

Modified: tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java?rev=1686156&r1=1686155&r2=1686156&view=diff
==
--- tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java Thu Jun 18 
09:43:06 2015
@@ -86,7 +86,7 @@ class Http2Parser {
 try {
 validateFrame(expected, frameType, streamId, flags, payloadSize);
 } catch (StreamException se) {
-swallow(payloadSize);
+swallow(streamId, payloadSize);
 throw se;
 }
 
@@ -136,28 +136,47 @@ class Http2Parser {
 
 boolean endOfStream = Flags.isEndOfStream(flags);
 
+int dataLength;
 if (Flags.hasPadding(flags)) {
 byte[] b = new byte[1];
 input.fill(true, b);
 padLength = b[0] & 0xFF;
+// +1 is for the padding length byte we just read above
+dataLength = payloadSize - (padLength + 1);
+} else {
+dataLength = payloadSize;
 }
 
-ByteBuffer dest = output.getInputByteBuffer(streamId, payloadSize);
+if (log.isDebugEnabled()) {
+String padding;
+if (Flags.hasPadding(flags)) {
+padding = Integer.toString(padLength);
+} else {
+padding = "none";
+}
+log.debug(sm.getString("http2Parser.processFrameData.lengths", 
connectionId,
+Integer.toString(streamId), Integer.toString(dataLength), 
padding));
+}
+
+ByteBuffer dest = output.getInputByteBuffer(streamId, dataLength);
 if (dest == null) {
-swallow(payloadSize);
+swallow(streamId, dataLength);
 if (endOfStream) {
 output.receiveEndOfStream(streamId);
 }
 } else {
 synchronized (dest) {
-input.fill(true, dest, payloadSize);
+input.fill(true, dest, dataLength);
 if (endOfStream) {
 output.receiveEndOfStream(streamId);
 }
 dest.notifyAll();
 }
 }
-swallow(padLength);
+if (padLength > 0) {
+swallow(streamId, padLength);
+output.swallowedPadding(streamId, padLength);
+}
 }
 
 
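Review bot: the new `dataLength = payloadSize - (padLength + 1)` in processFrameData is never checked against the payload size, so a DATA frame whose Pad Length octet is equal to or larger than the payload length produces a negative `dataLength` that is then passed to `output.getInputByteBuffer(streamId, dataLength)` and `input.fill(true, dest, dataLength)`. RFC 7540 section 6.1 requires padding equal to or longer than the payload to be treated as a connection error of type PROTOCOL_ERROR, so add that check directly after `padLength = b[0] & 0xFF;` and throw the corresponding ConnectionException before any buffer is requested from the output.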
@@ -170,7 +189,7 @@ class Http2Parser {
 try {
 hpackDecoder.setHeaderEmitter(output.headersStart(streamId));
 } catch (StreamException se) {
-swallow(payloadSize);
+swallow(streamId, payloadSize);
 throw se;
 }
 
@@ -205,7 +224,7 @@ class Http2Parser {
 
 readHeaderBlock(payloadSize, endOfHeaders);
 
-swallow(padLength);
+swallow(streamId, padLength);
 
 if (endOfHeaders) {
 output.headersEnd(streamId);
@@ -386,11 +405,16 @@ class Http2Parser {
 
 private void readUnknownFrame(int streamId, FrameType frameType, int 
flags, int payloadSize)
 throws IOException {
-output.swallow(streamId, frameType, flags, payloadSize);
+swallow(streamId, payloadSize);
+output.swallowed(streamId, frameType, flags, payloadSize);
 }
 
 
-private void swallow(int len) throws IOException {
+private void swallow(int streamId, int len) throws IOException {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("http2Parser.swallow.debug", connectionId,
+Integer.toString(streamId), Integer.toString(len)));
+}
 if (len == 0) {
 return;
 }
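Review bot: in `swallow(int streamId, int len)` the debug message is emitted before the `len == 0` early return, so every zero-length call (for example the unconditional `swallow(streamId, padLength)` in the HEADERS path when there is no padding) logs a line about swallowing 0 bytes; move `if (len == 0) { return; }` above the logging block so the debug output only records bytes that were actually consumed.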
@@ -527,6 +551,7 @@ class Http2Parser {
 // Data frames
 ByteBuffer getInputByteBuffer(int streamId, int payloadSize) throws 
Http2Exception;
 void receiveEndOfStream(int streamId) throws ConnectionException;
+void swallowedPadding(int streamId, int paddingLength) throws 
ConnectionException, IOException;
 
 // Header frames
 HeaderEmitter headersStart(int streamId) throws Http2Exception;
@@ -554,6 

svn commit: r1686157 - in /tomcat/trunk/java/org/apache/coyote/http2: Http2UpgradeHandler.java LocalStrings.properties

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 09:45:43 2015
New Revision: 1686157

URL: http://svn.apache.org/r1686157
Log:
Remove unused code

Modified:
tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties

Modified: tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java?rev=1686157&r1=1686156&r2=1686157&view=diff
==
--- tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java 
(original)
+++ tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java Thu Jun 
18 09:45:43 2015
@@ -317,24 +317,6 @@ public class Http2UpgradeHandler extends
 }
 
 
-private void swallow(int len) throws IOException {
-if (len == 0) {
-return;
-}
-int read = 0;
-byte[] buffer = new byte[1024];
-while (read < len) {
-int toRead = Math.min(buffer.length, len - read);
-int thisTime = socketWrapper.read(true, buffer, 0, toRead);
-if (thisTime == -1) {
-throw new IOException(
-sm.getString("upgradeHandler.swallow.eos", 
Integer.valueOf(len)));
-}
-read += thisTime;
-}
-}
-
-
 ConnectionSettings getRemoteSettings() {
 return remoteSettings;
 }

Modified: tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties?rev=1686157&r1=1686156&r2=1686157&view=diff
==
--- tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties Thu Jun 
18 09:45:43 2015
@@ -82,7 +82,6 @@ upgradeHandler.stream.closed=Stream [{0}
 upgradeHandler.stream.even=A new remote stream ID of [{0}] was requested but 
all remote streams must use odd identifiers
 upgradeHandler.stream.old=A new remote stream ID of [{0}] was requested but 
the most recent stream was [{1}]
 upgradeHandler.tooManyRemoteStreams=The client attempted to use more than 
[{0}] active streams
-upgradeHandler.swallow.eos=End of stream found while trying to swallow [{0}] 
bytes
 upgradeHandler.unexpectedEos=Unexpected end of stream
 upgradeHandler.unexpectedStatus=An unexpected value of status ([{0}]) was 
passed to this method
 upgradeHandler.upgrade=Connection [{0}], HTTP/1.1 upgrade to stream [1]



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: connector redirect

2015-06-18 Thread Mark Thomas
On 18/06/2015 09:41, Romain Manni-Bucau wrote:
> Hi guys,
> 
> when redirecting ports between connectors tomcat uses a 302 ATM, any reason
> to not use a 307 (ie support POST redirect as well)?

Because the servlet spec says it has to be a 302.

https://java.net/jira/browse/SERVLET_SPEC-100

Additional support for that change welcome.

Mark





Re: connector redirect

2015-06-18 Thread Romain Manni-Bucau
Hmm, link between connectors is tomcat specific so I guess we could have a
flag to support all http methods and not rely on default sendRedirect


Romain Manni-Bucau
@rmannibucau | Blog | Github | LinkedIn | Tomitriber


2015-06-18 11:57 GMT+02:00 Mark Thomas :

> On 18/06/2015 09:41, Romain Manni-Bucau wrote:
> > Hi guys,
> >
> > when redirecting ports between connectors tomcat uses a 302 ATM, any
> reason
> > to not use a 307 (ie support POST redirect as well)?
>
> Because the servlet spec says it has to be a 302.
>
> https://java.net/jira/browse/SERVLET_SPEC-100
>
> Additional support for that change welcome.
>
> Mark
>


svn commit: r1686185 - in /tomcat/tc7.0.x/trunk/test/org/apache: catalina/startup/SimpleHttpClient.java coyote/http11/TestAbstractHttp11Processor.java

2015-06-18 Thread violetagg
Author: violetagg
Date: Thu Jun 18 11:15:08 2015
New Revision: 1686185

URL: http://svn.apache.org/r1686185
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57530
Reimplement TestAbstractHttp11Processor.testNon2xxResponseWithExpectation test 
using SimpleHttpClient instead of Java 6

Modified:
tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/SimpleHttpClient.java

tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java

Modified: 
tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/SimpleHttpClient.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/SimpleHttpClient.java?rev=1686185&r1=1686184&r2=1686185&view=diff
==
--- tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/SimpleHttpClient.java 
(original)
+++ tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/SimpleHttpClient.java 
Thu Jun 18 11:15:08 2015
@@ -50,6 +50,7 @@ public abstract class SimpleHttpClient {
 public static final String OK_200 = "HTTP/1.1 200";
 public static final String REDIRECT_302 = "HTTP/1.1 302";
 public static final String FAIL_400 = "HTTP/1.1 400";
+public static final String FORBIDDEN_403 = "HTTP/1.1 403";
 public static final String FAIL_404 = "HTTP/1.1 404";
 public static final String TIMEOUT_408 = "HTTP/1.1 408";
 public static final String FAIL_413 = "HTTP/1.1 413";
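Review bot: the name `FORBIDDEN_403` is inconsistent with the neighbouring constants (`FAIL_400`, `FAIL_404`, `FAIL_413`); either keep the existing `FAIL_` prefix (`FAIL_403`) or rename the others in the same change, otherwise callers of SimpleHttpClient have to remember two conventions for the same family of status-line constants.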
@@ -409,6 +410,10 @@ public abstract class SimpleHttpClient {
 return getResponseLine().startsWith(FAIL_400);
 }
 
+public boolean isResponse403() {
+return getResponseLine().startsWith(FORBIDDEN_403);
+}
+
 public boolean isResponse404() {
 return getResponseLine().startsWith(FAIL_404);
 }

Modified: 
tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java?rev=1686185&r1=1686184&r2=1686185&view=diff
==
--- 
tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
 (original)
+++ 
tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
 Thu Jun 18 11:15:08 2015
@@ -23,10 +23,8 @@ import java.io.PrintWriter;
 import java.io.Writer;
 import java.net.Socket;
 import java.nio.CharBuffer;
-import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
-import java.util.Locale;
 import java.util.Map;
 import java.util.concurrent.CountDownLatch;
 
@@ -623,27 +621,12 @@ public class TestAbstractHttp11Processor
 
 tomcat.start();
 
-byte[] requestBody = "HelloWorld".getBytes("UTF-8");
-Map> reqHeaders = null;
-if (useExpectation) {
-reqHeaders = new HashMap>();
-List expectation = new ArrayList();
-expectation.add("100-continue");
-reqHeaders.put("Expect", expectation);
-}
-ByteChunk responseBody = new ByteChunk();
-Map> responseHeaders = new 
HashMap>();
-int rc = postUrl(requestBody, "http://localhost:"; + getPort() + 
"/echo",
-responseBody, reqHeaders, responseHeaders);
-
-Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, rc);
-List connectionHeaders = responseHeaders.get("Connection");
-if (useExpectation) {
-Assert.assertEquals(1, connectionHeaders.size());
-Assert.assertEquals("close", 
connectionHeaders.get(0).toLowerCase(Locale.ENGLISH));
-} else {
-Assert.assertNull(connectionHeaders);
-}
+Non2xxResponseClient client = new Non2xxResponseClient(useExpectation);
+client.setPort(getPort());
+client.doResourceRequest("GET http://localhost:"; + getPort()
++ "/echo HTTP/1.1", "HelloWorld");
+Assert.assertTrue(client.isResponse403());
+Assert.assertTrue(client.checkConnectionHeader());
 }
 
 
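Review bot: the rewritten test changes the request method under test. The removed code issued a POST through `postUrl(requestBody, ...)`, whereas `client.doResourceRequest("GET ... /echo HTTP/1.1", "HelloWorld")` now sends a GET that carries a body and, optionally, `Expect: 100-continue`. If the point of `testNon2xxResponseWithExpectation` is the server's handling of a non-2xx response to a request with an expectation and a request entity, keep it a POST so the same server-side path is exercised; if the change is deliberate, say so in the test's Javadoc.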
@@ -856,4 +839,64 @@ public class TestAbstractHttp11Processor
 return true;
 }
 }
+
+private static class Non2xxResponseClient extends SimpleHttpClient {
+private static final String HEADER_EXPECT = "Expect: 100-continue";
+private static final String HEADER_CONNECTION = "Connection: close";
+private boolean useExpectation;
+
+Non2xxResponseClient(boolean useExpectation) {
+this.useExpectation = useExpectation;
+}
+
+void doResourceRequest(String resourceUri, String requestBody)
+throws Exception {
+StringBuilder requestHead = new StringBuilder();
+requestHead.append(resourceUri).append(CRLF);
+
+if (useExpectation) {
+requestHead.append(HEADER_EXPECT).append(CRLF);
+}
+
+requestHead.append(CRLF);
+  
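Review bot: `useExpectation` in `Non2xxResponseClient` is assigned only in the constructor and should be `final`. In `doResourceRequest`, the request head is terminated with `CRLF` right after the optional `Expect` header, so in the visible part of the method no `Host` or `Content-Length` header is written even though a `requestBody` is passed in; make sure the body is framed before it is sent (or document that leaving it unframed is intentional), since with HTTP/1.1 an unframed body is parsed by the server as the start of a second request.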

[Bug 57530] Reimplement TestAbstractHttp11Processor.testNon2xxResponseWithExpectation test using SimpleHttpClient instead of Java 6

2015-06-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57530

Violeta Georgieva  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #7 from Violeta Georgieva  ---
Fix is available in Tomcat 7 trunk

-- 
You are receiving this mail because:
You are the assignee for the bug.




Re: [GitHub] tomcat-native pull request: Port Netty-tc-native code to tomcat-na...

2015-06-18 Thread jean-frederic clere

I am going to merge it today and fix in svn what will be broken after.

Cheers

Jean-Frederic




Re: [GitHub] tomcat-native pull request: Port Netty-tc-native code to tomcat-na...

2015-06-18 Thread Mark Thomas
On 18 June 2015 13:12:52 BST, jean-frederic clere  wrote:
>I am going to merge it today and fix in svn what will be broken after.
>
>Cheers
>
>Jean-Frederic

+1. This is trunk and I have the builds I need for testing alpn so breaking 
trunk for a few days should be fine. 

Mark

svn commit: r1686209 - in /tomcat/trunk/java/org/apache/catalina/startup: ConnectorCreateRule.java LocalStrings.properties

2015-06-18 Thread remm
Author: remm
Date: Thu Jun 18 12:57:13 2015
New Revision: 1686209

URL: http://svn.apache.org/r1686209
Log:
Make sslImplementationName a special attribute (like protocol) so that it is 
set before any other and can be used to validate.

Modified:
tomcat/trunk/java/org/apache/catalina/startup/ConnectorCreateRule.java
tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties

Modified: tomcat/trunk/java/org/apache/catalina/startup/ConnectorCreateRule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/ConnectorCreateRule.java?rev=1686209&r1=1686208&r2=1686209&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/startup/ConnectorCreateRule.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/startup/ConnectorCreateRule.java Thu 
Jun 18 12:57:13 2015
@@ -28,6 +28,7 @@ import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.IntrospectionUtils;
 import org.apache.tomcat.util.digester.Rule;
+import org.apache.tomcat.util.res.StringManager;
 import org.xml.sax.Attributes;
 
 
@@ -38,6 +39,7 @@ import org.xml.sax.Attributes;
 public class ConnectorCreateRule extends Rule {
 
 private static final Log log = 
LogFactory.getLog(ConnectorCreateRule.class);
+protected static final StringManager sm = 
StringManager.getManager(ConnectorCreateRule.class);
 // - Public Methods
 
 
@@ -60,20 +62,33 @@ public class ConnectorCreateRule extends
 ex = svc.getExecutor(attributes.getValue("executor"));
 }
 Connector con = new Connector(attributes.getValue("protocol"));
-if ( ex != null )  _setExecutor(con,ex);
-
+if (ex != null) {
+setExecutor(con, ex);
+}
+String sslImplementationName = 
attributes.getValue("sslImplementationName");
+if (sslImplementationName != null) {
+setSSLImplementationName(con, sslImplementationName);
+}
 digester.push(con);
 }
 
-public void _setExecutor(Connector con, Executor ex) throws Exception {
+private static void setExecutor(Connector con, Executor ex) throws 
Exception {
 Method m = 
IntrospectionUtils.findMethod(con.getProtocolHandler().getClass(),"setExecutor",new
 Class[] {java.util.concurrent.Executor.class});
 if (m!=null) {
 m.invoke(con.getProtocolHandler(), new Object[] {ex});
 }else {
-log.warn("Connector ["+con+"] does not support external executors. 
Method setExecutor(java.util.concurrent.Executor) not found.");
+log.warn(sm.getString("connector.noSetExecutor", con));
 }
 }
 
+private static void setSSLImplementationName(Connector con, String 
sslImplementationName) throws Exception {
+Method m = 
IntrospectionUtils.findMethod(con.getProtocolHandler().getClass(),"setSslImplementationName",new
 Class[] {String.class});
+if (m != null) {
+m.invoke(con.getProtocolHandler(), new Object[] 
{sslImplementationName});
+} else {
+log.warn(sm.getString("connector.noSetSSLImplementationName", 
con));
+}
+}
 
 /**
  * Process the end of this element.
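Review bot: `setSSLImplementationName` only logs a warning when the protocol handler has no `setSslImplementationName(String)` method, so a connector configured with an `sslImplementationName` the handler cannot accept silently starts with the default SSL implementation. Given the stated goal of setting this attribute first so it can be used for validation, consider surfacing the mismatch as a configuration error (throw, or at least `log.error`) instead of a warning; the executor branch has the same silent fallback. Note also that `_setExecutor` was public and is now `private static setExecutor`, a visible API change on the rule class even if no external callers are expected.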

Modified: tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties?rev=1686209&r1=1686208&r2=1686209&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties 
(original)
+++ tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties Thu 
Jun 18 12:57:13 2015
@@ -137,3 +137,7 @@ versionLoggerListener.arg
 versionLoggerListener.env  =Environment variable:  {0} = 
{1}
 versionLoggerListener.prop =System property:   {0} = 
{1}
 webAnnotationSet.invalidInjection=Invalid method resource injection annotation.
+
+connector.noSetExecutor=Connector [{0}] does not support external executors. 
Method setExecutor(java.util.concurrent.Executor) not found.
+connector.noSetSSLImplementationName=Connector [{0}] does not support changing 
the SSL implementation. Method setSslImplementationName(String) not found.
+ 
\ No newline at end of file
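Review bot: the two new keys are appended after `webAnnotationSet.invalidInjection` although the surrounding entries are kept in alphabetical order, so `connector.noSetExecutor` and `connector.noSetSSLImplementationName` belong near the top of the file; the hunk also adds a whitespace-only last line (`+ `) and leaves the file without a trailing newline, both of which will show up as noise in later diffs.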






[Bug 58031] Posting data exceeding maxPostSize should result in HTTP 413.

2015-06-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58031

--- Comment #9 from Christopher Schultz  ---
I'd prefer being able to set the response code using an init-param. If we want
to keep the current behavior and add on to it, it seems we need a second
attribute to indicate the second condition. In either case, I think it would be
nice for the user to be able to customize the HTTP response code.

[I don't like returning 413 (Entity Too Large) for "too many request
parameters" unless it's actually a POST with a request entity.]





Re: connector redirect

2015-06-18 Thread Christopher Schultz
Mark,

On 6/18/15 5:57 AM, Mark Thomas wrote:
> On 18/06/2015 09:41, Romain Manni-Bucau wrote:
>> Hi guys,
>>
>> when redirecting ports between connectors tomcat uses a 302 ATM, any reason
>> to not use a 307 (ie support POST redirect as well)?
> 
> Because the servlet spec says it has to be a 302.
> 
> https://java.net/jira/browse/SERVLET_SPEC-100
> 
> Additional support for that change welcome.

Voted

-chris





svn commit: r1686252 - in /tomcat/native/trunk/native: include/ssl_private.h src/ssl.c src/sslutils.c

2015-06-18 Thread jfclere
Author: jfclere
Date: Thu Jun 18 15:49:12 2015
New Revision: 1686252

URL: http://svn.apache.org/r1686252
Log:
Add netty-tc-native ssl.c modifications.

Modified:
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/ssl.c
tomcat/native/trunk/native/src/sslutils.c

Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1686252&r1=1686251&r2=1686252&view=diff
==
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Thu Jun 18 15:49:12 2015
@@ -292,9 +292,13 @@ typedef struct {
 /*
  *  Additional Functions
  */
-voidSSL_init_app_data2_idx(void);
+voidSSL_init_app_data2_3_idx(void);
+/* The app_data2 is used to store the tcn_ssl_ctxt_t pointer for the SSL 
instance. */ 
 void   *SSL_get_app_data2(SSL *);
 voidSSL_set_app_data2(SSL *, void *);
+/* The app_data3 is used to store the handshakeCount pointer for the SSL 
instance. */
+void   *SSL_get_app_data3(SSL *);
+voidSSL_set_app_data3(SSL *, void *);
 int SSL_password_prompt(tcn_pass_cb_t *);
 int SSL_password_callback(char *, int, int, void *);
 voidSSL_BIO_close(BIO *);
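Review bot: `SSL_get_app_data3(SSL *)` takes a non-const pointer, but its natural caller is an OpenSSL info callback, which receives a `const SSL *`; declare it as `void *SSL_get_app_data3(const SSL *)` to avoid a discarded-qualifier warning at the call site (r1686257 further down makes exactly that change). There is also trailing whitespace after the closing `*/` of the app_data2 comment.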

Modified: tomcat/native/trunk/native/src/ssl.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1686252&r1=1686251&r2=1686252&view=diff
==
--- tomcat/native/trunk/native/src/ssl.c (original)
+++ tomcat/native/trunk/native/src/ssl.c Thu Jun 18 15:49:12 2015
@@ -33,6 +33,10 @@ tcn_pass_cb_t tcn_password_callback;
 /* Global reference to the pool used by the dynamic mutexes */
 static apr_pool_t *dynlockpool = NULL;
 
+/* From netty-tcnative */
+static jclass byteArrayClass;
+static jclass stringClass;
+
 /* Dynamic lock structure */
 struct CRYPTO_dynlock_value {
 apr_pool_t *pool;
@@ -637,6 +641,10 @@ static int ssl_rand_make(const char *fil
 
 TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
 {
+int r = 0;
+jclass clazz;
+jclass sClazz;
+
 TCN_ALLOC_CSTRING(engine);
 
 UNREFERENCED(o);
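Review bot: `int r = 0;` is declared at the top of `SSL_initialize` but is not used in any hunk of this revision, which will produce an unused-variable warning; drop it unless a later hunk of this file makes use of it.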
@@ -709,8 +717,8 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize
  * low entropy seed.
  */
 SSL_rand_seed(NULL);
-/* For SSL_get_app_data2() at request time */
-SSL_init_app_data2_idx();
+/* For SSL_get_app_data2() and SSL_get_app_data3() at request time */
+SSL_init_app_data2_3_idx();
 
 init_dh_params();
 
@@ -721,6 +729,15 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize
   ssl_init_cleanup,
   apr_pool_cleanup_null);
 TCN_FREE_CSTRING(engine);
+
+/* Cache the byte[].class for performance reasons */
+clazz = (*e)->FindClass(e, "[B");
+byteArrayClass = (jclass) (*e)->NewGlobalRef(e, clazz);
+
+/* Cache the String.class for performance reasons */
+sClazz = (*e)->FindClass(e, "java/lang/String");
+stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
+
 return (jint)APR_SUCCESS;
 }
 
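Review bot: the results of `(*e)->FindClass(e, "[B")` and `(*e)->FindClass(e, "java/lang/String")` are passed straight to `NewGlobalRef` without a NULL check. `FindClass` returns NULL and leaves a pending exception when the class cannot be loaded, and `NewGlobalRef` on NULL yields a NULL global reference that every later user of `byteArrayClass` and `stringClass` would dereference; check each result (and `ExceptionCheck`) before taking the global reference, and make sure both global references are released in the matching cleanup path.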
@@ -887,7 +904,7 @@ static int jbs_free(BIO *bi)
 
 static int jbs_write(BIO *b, const char *in, int inl)
 {
-jint ret = 0;
+jint ret = -1;
 if (b->init && in != NULL) {
 BIO_JAVA *j = (BIO_JAVA *)b->ptr;
 JNIEnv   *e = NULL;
@@ -895,6 +912,7 @@ static int jbs_write(BIO *b, const char
 tcn_get_java_env(&e);
 jb = (*e)->NewByteArray(e, inl);
 if (!(*e)->ExceptionOccurred(e)) {
+BIO_clear_retry_flags(b);
 (*e)->SetByteArrayRegion(e, jb, 0, inl, (jbyte *)in);
 ret = (*e)->CallIntMethod(e, j->cb.obj,
   j->cb.mid[0], jb);
@@ -902,6 +920,11 @@ static int jbs_write(BIO *b, const char
 (*e)->DeleteLocalRef(e, jb);
 }
 }
+/* From netty-tc-native, in the AF we were returning 0 */
+if (ret == 0) {
+BIO_set_retry_write(b);
+ret = -1;
+}
 return ret;
 }
 
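Review bot: the comment `/* From netty-tc-native, in the AF we were returning 0 */` does not explain the change; state the actual contract instead (a Java write callback returning 0 means "would block", so the BIO must set the retry-write flag and return -1 rather than report a zero-byte write, which OpenSSL would treat as a failure). Note as well that when the callback throws, `ret` keeps its new initial value of -1 with the retry flags cleared, so the exception path is reported as a hard error; that looks intended but deserves a comment of its own.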
@@ -915,12 +938,16 @@ static int jbs_read(BIO *b, char *out, i
 tcn_get_java_env(&e);
 jb = (*e)->NewByteArray(e, outl);
 if (!(*e)->ExceptionOccurred(e)) {
+BIO_clear_retry_flags(b);
 ret = (*e)->CallIntMethod(e, j->cb.obj,
   j->cb.mid[1], jb);
 if (ret > 0) {
 jbyte *jout = (*e)->GetPrimitiveArrayCritical(e, jb, NULL);
 memcpy(out, jout, ret);
 (*e)->ReleasePrimitiveArrayCritical(e, jb, jout, 0);
+} else if (outl != 0) {
+ret = -1;
+BIO_set_retry_read(b);
 }
 (*e)->DeleteLocalRef(e, jb);
 }
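Review bot: the new `else if (outl != 0)` branch turns every non-positive return from the Java read callback into a retryable read (`ret = -1; BIO_set_retry_read(b)`), including a negative value the Java side may use to signal EOF or an error. If the callback can return -1 for end of stream, distinguish that case (return 0 with the retry flags left clear) from "no data yet", otherwise OpenSSL will keep retrying a closed stream.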
@@ -968,7 +995,16 @@ static int jbs_gets(BIO *b, char *out, i
 
 static long jbs_ctrl(BIO *b, int cmd, long num, void *ptr

svn commit: r1686255 - /tomcat/native/trunk/native/src/ssl.c

2015-06-18 Thread jfclere
Author: jfclere
Date: Thu Jun 18 15:51:04 2015
New Revision: 1686255

URL: http://svn.apache.org/r1686255
Log:
 Add empty stubs from netty-tcnative. 

Modified:
tomcat/native/trunk/native/src/ssl.c

Modified: tomcat/native/trunk/native/src/ssl.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1686255&r1=1686254&r2=1686255&view=diff
==
--- tomcat/native/trunk/native/src/ssl.c (original)
+++ tomcat/native/trunk/native/src/ssl.c Thu Jun 18 15:51:04 2015
@@ -1241,4 +1241,248 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)
 UNREFERENCED(op);
 return JNI_FALSE;
 }
+
+/*** Begin Twitter 1:1 API addition ***/
+TCN_IMPLEMENT_CALL(jint, SSL, getLastErrorNumber)(TCN_STDARGS) {
+  UNREFERENCED(o);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSL, newSSL)(TCN_STDARGS, jlong ssl_ctx) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl_ctx);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(void, SSL, setBIO)(TCN_STDARGS, jlong ssl, jlong rbio, 
jlong wbio) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  UNREFERENCED(rbio);
+  UNREFERENCED(wbio);
+  tcn_ThrowException(e, "Not implemented");
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, pendingWrittenBytesInBIO)(TCN_STDARGS, jlong 
bio) {
+  UNREFERENCED(o);
+  UNREFERENCED(bio);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, pendingReadableBytesInSSL)(TCN_STDARGS, jlong 
ssl) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, writeToBIO)(TCN_STDARGS, jlong bio, jlong wbuf, 
jint wlen) {
+  UNREFERENCED(o);
+  UNREFERENCED(bio);
+  UNREFERENCED(wbuf);
+  UNREFERENCED(wlen);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, readFromBIO)(TCN_STDARGS, jlong bio, jlong rbuf, 
jint rlen) {
+  UNREFERENCED(o);
+  UNREFERENCED(bio);
+  UNREFERENCED(rbuf);
+  UNREFERENCED(rlen);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, writeToSSL)(TCN_STDARGS, jlong ssl, jlong wbuf, 
jint wlen) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  UNREFERENCED(wbuf);
+  UNREFERENCED(wlen);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, readFromSSL)(TCN_STDARGS, jlong ssl, jlong rbuf, 
jint rlen) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  UNREFERENCED(rbuf);
+  UNREFERENCED(rlen);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, getShutdown)(TCN_STDARGS, jlong ssl) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(void, SSL, setShutdown)(TCN_STDARGS, jlong ssl, jint mode) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  UNREFERENCED(mode);
+  tcn_ThrowException(e, "Not implemented");
+}
+
+TCN_IMPLEMENT_CALL(void, SSL, freeSSL)(TCN_STDARGS, jlong ssl) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSL, makeNetworkBIO)(TCN_STDARGS, jlong ssl) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(void, SSL, freeBIO)(TCN_STDARGS, jlong bio) {
+  UNREFERENCED(o);
+  UNREFERENCED(bio);
+  tcn_ThrowException(e, "Not implemented");
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, shutdownSSL)(TCN_STDARGS, jlong ssl) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(jstring, SSL, getCipherForSSL)(TCN_STDARGS, jlong ssl) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+  return NULL;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, isInInit)(TCN_STDARGS, jlong ssl) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+  return 0;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, doHandshake)(TCN_STDARGS, jlong ssl) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+}
+
+TCN_IMPLEMENT_CALL(jstring, SSL, getNextProtoNegotiated)(TCN_STDARGS, jlong 
ssl) {
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+  return NULL;
+}
+
+/*** End Twitter 1:1 API addition ***/
+
+/*** Begin Apple 1:1 API addition ***/
+
+TCN_IMPLEMENT_CALL(jstring, SSL, getAlpnSelected)(TCN_STDARGS, jlong ssl) {
+UNREFERENCED(o);
+UNREFERENCED(ssl);
+tcn_ThrowException(e, "Not implemented");
+return NULL;
+}
+
+TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS, jlong ssl)
+{
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowException(e, "Not implemented");
+  return NULL;
+}
+
+TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS, jlong ssl)
+{
+  UNREFERENCED(o);
+  UNREFERENCED(ssl);
+  tcn_ThrowExcep
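Review bot: `TCN_IMPLEMENT_CALL(jint, SSL, doHandshake)` is declared to return `jint` but has no `return` statement after `tcn_ThrowException`, which is undefined behaviour for a non-void function and will warn; add `return 0;` as the other stubs do. Indentation also mixes two spaces (most stubs) and four spaces (`getAlpnSelected`) within the same block; use the style of the surrounding file throughout.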

svn commit: r1686257 - in /tomcat/native/trunk/native: include/ssl_private.h src/ssl.c src/sslutils.c

2015-06-18 Thread jfclere
Author: jfclere
Date: Thu Jun 18 15:53:35 2015
New Revision: 1686257

URL: http://svn.apache.org/r1686257
Log:
Add more Twitter and Apple code and fix warnings. 

Modified:
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/ssl.c
tomcat/native/trunk/native/src/sslutils.c

Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1686257&r1=1686256&r2=1686257&view=diff
==
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Thu Jun 18 15:53:35 2015
@@ -297,7 +297,7 @@ voidSSL_init_app_data2_3_idx(voi
 void   *SSL_get_app_data2(SSL *);
 voidSSL_set_app_data2(SSL *, void *);
 /* The app_data3 is used to store the handshakeCount pointer for the SSL 
instance. */
-void   *SSL_get_app_data3(SSL *);
+void   *SSL_get_app_data3(const SSL *);
 voidSSL_set_app_data3(SSL *, void *);
 int SSL_password_prompt(tcn_pass_cb_t *);
 int SSL_password_callback(char *, int, int, void *);

Modified: tomcat/native/trunk/native/src/ssl.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/ssl.c?rev=1686257&r1=1686256&r2=1686257&view=diff
==
--- tomcat/native/trunk/native/src/ssl.c (original)
+++ tomcat/native/trunk/native/src/ssl.c Thu Jun 18 15:53:35 2015
@@ -1115,6 +1115,610 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, hasOp)
 return op == (op & supported_ssl_opts) ? JNI_TRUE : JNI_FALSE;
 }
 
+/*** Begin Twitter 1:1 API addition ***/
+TCN_IMPLEMENT_CALL(jint, SSL, getLastErrorNumber)(TCN_STDARGS) {
+UNREFERENCED_STDARGS;
+return ERR_get_error();
+}
+
+static void ssl_info_callback(const SSL *ssl, int where, int ret) {
+int *handshakeCount = NULL;
+if (0 != (where & SSL_CB_HANDSHAKE_START)) {
+handshakeCount = (int*) SSL_get_app_data3(ssl);
+if (handshakeCount != NULL) {
+++(*handshakeCount);
+}
+}
+}
+
+TCN_IMPLEMENT_CALL(jlong /* SSL * */, SSL, newSSL)(TCN_STDARGS,
+   jlong ctx /* tcn_ssl_ctxt_t 
* */,
+   jboolean server) {
+tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
+int *handshakeCount = malloc(sizeof(int));
+SSL *ssl;
+
+UNREFERENCED_STDARGS;
+
+TCN_ASSERT(ctx != 0);
+ssl = SSL_new(c->ctx);
+if (ssl == NULL) {
+tcn_ThrowException(e, "cannot create new ssl");
+return 0;
+}
+
+/* Store the handshakeCount in the SSL instance. */
+*handshakeCount = 0;
+SSL_set_app_data3(ssl, handshakeCount);
+
+/* Add callback to keep track of handshakes. */
+SSL_CTX_set_info_callback(c->ctx, ssl_info_callback);
+
+if (server) {
+SSL_set_accept_state(ssl);
+} else {
+SSL_set_connect_state(ssl);
+}
+
+/* Setup verify and seed */
+SSL_set_verify_result(ssl, X509_V_OK);
+SSL_rand_seed(c->rand_file);
+
+/* Store for later usage in SSL_callback_SSL_verify */
+SSL_set_app_data2(ssl, c);
+return P2J(ssl);
+}
+
+TCN_IMPLEMENT_CALL(void, SSL, setBIO)(TCN_STDARGS,
+  jlong ssl /* SSL * */,
+  jlong rbio /* BIO * */,
+  jlong wbio /* BIO * */) {
+UNREFERENCED_STDARGS;
+SSL_set_bio(J2P(ssl, SSL *), J2P(rbio, BIO *), J2P(wbio, BIO *));
+return;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSL, getError)(TCN_STDARGS,
+   jlong ssl /* SSL * */,
+   jint ret) {
+UNREFERENCED_STDARGS;
+return SSL_get_error(J2P(ssl, SSL*), ret);
+}
+
+/* How much did SSL write into this BIO? */
+TCN_IMPLEMENT_CALL(jint /* nbytes */, SSL, 
pendingWrittenBytesInBIO)(TCN_STDARGS,
+ jlong bio 
/* BIO * */) {
+UNREFERENCED_STDARGS;
+
+return BIO_ctrl_pending(J2P(bio, BIO *));
+}
+
+/* How much is available for reading in the given SSL struct? */
+TCN_IMPLEMENT_CALL(jint, SSL, pendingReadableBytesInSSL)(TCN_STDARGS, jlong 
ssl /* SSL * */) {
+UNREFERENCED_STDARGS;
+
+return SSL_pending(J2P(ssl, SSL *));
+}
+
+/* Write wlen bytes from wbuf into bio */
+TCN_IMPLEMENT_CALL(jint /* status */, SSL, writeToBIO)(TCN_STDARGS,
+   jlong bio /* BIO * */,
+   jlong wbuf /* char* */,
+   jint wlen /* 
sizeof(wbuf) */) {
+UNREFERENCED_STDARGS;
+
+return BIO_write(J2P(bio, BIO *), J2P(wbuf, void *), wlen);
+
+}
+
+/* Read up to rlen bytes from bio into rbuf */
+TCN_IMPLEMENT_CALL(jint /* status */, 
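Review bot: newSSL never checks the result of `malloc(sizeof(int))` for handshakeCount, so an allocation failure becomes a NULL write at `*handshakeCount = 0;`, and on the `ssl == NULL` error path the block is leaked because the function returns before anything frees it; check the allocation and free it on that path (the matching release in freeSSL is not part of this hunk, so confirm it exists there). `SSL_CTX_set_info_callback(c->ctx, ssl_info_callback)` is also executed on every newSSL call, which re-registers a context-wide callback per connection and silently replaces whatever info callback the shared context already had; register it once when the context is built, or use SSL_set_info_callback on the new SSL object so the counter is scoped to that connection. Finally, `SSL_set_verify_result(ssl, X509_V_OK)` before any handshake preloads a success result, so a caller that consults SSL_get_verify_result without a completed verification sees OK; a comment explaining why that default is safe alongside SSL_callback_SSL_verify would help the next reader.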

svn commit: r1686258 - in /tomcat/native/trunk/native: include/ssl_private.h src/sslcontext.c src/sslutils.c

2015-06-18 Thread jfclere
Author: jfclere
Date: Thu Jun 18 15:55:06 2015
New Revision: 1686258

URL: http://svn.apache.org/r1686258
Log:
Add netty-tcnative methods to sslcontext.c 

Modified:
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/sslcontext.c
tomcat/native/trunk/native/src/sslutils.c

Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1686258&r1=1686257&r2=1686258&view=diff
==
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Thu Jun 18 15:55:06 2015
@@ -203,6 +203,9 @@
 
 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
 
+#define MAX_ALPN_NPN_PROTO_SIZE 65535
+#define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL1
+
 typedef struct {
 /* client can have any number of cert/key pairs */
 const char  *cert_file;
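Review bot: MAX_ALPN_NPN_PROTO_SIZE at 65535 bounds the whole ALPN/NPN protocol list (a 16-bit length on the wire), but each individual protocol name carries an 8-bit length, so a single name longer than 255 bytes cannot be encoded; wherever alpn_proto_data and next_proto_data are assembled, check each name against 255 as well as the total against this constant, and reject rather than truncate. The second define is missing whitespace between the macro name and its value of 1; keep the two definitions aligned like the surrounding ones.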
@@ -259,6 +262,20 @@ struct tcn_ssl_ctxt_t {
  */
 char*alpn;
 int alpnlen;
+/* Add from netty-tcnative */
+/* certificate verifier callback */
+jobject verifier;
+jmethodID verifier_method;
+
+unsigned char   *next_proto_data;
+unsigned intnext_proto_len;
+int next_selector_failure_behavior;
+
+/* Holds the alpn protocols, each of them prefixed with the len of the 
protocol */
+unsigned char   *alpn_proto_data;
+unsigned intalpn_proto_len;
+int alpn_selector_failure_behavior;
+/* End add from netty-tcnative */
 };
 
   
@@ -313,5 +330,9 @@ voidSSL_callback_handshake(const
 int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
 int SSL_callback_SSL_verify(int, X509_STORE_CTX *);
 int SSL_rand_seed(const char *file);
+int SSL_callback_next_protos(SSL *, const unsigned char **, unsigned 
int *, void *);
+int SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned 
char *, const unsigned char *, unsigned int,void *);
+int SSL_callback_alpn_select_proto(SSL *, const unsigned char **, 
unsigned char *, const unsigned char *, unsigned int, void *);
+
 
 #endif /* SSL_PRIVATE_H */

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1686258&r1=1686257&r2=1686258&view=diff
==
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Thu Jun 18 15:55:06 2015
@@ -26,6 +26,8 @@
 #ifdef HAVE_OPENSSL
 #include "ssl_private.h"
 
+static jclass byteArrayClass;
+
 static apr_status_t ssl_context_cleanup(void *data)
 {
 tcn_ssl_ctxt_t *c = (tcn_ssl_ctxt_t *)data;
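Review bot: `static jclass byteArrayClass` keeps a class reference at file scope across JNI calls; a jclass returned by FindClass is a local reference that becomes invalid once the JNI call that obtained it returns, so wherever this is initialised (not shown in this hunk) it must be wrapped in NewGlobalRef, otherwise later array-construction calls operate on a dangling reference.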
@@ -55,6 +57,26 @@ static apr_status_t ssl_context_cleanup(
 SSL_BIO_close(c->bio_os);
 c->bio_os = NULL;
 }
+
+if (c->verifier) {
+JNIEnv *e;
+tcn_get_java_env(&e);
+(*e)->DeleteGlobalRef(e, c->verifier);
+c->verifier = NULL;
+}
+c->verifier_method = NULL;
+
+if (c->next_proto_data) {
+free(c->next_proto_data);
+c->next_proto_data = NULL;
+}
+c->next_proto_len = 0;
+
+if (c->alpn_proto_data) {
+free(c->alpn_proto_data);
+c->alpn_proto_data = NULL;
+}
+c->alpn_proto_len = 0;
 }
 return APR_SUCCESS;
 }
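Review bot: the cleanup path calls `tcn_get_java_env(&e)` and then dereferences `e` in DeleteGlobalRef without checking the return value or that `e` is non-NULL; ssl_context_cleanup runs as an APR pool cleanup, which can execute on a thread that is not attached to the JVM, so guard the DeleteGlobalRef on the result of tcn_get_java_env and skip the release (leaking one global ref is preferable to a crash in native code) when no environment is available. The free and NULL-reset of next_proto_data and alpn_proto_data are correct and leave the struct safe for a second cleanup.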
@@ -67,9 +89,9 @@ static jmethodID sni_java_callback;
  */
 int ssl_callback_ServerNameIndication(SSL *ssl, int *al, tcn_ssl_ctxt_t *c)
 {
-// TODO: Is it better to cache the JNIEnv* during the call to handshake?
+/* TODO: Is it better to cache the JNIEnv* during the call to handshake? */
 
-// Get the JNI environment for this callback
+/* Get the JNI environment for this callback */
 JavaVM *javavm = tcn_get_java_vm();
 JNIEnv *env;
 const char *servername;
@@ -105,7 +127,9 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 apr_pool_t *p = J2P(pool, apr_pool_t *);
 tcn_ssl_ctxt_t *c = NULL;
 SSL_CTX *ctx = NULL;
+jclass clazz;
 
+UNREFERENCED(o);
 if (protocol == SSL_PROTOCOL_NONE) {
 tcn_Throw(e, "No SSL protocols requested");
 goto init_failed;
@@ -211,6 +235,11 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 #ifdef HAVE_ECC
 SSL_CTX_set_options(c->ctx, SSL_OP_SINGLE_ECDH_USE);
 #endif
+#ifdef SSL_OP_NO_COMPRESSION
+/* Disable SSL compression to be safe */
+SSL_CTX_set_options(c->ctx, SSL_OP_NO_COMPRESSION);
+#endif
+
 
 /** To get back the tomcat wrapper from CTX */
 SSL_CTX_set_app_data(c->ctx, (char *)c);
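Review bot: setting SSL_OP_NO_COMPRESSION unconditionally is the right default, since TLS-level compression of attacker-influenced plaintext is what the CRIME class of attacks relies on, and the `#ifdef` keeps builds against OpenSSL versions that predate the option compiling. The flip side is that on such older builds compression stays enabled with no indication; logging or documenting that the library is too old to disable it would make that state visible to operators.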
@@ -222,8 +251,17 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
  */
 SSL_CTX_set_options(c->ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif
+#i

svn commit: r1686259 - /tomcat/native/trunk/native/src/sslcontext.c

2015-06-18 Thread jfclere
Author: jfclere
Date: Thu Jun 18 15:56:00 2015
New Revision: 1686259

URL: http://svn.apache.org/r1686259
Log:
Add empty stubs when without openssl. 

Modified:
tomcat/native/trunk/native/src/sslcontext.c

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1686259&r1=1686258&r2=1686259&view=diff
==
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Thu Jun 18 15:56:00 2015
@@ -1631,6 +1631,12 @@ TCN_IMPLEMENT_CALL(void, SSLContext, set
 UNREFERENCED(opt);
 }
 
+TCN_IMPLEMENT_CALL(jint, SSLContext, getOptions)(TCN_STDARGS, jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+}
+
 TCN_IMPLEMENT_CALL(void, SSLContext, clearOptions)(TCN_STDARGS, jlong ctx,
jint opt)
 {
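Review bot: getOptions is declared to return jint but the stub body has no return statement; falling off the end of a non-void function is undefined behaviour in C and hands an indeterminate value back to the Java caller. Return 0, or APR_ENOTIMPL as the other non-OpenSSL stubs such as setALPN do, so the Java side sees a defined value.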
@@ -1737,4 +1743,176 @@ TCN_IMPLEMENT_CALL(jint, SSLExt, setALPN
 UNREFERENCED(len);
 return APR_ENOTIMPL;
 }
+
+/* Start of netty-tc-native add */
+
+TCN_IMPLEMENT_CALL(void, SSLContext, setNpnProtos)(TCN_STDARGS, jlong ctx, 
jobjectArray next_protos,
+jint selectorFailureBehavior)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+UNREFERENCED(next_protos);
+}
+
+
+TCN_IMPLEMENT_CALL(void, SSLContext, setAlpnProtos)(TCN_STDARGS, jlong ctx, 
jobjectArray alpn_protos,
+jint selectorFailureBehavior)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+UNREFERENCED(alpn_protos);
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, setSessionCacheMode)(TCN_STDARGS, jlong 
ctx, jlong mode)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+UNREFERENCED(mode);
+return -1;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, getSessionCacheMode)(TCN_STDARGS, jlong 
ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return -1;
+}
+
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, setSessionCacheTimeout)(TCN_STDARGS, 
jlong ctx, jlong timeout)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+UNREFERENCED(timeout);
+return -1;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, getSessionCacheTimeout)(TCN_STDARGS, 
jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return -1;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, setSessionCacheSize)(TCN_STDARGS, jlong 
ctx, jlong size)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+UNREFERENCED(size);
+return -1;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, getSessionCacheSize)(TCN_STDARGS, jlong 
ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return -1;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionNumber)(TCN_STDARGS, jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionConnect)(TCN_STDARGS, jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionConnectGood)(TCN_STDARGS, jlong 
ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionConnectRenegotiate)(TCN_STDARGS, 
jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionAccept)(TCN_STDARGS, jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionAcceptGood)(TCN_STDARGS, jlong 
ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionAcceptRenegotiate)(TCN_STDARGS, 
jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionHits)(TCN_STDARGS, jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionCbHits)(TCN_STDARGS, jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionTimeouts)(TCN_STDARGS, jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionCacheFull)(TCN_STDARGS, jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(jlong, SSLContext, sessionMisses)(TCN_STDARGS, jlong ctx)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+return 0;
+}
+
+TCN_IMPLEMENT_CALL(void, SSLContext, setSessionTicketKeys)(TCN_STDARGS, jlong 
ctx, jbyteArray keys)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+UNREFERENCED(keys);
+}
+
+TCN_IMPLEMENT_CALL(void, SSLContext, setCertVerifyCallback)(TCN_STDARGS, jlong 
ctx, jobject verifier)
+{
+UNREFERENCED_STDARGS;
+UNREFERENCED(ctx);
+UNREFERENCED(verifier);
+}
+TCN_IMPLEMENT_CALL(jboolean, SSLContext, setSessionIdContext)(TCN_STDARGS, 
jlong
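Review bot: setNpnProtos and setAlpnProtos mark ctx and the protocol array as UNREFERENCED but not selectorFailureBehavior, so these two stubs trigger exactly the unused-parameter warning the macro exists to silence; add `UNREFERENCED(selectorFailureBehavior);` to both. The remaining stubs follow the existing non-OpenSSL convention (-1 from the setters and getters that cannot work, 0 from the counters), which lets the Java side distinguish "not built with OpenSSL" from a real value.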

Re: [GitHub] tomcat-native pull request: Port Netty-tc-native code to tomcat-na...

2015-06-18 Thread jean-frederic clere

On 06/18/2015 02:41 PM, Mark Thomas wrote:

On 18 June 2015 13:12:52 BST, jean-frederic clere  wrote:

I am going to merge it today and fix in svn what will be broken after.

Cheers

Jean-Frederic

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org


+1. This is trunk and I have the builds I need for testing alpn so breaking 
trunk for a few days should be fine.


I am done.

Actually netty-tc-native also brings some ALPN logic; I have kept both, which 
probably needs some cleaning.


I have built on F22 and used openssl-1.0.2c and apr-1.3.12; other versions 
might cause problems. I will try to test on other platforms; if you need 
one, tell me and I can start with it.


Cheers

Jean-Frederic




svn commit: r1686276 [1/2] - in /tomcat/trunk: ./ java/org/apache/catalina/core/ java/org/apache/tomcat/jni/ java/org/apache/tomcat/jni/socket/

2015-06-18 Thread remm
Author: remm
Date: Thu Jun 18 17:10:08 2015
New Revision: 1686276

URL: http://svn.apache.org/r1686276
Log:
- Add JNI API updates from Netty and Twitter. jni.socket.* is not useful to 
Tomcat at the moment, but is a NIO2 style API on top of APR.
- Update recommended native library version to 1.2. If not using the new 
OpenSSL features, this shouldn't break and I prefer not requiring a trunk build.

Added:
tomcat/trunk/java/org/apache/tomcat/jni/CertificateVerifier.java
tomcat/trunk/java/org/apache/tomcat/jni/SSLExt.java
tomcat/trunk/java/org/apache/tomcat/jni/socket/
tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocket.java
tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
tomcat/trunk/java/org/apache/tomcat/jni/socket/HostInfo.java
Modified:
tomcat/trunk/NOTICE
tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java

Modified: tomcat/trunk/NOTICE
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/NOTICE?rev=1686276&r1=1686275&r2=1686276&view=diff
==
--- tomcat/trunk/NOTICE (original)
+++ tomcat/trunk/NOTICE Thu Jun 18 17:10:08 2015
@@ -4,6 +4,12 @@ Copyright 1999-2015 The Apache Software
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
 
+This software contains code derived from netty-native
+developed by the Netty project
+(http://netty.io, https://github.com/netty/netty-tcnative/)
+and from finagle-native developed at Twitter
+(https://github.com/twitter/finagle).
+
 The Windows Installer is built with the Nullsoft
 Scriptable Install System (NSIS), which is
 open source software.  The original software and
@@ -15,6 +21,13 @@ JDT Core Batch Compiler component, which
 The original software and related information is available at
 http://www.eclipse.org/jdt/core/.
 
+For portions of the Tomcat JNI OpenSSL API and the OpenSSL JSSE integration
+The org.apache.tomcat.jni and the org.apache.tomcat.net.openssl packages
+are derivative work originating from the Netty project and the finagle-native
+project developed at Twitter
+* Copyright 2014 The Netty Project
+* Copyright 2014 Twitter
+
 The original XML Schemas for Java EE Deployment Descriptors:
  - javaee_5.xsd
  - javaee_web_services_1_2.xsd

Modified: tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1686276&r1=1686275&r2=1686276&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Thu 
Jun 18 17:10:08 2015
@@ -68,8 +68,8 @@ public class AprLifecycleListener
 protected static final int TCN_REQUIRED_MAJOR = 1;
 protected static final int TCN_REQUIRED_MINOR = 1;
 protected static final int TCN_REQUIRED_PATCH = 32;
-protected static final int TCN_RECOMMENDED_MINOR = 1;
-protected static final int TCN_RECOMMENDED_PV = 33;
+protected static final int TCN_RECOMMENDED_MINOR = 2;
+protected static final int TCN_RECOMMENDED_PV = 0;
 
 
 // -- Properties
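Review bot: TCN_REQUIRED stays at 1.1.32 while TCN_RECOMMENDED moves to 1.2.0, which matches the commit message, but the consequence is that the natives added in the companion commits (newSSL, setAlpnProtos, the session-cache accessors) do not exist in a 1.1.x library: a deployment on 1.1.32 that selects the OpenSSL engine only fails at first use with UnsatisfiedLinkError rather than at the startup version check. A startup warning when the OpenSSL implementation is configured and the loaded library is below 1.2 would surface that mismatch earlier.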

Added: tomcat/trunk/java/org/apache/tomcat/jni/CertificateVerifier.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/CertificateVerifier.java?rev=1686276&view=auto
==
--- tomcat/trunk/java/org/apache/tomcat/jni/CertificateVerifier.java (added)
+++ tomcat/trunk/java/org/apache/tomcat/jni/CertificateVerifier.java Thu Jun 18 
17:10:08 2015
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.jni;
+
+/**
+ * Is called during handshake and hooked into openssl via {@code 
SSL_CTX_set_cert_verify_callback}.
+ */
+public interface CertificateVerifier {
+
+/**
+ * Returns {@code true} if the passed in certificate chain coul

svn commit: r1686276 [2/2] - in /tomcat/trunk: ./ java/org/apache/catalina/core/ java/org/apache/tomcat/jni/ java/org/apache/tomcat/jni/socket/

2015-06-18 Thread remm
Added: tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java?rev=1686276&view=auto
==
--- tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java (added)
+++ tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java Thu 
Jun 18 17:10:08 2015
@@ -0,0 +1,1352 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.tomcat.jni.socket;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.Executor;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.LinkedBlockingQueue;
+import java.util.concurrent.RejectedExecutionHandler;
+import java.util.concurrent.ThreadFactory;
+import java.util.concurrent.ThreadPoolExecutor;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.concurrent.atomic.AtomicLong;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.apache.tomcat.jni.Address;
+import org.apache.tomcat.jni.Error;
+import org.apache.tomcat.jni.Library;
+import org.apache.tomcat.jni.OS;
+import org.apache.tomcat.jni.Poll;
+import org.apache.tomcat.jni.Pool;
+import org.apache.tomcat.jni.SSL;
+import org.apache.tomcat.jni.SSLContext;
+import org.apache.tomcat.jni.SSLExt;
+import org.apache.tomcat.jni.Socket;
+import org.apache.tomcat.jni.Status;
+
+public class AprSocketContext {
+/**
+ * Called when a chunk of data is sent or received. This is very low
+ * level, used mostly for debugging or stats.
+ */
+public static interface RawDataHandler {
+public void rawData(AprSocket ch, boolean input, byte[] data, int pos,
+int len, int requested, boolean closed);
+}
+
+/**
+ * Called in SSL mode after the handshake is completed.
+ *
+ * @see AprSocketContext#customVerification(TlsCertVerifier)
+ */
+public static interface TlsCertVerifier {
+public void handshakeDone(AprSocket ch);
+}
+
+/**
+ * Delegates loading of persistent info about a host - public certs,
+ * tickets, config, persistent info etc.
+ */
+public static interface HostInfoLoader {
+public HostInfo getHostInfo(String name, int port, boolean ssl);
+}
+
+private static final Logger log = Logger.getLogger("AprSocketCtx");
+
+// If interrupt() or thread-safe poll update are not supported - the
+// poll updates will happen after the poll() timeout.
+// The poll timeout with interrupt/thread safe updates can be much higher/
+private static final int FALLBACK_POLL_TIME = 2000;
+
+// It seems to send the ticket, get server helo / ChangeCipherSpec, but 
than
+// SSL3_GET_RECORD:decryption failed or bad record mac in s3_pkt.c:480:
+// Either bug in openssl, or some combination of ciphers - needs more 
debugging.
+// ( this can save a roundtrip and CPU on TLS handshake )
+boolean USE_TICKETS = false;
+
+private final AprSocket END = new AprSocket(this);
+
+private static final AtomicInteger contextNumber = new AtomicInteger();
+private int contextId;
+
+private final AtomicInteger threadNumber = new AtomicInteger();
+
+/**
+ * For now - single acceptor thread per connector.
+ */
+private AcceptorThread acceptor;
+private AcceptorDispatchThread acceptorDispatch;
+
+// APR/JNI is thread safe
+private boolean threadSafe = true;
+
+/**
+ * Pollers.
+ */
+private final List pollers = new ArrayList<>();
+
+// Set on all accepted or connected sockets.
+// TODO: add the other properties
+boolean tcpNoDelay = true;
+
+protected boolean running = true;
+
+protected boolean sslMode;
+
+// onSocket() will be called in accept thread.
+// If false: use executor ( but
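Review bot: `running`, `sslMode`, `tcpNoDelay` and `USE_TICKETS` are plain non-volatile fields, yet this class declares an AcceptorThread and a list of pollers that will have to consult them from their own threads; a shutdown that flips `running` on one thread has no guaranteed visibility to a poller loop on another. Mark the cross-thread flags volatile (or use AtomicBoolean, which is already imported), and make USE_TICKETS private and final or a constructor option rather than a package-visible mutable field with a debugging note attached.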

svn commit: r1686277 - /tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties

2015-06-18 Thread remm
Author: remm
Date: Thu Jun 18 17:10:30 2015
New Revision: 1686277

URL: http://svn.apache.org/r1686277
Log:
Remove extra space.

Modified:
tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties

Modified: tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties?rev=1686277&r1=1686276&r2=1686277&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties 
(original)
+++ tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties Thu 
Jun 18 17:10:30 2015
@@ -140,4 +140,3 @@ webAnnotationSet.invalidInjection=Invali
 
 connector.noSetExecutor=Connector [{0}] does not support external executors. 
Method setExecutor(java.util.concurrent.Executor) not found.
 connector.noSetSSLImplementationName=Connector [{0}] does not support changing 
the SSL implementation. Method setSslImplementationName(String) not found.
- 
\ No newline at end of file






svn commit: r1686279 [1/2] - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/

2015-06-18 Thread remm
Author: remm
Date: Thu Jun 18 17:13:40 2015
New Revision: 1686279

URL: http://svn.apache.org/r1686279
Log:
Add SSL engine backed by OpenSSL, based on code from Numa de Montmollin and 
derived from work done by Netty and Twitter.

Added:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/

tomcat/trunk/java/org/apache/tomcat/util/net/openssl/CipherSuiteConverter.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java

tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLKeyManager.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLProtocols.java

tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLServerSessionContext.java

tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLSessionContext.java

tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLSessionStats.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java

tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLX509Certificate.java

Added: 
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/CipherSuiteConverter.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/CipherSuiteConverter.java?rev=1686279&view=auto
==
--- 
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/CipherSuiteConverter.java 
(added)
+++ 
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/CipherSuiteConverter.java 
Thu Jun 18 17:13:40 2015
@@ -0,0 +1,421 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.openssl;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Converts a Java cipher suite string to an OpenSSL cipher suite string and 
vice versa.
+ *
+ * @see http://en.wikipedia.org/wiki/Cipher_suite";>Wikipedia page 
about cipher suite
+ */
+public final class CipherSuiteConverter {
+
+private static final Log logger = 
LogFactory.getLog(CipherSuiteConverter.class);
+private static final StringManager sm = 
StringManager.getManager(CipherSuiteConverter.class);
+
+/**
+ * A_B_WITH_C_D, where:
+ *
+ * A - TLS or SSL (protocol)
+ * B - handshake algorithm (key exchange and authentication algorithms to 
be precise)
+ * C - bulk cipher
+ * D - HMAC algorithm
+ *
+ * This regular expression assumees that:
+ *
+ * 1) A is always TLS or SSL, and
+ * 2) D is always a single word.
+ */
+private static final Pattern JAVA_CIPHERSUITE_PATTERN =
+Pattern.compile("^(?:TLS|SSL)_((?:(?!_WITH_).)+)_WITH_(.*)_(.*)$");
+
+/**
+ * A-B-C, where:
+ *
+ * A - handshake algorithm (key exchange and authentication algorithms to 
be precise)
+ * B - bulk cipher
+ * C - HMAC algorithm
+ *
+ * This regular expression assumes that:
+ *
+ * 1) A has some deterministic pattern as shown below, and
+ * 2) C is always a single word
+ */
+private static final Pattern OPENSSL_CIPHERSUITE_PATTERN =
+// Be very careful not to break the indentation while editing.
+Pattern.compile(
+"^(?:(" + // BEGIN handshake algorithm
+"(?:(?:EXP-)?" +
+"(?:" +
+
"(?:DHE|EDH|ECDH|ECDHE|SRP)-(?:DSS|RSA|ECDSA)|" +
+"(?:ADH|AECDH|KRB5|PSK|SRP)" +
+')' +
+")|" +
+"EXP" +
+")-)?" +  // END handshake algorithm
+"(.*)-(.*)$");
+
+private static final Pattern JAVA_
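Review bot: the handshake-algorithm branch of OPENSSL_CIPHERSUITE_PATTERN is anchored on a fixed list of prefixes (DHE|EDH|ECDH|ECDHE|SRP paired with DSS|RSA|ECDSA, or ADH|AECDH|KRB5|PSK|SRP), so an OpenSSL name outside that list falls through to the `(.*)-(.*)` tail and is split at the wrong hyphen; make sure the converter returns null for names it cannot map rather than emitting a plausible but wrong Java name, because the result feeds cipher selection. Also "assumees" in the JAVA_CIPHERSUITE_PATTERN comment should read "assumes".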

svn commit: r1686279 [2/2] - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/

2015-06-18 Thread remm
Added: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1686279&view=auto
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java 
(added)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Thu 
Jun 18 17:13:40 2015
@@ -0,0 +1,1312 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.openssl;
+
+import java.nio.ByteBuffer;
+import java.nio.ReadOnlyBufferException;
+import java.security.Principal;
+import java.security.cert.Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.atomic.AtomicIntegerFieldUpdater;
+import java.util.concurrent.atomic.AtomicReferenceFieldUpdater;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSessionBindingEvent;
+import javax.net.ssl.SSLSessionBindingListener;
+import javax.net.ssl.SSLSessionContext;
+import javax.security.cert.CertificateException;
+import javax.security.cert.X509Certificate;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.jni.Buffer;
+import org.apache.tomcat.jni.Pool;
+import org.apache.tomcat.jni.SSL;
+import org.apache.tomcat.jni.SSLContext;
+import org.apache.tomcat.util.buf.ByteBufferUtils;
+import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implements a {@link SSLEngine} using
+ * https://www.openssl.org/docs/crypto/BIO_s_bio.html#EXAMPLE";>OpenSSL
+ * BIO abstractions.
+ */
+public final class OpenSSLEngine extends SSLEngine {
+
+private static final Log logger = LogFactory.getLog(OpenSSLEngine.class);
+private static final StringManager sm = 
StringManager.getManager(OpenSSLEngine.class);
+
+private static final Certificate[] EMPTY_CERTIFICATES = new Certificate[0];
+private static final SSLException ENGINE_CLOSED = new 
SSLException(sm.getString("engine.engineClosed"));
+private static final SSLException RENEGOTIATION_UNSUPPORTED = new 
SSLException(sm.getString("engine.renegociationUnsupported"));
+private static final SSLException ENCRYPTED_PACKET_OVERSIZED = new 
SSLException(sm.getString("engine.oversizedPacket"));
+
+private static final Set AVAILABLE_CIPHER_SUITES;
+
+static {
+final Set availableCipherSuites = new 
LinkedHashSet(128);
+final long aprPool = Pool.create(0);
+try {
+final long sslCtx = SSLContext.make(aprPool, SSL.SSL_PROTOCOL_ALL, 
SSL.SSL_MODE_SERVER);
+try {
+SSLContext.setOptions(sslCtx, SSL.SSL_OP_ALL);
+SSLContext.setCipherSuite(sslCtx, "ALL");
+final long ssl = SSL.newSSL(sslCtx, true);
+try {
+for (String c: SSL.getCiphers(ssl)) {
+// Filter out bad input.
+if (c == null || c.length() == 0 || 
availableCipherSuites.contains(c)) {
+continue;
+}
+
availableCipherSuites.add(CipherSuiteConverter.toJava(c, "ALL"));
+}
+} finally {
+SSL.freeSSL(ssl);
+}
+} finally {
+SSLContext.free(sslCtx);
+}
+} catch (Exception e) {
+logger.warn(sm.getString("engine.ciphersFailure"), e);
+} finally {
+Pool.destroy(aprPool);
+}
+AVAILABLE_CIPHER_SUITES = 
Collections.unmodifiableSet(availableCipherSuites);
+}
+
+static {
+ENGINE_CLOSED.setStackTrace(new StackTraceElement[0]);
+RENEGOTIATION_UNSUPPORTED.setStackTrace(new S
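Review bot: the static initialiser discovers the cipher list through a throwaway context configured with SSL_PROTOCOL_ALL, SSL_OP_ALL and the cipher string "ALL", which is fine for enumeration only, but the `catch (Exception e)` branch merely logs a warning and leaves AVAILABLE_CIPHER_SUITES empty, so a missing or mismatched native library turns into a silent "no ciphers supported" at runtime instead of a visible failure; consider rethrowing as ExceptionInInitializerError or at least logging at error level. Clearing the stack traces on the shared ENGINE_CLOSED and RENEGOTIATION_UNSUPPORTED instances is a reasonable trade-off for exceptions thrown on hot paths, but it means callers get no call-site information; note that on the constants.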

svn commit: r1686281 - in /tomcat/trunk: java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java webapps/docs/changelog.xml webapps/docs/config/http.xml webapps/docs/ssl-howto.xml

2015-06-18 Thread remm
Author: remm
Date: Thu Jun 18 17:15:51 2015
New Revision: 1686281

URL: http://svn.apache.org/r1686281
Log:
- When using the OpenSSL SSL engine, use the OpenSSL style configuration.
- Add some "documentation" that says the APR SSL configuration should be used 
when using the OpenSSL sslImplementationName. Better than nothing ...

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
tomcat/trunk/webapps/docs/ssl-howto.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1686281&r1=1686280&r2=1686281&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Thu 
Jun 18 17:15:51 2015
@@ -21,6 +21,7 @@ import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSessionContext;
 
 import org.apache.tomcat.util.net.SSLHostConfig.Type;
+import org.apache.tomcat.util.net.openssl.OpenSSLImplementation;
 
 public abstract class AbstractJsseEndpoint extends AbstractEndpoint {
 
@@ -57,7 +58,11 @@ public abstract class AbstractJsseEndpoi
 
 @Override
 protected Type getSslConfigType() {
-return SSLHostConfig.Type.JSSE;
+if 
(OpenSSLImplementation.IMPLEMENTATION_NAME.equals(sslImplementationName)) {
+return SSLHostConfig.Type.OPENSSL;
+} else {
+return SSLHostConfig.Type.JSSE;
+}
 }
 
 
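Review bot: the switch to `SSLHostConfig.Type.OPENSSL` keys on exact string equality between `sslImplementationName` and `OpenSSLImplementation.IMPLEMENTATION_NAME`, so a subclass of OpenSSLImplementation configured under its own class name would still be handed the JSSE attribute set. If that is the intended contract, a comment saying so would help; otherwise compare against the resolved implementation class rather than the configured name.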

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1686281&r1=1686280&r2=1686281&view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 18 17:15:51 2015
@@ -82,6 +82,11 @@
 has been significant changes to the SSL configuration in server.xml to
 support this. (markt)
   
+  
+Add SSL engine backed by OpenSSL, based on code contributed by Numa de
+Montmollin and derived from code developed by Twitter and Netty.
+(remm)
+  
 
   
   

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1686281&r1=1686280&r2=1686281&view=diff
==
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Jun 18 17:15:51 2015
@@ -1343,7 +1343,13 @@
   The class name of the SSL implementation to use. If not specified, the
   default of 
org.apache.tomcat.util.net.jsse.JSSEImplementation
   will be used which wraps JVM's default JSSE provider. Note that the
-  JVM can be configured to use a different JSSE provider as the 
default.
+  JVM can be configured to use a different JSSE provider as the default.
+  Tomcat also bundles a special SSL implementation for JSSE that is backed
+  by OpenSSL. To enable it, the native library should be enabled as if
+  intending to use the APR connector, the value of this attribute should be
+  org.apache.tomcat.util.net.openssl.OpenSSLImplementation,
+  and the SSL attributes configuration used should be the one from the APR
+  connector.
 
 
   
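Review bot: the new paragraph says the APR connector's SSL attributes "should be" used with OpenSSLImplementation but not what happens to JSSE-style attributes that are still present in the same Connector; since getSslConfigType() now returns Type.OPENSSL for this implementation in this very commit, state explicitly that the JSSE attributes are not applied, so a mixed configuration is not mistaken for a working one.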

Modified: tomcat/trunk/webapps/docs/ssl-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/ssl-howto.xml?rev=1686281&r1=1686280&r2=1686281&view=diff
==
--- tomcat/trunk/webapps/docs/ssl-howto.xml (original)
+++ tomcat/trunk/webapps/docs/ssl-howto.xml Thu Jun 18 17:15:51 2015
@@ -300,12 +300,21 @@ loaded or not, use one of the following:
 
 ]]>
+
+Tomcat also provides a SSL engine that directly uses OpenSSL. If the APR 
library
+is installed (as for using the APR connector), using the sslImplementationName 
attribute
+allows enabling it. In that case, the configuration must not use the JSSE 
attributes, but
+all the attributes that are defined for the APR connector.
+
+
 Alternatively, to specify an APR connector (the APR library must be 
available) use:
 
 
-
 If you are using APR, you have the option of configuring an alternative 
engine to OpenSSL.
 
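Review bot: "using the sslImplementationName attribute allows enabling it" never gives the value to set; quote org.apache.tomcat.util.net.openssl.OpenSSLImplementation here as the http.xml change in this commit does, and "a SSL engine" should read "an SSL engine".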



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



OpenSSL SSL engine

2015-06-18 Thread Rémy Maucherat
Hi,

I have now committed the initial work for this new feature. Advanced SSL
functionality (renegotiation) is disabled since that was like that upstream
and I didn't dare trying to hack it yet.

Testsuite integration (I have it in my git repository
https://github.com/rmaucher/tomcat ) is convoluted and requires additional
full runs. Obviously that's not the best idea so I am not adding it yet.
Maybe using some dedicated tests that would be slightly duplicated?

Rémy


Re: OpenSSL SSL engine

2015-06-18 Thread Mark Thomas
On 18/06/2015 18:22, Rémy Maucherat wrote:
> Hi,
> 
> I have now committed the initial work for this new feature. Advanced SSL
> functionality (renegotiation) is disabled since that was like that upstream
> and I didn't dare trying to hack it yet.
> 
> Testsuite integration (I have it in my git repository
> https://github.com/rmaucher/tomcat ) is convoluted and requires additional
> full runs. Obviously that's not the best idea so I am not adding it yet.
> Maybe using some dedicated tests that would be slightly duplicated?
> 
> Rémy

I assume it only makes sense to run the various SSL tests. We should be
able to (possibly with a little renaming) set things up so we can filter
test classes by name for *SSL* (or better yet *TLS*) and run them as an
additional batch of tests in the test task in the build script.

As an aside, silvaus.a.o (the CI machine the Tomcat builds use) has 16
cores. I think we can tweak the test configuration to get much faster
results (while still keeping the code coverage data).

I am thinking we create two test targets for each branch.

One has 16 threads, no code coverage and runs 5 minutes after the last
change (as per the current config)

One runs daily and uses 1 thread and runs the code coverage.

I'll try setting this up for trunk and if it works we can expand it.

Mark




svn commit: r1686288 - /tomcat/trunk/java/org/apache/catalina/Context.java

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 18:50:38 2015
New Revision: 1686288

URL: http://svn.apache.org/r1686288
Log:
Trivial commit to test CI

Modified:
tomcat/trunk/java/org/apache/catalina/Context.java

Modified: tomcat/trunk/java/org/apache/catalina/Context.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=1686288&r1=1686287&r2=1686288&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/Context.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Context.java Thu Jun 18 18:50:38 2015
@@ -324,12 +324,16 @@ public interface Context extends Contain
 
 /**
  * Return the alternate Deployment Descriptor name.
+ *
+ * @return the name
  */
 public String getAltDDName();
 
 
 /**
  * Set an alternate Deployment Descriptor name.
+ *
+ * @param altDDName The new name
  */
 public void setAltDDName(String altDDName) ;
 
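Review bot: the added `@return the name` does not say what getAltDDName() returns when no alternate deployment descriptor has been set; callers need to know whether that is null or an empty string, so spell it out in the Javadoc while it is being touched.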






buildbot failure in ASF Buildbot on tomcat-trunk

2015-06-18 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-trunk while building 
ASF Buildbot. Full details are available at:
http://ci.apache.org/builders/tomcat-trunk/builds/1405

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' 
triggered this build
Build Source Stamp: [branch tomcat/trunk] 1686288
Blamelist: markt

BUILD FAILED: failed compile_1

Sincerely,
 -The Buildbot







svn commit: r1686300 - in /tomcat/trunk: java/org/apache/coyote/http2/Http2Parser.java java/org/apache/coyote/http2/LocalStrings.properties test/org/apache/coyote/http2/TestHttp2Section_6_1.java

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 19:33:54 2015
New Revision: 1686300

URL: http://svn.apache.org/r1686300
Log:
Implement optional padding validation

Modified:
tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java
tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties
tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java

Modified: tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java?rev=1686300&r1=1686299&r2=1686300&view=diff
==
--- tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java Thu Jun 18 
19:33:54 2015
@@ -86,7 +86,7 @@ class Http2Parser {
 try {
 validateFrame(expected, frameType, streamId, flags, payloadSize);
 } catch (StreamException se) {
-swallow(streamId, payloadSize);
+swallow(streamId, payloadSize, false);
 throw se;
 }
 
@@ -160,7 +160,7 @@ class Http2Parser {
 
 ByteBuffer dest = output.getInputByteBuffer(streamId, dataLength);
 if (dest == null) {
-swallow(streamId, dataLength);
+swallow(streamId, dataLength, false);
 if (endOfStream) {
 output.receiveEndOfStream(streamId);
 }
@@ -174,7 +174,7 @@ class Http2Parser {
 }
 }
 if (padLength > 0) {
-swallow(streamId, padLength);
+swallow(streamId, padLength, true);
 output.swallowedPadding(streamId, padLength);
 }
 }
@@ -189,7 +189,7 @@ class Http2Parser {
 try {
 hpackDecoder.setHeaderEmitter(output.headersStart(streamId));
 } catch (StreamException se) {
-swallow(streamId, payloadSize);
+swallow(streamId, payloadSize, false);
 throw se;
 }
 
@@ -224,7 +224,7 @@ class Http2Parser {
 
 readHeaderBlock(payloadSize, endOfHeaders);
 
-swallow(streamId, padLength);
+swallow(streamId, padLength, true);
 
 if (endOfHeaders) {
 output.headersEnd(streamId);
@@ -405,12 +405,18 @@ class Http2Parser {
 
 private void readUnknownFrame(int streamId, FrameType frameType, int 
flags, int payloadSize)
 throws IOException {
-swallow(streamId, payloadSize);
+try {
+swallow(streamId, payloadSize, false);
+} catch (ConnectionException e) {
+// Will never happen because swallow() is called with mustBeZero 
set
+// to false
+}
 output.swallowed(streamId, frameType, flags, payloadSize);
 }
 
 
-private void swallow(int streamId, int len) throws IOException {
+private void swallow(int streamId, int len, boolean mustBeZero)
+throws IOException, ConnectionException {
 if (log.isDebugEnabled()) {
 log.debug(sm.getString("http2Parser.swallow.debug", connectionId,
 Integer.toString(streamId), Integer.toString(len)));
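Review bot: in readUnknownFrame() the new `catch (ConnectionException e)` has an empty body justified only by a comment that it "will never happen"; if swallow()'s contract changes, a protocol error would be dropped silently. Rethrowing it as an IllegalStateException (or AssertionError) keeps the intent while making the impossible case loud instead of invisible. The new `boolean mustBeZero` parameter on swallow() would also deserve a mention in the debug log line, which currently prints only connectionId, streamId and len.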
@@ -423,6 +429,17 @@ class Http2Parser {
 while (read < len) {
 int thisTime = Math.min(buffer.length, len - read);
 input.fill(true, buffer, 0, thisTime);
+if (mustBeZero) {
+// Validate the padding is zero since receiving non-zero 
padding
+// is a strong indication of either a faulty client or a server
+// side bug.
+for (int i = 0; i < thisTime; i++) {
+if (buffer[i] != 0) {
+throw new 
ConnectionException(sm.getString("http2Parser.nonZeroPadding",
+connectionId, Integer.toString(streamId)), 
Http2Error.PROTOCOL_ERROR);
+}
+}
+}
 read += thisTime;
 }
 }
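Review bot: the zero check throws on the first non-zero byte and leaves the remainder of the padding unread on the wire; that is acceptable only because ConnectionException with PROTOCOL_ERROR tears the whole connection down (RFC 7540 section 6.1 permits treating non-zero padding as a connection error), so a comment at the throw saying the connection is closed here would stop a later reader from worrying about frame desynchronisation. The check also runs inside the fill loop, so a large non-zero pad is rejected after at most one buffer's worth of reads, which is the right place for it.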

Modified: tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties?rev=1686300&r1=1686299&r2=1686300&view=diff
==
--- tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties Thu Jun 
18 19:33:54 2015
@@ -38,6 +38,7 @@ hpackhuffman.huffmanEncodedHpackValueDid
 
 http2Parser.headers.wrongFrameType=Connection [{0}], headers in progress for 
stream [{1}] but a frame of type [{2}] was received
 http2Parser.headers.wrongStream=Connection [{0}], headers in progress for 
stream [{1}] but a frame for stream [{2}] was received
+http2Parser.nonZeroPadding=Connection [{0}], Stream [{1}], Non-zero padding 
received
 http2Parser.payloadTooBig=The payload is [{0}] bytes long but the maximum 
frame size is [{1}]
 h

svn commit: r1686302 - /tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 19:40:20 2015
New Revision: 1686302

URL: http://svn.apache.org/r1686302
Log:
Add a test for data frames on stream 0.

Modified:
tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java

Modified: tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java?rev=1686302&r1=1686301&r2=1686302&view=diff
==
--- tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java 
(original)
+++ tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java Thu Jun 
18 19:40:20 2015
@@ -92,5 +92,29 @@ public class TestHttp2Section_6_1 extend
 Assert.assertTrue(trace, trace.startsWith("0-Goaway-[3]-[1]-["));
 }
 
+
+@Test
+public void testDataFrameOnStreamZero() throws Exception {
+http2Connect();
+
+byte[] dataFrame = new byte[10];
+
+// Header
+// length
+ByteUtil.setThreeBytes(dataFrame, 0, 1);
+// type (0 for data)
+// flags (0)
+// stream (0)
+// payload (0)
+
+os.write(dataFrame);
+os.flush();
+
+parser.readFrame(true);
+
+String trace = output.getTrace();
+Assert.assertTrue(trace, trace.startsWith("0-Goaway-[1]-[1]-["));
+}
+
 // TODO: Remainder if section 6.1 tests
 }
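Review bot: the frame's type, flags, stream id and payload byte are all left at the zero the array was initialised with, which is correct but reads as if four assignments were forgotten; setting them explicitly next to their comments makes the test self-describing. The trailing context line still reads "Remainder if section 6.1 tests" where "of" is meant.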






svn commit: r1686304 - in /tomcat/trunk: java/org/apache/coyote/http2/Http2Parser.java java/org/apache/coyote/http2/LocalStrings.properties test/org/apache/coyote/http2/TestHttp2Section_6_1.java

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 19:50:29 2015
New Revision: 1686304

URL: http://svn.apache.org/r1686304
Log:
Validate that the padding is not too long

Modified:
tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java
tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties
tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java

Modified: tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java?rev=1686304&r1=1686303&r2=1686304&view=diff
==
--- tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/Http2Parser.java Thu Jun 18 
19:50:29 2015
@@ -141,6 +141,13 @@ class Http2Parser {
 byte[] b = new byte[1];
 input.fill(true, b);
 padLength = b[0] & 0xFF;
+
+if (padLength >= payloadSize) {
+throw new ConnectionException(
+
sm.getString("http2Parser.processFrameData.tooMuchPadding", connectionId,
+Integer.toString(streamId), 
Integer.toString(padLength),
+Integer.toString(payloadSize)), 
Http2Error.PROTOCOL_ERROR);
+}
 // +1 is for the padding length byte we just read above
 dataLength = payloadSize - (padLength + 1);
 } else {
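Review bot: `padLength >= payloadSize` is exactly the condition RFC 7540 section 6.1 requires to be treated as a connection error of type PROTOCOL_ERROR, and it is right because payloadSize still includes the pad-length octet that was just read; a one-line comment stating that relationship above the check (the "+1 is for the padding length byte" comment only explains the subtraction below it) would make the boundary obvious. Validating before computing dataLength also keeps dataLength from ever going negative, which is worth saying since the value is later passed to output.getInputByteBuffer().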

Modified: tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties?rev=1686304&r1=1686303&r2=1686304&view=diff
==
--- tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/LocalStrings.properties Thu Jun 
18 19:50:29 2015
@@ -46,6 +46,7 @@ http2Parser.processFrame=Connection [{0}
 http2Parser.processFrame.unexpectedType=Expected frame type [{0}] but received 
frame type [{1}]
 http2Parser.processFrameContinuation.notExpected=Connection [{0}], 
Continuation frame received for stream [{1}] when no headers were in progress
 http2Parser.processFrameData.lengths=Connection [{0}], Stream [{1}], Data 
length, [{2}], Padding length [{3}]
+http2Parser.processFrameData.tooMuchPadding=Connection [{0}], Stream [{1}], 
The padding length [{2}] was too big for the payload [{3}]
 http2Parser.processFrameGoaway.payloadTooSmall=Connection [{0}]: Goaway 
payload size was [{1}] which is less than the minimum 8
 http2Parser.processFrameHeaders.decodingFailed=There was an error during the 
HPACK decoding of HTTP headers
 http2Parser.processFrameHeaders.decodingDataLeft=Data left over after HPACK 
decoding - it should have been consumed

Modified: tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java?rev=1686304&r1=1686303&r2=1686304&view=diff
==
--- tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java 
(original)
+++ tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java Thu Jun 
18 19:50:29 2015
@@ -116,5 +116,32 @@ public class TestHttp2Section_6_1 extend
 Assert.assertTrue(trace, trace.startsWith("0-Goaway-[1]-[1]-["));
 }
 
+
+@Test
+public void testDataFrameTooMuchPadding() throws Exception {
+http2Connect();
+
+byte[] dataFrame = new byte[10];
+
+// Header
+// length
+ByteUtil.setThreeBytes(dataFrame, 0, 1);
+// type 0 (data)
+// flags 8 (padded)
+dataFrame[4] = 0x08;
+// stream 3
+ByteUtil.set31Bits(dataFrame, 5, 3);
+// payload (pad length of 1)
+dataFrame[9] = 1;
+
+os.write(dataFrame);
+os.flush();
+
+parser.readFrame(true);
+
+String trace = output.getTrace();
+Assert.assertTrue(trace, trace.startsWith("0-Goaway-[1]-[1]-["));
+}
+
 // TODO: Remainder if section 6.1 tests
 }
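Review bot: testDataFrameTooMuchPadding exercises only the equality boundary (payload length 1, pad length 1); two companions would pin the rule down: a pad length strictly greater than the payload (for example length 1 with pad length 2) which must also produce "0-Goaway-[1]-[1]-[", and a pad length of payloadSize - 1 (zero bytes of data) which must be accepted, so a future off-by-one in either direction is caught.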






svn commit: r1686306 - /tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 19:55:37 2015
New Revision: 1686306

URL: http://svn.apache.org/r1686306
Log:
Add a test for zero length padding

Modified:
tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java

Modified: tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java?rev=1686306&r1=1686305&r2=1686306&view=diff
==
--- tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java 
(original)
+++ tomcat/trunk/test/org/apache/coyote/http2/TestHttp2Section_6_1.java Thu Jun 
18 19:55:37 2015
@@ -143,5 +143,23 @@ public class TestHttp2Section_6_1 extend
 Assert.assertTrue(trace, trace.startsWith("0-Goaway-[1]-[1]-["));
 }
 
-// TODO: Remainder if section 6.1 tests
+
+@Test
+public void testDataFrameWithZeroLengthPadding() throws Exception {
+http2Connect();
+
+byte[] padding = new byte[0];
+
+sendSimplePostRequest(3, padding);
+// Since padding is zero length, response looks like there is none.
+readSimplePostResponse(false);
+
+Assert.assertEquals("0-WindowSize-[127]\n"
++ "3-WindowSize-[127]\n"
++ "3-HeadersStart\n"
++ "3-Header-[:status]-[200]\n"
++ "3-HeadersEnd\n"
++ "3-Body-127\n"
++ "3-EndOfStream\n", output.getTrace());
+}
 }
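Review bot: this hunk removes the "Remainder if section 6.1 tests" TODO, implying the section is now covered, yet none of the tests in this thread sends a DATA frame on a stream that is not in the "open" or "half-closed (local)" state, which section 6.1 requires to be answered with a stream error of type STREAM_CLOSED; either keep the TODO or add that case alongside testDataFrameWithZeroLengthPadding.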






svn commit: r1686312 - in /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl: Encryption.java EncryptionLevel.java MessageDigest.java

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 20:03:35 2015
New Revision: 1686312

URL: http://svn.apache.org/r1686312
Log:
Reformat

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java

tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java?rev=1686312&r1=1686311&r2=1686312&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java 
Thu Jun 18 20:03:35 2015
@@ -18,5 +18,19 @@
 package org.apache.tomcat.util.net.jsse.openssl;
 
 enum Encryption {
-AES256GCM, AES256, AES128GCM, AES128, CAMELLIA256, CAMELLIA128, 
TRIPLE_DES, DES, IDEA, eGOST2814789CNT, SEED, FZA, RC4, RC2, eNULL;
+AES256GCM,
+AES256,
+AES128GCM,
+AES128,
+CAMELLIA256,
+CAMELLIA128,
+TRIPLE_DES,
+DES,
+IDEA,
+eGOST2814789CNT,
+SEED,
+FZA,
+RC4,
+RC2,
+eNULL;
 }

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java?rev=1686312&r1=1686311&r2=1686312&view=diff
==
--- 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java 
(original)
+++ 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java 
Thu Jun 18 20:03:35 2015
@@ -18,5 +18,11 @@
 package org.apache.tomcat.util.net.jsse.openssl;
 
 enum EncryptionLevel {
-STRONG_NONE, EXP40, EXP56, LOW, MEDIUM, HIGH, FIPS;
+STRONG_NONE,
+EXP40,
+EXP56,
+LOW,
+MEDIUM,
+HIGH,
+FIPS;
 }

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java?rev=1686312&r1=1686311&r2=1686312&view=diff
==
--- 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java 
(original)
+++ 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java 
Thu Jun 18 20:03:35 2015
@@ -18,5 +18,11 @@
 package org.apache.tomcat.util.net.jsse.openssl;
 
 enum MessageDigest {
-MD5, SHA1, GOST94, GOST89MAC, SHA256, SHA384, AEAD;
+MD5,
+SHA1,
+GOST94,
+GOST89MAC,
+SHA256,
+SHA384,
+AEAD;
 }






buildbot success in ASF Buildbot on tomcat-trunk

2015-06-18 Thread buildbot
The Buildbot has detected a restored build on builder tomcat-trunk while 
building ASF Buildbot. Full details are available at:
http://ci.apache.org/builders/tomcat-trunk/builds/1409

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' 
triggered this build
Build Source Stamp: [branch tomcat/trunk] 1686312
Blamelist: markt

Build succeeded!

Sincerely,
 -The Buildbot







svn commit: r1686317 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 20:23:23 2015
New Revision: 1686317

URL: http://svn.apache.org/r1686317
Log:
Add a reference to the OpenSSL cipher suite definitions.
Fix some strength bits values

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java?rev=1686317&r1=1686316&r2=1686317&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java Thu 
Jun 18 20:23:23 2015
@@ -25,6 +25,7 @@ import java.util.Set;
 /**
  * All the standard cipher suites for SSL/TSL.
  *
+ * @see https://github.com/openssl/openssl/blob/master/ssl/s3_lib.c";>OpenSSL
  * @see http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4";
  *  >The cipher suite registry
  * @see https://www.thesprawl.org/research/tls-and-ssl-cipher-suites/";
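Review bot: the new `@see` link points at ssl/s3_lib.c on the OpenSSL master branch, which moves under the reader; pin it to a release tag or commit so the strength values changed in this commit can still be checked against the same table later. The adjacent context line "All the standard cipher suites for SSL/TSL" has "TSL" for "TLS".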
@@ -182,7 +183,7 @@ public enum Cipher {
 false,
 EncryptionLevel.HIGH,
 true,
-168,
+112,
 168,
 "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
 ),
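Review bot: lowering the strength bits of the 3DES_EDE_CBC suites from 168 to 112 while leaving the algorithm bits at 168 is the right distinction: 168 is the key length, 112 is the effective security after the meet-in-the-middle attack, and it is the value OpenSSL itself reports for these suites. A short comment on the first such entry explaining the two numbers would save the next person from "correcting" 112 back to 168.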
@@ -228,7 +229,7 @@ public enum Cipher {
 false,
 EncryptionLevel.HIGH,
 true,
-168,
+112,
 168,
 "SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA"
 ),
@@ -273,7 +274,7 @@ public enum Cipher {
 false,
 EncryptionLevel.HIGH,
 true,
-168,
+112,
 168,
 "SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA"
 ),
@@ -319,7 +320,7 @@ public enum Cipher {
 false,
 EncryptionLevel.HIGH,
 true,
-168,
+112,
 168,
 "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
 ),
@@ -364,7 +365,7 @@ public enum Cipher {
 false,
 EncryptionLevel.HIGH,
 true,
-168,
+112,
 168,
 "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
 ),
@@ -439,7 +440,7 @@ public enum Cipher {
 false,
 EncryptionLevel.HIGH,
 true,
-168,
+112,
 168,
 "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"
 ),






svn commit: r1686318 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java

2015-06-18 Thread markt
Author: markt
Date: Thu Jun 18 20:33:07 2015
New Revision: 1686318

URL: http://svn.apache.org/r1686318
Log:
Add some missing cipher IDs to the comments

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java?rev=1686318&r1=1686317&r2=1686318&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java Thu 
Jun 18 20:33:07 2015
@@ -445,6 +445,7 @@ public enum Cipher {
 "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"
 ),
 /* Fortezza ciphersuite from SSL 3.0 spec */
+// Cipher 1C
 SSL_FORTEZZA_DMS_WITH_NULL_SHA(
 "FZA-NULL-SHA",
 KeyExchange.FZA,
@@ -458,6 +459,7 @@ public enum Cipher {
 0,
 0
 ),
+// Cipher 1D
 SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA(
 "FZA-FZA-CBC-SHA",
 KeyExchange.FZA,
@@ -471,6 +473,7 @@ public enum Cipher {
 0,
 0
 ),
+// Cipher 1E - duplicate
 SSL_FORTEZZA_DMS_WITH_RC4_128_SHA(
 "FZA-RC4-SHA",
 KeyExchange.FZA,
@@ -485,7 +488,7 @@ public enum Cipher {
 128
 ),
 /* The Kerberos ciphers*/
-// Cipher 1E
+// Cipher 1E - duplicate
 /*TLS_KRB5_WITH_DES_CBC_SHA(
 "KRB5-DES-CBC-SHA",
 KeyExchange.KRB5,
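Review bot: both SSL_FORTEZZA_DMS_WITH_RC4_128_SHA and the commented-out TLS_KRB5_WITH_DES_CBC_SHA are now labelled "Cipher 1E - duplicate" without saying which assignment the enum keeps for that id; since the KRB5 entry sits inside a `/* ... */` block, a comment at the Fortezza entry stating that 0x1E resolves to FZA-RC4-SHA here, and why the Kerberos suite is excluded, would make the choice explicit for anyone mapping ids back to names.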






buildbot failure in ASF Buildbot on tomcat-trunk

2015-06-18 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-trunk while building 
ASF Buildbot. Full details are available at:
http://ci.apache.org/builders/tomcat-trunk/builds/1410

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' 
triggered this build
Build Source Stamp: [branch tomcat/trunk] 1686317
Blamelist: markt

BUILD FAILED: failed compile_1

Sincerely,
 -The Buildbot







[Bug 58052] New: RewriteValve: Rewrite to a complete URI does not work because the colon is URL encoded

2015-06-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58052

Bug ID: 58052
   Summary: RewriteValve: Rewrite to a complete URI does not work
because the colon is URL encoded
   Product: Tomcat 8
   Version: 8.0.21
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: v...@cenote.de

Using rewrite valve for example to rewrite only some URLs to https does not
work:

RewriteCond %{REQUEST_URI}  !^/some/exception/.*$
RewriteCond %{REQUEST_URI}  ^/.*$
RewriteCond %{HTTPS}        off
RewriteRule ^/(.*)$ https://localhost:8443%{REQUEST_URI}


because 
http://localhost:8443/
is rewritten to
https%3A//localhost%3A8443/

The colon ":" is encoded to "%3A"

-- 
You are receiving this mail because:
You are the assignee for the bug.
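The defect class in this report is worth seeing in isolation: a rewrite target that is an absolute URI must keep the reserved `:` of the scheme and of the port intact, while a plain path can be percent-encoded as a whole. The following Java class is an added illustration and is not Tomcat's RewriteValve code; both encoders in it are constructed for this example, and the "keep set" is RFC 3986's unreserved characters plus `/`. `encodeAsPath` applied to the whole target reproduces the `https%3A//localhost%3A8443/` output the reporter sees; `encodeRewriteTarget` detects an absolute URI and encodes only its path component.

```java
import java.nio.charset.StandardCharsets;

// Added illustration of the encoding behaviour described in bug 58052.
// Not Tomcat's RewriteValve code: both encoders are constructed here.
public final class RewriteTargetEncoding {

    // RFC 3986 unreserved characters plus '/'. A path-oriented encoder keeps
    // these and percent-encodes everything else, including ':'.
    private static final String KEEP =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~/";

    /** Percent-encodes the whole string as if it were a path (the reported behaviour). */
    static String encodeAsPath(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xFF;
            if (v < 0x80 && KEEP.indexOf((char) v) >= 0) {
                out.append((char) v);
            } else {
                out.append('%').append(String.format("%02X", v));
            }
        }
        return out.toString();
    }

    /**
     * Scheme-aware variant: when the target is an absolute URI the scheme and
     * authority (host and port) are passed through untouched and only the path
     * that follows them is encoded. Relative targets get plain path encoding.
     */
    static String encodeRewriteTarget(String target) {
        int schemeEnd = target.indexOf("://");
        boolean absolute = schemeEnd > 0
                && target.substring(0, schemeEnd).matches("[A-Za-z][A-Za-z0-9+.-]*");
        if (!absolute) {
            return encodeAsPath(target);
        }
        int pathStart = target.indexOf('/', schemeEnd + 3);
        if (pathStart < 0) {
            // Authority only, e.g. "https://localhost:8443": nothing to encode.
            return target;
        }
        String schemeAndAuthority = target.substring(0, pathStart);
        return schemeAndAuthority + encodeAsPath(target.substring(pathStart));
    }

    public static void main(String[] args) {
        // Constructed sample targets, including the one from the bug report.
        String[] targets = {
                "https://localhost:8443/",
                "https://localhost:8443/some path/with space",
                "/relative path:with colon"
        };
        for (String t : targets) {
            System.out.println("target        : " + t);
            System.out.println("whole-as-path : " + encodeAsPath(t));
            System.out.println("scheme-aware  : " + encodeRewriteTarget(t));
            System.out.println();
        }
    }
}
```

Run with `javac RewriteTargetEncoding.java && java RewriteTargetEncoding`. The first target shows the difference the report is about: whole-string encoding turns both colons into `%3A`, the scheme-aware encoder leaves the scheme and port alone and still encodes the space in the second target's path. The relative third target is encoded in full by both, which is what a path rewrite wants.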




[Bug 58052] RewriteValve: Rewrite to a complete URI does not work because the colon is URL encoded

2015-06-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58052

Volker Voßkämper  changed:

   What|Removed |Added

 OS||All

--- Comment #1 from Volker Voßkämper  ---
Using Java 1.8.0_31-b13
Tomcat is configured with http and https connector
(org.apache.coyote.http11.Http11Nio2Protocol)




Re: OpenSSL SSL engine

2015-06-18 Thread Rémy Maucherat
2015-06-18 20:16 GMT+02:00 Mark Thomas :

> I assume it only makes sense to run the various SSL tests. We should be
> able to (possibly with a little renaming) set things up so we can filter
> test classes by name for *SSL* (or better yet *TLS*) and run them as an
> additional batch of tests in the test task in the build script.
>

Ok, +1 for separating the SSL tests, this would allow adding additional
"full" runs with them. There's some renaming work that should be done,
because the naming is not consistent enough to filter right now: some
classes have the "SSL" name but the tests don't, in other cases it is the
test name and it is inside another class (ex:
TestWsWebSocketContainer.testConnectToServerEndpointSSL), and the case is
not consistent enough.

>
> As an aside, silvaus.a.o (the CI machine the Tomcat builds use) has 16
> cores. I think we can tweak the test configuration to get much faster
> results (while still keeping the code coverage data).
>
> I am thinking we create two test targets for each branch.
>
> One has 16 threads, no code coverage and runs 5 minutes after the last
> change (as per the current config)
>
> One runs daily and uses 1 thread and runs the code coverage.
>
> I'll try setting this up for trunk and if it works we can expand it.
>

Ok.

Rémy