Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package netty-tcnative for openSUSE:Factory checked in at 2026-05-15 23:54:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netty-tcnative (Old) and /work/SRC/openSUSE:Factory/.netty-tcnative.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netty-tcnative" Fri May 15 23:54:18 2026 rev:10 rq:1353282 version:2.0.77 Changes: -------- --- /work/SRC/openSUSE:Factory/netty-tcnative/netty-tcnative.changes 2026-03-30 18:37:54.891651496 +0200 +++ /work/SRC/openSUSE:Factory/.netty-tcnative.new.1966/netty-tcnative.changes 2026-05-15 23:54:34.855753586 +0200 @@ -1,0 +2,6 @@ +Fri May 15 06:39:37 UTC 2026 - Fridrich Strba <[email protected]> + +- Upgrade to version 2.0.77 Final + * No formal changelog present + +------------------------------------------------------------------- Old: ---- netty-tcnative-parent-2.0.75.Final.tar.gz New: ---- netty-tcnative-parent-2.0.77.Final.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netty-tcnative.spec ++++++ --- /var/tmp/diff_new_pack.rjfVlH/_old 2026-05-15 23:54:35.663786847 +0200 +++ /var/tmp/diff_new_pack.rjfVlH/_new 2026-05-15 23:54:35.663786847 +0200 @@ -22,7 +22,7 @@ %define with_gcc 11 %endif Name: netty-tcnative -Version: 2.0.75 +Version: 2.0.77 Release: 0 Summary: Fork of Tomcat Native with improved OpenSSL and mavenized build License: Apache-2.0 ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.rjfVlH/_old 2026-05-15 23:54:35.707788658 +0200 +++ /var/tmp/diff_new_pack.rjfVlH/_new 2026-05-15 23:54:35.711788823 +0200 
@@ -1,6 +1,6 @@ -mtime: 1774874211 -commit: cef0961fe81b4ea806eadf622e954423b07e78db220bc004f28e9ed2598c6199 -url: https://src.opensuse.org/java-packages/netty-tcnative.git -revision: cef0961fe81b4ea806eadf622e954423b07e78db220bc004f28e9ed2598c6199 +mtime: 1778827339 +commit: 30e453ecc5f6c2cb6785aeb8b133859edd3b11d68b3b264d64439380cff60da5 +url: https://src.opensuse.org/java-packages/netty-tcnative +revision: 30e453ecc5f6c2cb6785aeb8b133859edd3b11d68b3b264d64439380cff60da5 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-15 08:42:19.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ netty-tcnative-parent-2.0.75.Final.tar.gz -> netty-tcnative-parent-2.0.77.Final.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/boringssl-static/pom.xml new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/boringssl-static/pom.xml --- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/boringssl-static/pom.xml 2026-02-04 08:42:18.000000000 +0100 +++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/boringssl-static/pom.xml 2026-04-23 11:49:13.000000000 +0200 
@@ -19,7 +19,7 @@
 <parent>
 <groupId>io.netty</groupId>
 <artifactId>netty-tcnative-parent</artifactId>
- <version>2.0.75.Final</version>
+ <version>2.0.77.Final</version>
 </parent>
 <artifactId>${project.artifactId}</artifactId>
 <packaging>jar</packaging>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/libressl-static/pom.xml new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/libressl-static/pom.xml
--- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/libressl-static/pom.xml 2026-02-04 08:42:18.000000000 +0100
+++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/libressl-static/pom.xml 2026-04-23 11:49:13.000000000 +0200
@@ -19,7 +19,7 @@
 <parent>
 <groupId>io.netty</groupId>
 <artifactId>netty-tcnative-parent</artifactId>
- <version>2.0.75.Final</version>
+ <version>2.0.77.Final</version>
 </parent>
 <artifactId>netty-tcnative-libressl-static</artifactId>
 <packaging>jar</packaging>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-classes/pom.xml new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-classes/pom.xml
--- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-classes/pom.xml 2026-02-04 08:42:18.000000000 +0100
+++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-classes/pom.xml 2026-04-23 11:49:13.000000000 +0200
@@ -19,7 +19,7 @@
 <parent>
 <groupId>io.netty</groupId>
 <artifactId>netty-tcnative-parent</artifactId>
- <version>2.0.75.Final</version>
+ <version>2.0.77.Final</version>
 </parent>
 <artifactId>netty-tcnative-classes</artifactId>
 <packaging>jar</packaging>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-classes/src/main/java/io/netty/internal/tcnative/KeyLogCallback.java new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-classes/src/main/java/io/netty/internal/tcnative/KeyLogCallback.java
--- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-classes/src/main/java/io/netty/internal/tcnative/KeyLogCallback.java 2026-02-04 08:42:18.000000000 +0100
+++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-classes/src/main/java/io/netty/internal/tcnative/KeyLogCallback.java 2026-04-23 11:49:13.000000000 +0200
@@ -38,6 +38,8 @@ * <p> * <strong>Warning:</strong> The log output will contain secret key material, and can be used to decrypt * TLS sessions! The log output should be handled with the same care given to the private keys. + * <p> + * This method is expected to never throw any {@link Throwable} as everything will just be silently discarded. * * @param ssl the SSL instance * @param line an array of the key types on client-mode or {@code null} on server-mode. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-classes/src/main/java/io/netty/internal/tcnative/SSL.java new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-classes/src/main/java/io/netty/internal/tcnative/SSL.java --- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-classes/src/main/java/io/netty/internal/tcnative/SSL.java 2026-02-04 08:42:18.000000000 +0100 +++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-classes/src/main/java/io/netty/internal/tcnative/SSL.java 2026-04-23 11:49:13.000000000 +0200 @@ -358,6 +358,13 @@ public static native String getVersion(long ssl); /** + * SSL_version + * @param ssl the SSL instance (SSL *) + * @return numeric protocol version (e.g. 0x0304 for TLSv1.3) + */ + public static native int getVersionInt(long ssl); + + /** * SSL_do_handshake * @param ssl the SSL instance (SSL *) * @return the return code of {@code SSL_do_handshake}. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/pom.xml new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/pom.xml --- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/pom.xml 2026-02-04 08:42:18.000000000 +0100 +++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/pom.xml 2026-04-23 11:49:13.000000000 +0200 
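Review bot: The sentence added to the KeyLogCallback Javadoc is ambiguous about what "everything" is and reads as an expectation rather than a contract. Wording such as `This method must not throw: any {@link Throwable} it raises is cleared by the native caller and silently discarded.` states the rule directly and matches the `ExceptionClear` this release adds after the keylog `CallVoidMethod` in sslcontext.c. The Javadoc block starts and ends outside the hunk.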
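Review bot: The Javadoc for `getVersionInt` does not say when the returned value is meaningful. OpenSSL documents `SSL_version()` as reliable only once the initial handshake has completed, so a caller that reads it earlier to enforce a minimum protocol version may act on a value that is not the negotiated one. Add a line such as `* Only meaningful after the initial handshake has completed.` and state what happens for a `0` handle; the native side uses `TCN_CHECK_NULL(ssl_, ssl, 0)`, whose behaviour is defined outside this diff.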
@@ -19,7 +19,7 @@
 <parent>
 <groupId>io.netty</groupId>
 <artifactId>netty-tcnative-parent</artifactId>
- <version>2.0.75.Final</version>
+ <version>2.0.77.Final</version>
 </parent>
 <artifactId>netty-tcnative</artifactId>
 <packaging>jar</packaging>
@@ -267,7 +267,7 @@
 <configureArgs>
 <configureArg>${macOsxDeploymentTarget}</configureArg>
 <configureArg>--with-apr=/usr/local/opt/apr/</configureArg>
- <configureArg>--with-ssl=/usr/local/opt/[email protected]/</configureArg>
+ <configureArg>--with-ssl=/usr/local/opt/openssl@${openssl.lib.version}/</configureArg>
 </configureArgs>
 </configuration>
 <goals>
@@ -306,7 +306,7 @@
 <configureArgs>
 <configureArg>${macOsxDeploymentTarget}</configureArg>
 <configureArg>--with-apr=/opt/homebrew/opt/apr/</configureArg>
- <configureArg>--with-ssl=/opt/homebrew/opt/[email protected]/</configureArg>
+ <configureArg>--with-ssl=/opt/homebrew/opt/openssl@${openssl.lib.version}/</configureArg>
 </configureArgs>
 </configuration>
 <goals>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/cert_compress.c new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/cert_compress.c
--- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/cert_compress.c 2026-02-04 08:42:18.000000000 +0100
+++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/cert_compress.c 2026-04-23 11:49:13.000000000 +0200
@@ -100,18 +100,19 @@ if (uncompressed_len != resultLen) { return 0; // Unexpected uncompressed length } - uint8_t* outData; - if (!((*out) = CRYPTO_BUFFER_alloc(&outData, uncompressed_len))) { - return 0; // Unable to allocate certificate decompression buffer - } jbyte* resultData = (*e)->GetByteArrayElements(e, resultArray, NULL); if (resultData == NULL) { return 0; } + uint8_t* outData; + if (!((*out) = CRYPTO_BUFFER_alloc(&outData, uncompressed_len))) { + // Unable to allocate certificate decompression buffer + (*e)->ReleaseByteArrayElements(e, resultArray, resultData, JNI_ABORT); + return 0; + } memcpy(outData, resultData, uncompressed_len); (*e)->ReleaseByteArrayElements(e, resultArray, resultData, JNI_ABORT); return 1; // Success - } int zlib_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/ssl.c new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/ssl.c --- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/ssl.c 2026-02-04 08:42:18.000000000 +0100 +++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/ssl.c 2026-04-23 11:49:13.000000000 +0200 @@ -899,15 +899,6 @@ return ERR_get_error(); } -static void ssl_info_callback(const SSL *ssl, int where, int ret) { - tcn_ssl_state_t* state = NULL; - if (0 != (where & SSL_CB_HANDSHAKE_START)) { - if ((state = tcn_SSL_get_app_state(ssl)) != NULL) { - state->handshakeCount++; - } - } -} - static tcn_ssl_state_t* new_ssl_state(tcn_ssl_ctxt_t* ctx) { if (ctx == NULL) { return NULL; 
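Review bot: Every exit after `GetByteArrayElements` in the cert_compress.c hunk still has to remember its own `ReleaseByteArrayElements`, which is the pattern that leaked here before. Copying straight into the BoringSSL buffer removes the pinned pointer and its error path: allocate with `CRYPTO_BUFFER_alloc` first, then `(*e)->GetByteArrayRegion(e, resultArray, 0, (jsize) uncompressed_len, (jbyte*) outData);`, the same call sslcontext.c uses for the protocol lists. This assumes `resultLen` is the length of `resultArray`, which is computed above the hunk; the function starts outside the hunk.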
@@ -962,9 +953,6 @@ // Set the app_data2 before all the others because it may be used in SSL_free. tcn_SSL_set_app_state(ssl, state); - // Add callback to keep track of handshakes. - SSL_CTX_set_info_callback(c->ctx, ssl_info_callback); - if (server) { SSL_set_accept_state(ssl); } else { @@ -1209,6 +1197,17 @@ return AJP_TO_JSTRING(SSL_get_version(ssl_)); } +// Read which protocol version was negotiated for the given SSL as integer *. +TCN_IMPLEMENT_CALL(jint, SSL, getVersionInt)(TCN_STDARGS, jlong ssl /* SSL * */) +{ + SSL *ssl_ = J2P(ssl, SSL *); + + TCN_CHECK_NULL(ssl_, ssl, 0); + + // Returns one of TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION, TLS1_3_VERSION, etc. + return (jint) SSL_version(ssl_); +} + // Is the handshake over yet? TCN_IMPLEMENT_CALL(jint, SSL, isInInit)(TCN_STDARGS, jlong ssl /* SSL * */) { @@ -1632,6 +1631,7 @@ return NULL; } (*e)->SetObjectArrayElement(e, array, i, c_name); + (*e)->DeleteLocalRef(e, c_name); } return array; } @@ -1645,6 +1645,9 @@ return JNI_FALSE; } const char *nativeString = (*e)->GetStringUTFChars(e, curves, 0); + if (nativeString == NULL) { + return JNI_FALSE; + } int ret = tcn_SSL_set1_curves_list(ssl_, nativeString); (*e)->ReleaseStringUTFChars(e, curves, nativeString); @@ -1661,6 +1664,9 @@ } int len = (*e)->GetArrayLength(e, curves); jint *nativeCurves = (*e)->GetIntArrayElements(e, curves, NULL); + if (nativeCurves == NULL) { + return JNI_FALSE; + } int ret = tcn_SSL_set1_curves(ssl_, (int *) nativeCurves, len); (*e)->ReleaseIntArrayElements(e, curves, nativeCurves, JNI_ABORT); return ret == 1 ? JNI_TRUE : JNI_FALSE; @@ -1955,6 +1961,9 @@ } const char *hostname = (*e)->GetStringUTFChars(e, hostnameString, JNI_FALSE); + if (hostname == NULL) { + return; + } if (X509_VERIFY_PARAM_set1_host(param, hostname, hostnameLen) != 1) { char err[ERR_LEN]; @@ -1992,6 +2001,7 @@ return NULL; } (*e)->SetObjectArrayElement(e, array, i, methodString); + (*e)->DeleteLocalRef(e, methodString); } return array; } 
@@ -2182,6 +2192,7 @@ data = NULL; if (buffer == NULL || sk_CRYPTO_BUFFER_push(chain, buffer) <= 0) { + CRYPTO_BUFFER_free(buffer); // safe with NULL; frees buffer if push failed #else chain = sk_X509_new_null(); while ((cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL)) != NULL) { @@ -2729,6 +2740,7 @@ { TCN_METHOD_TABLE_ENTRY(shutdownSSL, (J)I, SSL) }, { TCN_METHOD_TABLE_ENTRY(getCipherForSSL, (J)Ljava/lang/String;, SSL) }, { TCN_METHOD_TABLE_ENTRY(getVersion, (J)Ljava/lang/String;, SSL) }, + { TCN_METHOD_TABLE_ENTRY(getVersionInt, (J)I, SSL) }, { TCN_METHOD_TABLE_ENTRY(isInInit, (J)I, SSL) }, { TCN_METHOD_TABLE_ENTRY(doHandshake, (J)I, SSL) }, { TCN_METHOD_TABLE_ENTRY(getNextProtoNegotiated, (J)Ljava/lang/String;, SSL) }, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/ssl_private.h new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/ssl_private.h --- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/ssl_private.h 2026-02-04 08:42:18.000000000 +0100 +++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/ssl_private.h 2026-04-23 11:49:13.000000000 +0200 @@ -294,9 +294,8 @@ typedef struct { unsigned char key_name[SSL_SESSION_TICKET_KEY_NAME_LEN]; -#if OPENSSL_VERSION_NUMBER < 0x30000000L - unsigned char hmac_key[SSL_SESSION_TICKET_HMAC_KEY_LEN]; -#else + unsigned char hmac_key[SSL_SESSION_TICKET_HMAC_KEY_LEN]; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L OSSL_PARAM mac_params[3]; #endif unsigned char aes_key[SSL_SESSION_TICKET_AES_KEY_LEN]; 
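Review bot: In the ssl_private.h hunk the ticket-key struct becomes self-referential on OpenSSL 3, and nothing at the declaration says so: the sslcontext.c hunk at @@ -1390 builds `mac_params[0]` to point at `hmac_key` inside the same array element. A by-value copy or a reallocation of the ticket-key array would leave `mac_params` pointing at the old storage. Add a comment above `mac_params`, for example `/* mac_params[0] points at hmac_key of this element; rebuild it after any copy or move. */`. The struct definition continues past the hunk.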
@@ -410,6 +409,10 @@ tcn_ssl_ctxt_t *ctx; tcn_ssl_task_t* ssl_task; tcn_ssl_verify_config_t verify_config; + // Saved at async task creation time so the retry path can reproduce the + // len < sk_CRYPTO_BUFFER_num(chain) check (both locals are 0/NULL there). + int task_array_len; + int task_chain_num; }; #define TCN_GET_SSL_CTX(ssl, C) \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/sslcontext.c new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/sslcontext.c --- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/sslcontext.c 2026-02-04 08:42:18.000000000 +0100 +++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/sslcontext.c 2026-04-23 11:49:13.000000000 +0200 @@ -163,7 +163,9 @@ } c->alpn_proto_len = 0; - apr_thread_rwlock_destroy(c->mutex); + if (c->mutex != NULL) { + apr_thread_rwlock_destroy(c->mutex); + } if (c->ticket_keys != NULL) { OPENSSL_free(c->ticket_keys); @@ -180,6 +182,15 @@ return APR_SUCCESS; } +static void ssl_info_callback(const SSL *ssl, int where, int ret) { + tcn_ssl_state_t* state = NULL; + if (0 != (where & SSL_CB_HANDSHAKE_START)) { + if ((state = tcn_SSL_get_app_state(ssl)) != NULL) { + state->handshakeCount++; + } + } +} + /* Initialize server context */ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jint protocol, jint mode) { @@ -354,7 +365,9 @@ TCN_THROW_IF_ERR(apr_pool_create(&p, tcn_global_pool), p); if ((c = apr_pcalloc(p, sizeof(tcn_ssl_ctxt_t))) == NULL) { - tcn_ThrowAPRException(e, apr_get_os_error()); + char err[ERR_LEN] = {0}; + apr_strerror(apr_get_os_error(), err, ERR_LEN); + tcn_Throw(e, "Unable to allocate memory for tcn_ssl_ctxt_t via apr_pcalloc(...) (%s)", err); goto cleanup; } 
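Review bot: The error text for the `apr_pcalloc` failure (hunk @@ -354) is built from `apr_get_os_error()`, which is global error state that is not guaranteed to describe the allocation that just failed. The `apr_thread_rwlock_create` check at @@ -445 has the same problem and additionally discards the status the call returns, for example a not-implemented status on builds without rwlock support. For the allocation, `tcn_throwOutOfMemoryError(e, "apr_pcalloc failed for tcn_ssl_ctxt_t");` would match the `OPENSSL_malloc` checks added further down in this file. For the lock, keep the status and format that: `apr_status_t rv = apr_thread_rwlock_create(&c->mutex, p);` followed by `apr_strerror(rv, err, ERR_LEN);`. The lock message also reads "via to".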
@@ -445,13 +458,21 @@ SSL_CTX_set_default_passwd_cb(c->ctx, (pem_password_cb *) tcn_SSL_password_callback); SSL_CTX_set_default_passwd_cb_userdata(c->ctx, (void *) c->password); + // Add callback to keep track of handshakes. + SSL_CTX_set_info_callback(c->ctx, ssl_info_callback); + #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) if (mode != SSL_MODE_SERVER) { // Set this to make the behaviour consistent with openssl / libressl SSL_CTX_set_allow_unknown_alpn_protos(ctx, 1); } #endif - apr_thread_rwlock_create(&c->mutex, p); + if (apr_thread_rwlock_create(&c->mutex, p) != APR_SUCCESS) { + char err[ERR_LEN] = {0}; + apr_strerror(apr_get_os_error(), err, ERR_LEN); + tcn_Throw(e, "Unable to create lock via to apr_thread_rwlock_create(...) (%s)", err); + goto cleanup; + } /* * Let us cleanup the ssl context when the pool is destroyed */ @@ -690,7 +711,7 @@ SSL_CTX_set_tmp_dh_callback(c->ctx, tcn_SSL_callback_tmp_DH_4096); return; default: - tcn_Throw(e, "Unsupported length %s", length); + tcn_Throw(e, "Unsupported length %d", length); return; } #endif // OPENSSL_VERSION_NUMBER < 0x30000000L @@ -1004,6 +1025,10 @@ int next_protos_len = (*e)->GetArrayLength(e, next_protos); c->next_proto_data = OPENSSL_malloc(next_protos_len); + if (c->next_proto_data == NULL) { + tcn_throwOutOfMemoryError(e, "OPENSSL_malloc failed"); + return; + } c->next_proto_len = next_protos_len; (*e)->GetByteArrayRegion(e, next_protos, 0, next_protos_len, (jbyte*) c->next_proto_data); @@ -1037,6 +1062,10 @@ int alpn_protos_len = (*e)->GetArrayLength(e, alpn_protos); c->alpn_proto_data = OPENSSL_malloc(alpn_protos_len); + if (c->alpn_proto_data == NULL) { + tcn_throwOutOfMemoryError(e, "OPENSSL_malloc failed"); + return; + } c->alpn_proto_len = alpn_protos_len; (*e)->GetByteArrayRegion(e, alpn_protos, 0, alpn_protos_len, (jbyte*) c->alpn_proto_data); 
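Review bot: On the new failure path at @@ -1004, `c->next_proto_data` is NULL but `c->next_proto_len` is only assigned after the check, so unless it is reset above the hunk the context keeps the previous length next to a NULL pointer. The hunk at @@ -1037 has the same shape with `c->alpn_proto_len`. Set `c->next_proto_len = 0;` (and `c->alpn_proto_len = 0;`) before the throw so that a later protocol-selection callback cannot walk a NULL buffer. It is also worth confirming that an empty array cannot reach `OPENSSL_malloc(next_protos_len)`, since a zero-byte request may return NULL and would now surface as an OutOfMemoryError. Both functions start and end outside their hunks.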
@@ -1383,6 +1412,7 @@ } if ((b = (*e)->GetByteArrayElements(e, keys, NULL)) == NULL) { + OPENSSL_free(ticket_keys); tcn_ThrowException(e, "GetByteArrayElements() returned null"); return; } @@ -1390,10 +1420,9 @@ for (i = 0; i < cnt; ++i) { key = b + (SSL_SESSION_TICKET_KEY_SIZE * i); memcpy(ticket_keys[i].key_name, key, 16); -#if OPENSSL_VERSION_NUMBER < 0x30000000L memcpy(ticket_keys[i].hmac_key, key + 16, 16); -#else - ticket_keys[i].mac_params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, key + 16, 16); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + ticket_keys[i].mac_params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, ticket_keys[i].hmac_key, 16); ticket_keys[i].mac_params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0); ticket_keys[i].mac_params[2] = OSSL_PARAM_construct_end(); #endif @@ -1429,7 +1458,7 @@ #else // Directly access the struct to get the current cipher as SSL_get_current_cipher(...) // does not exists prior openssl 1.1.0 - cipher = ssl->s3->tmp.new_cipher + cipher = ssl->s3->tmp.new_cipher; #endif if (cipher == NULL) { // No cipher available so return UNKNOWN. @@ -1682,7 +1711,7 @@ // If we failed to verify for an unknown reason (currently this happens if we can't find a common root) then we should // fail with the same status as recommended in the OpenSSL docs https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_verify.html - if (result == X509_V_ERR_UNSPECIFIED && len < sk_CRYPTO_BUFFER_num(chain)) { + if (result == X509_V_ERR_UNSPECIFIED && state->task_array_len < state->task_chain_num) { result = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; } goto complete; @@ -1722,6 +1751,8 @@ if ((state->ssl_task = tcn_ssl_task_new(e, task)) == NULL) { goto complete; } + state->task_array_len = len; + state->task_chain_num = sk_CRYPTO_BUFFER_num(chain); // Signal back that we want to suspend the handshake. ret = ssl_verify_retry; 
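Review bot: In the hunk at @@ -1390 the copies and the `OSSL_PARAM` all hard-code `16`, while the struct in ssl_private.h sizes the same fields with `SSL_SESSION_TICKET_KEY_NAME_LEN` and `SSL_SESSION_TICKET_HMAC_KEY_LEN`, so the lengths can drift apart silently. Now that the parameter points at the struct's own field, derive the length from it: `OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, ticket_keys[i].hmac_key, sizeof(ticket_keys[i].hmac_key))`, and likewise `memcpy(ticket_keys[i].hmac_key, key + 16, sizeof(ticket_keys[i].hmac_key));`. This assumes the constants are 16, as the existing copies imply; the loop body continues past the hunk.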
@@ -1820,11 +1851,11 @@ #else SSL_CTX_set_cert_verify_callback(c->ctx, SSL_cert_verify, NULL); #endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + } - // Delete the reference to the previous specified verifier if needed. - if (oldVerifier != NULL) { - (*e)->DeleteGlobalRef(e, oldVerifier); - } + // Delete the reference to the previous specified verifier if needed. + if (oldVerifier != NULL) { + (*e)->DeleteGlobalRef(e, oldVerifier); } } @@ -2645,6 +2676,10 @@ // Execute the java callback (*e)->CallVoidMethod(e, state->ctx->keylog_callback, state->ctx->keylog_callback_method, P2J(ssl), outputLine); + // Clear the exception if any was thrown as otherwise we might corrupt the JNI state + if ((*e)->ExceptionCheck(e) == JNI_TRUE) { + (*e)->ExceptionClear(e); + } } #endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) @@ -2835,6 +2870,9 @@ return JNI_FALSE; } const char *nativeString = (*e)->GetStringUTFChars(e, curves, 0); + if (nativeString == NULL) { + return JNI_FALSE; + } int ret = tcn_SSL_CTX_set1_curves_list(c->ctx, nativeString); (*e)->ReleaseStringUTFChars(e, curves, nativeString); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/sslutils.c new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/sslutils.c --- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-dynamic/src/main/c/sslutils.c 2026-02-04 08:42:18.000000000 +0100 +++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-dynamic/src/main/c/sslutils.c 2026-04-23 11:49:13.000000000 +0200 
@@ -700,12 +700,18 @@ unsigned char *p = NULL; const unsigned char *end = NULL; unsigned char *proto = NULL; - unsigned char proto_len; + unsigned char proto_len = 0; + unsigned char *last_supported_proto = NULL; + unsigned char last_supported_proto_len = 0; while (i < supported_protos_len) { target_proto_len = *supported_protos; ++supported_protos; + // Track our last supported protocol for the fallback case. + last_supported_proto = supported_protos; + last_supported_proto_len = target_proto_len; + p = (unsigned char*) in; end = p + inlen; @@ -731,13 +737,10 @@ supported_protos += target_proto_len; } - if (failure_behavior == SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL) { + if (failure_behavior == SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL && last_supported_proto != NULL) { // There were no match but we just select our last protocol and hope the other peer support it. - // - // decrement the pointer again so the pointer points to the start of the protocol. - p -= proto_len; - *out = p; - *outlen = proto_len; + *out = last_supported_proto; + *outlen = last_supported_proto_len; return SSL_TLSEXT_ERR_OK; } // TODO: OpenSSL currently not support to fail with fatal error. Once this changes we can also support it here. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-static/pom.xml new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-static/pom.xml --- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/openssl-static/pom.xml 2026-02-04 08:42:18.000000000 +0100 +++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/openssl-static/pom.xml 2026-04-23 11:49:13.000000000 +0200 
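Review bot: `last_supported_proto` and `last_supported_proto_len` are recorded straight from the list's length byte before anything confirms that `target_proto_len` bytes remain in `supported_protos`. With a malformed configured list, the fallback in the second hunk (@@ -731) would hand the TLS stack a pointer/length pair that runs past the buffer. If the list is validated where it is set, say so in a comment next to the tracking lines; otherwise guard before recording, e.g. `if (target_proto_len > supported_protos_len - i - 1) { break; }`, assuming `i` is the byte offset of the length prefix (its update is outside the hunk). The function starts and ends outside both hunks.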
@@ -19,7 +19,7 @@ <parent> <groupId>io.netty</groupId> <artifactId>netty-tcnative-parent</artifactId> - <version>2.0.75.Final</version> + <version>2.0.77.Final</version> </parent> <artifactId>netty-tcnative-openssl-static</artifactId> <packaging>jar</packaging> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/pom.xml new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/pom.xml --- old/netty-tcnative-netty-tcnative-parent-2.0.75.Final/pom.xml 2026-02-04 08:42:18.000000000 +0100 +++ new/netty-tcnative-netty-tcnative-parent-2.0.77.Final/pom.xml 2026-04-23 11:49:13.000000000 +0200 @@ -24,7 +24,7 @@ <groupId>io.netty</groupId> <artifactId>netty-tcnative-parent</artifactId> - <version>2.0.75.Final</version> + <version>2.0.77.Final</version> <packaging>pom</packaging> <name>Netty/TomcatNative [Parent]</name> @@ -103,10 +103,11 @@ See https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/SHA256 for the SHA256 signature --> <libresslSha256>ff88bffe354818b3ccf545e3cafe454c5031c7a77217074f533271d63c37f08d</libresslSha256> - <opensslMinorVersion>3.1</opensslMinorVersion> - <opensslPatchVersion>6</opensslPatchVersion> + <opensslMinorVersion>3.6</opensslMinorVersion> + <opensslPatchVersion>1</opensslPatchVersion> + <openssl.lib.version>3.6</openssl.lib.version> <opensslVersion>${opensslMinorVersion}.${opensslPatchVersion}</opensslVersion> - <opensslSha256>5d2be4036b478ef3cb0a854ca9b353072c3a0e26d8a56f8f0ab9fb6ed32d38d7</opensslSha256> + <opensslSha256>b1bfedcd5b289ff22aee87c9d600f515767ebf45f77168cb6d64f231f518a82e</opensslSha256> <aprHome>${project.build.directory}/apr</aprHome> <aprSourceDir>${project.build.directory}/apr-source</aprSourceDir> <aprBuildDir>${project.build.directory}/apr-build</aprBuildDir> 
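Review bot: In the root pom.xml hunk at @@ -103, `<openssl.lib.version>3.6</openssl.lib.version>` repeats the value of `<opensslMinorVersion>` under a differently styled name. The next OpenSSL bump therefore has to touch both, or the Homebrew `--with-ssl` paths in openssl-dynamic/pom.xml will point at a different release line than the one `opensslVersion` names. Derive it instead: `<openssl.lib.version>${opensslMinorVersion}</openssl.lib.version>`. The new `opensslSha256` also has no comment saying where the value was taken from, unlike the LibreSSL pin just above it; a one-line pointer to the upstream checksum would let the next reviewer verify the pin.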
@@ -768,7 +769,11 @@ + See https://stackoverflow.com/a/1605497/1074097 + --> <exec executable="configure" failonerror="true" dir="${aprSourceDir}" resolveexecutable="true"> - <arg line="--disable-shared --prefix=${aprHome} --host=aarch64-linux-gnu CC=aarch64-none-linux-gnu-gcc CFLAGS='-O3 -fno-omit-frame-pointer -fPIC' ac_cv_have_decl_sys_siglist=no ac_cv_file__dev_zero=yes ac_cv_func_setpgrp_void=yes apr_cv_tcp_nodelay_with_cork=yes ac_cv_sizeof_struct_iovec=8" /> + <!-- + Also ensure that we can use locks as detection fails when cross-compiling. + See https://github.com/netty/netty-tcnative/issues/974 + --> + <arg line="--disable-shared --prefix=${aprHome} --host=aarch64-linux-gnu CC=aarch64-none-linux-gnu-gcc CFLAGS='-O3 -fno-omit-frame-pointer -fPIC -DHAVE_PTHREAD_RWLOCKS=1' ac_cv_have_decl_sys_siglist=no ac_cv_file__dev_zero=yes ac_cv_func_setpgrp_void=yes apr_cv_tcp_nodelay_with_cork=yes ac_cv_sizeof_struct_iovec=8" /> </exec> <!-- Make will fail when it tries to use the gen_test_char program.
