This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new c16254da5d Add group configuration to OpenSSL FFM
c16254da5d is described below
commit c16254da5d2c3b8f0bead922fe8b19eae9ce1dcc
Author: remm <[email protected]>
AuthorDate: Thu Sep 11 17:09:33 2025 +0200
Add group configuration to OpenSSL FFM
---
.../net/openssl/panama/LocalStrings.properties | 1 +
.../util/net/openssl/panama/OpenSSLContext.java | 21 +++++++++++++
java/org/apache/tomcat/util/openssl/openssl_h.java | 10 +++++++
.../tomcat/util/openssl/openssl_h_Macros.java | 35 ++++++++++++++++++++++
res/openssl/openssl-tomcat.conf | 1 +
5 files changed, 68 insertions(+)
diff --git
a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index 328a36ac49..75d54dcecc 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -59,6 +59,7 @@ openssl.errorLoadingPassword=Error loading password file:
[{0}]
openssl.errorLoadingPrivateKey=Error loading private key: [{0}]
openssl.errorPrivateKeyCheck=Private key does not match the certificate public
key: [{0}]
openssl.errorReadingPEMParameters=Failed reading PEM parameters [{0}] for
certificate [{1}]
+openssl.errorSettingGroups=Error setting group list: [{0}]
openssl.errorSSLCtxInit=Error initializing SSL context
openssl.invalidSslProtocol=An invalid value [{0}] was provided for the
SSLProtocol attribute
openssl.keyManagerMissing=No key manager found
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 2d7d654357..cbee5711d0 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -63,6 +63,7 @@ import org.apache.tomcat.util.net.openssl.OpenSSLConf;
import org.apache.tomcat.util.net.openssl.OpenSSLConfCmd;
import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
import org.apache.tomcat.util.net.openssl.OpenSSLUtil;
+import org.apache.tomcat.util.net.openssl.ciphers.Group;
import org.apache.tomcat.util.openssl.SSL_CTX_set_alpn_select_cb$cb;
import org.apache.tomcat.util.openssl.SSL_CTX_set_cert_verify_callback$cb;
import org.apache.tomcat.util.openssl.SSL_CTX_set_tmp_dh_callback$dh;
@@ -264,6 +265,26 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
// Set int pem_password_cb(char *buf, int size, int rwflag, void
*u) callback
SSL_CTX_set_default_passwd_cb(sslCtx, pem_password_cb.allocate(new
PasswordCallback(null), contextArena));
+ // Set server groups
+ if (sslHostConfig.getGroupList() != null) {
+ StringBuilder sb = new StringBuilder();
+ boolean first = true;
+ for (Group group : sslHostConfig.getGroupList()) {
+ if (first) {
+ first = false;
+ } else {
+ sb.append(':');
+ }
+ sb.append(group.toString());
+ }
+ try (var localArena = Arena.ofConfined()) {
+ if (SSL_CTX_set1_groups_list(sslCtx,
localArena.allocateFrom(sb.toString())) <= 0) {
+ logLastError("openssl.errorSettingGroups");
+ // Consider this is not fatal
+ }
+ }
+ }
+
if (negotiableProtocols != null && !negotiableProtocols.isEmpty())
{
alpn = true;
negotiableProtocolsBytes = new
ArrayList<>(negotiableProtocols.size() + 1);
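Review bot: A rejected group list is only logged at `logLastError("openssl.errorSettingGroups")` and the context is still used, so the listener starts with whatever groups OpenSSL had before the call rather than the operator's configured set, and a typo in a security-policy attribute is visible only as one log line. Consider failing context initialization here as the other configuration errors presumably do, or at least make the fallback explicit by replacing `// Consider this is not fatal` with `// Not fatal: as far as I can tell OpenSSL keeps the previous (default) group set when the list is rejected - verify against the OpenSSL version in use`. The list-building loop could be reduced to a `String.join(":", ...)` over the group names, assuming `Group.toString()` yields the OpenSSL group name, which this hunk does not show. The enclosing method starts and ends outside the hunk.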
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h.java
b/java/org/apache/tomcat/util/openssl/openssl_h.java
index 6e2fc76241..0c2465b633 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h.java
@@ -776,6 +776,16 @@ public class openssl_h {
return SSL_CTRL_SET_GROUPS;
}
+ private static final int SSL_CTRL_SET_GROUPS_LIST = (int) 92L;
+
+ /**
+ * {@snippet lang = c : * #define SSL_CTRL_SET_GROUPS_LIST 92
+ * }
+ */
+ public static int SSL_CTRL_SET_GROUPS_LIST() {
+ return SSL_CTRL_SET_GROUPS_LIST;
+ }
+
private static final int SSL_CTRL_SET_DH_AUTO = (int) 118L;
/**
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
b/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
index 3d83a07ca9..13106c484c 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h_Macros.java
@@ -432,6 +432,41 @@ public class openssl_h_Macros {
}
+ /**
+ * Set list of groups in preference order.
+ * {@snippet lang = c :
+ * # define SSL_set1_groups_list(s, str) \
+ * SSL_ctrl(s,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(str))
+ * }
+ *
+ * @param sslCtx the SSL context
+ * @param groupsList the groups list as a String
+ *
+ * @return > 0 if successful
+ */
+ public static long SSL_CTX_set1_groups_list(MemorySegment sslCtx,
MemorySegment groupsList) {
+ if (openssl_h_Compatibility.BORINGSSL) {
+ class Holder {
+ static final String NAME = "SSL_CTX_set1_groups_list";
+ static final FunctionDescriptor DESC =
FunctionDescriptor.of(openssl_h.C_LONG, openssl_h.C_POINTER,
+ openssl_h.C_POINTER);
+ static final MethodHandle MH =
Linker.nativeLinker().downcallHandle(openssl_h.findOrThrow(NAME), DESC);
+ }
+ var mh$ = Holder.MH;
+ try {
+ if (openssl_h.TRACE_DOWNCALLS) {
+ openssl_h.traceDowncall(Holder.NAME, sslCtx, groupsList);
+ }
+ return (long) mh$.invokeExact(sslCtx, groupsList);
+ } catch (Throwable ex$) {
+ throw new AssertionError("should not reach here", ex$);
+ }
+ } else {
+ return SSL_CTX_ctrl(sslCtx, SSL_CTRL_SET_GROUPS_LIST(), 0,
groupsList);
+ }
+ }
+
+
/**
* Pass a path from which certificates are loaded into the store.
* {@snippet lang = c : # define X509_LOOKUP_add_dir(x,name,type) \
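Review bot: The Javadoc snippet on `SSL_CTX_set1_groups_list` quotes the `SSL_set1_groups_list(s, str)` macro, which operates on an SSL object, while the method wraps the SSL_CTX variant and calls `SSL_CTX_ctrl`; the snippet should read `# define SSL_CTX_set1_groups_list(ctx, s) SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s))`. The BoringSSL branch declares the downcall as returning `openssl_h.C_LONG`; if BoringSSL's `SSL_CTX_set1_groups_list` returns a C `int`, the descriptor should use `C_INT` and the result be widened with `return (long) (int) mh$.invokeExact(sslCtx, groupsList);`, otherwise the `<= 0` check in the caller depends on whatever sits in the upper bits of the return register. It would also help to state in `@return` that a return of 1 means the list was applied and 0 means it was rejected (for example an unrecognised group name) and the context's groups were left unchanged, so callers know a failure means the configured policy is not in effect.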
diff --git a/res/openssl/openssl-tomcat.conf b/res/openssl/openssl-tomcat.conf
index 7897fcd14b..892f3b84af 100644
--- a/res/openssl/openssl-tomcat.conf
+++ b/res/openssl/openssl-tomcat.conf
@@ -260,6 +260,7 @@
--include-constant SSL_CTRL_SESS_TIMEOUTS # header:
/usr/include/openssl/ssl.h
--include-constant SSL_CTRL_SET_DH_AUTO # header:
/usr/include/openssl/ssl.h
--include-constant SSL_CTRL_SET_GROUPS # header:
/usr/include/openssl/ssl.h
+--include-constant SSL_CTRL_SET_GROUPS_LIST # header:
/usr/include/openssl/ssl.h
--include-constant SSL_CTRL_SET_MAX_PROTO_VERSION # header:
/usr/include/openssl/ssl.h
--include-constant SSL_CTRL_SET_MIN_PROTO_VERSION # header:
/usr/include/openssl/ssl.h
--include-constant SSL_CTRL_SET_SESS_CACHE_MODE # header:
/usr/include/openssl/ssl.h