This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 99332822c1 Add back OpenSSL 1.1.1 compatibility
99332822c1 is described below

commit 99332822c1f849fe00b97081a7adfc33a8f12e67
Author: remm <[email protected]>
AuthorDate: Tue Oct 14 14:04:31 2025 +0200

    Add back OpenSSL 1.1.1 compatibility
---
 .../util/net/openssl/panama/OpenSSLEngine.java     | 25 ++++++-----
 .../util/openssl/openssl_h_Compatibility.java      | 52 ++++++++++++++++++++++
 2 files changed, 67 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 28a9879ddd..ce5ec1a6c2 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -59,7 +59,6 @@ import org.apache.tomcat.util.buf.Asn1Parser;
 import org.apache.tomcat.util.http.Method;
 import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLUtil;
-import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
 import 
org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.openssl.SSL_CTX_set_verify$callback;
 import org.apache.tomcat.util.openssl.SSL_set_info_callback$cb;
@@ -1203,12 +1202,18 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
             } else {
                 try (var localArena = Arena.ofConfined()) {
                     // If we can't get the issuer, we cannot perform OCSP 
verification
-                    MemorySegment x509IssuerPointer = 
localArena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL);
-                    int res = X509_STORE_CTX_get1_issuer(x509IssuerPointer, 
x509ctx, x509);
-                    if (res > 0) {
-                        MemorySegment issuer = MemorySegment.NULL;
-                        try {
-                            issuer = 
x509IssuerPointer.get(ValueLayout.ADDRESS, 0);
+                    MemorySegment issuer = MemorySegment.NULL;
+                    try {
+                        if (openssl_h_Compatibility.OPENSSL && 
!openssl_h_Compatibility.OPENSSL3) {
+                            issuer = 
openssl_h_Compatibility.X509_STORE_CTX_get0_current_issuer(x509ctx);
+                        } else {
+                            MemorySegment x509IssuerPointer = 
localArena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL);
+                            int res = 
X509_STORE_CTX_get1_issuer(x509IssuerPointer, x509ctx, x509);
+                            if (res > 0) {
+                                issuer = 
x509IssuerPointer.get(ValueLayout.ADDRESS, 0);
+                            }
+                        }
+                        if (!MemorySegment.NULL.equals(issuer)) {
                             // sslutils.c ssl_ocsp_request(x509, issuer, 
x509ctx);
                             int nid = X509_get_ext_by_NID(x509, 
NID_info_access(), -1);
                             if (nid >= 0) {
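Review bot: On the OpenSSL 1.1.1 branch `issuer` comes from `X509_STORE_CTX_get0_current_issuer`, which by OpenSSL's get0/get1 naming is a borrowed pointer still owned by the store context, yet the `finally` added in the following hunk passes it to `X509_free` just like the owned reference from `X509_STORE_CTX_get1_issuer`. If that convention holds here, the engine drops a reference it never took, which risks a premature free of the issuer certificate during chain verification. Track ownership and release only the get1 result, e.g. set `issuerOwned = true;` after the get1 call succeeds and use `if (issuerOwned) { X509_free(issuer); }` in the `finally`. The get0 call also reports the issuer of the context's current certificate rather than of the `x509` argument, so it is worth confirming the two are always the same at this point. The enclosing method starts and ends outside the hunk.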
@@ -1246,9 +1251,9 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
                                     }
                                 }
                             }
-                        } finally {
-                            X509_free(issuer);
                         }
+                    } finally {
+                        X509_free(issuer);
                     }
                 }
             }
@@ -1287,7 +1292,7 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
 
     private static int processOCSPRequest(URL url, MemorySegment issuer, 
MemorySegment x509,
             MemorySegment /* X509_STORE_CTX */ x509ctx, Arena localArena) {
-        if (OpenSSLStatus.Name.BORINGSSL.equals(OpenSSLStatus.getName())) {
+        if (openssl_h_Compatibility.BORINGSSL) {
             return V_OCSP_CERTSTATUS_UNKNOWN();
         }
         MemorySegment ocspRequest = MemorySegment.NULL;
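Review bot: The BoringSSL early return in `processOCSPRequest` yields `V_OCSP_CERTSTATUS_UNKNOWN()` with no comment or log line, so an operator who enabled OCSP cannot tell that no responder was ever contacted. How UNKNOWN is treated is decided by the caller, which is outside this hunk; if it is accepted there, revocation checking is effectively off on BoringSSL. A comment such as `// OCSP request is not performed on BoringSSL; status stays UNKNOWN and the caller's policy decides` plus a debug-level log entry would make that visible.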
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java 
b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
index 825fd326a5..69e9311e20 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
@@ -136,6 +136,58 @@ public class openssl_h_Compatibility {
         }
     }
 
+    private static class X509_STORE_CTX_get0_current_issuer {
+        public static final FunctionDescriptor DESC = 
FunctionDescriptor.of(openssl_h.C_POINTER, openssl_h.C_POINTER);
+
+        public static final MemorySegment ADDR = 
openssl_h.findOrThrow("X509_STORE_CTX_get0_current_issuer");
+
+        public static final MethodHandle HANDLE = 
Linker.nativeLinker().downcallHandle(ADDR, DESC);
+    }
+
+    /**
+     * OpenSSL 1.1 X509_STORE_CTX_get0_current_issuer
+     * Function descriptor for:
+     * {@snippet lang = c : * X509 *X509_STORE_CTX_get0_current_issuer(const 
X509_STORE_CTX *ctx)
+     * }
+     */
+    public static FunctionDescriptor 
X509_STORE_CTX_get0_current_issuer$descriptor() {
+        return X509_STORE_CTX_get0_current_issuer.DESC;
+    }
+
+    /**
+     * Downcall method handle for:
+     * {@snippet lang = c : * X509 *X509_STORE_CTX_get0_current_issuer(const 
X509_STORE_CTX *ctx)
+     * }
+     */
+    public static MethodHandle X509_STORE_CTX_get0_current_issuer$handle() {
+        return X509_STORE_CTX_get0_current_issuer.HANDLE;
+    }
+
+    /**
+     * Address for:
+     * {@snippet lang = c : * X509 *X509_STORE_CTX_get0_current_issuer(const 
X509_STORE_CTX *ctx)
+     * }
+     */
+    public static MemorySegment X509_STORE_CTX_get0_current_issuer$address() {
+        return X509_STORE_CTX_get0_current_issuer.ADDR;
+    }
+
+    /**
+     * {@snippet lang = c : * X509 *X509_STORE_CTX_get0_current_issuer(const 
X509_STORE_CTX *ctx)
+     * }
+     */
+    public static MemorySegment 
X509_STORE_CTX_get0_current_issuer(MemorySegment ctx) {
+        var mh$ = X509_STORE_CTX_get0_current_issuer.HANDLE;
+        try {
+            if (openssl_h.TRACE_DOWNCALLS) {
+                openssl_h.traceDowncall("X509_STORE_CTX_get0_current_issuer", 
ctx);
+            }
+            return (MemorySegment) mh$.invokeExact(ctx);
+        } catch (Throwable ex$) {
+            throw new AssertionError("should not reach here", ex$);
+        }
+    }
+
     // LibreSSL SSL_CTRL_OPTIONS
     public static final int SSL_CTRL_OPTIONS = 32;
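Review bot: The Javadoc on the new `X509_STORE_CTX_get0_current_issuer(MemorySegment ctx)` wrapper repeats only the C prototype and says nothing about ownership of the returned `X509 *`, which is the detail a caller most needs. By OpenSSL's get0 convention the pointer is presumably internal to the `X509_STORE_CTX` and may be NULL; I would add `Returns a borrowed pointer owned by ctx (may be NULL); callers must not X509_free it.` to the comment. It would also help to state that the symbol is resolved through `findOrThrow` when the holder class is first used, so the method should only be called where the loaded library is known to export it.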
 

