in java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.java [163:346]
public static void init() {
synchronized (lock) {
if (referenceCount++ != 0) {
// Already loaded (note test is performed before reference count is incremented)
return;
}
if (OpenSSLStatus.isInitialized()) {
return;
}
OpenSSLStatus.setInitialized(true);
if ("off".equalsIgnoreCase(SSLEngine)) {
return;
}
try (var memorySession = Arena.ofConfined()) {
// Main library init
initLibrary();
OpenSSLStatus.setVersion(OpenSSL_version_num());
if (openssl_h_Compatibility.OPENSSL3) {
OpenSSLStatus.setName(OpenSSLStatus.Name.OPENSSL3);
} else if (openssl_h_Compatibility.OPENSSL) {
OpenSSLStatus.setName(OpenSSLStatus.Name.OPENSSL);
} else if (openssl_h_Compatibility.LIBRESSL) {
OpenSSLStatus.setName(OpenSSLStatus.Name.LIBRESSL);
} else if (openssl_h_Compatibility.BORINGSSL) {
OpenSSLStatus.setName(OpenSSLStatus.Name.BORINGSSL);
}
// OpenSSL 3 onwards uses providers
// Setup engine
String engineName = "on".equalsIgnoreCase(SSLEngine) ? null : SSLEngine;
if (!openssl_h_Compatibility.OPENSSL3 && !openssl_h_Compatibility.BORINGSSL && engineName != null) {
if ("auto".equals(engineName)) {
ENGINE_register_all_complete();
} else {
var engine = memorySession.allocateFrom(engineName);
enginePointer = ENGINE_by_id(engine);
if (MemorySegment.NULL.equals(enginePointer)) {
enginePointer = ENGINE_by_id(memorySession.allocateFrom("dynamic"));
if (enginePointer != null) {
if (ENGINE_ctrl_cmd_string(enginePointer, memorySession.allocateFrom("SO_PATH"), engine, 0) == 0
|| ENGINE_ctrl_cmd_string(enginePointer, memorySession.allocateFrom("LOAD"),
MemorySegment.NULL, 0) == 0) {
// Engine load error
ENGINE_free(enginePointer);
enginePointer = MemorySegment.NULL;
}
}
}
if (!MemorySegment.NULL.equals(enginePointer)) {
if (ENGINE_set_default(enginePointer, ENGINE_METHOD_ALL()) == 0) {
// Engine load error
ENGINE_free(enginePointer);
enginePointer = MemorySegment.NULL;
}
}
if (MemorySegment.NULL.equals(enginePointer)) {
throw new IllegalStateException(sm.getString("openssllibrary.engineError"));
}
}
}
// Set the random seed, translated to the Java way
boolean seedDone = false;
if (SSLRandomSeed != null && !SSLRandomSeed.isEmpty() && !"builtin".equals(SSLRandomSeed)) {
var randomSeed = memorySession.allocateFrom(SSLRandomSeed);
seedDone = RAND_load_file(randomSeed, 128) > 0;
if (!seedDone) {
log.warn(sm.getString("openssllibrary.errorSettingSSLRandomSeed", SSLRandomSeed, OpenSSLLibrary.getLastError()));
}
}
if (!seedDone) {
// Use a regular random to get some bytes
SecureRandom random = new SecureRandom();
byte[] randomBytes = random.generateSeed(128);
RAND_seed(memorySession.allocateFrom(ValueLayout.JAVA_BYTE, randomBytes), 128);
}
if (!openssl_h_Compatibility.OPENSSL3 && !openssl_h_Compatibility.BORINGSSL) {
initDHParameters();
}
if (openssl_h_Compatibility.OPENSSL3 || !(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode))) {
fipsModeActive = false;
final boolean enterFipsMode;
int fipsModeState = FIPS_OFF;
if (openssl_h_Compatibility.OPENSSL3) {
var md = EVP_MD_fetch(MemorySegment.NULL, memorySession.allocateFrom("SHA-512"), MemorySegment.NULL);
var provider = EVP_MD_get0_provider(md);
String name = OSSL_PROVIDER_get0_name(provider).getString(0);
EVP_MD_free(md);
if ("fips".equals(name)) {
fipsModeState = FIPS_ON;
}
} else {
fipsModeState = FIPS_mode();
}
if(log.isDebugEnabled()) {
log.debug(sm.getString("openssllibrary.currentFIPSMode", Integer.valueOf(fipsModeState)));
}
if (null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) {
if (fipsModeState == FIPS_ON) {
fipsModeActive = true;
}
enterFipsMode = false;
} else if ("on".equalsIgnoreCase(FIPSMode)) {
if (fipsModeState == FIPS_ON) {
if (!openssl_h_Compatibility.OPENSSL3) {
log.info(sm.getString("openssllibrary.skipFIPSInitialization"));
}
fipsModeActive = true;
enterFipsMode = false;
} else {
if (openssl_h_Compatibility.OPENSSL3) {
throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode));
} else {
enterFipsMode = true;
}
}
} else if ("require".equalsIgnoreCase(FIPSMode)) {
if (fipsModeState == FIPS_ON) {
fipsModeActive = true;
enterFipsMode = false;
} else {
if (openssl_h_Compatibility.OPENSSL3) {
throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode));
} else {
throw new IllegalStateException(sm.getString("openssllibrary.requireNotInFIPSMode"));
}
}
} else if ("enter".equalsIgnoreCase(FIPSMode)) {
if (fipsModeState == FIPS_OFF) {
if (openssl_h_Compatibility.OPENSSL3) {
throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode));
} else {
enterFipsMode = true;
}
} else {
if (openssl_h_Compatibility.OPENSSL3) {
fipsModeActive = true;
enterFipsMode = false;
} else {
throw new IllegalStateException(sm.getString(
"openssllibrary.enterAlreadyInFIPSMode", Integer.valueOf(fipsModeState)));
}
}
} else {
throw new IllegalArgumentException(sm.getString(
"openssllibrary.wrongFIPSMode", FIPSMode));
}
if (enterFipsMode) {
log.info(sm.getString("openssllibrary.initializingFIPS"));
fipsModeState = FIPS_mode_set(FIPS_ON);
if (fipsModeState != FIPS_ON) {
// This case should be handled by the native method,
// but we'll make absolutely sure, here.
String message = sm.getString("openssllibrary.initializeFIPSFailed");
log.error(message);
throw new IllegalStateException(message);
}
fipsModeActive = true;
log.info(sm.getString("openssllibrary.initializeFIPSSuccess"));
}
if (openssl_h_Compatibility.OPENSSL3 && fipsModeActive) {
log.info(sm.getString("aprListener.usingFIPSProvider"));
}
}
log.info(sm.getString("openssllibrary.initializedOpenSSL", OpenSSL_version(0).getString(0)));
OpenSSLStatus.setAvailable(true);
}
}
}