Merge branch 'main' into charan-first-contribution

Author: YCharanGowda

.github/workflows/ci-macos.yml

@@ -45,7 +45,7 @@ jobs:
 
     - name: Upload logs
       if: ${{ !cancelled() }}
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: JDK25-macos-latest-logs
         path: |

.github/workflows/ci.yml

@@ -64,7 +64,7 @@ jobs:
 
     - name: Upload logs
       if: ${{ !cancelled() }}
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: JDK${{ matrix.java }}-${{ matrix.os }}-logs
         path: |

README.md

@@ -48,11 +48,11 @@ The most up-to-date documentation for each version can be found at:
 
 ### Installation
 
-Please see [RUNNING.txt](RUNNING.txt) for more info.
+Please see [RUNNING.txt](RUNNING.txt) for more information.
 
 ### Licensing
 
-Please see [LICENSE](LICENSE) for more info.
+Please see [LICENSE](LICENSE) for more information.
 
 ### Support and Mailing List Information
 
@@ -74,5 +74,4 @@ instructions for reporting a bug
 
 ### Contributing
 
-For information on how to contribute to Apache Tomcat, please see
-[CONTRIBUTING.md](CONTRIBUTING.md).
+Please see [CONTRIBUTING](CONTRIBUTING.md) for more information.

build.properties.default

@@ -144,30 +144,26 @@ base-maven.loc=https://repo.maven.apache.org/maven2
 # ----- Eclipse JDT, version 4.7 or later -----#
 # See https://cwiki.apache.org/confluence/display/TOMCAT/Managing+Tomcat%27s+Dependency+on+the+Eclipse+JDT+Core+Batch+Compiler
 #
-# Checksum is from "SHA512 Checksums for 4.38" link at
-# https://download.eclipse.org/eclipse/downloads/drops4/R-4.38-202512010920/
-# https://download.eclipse.org/eclipse/downloads/drops4/R-4.38-202512010920/checksum/eclipse-4.38-SUMSSHA512
-#
-jdt.version=4.38
-jdt.release=R-4.38-202512010920
+jdt.version=4.39
+jdt.release=R-4.39-202602260420
 jdt.checksum.enabled=true
 jdt.checksum.algorithm=SHA-512
-jdt.checksum.value=41d5cea69f9bdc75eee3b5e89bf29ae9cbfe8de9f1ccdc94ea9364c182463bc4003fdee19b23c17b9ddc7c8950f4d196bb4cf3d8a5c2d1af56a769905385e906
+jdt.checksum.value=af25493d4a429fd24256f69a085a618afffe23bb09b284976fb9e82f651715a0455b704ee800432b43dd409f74874765089cd65fc148e2175d251f9ef830ce0a
 jdt.home=${base.path}/ecj-${jdt.version}
 jdt.jar=${jdt.home}/ecj-${jdt.version}.jar
 # The download will be moved to the archive area eventually. We are taking care of that in advance.
 jdt.loc.1=https://archive.eclipse.org/eclipse/downloads/drops4/${jdt.release}/ecj-${jdt.version}.jar
 jdt.loc.2=https://download.eclipse.org/eclipse/downloads/drops4/${jdt.release}/ecj-${jdt.version}.jar
 
 # ----- Tomcat native library -----
-tomcat-native.version=2.0.12
-tomcat-native-openssl.version=3.5.4
+tomcat-native.version=2.0.14
+tomcat-native-openssl.version=3.5.5
 tomcat-native.src.checksum.enabled=true
 tomcat-native.src.checksum.algorithm=SHA-512
-tomcat-native.src.checksum.value=d937e04f7c9f0fa6ef82b32928fa2d59dbdac45cb58c7ba8eff4338fbd942297b1c9512a0a8ff80cf758d9b6ca5cc5cba8cefdc91507318b72afc56888aa1f3c
+tomcat-native.src.checksum.value=33d626fab35cbfa7398ca90cabd99950c6362ab4e19637012850fd84ecc78184e4c6c975ece92dc8d6461b6a8c2f83221cbc7374ff154422e7722606a4a144c7
 tomcat-native.win.checksum.enabled=true
 tomcat-native.win.checksum.algorithm=SHA-512
-tomcat-native.win.checksum.value=f743c151a1d48a1967c08f01986b1a30176cc8a388ad760cb8aac19e6956e5630d7ddff54782c2e136e8f247809d573fd48a31ed1a756923a3ad0954e2d4a3fe
+tomcat-native.win.checksum.value=82c46733be9f84f11bcbf97cc1db3b9c9b861c32f30b9dee3fb3ebe1d400325587eb6b77c384622515583d455f170017201cfac62498f0a0886211839bdfa56f
 tomcat-native.home=${base.path}/tomcat-native-${tomcat-native.version}
 tomcat-native.tar.gz=${tomcat-native.home}/tomcat-native.tar.gz
 tomcat-native.loc.1=${base-tomcat.loc.1}/tomcat-connectors/native/${tomcat-native.version}/source/tomcat-native-${tomcat-native.version}-src.tar.gz
@@ -245,19 +241,19 @@ easymock.jar=${easymock.home}/easymock-${easymock.version}.jar
 easymock.loc=${base-maven.loc}/org/easymock/easymock/${easymock.version}/easymock-${easymock.version}.jar
 
 # ----- objenesis, used by EasyMock, version 3.3 or later -----
-objenesis.version=3.4
+objenesis.version=3.5
 objenesis.checksum.enabled=true
-objenesis.checksum.algorithm=MD5|SHA-1
-objenesis.checksum.value=51242320cb2bb25a3f36e2e21fa87de0|675cbe121a68019235d27f6c34b4f0ac30e07418
+objenesis.checksum.algorithm=SHA-512
+objenesis.checksum.value=7587fabe1dd4a639e869e4478a097665d34686de8c1ec5794356a5ebc27501fdad42a365e0f000bdf30b0b0f73d6c02523346fc6cfb9109239e5b2f7876e981e
 objenesis.home=${base.path}/objenesis-${objenesis.version}
 objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar
 objenesis.loc=${base-maven.loc}/org/objenesis/objenesis/${objenesis.version}/objenesis-${objenesis.version}.jar
 
 # ----- byte-buddy, used by EasyMock, version 1.12.18 or later -----
-bytebuddy.version=1.18.3
+bytebuddy.version=1.18.7
 bytebuddy.checksum.enabled=true
 bytebuddy.checksum.algorithm=SHA-512
-bytebuddy.checksum.value=8f35c806a25d9089a08d12a7aaf22c5bea2f356c432a21655f30a7935918b6385e1e080180b6ef5ad3638796fc3a7243220dfec08c31c1195416e6790fd797af
+bytebuddy.checksum.value=23333645a93afb4d0246a20c133cfac1b029e51c9b3fd6558ac75c455689f44de63e4fee3fc6a467312cfcc56aa29a76a2bb6deb2fdcf7a8033ebef18edbc888
 bytebuddy.home=${base.path}/byte-buddy-${bytebuddy.version}
 bytebuddy.jar=${bytebuddy.home}/byte-buddy-${bytebuddy.version}.jar
 bytebuddy.loc=${base-maven.loc}/net/bytebuddy/byte-buddy/${bytebuddy.version}/byte-buddy-${bytebuddy.version}.jar
@@ -272,10 +268,10 @@ unboundid.jar=${unboundid.home}/unboundid-ldapsdk-${unboundid.version}.jar
 unboundid.loc=${base-maven.loc}/com/unboundid/unboundid-ldapsdk/${unboundid.version}/unboundid-ldapsdk-${unboundid.version}.jar
 
 # ----- Checkstyle, version 6.16 or later -----
-checkstyle.version=13.0.0
+checkstyle.version=13.3.0
 checkstyle.checksum.enabled=true
 checkstyle.checksum.algorithm=SHA-512
-checkstyle.checksum.value=95e2955274996a9f0811014bdf1e50f3f2496d2f398ef1674015286a8abcfb1c0d540406695b5a3af6b7b5dce02dafa50d854f021401ae0d78287233ba8afa3d
+checkstyle.checksum.value=4ed499d509f5cbd40c351da291a281d5c34d0f01811237efdabb29c6273c7a10cf823ce2428ac03b049978100b448ff628b0cb9468adc78beb84f26750deb29e
 checkstyle.home=${base.path}/checkstyle-${checkstyle.version}
 checkstyle.jar=${checkstyle.home}/checkstyle-${checkstyle.version}-all.jar
 checkstyle.loc=${base-gh.loc}/checkstyle/checkstyle/releases/download/checkstyle-${checkstyle.version}/checkstyle-${checkstyle.version}-all.jar
@@ -300,10 +296,10 @@ spotbugs.loc=${base-maven.loc}/com/github/spotbugs/spotbugs/${spotbugs.version}/
 
 # ----- bnd, version 6.3.0 or later  -----
 # ----- provides OSGI metadata for JARs       -----
-bnd.version=7.2.0
+bnd.version=7.2.1
 bnd.checksum.enabled=true
 bnd.checksum.algorithm=MD5|SHA-1
-bnd.checksum.value=dea22b7afa9de21e1adb27d2e835a94c|af26ddc466eb178963d4eb800d2824f488037aec
+bnd.checksum.value=7c316ab40b78515251efd71bc68837ca|d18f9e95f252e2e4d9237f478e1e6f21117f97d2
 
 bnd.home=${base.path}/bnd-${bnd.version}
 bnd.jar=${bnd.home}/biz.aQute.bnd-${bnd.version}.jar

java/org/apache/catalina/core/AprLifecycleListener.java

@@ -72,7 +72,7 @@ public class AprLifecycleListener implements LifecycleListener {
     protected static final int TCN_REQUIRED_PATCH = 12;
     protected static final int TCN_RECOMMENDED_MAJOR = 2;
     protected static final int TCN_RECOMMENDED_MINOR = 0;
-    protected static final int TCN_RECOMMENDED_PV = 12;
+    protected static final int TCN_RECOMMENDED_PV = 14;
 
 
     // ---------------------------------------------- Properties

java/org/apache/catalina/core/LocalStrings_fr.properties

@@ -269,7 +269,9 @@ standardHost.noContext=Aucun contexte n'est configuré pour traiter cette requê
 standardHost.notContext=Le fils d'un hôte (child of a Host) doit être un contexte
 standardHost.nullName=Le nom d'hôte est requis
 standardHost.problematicAppBase=Utiliser une chaîne vide pour l''appBase de l''hôte [{0}] la fera correspondre à CATALINA_BASE, ce qui causera des problèmes
+standardHost.problematicAppBaseParent=appBase de l''hôte [{0}] est un parent du répertoire CATALINA_BASE, ce qui est mauvais
 standardHost.problematicLegacyAppBase=L''utilisation d''une chaîne vide pour legacyAppBase de l''hôte [{0}] le fixera à CATALINA_BASE, ce qui n''est pas judicieux
+standardHost.problematicLegacyAppBaseParent=legacyAppBase de l''hôte [{0}] est un parent du répertoire CATALINA_BASE, ce qui est mauvais
 
 standardHostValve.customStatusFailed=La page d''erreur personnalisée [{0}] n''a pu être redirigée correctement
 standardHostValve.exception=Exception lors du traitement de [{0}]

java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java

@@ -22,6 +22,7 @@
 import java.security.NoSuchProviderException;
 import java.security.SecureRandom;
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.Locale;
 import java.util.concurrent.ConcurrentLinkedQueue;
 
 import javax.crypto.Cipher;
@@ -42,7 +43,6 @@
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 
-
 /**
  * Adds encryption using a pre-shared key. The length of the key (in bytes) must be acceptable for the encryption
  * algorithm being used. For example, for AES, you must use a key of either 16 bytes (128 bits, 24 bytes 192 bits), or
@@ -54,7 +54,7 @@ public class EncryptInterceptor extends ChannelInterceptorBase implements Encryp
     private static final Log log = LogFactory.getLog(EncryptInterceptor.class);
     protected static final StringManager sm = StringManager.getManager(EncryptInterceptor.class);
 
-    private static final String DEFAULT_ENCRYPTION_ALGORITHM = "AES/CBC/PKCS5Padding";
+    private static final String DEFAULT_ENCRYPTION_ALGORITHM = "AES/GCM/NoPadding";
 
     private String providerName;
     private String encryptionAlgorithm = DEFAULT_ENCRYPTION_ALGORITHM;
@@ -140,17 +140,17 @@ public void messageReceived(ChannelMessage msg) {
             xbb.clear();
             xbb.append(data, 0, data.length);
 
-            super.messageReceived(msg);
         } catch (GeneralSecurityException gse) {
             log.error(sm.getString("encryptInterceptor.decrypt.failed"), gse);
         }
+        super.messageReceived(msg);
     }
 
     /**
      * Sets the encryption algorithm to be used for encrypting and decrypting channel messages. You must specify the
      * <code>algorithm/mode/padding</code>. Information on standard algorithm names may be found in the
      * <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html">Java
-     * documentation</a>. Default is <code>AES/CBC/PKCS5Padding</code>.
+     * documentation</a>. Default is <code>AES/GCM/NoPadding</code>.
      *
      * @param algorithm The algorithm to use.
      */
@@ -314,33 +314,68 @@ private static BaseEncryptionManager createEncryptionManager(String algorithm, b
 
         String algorithmName;
         String algorithmMode;
+        String algorithmPadding;
 
-        // We need to break-apart the algorithm name e.g. AES/CBC/PKCS5Padding
+        // We need to break-apart the algorithm name e.g. AES/GCM/NoPadding
         // take just the algorithm part.
         int pos = algorithm.indexOf('/');
 
         if (pos >= 0) {
-            algorithmName = algorithm.substring(0, pos);
+            algorithmName = algorithm.substring(0, pos).toUpperCase(Locale.ENGLISH);
             int pos2 = algorithm.indexOf('/', pos + 1);
 
             if (pos2 >= 0) {
-                algorithmMode = algorithm.substring(pos + 1, pos2);
+                algorithmMode = algorithm.substring(pos + 1, pos2).toUpperCase(Locale.ENGLISH);
+                algorithmPadding = algorithm.substring(pos2 + 1).toUpperCase(Locale.ENGLISH);
             } else {
-                algorithmMode = "CBC";
+                algorithmMode = "GCM";
+                algorithmPadding = "NOPADDING";
             }
         } else {
             algorithmName = algorithm;
-            algorithmMode = "CBC";
+            algorithmMode = "GCM";
+            algorithmPadding = "NOPADDING";
         }
 
-        if ("GCM".equalsIgnoreCase(algorithmMode)) {
+        /*
+         * Limit the cipher algorithm modes available. The limits are based on the cipher algorithm modes listed in the
+         * Java Standard Names documentation. Those modes that are not appropriate or provide no protection are blocked.
+         * Where there are performance or security concerns regarding a mode, a warning is logged. Unrecognised modes,
+         * such as those provided by custom JCA providers are allowed but will be rejected if there is no JCA provider
+         * to support them.
+         */
+        if ("NONE".equals(algorithmMode) || "ECB".equals(algorithmMode) || "PCBC".equals(algorithmMode) ||
+                "CTS".equals(algorithmMode) || "KW".equals(algorithmMode) || "KWP".equals(algorithmMode) ||
+                "CTR".equals(algorithmMode) ||
+                ("CBC".equals(algorithmMode) && "NOPADDING".equals(algorithmPadding)) ||
+                ("CFB".equals(algorithmMode) && "NOPADDING".equals(algorithmPadding)) ||
+                ("GCM".equals(algorithmMode) && "PKCS5PADDING".equals(algorithmPadding)) ||
+                ("OFB".equals(algorithmMode) && "NOPADDING".equals(algorithmPadding))) {
+            // Insecure, unsuitable or unsupported
+            throw new IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.unsupported", algorithm));
+
+        } else if (("CBC".equals(algorithmMode) && "PKCS5PADDING".equals(algorithmPadding)) ||
+                ("CFB".equals(algorithmMode) && "PKCS5PADDING".equals(algorithmPadding)) ||
+                ("OFB".equals(algorithmMode) && "PKCS5PADDING".equals(algorithmPadding))) {
+            // Supported but not recommended as more secure modes are available
+            log.warn(sm.getString("encryptInterceptor.algorithm.switch", algorithm));
+
+        } else if (algorithmMode.startsWith("CFB") || algorithmMode.startsWith("OFB")) {
+            // Using a non-default block size. Not supported as insecure and/or inefficient.
+            throw new IllegalArgumentException(
+                    sm.getString("encryptInterceptor.algorithm.unsupported", algorithm));
+
+        } else if ("GCM".equalsIgnoreCase(algorithmMode) && "NOPADDING".equals(algorithmPadding)) {
+            // Needs a specialised encryption manager to handle the differences between GCM and other modes
             return new GCMEncryptionManager(algorithm, new SecretKeySpec(encryptionKey, algorithmName), providerName);
-        } else if ("CBC".equalsIgnoreCase(algorithmMode) || "OFB".equalsIgnoreCase(algorithmMode) ||
-                "CFB".equalsIgnoreCase(algorithmMode)) {
+        }
+
+        // Use the default encryption manager
+        try {
             return new BaseEncryptionManager(algorithm, new SecretKeySpec(encryptionKey, algorithmName), providerName);
-        } else {
-            throw new IllegalArgumentException(
-                    sm.getString("encryptInterceptor.algorithm.unsupported-mode", algorithmMode));
+        } catch (NoSuchAlgorithmException | NoSuchPaddingException | NoSuchProviderException ex) {
+            throw new IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.unsupported", algorithmMode),
+                    ex);
         }
     }
 

java/org/apache/catalina/tribes/group/interceptors/LocalStrings.properties

@@ -16,8 +16,9 @@
 domainFilterInterceptor.member.refused=Member [{0}] was refused to join cluster
 domainFilterInterceptor.message.refused=Received message from cluster[{0}] was refused.
 
-encryptInterceptor.algorithm.required=Encryption algorithm is required, fully-specified e.g. AES/CBC/PKCS5Padding
-encryptInterceptor.algorithm.unsupported-mode=EncryptInterceptor does not support block cipher mode [{0}]
+encryptInterceptor.algorithm.required=Encryption algorithm is required, fully-specified e.g. AES/GCM/NoPadding
+encryptInterceptor.algorithm.switch=The EncryptInterceptor is using the algorithm [{0}]. It is recommended to switch to using AES/GCM/NoPadding.
+encryptInterceptor.algorithm.unsupported=EncryptInterceptor does not support algorithm [{0}]
 encryptInterceptor.decrypt.error.short-message=Failed to decrypt message: premature end-of-message
 encryptInterceptor.decrypt.failed=Failed to decrypt message
 encryptInterceptor.encrypt.failed=Failed to encrypt message

java/org/apache/catalina/tribes/group/interceptors/LocalStrings_fr.properties

@@ -20,7 +20,6 @@ domainFilterInterceptor.member.refused=Le membre [{0}] a été refusé dans le c
 domainFilterInterceptor.message.refused=Le message reçu du cluster [{0}] a été refusé
 
 encryptInterceptor.algorithm.required=Un algorithme de cryptage est requis, avec une spécification complète telle que AES/CBC/PKCS5Padding
-encryptInterceptor.algorithm.unsupported-mode=L''EncryptInterceptor ne supporte pas le mode de chiffrage de bloc [{0}]
 encryptInterceptor.decrypt.error.short-message=Echec du décryptage du message : fin de message prématuré
 encryptInterceptor.decrypt.failed=Echec de décryptage du message
 encryptInterceptor.encrypt.failed=Erreur de cryptage du message

java/org/apache/catalina/tribes/group/interceptors/LocalStrings_ja.properties

@@ -20,7 +20,6 @@ domainFilterInterceptor.member.refused=メンバーはクラスター [{0}] へ
 domainFilterInterceptor.message.refused=クラスター [{0}] から受信したメッセージは拒否されました。
 
 encryptInterceptor.algorithm.required=暗号化アルゴリズムが必要です。完全指定。 AES/CBC/PKCS5Padding
-encryptInterceptor.algorithm.unsupported-mode=EncryptInterceptorはブロック暗号モード [{0}]をサポートしていません。
 encryptInterceptor.decrypt.error.short-message=メッセージの復号に失敗: メッセージの末尾が途切れています
 encryptInterceptor.decrypt.failed=メッセージの復号に失敗しました。
 encryptInterceptor.encrypt.failed=メッセージを暗号化できません。