FFM / Panama: A case study with OpenSSL and Tomcat
jfclere
71 views
51 slides
Oct 10, 2024
Slide 1 of 51
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
About This Presentation
the presentationfocus on the use of the OpenSSL native library with Apache Tomcat.
It will show how the Foreign Function & Memory API API (Since Java 22) was leveraged to rewrite its integration using only Java code.
The FFM API allows us to retain the performance and capabilities of the existin...
Slide Content
FFM /Panama: A case study
With OpenSSL and Apache Tomcat
TM
With OpenSSL and Apache Tomcat
TM
Jean-Frederic Clere
Software engineer at Red Hat
Working on HTTPD and Tomcat (JBCS/JWS)
Apache Tomcat committer for years
ASF member
Software engineer at Red Hat
Working on HTTPD and Tomcat (JBCS/JWS)
Apache Tomcat committer for years
ASF member
Contents
FFM / Panama basics
OpenSSL and Tomcat
Tooling
Design
Challenges
Results
FFM / Panama basics
OpenSSL and Tomcat
Tooling
Design
Challenges
Results
Panama
The Panama project
“foreign function and memory API”
Project developed by Oracle for inclusion in java.base
Replacement for JNI
Improve safety and reliability
Better management of native memory
Replacement for various Unsafe based hacks
Incubating and JEPs since Java 14, released in 22 (March 2024)
Java code
Native code
“foreign function and memory API”
Project developed by Oracle for inclusion in java.base
Replacement for JNI
Improve safety and reliability
Better management of native memory
Replacement for various Unsafe based hacks
Incubating and JEPs since Java 14, released in 22 (March 2024)
Java code
Native code
ResourceScope/MemorySession/Arena
Handles native access lifecycle
Allocations and deallocations
Explicit close or GC close
Handles native access lifecycle
Allocations and deallocations
Explicit close or GC close
MemorySegment
The main API in Java 21 (previously also MemoryAddress and Addressable)
Native or heap memory, with associated segment size
Basically a pointer
Tied to an associated session
Does size and lifecycle checks -> safety
The main API in Java 21 (previously also MemoryAddress and Addressable)
Native or heap memory, with associated segment size
Basically a pointer
Tied to an associated session
Does size and lifecycle checks -> safety
Memory layouts and native types
Allows modelling types and structures
Simple types are easy
Valhalla will provide support for additional types (Vectors)
Allows modelling types and structures
Simple types are easy
Valhalla will provide support for additional types (Vectors)
Function descriptors and Method handles
FunctionDescriptor API allows describing the native calls to the JVM
Associate a native function to a matching method handle
Use the Linker API for that
FunctionDescriptor API allows describing the native calls to the JVM
Associate a native function to a matching method handle
Use the Linker API for that
Downcalls
Calls from Java to native
Use lookup to get the native symbol
Use the linker to get the method handle
Simply call the method handle with the right arguments
Calls from Java to native
Use lookup to get the native symbol
Use the linker to get the method handle
Simply call the method handle with the right arguments
Downcall example (21 here)
System.loadLibrary("ssl");
MemorySegment OpenSSL_versionSymbol = SymbolLookup.loaderLookup().find("OpenSSL_version").orElseThrow();
MethodHandle OpenSSL_version = Linker.nativeLinker().downcallHandle(OpenSSL_versionSymbol,
FunctionDescriptor.of(ValueLayout.ADDRESS, ValueLayout.JAVA_INT));
MemorySegment version = (MemorySegment) OpenSSL_version.invokeExact(0);
MemorySegment ptr = version.reinterpret(128);
String sversion = ptr.getUtf8String(0); /* change to getString(0) for 22+ */
System.loadLibrary("ssl");
MemorySegment OpenSSL_versionSymbol = SymbolLookup.loaderLookup().find("OpenSSL_version").orElseThrow();
MethodHandle OpenSSL_version = Linker.nativeLinker().downcallHandle(OpenSSL_versionSymbol,
FunctionDescriptor.of(ValueLayout.ADDRESS, ValueLayout.JAVA_INT));
MemorySegment version = (MemorySegment) OpenSSL_version.invokeExact(0);
MemorySegment ptr = version.reinterpret(128);
String sversion = ptr.getUtf8String(0); /* change to getString(0) for 22+ */
Demo
Upcalls
Calls from native to Java
Get a method handle from your Java method
The linker gives a memory segment containing a function pointer
Call the appropriate native downcall to set the function pointer
Calls from native to Java
Get a method handle from your Java method
The linker gives a memory segment containing a function pointer
Call the appropriate native downcall to set the function pointer
Upcall example (find the doconvert to call)
Arena arena = Arena.ofConfined();
MemorySegment nativeString = arena.allocateUtf8String("Hello World! Panama style");
System.loadLibrary("hex");
SymbolLookup mylib = SymbolLookup.libraryLookup("libhex.so", arena);
Linker cLinker = Linker.nativeLinker();
MethodHandle doconvert = cLinker.downcallHandle(mylib.find("doconvert").orElseThrow(),
FunctionDescriptor.of(ValueLayout.JAVA_INT, AddressLayout.ADDRESS));
Arena arena = Arena.ofConfined();
MemorySegment nativeString = arena.allocateUtf8String("Hello World! Panama style");
System.loadLibrary("hex");
SymbolLookup mylib = SymbolLookup.libraryLookup("libhex.so", arena);
Linker cLinker = Linker.nativeLinker();
MethodHandle doconvert = cLinker.downcallHandle(mylib.find("doconvert").orElseThrow(),
FunctionDescriptor.of(ValueLayout.JAVA_INT, AddressLayout.ADDRESS));
Upcall example set the callback to java method
FunctionDescriptor desc = FunctionDescriptor.of(ValueLayout.JAVA_INT, AddressLayout.ADDRESS);
MethodHandle set_add_cb = cLinker.downcallHandle(mylib.find("set_add_cb").orElseThrow(), desc);
FunctionDescriptor jfcconvertdesc = FunctionDescriptor.of(ValueLayout.JAVA_INT, AddressLayout.ADDRESS);
MethodHandle jfcconvert = MethodHandles.lookup().findStatic(Hex.class, "jfcconvert", MethodType.methodType(int.class, MemorySegment.class));
MemorySegment call = Linker.nativeLinker().upcallStub(jfcconvert, jfcconvertdesc, arena);
set_add_cb.invoke(call);
len = (int) doconvert.invoke(nativeString);
FunctionDescriptor desc = FunctionDescriptor.of(ValueLayout.JAVA_INT, AddressLayout.ADDRESS);
MethodHandle set_add_cb = cLinker.downcallHandle(mylib.find("set_add_cb").orElseThrow(), desc);
FunctionDescriptor jfcconvertdesc = FunctionDescriptor.of(ValueLayout.JAVA_INT, AddressLayout.ADDRESS);
MethodHandle jfcconvert = MethodHandles.lookup().findStatic(Hex.class, "jfcconvert", MethodType.methodType(int.class, MemorySegment.class));
MemorySegment call = Linker.nativeLinker().upcallStub(jfcconvert, jfcconvertdesc, arena);
set_add_cb.invoke(call);
len = (int) doconvert.invoke(nativeString);
Upcall example part 3 (java method that is called)
public static int jfcconvert(MemorySegment mem) {
MemorySegment ptr = mem.reinterpret(128);
String string = ptr.getUtf8String(0);
string = jfcconvert(string);
ptr.setUtf8String(0, string);
return 0;
}
public static int jfcconvert(MemorySegment mem) {
MemorySegment ptr = mem.reinterpret(128);
String string = ptr.getUtf8String(0);
string = jfcconvert(string);
ptr.setUtf8String(0, string);
return 0;
}
Demo
1 - call without setting the callback, get default the C code.
2 - call with the callback to java, get the toUpperCase() called.
1 - call without setting the callback, get default the C code.
2 - call with the callback to java, get the toUpperCase() called.
OpenSSL
All things TLS
Everything
Even more later
Extremely useful to Tomcat
Everything
Even more later
Extremely useful to Tomcat
Tomcat needs
TLS 1.3 with PHA (post handshake authentication)
More key formats, ciphers, protocols as they are appear
Better performance
High level API for QUIC
TLS 1.3 with PHA (post handshake authentication)
More key formats, ciphers, protocols as they are appear
Better performance
High level API for QUIC
Also used through Tomcat-native
Legacy code (java connector, C dynamic library linked with openssl).
Modernized and cleaned up with 2.0
Some platforms need static linking of OpenSSL (= CVEs !)
Productization needed
Cloud annoyances
Legacy code (java connector, C dynamic library linked with openssl).
Modernized and cleaned up with 2.0
Some platforms need static linking of OpenSSL (= CVEs !)
Productization needed
Cloud annoyances
OpenSSL API style
Factories and destructors for everything
Accessors and setters for everything
No need to model structures in Panama
Many callbacks needed
Factories and destructors for everything
Accessors and setters for everything
No need to model structures in Panama
Many callbacks needed
Tooling
Jextract
Helps write boilerplate code, handle library updates
Upcalls
Downcalls
Structures
Helps track Panama API changes across Java versions
Helps write boilerplate code, handle library updates
Upcalls
Downcalls
Structures
Helps track Panama API changes across Java versions
Using jextract
Now easier to build from https://github.com/openjdk/jextract (or download it)
Uses native library headers
Generates sources or classes
Skips functional macros
Big library means huge very verbose blob
Now easier to build from https://github.com/openjdk/jextract (or download it)
Uses native library headers
Generates sources or classes
Skips functional macros
Big library means huge very verbose blob
Trimming down the blob
List native APIs actually used
Limit jextract to these APIs
Time consuming …
List native APIs actually used
Limit jextract to these APIs
Time consuming …
Using jextract
●With OpenSSL
●Config file
●With OpenSSL
●Config file
Design and coding
Java code we had
Working OpenSSL implementation for JSSE (not a full provider but close)
Rather well tested
Support for OpenSSL 3.x
Significant amount of Java code using a thinner native API (compared to APR connector)
Working OpenSSL implementation for JSSE (not a full provider but close)
Rather well tested
Support for OpenSSL 3.x
Significant amount of Java code using a thinner native API (compared to APR connector)
Tomcat-native code
Needs translation to Java code using FFM/Panama
Then integrate into the Tomcat OpenSSL code
Lots of wrapper code, needless structures and state tracking
Problem: large amount of logic inside the JNI layer in some places (certs handling, init, OCSP)
Needs translation to Java code using FFM/Panama
Then integrate into the Tomcat OpenSSL code
Lots of wrapper code, needless structures and state tracking
Problem: large amount of logic inside the JNI layer in some places (certs handling, init, OCSP)
Lifecycle and Memory management
Was already appropriate for Panama
Needs to remain GC based for safety
Was already appropriate for Panama
Needs to remain GC based for safety
Process to get it to the actual state…
Generate the full OpenSSL API with jextract
Write OpenSSL init code and test out Panama
Translate the rest of the tomcat-native code into the existing Java classes
Add state tracking for upcalls
Test, fix, improve, test, fix, improve, etc
Generate the full OpenSSL API with jextract
Write OpenSSL init code and test out Panama
Translate the rest of the tomcat-native code into the existing Java classes
Add state tracking for upcalls
Test, fix, improve, test, fix, improve, etc
Challenges
No #ifdef and precompiler
This is bad for us
Also no functional macros support
Have to target real API functions
Of course there are tons macros and real API are often hidden in OpenSSL
This is bad for us
Also no functional macros support
Have to target real API functions
Of course there are tons macros and real API are often hidden in OpenSSL
OpenSSL API compatibility
Initial target was 1.1
API changes in 3.0, resolved by macros (which don't work with Panama)
Manual downcall declarations needed, with runtime version check
Extensive API changes would need a fully separate implementation
For example, support of LibreSSL and others are not doable as part of the same module
Initial target was 1.1
API changes in 3.0, resolved by macros (which don't work with Panama)
Manual downcall declarations needed, with runtime version check
Extensive API changes would need a fully separate implementation
For example, support of LibreSSL and others are not doable as part of the same module
Memory leaks are easy
OpenSSL structures need cleanup
Memory segments point to the session
Bound downcalls unfortunately pins the session
OpenSSL structures need cleanup
Memory segments point to the session
Bound downcalls unfortunately pins the session
API changes
Java 17 is the first LTS release with the incubating Panama (JEP 412)
Some changes in Java 18 (JEP 419)
Same in Java 19, moving to preview status (--enable-preview is enough) (JEP 424)
Same in Java 20, still preview, heavy API changes
Java 21 LTS was the target for the stable API but still preview
Java 17 is the first LTS release with the incubating Panama (JEP 412)
Some changes in Java 18 (JEP 419)
Same in Java 19, moving to preview status (--enable-preview is enough) (JEP 424)
Same in Java 20, still preview, heavy API changes
Java 21 LTS was the target for the stable API but still preview
Java 17
Needs scary command line arguments (users will panic)
API is less refined than current
Functionally equivalent for us
Panama seems surprisingly stable
Ok for in house projects that cannot wait for Java 21, not ok for real productization
Needs scary command line arguments (users will panic)
API is less refined than current
Functionally equivalent for us
Panama seems surprisingly stable
Ok for in house projects that cannot wait for Java 21, not ok for real productization
Java 21…
Still Needs scary command line arguments (users will panic)
API is less refined than current
Functionally equivalent for us
Panama seems surprisingly stable
Ok for in house projects that cannot wait for Java 22, not ok for real productization
Still Needs scary command line arguments (users will panic)
API is less refined than current
Functionally equivalent for us
Panama seems surprisingly stable
Ok for in house projects that cannot wait for Java 22, not ok for real productization
Instability
Instability when initially trying with Java 18
Mysterious behaviors, debugging was inconclusive
Had to report to the Panama team
Was caused by stack corruption with (lots of) upcalls
Thankfully fixed
Instability when initially trying with Java 18
Mysterious behaviors, debugging was inconclusive
Had to report to the Panama team
Was caused by stack corruption with (lots of) upcalls
Thankfully fixed
Updating to a new Java
Monitor Panama API changes in openjdk/panama-foreign and evaluate impact
Code merge into next Java openjdk/jdk
Wait for jextract updates to target new API (needed for a large library like OpenSSL)
Migrate and test !
Monitor Panama API changes in openjdk/panama-foreign and evaluate impact
Code merge into next Java openjdk/jdk
Wait for jextract updates to target new API (needed for a large library like OpenSSL)
Migrate and test !
Results
It worked !
Surprisingly stable on Java 17
Fast enough on Java 17
Works out of the box if OpenSSL is a system library
With new Java versions, only "--enable-preview" needed (with startup warnings)
Surprisingly stable on Java 17
Fast enough on Java 17
Works out of the box if OpenSSL is a system library
With new Java versions, only "--enable-preview" needed (with startup warnings)
We had to have multiple branches
Many API differences with each JEP
https://github.com/apache/tomcat/tree/main/modules/openssl-foreign : Tracks the Panama API (Java
"22" right now, hopefully final API in Java xx), support for OpenSSL 1.1 and 3.0
https://github.com/apache/tomcat/tree/main/modules/openssl-java21 : Frozen for Java 21, support for
OpenSSL 1.1 and 3.0, "stable"
https://github.com/apache/tomcat/tree/main/modules/openssl-java17 : Frozen for Java 17, support for
OpenSSL 1.1 and 3.0, "stable"
Now: java22+
https://github.com/apache/tomcat/tree/main/java/org/apache/tomcat/util/net/openssl/panama
Many API differences with each JEP
https://github.com/apache/tomcat/tree/main/modules/openssl-foreign : Tracks the Panama API (Java
"22" right now, hopefully final API in Java xx), support for OpenSSL 1.1 and 3.0
https://github.com/apache/tomcat/tree/main/modules/openssl-java21 : Frozen for Java 21, support for
OpenSSL 1.1 and 3.0, "stable"
https://github.com/apache/tomcat/tree/main/modules/openssl-java17 : Frozen for Java 17, support for
OpenSSL 1.1 and 3.0, "stable"
Now: java22+
https://github.com/apache/tomcat/tree/main/java/org/apache/tomcat/util/net/openssl/panama
Performance
A bit over 10% slower than JNI across Java 17 and 18
Custom Java 19 builds were about 5% slower
Probably not a glitch since all other testing results was unchanged
A bit over 10% slower than JNI across Java 17 and 18
Custom Java 19 builds were about 5% slower
Probably not a glitch since all other testing results was unchanged
OpenSSL Demo
●With Java "22"
●With Java "22"
Demo / configuration
<Listener className="org.apache.catalina.core.OpenSSLLifecycleListener" />
<SSLHostConfig>
<Certificate
certificateFile="/home/jfclere/CERTS/newcert.pem"
certificateKeyPassword="Of_Course_I_never_Remember_It"
certificateKeyFile="/home/jfclere/CERTS/newkey.pem"/>
</SSLHostConfig>
<Listener className="org.apache.catalina.core.OpenSSLLifecycleListener" />
<SSLHostConfig>
<Certificate
certificateFile="/home/jfclere/CERTS/newcert.pem"
certificateKeyPassword="Of_Course_I_never_Remember_It"
certificateKeyFile="/home/jfclere/CERTS/newkey.pem"/>
</SSLHostConfig>
Demo / log
org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary.init OpenSSL successfully initialized using
FFM [OpenSSL 3.2.2 4 Jun 2024]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-opensslffm-nio-8443"]
org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary.init OpenSSL successfully initialized using
FFM [OpenSSL 3.2.2 4 Jun 2024]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-opensslffm-nio-8443"]
Conclusion
Roadmap to stable
Good performance already with safer code
Still preview in Java 21 (09/2023)
Integrated into Tomcat's source tree and ready to use
Work out of the box on Java 22 YES!!!
tomcat-native will be maintained for a long time (after Java 21 so after Tomcat 11.0.x)
Good performance already with safer code
Still preview in Java 21 (09/2023)
Integrated into Tomcat's source tree and ready to use
Work out of the box on Java 22 YES!!!
tomcat-native will be maintained for a long time (after Java 21 so after Tomcat 11.0.x)
QUESTIONS
THANK YOU!
Everything at:
https://github.com/jfclere/apacheconna2023/tree/master/panama
https://github.com/apache/tomcat/tree/main/modules/openssl-foreign
Ask me:
[email protected]
THANK YOU!
Everything at:
https://github.com/jfclere/apacheconna2023/tree/master/panama
https://github.com/apache/tomcat/tree/main/modules/openssl-foreign
Ask me:
[email protected]
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 71
- Slides 51
- Age 418 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
32 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
33 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
31 views
14
Fertility awareness methods for women in the society
Isaiah47
30 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
27 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
29 views