Posted to dev@tomcat.apache.org by re...@apache.org on 2021/11/23 08:45:32 UTC

[tomcat] branch main updated (d78c719 -> 09a8c07)

This is an automated email from the ASF dual-hosted git repository.

remm pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    from d78c719  Cookie updates for Servlet 6.0. Only support RFC 6265. Remove others.
     new 5de0b18  Fix bad check for destroy
     new 88e43fe  Remove "next" item
     new 09a8c07  Improve sync

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 TOMCAT-NEXT.txt                                    |   9 +-
 .../openssl/panama/OpenSSLLifecycleListener.java   | 287 +++++++++++----------
 2 files changed, 150 insertions(+), 146 deletions(-)



[tomcat] 03/03: Improve sync

Posted by re...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 09a8c07110750c89a89bbb823a0cb6cf11fb46fd
Author: remm <re...@apache.org>
AuthorDate: Tue Nov 23 09:27:48 2021 +0100

    Improve sync
---
 .../openssl/panama/OpenSSLLifecycleListener.java   | 287 +++++++++++----------
 1 file changed, 148 insertions(+), 139 deletions(-)

diff --git a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java
index 06831ca..03c4540 100644
--- a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java
+++ b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java
@@ -77,6 +77,15 @@ public class OpenSSLLifecycleListener implements LifecycleListener {
 
     protected static final Object lock = new Object();
 
+    public static boolean isAvailable() {
+        if (OpenSSLStatus.isInstanceCreated()) {
+            synchronized (lock) {
+                init();
+            }
+        }
+        return OpenSSLStatus.isAvailable();
+    }
+
     public OpenSSLLifecycleListener() {
         OpenSSLStatus.setInstanceCreated(true);
     }
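Review bot: isAvailable() calls init() with no error handling, while the lifecycle path wraps the same call in a catch that logs `listener.sslInit` and sets `initError`. init() can throw IllegalStateException or IllegalArgumentException (the engine and FIPS branches in the last hunk of this diff). Because it calls `OpenSSLStatus.setInitialized(true)` before doing the work, a failure that surfaces here makes the later lifecycleEvent call return early without that error ever being logged by the listener. Consider catching and logging inside isAvailable(), or setting the initialized flag only once init() has completed. The outer `synchronized (lock)` is also redundant now that init() takes the same lock itself.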
@@ -97,35 +106,31 @@ public class OpenSSLLifecycleListener implements LifecycleListener {
                 log.warn(sm.getString("listener.notServer",
                         event.getLifecycle().getClass().getSimpleName()));
             }
-            synchronized (lock) {
-                try {
-                    init();
-                } catch (Throwable t) {
-                    t = ExceptionUtils.unwrapInvocationTargetException(t);
-                    ExceptionUtils.handleThrowable(t);
-                    log.error(sm.getString("listener.sslInit"), t);
-                    initError = true;
-                }
-                // Failure to initialize FIPS mode is fatal
-                if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) && !isFIPSModeActive()) {
-                    String errorMessage = sm.getString("listener.initializeFIPSFailed");
-                    Error e = new Error(errorMessage);
-                    // Log here, because thrown error might be not logged
-                    log.fatal(errorMessage, e);
-                    initError = true;
-                }
+            try {
+                init();
+            } catch (Throwable t) {
+                t = ExceptionUtils.unwrapInvocationTargetException(t);
+                ExceptionUtils.handleThrowable(t);
+                log.error(sm.getString("listener.sslInit"), t);
+                initError = true;
+            }
+            // Failure to initialize FIPS mode is fatal
+            if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) && !isFIPSModeActive()) {
+                String errorMessage = sm.getString("listener.initializeFIPSFailed");
+                Error e = new Error(errorMessage);
+                // Log here, because thrown error might be not logged
+                log.fatal(errorMessage, e);
+                initError = true;
             }
         }
         if (initError || Lifecycle.AFTER_DESTROY_EVENT.equals(event.getType())) {
             // Note: Without the listener, destroy will never be called (which is not a significant problem)
-            synchronized (lock) {
-                try {
-                    destroy();
-                } catch (Throwable t) {
-                    t = ExceptionUtils.unwrapInvocationTargetException(t);
-                    ExceptionUtils.handleThrowable(t);
-                    log.info(sm.getString("listener.destroy"));
-                }
+            try {
+                destroy();
+            } catch (Throwable t) {
+                t = ExceptionUtils.unwrapInvocationTargetException(t);
+                ExceptionUtils.handleThrowable(t);
+                log.info(sm.getString("listener.destroy"));
             }
         }
 
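Review bot: The block commented `// Failure to initialize FIPS mode is fatal` builds an `Error` but never throws it; the visible lines only log it and set `initError = true`, which leads to destroy() and lets startup continue. When a deployment asks for FIPS mode and it is not active, whether the server then serves TLS through a non-FIPS provider depends on connector configuration outside this hunk. Either add `throw e;` after the `log.fatal` call or reword the comment to say the listener is disabled rather than that the failure is fatal. Separately, the destroy() catch logs `listener.destroy` without passing `t`, so the cause is lost; `log.info(sm.getString("listener.destroy"), t);` keeps it. lifecycleEvent starts and ends outside the hunk.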
@@ -134,12 +139,12 @@ public class OpenSSLLifecycleListener implements LifecycleListener {
     static MemoryAddress enginePointer = MemoryAddress.NULL;
 
     static void initLibrary() {
-        synchronized (OpenSSLStatus.class) {
+        synchronized (lock) {
             if (OpenSSLStatus.isLibraryInitialized()) {
                 return;
             }
-            OpenSSLStatus.setLibraryInitialized(true);
             OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN(), MemoryAddress.NULL);
+            OpenSSLStatus.setLibraryInitialized(true);
         }
     }
 
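Review bot: The result of `OPENSSL_init_ssl(...)` is discarded, so `OpenSSLStatus.setLibraryInitialized(true)` is recorded even when the native call reports failure. Moving the flag after the call only helps if a failed call keeps it from being set. OpenSSL documents a return of 1 for success and 0 for error, so, assuming the generated binding returns that int, check it: `if (OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN(), MemoryAddress.NULL) == 0) { throw new IllegalStateException(...); }` with a message taken from the string manager.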
@@ -212,148 +217,152 @@ public class OpenSSLLifecycleListener implements LifecycleListener {
         }
     }
 
-    static void init() throws Exception {
+    static void init() {
+        synchronized (lock) {
 
-        if (OpenSSLStatus.isInitialized()) {
-            return;
-        }
-        OpenSSLStatus.setInitialized(true);
+            if (OpenSSLStatus.isInitialized()) {
+                return;
+            }
+            OpenSSLStatus.setInitialized(true);
 
-        if ("off".equalsIgnoreCase(SSLEngine)) {
-            return;
-        }
+            if ("off".equalsIgnoreCase(SSLEngine)) {
+                return;
+            }
+
+            var scope = ResourceScope.globalScope();
+            var allocator = SegmentAllocator.ofScope(scope);
+
+            // Main library init
+            initLibrary();
 
-        var scope = ResourceScope.globalScope();
-        var allocator = SegmentAllocator.ofScope(scope);
-
-        // Main library init
-        initLibrary();
-
-        // Setup engine
-        String engineName = "on".equalsIgnoreCase(SSLEngine) ? null : SSLEngine;
-        if (engineName != null) {
-            if ("auto".equals(engineName)) {
-                ENGINE_register_all_complete();
-            } else {
-                var engine = CLinker.toCString(engineName, scope);
-                enginePointer = ENGINE_by_id(engine);
-                if (MemoryAddress.NULL.equals(enginePointer)) {
-                    enginePointer = ENGINE_by_id(CLinker.toCString("dynamic", scope));
-                    if (enginePointer != null) {
-                        if (ENGINE_ctrl_cmd_string(enginePointer, CLinker.toCString("SO_PATH", scope), engine, 0) == 0
-                                || ENGINE_ctrl_cmd_string(enginePointer, CLinker.toCString("LOAD", scope),
-                                        MemoryAddress.NULL, 0) == 0) {
+            // Setup engine
+            String engineName = "on".equalsIgnoreCase(SSLEngine) ? null : SSLEngine;
+            if (engineName != null) {
+                if ("auto".equals(engineName)) {
+                    ENGINE_register_all_complete();
+                } else {
+                    var engine = CLinker.toCString(engineName, scope);
+                    enginePointer = ENGINE_by_id(engine);
+                    if (MemoryAddress.NULL.equals(enginePointer)) {
+                        enginePointer = ENGINE_by_id(CLinker.toCString("dynamic", scope));
+                        if (enginePointer != null) {
+                            if (ENGINE_ctrl_cmd_string(enginePointer, CLinker.toCString("SO_PATH", scope), engine, 0) == 0
+                                    || ENGINE_ctrl_cmd_string(enginePointer, CLinker.toCString("LOAD", scope),
+                                            MemoryAddress.NULL, 0) == 0) {
+                                // Engine load error
+                                ENGINE_free(enginePointer);
+                                enginePointer = MemoryAddress.NULL;
+                            }
+                        }
+                    }
+                    if (!MemoryAddress.NULL.equals(enginePointer)) {
+                        if (ENGINE_set_default(enginePointer, ENGINE_METHOD_ALL()) == 0) {
                             // Engine load error
                             ENGINE_free(enginePointer);
                             enginePointer = MemoryAddress.NULL;
                         }
                     }
-                }
-                if (!MemoryAddress.NULL.equals(enginePointer)) {
-                    if (ENGINE_set_default(enginePointer, ENGINE_METHOD_ALL()) == 0) {
-                        // Engine load error
-                        ENGINE_free(enginePointer);
-                        enginePointer = MemoryAddress.NULL;
+                    if (MemoryAddress.NULL.equals(enginePointer)) {
+                        throw new IllegalStateException(sm.getString("listener.engineError"));
                     }
                 }
-                if (MemoryAddress.NULL.equals(enginePointer)) {
-                    throw new IllegalStateException(sm.getString("listener.engineError"));
-                }
             }
-        }
 
-        // Set the random seed, translated to the Java way
-        boolean seedDone = false;
-        if (SSLRandomSeed != null || SSLRandomSeed.length() != 0 || !"builtin".equals(SSLRandomSeed)) {
-            var randomSeed = CLinker.toCString(SSLRandomSeed, scope);
-            seedDone = RAND_load_file(randomSeed, 128) > 0;
-        }
-        if (!seedDone) {
-            // Use a regular random to get some bytes
-            SecureRandom random = new SecureRandom();
-            byte[] randomBytes = random.generateSeed(128);
-            RAND_seed(allocator.allocateArray(CLinker.C_CHAR, randomBytes), 128);
-        }
-
-        initDHParameters();
+            // Set the random seed, translated to the Java way
+            boolean seedDone = false;
+            if (SSLRandomSeed != null || SSLRandomSeed.length() != 0 || !"builtin".equals(SSLRandomSeed)) {
+                var randomSeed = CLinker.toCString(SSLRandomSeed, scope);
+                seedDone = RAND_load_file(randomSeed, 128) > 0;
+            }
+            if (!seedDone) {
+                // Use a regular random to get some bytes
+                SecureRandom random = new SecureRandom();
+                byte[] randomBytes = random.generateSeed(128);
+                RAND_seed(allocator.allocateArray(CLinker.C_CHAR, randomBytes), 128);
+            }
 
-        if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode))) {
+            initDHParameters();
 
-            fipsModeActive = false;
+            if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode))) {
 
-            final boolean enterFipsMode;
-            int fipsModeState = FIPS_mode();
+                fipsModeActive = false;
 
-            if(log.isDebugEnabled()) {
-                log.debug(sm.getString("listener.currentFIPSMode",
-                        Integer.valueOf(fipsModeState)));
-            }
+                final boolean enterFipsMode;
+                int fipsModeState = FIPS_mode();
 
-            if ("on".equalsIgnoreCase(FIPSMode)) {
-                if (fipsModeState == FIPS_ON) {
-                    log.info(sm.getString("listener.skipFIPSInitialization"));
-                    fipsModeActive = true;
-                    enterFipsMode = false;
-                } else {
-                    enterFipsMode = true;
-                }
-            } else if ("require".equalsIgnoreCase(FIPSMode)) {
-                if (fipsModeState == FIPS_ON) {
-                    fipsModeActive = true;
-                    enterFipsMode = false;
-                } else {
-                    throw new IllegalStateException(
-                            sm.getString("listener.requireNotInFIPSMode"));
+                if(log.isDebugEnabled()) {
+                    log.debug(sm.getString("listener.currentFIPSMode",
+                            Integer.valueOf(fipsModeState)));
                 }
-            } else if ("enter".equalsIgnoreCase(FIPSMode)) {
-                if (fipsModeState == FIPS_OFF) {
-                    enterFipsMode = true;
+
+                if ("on".equalsIgnoreCase(FIPSMode)) {
+                    if (fipsModeState == FIPS_ON) {
+                        log.info(sm.getString("listener.skipFIPSInitialization"));
+                        fipsModeActive = true;
+                        enterFipsMode = false;
+                    } else {
+                        enterFipsMode = true;
+                    }
+                } else if ("require".equalsIgnoreCase(FIPSMode)) {
+                    if (fipsModeState == FIPS_ON) {
+                        fipsModeActive = true;
+                        enterFipsMode = false;
+                    } else {
+                        throw new IllegalStateException(
+                                sm.getString("listener.requireNotInFIPSMode"));
+                    }
+                } else if ("enter".equalsIgnoreCase(FIPSMode)) {
+                    if (fipsModeState == FIPS_OFF) {
+                        enterFipsMode = true;
+                    } else {
+                        throw new IllegalStateException(sm.getString(
+                                "listener.enterAlreadyInFIPSMode",
+                                Integer.valueOf(fipsModeState)));
+                    }
                 } else {
-                    throw new IllegalStateException(sm.getString(
-                            "listener.enterAlreadyInFIPSMode",
-                            Integer.valueOf(fipsModeState)));
+                    throw new IllegalArgumentException(sm.getString(
+                            "listener.wrongFIPSMode", FIPSMode));
                 }
-            } else {
-                throw new IllegalArgumentException(sm.getString(
-                        "listener.wrongFIPSMode", FIPSMode));
-            }
 
-            if (enterFipsMode) {
-                log.info(sm.getString("listener.initializingFIPS"));
+                if (enterFipsMode) {
+                    log.info(sm.getString("listener.initializingFIPS"));
 
-                fipsModeState = FIPS_mode_set(FIPS_ON);
-                if (fipsModeState != FIPS_ON) {
-                    // This case should be handled by the native method,
-                    // but we'll make absolutely sure, here.
-                    String message = sm.getString("listener.initializeFIPSFailed");
-                    log.error(message);
-                    throw new IllegalStateException(message);
-                }
+                    fipsModeState = FIPS_mode_set(FIPS_ON);
+                    if (fipsModeState != FIPS_ON) {
+                        // This case should be handled by the native method,
+                        // but we'll make absolutely sure, here.
+                        String message = sm.getString("listener.initializeFIPSFailed");
+                        log.error(message);
+                        throw new IllegalStateException(message);
+                    }
 
-                fipsModeActive = true;
-                log.info(sm.getString("listener.initializeFIPSSuccess"));
+                    fipsModeActive = true;
+                    log.info(sm.getString("listener.initializeFIPSSuccess"));
+                }
             }
-        }
 
-        log.info(sm.getString("listener.initializedOpenSSL", CLinker.toJavaString(OpenSSL_version(0))));
-        OpenSSLStatus.setAvailable(true);
+            log.info(sm.getString("listener.initializedOpenSSL", CLinker.toJavaString(OpenSSL_version(0))));
+            OpenSSLStatus.setAvailable(true);
+        }
     }
 
     static void destroy() {
-        if (!OpenSSLStatus.isInitialized()) {
-            return;
-        }
-        OpenSSLStatus.setAvailable(false);
+        synchronized (lock) {
+            if (!OpenSSLStatus.isInitialized()) {
+                return;
+            }
+            OpenSSLStatus.setAvailable(false);
 
-        try {
-            freeDHParameters();
-            if (!MemoryAddress.NULL.equals(enginePointer)) {
-                ENGINE_free(enginePointer);
+            try {
+                freeDHParameters();
+                if (!MemoryAddress.NULL.equals(enginePointer)) {
+                    ENGINE_free(enginePointer);
+                }
+                FIPS_mode_set(0);
+            } finally {
+                OpenSSLStatus.setInitialized(false);
+                fipsModeActive = false;
             }
-            FIPS_mode_set(0);
-        } finally {
-            OpenSSLStatus.setInitialized(false);
-            fipsModeActive = false;
         }
     }
 
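Review bot: The random-seed guard `SSLRandomSeed != null || SSLRandomSeed.length() != 0 || !"builtin".equals(SSLRandomSeed)` joins its terms with `||`, so a null SSLRandomSeed reaches `.length()` and throws NullPointerException, and the value "builtin" is still handed to RAND_load_file as a file name. The re-indented line carries this over unchanged; the terms should be joined with `&&`: `if (SSLRandomSeed != null && SSLRandomSeed.length() != 0 && !"builtin".equals(SSLRandomSeed)) {`. In the same method, `if (enginePointer != null)` after the "dynamic" lookup compares against Java null while every other check uses `MemoryAddress.NULL.equals(enginePointer)`, so a failed lookup probably passes the test. destroy() also frees `enginePointer` without resetting it to `MemoryAddress.NULL`.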



[tomcat] 02/03: Remove "next" item

Posted by re...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 88e43fe09feee457d5896220e63ee591aa859cad
Author: remm <re...@apache.org>
AuthorDate: Mon Nov 22 21:59:31 2021 +0100

    Remove "next" item
---
 TOMCAT-NEXT.txt | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt
index da59f9b..05d4717 100644
--- a/TOMCAT-NEXT.txt
+++ b/TOMCAT-NEXT.txt
@@ -27,13 +27,8 @@ Items carried over from the 9.0.x list:
 
 Deferred until 10.1.x:
 
- 1. Remove org.apache.tomcat.jni and replace with the minimum necessary to
-    interface with OpenSSL and clones.
-    We might want to park this one until we see what is available direct from
-    the JRE with project Panama.
+ 1. Review code forked from Commons projects and consider removing unused code.
 
- 2. Review code forked from Commons projects and consider removing unused code.
-
- 3. Implement OCSP checks for client certs with NIO/NIO2.
+ 2. Implement OCSP checks for client certs with NIO/NIO2.
     Useful reference:
     https://stackoverflow.com/questions/5161504/ocsp-revocation-on-client-certificate
\ No newline at end of file



[tomcat] 01/03: Fix bad check for destroy

Posted by re...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 5de0b182a51c77c0335096572dfc250d2896d659
Author: remm <re...@apache.org>
AuthorDate: Mon Nov 22 21:56:57 2021 +0100

    Fix bad check for destroy
---
 .../apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java
index 76637bc..06831ca 100644
--- a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java
+++ b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLLifecycleListener.java
@@ -340,7 +340,7 @@ public class OpenSSLLifecycleListener implements LifecycleListener {
     }
 
     static void destroy() {
-        if (!OpenSSLStatus.isAvailable()) {
+        if (!OpenSSLStatus.isInitialized()) {
             return;
         }
         OpenSSLStatus.setAvailable(false);
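Review bot: Guarding on `isInitialized()` means destroy() now also runs after an init() that never reached the native library. In the init() body shown in the 03/03 diff on this page, `OpenSSLStatus.setInitialized(true)` is set before the `"off".equalsIgnoreCase(SSLEngine)` early return, so with the engine switched off the cleanup calls (`freeDHParameters()`, `FIPS_mode_set(0)`) would still be made, assuming init() has the same shape at this commit. A short comment on the guard saying that partial initialisation is cleaned up on purpose, or an additional `OpenSSLStatus.isLibraryInitialized()` check, would make the intent explicit. destroy() continues past the end of the hunk.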
