Posted to dev@tomcat.apache.org by re...@apache.org on 2021/11/08 22:35:38 UTC
[tomcat] branch main updated: Tighten up some uses of scope
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new e88f5c8 Tighten up some uses of scope
e88f5c8 is described below
commit e88f5c8384aab73ea7fcbe94e225f795db40ac1f
Author: remm <re...@apache.org>
AuthorDate: Mon Nov 8 23:35:20 2021 +0100
Tighten up some uses of scope
The engine should always use its scope if possible (it is tied to a
connection). However, the context should avoid it (it will almost never
be closed).
Also add a sync in the context's openSSLCallbackVerify, just in case it
is actually used.
---
.../util/net/openssl/panama/OpenSSLContext.java | 47 +++++++++++-----------
.../util/net/openssl/panama/OpenSSLEngine.java | 46 ++++++++++-----------
2 files changed, 45 insertions(+), 48 deletions(-)
diff --git a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 7a4dd35..374c808 100644
--- a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -826,37 +826,38 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
// const unsigned char *in, unsigned int inlen, void *arg)
public int openSSLCallbackAlpnSelectProto(MemoryAddress ssl, MemoryAddress out, MemoryAddress outlen,
MemoryAddress in, int inlen, MemoryAddress arg) {
- // No scope, so byte by byte read, the ALPN data is small
- byte[] advertisedBytes = in.asSegment(inlen, state.scope).toByteArray();
- ArrayList<byte[]> negotiableProtocolsBytes = new ArrayList<>(negotiableProtocols.size() + 1);
- for (String negotiableProtocol : negotiableProtocols) {
- negotiableProtocolsBytes.add(negotiableProtocol.getBytes());
- }
- negotiableProtocolsBytes.add(HTTP_11_PROTOCOL);
- for (byte[] negotiableProtocolBytes : negotiableProtocolsBytes) {
- for (int i = 0; i <= advertisedBytes.length - negotiableProtocolBytes.length; i++) {
- if (advertisedBytes[i] == negotiableProtocolBytes[0]) {
- for (int j = 0; j < negotiableProtocolBytes.length; j++) {
- if (advertisedBytes[i + j] == negotiableProtocolBytes[j]) {
- if (j == negotiableProtocolBytes.length - 1) {
- MemorySegment outSegment = out.asSegment(CLinker.C_POINTER.byteSize(), state.scope);
- MemorySegment outlenSegment = outlen.asSegment(CLinker.C_CHAR.byteSize(), state.scope);
- // Match
- MemoryAccess.setAddress(outSegment, in.addOffset(i));
- MemoryAccess.setByte(outlenSegment, (byte) negotiableProtocolBytes.length);
- return SSL_TLSEXT_ERR_OK();
+ try (ResourceScope scope = ResourceScope.newConfinedScope()) {
+ byte[] advertisedBytes = in.asSegment(inlen, scope).toByteArray();
+ ArrayList<byte[]> negotiableProtocolsBytes = new ArrayList<>(negotiableProtocols.size() + 1);
+ for (String negotiableProtocol : negotiableProtocols) {
+ negotiableProtocolsBytes.add(negotiableProtocol.getBytes());
+ }
+ negotiableProtocolsBytes.add(HTTP_11_PROTOCOL);
+ for (byte[] negotiableProtocolBytes : negotiableProtocolsBytes) {
+ for (int i = 0; i <= advertisedBytes.length - negotiableProtocolBytes.length; i++) {
+ if (advertisedBytes[i] == negotiableProtocolBytes[0]) {
+ for (int j = 0; j < negotiableProtocolBytes.length; j++) {
+ if (advertisedBytes[i + j] == negotiableProtocolBytes[j]) {
+ if (j == negotiableProtocolBytes.length - 1) {
+ MemorySegment outSegment = out.asSegment(CLinker.C_POINTER.byteSize(), scope);
+ MemorySegment outlenSegment = outlen.asSegment(CLinker.C_CHAR.byteSize(), scope);
+ // Match
+ MemoryAccess.setAddress(outSegment, in.addOffset(i));
+ MemoryAccess.setByte(outlenSegment, (byte) negotiableProtocolBytes.length);
+ return SSL_TLSEXT_ERR_OK();
+ }
+ } else {
+ break;
}
- } else {
- break;
}
}
}
}
+ return SSL_TLSEXT_ERR_NOACK();
}
- return SSL_TLSEXT_ERR_NOACK();
}
- public int openSSLCallbackVerify(int preverify_ok, MemoryAddress /*X509_STORE_CTX*/ x509ctx) {
+ public synchronized int openSSLCallbackVerify(int preverify_ok, MemoryAddress /*X509_STORE_CTX*/ x509ctx) {
if (log.isDebugEnabled()) {
log.debug("Verification with mode [" + certificateVerifyMode + "]");
}
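Review bot: The match loop in openSSLCallbackAlpnSelectProto still scans the advertised buffer as a flat byte string, but the buffer OpenSSL hands an ALPN select callback is the client's wire-format list of length-prefixed entries, so a server protocol can match inside a longer client entry (`h2` inside an advertised `h2c`) and `out` then points into the middle of that entry with a length the client never offered. Walking the list entry by entry and comparing whole entries avoids selecting a protocol the client did not advertise; the rewrite below does that and needs `java.util.Arrays` in scope. Independently, `negotiableProtocol.getBytes()` uses the platform default charset; `negotiableProtocol.getBytes(StandardCharsets.UTF_8)` pins the encoding. openSSLCallbackVerify, which starts at the end of the hunk, continues outside it.
```java
try (ResourceScope scope = ResourceScope.newConfinedScope()) {
    byte[] advertisedBytes = in.asSegment(inlen, scope).toByteArray();
    // … unchanged: building negotiableProtocolsBytes …
    for (byte[] negotiableProtocolBytes : negotiableProtocolsBytes) {
        // The client list is a sequence of entries, each one length byte followed by that many bytes
        int i = 0;
        while (i < advertisedBytes.length) {
            int entryLength = advertisedBytes[i] & 0xFF;
            int entryStart = i + 1;
            if (entryStart + entryLength > advertisedBytes.length) {
                // Malformed list: stop rather than read past the buffer
                break;
            }
            if (entryLength == negotiableProtocolBytes.length
                    && Arrays.equals(advertisedBytes, entryStart, entryStart + entryLength,
                            negotiableProtocolBytes, 0, entryLength)) {
                MemorySegment outSegment = out.asSegment(CLinker.C_POINTER.byteSize(), scope);
                MemorySegment outlenSegment = outlen.asSegment(CLinker.C_CHAR.byteSize(), scope);
                // Match: point out at the client's own copy of the entry
                MemoryAccess.setAddress(outSegment, in.addOffset(entryStart));
                MemoryAccess.setByte(outlenSegment, (byte) entryLength);
                return SSL_TLSEXT_ERR_OK();
            }
            i = entryStart + entryLength;
        }
    }
    return SSL_TLSEXT_ERR_NOACK();
}
```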
diff --git a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index d8d827f..688be9f 100644
--- a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -1095,7 +1095,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
/**
* Clear out any errors, but log a warning.
*/
- private static void clearLastError() {
+ private void clearLastError() {
getLastError();
}
@@ -1108,25 +1108,23 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
* zero result.
* @return the first error in the stack
*/
- private static String getLastError() {
+ private String getLastError() {
String sslError = null;
long error = ERR_get_error();
if (error != SSL_ERROR_NONE()) {
- try (var scope = ResourceScope.newConfinedScope()) {
- var allocator = SegmentAllocator.ofScope(scope);
- do {
- // Loop until getLastErrorNumber() returns SSL_ERROR_NONE
- var buf = allocator.allocateArray(CLinker.C_CHAR, new byte[128]);
- ERR_error_string(error, buf);
- String err = CLinker.toJavaString(buf);
- if (sslError == null) {
- sslError = err;
- }
- if (logger.isDebugEnabled()) {
- logger.debug(sm.getString("engine.openSSLError", Long.toString(error), err));
- }
- } while ((error = ERR_get_error()) != SSL_ERROR_NONE());
- }
+ var allocator = SegmentAllocator.ofScope(state.scope);
+ do {
+ // Loop until getLastErrorNumber() returns SSL_ERROR_NONE
+ var buf = allocator.allocateArray(CLinker.C_CHAR, new byte[128]);
+ ERR_error_string(error, buf);
+ String err = CLinker.toJavaString(buf);
+ if (sslError == null) {
+ sslError = err;
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug(sm.getString("engine.openSSLError", Long.toString(error), err));
+ }
+ } while ((error = ERR_get_error()) != SSL_ERROR_NONE());
}
return sslError;
}
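Review bot: The per-iteration `allocateArray(CLinker.C_CHAR, new byte[128])` in getLastError now allocates into `state.scope`, so every error drained from the stack leaves a native buffer alive until the engine's scope closes, where the confined scope used to release it on return. Allocating once before the loop bounds this to one buffer per call: `var buf = allocator.allocateArray(CLinker.C_CHAR, new byte[256]);` placed before `do {`, with the allocation inside the loop removed. The size matters as well: the OpenSSL documentation for ERR_error_string requires a buffer of at least 256 bytes, so 128 leaves room for an out-of-bounds native write on a long error string. The comment `// Loop until getLastErrorNumber() returns SSL_ERROR_NONE` names a method this loop does not call; `// Loop until ERR_get_error() returns SSL_ERROR_NONE` matches the code. The hunk does not show whether callers hold the engine lock or check `destroyed` before allocating into `state.scope`; presumably they do, but that is not visible here.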
@@ -1562,14 +1560,12 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
byte[] id = null;
synchronized (OpenSSLEngine.this) {
if (!destroyed) {
- try (var scope = ResourceScope.newConfinedScope()) {
- var allocator = SegmentAllocator.ofScope(scope);
- MemorySegment lenPointer = allocator.allocate(CLinker.C_POINTER);
- var session = SSL_get_session(state.ssl);
- MemoryAddress sessionId = SSL_SESSION_get_id(session, lenPointer);
- int length = MemoryAccess.getInt(lenPointer);
- id = (length == 0) ? new byte[0] : sessionId.asSegment(length, scope).toByteArray();
- }
+ var allocator = SegmentAllocator.ofScope(state.scope);
+ MemorySegment lenPointer = allocator.allocate(CLinker.C_POINTER);
+ var session = SSL_get_session(state.ssl);
+ MemoryAddress sessionId = SSL_SESSION_get_id(session, lenPointer);
+ int length = MemoryAccess.getInt(lenPointer);
+ id = (length == 0) ? new byte[0] : sessionId.asSegment(length, state.scope).toByteArray();
}
}
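Review bot: `lenPointer` is allocated with `CLinker.C_POINTER` but read with `MemoryAccess.getInt`, and the out-parameter SSL_SESSION_get_id fills is an `unsigned int *len`; `allocator.allocate(CLinker.C_INT)` matches the type that is actually written and read. Since this allocation now lives in `state.scope`, each call retains it until the engine is destroyed rather than releasing it on return; that is the intent stated in the commit message, but if this getter is called per request the retained allocations add up over a long-lived connection, which is worth a comment at the allocation such as `// Allocated in the engine scope: released only when the engine is destroyed`. The enclosing method continues past the end of the hunk.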