mturk 2005/06/10 03:31:09 Modified: jni/native/include ssl_private.h jni/native/src sslnetwork.c Log: Add SSLSocket.create. This creates SSL from CTX. Revision Changes Path 1.23 +3 -1 jakarta-tomcat-connectors/jni/native/include/ssl_private.h Index: ssl_private.h =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v retrieving revision 1.22 retrieving revision 1.23 diff -u -r1.22 -r1.23 --- ssl_private.h 10 Jun 2005 06:44:35 -0000 1.22 +++ ssl_private.h 10 Jun 2005 10:31:09 -0000 1.23 @@ -194,7 +194,9 @@ typedef struct { tcn_ssl_ctxt_t *ctx; SSL *ssl; + X509 *cert; int shutdown_type; + apr_socket_t *sock; } tcn_ssl_conn_t; 1.2 +134 -1 jakarta-tomcat-connectors/jni/native/src/sslnetwork.c Index: sslnetwork.c =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslnetwork.c,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- sslnetwork.c 24 May 2005 10:53:20 -0000 1.1 +++ sslnetwork.c 10 Jun 2005 10:31:09 -0000 1.2 @@ -30,6 +30,139 @@ #ifdef HAVE_OPENSSL #include "ssl_private.h" +#ifdef TCN_DO_STATISTICS +#include "apr_atomic.h" + +static volatile apr_uint32_t ssl_created = 0; +static volatile apr_uint32_t ssl_closed = 0; +static volatile apr_uint32_t ssl_cleared = 0; +static volatile apr_uint32_t ssl_accepted = 0; + +void ssl_network_dump_statistics() +{ + fprintf(stderr, "SSL Network Statistics ..\n"); + fprintf(stderr, "Sockets created : %d\n", ssl_created); + fprintf(stderr, "Sockets accepted : %d\n", ssl_accepted); + fprintf(stderr, "Sockets closed : %d\n", ssl_closed); + fprintf(stderr, "Sockets cleared : %d\n", ssl_cleared); +} + +#endif + +static int ssl_smart_shutdown(SSL *ssl, int shutdown_type) +{ + int i; + int rc = 0; + + switch (shutdown_type) { + case SSL_SHUTDOWN_TYPE_UNCLEAN: + /* perform no close notify handshake at all + * (violates the SSL/TLS standard!) + */ + shutdown_type = SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN; + break; + case SSL_SHUTDOWN_TYPE_ACCURATE: + /* send close notify and wait for clients close notify + * (standard compliant, but usually causes connection hangs) + */ + shutdown_type = 0; + break; + default: + /* + * case SSL_SHUTDOWN_TYPE_UNSET: + * case SSL_SHUTDOWN_TYPE_STANDARD: + * send close notify, but don't wait for clients close notify + * (standard compliant and safe, so it's the DEFAULT!) + */ + shutdown_type = SSL_RECEIVED_SHUTDOWN; + break; + } + + SSL_set_shutdown(ssl, shutdown_type); + /* + * Repeat the calls, because SSL_shutdown internally dispatches through a + * little state machine. Usually only one or two interation should be + * needed, so we restrict the total number of restrictions in order to + * avoid process hangs in case the client played bad with the socket + * connection and OpenSSL cannot recognize it. + * max 2x pending + 2x data = 4 + */ + for (i = 0; i < 4; i++) { + if ((rc = SSL_shutdown(ssl))) + break; + } + return rc; +} + +static apr_status_t ssl_socket_cleanup(void *data) +{ + tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)data; + + if (con) { + if (con->ssl) { + ssl_smart_shutdown(con->ssl, con->shutdown_type); + SSL_free(con->ssl); + con->ssl = NULL; + } + if (con->cert) { + X509_free(con->cert); + con->cert = NULL; + } + if (con->sock) { + apr_socket_close(con->sock); + con->sock = NULL; + } + } + +#ifdef TCN_DO_STATISTICS + apr_atomic_inc32(&ssl_cleared); +#endif + return APR_SUCCESS; +} + +TCN_IMPLEMENT_CALL(jlong, SSLSocket, create)(TCN_STDARGS, jlong ctx, + jlong pool) +{ + tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); + apr_pool_t *p = J2P(pool, apr_pool_t *); + tcn_ssl_conn_t *con; + SSL *ssl; + + UNREFERENCED(o); + TCN_ASSERT(pool != 0); + TCN_ASSERT(ctx != 0); + + if ((con = apr_pcalloc(p, sizeof(tcn_ssl_conn_t))) == NULL) { + tcn_ThrowAPRException(e, apr_get_os_error()); + goto cleanup; + } + if ((ssl = SSL_new(c->ctx)) == NULL) { + char err[256]; + ERR_error_string(ERR_get_error(), err); + tcn_Throw(e, "SSL_new failed (%s)", err); + con = NULL; + goto cleanup; + } + SSL_clear(ssl); + + con->ctx = c; + con->ssl = ssl; + con->shutdown_type = c->shutdown_type; + apr_pool_cleanup_register(p, (const void *)con, + ssl_socket_cleanup, + apr_pool_cleanup_null); + +#ifdef TCN_DO_STATISTICS + ssl_created++; +#endif +cleanup: + return P2J(con); + +} + + + + #else /* OpenSSL is not supported * If someday we make OpenSSL optional
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]