cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c sslutils.c
mturk 2005/06/12 00:33:08 Modified:jni/java/org/apache/tomcat/jni SSL.java jni/native/include ssl_private.h jni/native/src ssl.c sslcontext.c sslutils.c Added: jni/java/org/apache/tomcat/jni PasswordCallback.java Log: Change PasswordCallback instead BIO for obtaining passwords. A single global function is enough. Revision ChangesPath 1.18 +4 -4 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java Index: SSL.java === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- SSL.java 11 Jun 2005 18:16:42 - 1.17 +++ SSL.java 12 Jun 2005 07:33:08 - 1.18 
@@ -220,10 +220,10 @@ public static native int closeBIO(long bio); /** - * Set global Password callback BIO for obtaining passwords. - * @param bio BIO to use. + * Set global Password callback for obtaining passwords. + * @param callback PasswordCallback implementation to use. */ - public static native void setPasswordBIO(long bio); + public static native void setPasswordCallback(PasswordCallback callback); /** * Set global Password for decrypting certificates and keys. 1.1 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/PasswordCallback.java Index: PasswordCallback.java === /* * Copyright 1999-2004 The Apache Software Foundation * * Licensed under the Apache License, Version 2.0 (the License); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an AS IS BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.tomcat.jni; /** PasswordCallback Interface * * @author Mladen Turk * @version $Revision: 1.1 $, $Date: 2005/06/12 07:33:07 $ */ public interface PasswordCallback { /** * Called when the password is required * @param prompt Password prompt * @return Valid password or null */ public String callback(String prompt); } 1.27 +2 -2 jakarta-tomcat-connectors/jni/native/include/ssl_private.h Index: ssl_private.h === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v retrieving revision 1.26 retrieving revision 1.27 diff -u -r1.26 -r1.27 --- ssl_private.h 11 Jun 2005 18:20:10 - 1.26 +++ ssl_private.h 12 Jun 2005 07:33:08 - 1.27 
@@ -168,7 +168,7 @@ typedef struct { charpassword[SSL_MAX_PASSWORD_LEN]; const char *prompt; -BIO*bio; +tcn_callback_t cb; } tcn_pass_cb_t; extern tcn_pass_cb_t tcn_password_callback; 1.35 +21 -11jakarta-tomcat-connectors/jni/native/src/ssl.c Index: ssl.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v retrieving revision 1.34 retrieving revision 1.35 diff -u -r1.34 -r1.35 --- ssl.c 12 Jun 2005 07:01:03 - 1.34 +++ ssl.c 12 Jun 2005 07:33:08 - 1.35 @@ -113,6 +113,12 @@ if (!ssl_initialized) return APR_SUCCESS; ssl_initialized = 0; + +if (tcn_password_callback.cb.obj) { +TCN_UNLOAD_CLASS(tcn_password_callback.cb.env, + tcn_password_callback.cb.obj); +} + SSL_TMP_KEYS_FREE(RSA); SSL_TMP_KEYS_FREE(DH); /* @@ -693,19 +699,23 @@ return APR_SUCCESS; } -TCN_IMPLEMENT_CALL(void, SSL, setPasswordBIO)(TCN_STDARGS, jlong bio) +TCN_IMPLEMENT_CALL(void, SSL, setPasswordCallback)(TCN_STDARGS, + jobject callback) { -BIO *bio_handle = J2P(bio, BIO *); +jclass cls; -UNREFERENCED_STDARGS; -if (tcn_password_callback.bio -tcn_password_callback.bio != bio_handle) { -SSL_BIO_close(tcn_password_callback.bio); -tcn_password_callback.bio = bio_handle; +UNREFERENCED(o); +if (tcn_password_callback.cb.obj) { +TCN_UNLOAD_CLASS(tcn_password_callback.cb.env, + tcn_password_callback.cb.obj); } -else -return;
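Review bot: The shutdown hunk of ssl.c (`@@ -113,6 +113,12 @@`) calls `TCN_UNLOAD_CLASS(tcn_password_callback.cb.env, tcn_password_callback.cb.obj)` with the JNIEnv that was stored in the global `tcn_callback_t cb` when the callback was registered; a JNIEnv is only valid on the thread that obtained it, so if this cleanup runs on a different thread than setPasswordCallback did (a pool cleanup, for instance), releasing the reference through the stored env is undefined. If a JNIEnv for the current thread is reachable there (via TCN_STDARGS or by attaching to the JavaVM), pass that instead, and clear the slot afterwards with `tcn_password_callback.cb.obj = NULL;` so a repeated shutdown cannot release the same reference twice. The same stored-env pattern is repeated in the setPasswordCallback hunk that follows, which is cut off at the end of this message; the enclosing function of the first hunk starts above it.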
cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
mturk 2005/06/11 00:03:45 Modified:jni/examples/org/apache/tomcat/jni SSLServer.java jni/java/org/apache/tomcat/jni SSLSocket.java jni/native/include ssl_private.h jni/native/os/netware system.c jni/native/os/unix system.c jni/native/os/win32 system.c jni/native/src ssl.c sslcontext.c Log: Remove accept and connect. Use two new functions attach and handshake. Revision ChangesPath 1.5 +96 -4 jakarta-tomcat-connectors/jni/examples/org/apache/tomcat/jni/SSLServer.java Index: SSLServer.java === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/examples/org/apache/tomcat/jni/SSLServer.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- SSLServer.java9 Jun 2005 09:13:54 - 1.4 +++ SSLServer.java11 Jun 2005 07:03:45 - 1.5 @@ -17,12 +17,14 @@ public static String serverAddr = null; public static int serverPort= 0; public static int serverNmax= 0; +public static int serverNrun= 0; public static long serverPool = 0; public static long serverCtx= 0; public static String serverCert = null; public static String serverKey = null; public static String serverCiphers = null; public static String serverPassword = null; +private static Acceptor serverAcceptor = null; private static Object threadLock = new Object(); 
@@ -58,15 +60,105 @@ SSLContext.setCipherSuite(serverCtx, serverCiphers); /* Load Server key and certificate */ SSLContext.setCertificate(serverCtx, serverCert, serverKey, serverPassword, SSL.SSL_AIDX_RSA); -SSLContext.setVerifyDepth(serverCtx, 10); -SSLContext.setVerifyClient(serverCtx, SSL.SSL_CVERIFY_REQUIRE); - +SSLContext.setVerify(serverCtx, SSL.SSL_CVERIFY_REQUIRE, 10); +serverAcceptor = new Acceptor(); +serverAcceptor.start(); + } catch (Exception e) { e.printStackTrace(); } } +public static void incThreads() { +synchronized(threadLock) { +serverNrun++; +} +} + +public static void decThreads() { +synchronized(threadLock) { +serverNrun--; +} +} + +/* Acceptor thread. Listens for new connections */ +private class Acceptor extends Thread { +private long serverSock = 0; +private long inetAddress = 0; +private long pool = 0; +public Acceptor() throws Exception { +try { + +pool = Pool.create(SSLServer.serverPool); +System.out.println(Accepting: + SSLServer.serverAddr + : + + SSLServer.serverPort); +inetAddress = Address.info(SSLServer.serverAddr, Socket.APR_INET, + SSLServer.serverPort, 0, + pool); +serverSock = Socket.create(Socket.APR_INET, Socket.SOCK_STREAM, + Socket.APR_PROTO_TCP, pool); +long sa = Address.get(Socket.APR_LOCAL, serverSock); +Sockaddr addr = new Sockaddr(); +if (Address.fill(addr, sa)) { +System.out.println(Host: + addr.hostname); +System.out.println(Server: + addr.servname); +System.out.println(IP: + Address.getip(sa) + + : + addr.port); +} +int rc = Socket.bind(serverSock, inetAddress); +if (rc != 0) { + throw(new Exception(Can't create Acceptor: bind: + Error.strerror(rc))); +} +Socket.listen(serverSock, 5); +} +catch( Exception ex ) { +ex.printStackTrace(); +throw(new Exception(Can't create Acceptor)); +} +} +public void run() { +int i = 0; +try { +while (true) { +long clientSock = Socket.accept(serverSock, pool); +System.out.println(Accepted id: + i); + +try { +long sa = Address.get(Socket.APR_REMOTE, clientSock); +Sockaddr raddr = new 
Sockaddr(); +if (Address.fill(raddr, sa)) { +System.out.println(Remote Host: + Address.getnameinfo(sa, 0)); +System.out.println(Remote IP: + Address.getip(sa) + +
cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
mturk 2005/06/11 11:22:25 Modified:jni/native/src ssl.c sslcontext.c Log: Native part of changes in SSL.java and SSLContext.java Revision ChangesPath 1.33 +9 -1 jakarta-tomcat-connectors/jni/native/src/ssl.c Index: ssl.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v retrieving revision 1.32 retrieving revision 1.33 diff -u -r1.32 -r1.33 --- ssl.c 11 Jun 2005 07:03:45 - 1.32 +++ ssl.c 11 Jun 2005 18:22:25 - 1.33 @@ -760,6 +760,14 @@ return r; } +TCN_IMPLEMENT_CALL(jstring, SSL, getLastError)(TCN_STDARGS) +{ +char buf[256]; +UNREFERENCED(o); +ERR_error_string(ERR_get_error(), buf); +return tcn_new_string(e, buf, -1); +} + #else /* OpenSSL is not supported * If someday we make OpenSSL optional 1.34 +16 -6 jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.33 retrieving revision 1.34 diff -u -r1.33 -r1.34 --- sslcontext.c 11 Jun 2005 07:03:45 - 1.33 +++ sslcontext.c 11 Jun 2005 18:22:25 - 1.34 @@ -145,11 +145,11 @@ */ SSL_CTX_set_options(c-ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); #endif -/* Default vhost id and cache size */ +/* Default session context id and cache size */ SSL_CTX_sess_set_cache_size(c-ctx, SSL_DEFAULT_CACHE_SIZE); MD5((const unsigned char *)SSL_DEFAULT_VHOST_NAME, (unsigned long)(sizeof(SSL_DEFAULT_VHOST_NAME) - 1), -(c-vhost_id[0])); +(c-context_id[0])); if (mode) { SSL_CTX_set_tmp_rsa_callback(c-ctx, SSL_callback_tmp_RSA); SSL_CTX_set_tmp_dh_callback(c-ctx, SSL_callback_tmp_DH); @@ -185,8 +185,8 @@ return apr_pool_cleanup_run(c-pool, c, ssl_context_cleanup); } -TCN_IMPLEMENT_CALL(void, SSLContext, setVhostId)(TCN_STDARGS, jlong ctx, - jstring id) +TCN_IMPLEMENT_CALL(void, SSLContext, setContextId)(TCN_STDARGS, jlong ctx, + jstring id) { tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); TCN_ALLOC_CSTRING(id); 
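Review bot: `ERR_error_string(ERR_get_error(), buf)` in the new getLastError writes into a fixed `char buf[256]` without passing its size; the bounded form `ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));` should be used so the formatted error text can never overrun the buffer. The name also overstates what the call does: `ERR_get_error()` pops the earliest queued error for the calling thread, not the latest, and yields an all-zero "error:00000000..." string when the queue is empty, so a comment such as `/* Pops the oldest entry from this thread's OpenSSL error queue; returns the zero-error string when nothing is queued */` would keep Java callers from misreading the result. The sslcontext.c hunks of this commit that follow are only renames (vhost_id to context_id) apart from the verify-path change, which is addressed in a separate note.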
@@ -196,7 +196,7 @@ if (J2S(id)) { MD5((const unsigned char *)J2S(id), (unsigned long)strlen(J2S(id)), -(c-vhost_id[0])); +(c-context_id[0])); } TCN_FREE_CSTRING(id); } @@ -363,6 +363,7 @@ rv = JNI_FALSE; goto cleanup; } +c-store = SSL_CTX_get_cert_store(c-ctx); if (c-mode) { STACK_OF(X509_NAME) *ca_certs; c-ca_certs++; @@ -425,6 +426,15 @@ if ((c-verify_mode == SSL_CVERIFY_OPTIONAL) || (c-verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) verify |= SSL_VERIFY_PEER; +if (!c-store) { +if (SSL_CTX_set_default_verify_paths(c-ctx)) { +c-store = SSL_CTX_get_cert_store(c-ctx); +X509_STORE_set_flags(c-store, 0); +} +else { +/* XXX: See if this is fatal */ +} +} SSL_CTX_set_verify(c-ctx, verify, SSL_callback_SSL_verify); } - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
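Review bot: In the `@@ -425,6 +426,15 @@` hunk the `else { /* XXX: See if this is fatal */ }` branch leaves `c->store` NULL when `SSL_CTX_set_default_verify_paths` fails and then continues into `SSL_CTX_set_verify` with peer verification enabled but no trust store loaded; the failure should at least be surfaced rather than dropped, e.g. write the OpenSSL error queue to `c->bio_os` there, so that an operator can tell why client certificates are not being validated (the getLastError call added in ssl.c by this same commit would expose it too). `X509_STORE_set_flags(c->store, 0)` on the success path is a no-op: OpenSSL ORs the argument into the store's existing flags, so passing 0 changes nothing and the line should either go or carry the flag that was actually intended. The enclosing setVerify header is outside the hunk; the `c->store = SSL_CTX_get_cert_store(c->ctx)` assignment in `@@ -363,6 +363,7 @@` is consistent with this path.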
Re: cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
[EMAIL PROTECTED] wrote: jfclere 2005/06/08 09:52:58 Modified:jni/examples/org/apache/tomcat/jni SSLServer.java jni/java/org/apache/tomcat/jni BIOCallback.java SSL.java SSLContext.java jni/native/src ssl.c sslcontext.c Log: Change the BIOCallback interface to use write(byte[] buf) and read(byte[] buf); Add SSL_accept to do the client handshake. Arrange the corresponding example. +++ CUT +++ Hi, I am not 100% happy with the code. Mladen already asked me to rollback the changes. I think the worst thing is the setSock() I have added to BIOCallback. My idea is/was to use BIOCallback or a similar interface to be able to use openssl either with normal JAVA sockets or APR native ones. Comments? Cheers Jean-Frederic - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
jean-frederic clere wrote: [EMAIL PROTECTED] wrote: Log: Change the BIOCallback interface to use write(byte[] buf) and read(byte[] buf); Add SSL_accept to do the client handshake. Arrange the corresponding example. +++ CUT +++ Hi, I am not 100% happy with the code. Mladen already asked me to rollback the changes. I think the worst thing is setSock() I have added to BIOCallback. Yes please rollback. My idea is/was to use BIOCallback or a similar interface to be able to openssl either with normal JAVA sockets or APR native ones. I plan to create the SSLSocket that will use created Socket (here I speak about Native sockets only) then obtain apr_os_sock_t and then do a SSL accept on that accepted socket. SSLSocket.create will create tcn_ssl_t from SSLContext and will contain both apr_sock_t* and SSL*. We need APR socket to be able to do the polling on the SSL sockets as well. Please give me a day or two to finish the skeleton implementation, that will do a basic s_server/s_client. BIOCallback will be used only for: 1. Password callbacks 2. Error logging 3. Custom byte streams for certificate data contained in non file system storage. For example right now we have: SSLContext.setCertificate(..., file, ...) I plan to add the: SSLContext.setCertificate(..., BIOCallback, ...) read/write callback methods could be used for reading certificate data from database blobs, or directly from keystorage. Regards, Mladen. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
- Original Message - From: jean-frederic clere [EMAIL PROTECTED] To: Tomcat Developers List tomcat-dev@jakarta.apache.org Sent: Thursday, June 09, 2005 12:20 AM Subject: Re: cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c [EMAIL PROTECTED] wrote: jfclere 2005/06/08 09:52:58 Modified:jni/examples/org/apache/tomcat/jni SSLServer.java jni/java/org/apache/tomcat/jni BIOCallback.java SSL.java SSLContext.java jni/native/src ssl.c sslcontext.c Log: Change the BIOCallback interface to use write(byte[] buf) and read(byte[] buf); Add SSL_accept to do the client handshake. Arrange the corresponding example. +++ CUT +++ Hi, I am not 100% happy with the code. Mladen already asked me to rollback the changes. I think the worst thing is setSock() I have added to BIOCallback. My idea is/was to use BIOCallback or a similar interface to be able to openssl either with normal JAVA sockets or APR native ones. Comments? It looked OK to me. Basically it's the APR implementation of SSLEngine. Don't really see a problem. Of course, I don't really care about the APR-SSL Connector one way or the other. Since the config is the same as for mod_ssl, there is absolutely no reason to not simply use mod_ssl instead. If I just wanted the native-code optimizations, I'd use PureTLS instead. Cheers Jean-Frederic - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments. In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. 
Re: cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
Bill Barker wrote: I am not 100% happy with the code. Mladen already asked me to rollback the changes. It looked OK to me. Basically it's the APR implementation of SSLEngine. Don't really see a problem. It does not, because it should fit inside the APR standard socket implementation. Having callbacks would actually make a thing way slower, because we would have to call the native, and from the native call the Java that would call back the native again. Of course, I don't really care about the APR-SSL Connector one way or the other. Since the config is the same as for mod_ssl, there is absolutely no reason to not simply use mod_ssl instead. If I just wanted the native-code optimizations, I'd use PureTLS instead. It's not an APR-SSL connector, but rather the SSL support for the APR connector. Since all that is optional feel free to just not use it :) Regards, Mladen. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
jfclere 2005/06/09 02:13:55 Modified:jni/examples/org/apache/tomcat/jni SSLServer.java jni/java/org/apache/tomcat/jni BIOCallback.java SSL.java SSLContext.java jni/native/src ssl.c sslcontext.c Log: Undo my previous commit. Revision ChangesPath 1.4 +1 -52 jakarta-tomcat-connectors/jni/examples/org/apache/tomcat/jni/SSLServer.java Index: SSLServer.java === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/examples/org/apache/tomcat/jni/SSLServer.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- SSLServer.java8 Jun 2005 16:52:57 - 1.3 +++ SSLServer.java9 Jun 2005 09:13:54 - 1.4 @@ -47,27 +47,6 @@ } } -private class CallBack implements BIOCallback { -long clientSock = 0; -public int write(byte [] buf) { -return(Socket.send(clientSock, buf, 0, buf.length)); -} -public int read(byte [] buf) { -return(Socket.recv(clientSock, buf, 0, buf.length)); -} -public int puts(String data) { -System.out.println(CallBack.puts); -return -1; -} -public String gets(int len) { -System.out.println(CallBack.gets); -return ; -} -public void setsock(long sock) { -clientSock = sock; -} -} - public SSLServer() { int i; 
@@ -81,36 +60,6 @@ SSLContext.setCertificate(serverCtx, serverCert, serverKey, serverPassword, SSL.SSL_AIDX_RSA); SSLContext.setVerifyDepth(serverCtx, 10); SSLContext.setVerifyClient(serverCtx, SSL.SSL_CVERIFY_REQUIRE); - -CallBack SSLCallBack = new CallBack(); -long callback = SSL.newBIO(serverPool, SSLCallBack); -/* -SSLContext.setBIO(serverCtx, callback, 1); -SSLContext.setBIO(serverCtx, callback, 0); - */ -long serverSSL = SSL.make(serverCtx, callback, callback); - -long serverSock = Socket.create(Socket.APR_INET, Socket.SOCK_STREAM, -Socket.APR_PROTO_TCP, serverPool); -long inetAddress = Address.info(SSLServer.serverAddr, Socket.APR_INET, SSLServer.serverPort, 0, serverPool); -int rc = Socket.bind(serverSock, inetAddress); -if (rc != 0) { -throw(new Exception(Can't bind: + Error.strerror(rc))); -} -Socket.listen(serverSock, 5); -long clientSock = Socket.accept(serverSock, serverPool); -long sa = Address.get(Socket.APR_REMOTE, clientSock); -Sockaddr raddr = new Sockaddr(); -if (Address.fill(raddr, sa)) { -System.out.println(Remote Host: + Address.getnameinfo(sa, 0)); -System.out.println(Remote IP: + Address.getip(sa) + - : + raddr.port); -} -SSLCallBack.setsock(clientSock); -int retcode = SSL.accept(serverSSL); -if (retcode=0) { -throw(new Exception(Can't SSL accept: + SSLContext.geterror(serverCtx, retcode))); -} } catch (Exception e) { e.printStackTrace(); 1.3 +7 -7 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/BIOCallback.java Index: BIOCallback.java === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/BIOCallback.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- BIOCallback.java 8 Jun 2005 16:52:58 - 1.2 +++ BIOCallback.java 9 Jun 2005 09:13:54 - 1.3 
@@ -26,17 +26,17 @@ /** * Write data - * @param buf containg the bytes to write. - * @return Number of characters written. + * @param data String to write + * @return Number of characters written */ -public int write(byte [] buf); +public int write(String data); /** * Read data - * @param buf buffer to store the read bytes. - * @return number of bytes read. + * @param len Maximum number of characters to read + * @return String with up to len bytes readed */ -public int read(byte [] buf); +public String read(int len); /** * Puts string 1.15 +1 -16 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java Index: SSL.java === RCS file:
Re: cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
Mladen Turk wrote: Bill Barker wrote: I am not 100% happy with the code. Mladen already asked me to rollback the changes. It looked OK to me. Basically it's the APR implementation of SSLEngine. Don't really see a problem. It does not, because it should fit inside the APR standard socket implementation. Having callbacks would actually make a thing way slower, because we would have to call the native, and from the native call the Java that would call back the native again. Well we just need a nativeBIO and a javaBIO. Of course, I don't really care about the APR-SSL Connector one way or the other. Since the config is the same as for mod_ssl, there is absolutely no reason to not simply use mod_ssl instead. If I just wanted the native-code optimizations, I'd use PureTLS instead. It's not an APR-SSL connector, but rather the SSL support for the APR connector. Since all that is optional feel free to just not use it :) Regards, Mladen. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
jean-frederic clere wrote: It does not, because it should fit inside the APR standard socket implementation. Having callbacks would actually make a thing way slower, because we would have to call the native, and from the native call the Java that would call back the native again. Well we just need a nativeBIO and a javaBIO. The plan is to use the: 1. apr_sock_accept/connect 2. obtain a os_sock 3. Make a BIO with os_sock_t 4. Use APR for socket_opt_set/socket_opt_get 5. Do a SSL_accept/SSL_connect 6. Make verify/handshake 7. use SSL_write/SSL_read for I/O. All that will use the poller and the pool cleanup. The Java part will go to the SSLSocket with the Socket API with specific read* and write* Regards, Mladen. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
Mladen Turk wrote: jean-frederic clere wrote: It does not, because it should fit inside the APR standard socket implementation. Having callbacks would actually make a thing way slower, because we would have to call the native, and from the native call the Java that would call back the native again. Well we just need a nativeBIO and a javaBIO. The plan is to use the: 1. apr_sock_accept/connect 2. obtain a os_sock 3. Make a BIO with os_sock_t 4. Use APR for socket_opt_set/socket_opt_get 5. Do a SSL_accept/SSL_connect 6. Make verify/handshake 7. use SSL_write/SSL_read for I/O. All that will use the poller and the pool cleanup. The Java part will go to the SSLSocket with the Socket API with specific read* and write* OK, I will create a SSLBIO.java/sslbio.c to go on testing/experimenting with the BIOCallback; the interest there is to use a hardware accelerator with openssl. Regards, Mladen. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
jean-frederic clere wrote: OK, I will create a SSLBIO.java/sslbio.c to go on testing/experimenting using with the BIOCallback, the interest there is to use an hardware accelator with openssl. Please, can you give me a day to finish the initial implementation. Hardware accelerator is used by default on SSL.initialize(egineName) Once again, can you hold off on adding new files? Thanks, Mladen. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c
jfclere 2005/06/08 09:52:58 Modified:jni/examples/org/apache/tomcat/jni SSLServer.java jni/java/org/apache/tomcat/jni BIOCallback.java SSL.java SSLContext.java jni/native/src ssl.c sslcontext.c Log: Change the BIOCallback interface to use write(byte[] buf) and read(byte[] buf); Add SSL_accept to do the client handshake. Arrange the corresponding example. Revision ChangesPath 1.3 +52 -1 jakarta-tomcat-connectors/jni/examples/org/apache/tomcat/jni/SSLServer.java Index: SSLServer.java === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/examples/org/apache/tomcat/jni/SSLServer.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- SSLServer.java7 Jun 2005 09:16:59 - 1.2 +++ SSLServer.java8 Jun 2005 16:52:57 - 1.3 @@ -47,6 +47,27 @@ } } +private class CallBack implements BIOCallback { +long clientSock = 0; +public int write(byte [] buf) { +return(Socket.send(clientSock, buf, 0, buf.length)); +} +public int read(byte [] buf) { +return(Socket.recv(clientSock, buf, 0, buf.length)); +} +public int puts(String data) { +System.out.println(CallBack.puts); +return -1; +} +public String gets(int len) { +System.out.println(CallBack.gets); +return ; +} +public void setsock(long sock) { +clientSock = sock; +} +} + public SSLServer() { int i; 
@@ -60,6 +81,36 @@ SSLContext.setCertificate(serverCtx, serverCert, serverKey, serverPassword, SSL.SSL_AIDX_RSA); SSLContext.setVerifyDepth(serverCtx, 10); SSLContext.setVerifyClient(serverCtx, SSL.SSL_CVERIFY_REQUIRE); + +CallBack SSLCallBack = new CallBack(); +long callback = SSL.newBIO(serverPool, SSLCallBack); +/* +SSLContext.setBIO(serverCtx, callback, 1); +SSLContext.setBIO(serverCtx, callback, 0); + */ +long serverSSL = SSL.make(serverCtx, callback, callback); + +long serverSock = Socket.create(Socket.APR_INET, Socket.SOCK_STREAM, +Socket.APR_PROTO_TCP, serverPool); +long inetAddress = Address.info(SSLServer.serverAddr, Socket.APR_INET, SSLServer.serverPort, 0, serverPool); +int rc = Socket.bind(serverSock, inetAddress); +if (rc != 0) { +throw(new Exception(Can't bind: + Error.strerror(rc))); +} +Socket.listen(serverSock, 5); +long clientSock = Socket.accept(serverSock, serverPool); +long sa = Address.get(Socket.APR_REMOTE, clientSock); +Sockaddr raddr = new Sockaddr(); +if (Address.fill(raddr, sa)) { +System.out.println(Remote Host: + Address.getnameinfo(sa, 0)); +System.out.println(Remote IP: + Address.getip(sa) + + : + raddr.port); +} +SSLCallBack.setsock(clientSock); +int retcode = SSL.accept(serverSSL); +if (retcode=0) { +throw(new Exception(Can't SSL accept: + SSLContext.geterror(serverCtx, retcode))); +} } catch (Exception e) { e.printStackTrace(); 1.2 +7 -7 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/BIOCallback.java Index: BIOCallback.java === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/BIOCallback.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- BIOCallback.java 1 Jun 2005 08:20:43 - 1.1 +++ BIOCallback.java 8 Jun 2005 16:52:58 - 1.2 
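Review bot: The `@@ -60,6 +81,36 @@` hunk throws on a failed `SSL.accept(serverSSL)` without releasing `clientSock`, `serverSock` or `serverSSL`, so a rejected handshake leaves the listening socket and the accepted connection alive in `serverPool` until that pool is destroyed; if the Socket and SSL APIs expose close/shutdown calls (not visible in this diff), they belong in a finally block around the accept path. The commented-out `SSLContext.setBIO(serverCtx, callback, 1); / SSLContext.setBIO(serverCtx, callback, 0);` block should be deleted rather than shipped in the example. `SSL.make(serverCtx, callback, callback)` hands the same BIO object to both the read and the write side; if that is intentional a one-line comment saying so would spare the next reader the question. The enclosing constructor starts outside the hunk.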
@@ -26,17 +26,17 @@ /** * Write data - * @param data String to write - * @return Number of characters written + * @param buf containg the bytes to write. + * @return Number of characters written. */ -public int write(String data); +public int write(byte [] buf); /** * Read data - * @param len Maximum number of characters to read - * @return String with up to len bytes readed + * @param buf buffer to store the read bytes. + * @return number of bytes read. */ -public String read(int len); +public int read(byte [] buf); /** * Puts string 1.14 +16 -1 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java
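Review bot: The new Javadoc for `write(byte [] buf)` still says `@return Number of characters written.` although the parameter is now a byte array; `@return Number of bytes written.` would match the `@return number of bytes read.` wording on `read(byte [] buf)` in the same hunk. It is also worth stating in the `@param buf` line whether the whole array is written or only up to the returned count, since the interface is implemented in Java and consumed from native code.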
cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c sslutils.c
mturk 2005/06/07 04:05:07 Modified:jni/native/include ssl_private.h jni/native/src ssl.c sslcontext.c sslutils.c Log: Add global password callback handle. In case we set the callback BIO per context then it will be used to allow multple passwords and keys per vhost base. Since context are created from single thread we can have multiple passwords without setting per context BIO. Revision ChangesPath 1.18 +9 -3 jakarta-tomcat-connectors/jni/native/include/ssl_private.h Index: ssl_private.h === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- ssl_private.h 7 Jun 2005 09:13:22 - 1.17 +++ ssl_private.h 7 Jun 2005 11:05:07 - 1.18 @@ -118,6 +118,10 @@ #define SSL_CVERIFY_OPTIONAL_NO_CA (3) #define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) +#define SSL_DEFAULT_PASS_PROMPT Some of your private key files are encrypted for security reasons.\n \ +In order to read them you have to provide the pass phrases.\n \ +Enter password : + extern void *SSL_temp_keys[SSL_TMP_KEY_MAX]; typedef struct { @@ -132,9 +136,11 @@ typedef struct { charpassword[SSL_MAX_PASSWORD_LEN]; const char *prompt; -tcn_ssl_ctxt_t *ctx; +BIO*bio; } tcn_pass_cb_t; +extern tcn_pass_cb_t tcn_password_callback; + struct tcn_ssl_ctxt_t { apr_pool_t *pool; SSL_CTX *ctx; @@ -162,7 +168,7 @@ int verify_depth; int verify_mode; void*temp_keys[SSL_TMP_KEY_MAX]; -tcn_pass_cb_t password; +tcn_pass_cb_t *cb_data; }; typedef struct { 1.21 +4 -1 jakarta-tomcat-connectors/jni/native/src/ssl.c Index: ssl.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v retrieving revision 1.20 retrieving revision 1.21 diff -u -r1.20 -r1.21 --- ssl.c 6 Jun 2005 08:14:50 - 1.20 +++ ssl.c 7 Jun 2005 11:05:07 - 1.21 @@ -37,6 +37,7 @@ ENGINE *tcn_ssl_engine = NULL; void *SSL_temp_keys[SSL_TMP_KEY_MAX]; +tcn_pass_cb_t tcn_password_callback; /* * Handle the Temporary RSA Keys and DH Params 
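Review bot: The global `tcn_pass_cb_t tcn_password_callback` defined in the ssl.c hunk `@@ -37,6 +37,7 @@` carries a `char password[SSL_MAX_PASSWORD_LEN]` member (ssl_private.h hunk `@@ -132,9 +136,11 @@`) that keeps a pass phrase in clear in process memory for the lifetime of the library; this commit only zeroes it at initialize and nothing wipes it once the keys have been loaded or at shutdown. A comment on the definition such as `/* Process-wide password callback state; password[] holds the pass phrase in clear and must be wiped once keys are loaded */` plus an explicit clear in the shutdown path would document and narrow that exposure (a plain memset on memory about to be discarded can be optimized away, so a non-elidable clear is preferable where available). The remaining hunks here are the `SSL_DEFAULT_PASS_PROMPT` macro and the `tcn_pass_cb_t *cb_data` pointer change, which are consistent with the sslcontext.c hunks that follow.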
@@ -404,6 +405,8 @@ tcn_ssl_engine = ee; } #endif + +memset(tcn_password_callback, 0, sizeof(tcn_pass_cb_t)); /* Initialize PRNG * This will in most cases call the builtin * low entropy seed. 1.27 +15 -8 jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.26 retrieving revision 1.27 diff -u -r1.26 -r1.27 --- sslcontext.c 7 Jun 2005 09:57:22 - 1.26 +++ sslcontext.c 7 Jun 2005 11:05:07 - 1.27 @@ -123,7 +123,6 @@ c-ctx = ctx; c-pool = p; c-bio_os = BIO_new(BIO_s_file()); -c-password.ctx = c; if (c-bio_os != NULL) BIO_set_fp(c-bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT); SSL_CTX_set_options(c-ctx, SSL_OP_ALL); @@ -162,7 +161,7 @@ /* Set default password callback */ SSL_CTX_set_default_passwd_cb(c-ctx, (pem_password_cb *)SSL_password_callback); -SSL_CTX_set_default_passwd_cb_userdata(c-ctx, (void *)(c-password)); +SSL_CTX_set_default_passwd_cb_userdata(c-ctx, (void *)(tcn_password_callback)); /* * Let us cleanup the ssl context when the pool is destroyed */ @@ -214,9 +213,12 @@ c-bio_os = bio_handle; } else if (dir == 1) { -if (c-bio_os c-bio_is != bio_handle) +if (c-bio_is c-bio_is != bio_handle) SSL_BIO_close(c-bio_is); -c-bio_os = bio_handle; +c-bio_is = bio_handle; +if (!c-cb_data) +c-cb_data = (tcn_pass_cb_t *)apr_pcalloc(c-pool, sizeof(tcn_pass_cb_t)); +c-cb_data-bio = bio_handle; } else return; @@ -426,6 +428,7 @@ { BIO *bio = NULL; EVP_PKEY *key = NULL; +void *cb_data = c-cb_data; if ((bio = BIO_new(BIO_s_file())) == NULL) { return NULL; @@ -434,9 +437,11 @@ BIO_free(bio); return NULL; } +if (!cb_data) +cb_data = tcn_password_callback; key = PEM_read_bio_PrivateKey(bio, NULL, (pem_password_cb *)SSL_password_callback, -(void
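Review bot: In the sslcontext.c hunk `@@ -214,9 +213,12 @@` `c->cb_data` is allocated with `apr_pcalloc` and only its `bio` member is set, so `cb_data->prompt` stays NULL and `password[]` stays empty for that context while the later `@@ -426`/`@@ -434` hunks pass the struct to `SSL_password_callback`; if that callback (in sslutils.c, not shown in this diff) prints `prompt` without a NULL check it would dereference NULL, so set `c->cb_data->prompt = SSL_DEFAULT_PASS_PROMPT;` right after the allocation or default it inside the callback. The corrected condition on the same lines (`c->bio_is && c->bio_is != bio_handle`, where the old code tested `bio_os`) and the `c->bio_is = bio_handle` assignment look right. The hunk sits inside setBIO whose header is outside this view, and the final `@@ -434` hunk of the file is cut off at the end of the message.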
cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c sslutils.c
mturk 2005/06/02 00:44:39 Modified:jni/java/org/apache/tomcat/jni SSLContext.java jni/native/include ssl_private.h jni/native/src ssl.c sslcontext.c sslutils.c Log: Add more configuration directives to SSL Context. Revision ChangesPath 1.9 +126 -1 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java Index: SSLContext.java === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- SSLContext.java 1 Jun 2005 12:36:24 - 1.8 +++ SSLContext.java 2 Jun 2005 07:44:38 - 1.9 
@@ -118,4 +118,129 @@ */ public static native void setQuietShutdown(long ctx, boolean mode); +/** + * Cipher Suite available for negotiation in SSL handshake. + * br / + * This complex directive uses a colon-separated cipher-spec string consisting + * of OpenSSL cipher specifications to configure the Cipher Suite the client + * is permitted to negotiate in the SSL handshake phase. Notice that this + * directive can be used both in per-server and per-directory context. + * In per-server context it applies to the standard SSL handshake when a + * connection is established. In per-directory context it forces a SSL + * renegotation with the reconfigured Cipher Suite after the HTTP request + * was read but before the HTTP response is sent. + * @param ctx Server or Client context to use. + * @param ciphers An SSL cipher specification. + */ +public static native boolean setCipherSuite(long ctx, String ciphers); + +/** + * Set Directory of PEM-encoded CA Certificates for Client Auth + * br / + * This directive sets the directory where you keep the Certificates of + * Certification Authorities (CAs) whose clients you deal with. These are + * used to verify the client certificate on Client Authentication. + * br / + * The files in this directory have to be PEM-encoded and are accessed through + * hash filenames. So usually you can't just place the Certificate files there: + * you also have to create symbolic links named hash-value.N. And you should + * always make sure this directory contains the appropriate symbolic links. + * Use the Makefile which comes with mod_ssl to accomplish this task. + * @param ctx Server or Client context to use. + * @param path Directory of PEM-encoded CA Certificates for Client Auth. 
+ */ +public static native boolean setCARevocationPath(long ctx, String path); + +/** + * Set File of concatenated PEM-encoded CA CRLs for Client Auth + * br / + * This directive sets the all-in-one file where you can assemble the + * Certificate Revocation Lists (CRL) of Certification Authorities (CA) + * whose clients you deal with. These are used for Client Authentication. + * Such a file is simply the concatenation of the various PEM-encoded CRL + * files, in order of preference. This can be used alternatively and/or + * additionally to codesetCARevocationPath/code. + * @param ctx Server or Client context to use. + * @param file File of concatenated PEM-encoded CA CRLs for Client Auth. + */ +public static native boolean setCARevocationFile(long ctx, String file); + +/** + * Set File of PEM-encoded Server CA Certificates + * br / + * This directive sets the optional all-in-one file where you can assemble the + * certificates of Certification Authorities (CA) which form the certificate + * chain of the server certificate. This starts with the issuing CA certificate + * of of the server certificate and can range up to the root CA certificate. + * Such a file is simply the concatenation of the various PEM-encoded CA + * Certificate files, usually in certificate chain order. + * br / + * But be careful: Providing the certificate chain works only if you are using + * a single (either RSA or DSA) based server certificate. If you are using a + * coupled RSA+DSA certificate pair, this will work only if actually both + * certificates use the same certificate chain. Else the browsers will be + * confused in this situation. + * @param ctx Server or Client context to use. + * @param file File of PEM-encoded Server CA Certificates. + */ +public static native boolean setCertificateChainFile(long ctx, String file); + +/** + * Set Server Certificate + * br / + * Point setCertificateFile at a PEM encoded certificate. 
If + * the certificate is encrypted, then you will be prompted for a + * pass phrase. Note
cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c sslutils.c
mturk 2005/06/01 01:19:39 Modified:jni/java/org/apache/tomcat/jni SSLContext.java jni/native/include ssl_private.h jni/native/src ssl.c sslcontext.c sslutils.c Log: Add functions for setting error and password prompt BIO callbacks. Revision ChangesPath 1.4 +34 -1 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java Index: SSLContext.java === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- SSLContext.java 1 Jun 2005 06:38:09 - 1.3 +++ SSLContext.java 1 Jun 2005 08:19:39 - 1.4 
@@ -61,6 +61,39 @@ * @return APR Status code. */ public static native int free(long ctx); + +/** + * Set Virtual host id. Usually host:port combination. + * @param ctx Context to use. + * @param id String that uniquely identifies this context. + */ + public static native void setVhostId(long ctx, String id); + +/** + * Asssociate BIOCallback for error reporting. + * br / + * First word in the output string will contain error + * level in the form: + * PRE + * [ERROR] -- Critical error messages + * [WARN] -- Varning messages + * [INFO] -- Informational messages + * [DEBUG] -- Debugging messaged + * /PRE + * Callback can use that word to determine application logging level + * by intercepting bwrite/b call. + * If the bbio/b is set to 0 no error messages will be displayed. + * Default is to use the stderr output stream. + * @param ctx Server or Client context to use. + * @param bio BIO handle to use, created with SSL.newBIO + */ + public static native void setErrBIO(long ctx, long bio); +/** + * Asssociate BIOCallback for Password prompting. + * @param ctx Server or Client context to use. + * @param bio BIO handle to use, created with SSL.newBIO + */ + public static native void setPPromptBIO(long ctx, long bio); } 1.6 +4 -2 jakarta-tomcat-connectors/jni/native/include/ssl_private.h Index: ssl_private.h === RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- ssl_private.h 1 Jun 2005 06:38:09 - 1.5 +++ ssl_private.h 1 Jun 2005 08:19:39 - 1.6 @@ -110,6 +110,8 @@ struct tcn_ssl_ctxt { apr_pool_t *pool; SSL_CTX *ctx; +BIO *bio_err; +BIO *pprompt; unsigned char vhost_id[MD5_DIGEST_LENGTH]; int protocol; 
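Review bot: The javadoc added for setErrBIO and setPPromptBIO does not say who owns the BIO handle once it is passed in, although the sslcontext.c @@ -53 hunk in this commit BIO_frees it when the context is cleaned up; a sentence such as `The context keeps the handle and releases it when the context is freed; do not pass one handle to several contexts.` would tell callers what is safe. The same block has typos: `Asssociate` (twice), `Varning` and `messaged`.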
@@ -144,6 +146,6 @@
 voidSSL_init_app_data2_idx(void);
 void *SSL_get_app_data2(SSL *);
 voidSSL_set_app_data2(SSL *, void *);
-
+int SSL_password_prompt(tcn_ssl_ctxt_t *, char *, int);
 #endif /* SSL_PRIVATE_H */
1.15 +2 -2 jakarta-tomcat-connectors/jni/native/src/ssl.c
Index: ssl.c
===
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- ssl.c 1 Jun 2005 06:38:09 - 1.14
+++ ssl.c 1 Jun 2005 08:19:39 - 1.15
@@ -438,8 +438,8 @@
 TCN_UNLOAD_CLASS(j-cb.env, j-cb.obj);
 }
 bi-init = 0;
+OPENSSL_free(bi-ptr);
 }
-OPENSSL_free(bi-ptr);
 bi-ptr = NULL;
 return 1;
 }
1.5 +67 -4 jakarta-tomcat-connectors/jni/native/src/sslcontext.c
Index: sslcontext.c
===
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- sslcontext.c 1 Jun 2005 06:35:26 - 1.4
+++ sslcontext.c 1 Jun 2005 08:19:39 - 1.5
@@ -53,9 +53,16 @@
 }
 }
 }
-else {
+else if (c-pk.c.certs) {
 sk_X509_INFO_pop_free(c-pk.c.certs, X509_INFO_free);
+c-pk.c.certs = NULL;
 }
+if (c-pprompt)
+BIO_free(c-pprompt);
+c-pprompt = NULL;
+if (c-bio_err)
+BIO_free(c-bio_err);
+c-bio_err = NULL;
 }
 return APR_SUCCESS;
 }
@@ -98,7 +105,14 @@
 c-mode = 1;
 c-ctx = ctx;
 c-pool = p;
-
+c-bio_err = BIO_new(BIO_s_file());
+c-pprompt = BIO_new(BIO_s_file());
+
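Review bot: The cleanup added in the sslcontext.c @@ -53 hunk calls BIO_free on `c->pprompt` and `c->bio_err` regardless of where the handle came from, while Java-created BIOs are registered with an APR pool cleanup on the ssl.c side (`apr_pool_cleanup_register(j->pool, bio, ...)` is visible as context in the ssl.c @@ -552 hunk further down this page, and closeBIO runs that cleanup); a handle passed in through setErrBIO/setPPromptBIO is therefore freed here and again when its pool is cleared or closeBIO is called, and a handle given to two contexts is freed once per context. The release should go through one owner-aware path rather than a raw BIO_free (the 1.16 revision below introduces SSL_BIO_close with a reference count for this), and the javadoc of the two setters should state who frees the handle. The enclosing cleanup function begins outside the hunk.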
cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c sslutils.c
mturk 2005/06/01 03:45:03 Modified:jni/native/include ssl_private.h jni/native/src ssl.c sslcontext.c sslutils.c Log: Add reference counter to BIO handler, so that multiple context can register the same BIO. Revision ChangesPath 1.8 +6 -1 jakarta-tomcat-connectors/jni/native/include/ssl_private.h
Index: ssl_private.h
===
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- ssl_private.h 1 Jun 2005 09:05:08 - 1.7
+++ ssl_private.h 1 Jun 2005 10:45:02 - 1.8
@@ -83,6 +83,9 @@
 #define SSL_PROTOCOL_TLSV1 (12)
 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#define SSL_BIO_FLAG_RDONLY (10)
+#define SSL_BIO_FLAG_CALLBACK (11)
+
 /* public cert/private key */
 typedef struct {
 /*
@@ -147,5 +150,7 @@
 void *SSL_get_app_data2(SSL *);
 voidSSL_set_app_data2(SSL *, void *);
 int SSL_password_prompt(tcn_ssl_ctxt_t *, char *, int);
+voidSSL_BIO_close(BIO *);
+voidSSL_BIO_doref(BIO *);
 #endif /* SSL_PRIVATE_H */
1.16 +42 -9 jakarta-tomcat-connectors/jni/native/src/ssl.c
Index: ssl.c
===
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- ssl.c 1 Jun 2005 08:19:39 - 1.15
+++ ssl.c 1 Jun 2005 10:45:03 - 1.16
@@ -400,10 +400,12 @@
 /* OpenSSL Java Stream BIO */
 typedef struct {
+intrefcount;
 apr_pool_t *pool;
 tcn_callback_t cb;
 } BIO_JAVA;
+
 static apr_status_t generic_bio_cleanup(void *data) {
 BIO *b = (BIO *)data;
@@ -414,12 +416,43 @@
 return APR_SUCCESS;
 }
+void SSL_BIO_close(BIO *bi)
+{
+if (bi == NULL)
+return;
+if (bi-ptr != NULL (bi-flags SSL_BIO_FLAG_CALLBACK)) {
+BIO_JAVA *j = (BIO_JAVA *)bi-ptr;
+j-refcount--;
+if (j-refcount == 0) {
+if (j-pool)
+apr_pool_cleanup_run(j-pool, bi, generic_bio_cleanup);
+else
+BIO_free(bi);
+}
+}
+else
+BIO_free(bi);
+}
+
+void SSL_BIO_doref(BIO *bi)
+{
+if (bi == NULL)
+return;
+if (bi-ptr != NULL (bi-flags SSL_BIO_FLAG_CALLBACK)) {
+BIO_JAVA *j = (BIO_JAVA *)bi-ptr;
+j-refcount++;
+}
+}
+
+
 static int jbs_new(BIO *bi) {
 BIO_JAVA *j;
 if ((j = OPENSSL_malloc(sizeof(BIO_JAVA))) == NULL)
 return 0;
+j-pool = NULL;
+j-refcount = 1;
 bi-shutdown = 1;
 bi-init = 0;
 bi-num = -1;
@@ -435,9 +468,9 @@
 if (bi-ptr != NULL) {
 BIO_JAVA *j = (BIO_JAVA *)bi-ptr;
 if (bi-init) {
+bi-init = 0;
 TCN_UNLOAD_CLASS(j-cb.env, j-cb.obj);
 }
-bi-init = 0;
 OPENSSL_free(bi-ptr);
 }
 bi-ptr = NULL;
@@ -552,6 +585,10 @@
 goto init_failed;
 }
 j = (BIO_JAVA *)bio-ptr;
+if ((j = (BIO_JAVA *)bio-ptr) == NULL) {
+tcn_ThrowException(e, Create BIO failed);
+goto init_failed;
+}
 j-pool = J2P(pool, apr_pool_t *);
 if (j-pool) {
 apr_pool_cleanup_register(j-pool, (const void *)bio,
@@ -568,7 +605,8 @@
 /* TODO: Check if method id's are valid */
 j-cb.obj= (*e)-NewGlobalRef(e, callback);
-bio-init = 1;
+bio-init = 1;
+bio-flags = SSL_BIO_FLAG_CALLBACK;
 return P2J(bio);
 init_failed: return 0;
@@ -577,13 +615,8 @@
 TCN_IMPLEMENT_CALL(jint, SSL, closeBIO)(TCN_STDARGS, jlong bio) {
 BIO *b = J2P(bio, BIO *);
-BIO_JAVA *j;
-
 UNREFERENCED_STDARGS;
-j = (BIO_JAVA *)b-ptr;
-if (j-pool) {
-apr_pool_cleanup_run(j-pool, b, generic_bio_cleanup);
-}
+SSL_BIO_close(b);
 return APR_SUCCESS;
 }
1.7 +10 -7 jakarta-tomcat-connectors/jni/native/src/sslcontext.c
Index: sslcontext.c
===
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- sslcontext.c 1 Jun 2005 09:05:08 - 1.6
+++ sslcontext.c 1 Jun 2005 10:45:03 - 1.7
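Review bot: `SSL_BIO_close` and `SSL_BIO_doref` test `bi->flags & SSL_BIO_FLAG_CALLBACK`, and @@ -568 assigns `bio->flags = SSL_BIO_FLAG_CALLBACK`, but `flags` is OpenSSL's own BIO field: it carries BIO_FLAGS_READ/BIO_FLAGS_WRITE/BIO_FLAGS_SHOULD_RETRY (0x01/0x02/0x08) and is rewritten by BIO_set_flags/BIO_clear_retry_flags during I/O, so the plain assignment discards whatever OpenSSL had set, a later BIO_clear_retry_flags can remove the marker so the Java BIO is then BIO_free'd without its refcount being consulted, and the values (rendered as (10)/(11) here, presumably (1<<0)/(1<<1)) alias the read/write bits. Keeping the marker inside BIO_JAVA, or checking `bi->method` against the Java BIO method, avoids the shared word; if a BIO flag is kept it should be a bit OpenSSL does not define and be set with BIO_set_flags rather than `=`. `j->refcount` is a plain int updated without locking, so a comment on the field should state which thread(s) may call doref/close. A close on a BIO whose count is already zero drives it negative instead of being ignored; `if (j->refcount > 0 && --j->refcount == 0)` makes a repeated close harmless.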
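Review bot: The new NULL check in @@ -552 repeats the assignment the preceding context line `j = (BIO_JAVA *)bio->ptr;` already made; keep only `if ((j = (BIO_JAVA *)bio->ptr) == NULL) {` and drop the bare assignment. Its failure path jumps to `init_failed`, which in @@ -568 only returns 0, so the `bio` object is not released on that path if it was already created by then; the start of the function is outside the hunk, so whether this branch is reachable at all (bio->ptr is set by jbs_new) cannot be confirmed here, and a comment stating why it is needed, or a BIO_free before the return, would settle it.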
@@ -57,11 +57,12 @@ sk_X509_INFO_pop_free(c-pk.c.certs, X509_INFO_free); c-pk.c.certs = NULL; } + if (c-bio_is) -BIO_free(c-bio_is);