Author: remm
Date: Thu Dec 10 16:30:23 2015
New Revision: 1719106
URL: http://svn.apache.org/viewvc?rev=1719106&view=rev
Log:
Using the finalizer for sensitive operations is not a good idea since nothing
in Tomcat retains the SSLContext instances after using them to init.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/SSLContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESSLContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLContext.java?rev=1719106&r1=1719105&r2=1719106&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLContext.java Thu Dec 10
16:30:23 2015
@@ -37,6 +37,8 @@ public interface SSLContext {
public void init(KeyManager[] kms, TrustManager[] tms,
SecureRandom sr) throws KeyManagementException;
+ public void destroy();
+
public SSLSessionContext getServerSessionContext();
public SSLEngine createSSLEngine();
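Review bot: The new `destroy()` on the interface has no Javadoc, so nothing tells an implementer or caller who owns the context and when it must be released. With the OpenSSL finalizer removed in this same commit, a context whose owner never calls `destroy()` keeps its native SSL context and pool allocated. I would add something like `/** Releases any native resources held by this context; the owner must call it once the context is no longer in use, and must not use the context afterwards. */`. The empty `destroy()` added to JSSESSLContext has the same gap and deserves a one-line comment saying there is nothing to free there, presumably because it only wraps the JSSE context. None of the three modified files calls `destroy()` outside the `init()` failure path, so it is worth confirming that the callers arrive in another revision.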
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESSLContext.java?rev=1719106&r1=1719105&r2=1719106&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESSLContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESSLContext.java Thu
Dec 10 16:30:23 2015
@@ -44,6 +44,10 @@ class JSSESSLContext implements SSLConte
}
@Override
+ public void destroy() {
+ }
+
+ @Override
public SSLSessionContext getServerSessionContext() {
return context.getServerSessionContext();
}
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1719106&r1=1719105&r2=1719106&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Thu Dec 10 16:30:23 2015
@@ -166,15 +166,20 @@ public class OpenSSLContext implements o
throw new SSLException(sm.getString("openssl.errorSSLCtxInit"), e);
} finally {
if (!success) {
- destroyPools();
+ destroy();
}
}
}
- private void destroyPools() {
+ public synchronized void destroy() {
// Guard against multiple destroyPools() calls triggered by
construction exception and finalize() later
- if (aprPool != 0 && DESTROY_UPDATER.compareAndSet(this, 0, 1)) {
- Pool.destroy(aprPool);
+ if (DESTROY_UPDATER.compareAndSet(this, 0, 1)) {
+ if (ctx != 0) {
+ SSLContext.free(ctx);
+ }
+ if (aprPool != 0) {
+ Pool.destroy(aprPool);
+ }
}
}
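Review bot: `destroy()` frees `ctx` and `aprPool` but leaves both fields holding the old non-zero handles, so any method invoked on this object afterwards would pass a freed native pointer to the native layer; `DESTROY_UPDATER` only guards against a second `destroy()`. If the fields are not final (their declarations are outside the hunk), zero them after the free; otherwise have the methods that use `ctx` check the destroyed flag first and throw `IllegalStateException`. The retained comment still refers to `destroyPools()` and `finalize()`, both removed by this commit, and should read something like `// Guard against repeated destroy() calls, e.g. after a failed init()`. The method now implements the interface method and should carry `@Override`, as the JSSESSLContext version does. `init()` begins before the hunk, so only its failure path is visible here.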
@@ -437,15 +442,4 @@ public class OpenSSLContext implements o
throw new UnsupportedOperationException();
}
- @Override
- protected final void finalize() throws Throwable {
- super.finalize();
- synchronized (OpenSSLContext.class) {
- if (ctx != 0) {
- SSLContext.free(ctx);
- }
- }
- //FIXME: this causes crashes in the testsuite
- //destroyPools();
- }
}