Mark,

On 4/29/15 5:31 PM, ma...@apache.org wrote:
> Author: markt
> Date: Wed Apr 29 21:31:43 2015
> New Revision: 1676864
> 
> URL: http://svn.apache.org/r1676864
> Log:
> Implement the native part of SNI
> 
> Modified:
>     tomcat/native/trunk/native/include/ssl_private.h
>     tomcat/native/trunk/native/src/sslcontext.c
> 
> Modified: tomcat/native/trunk/native/include/ssl_private.h
> URL: 
> http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1676864&r1=1676863&r2=1676864&view=diff
> ==============================================================================
> --- tomcat/native/trunk/native/include/ssl_private.h (original)
> +++ tomcat/native/trunk/native/include/ssl_private.h Wed Apr 29 21:31:43 2015
> @@ -261,10 +261,6 @@ struct tcn_ssl_ctxt_t {
>       */
>      char            *alpn;
>      int             alpnlen;
> -    
> -    /* References to Java SSLContext class used by SNI callbacks */
> -    JNIEnv          *jnienv;
> -    jobject         java_object;
>  };
>  
>    
> 
> Modified: tomcat/native/trunk/native/src/sslcontext.c
> URL: 
> http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1676864&r1=1676863&r2=1676864&view=diff
> ==============================================================================
> --- tomcat/native/trunk/native/src/sslcontext.c (original)
> +++ tomcat/native/trunk/native/src/sslcontext.c Wed Apr 29 21:31:43 2015
> @@ -62,12 +62,37 @@ static apr_status_t ssl_context_cleanup(
>      return APR_SUCCESS;
>  }
>  
> +static jclass    ssl_context_class;
> +static jmethodID sni_java_callback;
> +
>  /* Callback used when OpenSSL receives a client hello with a Server Name
>   * Indication extension.
>   */
>  int ssl_callback_ServerNameIndication(SSL *ssl, int *al, tcn_ssl_ctxt_t *c)
>  {
> -    printf("SNI callback received");
> +    // Get the JNI environment for this callback
> +    JavaVM *javavm = tcn_get_java_vm();
> +    JNIEnv *env;
> +    (*javavm)->AttachCurrentThread(javavm, (void **)&env, NULL);

Is OpenSSL running the handshake in another thread? I don't know enough
about OpenSSL to know how it does things like callbacks for this stuff.
What thread is active when ssl_callback_ServerNameIndication is being
called? Is it a thread that initially requested the handshake (and is
therefore already bound to the JVM)?

> +    // Get the host name presented by the client
> +    const char *servername = SSL_get_servername(ssl, 
> TLSEXT_NAMETYPE_host_name);
> +    
> +    // Convert parameters ready for the method call
> +    jstring hostname = (*env)->NewStringUTF(env, servername);
> +    jlong original_ssl_context = P2J(c->ctx);
> + 
> +    // Make the call
> +    jlong new_ssl_context = (*env)->CallStaticLongMethod(env,
> +                                                            
> ssl_context_class,
> +                                                            
> sni_java_callback,
> +                                                            
> original_ssl_context,
> +                                                            hostname);
> +
> +    if (original_ssl_context != new_ssl_context) {
> +        SSL_set_SSL_CTX(ssl, J2P(new_ssl_context, SSL_CTX *));
> +    }
> + 
>      return SSL_TLSEXT_ERR_OK;
>  }
>   
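Review bot: The return value of `AttachCurrentThread` is unchecked and `env` is then dereferenced, and nothing checks for a pending Java exception after `CallStaticLongMethod`, so a throw inside `sniCallBack` leaves `new_ssl_context` holding an unspecified value that is passed to `SSL_set_SSL_CTX` while the thread still has an exception pending (further JNI calls in that state are undefined). `SSL_get_servername` can also return NULL, which is then handed straight to `NewStringUTF`, and the `hostname` local reference is never released, so it accumulates on a long-lived attached thread. Since the server name is client-supplied bytes I would also confirm that what reaches `NewStringUTF` is valid modified UTF-8 before relying on it; RFC 6066 limits the name to ASCII, but I would not assume OpenSSL rejects other bytes. The rewrite below fails the handshake with `SSL_TLSEXT_ERR_ALERT_FATAL` on each of these error paths instead of continuing with whatever context the default resolves to.
```c
int ssl_callback_ServerNameIndication(SSL *ssl, int *al, tcn_ssl_ctxt_t *c)
{
    JavaVM *javavm = tcn_get_java_vm();
    JNIEnv *env;
    if ((*javavm)->AttachCurrentThread(javavm, (void **)&env, NULL) != JNI_OK) {
        *al = SSL_AD_INTERNAL_ERROR;
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    if (servername == NULL) {
        /* Nothing to act on: keep the context the connection already has */
        return SSL_TLSEXT_ERR_NOACK;
    }

    jstring hostname = (*env)->NewStringUTF(env, servername);
    if (hostname == NULL) {
        /* NewStringUTF already raised OutOfMemoryError on this thread */
        (*env)->ExceptionClear(env);
        *al = SSL_AD_INTERNAL_ERROR;
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    jlong original_ssl_context = P2J(c->ctx);

    // … unchanged: CallStaticLongMethod(ssl_context_class, sni_java_callback, …) …

    (*env)->DeleteLocalRef(env, hostname);
    if ((*env)->ExceptionCheck(env)) {
        /* sniCallBack threw; new_ssl_context must not be trusted */
        (*env)->ExceptionClear(env);
        *al = SSL_AD_INTERNAL_ERROR;
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    // … unchanged: SSL_set_SSL_CTX when the context changed, return SSL_TLSEXT_ERR_OK …
}
```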
> @@ -206,9 +231,14 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
>      SSL_CTX_set_default_passwd_cb_userdata(c->ctx, (void 
> *)(&tcn_password_callback));
>      SSL_CTX_set_info_callback(c->ctx, SSL_callback_handshake);
>      
> -    /* Set Server Name Indication (SNI) callback */
> -    c->jnienv      = e;
> -    c->java_object = o;
> +    /* Cache Java side SNI callback if not already cached */
> +    if (ssl_context_class == 0) {

This is okay, but graybeards might prefer:

     if(!ssl_context_class)

> +        ssl_context_class = (*e)->NewGlobalRef(e, o);
> +        sni_java_callback = (*e)->GetStaticMethodID(e, ssl_context_class,
> +                                                    "sniCallBack", 
> "(JLjava/lang/String;)J");
> +    }
> +
> +    /* Set up OpenSSL call back if SNI is provided by the client */
>      SSL_CTX_set_tlsext_servername_callback(c->ctx, 
> ssl_callback_ServerNameIndication);
>      SSL_CTX_set_tlsext_servername_arg(c->ctx, c);
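Review bot: `GetStaticMethodID` can fail (it returns NULL and leaves a NoSuchMethodError pending), but its result is stored in `sni_java_callback` without a check, so if the Java side lacks `sniCallBack(JLjava/lang/String;)J` the first TLS handshake reaches `CallStaticLongMethod` with a NULL method ID on a thread unrelated to the original error. After the lookup I would add `if (sni_java_callback == NULL) { ... }` that releases the global reference, resets `ssl_context_class` so a later call retries, and takes this function's existing failure path; the enclosing `make` begins before the hunk, so I cannot tell from here what that path returns. The check-then-set on the two statics is also unsynchronized: if `make` can run on several threads at once, two `NewGlobalRef`s are taken and one leaks, so confirm whether the caller already serializes this.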

-chris
