Fix cause of crashes with Native + NIO2 + OpenSSL

Prevent concurrent release of <code>OpenSSLEngine</code> resources and
the termination of the Tomcat Native library as it can cause crashes
during Tomcat shutdown. NIO2 is no longer present in 12.0.x but there
may be rarer crashes with NIO.

Author: markt-asf

java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java

@@ -30,6 +30,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.locks.Lock;
 
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
@@ -42,6 +43,7 @@
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.jni.AprStatus;
 import org.apache.tomcat.jni.Buffer;
 import org.apache.tomcat.jni.Pool;
 import org.apache.tomcat.jni.SSL;
@@ -222,9 +224,9 @@ public String getNegotiatedProtocol() {
     public synchronized void shutdown() {
         if (!destroyed) {
             destroyed = true;
-            cleanable.clean();
             // internal errors can cause shutdown without marking the engine closed
             isInboundDone = isOutboundDone = engineClosed = true;
+            cleanable.clean();
             ByteBufferUtils.cleanDirectBuffer(buf);
         }
     }
@@ -1400,11 +1402,19 @@ public int getApplicationBufferSize() {
     private record OpenSSLState(long ssl, long networkBIO) implements Runnable {
         @Override
         public void run() {
-            if (networkBIO != 0) {
-                SSL.freeBIO(networkBIO);
-            }
-            if (ssl != 0) {
-                SSL.freeSSL(ssl);
+            Lock readLock = AprStatus.getStatusLock().readLock();
+            readLock.lock();
+            try {
+                if (!AprStatus.isAprInitialized()) {
+                    if (networkBIO != 0) {
+                        SSL.freeBIO(networkBIO);
+                    }
+                    if (ssl != 0) {
+                        SSL.freeSSL(ssl);
+                    }
+                }
+            } finally {
+                readLock.unlock();
             }
         }
     }

webapps/docs/changelog.xml

@@ -307,6 +307,11 @@
         Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5.
         (remm)
       </fix>
+      <fix>
+        Prevent concurrent release of <code>OpenSSLEngine</code> resources and
+        the termination of the Tomcat Native library as it might cause crashes
+        during Tomcat shutdown. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">