[Pkg-freeipa-devel] [Git][freeipa-team/jss][master] 27 commits: Updated version number to 4.7.0-1

Timo Aaltonen gitlab at salsa.debian.org
Thu Aug 6 13:38:16 BST 2020



Timo Aaltonen pushed to branch master at FreeIPA packaging / jss


Commits:
14ca2a7b by Endi S. Dewata at 2020-07-09T13:48:15-05:00
Updated version number to 4.7.0-1

- - - - -
f7a41e47 by Endi S. Dewata at 2020-07-13T14:04:15-05:00
Fixed TestSSLEngine

The SSLEngine.getSupportedProtocols() on Fedora returns at least
2 protocols in FIPS mode, but on RHEL it returns only 1. The
TestSSLEngine has been changed such that it works with 1 protocol.

- - - - -
6fafc019 by Alexander Scheel at 2020-07-22T16:18:53-04:00
Handle NULL return from SSL_ImportFD

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
bd0e60f9 by Alexander Scheel at 2020-07-22T16:18:53-04:00
Close SSLEngine inbound during socket close

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
aa680985 by Alexander Scheel at 2020-07-22T16:18:53-04:00
Track SSLSocket close, inform user on re-use

Sockets in Java cannot be reused, per javadocs:

    Once a socket has been closed, it is not available for
    further networking use (i.e. can't be reconnected or
    rebound). A new socket needs to be created.

Prevent this use in JSSSocket.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
68ae2b18 by Alexander Scheel at 2020-07-22T16:18:53-04:00
Fix TokenProxy leak

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b597226f by Alexander Scheel at 2020-07-22T16:18:53-04:00
Allow sessions to clear PK11Cert instances

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f426d2e4 by Alexander Scheel at 2020-07-22T16:18:53-04:00
Clear PRFDProxy after import, session on close

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
76396ae4 by Alexander Scheel at 2020-07-24T11:48:15-04:00
Fix memory leak during BufferPRFD destruction

BufferPRFDs must destroy their layer when they're the only layer left,
otherwise closing a layer will leave allocated resources around.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
81a14976 by Alexander Scheel at 2020-07-24T11:48:15-04:00
Fix memory leaks in TestBufferPRFDSSL

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8de9d6cf by Alexander Scheel at 2020-07-24T12:00:20-04:00
Prevent hiding of optional test failures

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d16a5b08 by Alexander Scheel at 2020-07-24T12:58:00-04:00
Update PKCS#11 Constants off of NSS v3.54

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8f771193 by Alexander Scheel at 2020-07-24T13:20:42-04:00
Prevent usage of ssl_fd after closing

In the previous commit, 76396ae47adf740aac0db38f143d959e5d6c39ec, by
calling the destructor on BufferPRFD layer, we finally clean it up
properly. However, this resulted in multiple calls to closeInbound or
closeOutbound resulting in a use-after-free.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ac387b9a by Alexander Scheel at 2020-07-24T13:20:42-04:00
Add keyhi.h to TestBufferPRFDSSL.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ee3dd06c by Alexander Scheel at 2020-07-24T13:20:42-04:00
Duplicate client certificate in handler

When JSS passes the certificate for use in the client auth handler, it
doesn't duplicate this certificate. However, NSS will later attempt to
free this key. We should duplicate the key before returning it to NSS,
allowing NSS to free it safely.

Note that, because the key isn't passed in to the client auth handler,
but instead queried, we need not duplicate it.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
21988d38 by Alexander Scheel at 2020-07-24T13:20:42-04:00
Split optional tests into informational

Optional tests should generally pass. Informational tests include tasks
(like pkcs11checks) that while short, often fail. By splitting these two
types, we can allow the longer running optional tests to continue to
run.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
374f18b9 by Alexander Scheel at 2020-07-24T14:01:20-04:00
Fix build with CMake out-of-source build change

Fedora 33 has introduced the following change proposal:

https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds

This makes CMake do out-of-source builds by default. However, Fedora has
opted to use the %{_vpath_builddir} macro as the location of the default
build directory, instead of the more standard (in the CMake community)
build/ directory. %{_vpath_builddir} expands to %{_target_platform},
giving a per-architecture build directory.

Replace build/ references with %{_vpath_builddir} in the RPM spec. In
the future, we could move %{__make} to %cmake_build instead.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ea007506 by Alexander Scheel at 2020-07-28T14:59:55-04:00
Make SSL_ImportFD clear underlying PRFileDesc

When SSL_ImportFD executes successfully, the base PRFileDesc gets
consumed by NSS. This means the Java NativeProxy wrapper (PRFDProxy) can
get garbage collected. However, we need to ensure we don't call
PR.Close() on the underlying socket until we no longer need the
SSLFDProxy instance as well.

This affected JSSEngine's template as well: the base PRFDProxy
underlying the SSLFDProxy template should eventually get garbage
collected and freed, causing the template to no longer be valid. We
should instead allow the Java object to be GC'd without invoking
PR.Close().

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
aad4e90b by Alexander Scheel at 2020-07-28T14:59:55-04:00
Switch NativeProxy registry to use a WeakRefMap

One issue with the NativeProxy fix from last release
(33ae12d7055271b7ff5a95867302f9c6358eeb0a) was that we now always
stored strong references to tracked pointers rather than weak
references. The downside of this approach is that every single reference
must be explicitly closed rather than allowing the GC to close them as
they go out of scope. By using a weak reference, presence in the
NativeProxy registry is not sufficient to keep the reference around.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
33b38c44 by Alexander Scheel at 2020-07-28T15:01:57-04:00
Use Java8 compatible Javadoc generation

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4c553ad4 by Alexander Scheel at 2020-07-28T15:01:57-04:00
Build javadoc on Debian and Fedora Rawhide

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f4a874f9 by Alexander Scheel at 2020-07-28T15:37:03-04:00
Remove invalid Base64 logging

While a nice idea in theory, this generates a ton of spurious messages
right now. We should eventually fix this and re-enable logging, but for
now we'll remove it.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c2ce7b13 by Endi S. Dewata at 2020-07-31T20:59:52-05:00
Updated version number to 4.7.1-1

- - - - -
023d117b by Timo Aaltonen at 2020-08-06T15:28:05+03:00
Merge branch 'upstream'

- - - - -
e38adf33 by Timo Aaltonen at 2020-08-06T15:28:29+03:00
bump the version

- - - - -
468ae451 by Timo Aaltonen at 2020-08-06T15:31:08+03:00
control: Bump policy to 4.5.0.

- - - - -
ad2f8413 by Timo Aaltonen at 2020-08-06T15:37:31+03:00
releasing package jss version 4.7.1-1

- - - - -


24 changed files:

- + .github/workflows/informational.yml
- .github/workflows/optional.yml
- cmake/JSSCommon.cmake
- debian/changelog
- debian/control
- jss.spec
- lib/jss.map
- org/mozilla/jss/netscape/security/util/Utils.java
- org/mozilla/jss/nss/SSL.c
- org/mozilla/jss/nss/SSL.java
- org/mozilla/jss/nss/SSLFDProxy.c
- org/mozilla/jss/pkcs11/PK11Cert.java
- org/mozilla/jss/pkcs11/PKCS11Constants.java
- org/mozilla/jss/provider/javax/crypto/JSSTokenKeyManager.java
- org/mozilla/jss/ssl/javax/BufferPRFD.c
- org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
- org/mozilla/jss/ssl/javax/JSSSession.java
- org/mozilla/jss/ssl/javax/JSSSocket.java
- org/mozilla/jss/ssl/javax/JSSSocketChannel.java
- org/mozilla/jss/tests/TestBufferPRFDSSL.c
- org/mozilla/jss/tests/TestSSLEngine.java
- org/mozilla/jss/util/NativeProxy.java
- tools/Dockerfiles/debian_jdk11
- tools/Dockerfiles/fedora_rawhide


Changes:

=====================================
.github/workflows/informational.yml
=====================================
@@ -0,0 +1,20 @@
+name: Optional Tests
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image:
+          - 'pkcs11check'
+          - 'fedora_sandbox'
+          - 'pki_build'
+
+    steps:
+    - name: Clone the repository
+      uses: actions/checkout at v2
+
+    - name: Build and Run the Docker Image
+      run: bash tools/run_container.sh "${{ matrix.image }}"
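
Review bot: The first added line, "name: Optional Tests", does not match the file name informational.yml and looks copied from optional.yml, so the two workflows will be hard to tell apart in the Actions UI; rename it to something like "Informational Tests". Since the commit message says these jobs often fail, also consider "continue-on-error: true" on the test job so an expected failure in pkcs11check does not mark the whole push as failed.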


=====================================
.github/workflows/optional.yml
=====================================
@@ -7,19 +7,16 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        image: 
-          - 'pkcs11check'
+        image:
           - 'debian_jdk11'
           - 'ubuntu_jdk8'
           - 'fedora_rawhide'
-          - 'fedora_sandbox'
           - 'centos_7'
           - 'centos_8'
-          - 'pki_build'
 
     steps:
     - name: Clone the repository
       uses: actions/checkout at v2
-  
+
     - name: Build and Run the Docker Image
-      run: bash tools/run_container.sh "${{ matrix.image }}" || echo "::warning ::Job exited with status $?"
+      run: bash tools/run_container.sh "${{ matrix.image }}"
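
Review bot: With the '|| echo "::warning ..."' fallback removed from the run line, a failing image now fails its job, and the visible strategy block sets no "fail-fast: false", so GitHub Actions will by default cancel the remaining matrix entries as soon as one image fails. Add "fail-fast: false" under "strategy:" so a failure on one distribution does not hide the results from the others.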


=====================================
cmake/JSSCommon.cmake
=====================================
@@ -227,7 +227,7 @@ macro(jss_build_javadocs)
 
     add_custom_command(
         OUTPUT ${JAVADOCS_OUTPUTS}
-        COMMAND "${Java_JAVADOC_EXECUTABLE}" -overview "${PROJECT_SOURCE_DIR}/tools/javadoc/overview.html" -windowtitle "${JSS_WINDOW_TITLE}" -notimestamp -breakiterator -classpath ${JAVAC_CLASSPATH} -sourcepath ${PROJECT_SOURCE_DIR} -d ${DOCS_OUTPUT_DIR} @${JAVA_SOURCES_FILE}
+        COMMAND "${Java_JAVADOC_EXECUTABLE}" -source 1.8 -overview "${PROJECT_SOURCE_DIR}/tools/javadoc/overview.html" -windowtitle "${JSS_WINDOW_TITLE}" -notimestamp -breakiterator -classpath ${JAVAC_CLASSPATH} -sourcepath ${PROJECT_SOURCE_DIR} -d ${DOCS_OUTPUT_DIR} @${JAVA_SOURCES_FILE}
         COMMAND touch "${JAVADOCS_OUTPUTS}"
         DEPENDS ${JAVA_SOURCES}
     )


=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+jss (4.7.1-1) unstable; urgency=medium
+
+  * New upstream release.
+  * control: Bump policy to 4.5.0.
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Thu, 06 Aug 2020 15:37:23 +0300
+
 jss (4.7.0-1) unstable; urgency=medium
 
   * New upstream release.


=====================================
debian/control
=====================================
@@ -17,7 +17,7 @@ Build-Depends: debhelper-compat (= 12),
  quilt,
  unzip,
  zip,
-Standards-Version: 4.4.0
+Standards-Version: 4.5.0
 Vcs-Git: https://salsa.debian.org/freeipa-team/jss.git
 Vcs-Browser: https://salsa.debian.org/freeipa-team/jss
 Homepage: https://github.com/dogtagpki/jss


=====================================
jss.spec
=====================================
@@ -6,9 +6,9 @@ Summary:        Java Security Services (JSS)
 URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
-Version:        4.7.0
-Release:        0.4%{?_timestamp}%{?_commit_id}%{?dist}
-%global         _phase -b4
+Version:        4.7.1
+Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
+#global         _phase -a1
 
 # To generate the source tarball:
 # $ git clone https://github.com/dogtagpki/jss.git
@@ -109,12 +109,12 @@ export CFLAGS
 modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
 
 # The Makefile is not thread-safe
-rm -rf build && mkdir -p build && cd build
 %cmake \
     -DJAVA_HOME=%{java_home} \
     -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-    ..
+    -B %{_vpath_builddir}
 
+cd %{_vpath_builddir}
 %{__make} all
 %{__make} javadoc
 ctest --output-on-failure
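
Review bot: Both "-B %{_vpath_builddir}" and "cd %{_vpath_builddir}" depend on the distribution's macro set defining _vpath_builddir; on a build target that does not define it, rpm leaves the text unexpanded and the cd fails. If this spec is still meant to build on older releases, add a guarded fallback near the top, for example "%{!?_vpath_builddir:%global _vpath_builddir %{_target_platform}}". Note also that the removed "rm -rf build" line was the only thing guaranteeing a clean build directory.
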
@@ -126,19 +126,19 @@ ctest --output-on-failure
 
 # jars
 install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
-install -m 644 build/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
+install -m 644 %{_vpath_builddir}/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
 
 # We have to use the name libjss4.so because this is dynamically
 # loaded by the jar file.
 install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
-install -m 0755 build/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
+install -m 0755 %{_vpath_builddir}/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
 pushd  ${RPM_BUILD_ROOT}%{_libdir}/jss
     ln -fs %{_jnidir}/jss4.jar jss4.jar
 popd
 
 # javadoc
 install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -rp build/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
+cp -rp %{_vpath_builddir}/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 


=====================================
lib/jss.map
=====================================
@@ -485,3 +485,9 @@ Java_org_mozilla_jss_nss_SECErrors_getUntrustedCert;
     local:
         *;
 };
+JSS_4.7.1 {
+    global:
+Java_org_mozilla_jss_nss_SSL_ImportFDNative;
+    local:
+        *;
+};


=====================================
org/mozilla/jss/netscape/security/util/Utils.java
=====================================
@@ -37,12 +37,7 @@ import java.util.Date;
 import java.util.StringTokenizer;
 import java.util.Vector;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 public class Utils {
-    public static Logger logger = LoggerFactory.getLogger(Utils.class);
-
     /**
      * Checks if this is NT.
      */
@@ -417,7 +412,6 @@ public class Utils {
                 return Base64.getMimeDecoder().decode(string);
             }
         } catch (IllegalArgumentException iae) {
-            logger.warn("Invalid base64: [" + string + "]: " + iae, iae);
             return new byte[0];
         }
     }
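
Review bot: After this removal the "catch (IllegalArgumentException iae)" block swallows the error completely and returns "new byte[0]", so callers cannot tell malformed Base64 from a legitimately empty value. Dropping the old message is reasonable on its own, since it wrote the raw input string to the log, but the method's Javadoc should now state that invalid input yields an empty array so callers that handle untrusted data know to check for it.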


=====================================
org/mozilla/jss/nss/SSL.c
=====================================
@@ -143,6 +143,15 @@ finish:
 JNIEXPORT jobject JNICALL
 Java_org_mozilla_jss_nss_SSL_ImportFD(JNIEnv *env, jclass clazz, jobject model,
     jobject fd)
+{
+    PR_ASSERT(0);
+    JSS_throwMsg(env, NULL_POINTER_EXCEPTION, "JSS JAR/DLL version mismatch");
+    return NULL;
+}
+
+JNIEXPORT jbyteArray JNICALL
+Java_org_mozilla_jss_nss_SSL_ImportFDNative(JNIEnv *env, jclass clazz, jobject model,
+    jobject fd)
 {
     PRFileDesc *result = NULL;
     PRFileDesc *real_model = NULL;
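
Review bot: In the new Java_org_mozilla_jss_nss_SSL_ImportFD stub, PR_ASSERT(0) runs before JSS_throwMsg, so in a build with assertions enabled the process aborts and the "JSS JAR/DLL version mismatch" message never reaches the Java caller. Drop the assertion and add a comment saying why the old entry point is kept as a stub; NULL_POINTER_EXCEPTION is also a surprising exception type for a version mismatch.
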
@@ -153,17 +162,20 @@ Java_org_mozilla_jss_nss_SSL_ImportFD(JNIEnv *env, jclass clazz, jobject model,
 
     /* Note: NSS calling semantics state that either model or fd can be
      * NULL; so when the Java Object is not-NULL, dereference it. */
-    if (model != NULL && JSS_PR_getPRFileDesc(env, model, &real_model) != PR_SUCCESS) {
+    if (model != NULL && (JSS_PR_getPRFileDesc(env, model, &real_model) != PR_SUCCESS || real_model == NULL)) {
         return NULL;
     }
 
-    if (fd != NULL && JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
+    if (fd != NULL && (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS || real_fd == NULL)) {
         return NULL;
     }
 
     result = SSL_ImportFD(real_model, real_fd);
+    if (result == NULL) {
+        return NULL;
+    }
 
-    return JSS_PR_wrapSSLFDProxy(env, &result);
+    return JSS_ptrToByteArray(env, result);
 }
 
 JNIEXPORT int JNICALL
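
Review bot: The early "return NULL;" paths taken when real_model == NULL or real_fd == NULL neither set an NSPR error nor throw, yet the Java wrapper in SSL.java reports every NULL return through PR.GetError(). For a proxy that was already cleared, the exception text will therefore carry whatever error code was set last. Set an explicit error before returning, for example PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0), or throw from here with a message naming the offending argument.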


=====================================
org/mozilla/jss/nss/SSL.java
=====================================
@@ -158,7 +158,23 @@ public class SSL {
      *
      * See also: SSL_ImportFD in /usr/include/nss3/ssl.h
      */
-    public static native SSLFDProxy ImportFD(PRFDProxy model, PRFDProxy fd);
+    public static SSLFDProxy ImportFD(PRFDProxy model, PRFDProxy fd) {
+        if (fd == null) {
+            throw new NullPointerException("Expected fd != null");
+        }
+
+        byte[] ptr = ImportFDNative(model, fd);
+        if (ptr == null || ptr.length == 0) {
+            int error = PR.GetError();
+            throw new NullPointerException("SSL_ImportFD failed: " + PR.ErrorToName(error) + " (" + error + ")");
+        }
+
+        fd.clear();
+
+        return new SSLFDProxy(ptr);
+    }
+
+    public static native byte[] ImportFDNative(PRFDProxy model, PRFDProxy fd);
 
     /**
      * Set the value of a SSL option on the specified PRFileDesc.
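
Review bot: ImportFD now throws NullPointerException both for a null fd argument and for an NSS failure, which makes a runtime TLS setup error look like a programming bug and, being unchecked, is easy for callers to miss; a dedicated or checked exception would be clearer. The Javadoc above the method should also state that fd is consumed on success (fd.clear()), so callers must not close or reuse it, and that a null fd is rejected even though the comment in SSL.c says NSS accepts one. ImportFDNative is declared public; if nothing outside this class needs it, make it private so the raw pointer bytes are not part of the API.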


=====================================
org/mozilla/jss/nss/SSLFDProxy.c
=====================================
@@ -237,7 +237,7 @@ JSSL_SSLFDCertSelectionCallback(void *arg,
         return SECFailure;
     }
 
-    *pRetCert = cert;
+    *pRetCert = CERT_DupCertificate(cert);
     *pRetKey = privkey;
     return SECSuccess;
 }
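
Review bot: The asymmetry between "*pRetCert = CERT_DupCertificate(cert);" and the unchanged "*pRetKey = privkey;" is explained only in the commit message. Add a comment at this spot stating that NSS frees what it receives through these out-parameters, that cert is borrowed and so must be duplicated, and that privkey was queried inside this callback and is handed over as-is. Without it, a later reader is likely to make the two lines match and reintroduce either the double free or a leak.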


=====================================
org/mozilla/jss/pkcs11/PK11Cert.java
=====================================
@@ -410,7 +410,16 @@ public class PK11Cert
         // This object also contains a token proxy; these are reference
         // counted objects and long-lived; freeing them is of little benefit
         // as they'll persist as long as CryptoManager holds a copy of all
-        // known tokens.
+        // known tokens. However, we still need to attempt to release our
+        // reference to them, otherwise the JVM will persist its reference
+        // to them.
+        if (tokenProxy != null) {
+            try {
+                tokenProxy.close();
+            } finally {
+                tokenProxy = null;
+            }
+        }
     }
 
     ///////////////////////////////////////////////////////////////////////


=====================================
org/mozilla/jss/pkcs11/PKCS11Constants.java
=====================================
The diff for this file was not included because it is too large.

=====================================
org/mozilla/jss/provider/javax/crypto/JSSTokenKeyManager.java
=====================================
@@ -118,8 +118,10 @@ public class JSSTokenKeyManager implements JSSKeyManager {
 
         try {
             if (jks == null) {
-                org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
-                return cm.findPrivKeyByCert(cert);
+                try (PK11Cert cert = (PK11Cert) cm.findCertByNickname(alias)) {
+                    PrivateKey key = cm.findPrivKeyByCert(cert);
+                    return key;
+                }
             }
 
             return (PrivateKey) jks.getKey(alias, password);
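
Review bot: The unchecked cast in "(PK11Cert) cm.findCertByNickname(alias)" will throw ClassCastException if the manager ever returns a different X509Certificate implementation; test with instanceof or document why only PK11Cert can come back. The temporary in "PrivateKey key = ...; return key;" adds nothing, so return the call result directly, and confirm the enclosing catch covers whatever PK11Cert.close() declares, since try-with-resources now calls it on this path.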


=====================================
org/mozilla/jss/ssl/javax/BufferPRFD.c
=====================================
@@ -94,6 +94,7 @@ static PRStatus PRBufferClose(PRFileDesc *fd)
     PR_ASSERT(fd->identity == buffer_layer_id);
     PR_ASSERT(fd->higher == NULL);
     PR_ASSERT(fd->lower == NULL);
+    fd->dtor(fd);
 
     return rv;
 }
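
Review bot: fd->dtor(fd) is called unconditionally, while the only checks that this is the last remaining layer are the PR_ASSERT(fd->higher == NULL) and PR_ASSERT(fd->lower == NULL) lines above it, which compile away in non-debug builds. If PRBufferClose is ever reached with other layers still attached, the destructor tears down a layer the stack still references. Turn the condition into a real runtime check, and add a comment that fd must not be touched after this function returns.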


=====================================
org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
=====================================
@@ -195,6 +195,12 @@ public class JSSEngineReferenceImpl extends JSSEngine {
 
         // Initialize ssl_fd from the model Buffer-backed PRFileDesc.
         ssl_fd = SSL.ImportFD(model, fd);
+        if (ssl_fd == null) {
+            PR.Close(fd);
+            throw new SSLException("Error creating SSL socket on top of buffer-backed PRFileDesc.");
+        }
+
+        fd = null;
         closed_fd = false;
 
         // Turn on SSL Alert Logging for the ssl_fd object.
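
Review bot: The new "if (ssl_fd == null)" branch cannot run. With the SSL.java change in this same push, SSL.ImportFD throws on failure instead of returning null, so PR.Close(fd) is skipped and fd leaks on exactly the path this block was meant to cover. Wrap the SSL.ImportFD(model, fd) call in a try/catch that closes fd and rethrows as SSLException, and drop the null check.
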
@@ -536,14 +542,20 @@ public class JSSEngineReferenceImpl extends JSSEngine {
     public void closeInbound() {
         debug("JSSEngine: closeInbound()");
 
-        PR.Shutdown(ssl_fd, PR.SHUTDOWN_RCV);
+        if (!is_inbound_closed && ssl_fd != null && !closed_fd) {
+            PR.Shutdown(ssl_fd, PR.SHUTDOWN_RCV);
+        }
+
         is_inbound_closed = true;
     }
 
     public void closeOutbound() {
         debug("JSSEngine: closeOutbound()");
 
-        PR.Shutdown(ssl_fd, PR.SHUTDOWN_SEND);
+        if (!is_outbound_closed && ssl_fd != null && !closed_fd) {
+            PR.Shutdown(ssl_fd, PR.SHUTDOWN_SEND);
+        }
+
         is_outbound_closed = true;
     }
 
@@ -554,7 +566,9 @@ public class JSSEngineReferenceImpl extends JSSEngine {
     public Runnable getDelegatedTask() {
         debug("JSSEngine: getDelegatedTask()");
 
-        checkNeedCertValidation();
+        if (ssl_fd != null) {
+            checkNeedCertValidation();
+        }
 
         return task;
     }
@@ -1422,6 +1436,12 @@ public class JSSEngineReferenceImpl extends JSSEngine {
 
         // Then clean up the NSS state.
         cleanupSSLFD();
+
+        // Clean up the session.
+        if (session != null) {
+            session.close();
+            session = null;
+        }
     }
 
     private void cleanupLoggingSocket() {


=====================================
org/mozilla/jss/ssl/javax/JSSSession.java
=====================================
@@ -1,5 +1,6 @@
 package org.mozilla.jss.ssl.javax;
 
+import java.lang.AutoCloseable;
 import java.security.cert.Certificate;
 import javax.security.cert.X509Certificate;
 import java.security.Principal;
@@ -11,7 +12,7 @@ import org.mozilla.jss.nss.*;
 import org.mozilla.jss.pkcs11.*;
 import org.mozilla.jss.ssl.*;
 
-public class JSSSession implements SSLSession {
+public class JSSSession implements SSLSession, AutoCloseable {
     private JSSEngine parent;
 
     private int applicationBufferSize;
@@ -37,6 +38,8 @@ public class JSSSession implements SSLSession {
     private X509Certificate[] peerChain;
     private Certificate[] peerCertificates;
 
+    private boolean closed;
+
     protected JSSSession(JSSEngine engine, int buffer_size) {
         this.parent = engine;
 
@@ -133,7 +136,7 @@ public class JSSSession implements SSLSession {
     }
 
     public boolean isValid() {
-        return System.currentTimeMillis() < getExpirationTime();
+        return !closed && System.currentTimeMillis() < getExpirationTime();
     }
 
     public void invalidate() {
@@ -142,6 +145,11 @@ public class JSSSession implements SSLSession {
         }
     }
 
+    public void close() {
+        closed = true;
+        setPeerCertificates(null);
+    }
+
     public void putValue(String name, Object value) {
         if (appDataMap.containsKey(name)) {
             removeValue(name);
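
Review bot: close() sets closed and releases peerCertificates, but the peerChain array declared next to it is left populated, and closed is a plain boolean that isValid() may read from another thread. Clear peerChain here as well and declare closed as volatile.
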
@@ -184,6 +192,19 @@ public class JSSSession implements SSLSession {
     }
 
     protected void setPeerCertificates(Certificate[] new_certs) {
+        // Free existing certificates prior to setting new ones.
+        if (peerCertificates != null) {
+            for (Certificate cert : peerCertificates) {
+                try {
+                    ((PK11Cert) cert).close();
+                } catch (Exception e) {
+                    // We can't reasonably handle this exception. Raising
+                    // a RuntimeException instead.
+                    throw new RuntimeException(e.getMessage(), e);
+                }
+            }
+        }
+
         peerCertificates = new_certs;
     }
 
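
Review bot: In the new loop, "((PK11Cert) cert).close()" assumes every element is a non-null PK11Cert, and the first failure throws a RuntimeException that leaves the remaining certificates unclosed and peerCertificates still pointing at a partly closed array. Guard with instanceof, keep closing the rest while remembering the first exception, and assign "peerCertificates = new_certs" in a finally block. It is also worth skipping the loop when new_certs is the same array as peerCertificates, otherwise the setter closes the certificates it is about to store.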


=====================================
org/mozilla/jss/ssl/javax/JSSSocket.java
=====================================
@@ -100,6 +100,11 @@ public class JSSSocket extends SSLSocket {
      */
     private boolean autoClose = true;
 
+    /**
+     * Whether or not this socket has been closed.
+     */
+    private boolean closed;
+
     /**
      * Start building a new JSSSocket.
      *
@@ -123,6 +128,11 @@ public class JSSSocket extends SSLSocket {
             throw new IOException(msg);
         }
 
+        if (closed) {
+            String msg = "Unable to perform operations on a closed socket!";
+            throw new IOException(msg);
+        }
+
         this.parent = parent;
     }
 
@@ -132,6 +142,11 @@ public class JSSSocket extends SSLSocket {
      * This is used by initSSLEngine(..) to create the underlying SSLEngine.
      */
     protected SSLContext getSSLContext() throws IOException {
+        if (closed) {
+            String msg = "Unable to perform operations on a closed socket!";
+            throw new IOException(msg);
+        }
+
         if (jssContext == null) {
             try {
                 jssContext = SSLContext.getInstance(engineProviderProtocol, engineProvider);
@@ -159,6 +174,11 @@ public class JSSSocket extends SSLSocket {
      * Initialize the underlying SocketChannel.
      */
     private void init() throws IOException {
+        if (closed) {
+            String msg = "Unable to perform operations on a closed socket!";
+            throw new IOException(msg);
+        }
+
         if (engine == null) {
             initEngine();
         }
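
Review bot: The three-line "if (closed) { ... throw new IOException(msg); }" block added to init() here is the same text already pasted into the two hunks above. Move it into one private helper (for example ensureOpen()) so the message and any later state checks live in one place, and so new entry points are less likely to be added without the check.
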
@@ -689,6 +709,8 @@ public class JSSSocket extends SSLSocket {
         getInternalChannel().close();
         engine.cleanup();
         engine = null;
+        channel = null;
+        closed = true;
     }
 
     @Override
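
Review bot: "closed = true" is the last statement on the close path, after getInternalChannel().close() and engine.cleanup(), so if either of those throws, the socket is never marked closed and stays usable in a half-torn-down state. Set the flag first or move the field resets into a finally block. Unless an earlier line outside this hunk guards it, a second close() call would also reach engine.cleanup() with engine already null; return early when closed is already set.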


=====================================
org/mozilla/jss/ssl/javax/JSSSocketChannel.java
=====================================
@@ -378,6 +378,9 @@ public class JSSSocketChannel extends SocketChannel {
                     shutdownOutput();
                 }
 
+                // Make sure we close the input side of the SSLEngine.
+                engine.closeInbound();
+
                 outboundClosed = true;
                 inboundClosed = true;
             }


=====================================
org/mozilla/jss/tests/TestBufferPRFDSSL.c
=====================================
@@ -25,6 +25,7 @@
 #include <certt.h>
 #include <secmod.h>
 #include <sslproto.h>
+#include <keyhi.h>
 
 /* Standard includes */
 #include <errno.h>
@@ -142,6 +143,8 @@ static CERTCertificate *get_cert(char *host)
         }
     }
 
+    CERT_DestroyCertList(clist);
+
     return NULL;
 }
 
@@ -180,7 +183,7 @@ static SECKEYPrivateKey *get_privkey(CERTCertificate *cert, char *password)
     return PK11_FindPrivateKeyFromCert(slot, cert, NULL);
 }
 
-static PRFileDesc *setup_nss_server(PRFileDesc *s_nspr, char *host, char *password, char *nickname)
+static PRFileDesc *setup_nss_server(PRFileDesc *s_nspr, char *host, char *password, char *nickname, SECKEYPrivateKey **priv_key)
 {
     /* Set up the server end of the SSL connection and find certificates. */
     /* Adapted from aforementioned Fedora developer guide and mod_nss. */
@@ -190,8 +193,8 @@ static PRFileDesc *setup_nss_server(PRFileDesc *s_nspr, char *host, char *passwo
         exit(1);
     }
 
-    SECKEYPrivateKey *priv_key = get_privkey(cert, password);
-    if (priv_key == NULL) {
+    *priv_key = get_privkey(cert, password);
+    if (*priv_key == NULL) {
         printf("Failed to find private key for certificate for host: %s\n", host);
         const PRErrorCode err = PR_GetError();
         fprintf(stderr, "error %d: %s\n",
@@ -221,7 +224,7 @@ static PRFileDesc *setup_nss_server(PRFileDesc *s_nspr, char *host, char *passwo
 
     /* This part differs from the client side: set the certificate and
      * private key we're using. */
-    if (SSL_ConfigServerCert(s_nspr, cert, priv_key, NULL, 0) != SECSuccess) {
+    if (SSL_ConfigServerCert(s_nspr, cert, *priv_key, NULL, 0) != SECSuccess) {
         const PRErrorCode err = PR_GetError();
         fprintf(stderr, "error: SSL_ConfigServerCert error %d: %s\n",
             err, PR_ErrorToName(err));
@@ -304,8 +307,9 @@ int main(int argc, char** argv)
 
     /* Set up client and server sockets with NSSL */
     char *host = "localhost";
+    SECKEYPrivateKey *priv_key;
     c_nspr = setup_nss_client(c_nspr, host);
-    s_nspr = setup_nss_server(s_nspr, host, argv[2], argv[3]);
+    s_nspr = setup_nss_server(s_nspr, host, argv[2], argv[3], &priv_key);
 
     /* In the handshake step, we blindly try to step both the client and
      * server ends of the handshake. As NSS stores the contents of what we're
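
Review bot: "SECKEYPrivateKey *priv_key;" is declared without an initializer and is later passed to SECKEY_DestroyPrivateKey. Initialize it to NULL so that any future early-return path in setup_nss_server cannot hand an indeterminate pointer to the destroy call.
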
@@ -421,5 +425,12 @@ int main(int argc, char** argv)
     jb_free(c_read_buf);
     jb_free(c_write_buf);
 
+    free(buf);
+    free(buf2);
+
+    SECKEY_DestroyPrivateKey(priv_key);
+
+    NSS_Shutdown();
+
     return 0;
 }
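
Review bot: The return value of NSS_Shutdown() is ignored. In a test whose purpose is to show the leaks are gone, check it: NSS_Shutdown() returns SECFailure when objects are still referenced, so "if (NSS_Shutdown() != SECSuccess)" followed by a non-zero exit turns any remaining leaked reference into a test failure.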


=====================================
org/mozilla/jss/tests/TestSSLEngine.java
=====================================
@@ -1,17 +1,28 @@
 package org.mozilla.jss.tests;
 
-import java.lang.*;
-import java.nio.*;
-import java.net.*;
-import java.util.*;
-import java.security.*;
-import javax.net.ssl.*;
-
-import org.mozilla.jss.*;
-import org.mozilla.jss.nss.*;
-import org.mozilla.jss.ssl.*;
-import org.mozilla.jss.ssl.javax.*;
-import org.mozilla.jss.provider.javax.crypto.*;
+import java.nio.ByteBuffer;
+import java.security.KeyStore;
+import java.util.ArrayList;
+import java.util.Arrays;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.provider.javax.crypto.JSSNativeTrustManager;
+import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;
+import org.mozilla.jss.ssl.SSLCipher;
+import org.mozilla.jss.ssl.SSLVersion;
+import org.mozilla.jss.ssl.javax.JSSEngine;
+import org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl;
+import org.mozilla.jss.ssl.javax.JSSParameters;
 
 public class TestSSLEngine {
     public static boolean debug = false;
@@ -66,13 +77,16 @@ public class TestSSLEngine {
 
         // Tests {get,set}EnabledProtocols()
         String[] protocols = ssle.getSupportedProtocols();
-        assert protocols.length >= 2;
-        String secondProtocol = protocols[1];
-        String[] oneProtocols = new String[]{ secondProtocol };
+
+        // Fedora returns at least 2 supported protocols
+        // in FIPS mode, but RHEL returns only 1.
+        assert protocols.length >= 1;
+        String firstProtocol = protocols[0];
+        String[] oneProtocols = new String[]{ firstProtocol };
         ssle.setEnabledProtocols(oneProtocols);
         protocols = ssle.getEnabledProtocols();
         assert protocols.length == 1;
-        assert protocols[0].equals(secondProtocol);
+        assert protocols[0].equals(firstProtocol);
 
         // Tests {get,set}UseClientMode
         ssle.setUseClientMode(true);


=====================================
org/mozilla/jss/util/NativeProxy.java
=====================================
@@ -4,12 +4,14 @@
 
 package org.mozilla.jss.util;
 
-import java.util.HashSet;
-
 import java.lang.AutoCloseable;
 import java.lang.Thread;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.Objects;
+import java.util.Set;
+import java.util.WeakHashMap;
 import java.util.concurrent.atomic.AtomicInteger;
 
 import org.mozilla.jss.CryptoManager;
@@ -59,13 +61,11 @@ public abstract class NativeProxy implements AutoCloseable
             mHashCode += Arrays.hashCode(mPointer);
         }
 
-        if (track) {
+        if (track && saveStacktraces) {
             assert(pointer != null);
             registry.add(this);
 
-            if (saveStacktraces) {
-                mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
-            }
+            mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
         }
     }
 
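
Review bot: Changing the condition to "if (track && saveStacktraces)" means proxies are added to registry only when stack traces are being saved, so with saveStacktraces off nothing is tracked at all. The commit message describes only the move to weak references. If this narrowing is intended, say so in a comment here and in the registry Javadoc, because anything that walks the registry to report unreleased native objects will now see an empty set in normal runs.
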
@@ -165,7 +165,7 @@ public abstract class NativeProxy implements AutoCloseable
      */
     public final void clear() {
         this.mPointer = null;
-        registry.remove(this);
+        // registry.remove(this);
     }
 
     /**
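
Review bot: "// registry.remove(this);" leaves dead code in clear() with no explanation. Delete the line, or replace it with a comment saying why a cleared proxy should stay in the registry until it is garbage collected.
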
@@ -199,7 +199,7 @@ public abstract class NativeProxy implements AutoCloseable
      * NativeProxy.finalize() from their subclasses of NativeProxy, so that
      * releaseNativeResources() gets called.
      */
-    static HashSet<NativeProxy> registry = new HashSet<NativeProxy>();
+    static Set<NativeProxy> registry = Collections.newSetFromMap(new WeakHashMap<NativeProxy, Boolean>());
     static AtomicInteger registryIndex = new AtomicInteger();
 
     public String toString() {
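
Review bot: "Collections.newSetFromMap(new WeakHashMap<NativeProxy, Boolean>())" is not thread-safe, and registry is a static shared by every proxy created on any thread; wrap it in Collections.synchronizedSet(...) unless all access is already synchronized elsewhere. WeakHashMap also locates entries through hashCode() and equals(), and the constructor hunk above shows mHashCode is derived from mPointer, so if equals() compares pointers the same way, two proxies wrapping the same pointer collapse into one registry entry. The Javadoc above the field still refers to finalize() and should describe the weak-reference behaviour.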


=====================================
tools/Dockerfiles/debian_jdk11
=====================================
@@ -32,4 +32,5 @@ CMD true \
         && cmake .. \
         && make all \
         && ctest --output-on-failure \
+        && make javadoc \
         && true


=====================================
tools/Dockerfiles/fedora_rawhide
=====================================
@@ -29,4 +29,5 @@ CMD true \
         && cmake .. \
         && make all \
         && ctest --output-on-failure \
+        && make javadoc \
         && true



View it on GitLab: https://salsa.debian.org/freeipa-team/jss/-/compare/217dc9e4421f67c1836f261373a0297fff68adc9...ad2f8413efbf28bfc759410e6758b2e4d972e7cc
