import jss-4.6.2-6.module+el8.2.0+6305+445d7b5a

SOURCES/0005-Fix-NativeProxy-release.patch

@@ -0,0 +1,147 @@
+From e623f14abcee16b5dfc57d6956e0ab4bb526ba5b Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 Apr 2020 12:21:49 -0400
+Subject: [PATCH] Fix NativeProxy registry tracking
+
+When the switch was made to a HashSet-based registry in
+eb5df01003d74b57473eacb84e538d31f5bb06ca, NativeProxy didn't override
+hashCode(...). This resulted in calls to close() (and thus, finalize())
+not invoking the releaseNativeResources() function to release the
+underlying memory.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ org/mozilla/jss/util/NativeProxy.java | 55 +++++++++++++++++++++------
+ 1 file changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
+index a0811f76..385c49f9 100644
+--- a/org/mozilla/jss/util/NativeProxy.java
++++ b/org/mozilla/jss/util/NativeProxy.java
+@@ -9,8 +9,10 @@ import java.util.HashSet;
+ import java.lang.AutoCloseable;
+ import java.lang.Thread;
+ import java.util.Arrays;
++import java.util.concurrent.atomic.AtomicInteger;
+ 
+ import org.mozilla.jss.CryptoManager;
++import org.mozilla.jss.netscape.security.util.Utils;
+ 
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+@@ -39,11 +41,13 @@ public abstract class NativeProxy implements AutoCloseable
+      * NativeProxy instance acts as a proxy for that native data structure.
+      */
+     public NativeProxy(byte[] pointer) {
+-		assert(pointer!=null);
++        assert(pointer!=null);
++
+         mPointer = pointer;
+-        registry.add(this);
++        mHashCode = registryIndex.getAndIncrement();
+ 
+         if (saveStacktraces) {
++            registry.add(this);
+             mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
+         }
+     }
+@@ -55,18 +59,31 @@ public abstract class NativeProxy implements AutoCloseable
+      *      a different underlying native pointer.
+      */
+     public boolean equals(Object obj) {
+-        if(obj==null) {
++        if (obj == null) {
+             return false;
+         }
+-        if( ! (obj instanceof NativeProxy) ) {
++        if (!(obj instanceof NativeProxy)) {
+             return false;
+         }
+-        if (((NativeProxy)obj).mPointer == null) {
+-            /* If mPointer is null, we have no way to compare the values
+-             * of the pointers, so assume they're unequal. */
++        NativeProxy nObj = (NativeProxy) obj;
++        if (this.mPointer == null || nObj.mPointer == null) {
+             return false;
+         }
+-        return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
++
++        return Arrays.equals(this.mPointer, nObj.mPointer);
++    }
++
++    /**
++     * Hash code based around mPointer value.
++     *
++     * Note that Object.hashCode() isn't sufficient as it tries to determine
++     * the Object's value based on all internal variables. Because we want a
++     * single static hashCode that is unique to each instance of nativeProxy,
++     * we construct it up front based on an incrementing counter and cache it
++     * throughout the lifetime of this object.
++     */
++    public int hashCode() {
++        return mHashCode;
+     }
+ 
+     /**
+@@ -112,11 +129,11 @@ public abstract class NativeProxy implements AutoCloseable
+      */
+     public final void close() throws Exception {
+         try {
+-            if (registry.remove(this)) {
++            if (mPointer != null) {
+                 releaseNativeResources();
+             }
+         } finally {
+-            mPointer = null;
++            clear();
+         }
+     }
+ 
+@@ -131,13 +148,16 @@ public abstract class NativeProxy implements AutoCloseable
+      */
+     public final void clear() {
+         this.mPointer = null;
+-        registry.remove(this);
++        if (saveStacktraces) {
++            registry.remove(this);
++        }
+     }
+ 
+     /**
+      * Byte array containing native pointer bytes.
+      */
+     private byte mPointer[];
++    private int mHashCode;
+ 
+     /**
+      * String containing backtrace of pointer generation.
+@@ -158,6 +178,15 @@ public abstract class NativeProxy implements AutoCloseable
+      * releaseNativeResources() gets called.
+      */
+     static HashSet<NativeProxy> registry = new HashSet<NativeProxy>();
++    static AtomicInteger registryIndex = new AtomicInteger();
++
++    public String toString() {
++        if (mPointer == null) {
++            return this.getClass().getName() + "[" + mHashCode + "@null]";
++        }
++
++        return this.getClass().getName() + "[" + mHashCode + "@" + Utils.HexEncode(mPointer) + "]";
++    }
+ 
+     /**
+      * Internal helper to check whether or not assertions are enabled in the
+@@ -178,6 +207,10 @@ public abstract class NativeProxy implements AutoCloseable
+      * is thrown.
+      */
+     public synchronized static void assertRegistryEmpty() {
++        if (!saveStacktraces) {
++            return;
++        }
++
+         if (!registry.isEmpty()) {
+             logger.warn(registry.size() + " NativeProxys are still registered.");
+ 
+-- 
+2.25.2
+

SOURCES/0006-Fix-SSLSocket-closure.patch

@@ -0,0 +1,108 @@
+From 278ff534e0a30cb112e8c29de573bf45b4264ad2 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 15 Apr 2020 08:20:37 -0400
+Subject: [PATCH] Fix SSLSocket closure
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ org/mozilla/jss/ssl/SocketBase.java | 14 +++++++++++-
+ org/mozilla/jss/ssl/common.c        | 34 +++++++++++++++++++----------
+ 2 files changed, 36 insertions(+), 12 deletions(-)
+
+diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java
+index 2c835913..27109369 100644
+--- a/org/mozilla/jss/ssl/SocketBase.java
++++ b/org/mozilla/jss/ssl/SocketBase.java
+@@ -106,7 +106,19 @@ class SocketBase {
+     static final int SSL_AF_INET6 = 51;
+ 
+     void close() throws IOException {
+-        socketClose();
++        try {
++            if (sockProxy != null) {
++                socketClose();
++                sockProxy.close();
++            }
++        } catch (Exception e) {
++            String msg = "Unexpected exception while trying to finalize ";
++            msg += "SocketProxy: " + e.getMessage();
++
++            throw new IOException(msg, e);
++        } finally {
++            sockProxy = null;
++        }
+     }
+ 
+     // SSLServerSocket and SSLSocket close methods
+diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
+index 2db9fda1..2c52a9d6 100644
+--- a/org/mozilla/jss/ssl/common.c
++++ b/org/mozilla/jss/ssl/common.c
+@@ -333,21 +333,28 @@ JNIEXPORT void JNICALL
+ Java_org_mozilla_jss_ssl_SocketProxy_releaseNativeResources
+     (JNIEnv *env, jobject this)
+ {
+-    /* SSLSocket.close and SSLServerSocket.close call	  */
+-    /* SocketBase.close to destroy all native Resources */
+-    /* attached to the socket. There is no native resource */
+-    /* to release after close has been called. This method  */
+-    /* remains because SocketProxy extends org.mozilla.jss.util.NativeProxy*/
+-    /* which defines releaseNativeResources as abstract and */
+-    /* therefore must be implemented by SocketProxy */
++    JSSL_SocketData *sockdata;
++
++    PR_ASSERT(env != NULL && this != NULL);
++
++    if (JSS_getPtrFromProxy(env, this, (void**)&sockdata) != PR_SUCCESS) {
++        return;
++    }
++
++    JSSL_DestroySocketData(env, sockdata);
+ }
+ 
+ void
+ JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
+ {
+-    PR_ASSERT(sd != NULL);
++    if (sd == NULL) {
++        return;
++    }
+ 
+-    PR_Close(sd->fd);
++    if (sd->fd != NULL) {
++        PR_Close(sd->fd);
++        sd->fd = NULL;
++    }
+ 
+     if( sd->socketObject != NULL ) {
+         DELETE_WEAK_GLOBAL_REF(env, sd->socketObject );
+@@ -367,6 +374,8 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
+     if( sd->lock != NULL ) {
+         PR_DestroyLock(sd->lock);
+     }
++
++    memset(sd, 0, sizeof(JSSL_SocketData));
+     PR_Free(sd);
+ }
+ 
+@@ -540,12 +549,15 @@ Java_org_mozilla_jss_ssl_SocketBase_socketClose(JNIEnv *env, jobject self)
+     JSSL_SocketData *sock = NULL;
+ 
+     /* get the FD */
+-    if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
++    if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS || sock == NULL) {
+         /* exception was thrown */
+         return;
+     }
+ 
+-    JSSL_DestroySocketData(env, sock);
++    if (sock->fd != NULL) {
++        PR_Close(sock->fd);
++        sock->fd = NULL;
++    }
+ }
+ 
+ JNIEXPORT void JNICALL
+-- 
+2.25.2
+

SPECS/jss.spec

@@ -7,7 +7,7 @@ URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
 Version:        4.6.2
-Release:        4%{?_timestamp}%{?_commit_id}%{?dist}
+Release:        6%{?_timestamp}%{?_commit_id}%{?dist}
 # global         _phase -a1
 
 # To generate the source tarball:
@@ -29,6 +29,8 @@ Patch0: 0001-Fix-NativeProxy-reference-tracker.patch
 Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
 Patch3: 0003-Use-specified-algorithm-for-KeyWrap.patch
 Patch4: 0004-Remove-token-key-checks.patch
+Patch5: 0005-Fix-NativeProxy-release.patch
+Patch6: 0006-Fix-SSLSocket-closure.patch
 
 ################################################################################
 # Build Dependencies
@@ -163,6 +165,15 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 
 ################################################################################
 %changelog
+* Wed Apr 15 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-6
+- NativeProxy never calls releaseNativeResources - Memory Leak
+  Additional patch to fix SSLSocket resource freeing
+  Bugzilla #1822402
+
+* Tue Apr 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-5
+- NativeProxy never calls releaseNativeResources - Memory Leak
+  Bugzilla #1822402
+
 * Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4
 - Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing