rpms/jss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import jss-4.7.3-1.module+el8.3.0+8058+d5cd4219

Browse Source
This commit is contained in:
CentOS Sources 2020-11-03 07:42:17 -05:00 committed by Andrew Lukoshko
parent b98978f120
commit e702b3dad2
9 changed files with 52 additions and 589 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/jss-4.6.2.tar.gz SOURCES/jss-4.7.3.tar.gz

2
.jss.metadata
View File

@ -1 +1 @@
4fea1d770e0882aa9c1c6c493bce9eb579b5c085 SOURCES/jss-4.6.2.tar.gz c3c5fdc3003d78b26071d0c215067019ede3ad60 SOURCES/jss-4.7.3.tar.gz

53
SOURCES/0001-Fix-NativeProxy-reference-tracker.patch
View File

@ -1,53 +0,0 @@
From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 29 Oct 2019 10:43:56 -0400
Subject: [PATCH] Fix NativeProxy reference tracker
In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
setting mPointer after trying to add NativeProxy to the registry. In
most instances this won't matter, however, if another instance exists in
the HashSet with the same hash value, the equals comparator will be
used, triggering a NPE.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
index 1c6d1aa5..a0811f76 100644
--- a/org/mozilla/jss/util/NativeProxy.java
+++ b/org/mozilla/jss/util/NativeProxy.java
@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
*/
public NativeProxy(byte[] pointer) {
assert(pointer!=null);
- registry.add(this);
mPointer = pointer;
+ registry.add(this);
if (saveStacktraces) {
mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
if( ! (obj instanceof NativeProxy) ) {
return false;
}
- if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
+ if (((NativeProxy)obj).mPointer == null) {
+ /* If mPointer is null, we have no way to compare the values
+ * of the pointers, so assume they're unequal. */
return false;
}
- for(int i=0; i < mPointer.length; i++) {
- if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
- return false;
- }
- }
- return true;
+ return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
}
/**
--
2.21.0

80
SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch
View File

@ -1,80 +0,0 @@
From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:10:32 -0500
Subject: [PATCH 1/2] Fix swapped parameter names with PBE
Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
related to extracting the parameter classes during PBE operations:
previously, the classes of the underlying encryption algorithm were
iterated over, instead of the classes of the PBE class itself. However,
this commit iterated over the PBE parameter classes; no PBE algorithm
accepts a IvParameterSpec, resulting in a null parameter passed to the
later encryption or key wrap operation. This resulted in stack traces
like the following:
Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
Resolves: rh-bz#1807371
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
index 084752c3..0344b14d 100644
--- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
index a4709070..d85eb0d3 100644
--- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index b35714e3..ebd269f3 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
--
2.24.1

60
SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch
View File

@ -1,60 +0,0 @@
From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:39:29 -0500
Subject: [PATCH 2/2] Use specified algorithm for KeyWrap
When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
called, it would always request DES3_CBC_PAD as the key wrapping
algorithm, regardless of the input PBE key type. However, the other form
(with an implicit token) was correctly handling this case.
Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
instead of having to convert to/from a String form.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
index 3113f614..3a106977 100644
--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
+ return fromOID(oid);
+ }
+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
if (oid.equals(AES_KEY_WRAP_PAD_OID))
return AES_KEY_WRAP_PAD;
@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
if (oid.equals(DES_CBC_PAD_OID))
return DES_CBC_PAD;
- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
}
}
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index ebd269f3..abfc39a7 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
}
}
- KeyWrapper wrapper = token.getKeyWrapper(
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ // wrap the key
+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
wrapper.initWrap(key, params);
byte encrypted[] = wrapper.wrap(pri);
--
2.24.1

112
SOURCES/0004-Remove-token-key-checks.patch
View File

@ -1,112 +0,0 @@
From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 17 Mar 2020 12:54:49 -0400
Subject: [PATCH 1/2] Remove token key checks
Previously we enforced strict token key matching: the primary key used
for the operation must strictly reside on the current PKCS#11 token,
otherwise JSS would bail. However, NSS has the ability to move the key
to whichever token best supports the given operation. This means that
we'd prematurely bail when the operation would succeed if it were
actually executed. By removing these checks, we still leave the ability
to generate keys on a specific token, we just allow them to be used on
whatever token supports the given operation (and the key is allowed to
be moved to).
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/pkcs11/PK11Cipher.java | 4 ----
org/mozilla/jss/pkcs11/PK11KeyWrapper.java | 22 -------------------
org/mozilla/jss/pkcs11/PK11MessageDigest.java | 7 ------
3 files changed, 33 deletions(-)
diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java
index 81b600a4..aac411a4 100644
--- a/org/mozilla/jss/pkcs11/PK11Cipher.java
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java
@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher {
if( key==null ) {
throw new InvalidKeyException("Key is null");
}
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the "+
- "current token");
- }
if( ! (key instanceof PK11SymKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
index 28840a87..eee2984d 100644
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("Key is null");
}
try {
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
- key.getOwningToken().getName());
- }
if( ! (key instanceof PK11SymKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
if( key==null ) {
throw new InvalidKeyException("Key is null");
}
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the "+
- "current token");
- }
if( ! (key instanceof PK11PrivKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
-/* NSS is capable of moving keys appropriately,
- so this call is prematurely bailing
- if( ! symKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-*/
}
/**
@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
-/* NSS is capable of moving keys appropriately,
- so this call is prematurely bailing
- if( ! privKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-*/
}
/**
diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
index cd732788..7a1a6dad 100644
--- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java
+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest {
}
hmacKey = (PK11SymKey) key;
-
- if( ! key.getOwningToken().equals(token) ) {
- hmacKey = null;
- throw new InvalidKeyException(
- "HMAC key does not live on the same token as this digest");
- }
-
this.digestProxy = initHMAC(token, alg, hmacKey);
}
--
2.25.1

147
SOURCES/0005-Fix-NativeProxy-release.patch
View File

@ -1,147 +0,0 @@
From e623f14abcee16b5dfc57d6956e0ab4bb526ba5b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 Apr 2020 12:21:49 -0400
Subject: [PATCH] Fix NativeProxy registry tracking
When the switch was made to a HashSet-based registry in
eb5df01003d74b57473eacb84e538d31f5bb06ca, NativeProxy didn't override
hashCode(...). This resulted in calls to close() (and thus, finalize())
not invoking the releaseNativeResources() function to release the
underlying memory.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/util/NativeProxy.java | 55 +++++++++++++++++++++------
1 file changed, 44 insertions(+), 11 deletions(-)
diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
index a0811f76..385c49f9 100644
--- a/org/mozilla/jss/util/NativeProxy.java
+++ b/org/mozilla/jss/util/NativeProxy.java
@@ -9,8 +9,10 @@ import java.util.HashSet;
import java.lang.AutoCloseable;
import java.lang.Thread;
import java.util.Arrays;
+import java.util.concurrent.atomic.AtomicInteger;
import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.netscape.security.util.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -39,11 +41,13 @@ public abstract class NativeProxy implements AutoCloseable
* NativeProxy instance acts as a proxy for that native data structure.
*/
public NativeProxy(byte[] pointer) {
- assert(pointer!=null);
+ assert(pointer!=null);
+
mPointer = pointer;
- registry.add(this);
+ mHashCode = registryIndex.getAndIncrement();
if (saveStacktraces) {
+ registry.add(this);
mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
}
}
@@ -55,18 +59,31 @@ public abstract class NativeProxy implements AutoCloseable
* a different underlying native pointer.
*/
public boolean equals(Object obj) {
- if(obj==null) {
+ if (obj == null) {
return false;
}
- if( ! (obj instanceof NativeProxy) ) {
+ if (!(obj instanceof NativeProxy)) {
return false;
}
- if (((NativeProxy)obj).mPointer == null) {
- /* If mPointer is null, we have no way to compare the values
- * of the pointers, so assume they're unequal. */
+ NativeProxy nObj = (NativeProxy) obj;
+ if (this.mPointer == null || nObj.mPointer == null) {
return false;
}
- return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
+
+ return Arrays.equals(this.mPointer, nObj.mPointer);
+ }
+
+ /**
+ * Hash code based around mPointer value.
+ *
+ * Note that Object.hashCode() isn't sufficient as it tries to determine
+ * the Object's value based on all internal variables. Because we want a
+ * single static hashCode that is unique to each instance of nativeProxy,
+ * we construct it up front based on an incrementing counter and cache it
+ * throughout the lifetime of this object.
+ */
+ public int hashCode() {
+ return mHashCode;
}
/**
@@ -112,11 +129,11 @@ public abstract class NativeProxy implements AutoCloseable
*/
public final void close() throws Exception {
try {
- if (registry.remove(this)) {
+ if (mPointer != null) {
releaseNativeResources();
}
} finally {
- mPointer = null;
+ clear();
}
}
@@ -131,13 +148,16 @@ public abstract class NativeProxy implements AutoCloseable
*/
public final void clear() {
this.mPointer = null;
- registry.remove(this);
+ if (saveStacktraces) {
+ registry.remove(this);
+ }
}
/**
* Byte array containing native pointer bytes.
*/
private byte mPointer[];
+ private int mHashCode;
/**
* String containing backtrace of pointer generation.
@@ -158,6 +178,15 @@ public abstract class NativeProxy implements AutoCloseable
* releaseNativeResources() gets called.
*/
static HashSet<NativeProxy> registry = new HashSet<NativeProxy>();
+ static AtomicInteger registryIndex = new AtomicInteger();
+
+ public String toString() {
+ if (mPointer == null) {
+ return this.getClass().getName() + "[" + mHashCode + "@null]";
+ }
+
+ return this.getClass().getName() + "[" + mHashCode + "@" + Utils.HexEncode(mPointer) + "]";
+ }
/**
* Internal helper to check whether or not assertions are enabled in the
@@ -178,6 +207,10 @@ public abstract class NativeProxy implements AutoCloseable
* is thrown.
*/
public synchronized static void assertRegistryEmpty() {
+ if (!saveStacktraces) {
+ return;
+ }
+
if (!registry.isEmpty()) {
logger.warn(registry.size() + " NativeProxys are still registered.");
--
2.25.2

108
SOURCES/0006-Fix-SSLSocket-closure.patch
View File

@ -1,108 +0,0 @@
From 278ff534e0a30cb112e8c29de573bf45b4264ad2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 15 Apr 2020 08:20:37 -0400
Subject: [PATCH] Fix SSLSocket closure
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/ssl/SocketBase.java | 14 +++++++++++-
org/mozilla/jss/ssl/common.c | 34 +++++++++++++++++++----------
2 files changed, 36 insertions(+), 12 deletions(-)
diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java
index 2c835913..27109369 100644
--- a/org/mozilla/jss/ssl/SocketBase.java
+++ b/org/mozilla/jss/ssl/SocketBase.java
@@ -106,7 +106,19 @@ class SocketBase {
static final int SSL_AF_INET6 = 51;
void close() throws IOException {
- socketClose();
+ try {
+ if (sockProxy != null) {
+ socketClose();
+ sockProxy.close();
+ }
+ } catch (Exception e) {
+ String msg = "Unexpected exception while trying to finalize ";
+ msg += "SocketProxy: " + e.getMessage();
+
+ throw new IOException(msg, e);
+ } finally {
+ sockProxy = null;
+ }
}
// SSLServerSocket and SSLSocket close methods
diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
index 2db9fda1..2c52a9d6 100644
--- a/org/mozilla/jss/ssl/common.c
+++ b/org/mozilla/jss/ssl/common.c
@@ -333,21 +333,28 @@ JNIEXPORT void JNICALL
Java_org_mozilla_jss_ssl_SocketProxy_releaseNativeResources
(JNIEnv *env, jobject this)
{
- /* SSLSocket.close and SSLServerSocket.close call */
- /* SocketBase.close to destroy all native Resources */
- /* attached to the socket. There is no native resource */
- /* to release after close has been called. This method */
- /* remains because SocketProxy extends org.mozilla.jss.util.NativeProxy*/
- /* which defines releaseNativeResources as abstract and */
- /* therefore must be implemented by SocketProxy */
+ JSSL_SocketData *sockdata;
+
+ PR_ASSERT(env != NULL && this != NULL);
+
+ if (JSS_getPtrFromProxy(env, this, (void**)&sockdata) != PR_SUCCESS) {
+ return;
+ }
+
+ JSSL_DestroySocketData(env, sockdata);
}
void
JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
{
- PR_ASSERT(sd != NULL);
+ if (sd == NULL) {
+ return;
+ }
- PR_Close(sd->fd);
+ if (sd->fd != NULL) {
+ PR_Close(sd->fd);
+ sd->fd = NULL;
+ }
if( sd->socketObject != NULL ) {
DELETE_WEAK_GLOBAL_REF(env, sd->socketObject );
@@ -367,6 +374,8 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
if( sd->lock != NULL ) {
PR_DestroyLock(sd->lock);
}
+
+ memset(sd, 0, sizeof(JSSL_SocketData));
PR_Free(sd);
}
@@ -540,12 +549,15 @@ Java_org_mozilla_jss_ssl_SocketBase_socketClose(JNIEnv *env, jobject self)
JSSL_SocketData *sock = NULL;
/* get the FD */
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS || sock == NULL) {
/* exception was thrown */
return;
}
- JSSL_DestroySocketData(env, sock);
+ if (sock->fd != NULL) {
+ PR_Close(sock->fd);
+ sock->fd = NULL;
+ }
}
JNIEXPORT void JNICALL
--
2.25.2

75
SPECS/jss.spec
View File

@ -6,8 +6,8 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.6.2 Version: 4.7.3
Release: 6%{?_timestamp}%{?_commit_id}%{?dist} Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -a1 #global _phase -a1
# To generate the source tarball: # To generate the source tarball:
@ -25,12 +25,6 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# <version tag> \ # <version tag> \
# > jss-VERSION-RELEASE.patch # > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch
Patch0: 0001-Fix-NativeProxy-reference-tracker.patch
Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
Patch3: 0003-Use-specified-algorithm-for-KeyWrap.patch
Patch4: 0004-Remove-token-key-checks.patch
Patch5: 0005-Fix-NativeProxy-release.patch
Patch6: 0006-Fix-SSLSocket-closure.patch
################################################################################ ################################################################################
# Build Dependencies # Build Dependencies
@ -40,11 +34,13 @@ Patch6: 0006-Fix-SSLSocket-closure.patch
BuildRequires: git BuildRequires: git
BuildRequires: make BuildRequires: make
BuildRequires: cmake BuildRequires: cmake
BuildRequires: zip
BuildRequires: unzip
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: nspr-devel >= 4.13.1 BuildRequires: nspr-devel >= 4.13.1
BuildRequires: nss-devel >= 3.30 BuildRequires: nss-devel >= 3.44
BuildRequires: nss-tools >= 3.30 BuildRequires: nss-tools >= 3.44
BuildRequires: java-devel BuildRequires: java-devel
BuildRequires: jpackage-utils BuildRequires: jpackage-utils
BuildRequires: slf4j BuildRequires: slf4j
@ -55,11 +51,10 @@ BuildRequires: glassfish-jaxb-api
BuildRequires: slf4j-jdk14 BuildRequires: slf4j-jdk14
%endif %endif
BuildRequires: apache-commons-lang BuildRequires: apache-commons-lang
BuildRequires: apache-commons-codec
BuildRequires: junit BuildRequires: junit
Requires: nss >= 3.30 Requires: nss >= 3.44
Requires: java-headless Requires: java-headless
Requires: jpackage-utils Requires: jpackage-utils
Requires: slf4j Requires: slf4j
@ -70,7 +65,6 @@ Requires: glassfish-jaxb-api
Requires: slf4j-jdk14 Requires: slf4j-jdk14
%endif %endif
Requires: apache-commons-lang Requires: apache-commons-lang
Requires: apache-commons-codec
Conflicts: ldapjdk < 4.20 Conflicts: ldapjdk < 4.20
Conflicts: idm-console-framework < 1.2 Conflicts: idm-console-framework < 1.2
@ -114,15 +108,28 @@ export CFLAGS
# Check if we're in FIPS mode # Check if we're in FIPS mode
modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1 modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
# RHEL's CMake doesn't support -B flag.
%if 0%{?rhel}
%{__mkdir_p} %{_vpath_builddir}
cd %{_vpath_builddir}
%endif
# The Makefile is not thread-safe # The Makefile is not thread-safe
rm -rf build && mkdir -p build && cd build
%cmake \ %cmake \
-DJAVA_HOME=%{java_home} \ -DJAVA_HOME=%{java_home} \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
%if 0%{?rhel}
.. ..
%else
-B %{_vpath_builddir}
%endif
%if 0%{?fedora}
cd %{_vpath_builddir}
%endif
%{__make} all %{__make} all
%{__make} javadoc || true %{__make} javadoc
ctest --output-on-failure ctest --output-on-failure
################################################################################ ################################################################################
@ -132,19 +139,19 @@ ctest --output-on-failure
# jars # jars
install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir} install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
install -m 644 build/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar install -m 644 %{_vpath_builddir}/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
# We have to use the name libjss4.so because this is dynamically # We have to use the name libjss4.so because this is dynamically
# loaded by the jar file. # loaded by the jar file.
install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
install -m 0755 build/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/ install -m 0755 %{_vpath_builddir}/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
pushd ${RPM_BUILD_ROOT}%{_libdir}/jss pushd ${RPM_BUILD_ROOT}%{_libdir}/jss
ln -fs %{_jnidir}/jss4.jar jss4.jar ln -fs %{_jnidir}/jss4.jar jss4.jar
popd popd
# javadoc # javadoc
install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -rp build/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} cp -rp %{_vpath_builddir}/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
@ -153,7 +160,8 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt %doc jss.html
%license MPL-1.1.txt gpl.txt lgpl.txt
%{_libdir}/* %{_libdir}/*
%{_jnidir}/* %{_jnidir}/*
@ -165,14 +173,29 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################ ################################################################################
%changelog %changelog
* Wed Apr 15 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-6 * Fri Sep 11 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.3-1
- NativeProxy never calls releaseNativeResources - Memory Leak - Rebase to upstream stable release JSS v4.7.3
Additional patch to fix SSLSocket resource freeing - Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
Bugzilla #1822402
* Tue Apr 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-5 * Thu Aug 06 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.2-1
- NativeProxy never calls releaseNativeResources - Memory Leak - Rebase to upstream stable release JSS v4.7.2
Bugzilla #1822402 - Red Hat Bugzilla #1822246 - Fix SSLSocket NULL pointer deference after close
* Fri Jul 31 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.1-1
- Rebase to upstream stable release JSS v4.7.1
* Thu Jul 09 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-1
- Rebase to upstream stable release JSS v4.7.0
- Fixed TestSSLEngine
* Thu Jun 25 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.4
- Rebased to JSS 4.7.0-b4
* Mon Jun 22 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.3
- Rebased to JSS 4.7.0-b3
* Tue May 26 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.1
- Rebased to JSS 4.7.0-b1
* Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4 * Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4
- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing - Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing