diff --git a/.gitignore b/.gitignore index fe33249..1c02d34 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/jss-4.6.2.tar.gz +SOURCES/jss-4.7.3.tar.gz diff --git a/.jss.metadata b/.jss.metadata index d14bd57..f86585b 100644 --- a/.jss.metadata +++ b/.jss.metadata @@ -1 +1 @@ -4fea1d770e0882aa9c1c6c493bce9eb579b5c085 SOURCES/jss-4.6.2.tar.gz +c3c5fdc3003d78b26071d0c215067019ede3ad60 SOURCES/jss-4.7.3.tar.gz diff --git a/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch b/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch deleted file mode 100644 index 529b576..0000000 --- a/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Tue, 29 Oct 2019 10:43:56 -0400 -Subject: [PATCH] Fix NativeProxy reference tracker - -In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by -setting mPointer after trying to add NativeProxy to the registry. In -most instances this won't matter, however, if another instance exists in -the HashSet with the same hash value, the equals comparator will be -used, triggering a NPE. - -Signed-off-by: Alexander Scheel ---- - org/mozilla/jss/util/NativeProxy.java | 13 +++++-------- - 1 file changed, 5 insertions(+), 8 deletions(-) - -diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java -index 1c6d1aa5..a0811f76 100644 ---- a/org/mozilla/jss/util/NativeProxy.java -+++ b/org/mozilla/jss/util/NativeProxy.java -@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable - */ - public NativeProxy(byte[] pointer) { - assert(pointer!=null); -- registry.add(this); - mPointer = pointer; -+ registry.add(this); - - if (saveStacktraces) { - mTrace = Arrays.toString(Thread.currentThread().getStackTrace()); -@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable - if( ! (obj instanceof NativeProxy) ) { - return false; - } -- if( ((NativeProxy)obj).mPointer.length != mPointer.length) { -+ if (((NativeProxy)obj).mPointer == null) { -+ /* If mPointer is null, we have no way to compare the values -+ * of the pointers, so assume they're unequal. */ - return false; - } -- for(int i=0; i < mPointer.length; i++) { -- if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) { -- return false; -- } -- } -- return true; -+ return Arrays.equals(((NativeProxy)obj).mPointer, mPointer); - } - - /** --- -2.21.0 - diff --git a/SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch b/SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch deleted file mode 100644 index 04830df..0000000 --- a/SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Fri, 28 Feb 2020 14:10:32 -0500 -Subject: [PATCH 1/2] Fix swapped parameter names with PBE - -Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression -related to extracting the parameter classes during PBE operations: -previously, the classes of the underlying encryption algorithm were -iterated over, instead of the classes of the PBE class itself. However, -this commit iterated over the PBE parameter classes; no PBE algorithm -accepts a IvParameterSpec, resulting in a null parameter passed to the -later encryption or key wrap operation. This resulted in stack traces -like the following: - -Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter - at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225) - at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89) - at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57) - at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342) - -Resolves: rh-bz#1807371 - -Signed-off-by: Alexander Scheel ---- - org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +- - org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +- - org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++-- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java -index 084752c3..0344b14d 100644 ---- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java -+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java -@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value { - // generate IV - EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg(); - AlgorithmParameterSpec params=null; -- Class [] paramClasses = pbeAlg.getParameterClasses(); -+ Class [] paramClasses = encAlg.getParameterClasses(); - for (int i = 0; i < paramClasses.length; i ++) { - if ( paramClasses[i].equals( - javax.crypto.spec.IvParameterSpec.class ) ) { -diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java -index a4709070..d85eb0d3 100644 ---- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java -+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java -@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value { - // generate IV - EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg(); - AlgorithmParameterSpec params=null; -- Class [] paramClasses = pbeAlg.getParameterClasses(); -+ Class [] paramClasses = encAlg.getParameterClasses(); - for (int i = 0; i < paramClasses.length; i ++) { - if ( paramClasses[i].equals( IVParameterSpec.class ) ) { - params = new IVParameterSpec( kg.generatePBE_IV() ); -diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java -index b35714e3..ebd269f3 100644 ---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java -+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java -@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value { - // generate IV - EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg(); - AlgorithmParameterSpec params=null; -- Class [] paramClasses = pbeAlg.getParameterClasses(); -+ Class [] paramClasses = encAlg.getParameterClasses(); - for (int i = 0; i < paramClasses.length; i ++) { - if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) { - params = new IVParameterSpec( kg.generatePBE_IV() ); -@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value { - // generate IV - EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg(); - AlgorithmParameterSpec params=null; -- Class [] paramClasses = pbeAlg.getParameterClasses(); -+ Class [] paramClasses = encAlg.getParameterClasses(); - for (int i = 0; i < paramClasses.length; i ++) { - if ( paramClasses[i].equals( - javax.crypto.spec.IvParameterSpec.class ) ) { --- -2.24.1 - diff --git a/SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch b/SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch deleted file mode 100644 index 3f598a9..0000000 --- a/SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Fri, 28 Feb 2020 14:39:29 -0500 -Subject: [PATCH 2/2] Use specified algorithm for KeyWrap - -When the token-specified from of EncryptedPrivateKeyInfo.createPBE is -called, it would always request DES3_CBC_PAD as the key wrapping -algorithm, regardless of the input PBE key type. However, the other form -(with an implicit token) was correctly handling this case. - -Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER -instead of having to convert to/from a String form. - -Signed-off-by: Alexander Scheel ---- - org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++- - org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++-- - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java -index 3113f614..3a106977 100644 ---- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java -+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java -@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm { - - public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException { - OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID); -+ return fromOID(oid); -+ } - -+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException { - if (oid.equals(AES_KEY_WRAP_PAD_OID)) - return AES_KEY_WRAP_PAD; - -@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm { - if (oid.equals(DES_CBC_PAD_OID)) - return DES_CBC_PAD; - -- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID); -+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid); - } - } -diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java -index ebd269f3..abfc39a7 100644 ---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java -+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java -@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value { - } - } - -- KeyWrapper wrapper = token.getKeyWrapper( -- KeyWrapAlgorithm.DES3_CBC_PAD); -+ // wrap the key -+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID())); - wrapper.initWrap(key, params); - byte encrypted[] = wrapper.wrap(pri); - --- -2.24.1 - diff --git a/SOURCES/0004-Remove-token-key-checks.patch b/SOURCES/0004-Remove-token-key-checks.patch deleted file mode 100644 index 7353cce..0000000 --- a/SOURCES/0004-Remove-token-key-checks.patch +++ /dev/null @@ -1,112 +0,0 @@ -From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Tue, 17 Mar 2020 12:54:49 -0400 -Subject: [PATCH 1/2] Remove token key checks - -Previously we enforced strict token key matching: the primary key used -for the operation must strictly reside on the current PKCS#11 token, -otherwise JSS would bail. However, NSS has the ability to move the key -to whichever token best supports the given operation. This means that -we'd prematurely bail when the operation would succeed if it were -actually executed. By removing these checks, we still leave the ability -to generate keys on a specific token, we just allow them to be used on -whatever token supports the given operation (and the key is allowed to -be moved to). - -Signed-off-by: Alexander Scheel ---- - org/mozilla/jss/pkcs11/PK11Cipher.java | 4 ---- - org/mozilla/jss/pkcs11/PK11KeyWrapper.java | 22 ------------------- - org/mozilla/jss/pkcs11/PK11MessageDigest.java | 7 ------ - 3 files changed, 33 deletions(-) - -diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java -index 81b600a4..aac411a4 100644 ---- a/org/mozilla/jss/pkcs11/PK11Cipher.java -+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java -@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher { - if( key==null ) { - throw new InvalidKeyException("Key is null"); - } -- if( ! key.getOwningToken().equals(token) ) { -- throw new InvalidKeyException("Key does not reside on the "+ -- "current token"); -- } - if( ! (key instanceof PK11SymKey) ) { - throw new InvalidKeyException("Key is not a PKCS #11 key"); - } -diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java -index 28840a87..eee2984d 100644 ---- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java -+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java -@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper { - throw new InvalidKeyException("Key is null"); - } - try { -- if( ! key.getOwningToken().equals(token) ) { -- throw new InvalidKeyException("Key does not reside on the current token: key owning token="+ -- key.getOwningToken().getName()); -- } - if( ! (key instanceof PK11SymKey) ) { - throw new InvalidKeyException("Key is not a PKCS #11 key"); - } -@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper { - if( key==null ) { - throw new InvalidKeyException("Key is null"); - } -- if( ! key.getOwningToken().equals(token) ) { -- throw new InvalidKeyException("Key does not reside on the "+ -- "current token"); -- } - if( ! (key instanceof PK11PrivKey) ) { - throw new InvalidKeyException("Key is not a PKCS #11 key"); - } -@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper { - throw new InvalidKeyException("key to be wrapped is not a "+ - "PKCS #11 key"); - } --/* NSS is capable of moving keys appropriately, -- so this call is prematurely bailing -- if( ! symKey.getOwningToken().equals(token) ) { -- throw new InvalidKeyException("key to be wrapped does not live"+ -- " on the same token as the wrapping key"); -- } --*/ - } - - /** -@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper { - throw new InvalidKeyException("key to be wrapped is not a "+ - "PKCS #11 key"); - } --/* NSS is capable of moving keys appropriately, -- so this call is prematurely bailing -- if( ! privKey.getOwningToken().equals(token) ) { -- throw new InvalidKeyException("key to be wrapped does not live"+ -- " on the same token as the wrapping key"); -- } --*/ - } - - /** -diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java -index cd732788..7a1a6dad 100644 ---- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java -+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java -@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest { - } - - hmacKey = (PK11SymKey) key; -- -- if( ! key.getOwningToken().equals(token) ) { -- hmacKey = null; -- throw new InvalidKeyException( -- "HMAC key does not live on the same token as this digest"); -- } -- - this.digestProxy = initHMAC(token, alg, hmacKey); - } - --- -2.25.1 - diff --git a/SOURCES/0005-Fix-NativeProxy-release.patch b/SOURCES/0005-Fix-NativeProxy-release.patch deleted file mode 100644 index e279abd..0000000 --- a/SOURCES/0005-Fix-NativeProxy-release.patch +++ /dev/null @@ -1,147 +0,0 @@ -From e623f14abcee16b5dfc57d6956e0ab4bb526ba5b Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Wed, 8 Apr 2020 12:21:49 -0400 -Subject: [PATCH] Fix NativeProxy registry tracking - -When the switch was made to a HashSet-based registry in -eb5df01003d74b57473eacb84e538d31f5bb06ca, NativeProxy didn't override -hashCode(...). This resulted in calls to close() (and thus, finalize()) -not invoking the releaseNativeResources() function to release the -underlying memory. - -Signed-off-by: Alexander Scheel ---- - org/mozilla/jss/util/NativeProxy.java | 55 +++++++++++++++++++++------ - 1 file changed, 44 insertions(+), 11 deletions(-) - -diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java -index a0811f76..385c49f9 100644 ---- a/org/mozilla/jss/util/NativeProxy.java -+++ b/org/mozilla/jss/util/NativeProxy.java -@@ -9,8 +9,10 @@ import java.util.HashSet; - import java.lang.AutoCloseable; - import java.lang.Thread; - import java.util.Arrays; -+import java.util.concurrent.atomic.AtomicInteger; - - import org.mozilla.jss.CryptoManager; -+import org.mozilla.jss.netscape.security.util.Utils; - - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; -@@ -39,11 +41,13 @@ public abstract class NativeProxy implements AutoCloseable - * NativeProxy instance acts as a proxy for that native data structure. - */ - public NativeProxy(byte[] pointer) { -- assert(pointer!=null); -+ assert(pointer!=null); -+ - mPointer = pointer; -- registry.add(this); -+ mHashCode = registryIndex.getAndIncrement(); - - if (saveStacktraces) { -+ registry.add(this); - mTrace = Arrays.toString(Thread.currentThread().getStackTrace()); - } - } -@@ -55,18 +59,31 @@ public abstract class NativeProxy implements AutoCloseable - * a different underlying native pointer. - */ - public boolean equals(Object obj) { -- if(obj==null) { -+ if (obj == null) { - return false; - } -- if( ! (obj instanceof NativeProxy) ) { -+ if (!(obj instanceof NativeProxy)) { - return false; - } -- if (((NativeProxy)obj).mPointer == null) { -- /* If mPointer is null, we have no way to compare the values -- * of the pointers, so assume they're unequal. */ -+ NativeProxy nObj = (NativeProxy) obj; -+ if (this.mPointer == null || nObj.mPointer == null) { - return false; - } -- return Arrays.equals(((NativeProxy)obj).mPointer, mPointer); -+ -+ return Arrays.equals(this.mPointer, nObj.mPointer); -+ } -+ -+ /** -+ * Hash code based around mPointer value. -+ * -+ * Note that Object.hashCode() isn't sufficient as it tries to determine -+ * the Object's value based on all internal variables. Because we want a -+ * single static hashCode that is unique to each instance of nativeProxy, -+ * we construct it up front based on an incrementing counter and cache it -+ * throughout the lifetime of this object. -+ */ -+ public int hashCode() { -+ return mHashCode; - } - - /** -@@ -112,11 +129,11 @@ public abstract class NativeProxy implements AutoCloseable - */ - public final void close() throws Exception { - try { -- if (registry.remove(this)) { -+ if (mPointer != null) { - releaseNativeResources(); - } - } finally { -- mPointer = null; -+ clear(); - } - } - -@@ -131,13 +148,16 @@ public abstract class NativeProxy implements AutoCloseable - */ - public final void clear() { - this.mPointer = null; -- registry.remove(this); -+ if (saveStacktraces) { -+ registry.remove(this); -+ } - } - - /** - * Byte array containing native pointer bytes. - */ - private byte mPointer[]; -+ private int mHashCode; - - /** - * String containing backtrace of pointer generation. -@@ -158,6 +178,15 @@ public abstract class NativeProxy implements AutoCloseable - * releaseNativeResources() gets called. - */ - static HashSet registry = new HashSet(); -+ static AtomicInteger registryIndex = new AtomicInteger(); -+ -+ public String toString() { -+ if (mPointer == null) { -+ return this.getClass().getName() + "[" + mHashCode + "@null]"; -+ } -+ -+ return this.getClass().getName() + "[" + mHashCode + "@" + Utils.HexEncode(mPointer) + "]"; -+ } - - /** - * Internal helper to check whether or not assertions are enabled in the -@@ -178,6 +207,10 @@ public abstract class NativeProxy implements AutoCloseable - * is thrown. - */ - public synchronized static void assertRegistryEmpty() { -+ if (!saveStacktraces) { -+ return; -+ } -+ - if (!registry.isEmpty()) { - logger.warn(registry.size() + " NativeProxys are still registered."); - --- -2.25.2 - diff --git a/SOURCES/0006-Fix-SSLSocket-closure.patch b/SOURCES/0006-Fix-SSLSocket-closure.patch deleted file mode 100644 index f7a401c..0000000 --- a/SOURCES/0006-Fix-SSLSocket-closure.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 278ff534e0a30cb112e8c29de573bf45b4264ad2 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Wed, 15 Apr 2020 08:20:37 -0400 -Subject: [PATCH] Fix SSLSocket closure - -Signed-off-by: Alexander Scheel ---- - org/mozilla/jss/ssl/SocketBase.java | 14 +++++++++++- - org/mozilla/jss/ssl/common.c | 34 +++++++++++++++++++---------- - 2 files changed, 36 insertions(+), 12 deletions(-) - -diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java -index 2c835913..27109369 100644 ---- a/org/mozilla/jss/ssl/SocketBase.java -+++ b/org/mozilla/jss/ssl/SocketBase.java -@@ -106,7 +106,19 @@ class SocketBase { - static final int SSL_AF_INET6 = 51; - - void close() throws IOException { -- socketClose(); -+ try { -+ if (sockProxy != null) { -+ socketClose(); -+ sockProxy.close(); -+ } -+ } catch (Exception e) { -+ String msg = "Unexpected exception while trying to finalize "; -+ msg += "SocketProxy: " + e.getMessage(); -+ -+ throw new IOException(msg, e); -+ } finally { -+ sockProxy = null; -+ } - } - - // SSLServerSocket and SSLSocket close methods -diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c -index 2db9fda1..2c52a9d6 100644 ---- a/org/mozilla/jss/ssl/common.c -+++ b/org/mozilla/jss/ssl/common.c -@@ -333,21 +333,28 @@ JNIEXPORT void JNICALL - Java_org_mozilla_jss_ssl_SocketProxy_releaseNativeResources - (JNIEnv *env, jobject this) - { -- /* SSLSocket.close and SSLServerSocket.close call */ -- /* SocketBase.close to destroy all native Resources */ -- /* attached to the socket. There is no native resource */ -- /* to release after close has been called. This method */ -- /* remains because SocketProxy extends org.mozilla.jss.util.NativeProxy*/ -- /* which defines releaseNativeResources as abstract and */ -- /* therefore must be implemented by SocketProxy */ -+ JSSL_SocketData *sockdata; -+ -+ PR_ASSERT(env != NULL && this != NULL); -+ -+ if (JSS_getPtrFromProxy(env, this, (void**)&sockdata) != PR_SUCCESS) { -+ return; -+ } -+ -+ JSSL_DestroySocketData(env, sockdata); - } - - void - JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd) - { -- PR_ASSERT(sd != NULL); -+ if (sd == NULL) { -+ return; -+ } - -- PR_Close(sd->fd); -+ if (sd->fd != NULL) { -+ PR_Close(sd->fd); -+ sd->fd = NULL; -+ } - - if( sd->socketObject != NULL ) { - DELETE_WEAK_GLOBAL_REF(env, sd->socketObject ); -@@ -367,6 +374,8 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd) - if( sd->lock != NULL ) { - PR_DestroyLock(sd->lock); - } -+ -+ memset(sd, 0, sizeof(JSSL_SocketData)); - PR_Free(sd); - } - -@@ -540,12 +549,15 @@ Java_org_mozilla_jss_ssl_SocketBase_socketClose(JNIEnv *env, jobject self) - JSSL_SocketData *sock = NULL; - - /* get the FD */ -- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) { -+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS || sock == NULL) { - /* exception was thrown */ - return; - } - -- JSSL_DestroySocketData(env, sock); -+ if (sock->fd != NULL) { -+ PR_Close(sock->fd); -+ sock->fd = NULL; -+ } - } - - JNIEXPORT void JNICALL --- -2.25.2 - diff --git a/SPECS/jss.spec b/SPECS/jss.spec index 172f73e..8b3f9c6 100644 --- a/SPECS/jss.spec +++ b/SPECS/jss.spec @@ -6,9 +6,9 @@ Summary: Java Security Services (JSS) URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ -Version: 4.6.2 -Release: 6%{?_timestamp}%{?_commit_id}%{?dist} -# global _phase -a1 +Version: 4.7.3 +Release: 1%{?_timestamp}%{?_commit_id}%{?dist} +#global _phase -a1 # To generate the source tarball: # $ git clone https://github.com/dogtagpki/jss.git @@ -25,12 +25,6 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas # \ # > jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch -Patch0: 0001-Fix-NativeProxy-reference-tracker.patch -Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch -Patch3: 0003-Use-specified-algorithm-for-KeyWrap.patch -Patch4: 0004-Remove-token-key-checks.patch -Patch5: 0005-Fix-NativeProxy-release.patch -Patch6: 0006-Fix-SSLSocket-closure.patch ################################################################################ # Build Dependencies @@ -40,11 +34,13 @@ Patch6: 0006-Fix-SSLSocket-closure.patch BuildRequires: git BuildRequires: make BuildRequires: cmake +BuildRequires: zip +BuildRequires: unzip BuildRequires: gcc-c++ BuildRequires: nspr-devel >= 4.13.1 -BuildRequires: nss-devel >= 3.30 -BuildRequires: nss-tools >= 3.30 +BuildRequires: nss-devel >= 3.44 +BuildRequires: nss-tools >= 3.44 BuildRequires: java-devel BuildRequires: jpackage-utils BuildRequires: slf4j @@ -55,11 +51,10 @@ BuildRequires: glassfish-jaxb-api BuildRequires: slf4j-jdk14 %endif BuildRequires: apache-commons-lang -BuildRequires: apache-commons-codec BuildRequires: junit -Requires: nss >= 3.30 +Requires: nss >= 3.44 Requires: java-headless Requires: jpackage-utils Requires: slf4j @@ -70,7 +65,6 @@ Requires: glassfish-jaxb-api Requires: slf4j-jdk14 %endif Requires: apache-commons-lang -Requires: apache-commons-codec Conflicts: ldapjdk < 4.20 Conflicts: idm-console-framework < 1.2 @@ -114,15 +108,28 @@ export CFLAGS # Check if we're in FIPS mode modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1 +# RHEL's CMake doesn't support -B flag. +%if 0%{?rhel} +%{__mkdir_p} %{_vpath_builddir} +cd %{_vpath_builddir} +%endif + # The Makefile is not thread-safe -rm -rf build && mkdir -p build && cd build %cmake \ -DJAVA_HOME=%{java_home} \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ +%if 0%{?rhel} .. +%else + -B %{_vpath_builddir} +%endif + +%if 0%{?fedora} +cd %{_vpath_builddir} +%endif %{__make} all -%{__make} javadoc || true +%{__make} javadoc ctest --output-on-failure ################################################################################ @@ -132,19 +139,19 @@ ctest --output-on-failure # jars install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir} -install -m 644 build/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar +install -m 644 %{_vpath_builddir}/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar # We have to use the name libjss4.so because this is dynamically # loaded by the jar file. install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss -install -m 0755 build/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/ +install -m 0755 %{_vpath_builddir}/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/ pushd ${RPM_BUILD_ROOT}%{_libdir}/jss ln -fs %{_jnidir}/jss4.jar jss4.jar popd # javadoc install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} -cp -rp build/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} +cp -rp %{_vpath_builddir}/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} @@ -153,7 +160,8 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} %files %defattr(-,root,root,-) -%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt +%doc jss.html +%license MPL-1.1.txt gpl.txt lgpl.txt %{_libdir}/* %{_jnidir}/* @@ -165,14 +173,29 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog -* Wed Apr 15 2020 Red Hat PKI Team 4.6.2-6 -- NativeProxy never calls releaseNativeResources - Memory Leak - Additional patch to fix SSLSocket resource freeing - Bugzilla #1822402 - -* Tue Apr 14 2020 Red Hat PKI Team 4.6.2-5 -- NativeProxy never calls releaseNativeResources - Memory Leak - Bugzilla #1822402 +* Fri Sep 11 2020 Red Hat PKI Team 4.7.3-1 +- Rebase to upstream stable release JSS v4.7.3 +- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add + +* Thu Aug 06 2020 Red Hat PKI Team 4.7.2-1 +- Rebase to upstream stable release JSS v4.7.2 +- Red Hat Bugzilla #1822246 - Fix SSLSocket NULL pointer deference after close + +* Fri Jul 31 2020 Red Hat PKI Team 4.7.1-1 +- Rebase to upstream stable release JSS v4.7.1 + +* Thu Jul 09 2020 Red Hat PKI Team 4.7.0-1 +- Rebase to upstream stable release JSS v4.7.0 +- Fixed TestSSLEngine + +* Thu Jun 25 2020 Red Hat PKI Team 4.7.0-0.4 +- Rebased to JSS 4.7.0-b4 + +* Mon Jun 22 2020 Red Hat PKI Team 4.7.0-0.3 +- Rebased to JSS 4.7.0-b3 + +* Tue May 26 2020 Red Hat PKI Team 4.7.0-0.1 +- Rebased to JSS 4.7.0-b1 * Mon Mar 23 2020 Red Hat PKI Team 4.6.2-4 - Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing