File debian-patches-aggregate.patch of Package jss
diff -ur jss-4.3.2.orig/mozilla/security/jss/lib/jss.def jss-4.3.2/mozilla/security/jss/lib/jss.def --- jss-4.3.2.orig/mozilla/security/jss/lib/jss.def 2009-09-25 17:38:04.000000000 +0100 +++ jss-4.3.2/mozilla/security/jss/lib/jss.def 2013-09-08 21:09:13.039701900 +0100 @@ -175,6 +175,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_forceHandshake; Java_org_mozilla_jss_ssl_SSLSocket_getKeepAlive; Java_org_mozilla_jss_ssl_SSLSocket_getLocalAddressNative; +Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative; Java_org_mozilla_jss_ssl_SSLSocket_getPort; Java_org_mozilla_jss_ssl_SSLSocket_getReceiveBufferSize; Java_org_mozilla_jss_ssl_SSLSocket_getSendBufferSize; @@ -199,6 +200,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_socketWrite; Java_org_mozilla_jss_ssl_SocketBase_getLocalPortNative; Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative; +Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative; Java_org_mozilla_jss_ssl_SocketBase_setClientCertNicknameNative; Java_org_mozilla_jss_ssl_SocketBase_requestClientAuthNoExpiryCheckNative; Java_org_mozilla_jss_ssl_SocketBase_setSSLOption; @@ -326,6 +328,10 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags; Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags; Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags; +Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; +Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; +Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; +Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; ;+ local: ;+ *; ;+}; diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c jss-4.3.2/mozilla/security/jss/org/mozilla/jss/CryptoManager.c --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2008-05-22 05:28:09.000000000 +0100 +++ jss-4.3.2/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2013-09-08 21:08:17.729914864 +0100 
@@ -985,3 +985,45 @@ } } + +/********************************************************************** +* OCSPCacheSettingsNative +* +* Allows configuration of the OCSP responder cache during runtime. +*/ +JNIEXPORT void JNICALL +Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative( + JNIEnv *env, jobject this, + jint ocsp_cache_size, + jint ocsp_min_cache_entry_duration, + jint ocsp_max_cache_entry_duration) +{ + SECStatus rv = SECFailure; + + rv = CERT_OCSPCacheSettings( + ocsp_cache_size, ocsp_min_cache_entry_duration, + ocsp_max_cache_entry_duration); + + if (rv != SECSuccess) { + JSS_throwMsgPrErr(env, + GENERAL_SECURITY_EXCEPTION, + "Failed to set OCSP cache: error "+ PORT_GetError()); + } +} + +JNIEXPORT void JNICALL +Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative( + JNIEnv *env, jobject this, + jint ocsp_timeout ) +{ + SECStatus rv = SECFailure; + + rv = CERT_SetOCSPTimeout(ocsp_timeout); + + if (rv != SECSuccess) { + JSS_throwMsgPrErr(env, + GENERAL_SECURITY_EXCEPTION, + "Failed to set OCSP timeout: error "+ PORT_GetError()); + } +} + diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java jss-4.3.2/mozilla/security/jss/org/mozilla/jss/CryptoManager.java --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-03-02 02:55:23.000000000 +0000 +++ jss-4.3.2/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2013-09-08 21:09:17.913683107 +0100 @@ -61,6 +61,7 @@ public final class CryptoManager implements TokenSupplier { /** + * note: this is obsolete in NSS * CertUsage options for validation */ public final static class CertUsage { 
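Review bot: Both new error paths in CryptoManager.c build their message as `"Failed to set OCSP cache: error "+ PORT_GetError()` (and the same for the timeout), which in C is pointer arithmetic on the string literal, not concatenation. JSS_throwMsgPrErr is therefore handed a pointer offset by the error code, which is undefined behaviour and a likely out-of-bounds read exactly when the NSS call fails. Pass the literal on its own, e.g. `"Failed to set OCSP cache"`; JSS_throwMsgPrErr presumably reports the NSPR error itself, which should be confirmed against its definition. `setOCSPTimeoutNative` also lacks the header comment that the function above it has.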
@@ -103,6 +104,76 @@ public static final CertUsage AnyCA = new CertUsage(11, "AnyCA"); } + /** + * CertificateUsage options for validation + */ + public final static class CertificateUsage { + private int usage; + private String name; + + // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h + private static final int certificateUsageCheckAllUsages = 0x0000; + private static final int certificateUsageSSLClient = 0x0001; + private static final int certificateUsageSSLServer = 0x0002; + private static final int certificateUsageSSLServerWithStepUp = 0x0004; + private static final int certificateUsageSSLCA = 0x0008; + private static final int certificateUsageEmailSigner = 0x0010; + private static final int certificateUsageEmailRecipient = 0x0020; + private static final int certificateUsageObjectSigner = 0x0040; + private static final int certificateUsageUserCertImport = 0x0080; + private static final int certificateUsageVerifyCA = 0x0100; + private static final int certificateUsageProtectedObjectSigner = 0x0200; + private static final int certificateUsageStatusResponder = 0x0400; + private static final int certificateUsageAnyCA = 0x0800; + + static private ArrayList list = new ArrayList(); + private CertificateUsage() {}; + private CertificateUsage(int usage, String name) { + this.usage = usage; + this.name = name; + this.list.add(this); + + } + public int getUsage() { + return usage; + } + + static public Iterator getCertificateUsages() { + return list.iterator(); + + } + public String toString() { + return name; + } + + public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages"); + public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient"); + public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer"); + public static final CertificateUsage SSLServerWithStepUp = new 
CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp"); + public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA"); + public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner"); + public static final CertificateUsage EmailRecipient = new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient"); + public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner"); + public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport"); + public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA"); + public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner"); + public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder"); + public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA"); + + /* + The folllowing usages cannot be verified: + certUsageAnyCA + certUsageProtectedObjectSigner + certUsageUserCertImport + certUsageVerifyCA + */ + public static final int basicCertificateUsages = /*0x0b80;*/ + certificateUsageUserCertImport | + certificateUsageVerifyCA | + certificateUsageProtectedObjectSigner | + certificateUsageAnyCA ; + } + public final static class NotInitializedException extends Exception {} public final static class NicknameConflictException extends Exception {} public final static class UserCertConflictException extends Exception {} 
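Review bot: In the new `CertificateUsage` class, `getCertificateUsages()` returns an iterator over the private mutable `list`, so any caller can change the registry through `remove()`; returning `Collections.unmodifiableList(list).iterator()` avoids that. `basicCertificateUsages` reads like a baseline but is the mask of usages that cannot be verified, so a name such as `unverifiableCertificateUsages` plus a Javadoc comment would make the contract clear. `usage` and `name` can be `final`, and `this.list.add(this)` should be `list.add(this)` since `list` is static. The block comment misspells "following" and lists `certUsage*` names where the constants are `certificateUsage*`.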
@@ -1499,6 +1570,80 @@ * against Now. * @param nickname The nickname of the certificate to verify. * @param checkSig verify the signature of the certificate + * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage + * + * @exception InvalidNicknameException If the nickname is null + * @exception ObjectNotFoundException If no certificate could be found + * with the given nickname. + */ + public int isCertValid(String nickname, boolean checkSig) + throws ObjectNotFoundException, InvalidNicknameException + { + if (nickname==null) { + throw new InvalidNicknameException("Nickname must be non-null"); + } + int currCertificateUsage = 0x0000; // initialize it to 0 + currCertificateUsage = verifyCertificateNowCUNative(nickname, + checkSig); + return currCertificateUsage; + } + + private native int verifyCertificateNowCUNative(String nickname, + boolean checkSig) throws ObjectNotFoundException; + + ///////////////////////////////////////////////////////////// + // isCertValid + ///////////////////////////////////////////////////////////// + /** + * Verify a certificate that exists in the given cert database, + * check if is valid and that we trust the issuer. Verify time + * against Now. + * @param nickname The nickname of the certificate to verify. + * @param checkSig verify the signature of the certificate + * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above + * @return true for success; false otherwise + * + * @exception InvalidNicknameException If the nickname is null + * @exception ObjectNotFoundException If no certificate could be found + * with the given nickname. 
+ */ + public boolean isCertValid(String nickname, boolean checkSig, + CertificateUsage certificateUsage) + throws ObjectNotFoundException, InvalidNicknameException + { + if (nickname==null) { + throw new InvalidNicknameException("Nickname must be non-null"); + } + // 0 certificate usage will get current usage + // should call isCertValid() call above that returns certificate usage + if ((certificateUsage == null) || + (certificateUsage == CertificateUsage.CheckAllUsages)){ + int currCertificateUsage = 0x0000; + currCertificateUsage = verifyCertificateNowCUNative(nickname, + checkSig); + + if (currCertificateUsage == CertificateUsage.basicCertificateUsages){ + // cert is good for nothing + return false; + } else + return true; + } else { + return verifyCertificateNowNative(nickname, checkSig, + certificateUsage.getUsage()); + } + } + + private native boolean verifyCertificateNowNative(String nickname, + boolean checkSig, int certificateUsage) throws ObjectNotFoundException; + + /** + * note: this method calls obsolete function in NSS + * + * Verify a certificate that exists in the given cert database, + * check if is valid and that we trust the issuer. Verify time + * against Now. + * @param nickname The nickname of the certificate to verify. + * @param checkSig verify the signature of the certificate * @param certUsage see exposed certUsage defines to verify Certificate * @return true for success; false otherwise * @@ -1517,6 +1662,9 @@ return verifyCertNowNative(nickname, checkSig, certUsage.getUsage()); } + /* + * Obsolete in NSS + */ private native boolean verifyCertNowNative(String nickname, boolean checkSig, int cUsage) throws ObjectNotFoundException; 
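Review bot: The three-argument `isCertValid` fails open when `certificateUsage` is null or `CheckAllUsages`: it returns true for every value of `currCertificateUsage` other than `basicCertificateUsages`, and the native `verifyCertificateNowCUNative` in this patch discards the verification status ("rv is ignored"). If NSS reports failure and leaves the usage bitmap at another value (the native wrapper initialises it to 0), the certificate is reported as valid. The decision should come from the native status, for example by routing this branch through `verifyCertificateNowNative(nickname, checkSig, CertificateUsage.CheckAllUsages.getUsage())`, which already maps success and failure to a boolean and applies the good-for-nothing check in C. The two-argument overload should document that a returned bitmap does not by itself mean verification succeeded.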
@@ -1583,4 +1731,41 @@ String ocspResponderCertNickname ) throws GeneralSecurityException; + /** + * change OCSP cache settings + * * @param ocsp_cache_size max cache entries + * * @param ocsp_min_cache_entry_duration minimum seconds to next fetch attempt + * * @param ocsp_max_cache_entry_duration maximum seconds to next fetch attempt + */ + public void OCSPCacheSettings( + int ocsp_cache_size, + int ocsp_min_cache_entry_duration, + int ocsp_max_cache_entry_duration) + throws GeneralSecurityException + { + OCSPCacheSettingsNative(ocsp_cache_size, + ocsp_min_cache_entry_duration, + ocsp_max_cache_entry_duration); + } + + private native void OCSPCacheSettingsNative( + int ocsp_cache_size, + int ocsp_min_cache_entry_duration, + int ocsp_max_cache_entry_duration) + throws GeneralSecurityException; + + /** + * set OCSP timeout value + * * @param ocspTimeout OCSP timeout in seconds + */ + public void setOCSPTimeout( + int ocsp_timeout ) + throws GeneralSecurityException + { + setOCSPTimeoutNative( ocsp_timeout); + } + + private native void setOCSPTimeoutNative( + int ocsp_timeout ) + throws GeneralSecurityException; } Only in jss-4.3.2/mozilla/security/jss/org/mozilla/jss: CryptoManager.java.orig diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c jss-4.3.2/mozilla/security/jss/org/mozilla/jss/PK11Finder.c --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2009-07-14 23:30:56.000000000 +0100 +++ jss-4.3.2/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2013-09-08 21:09:23.219662644 +0100 
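Review bot: The Javadoc on `OCSPCacheSettings` and `setOCSPTimeout` writes its tags as `* * @param`, which Javadoc will not treat as block tags, and the timeout tag names `ocspTimeout` while the parameter is `ocsp_timeout`. Neither method documents the `GeneralSecurityException` it declares or the accepted range of the values, which go to the native layer unchecked. I would fix the tags (`* @param ocsp_timeout OCSP timeout in seconds`), add `@throws GeneralSecurityException`, and state whether zero or negative values have a special meaning in NSS.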
@@ -1574,9 +1574,116 @@ } } + /*********************************************************************** - * CryptoManager.verifyCertNowNative + * CryptoManager.verifyCertificateNow + */ +SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, + jboolean checkSig, jint required_certificateUsage, + SECCertificateUsage *currUsage) +{ + SECStatus rv = SECFailure; + SECCertificateUsage certificateUsage; + CERTCertificate *cert=NULL; + char *nickname=NULL; + + nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL); + if( nickname == NULL ) { + goto finish; + } + + certificateUsage = required_certificateUsage; + + cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); + + if (cert == NULL) { + JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); + goto finish; + } else { + /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will + * retrieve the current valid usage into currUsage + */ + rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, + checkSig, certificateUsage, NULL, currUsage ); + if ((rv == SECSuccess) && certificateUsage == 0x0000) { + if (*currUsage == + ( certUsageUserCertImport | + certUsageVerifyCA | + certUsageProtectedObjectSigner | + certUsageAnyCA )) { + + /* the cert is good for nothing + The folllowing usages cannot be verified: + certUsageAnyCA + certUsageProtectedObjectSigner + certUsageUserCertImport + certUsageVerifyCA + (0x0b80) */ + rv =SECFailure; + } + } + } + +finish: + if(nickname != NULL) { + (*env)->ReleaseStringUTFChars(env, nickString, nickname); + } + if(cert != NULL) { + CERT_DestroyCertificate(cert); + } + + return rv; +} + +/*********************************************************************** + * CryptoManager.verifyCertificateNowCUNative * + * Returns jint which contains bits in SECCertificateUsage that reflects + * the cert usage(s) that the cert is good for + * if the cert is good for nothing, returned value is + * (0x0b80): + * certUsageUserCertImport | + * 
certUsageVerifyCA | + * certUsageProtectedObjectSigner | + * certUsageAnyCA + */ +JNIEXPORT jint JNICALL +Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env, + jobject self, jstring nickString, jboolean checkSig) +{ + SECStatus rv = SECFailure; + SECCertificateUsage currUsage = 0x0000; + + rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); + /* rv is ignored */ + + return currUsage; +} + +/*********************************************************************** + * CryptoManager.verifyCertificateNowNative + * + * Returns JNI_TRUE if success, JNI_FALSE otherwise + */ +JNIEXPORT jboolean JNICALL +Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, + jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) +{ + SECStatus rv = SECFailure; + SECCertificateUsage currUsage = 0x0000; + + rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage); + + if( rv == SECSuccess) { + return JNI_TRUE; + } else { + return JNI_FALSE; + } +} + +/*********************************************************************** + * CryptoManager.verifyCertNowNative + * note: this calls obsolete NSS function * Returns JNI_TRUE if success, JNI_FALSE otherwise */ JNIEXPORT jboolean JNICALL diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/common.c jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/common.c --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2010-03-01 21:57:01.000000000 +0000 +++ jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2013-09-08 21:07:41.270054939 +0100 @@ -33,7 +33,6 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ - #include <nspr.h> #include <jni.h> #include <pk11func.h> @@ -51,6 +50,9 @@ #include <winsock.h> #endif +#define SSL_AF_INET 50 +#define SSL_AF_INET6 51 + void JSSL_throwSSLSocketException(JNIEnv *env, char *message) { 
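Review bot: In `verifyCertificateNow` the "good for nothing" comparison ORs `certUsageUserCertImport | certUsageVerifyCA | certUsageProtectedObjectSigner | certUsageAnyCA`, while the comment beside it and the Java constants expect the bitmask 0x0b80. If those identifiers are the `SECCertUsage` enumerators (small ordinals) rather than the `certificateUsage*` bit flags, the OR yields a different value. The check would then never match 0x0b80 and could reject a certificate whose usage bits happen to equal that other value. Use the `certificateUsage*` flag names, which match the `SECCertificateUsage` type of `*currUsage`. Separately, `verifyCertificateNowCUNative` drops `rv`, so its caller cannot tell a failed verification from a successful one; the status should be surfaced, for instance by throwing on failure.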
@@ -142,7 +144,7 @@ JNIEXPORT jbyteArray JNICALL Java_org_mozilla_jss_ssl_SocketBase_socketCreate(JNIEnv *env, jobject self, jobject sockObj, jobject certApprovalCallback, - jobject clientCertSelectionCallback, jobject javaSock, jstring host) + jobject clientCertSelectionCallback, jobject javaSock, jstring host,jint family) { jbyteArray sdArray = NULL; JSSL_SocketData *sockdata = NULL; @@ -150,10 +152,21 @@ PRFileDesc *newFD; PRFileDesc *tmpFD; PRFilePrivate *priv = NULL; + int socketFamily = 0; + + if (family != SSL_AF_INET6 && family != SSL_AF_INET) { + JSSL_throwSSLSocketException(env, + "socketCreate() Invalid family!"); + goto finish; + } + if( family == SSL_AF_INET) + socketFamily = PR_AF_INET; + else + socketFamily = PR_AF_INET6; if( javaSock == NULL ) { /* create a TCP socket */ - newFD = PR_NewTCPSocket(); + newFD = PR_OpenTCPSocket(socketFamily); if( newFD == NULL ) { JSSL_throwSSLSocketException(env, "PR_NewTCPSocket() returned NULL"); @@ -411,8 +424,13 @@ JSSL_SocketData *sock; PRNetAddr addr; jbyte *addrBAelems = NULL; + int addrBALen = 0; PRStatus status; + jmethodID supportsIPV6ID; + jclass socketBaseClass; + jboolean supportsIPV6 = 0; + if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) { /* exception was thrown */ goto finish; 
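Review bot: In the second hunk the failure message still says `"PR_NewTCPSocket() returned NULL"` although the call is now `PR_OpenTCPSocket(socketFamily)`, which will mislead anyone debugging a failed IPv6 socket; it should read `"PR_OpenTCPSocket() returned NULL"`. The family check also runs when `javaSock` is non-NULL, where `socketFamily` is not used in the lines shown, so a one-line comment saying that would help. The new `if`/`else` mapping `family` to `socketFamily` is unbraced, unlike the code around it. The function body continues outside the hunk.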
@@ -421,19 +439,72 @@ /* * setup the PRNetAddr structure */ - addr.inet.family = AF_INET; - addr.inet.port = htons(port); + + /* + * Do we support IPV6? + */ + + socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME); + if( socketBaseClass == NULL ) { + ASSERT_OUTOFMEM(env); + goto finish; + } + supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass, + SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG); + + if( supportsIPV6ID == NULL ) { + ASSERT_OUTOFMEM(env); + goto finish; + } + + supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass, + supportsIPV6ID); + + memset( &addr, 0, sizeof( PRNetAddr )); + if( addrBA != NULL ) { - PR_ASSERT(sizeof(addr.inet.ip) == 4); - PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4); addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL); + addrBALen = (*env)->GetArrayLength(env, addrBA); + if( addrBAelems == NULL ) { ASSERT_OUTOFMEM(env); goto finish; } - memcpy(&addr.inet.ip, addrBAelems, 4); + + if(addrBALen != 4 && addrBALen != 16) { + JSS_throwMsgPrErr(env, BIND_EXCEPTION, + "Invalid address in bind!"); + goto finish; + } + + if( addrBALen == 4) { + addr.inet.family = PR_AF_INET; + addr.inet.port = PR_htons(port); + memcpy(&addr.inet.ip, addrBAelems, 4); + + if(supportsIPV6) { + addr.inet.family = PR_AF_INET6; + addr.ipv6.port = PR_htons(port); + PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip); + } + + } else { /* Must be 16 and ipv6 */ + if(supportsIPV6) { + addr.ipv6.family = PR_AF_INET6; + addr.ipv6.port = PR_htons(port); + memcpy(&addr.ipv6.ip,addrBAelems, 16); + } else { + JSS_throwMsgPrErr(env, BIND_EXCEPTION, + "Invalid address in bind!"); + goto finish; + } + } } else { - addr.inet.ip = PR_htonl(INADDR_ANY); + if(supportsIPV6) { + status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr); + } else { + status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET, port, &addr); + } } /* do the bind() call */ 
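Review bot: In the IPv4-with-IPv6 branch of the bind path, the address is copied into `addr.inet.ip` and then converted into `addr.ipv6.ip` of the same union. `inet.ip` likely overlays `ipv6.flowinfo` in PRNetAddr, so the raw IPv4 bytes would stay in the flow-info field handed to bind; this should be confirmed against the NSPR layout. Converting from a local avoids the aliasing: `PRUint32 v4; memcpy(&v4, addrBAelems, 4);` and then `PR_ConvertIPv4AddrToIPv6(v4, &addr.ipv6.ip);` without ever writing `addr.inet.ip`. The connect path in SSLSocket.c repeats the same sequence and shows no `memset` of `addr` in its hunks. The `status` assigned from `PR_SetNetAddr` is not checked in the lines shown, and `CallStaticBooleanMethod` is not followed by a pending-exception check.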
@@ -607,6 +678,78 @@ return status; } +JNIEXPORT jbyteArray JNICALL +Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative + (JNIEnv *env, jobject self) +{ + jbyteArray byteArray=NULL; + PRNetAddr addr; + jbyte *address=NULL; + int size=4; + + if( JSSL_getSockAddr(env, self, &addr, PEER_SOCK) != PR_SUCCESS) { + goto finish; + } + + if( PR_NetAddrFamily(&addr) == PR_AF_INET6) { + size = 16; + address = (jbyte *) &addr.ipv6.ip; + } else { + address = (jbyte *) &addr.inet.ip; + } + + byteArray = (*env)->NewByteArray(env,size); + if(byteArray == NULL) { + ASSERT_OUTOFMEM(env); + goto finish; + } + (*env)->SetByteArrayRegion(env, byteArray, 0,size ,address); + if( (*env)->ExceptionOccurred(env) != NULL) { + PR_ASSERT(PR_FALSE); + goto finish; + } + +finish: + return byteArray; +} + +JNIEXPORT jbyteArray JNICALL +Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative + (JNIEnv *env, jobject self) +{ + jbyteArray byteArray=NULL; + PRNetAddr addr; + jbyte *address=NULL; + int size=4; + + if( JSSL_getSockAddr(env, self, &addr, LOCAL_SOCK) != PR_SUCCESS) { + goto finish; + } + + if( PR_NetAddrFamily(&addr) == PR_AF_INET6) { + size = 16; + address = (jbyte *) &addr.ipv6.ip; + } else { + address = (jbyte *) &addr.inet.ip; + } + + byteArray = (*env)->NewByteArray(env,size); + if(byteArray == NULL) { + ASSERT_OUTOFMEM(env); + goto finish; + } + (*env)->SetByteArrayRegion(env, byteArray, 0,size,address); + if( (*env)->ExceptionOccurred(env) != NULL) { + PR_ASSERT(PR_FALSE); + goto finish; + } + +finish: + return byteArray; +} + +/* Leave the original versions of these functions for compatibility */ + JNIEXPORT jint JNICALL Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative (JNIEnv *env, jobject self) diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2007-04-24 19:34:58.000000000 +0100 +++ 
jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2013-09-08 21:07:41.270054939 +0100 @@ -290,6 +290,7 @@ jobject inetAddress; jbyteArray addrByteArray; jint port; + int addrBALen = 0; if( GET_ENV(fd->secret->javaVM, env) ) goto finish; @@ -377,8 +378,9 @@ memset(addr, 0, sizeof(PRNetAddr)); - /* we only handle IPV4 */ - PR_ASSERT( (*env)->GetArrayLength(env, addrByteArray) == 4 ); + addrBALen = (*env)->GetArrayLength(env, addrByteArray); + + PR_ASSERT( (addrBALen == 4) || (addrBALen == 16 ) ); /* make sure you release them later */ addrBytes = (*env)->GetByteArrayElements(env, addrByteArray, NULL); @@ -388,9 +390,16 @@ } /* ip field is in network byte order */ - memcpy( (void*) &addr->inet.ip, addrBytes, 4); - addr->inet.family = PR_AF_INET; - addr->inet.port = port; + + if (addrBALen == 4) { + memcpy( (void*) &addr->inet.ip, addrBytes, 4); + addr->inet.family = PR_AF_INET; + addr->inet.port = port; + } else { + memcpy( (void*) &addr->ipv6.ip,addrBytes, 16); + addr->inet.family = PR_AF_INET6; + addr->inet.port = port; + } (*env)->ReleaseByteArrayElements(env, addrByteArray, addrBytes, JNI_ABORT); diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2010-03-01 21:57:01.000000000 +0000 +++ jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2013-09-08 21:07:41.269054942 +0100 
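Review bot: In javasock.c the length check on `addrByteArray` is only a `PR_ASSERT`, which is compiled out of optimized builds, and the `else` branch in the following hunk copies 16 bytes for any length other than 4. An array of another length would then make `memcpy` read past the end of `addrBytes`. Make the second branch explicit, `} else if (addrBALen == 16) {`, and add a final `else` that releases the elements and fails the call. The IPv6 branch also sets `addr->inet.family` and `addr->inet.port` rather than the `ipv6` members, which presumably works only because the fields overlap; `addr->ipv6.*` would state the intent. The enclosing function starts and ends outside these hunks.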
@@ -70,16 +70,16 @@ native byte[] socketCreate(Object socketObject, SSLCertificateApprovalCallback certApprovalCallback, SSLClientCertificateSelectionCallback clientCertSelectionCallback, - java.net.Socket javaSock, String host) + java.net.Socket javaSock, String host,int family) throws SocketException; byte[] socketCreate(Object socketObject, SSLCertificateApprovalCallback certApprovalCallback, - SSLClientCertificateSelectionCallback clientCertSelectionCallback) + SSLClientCertificateSelectionCallback clientCertSelectionCallback,int family) throws SocketException { return socketCreate(socketObject, certApprovalCallback, - clientCertSelectionCallback, null, null); + clientCertSelectionCallback, null, null,family); } native void socketBind(byte[] addrBA, int port) throws SocketException; @@ -122,6 +122,10 @@ static final int SSL_RENEGOTIATE_TRANSITIONAL = 27; static final int SSL_REQUIRE_SAFE_NEGOTIATION = 28; + + static final int SSL_AF_INET = 50; + static final int SSL_AF_INET6 = 51; + void close() throws IOException { socketClose(); } @@ -327,13 +331,25 @@ return in; } + private native byte[] getLocalAddressByteArrayNative() throws SocketException; + private native byte[] getPeerAddressByteArrayNative() throws SocketException; /** * @return the InetAddress of the peer end of the socket. */ InetAddress getInetAddress() { try { - return convertIntToInetAddress( getPeerAddressNative() ); + byte[] address = getPeerAddressByteArrayNative(); + + InetAddress iAddr = null; + + try { + + iAddr = InetAddress.getByAddress(address); + } catch(UnknownHostException e) { + } + + return iAddr; } catch(SocketException e) { return null; } 
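Review bot: `getInetAddress()` now swallows `UnknownHostException` in an empty catch and returns null, and `getLocalAddress()` in the next hunk does the same. `InetAddress.getByAddress` throws it only for an address of illegal length, which here would mean the native layer returned something other than 4 or 16 bytes. That is worth at least a comment such as `// native layer returned an address of illegal length; report as unknown`, or a log entry. The nested try can be folded into the outer one as a second catch clause, which removes the `iAddr`/`lAddr` temporaries.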
@@ -345,7 +361,17 @@ */ InetAddress getLocalAddress() { try { - return convertIntToInetAddress( getLocalAddressNative() ); + byte[] address = getLocalAddressByteArrayNative(); + + InetAddress lAddr = null; + + try { + + lAddr = InetAddress.getByAddress(address); + } catch(UnknownHostException e) { + } + + return lAddr; } catch(SocketException e) { return null; } @@ -424,4 +450,45 @@ return topException; } } + + static private int supportsIPV6 = -1; + static boolean supportsIPV6() { + + if(supportsIPV6 >= 0) { + if(supportsIPV6 > 0) { + return true; + } else { + return false; + } + } + + Enumeration netInter; + try { + netInter = NetworkInterface.getNetworkInterfaces(); + } catch (SocketException e) { + + return false; + } + while ( netInter.hasMoreElements() ) + { + NetworkInterface ni = (NetworkInterface)netInter.nextElement(); + Enumeration addrs = ni.getInetAddresses(); + while ( addrs.hasMoreElements() ) + { + Object o = addrs.nextElement(); + if ( o.getClass() == InetAddress.class || + o.getClass() == Inet4Address.class || + o.getClass() == Inet6Address.class ) + { + InetAddress iaddr = (InetAddress) o; + if(o.getClass() == Inet6Address.class) { + supportsIPV6 = 1; + return true; + } + } + } + } + supportsIPV6 = 0; + return false; + } } diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2010-03-01 21:57:01.000000000 +0000 +++ jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2013-09-08 21:07:41.266054954 +0100 @@ -36,7 +36,8 @@ package org.mozilla.jss.ssl; -import java.net.InetAddress; +import java.util.*; +import java.net.*; import java.io.IOException; import java.net.Socket; import java.net.SocketException; 
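Review bot: `supportsIPV6()` dereferences the result of `NetworkInterface.getNetworkInterfaces()` without a null check; older Java releases document a null return when no interfaces are found, so `netInter.hasMoreElements()` can throw NullPointerException, and `if (netInter == null) return false;` guards it. Any `Inet6Address` on any interface, including loopback or link-local, flips every new socket to the IPv6 family, which deserves a comment since it is a heuristic and not proof of IPv6 connectivity. The `SocketException` path returns false without caching, so the enumeration is retried on each call. The local `iaddr` is unused, and the class comparisons reduce to `o instanceof Inet6Address`.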
@@ -138,34 +139,34 @@ super.close(); // create the socket + + int socketFamily = SocketBase.SSL_AF_INET; + if(SocketBase.supportsIPV6()) { + socketFamily = SocketBase.SSL_AF_INET6; + } + sockProxy = new SocketProxy( - base.socketCreate(this, certApprovalCallback, null) ); + base.socketCreate(this, certApprovalCallback, null,socketFamily) ); base.setProxy(sockProxy); setReuseAddress(reuseAddr); - // bind it to the local address and port - if( bindAddr == null ) { - bindAddr = anyLocalAddr; - } byte[] bindAddrBA = null; if( bindAddr != null ) { bindAddrBA = bindAddr.getAddress(); } base.socketBind(bindAddrBA, port); + + String hostName = null; + if(bindAddr != null) { + hostName = bindAddr.getCanonicalHostName(); + } socketListen(backlog); } private native void socketListen(int backlog) throws SocketException; - private static InetAddress anyLocalAddr; - static { - try { - anyLocalAddr = InetAddress.getByName("0.0.0.0"); - } catch (java.net.UnknownHostException e) { } - } - /** * Accepts a connection. This call will block until a connection is made * or the timeout is reached. diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2007-05-09 02:40:14.000000000 +0100 +++ jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2013-09-08 21:07:41.267054950 +0100 @@ -460,10 +460,15 @@ JSSL_SocketData *sock; PRNetAddr addr; jbyte *addrBAelems = NULL; + int addrBALen = 0; PRStatus status; int stat; const char *hostnameStr=NULL; + jmethodID supportsIPV6ID; + jclass socketBaseClass; + jboolean supportsIPV6 = 0; + if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) { /* exception was thrown */ goto finish; 
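Review bot: The `hostName = bindAddr.getCanonicalHostName()` added after `socketBind` is never read, and `getCanonicalHostName()` can perform a reverse name lookup. Every bind to an explicit address therefore pays for, and may block on, a name-service query whose result is discarded; I would remove those lines. With the `anyLocalAddr` default gone, a null `bindAddr` now reaches `socketBind` as a null array, so the Javadoc should say that null means the wildcard address of whichever family `supportsIPV6()` selects. The enclosing method starts outside the hunk.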
@@ -472,16 +477,32 @@ /* * setup the PRNetAddr structure */ - addr.inet.family = AF_INET; - addr.inet.port = htons(port); - PR_ASSERT(sizeof(addr.inet.ip) == 4); - PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4); + + socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME); + if( socketBaseClass == NULL ) { + ASSERT_OUTOFMEM(env); + goto finish; + } + supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass, + SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG); + + if( supportsIPV6ID == NULL ) { + ASSERT_OUTOFMEM(env); + goto finish; + } + + supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass, + supportsIPV6ID); + addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL); + addrBALen = (*env)->GetArrayLength(env, addrBA); + + PR_ASSERT(addrBALen != 0); + if( addrBAelems == NULL ) { ASSERT_OUTOFMEM(env); goto finish; } - memcpy(&addr.inet.ip, addrBAelems, 4); /* * Tell SSL the URL we think we want to connect to. 
@@ -495,6 +516,38 @@ goto finish; } + if( addrBAelems == NULL ) { + ASSERT_OUTOFMEM(env); + goto finish; + } + + if(addrBALen != 4 && addrBALen != 16) { + JSSL_throwSSLSocketException(env, "Invalid address in connect!"); + goto finish; + } + + if( addrBALen == 4) { + addr.inet.family = AF_INET; + addr.inet.port = PR_htons(port); + memcpy(&addr.inet.ip, addrBAelems, 4); + + if(supportsIPV6) { + addr.ipv6.family = AF_INET6; + addr.ipv6.port = PR_htons(port); + PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip); + } + + } else { /* Must be 16 and ipv6 */ + if(supportsIPV6) { + addr.ipv6.family = AF_INET6; + addr.ipv6.port = PR_htons(port); + memcpy(&addr.ipv6.ip,addrBAelems, 16); + } else { + JSSL_throwSSLSocketException(env, "Invalid address in connect!"); + goto finish; + } + } + /* * make the connect call */ diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2010-03-01 21:57:01.000000000 +0000 +++ jss-4.3.2/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2013-09-08 21:07:41.268054946 +0100 @@ -251,11 +251,16 @@ SSLClientCertificateSelectionCallback clientCertSelectionCallback) throws IOException { + + int socketFamily = SocketBase.SSL_AF_INET; + if(SocketBase.supportsIPV6()) { + socketFamily = SocketBase.SSL_AF_INET6; + } // create the socket sockProxy = new SocketProxy( base.socketCreate( - this, certApprovalCallback, clientCertSelectionCallback) ); + this, certApprovalCallback, clientCertSelectionCallback,socketFamily) ); base.setProxy(sockProxy); 
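Review bot: The connect path fills `addr` with `AF_INET`/`AF_INET6`, while the bind path in common.c uses `PR_AF_INET`/`PR_AF_INET6`. PRNetAddr is an NSPR structure and NSPR's constants are not guaranteed to equal the system ones on every platform, so use `PR_AF_INET` and `PR_AF_INET6` here as well. The added `if( addrBAelems == NULL )` block repeats the check made in the previous hunk and can be dropped. The function continues outside the hunk.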
@@ -296,7 +301,7 @@ new SocketProxy( base.socketCreate( this, certApprovalCallback, clientCertSelectionCallback, - s, host ) ); + s, host,SocketBase.SSL_AF_INET ) ); base.setProxy(sockProxy); resetHandshake(); diff -ur jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/util/java_ids.h jss-4.3.2/mozilla/security/jss/org/mozilla/jss/util/java_ids.h --- jss-4.3.2.orig/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2008-04-21 16:32:28.000000000 +0100 +++ jss-4.3.2/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2013-09-08 21:07:41.271054934 +0100 @@ -312,6 +312,8 @@ #define SOCKET_BASE_NAME "org/mozilla/jss/ssl/SocketBase" #define PROCESS_EXCEPTIONS_NAME "processExceptions" #define PROCESS_EXCEPTIONS_SIG "(Ljava/lang/Throwable;Ljava/lang/Throwable;)Ljava/lang/Throwable;" +#define SUPPORTS_IPV6_NAME "supportsIPV6" +#define SUPPORTS_IPV6_SIG "()Z" /* * SSLCertificateApprovalCallback