File jss-4.3.2-support-TLS1_1-TLS1_2.patch of Package mozilla-jss
diff -Ppru jss-4.3.2.orig/security/jss/lib/jss.def jss-4.3.2/security/jss/lib/jss.def
--- jss-4.3.2.orig/security/jss/lib/jss.def 2015-04-12 17:52:25.000000000 +0200
+++ jss-4.3.2/security/jss/lib/jss.def 2015-04-12 17:52:39.371928597 +0200
@@ -331,3 +331,10 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
;+ local:
;+ *;
;+};
+;+JSS_4.3.2 { # JSS 4.3.2 release
+;+ global:
+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange;
+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault;
+;+ local:
+;+ *;
+;+};
diff -Ppru jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/common.c jss-4.3.2/security/jss/org/mozilla/jss/ssl/common.c
--- jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/common.c 2015-04-12 17:52:25.000000000 +0200
+++ jss-4.3.2/security/jss/org/mozilla/jss/ssl/common.c 2015-04-12 17:52:39.371928597 +0200
@@ -38,6 +38,7 @@
#include <pk11func.h>
#include <ssl.h>
#include <sslerr.h>
+#include <sslproto.h>
#include <jssutil.h>
#include <jss_exceptions.h>
@@ -414,6 +415,13 @@ PRInt32 JSSL_enums[] = {
SSL_RENEGOTIATE_REQUIRES_XTN, /* 26 */ /* ssl.h */
SSL_RENEGOTIATE_TRANSITIONAL, /* 27 */ /* ssl.h */
SSL_REQUIRE_SAFE_NEGOTIATION, /* 28 */ /* ssl.h */
+ SSL_LIBRARY_VERSION_2, /* 29 */ /* sslproto.h */
+ SSL_LIBRARY_VERSION_3_0, /* 30 */ /* sslproto.h */
+ SSL_LIBRARY_VERSION_TLS_1_0, /* 31 */ /* sslproto.h */
+ SSL_LIBRARY_VERSION_TLS_1_1, /* 32 */ /* sslproto.h */
+ SSL_LIBRARY_VERSION_TLS_1_2, /* 33 */ /* sslproto.h */
+ ssl_variant_stream, /* 34 */ /* sslt.h */
+ ssl_variant_datagram, /* 35 */ /* sslt.h */
0
};
diff -Ppru jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/jssl.h jss-4.3.2/security/jss/org/mozilla/jss/ssl/jssl.h
--- jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/jssl.h 2015-04-10 15:22:57.000000000 +0200
+++ jss-4.3.2/security/jss/org/mozilla/jss/ssl/jssl.h 2015-04-12 17:52:39.372928568 +0200
@@ -111,6 +111,7 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL
extern PRInt32 JSSL_enums[];
+#define JSSL_enums_size 52
JSSL_SocketData*
JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD,
diff -Ppru jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/SocketBase.java jss-4.3.2/security/jss/org/mozilla/jss/ssl/SocketBase.java
--- jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/SocketBase.java 2015-04-12 17:52:25.000000000 +0200
+++ jss-4.3.2/security/jss/org/mozilla/jss/ssl/SocketBase.java 2015-04-12 17:52:39.372928568 +0200
@@ -105,8 +105,8 @@ class SocketBase {
static final int SSL_POLICY_DOMESTIC = 10;
static final int SSL_POLICY_EXPORT = 11;
static final int SSL_POLICY_FRANCE = 12;
- static final int SSL_BYPASS_PKCS11 = 13;
- static final int SSL_ROLLBACK_DETECTION = 14;
+ static final int SSL_BYPASS_PKCS11 = 13;
+ static final int SSL_ROLLBACK_DETECTION = 14;
static final int SSL_NO_STEP_DOWN = 15;
static final int SSL_ENABLE_FDX = 16;
static final int SSL_V2_COMPATIBLE_HELLO = 17;
@@ -121,6 +121,15 @@ class SocketBase {
static final int SSL_RENEGOTIATE_REQUIRES_XTN = 26;
static final int SSL_RENEGOTIATE_TRANSITIONAL = 27;
static final int SSL_REQUIRE_SAFE_NEGOTIATION = 28;
+ /* ssl/sslproto.h for supporting SSLVersionRange */
+ static final int SSL_LIBRARY_VERSION_2 = 29;
+ static final int SSL_LIBRARY_VERSION_3_0 = 30;
+ static final int SSL_LIBRARY_VERSION_TLS_1_0 = 31;
+ static final int SSL_LIBRARY_VERSION_TLS_1_1 = 32;
+ static final int SSL_LIBRARY_VERSION_TLS_1_2 = 33;
+ /* ssl/sslt.h */
+ static final int SSL_Variant_Stream = 34;
+ static final int SSL_Variant_Datagram = 35;
static final int SSL_AF_INET = 50;
@@ -197,13 +206,25 @@ class SocketBase {
void enableV2CompatibleHello(boolean enable) throws SocketException {
setSSLOption(SSL_V2_COMPATIBLE_HELLO, enable);
}
-
+
void setSSLOption(int option, boolean on)
throws SocketException
{
setSSLOption(option, on ? 1 : 0);
}
+ void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range)
+ throws SocketException
+ {
+ setSSLVersionRange(range.getMinEnum(), range.getMaxEnum());
+ }
+
+ /**
+ * Sets SSL Version Range for this socket to support TLS v1.1 and v1.2
+ */
+ native void setSSLVersionRange(int min, int max)
+ throws SocketException;
+
/**
* Sets SSL options for this socket that have simple
* enable/disable values.
diff -Ppru jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.3.2/security/jss/org/mozilla/jss/ssl/SSLSocket.c
--- jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2015-04-12 17:52:25.000000000 +0200
+++ jss-4.3.2/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2015-04-12 17:52:39.372928568 +0200
@@ -55,6 +55,104 @@
#include <winsock.h>
#endif
+/*
+ * support TLS v1.1 and v1.2
+ * sets default SSL version range for sockets created after this call
+ */
+JNIEXPORT void JNICALL
+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault(JNIEnv *env,
+ jclass clazz, jint ssl_variant, jint min, jint max)
+{
+ SECStatus status;
+ SSLVersionRange vrange;
+
+ if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
+ min <0 || min >= JSSL_enums_size ||
+ max <0 || max >= JSSL_enums_size) {
+ char buf[128];
+ PR_snprintf(buf, 128, "JSS setSSLVersionRangeDefault(): for variant=%d min=%d max=%d failed - out of range for array JSSL_enums size: %d", JSSL_enums[ssl_variant], min, max, JSSL_enums_size);
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+
+ vrange.min = JSSL_enums[min];
+ vrange.max = JSSL_enums[max];
+
+ /* get supported range */
+ SSLVersionRange supported_range;
+ status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
+ &supported_range);
+ if( status != SECSuccess ) {
+ char buf[128];
+ PR_snprintf(buf, 128, "SSL_VersionRangeGetSupported() for variant=%d failed: %d", JSSL_enums[ssl_variant], PR_GetError());
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+ /* now check the min and max */
+ if (vrange.min < supported_range.min ||
+ vrange.max > supported_range.max) {
+ char buf[128];
+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d out of range (%d:%d): %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, supported_range.min, supported_range.max, PR_GetError());
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+
+ /* set the default SSL Version Range */
+ status = SSL_VersionRangeSetDefault(JSSL_enums[ssl_variant],
+ &vrange);
+ if( status != SECSuccess ) {
+ char buf[128];
+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d failed: %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, PR_GetError());
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+
+finish:
+ return;
+}
+
+/*
+ * support TLS v1.1 and v1.2
+ * sets SSL version range for this socket
+ */
+JNIEXPORT void JNICALL
+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange
+ (JNIEnv *env, jobject self, jint min, jint max)
+{
+ SECStatus status;
+ JSSL_SocketData *sock = NULL;
+ SSLVersionRange vrange;
+
+ if ( min <0 || min >= JSSL_enums_size ||
+ max <0 || max >= JSSL_enums_size) {
+ char buf[128];
+ PR_snprintf(buf, 128, "JSS setSSLVersionRange(): for max=%d failed - out of range for array JSSL_enums size: %d", min, max, JSSL_enums_size);
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+
+ /* get my fd */
+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
+ goto finish;
+ }
+
+ vrange.min = JSSL_enums[min];
+ vrange.max = JSSL_enums[max];
+
+ /*
+ * set the SSL Version Range
+ * The validity of the range will be checked by this NSS call
+ */
+ status = SSL_VersionRangeSet(sock->fd, &vrange);
+ if( status != SECSuccess ) {
+ JSSL_throwSSLSocketException(env, "SSL_VersionRangeSet failed");
+ goto finish;
+ }
+
+finish:
+ EXCEPTION_CHECK(env, sock)
+ return;
+}
JNIEXPORT void JNICALL
Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOption(JNIEnv *env,
diff -Ppru jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/SSLSocket.java jss-4.3.2/security/jss/org/mozilla/jss/ssl/SSLSocket.java
--- jss-4.3.2.orig/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2015-04-12 17:52:25.000000000 +0200
+++ jss-4.3.2/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2015-04-12 17:52:39.372928568 +0200
@@ -36,6 +36,7 @@
package org.mozilla.jss.ssl;
+import java.lang.IllegalArgumentException;
import java.net.*;
import java.net.SocketException;
import java.net.SocketTimeoutException;
@@ -1090,6 +1091,63 @@ public class SSLSocket extends java.net.
setSSLDefaultOption(SocketBase.SSL_NO_CACHE, !b);
}
+ /*
+ * _min_enum and _max_enum should be one of the following:
+ * SocketBase.SSL_LIBRARY_VERSION_3_0
+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_0
+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_1
+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_2
+ */
+ public static class SSLVersionRange {
+ private int _min_enum;
+ private int _max_enum;
+ public static final int ssl3 = SocketBase.SSL_LIBRARY_VERSION_3_0;
+ public static final int tls1_0 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_0;
+ public static final int tls1_1 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_1;
+ public static final int tls1_2 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_2;
+ public SSLVersionRange(int min_enum, int max_enum)
+ throws IllegalArgumentException {
+ if ((min_enum >= SocketBase.SSL_LIBRARY_VERSION_3_0) &&
+ (max_enum <= SocketBase.SSL_LIBRARY_VERSION_TLS_1_2) &&
+ (min_enum <= max_enum)) {
+ _min_enum = min_enum;
+ _max_enum = max_enum;
+ } else {
+ throw new IllegalArgumentException("JSS SSLSocket SSLVersionRange: arguments out of range");
+ }
+ }
+
+ int getMinEnum() { return _min_enum; }
+ int getMaxEnum() { return _max_enum; }
+
+ }
+
+ public static class SSLProtocolVariant {
+ private int _enum;
+ private SSLProtocolVariant(int val) { _enum = val; }
+
+ int getEnum() { return _enum; }
+
+ public static final SSLProtocolVariant STREAM =
+ new SSLProtocolVariant(SocketBase.SSL_Variant_Stream);
+ public static final SSLProtocolVariant DATA_GRAM =
+ new SSLProtocolVariant(SocketBase.SSL_Variant_Datagram);
+
+ }
+
+ public static void setSSLVersionRangeDefault(SSLProtocolVariant ssl_variant, SSLVersionRange range)
+ throws SocketException
+ {
+ if (range == null)
+ throw new SocketException("setSSLVersionRangeDefault: range null");
+ setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum());
+ }
+
+ /**
+ * Sets SSL Version Range Default
+ */
+ private static native void setSSLVersionRangeDefault(int ssl_variant, int min, int max)
+ throws SocketException;
private static void setSSLDefaultOption(int option, boolean on)
throws SocketException
@@ -1363,6 +1421,8 @@ public class SSLSocket extends java.net.
public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
+ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067;
+ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
// New TLS cipher suites in NSS 3.4
public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
@@ -1378,6 +1438,9 @@ public class SSLSocket extends java.net.
public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
+ public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B;
+ public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C;
+ public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D;
public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
@@ -1395,6 +1458,10 @@ public class SSLSocket extends java.net.
public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
+ public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C;
+ public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E;
+ public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
+
public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001;
public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002;
public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003;
@@ -1425,5 +1492,13 @@ public class SSLSocket extends java.net.
public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018;
public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019;
+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023;
+ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027;
+
+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B;
+ public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D;
+ public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F;
+ public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031;
+
}
diff -Ppru jss-4.3.2.orig/security/jss/org/mozilla/jss/tests/Constants.java jss-4.3.2/security/jss/org/mozilla/jss/tests/Constants.java
--- jss-4.3.2.orig/security/jss/org/mozilla/jss/tests/Constants.java 2015-04-10 15:22:57.000000000 +0200
+++ jss-4.3.2/security/jss/org/mozilla/jss/tests/Constants.java 2015-04-12 17:52:39.373928539 +0200
@@ -149,7 +149,25 @@ public interface Constants {
/*52 */ new cipher(SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5, "SSL2_DES_192_EDE3_CBC_WITH_MD5"),
/*53 */ new cipher(SSLSocket.SSL2_DES_64_CBC_WITH_MD5, "SSL2_DES_64_CBC_WITH_MD5"),
/*54 */ new cipher(SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5, "SSL2_RC4_128_EXPORT40_WITH_MD5"),
-/*55 */ new cipher(SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5")
+/*55 */ new cipher(SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"),
+/**
+ * TLS1.1 and TLS1.2 ciphersuites.
+ **/
+/*55*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"),
+/*56*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"),
+/*57*/ new cipher(SSLSocket.TLS_RSA_WITH_NULL_SHA256, "TLS_RSA_WITH_NULL_SHA256"),
+/*58*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"),
+/*59*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"),
+/*60*/ new cipher(SSLSocket.TLS_RSA_WITH_SEED_CBC_SHA, "TLS_RSA_WITH_SEED_CBC_SHA"),
+/*61*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256"),
+/*62*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"),
+/*63*/ new cipher(SSLSocket.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"),
+/*64*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"),
+/*65*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
+/*66*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
+/*67*/ new cipher(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"),
+/*68*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
+/*69*/ new cipher(SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256")
};
/** Cipher supported by JSSE (JDK 1.5.x) */
