big 370970 Server SSL code should invalidate Session ID when redoing handshake r=sparkins,sr=nkwan

glen.beasley%sun.com 2007-03-20 22:39:28 +00:00
Родитель b7dc137d58
Коммит ca0b3b2704
9 изменённых файлов: 169 добавлений и 8 удалений


@ -461,6 +461,7 @@ public class SSLServerSocket extends java.net.ServerSocket {
* peer. If requestClientAuth() has not already been called, this * peer. If requestClientAuth() has not already been called, this
* method will tell the socket to request client auth as well as requiring * method will tell the socket to request client auth as well as requiring
* it. * it.
* @deprecated use requireClientAuth(int)
*/ */
public void requireClientAuth(boolean require, boolean onRedo) public void requireClientAuth(boolean require, boolean onRedo)
throws SocketException throws SocketException
@ -468,6 +469,29 @@ public class SSLServerSocket extends java.net.ServerSocket {
base.requireClientAuth(require, onRedo); base.requireClientAuth(require, onRedo);
} }
/**
* Sets whether the socket requires client authentication from the remote
* peer. If requestClientAuth() has not already been called, this
* method will tell the socket to request client auth as well as requiring
* it.
* @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
* SSLSocket.SSL_REQUIRE_ALWAYS,
* SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
* SSLSocket.SSL_REQUIRE_NO_ERROR
*/
public void requireClientAuth(int mode)
throws SocketException
{
if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
mode <= SocketBase.SSL_REQUIRE_NO_ERROR) {
base.requireClientAuth(mode);
} else {
throw new SocketException("Incorrect input value.");
}
}
/** /**
* Sets the nickname of the certificate to use for client authentication. * Sets the nickname of the certificate to use for client authentication.
*/ */
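Review bot: The new requireClientAuth(int mode) rejects out-of-range values with a message that drops the value, and the range test `mode >= SocketBase.SSL_REQUIRE_NEVER && mode <= SocketBase.SSL_REQUIRE_NO_ERROR` silently depends on the four SocketBase constants staying consecutive (18–21 in this commit). The same check is repeated verbatim in SSLSocket.requireClientAuth(int) and SSLSocket.requireClientAuthDefault(int). Include the value, `throw new SocketException("Incorrect input value: " + mode);`, and add a comment above the condition, `// valid modes are the contiguous run SSL_REQUIRE_NEVER..SSL_REQUIRE_NO_ERROR in SocketBase`, or move the test into one SocketBase helper so all three callers agree when a mode is added.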


@ -55,6 +55,7 @@
#include <winsock.h> #include <winsock.h>
#endif #endif
JNIEXPORT void JNICALL JNIEXPORT void JNICALL
Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOption(JNIEnv *env, Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOption(JNIEnv *env,
jclass clazz, jint joption, jint on) jclass clazz, jint joption, jint on)
@ -72,6 +73,23 @@ finish:
return; return;
} }
JNIEXPORT void JNICALL
Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOptionMode(JNIEnv *env,
jclass clazz, jint joption, jint mode)
{
SECStatus status;
/* set the option */
status = SSL_OptionSetDefault(JSSL_enums[joption],
JSSL_enums[mode]);
if( status != SECSuccess ) {
JSSL_throwSSLSocketException(env, "SSL_OptionSet failed");
goto finish;
}
finish:
return;
}
JNIEXPORT jint JNICALL JNIEXPORT jint JNICALL
Java_org_mozilla_jss_ssl_SSLSocket_getSSLDefaultOption(JNIEnv *env, Java_org_mozilla_jss_ssl_SSLSocket_getSSLDefaultOption(JNIEnv *env,
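Review bot: The exception raised on failure in setSSLDefaultOptionMode names the wrong API — the call is SSL_OptionSetDefault, so the line should read `JSSL_throwSSLSocketException(env, "SSL_OptionSetDefault failed");`. Separately, `joption` and `mode` are used as indices into JSSL_enums[] with no bounds check, so the only guard is the range test on the Java side; a native-side check such as `if (joption < 0 || mode < 0 || joption >= (jint)(sizeof(JSSL_enums)/sizeof(JSSL_enums[0])) || mode >= (jint)(sizeof(JSSL_enums)/sizeof(JSSL_enums[0]))) { JSSL_throwSSLSocketException(env, "invalid option index"); goto finish; }` would keep a bad index from reading past the table. The same unchecked indexing appears in SocketBase_setSSLOptionMode in SocketBase.c. Whether the array is visible to this translation unit via a header is not shown in the hunk, so a shared size constant may be needed instead of sizeof.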


@ -42,8 +42,6 @@ import java.net.SocketTimeoutException;
import java.io.*; import java.io.*;
import java.io.IOException; import java.io.IOException;
import java.util.Vector; import java.util.Vector;
import java.net.SocketPermission;
import java.security.AccessController;
/** /**
* SSL client socket. * SSL client socket.
@ -74,6 +72,14 @@ public class SSLSocket extends java.net.Socket {
private boolean open = false; private boolean open = false;
private boolean handshakeAsClient = true; private boolean handshakeAsClient = true;
private SocketBase base = new SocketBase(); private SocketBase base = new SocketBase();
static final public int SSL_REQUIRE_NEVER =
org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NEVER;
static final public int SSL_REQUIRE_ALWAYS =
org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_ALWAYS;
static final public int SSL_REQUIRE_FIRST_HANDSHAKE =
org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_FIRST_HANDSHAKE;
static final public int SSL_REQUIRE_NO_ERROR =
org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NO_ERROR;
/** /**
* For sockets that get created by accept(). * For sockets that get created by accept().
@ -746,10 +752,11 @@ public class SSLSocket extends java.net.Socket {
} }
/** /**
* Sets whether the socket requires client authentication from the remote * Sets whether the socket requires client authentication from the remote
* peer. If requestClientAuth() has not already been called, this * peer. If requestClientAuth() has not already been called, this
* method will tell the socket to request client auth as well as requiring * method will tell the socket to request client auth as well as requiring
* it. * it.
* @deprecated use requireClientAuth(int)
*/ */
public void requireClientAuth(boolean require, boolean onRedo) public void requireClientAuth(boolean require, boolean onRedo)
throws SocketException throws SocketException
@ -758,8 +765,33 @@ public class SSLSocket extends java.net.Socket {
} }
/** /**
* Sets the default setting for requiring client authorization. * Sets whether the socket requires client authentication from the remote
* peer. If requestClientAuth() has not already been called, this method
* will tell the socket to request client auth as well as requiring it.
* This is only meaningful for the server end of the SSL connection.
* During the next handshake, the remote peer will be asked to
* authenticate itself with the requirement that was set.
*
* @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
* SSLSocket.SSL_REQUIRE_ALWAYS,
* SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
* SSLSocket.SSL_REQUIRE_NO_ERROR
*/
public void requireClientAuth(int mode)
throws SocketException
{
if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
mode <= SocketBase.SSL_REQUIRE_NO_ERROR) {
base.requireClientAuth(mode);
} else {
throw new SocketException("Incorrect input value.");
}
}
/**
* Sets the default setting for requiring client authorization.
* All subsequently created sockets will use this default setting. * All subsequently created sockets will use this default setting.
* @deprecated use requireClientAuthDefault(int)
*/ */
public void requireClientAuthDefault(boolean require, boolean onRedo) public void requireClientAuthDefault(boolean require, boolean onRedo)
throws SocketException throws SocketException
@ -768,6 +800,29 @@ public class SSLSocket extends java.net.Socket {
require ? (onRedo ? 1 : 2) : 0); require ? (onRedo ? 1 : 2) : 0);
} }
/**
* Sets the default setting for requiring client authorization.
* All subsequently created sockets will use this default setting
* This is only meaningful for the server end of the SSL connection.
*
* @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
* SSLSocket.SSL_REQUIRE_ALWAYS,
* SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
* SSLSocket.SSL_REQUIRE_NO_ERROR
*/
static public void requireClientAuthDefault(int mode)
throws SocketException
{
if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
mode <= SocketBase.SSL_REQUIRE_NO_ERROR) {
setSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE, true);
setSSLDefaultOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE,mode);
} else {
throw new SocketException("Incorrect input value.");
}
}
/** /**
* Force an already started SSL handshake to complete. * Force an already started SSL handshake to complete.
* This method should block until the handshake has completed. * This method should block until the handshake has completed.
@ -894,9 +949,19 @@ public class SSLSocket extends java.net.Socket {
{ {
setSSLDefaultOption(option, on ? 1 : 0); setSSLDefaultOption(option, on ? 1 : 0);
} }
/**
* Sets SSL Default options that have simple enable/disable values.
*/
private static native void setSSLDefaultOption(int option, int on) private static native void setSSLDefaultOption(int option, int on)
throws SocketException; throws SocketException;
/**
* Set SSL default options that have more modes than enable/disable.
*/
private static native void setSSLDefaultOptionMode(int option, int mode)
throws SocketException;
/** /**
* Enables/disables the cipher on this socket. * Enables/disables the cipher on this socket.
*/ */
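Review bot: The Javadoc for the new public requireClientAuth(int) and requireClientAuthDefault(int) documents the accepted modes but not the exception the body throws for any other value; add `@throws SocketException if {@code mode} is not one of the SSL_REQUIRE_* constants` to both (and to the SSLServerSocket copy). The new constants are declared `static final public`, which reads oddly against the usual `public static final` order. The deprecated boolean overloads carry only the `@deprecated` Javadoc tag; if the code base targets Java 5 or later, pairing it with the `@Deprecated` annotation lets the compiler warn callers.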


@ -110,6 +110,10 @@ class SocketBase {
static final int SSL_NO_STEP_DOWN = 15; static final int SSL_NO_STEP_DOWN = 15;
static final int SSL_ENABLE_FDX = 16; static final int SSL_ENABLE_FDX = 16;
static final int SSL_V2_COMPATIBLE_HELLO = 17; static final int SSL_V2_COMPATIBLE_HELLO = 17;
static final int SSL_REQUIRE_NEVER = 18;
static final int SSL_REQUIRE_ALWAYS = 19;
static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20;
static final int SSL_REQUIRE_NO_ERROR = 21;
void close() throws IOException { void close() throws IOException {
socketClose(); socketClose();
@ -175,9 +179,21 @@ class SocketBase {
setSSLOption(option, on ? 1 : 0); setSSLOption(option, on ? 1 : 0);
} }
/**
* Sets SSL options for this socket that have simple
* enable/disable values.
*/
native void setSSLOption(int option, int on) native void setSSLOption(int option, int on)
throws SocketException; throws SocketException;
/**
* Sets the SSL option setting mode value use for options
* that have more values than just enable/diasable.
*/
native void setSSLOptionMode(int option, int option2)
throws SocketException;
/* return 0 for option disabled 1 for option enabled. */ /* return 0 for option disabled 1 for option enabled. */
native int getSSLOption(int option) native int getSSLOption(int option)
throws SocketException; throws SocketException;
@ -309,6 +325,15 @@ class SocketBase {
setSSLOption(SSL_REQUIRE_CERTIFICATE, require ? (onRedo ? 1 : 2) : 0); setSSLOption(SSL_REQUIRE_CERTIFICATE, require ? (onRedo ? 1 : 2) : 0);
} }
void requireClientAuth(int mode)
throws SocketException
{
if(mode > 0 && !requestingClientAuth ) {
requestClientAuth(true);
}
setSSLOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE, mode);
}
/** /**
* Sets the nickname of the certificate to use for client authentication. * Sets the nickname of the certificate to use for client authentication.
*/ */
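Review bot: In SocketBase.requireClientAuth(int mode) the guard `if(mode > 0 && !requestingClientAuth)` tests the JSSL_enums index, and every valid mode added in this commit is 18 or higher, so the condition is true for SSL_REQUIRE_NEVER as well and the socket always starts requesting a certificate. If the intent was to mirror NSS, where the "never" value is 0, the comparison should be `if (mode != SSL_REQUIRE_NEVER && !requestingClientAuth)`; if requesting on NEVER is intended, the `mode > 0` part is dead and should be dropped with a comment saying the request is unconditional. The native declaration names its second parameter `option2` while the JNI implementation calls it `mode`; `native void setSSLOptionMode(int option, int mode)` would match, and the Javadoc above it has a typo, "diasable".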


@ -390,6 +390,10 @@ PRInt32 JSSL_enums[] = {
SSL_NO_STEP_DOWN, /* 15 */ /* ssl.h */ SSL_NO_STEP_DOWN, /* 15 */ /* ssl.h */
SSL_ENABLE_FDX, /* 16 */ /* ssl.h */ SSL_ENABLE_FDX, /* 16 */ /* ssl.h */
SSL_V2_COMPATIBLE_HELLO, /* 17 */ /* ssl.h */ SSL_V2_COMPATIBLE_HELLO, /* 17 */ /* ssl.h */
SSL_REQUIRE_NEVER, /* 18 */ /* ssl.h */
SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */
SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */
SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */
0 0
}; };
@ -519,6 +523,31 @@ finish:
return; return;
} }
JNIEXPORT void JNICALL
Java_org_mozilla_jss_ssl_SocketBase_setSSLOptionMode
(JNIEnv *env, jobject self, jint option, jint mode)
{
SECStatus status;
JSSL_SocketData *sock = NULL;
/* get my fd */
if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
goto finish;
}
/* set the option */
status = SSL_OptionSet(sock->fd, JSSL_enums[option], JSSL_enums[mode]);
if( status != SECSuccess ) {
JSSL_throwSSLSocketException(env, "SSL_OptionSet failed");
goto finish;
}
finish:
EXCEPTION_CHECK(env, sock)
return;
}
JNIEXPORT jint JNICALL JNIEXPORT jint JNICALL
Java_org_mozilla_jss_ssl_SocketBase_getSSLOption(JNIEnv *env, Java_org_mozilla_jss_ssl_SocketBase_getSSLOption(JNIEnv *env,
jobject self, jint option) jobject self, jint option)
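Review bot: SocketBase_setSSLOptionMode has no header comment, and unlike setSSLOption its second argument is not an on/off flag but another index into JSSL_enums[], which a reader cannot tell from the signature. A comment such as `/* Sets an SSL option whose value is itself an enum (e.g. SSL_REQUIRE_CERTIFICATE); both option and mode are indices into JSSL_enums[], not NSS values. */` above the function would make that explicit. The missing bounds check on those indices is raised on the SSLSocket.c hunk and applies here too.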


@ -172,7 +172,7 @@ public class JSS_FileUploadServer {
System.out.println("Server created socket"); System.out.println("Server created socket");
//serverSock.setSoTimeout(120 * 1000); //serverSock.setSoTimeout(120 * 1000);
serverSock.requireClientAuth(true, true); serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR);
serverSock.setServerCertNickname(fServerCertNick); serverSock.setServerCertNickname(fServerCertNick);
if ( Constants.debug_level >= 3 ) if ( Constants.debug_level >= 3 )
System.out.println("Server specified cert by nickname"); System.out.println("Server specified cert by nickname");
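Review bot: Replacing `requireClientAuth(true, true)` with `requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR)` is not a like-for-like migration: the old overload mapped true/true to raw value 1 via `require ? (onRedo ? 1 : 2) : 0` (visible in the SSLSocket.java hunk), whereas the new call selects the NO_ERROR mode. If SSL_REQUIRE_NO_ERROR carries NSS's meaning of requesting a certificate but not failing the handshake when none is presented, these servers no longer enforce client authentication, which matters most for SSLClientAuth, the test whose purpose is to exercise that enforcement. The same substitution is made in JSS_SSLServer, JSS_SelfServServer and SSLClientAuth; a test that must reject unauthenticated clients should use `serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_ALWAYS);` or the mode that matches the previous behaviour, with a comment stating which outcome the test expects.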


@ -201,7 +201,7 @@ public class JSS_SSLServer {
System.out.println("Server created socket"); System.out.println("Server created socket");
serverSock.setSoTimeout(120 * 1000); serverSock.setSoTimeout(120 * 1000);
serverSock.requireClientAuth(true, true); serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR);
serverSock.setServerCertNickname(serverCertNick); serverSock.setServerCertNickname(serverCertNick);
if ( Constants.debug_level >= 3 ) if ( Constants.debug_level >= 3 )
System.out.println("Server specified cert by nickname"); System.out.println("Server specified cert by nickname");


@ -167,7 +167,7 @@ public class JSS_SelfServServer {
// Only used to reproduce CLOSE_WAIT error. // Only used to reproduce CLOSE_WAIT error.
//serverSock.setSoTimeout(5000); // Set timeout for 5 sec //serverSock.setSoTimeout(5000); // Set timeout for 5 sec
serverSock.requireClientAuth (true, true); serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR);
serverSock.setServerCertNickname (fServerCertNick); serverSock.setServerCertNickname (fServerCertNick);
if ( Constants.debug_level >= 3 ) if ( Constants.debug_level >= 3 )
System.out.println ("Server specified cert by nickname"); System.out.println ("Server specified cert by nickname");


@ -289,7 +289,7 @@ public class SSLClientAuth implements Runnable {
SSLServerSocket serverSock = new SSLServerSocket(port, 5, null, null, SSLServerSocket serverSock = new SSLServerSocket(port, 5, null, null,
true); true);
System.out.println("Server created socket"); System.out.println("Server created socket");
serverSock.requireClientAuth(true, true); serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR);
if( useNickname ) { if( useNickname ) {
serverSock.setServerCertNickname(serverCertNick); serverSock.setServerCertNickname(serverCertNick);
System.out.println("Server specified cert by nickname"); System.out.println("Server specified cert by nickname");