big 370970 Server SSL code should invalidate Session ID when redoing handshake r=sparkins,sr=nkwan
Родитель
b7dc137d58
Коммит
ca0b3b2704
@ -461,6 +461,7 @@ public class SSLServerSocket extends java.net.ServerSocket {
|
|||
* peer. If requestClientAuth() has not already been called, this
|
||||
* method will tell the socket to request client auth as well as requiring
|
||||
* it.
|
||||
* @deprecated use requireClientAuth(int)
|
||||
*/
|
||||
public void requireClientAuth(boolean require, boolean onRedo)
|
||||
throws SocketException
|
||||
|
@ -468,6 +469,29 @@ public class SSLServerSocket extends java.net.ServerSocket {
|
|||
base.requireClientAuth(require, onRedo);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether the socket requires client authentication from the remote
|
||||
* peer. If requestClientAuth() has not already been called, this
|
||||
* method will tell the socket to request client auth as well as requiring
|
||||
* it.
|
||||
* @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
|
||||
* SSLSocket.SSL_REQUIRE_ALWAYS,
|
||||
* SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
|
||||
* SSLSocket.SSL_REQUIRE_NO_ERROR
|
||||
*/
|
||||
|
||||
public void requireClientAuth(int mode)
|
||||
throws SocketException
|
||||
{
|
||||
if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
|
||||
mode <= SocketBase.SSL_REQUIRE_NO_ERROR) {
|
||||
base.requireClientAuth(mode);
|
||||
} else {
|
||||
throw new SocketException("Incorrect input value.");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Sets the nickname of the certificate to use for client authentication.
|
||||
*/
|
||||
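Review bot: The new requireClientAuth(int) in SSLServerSocket does not document the SocketException it throws for an out-of-range mode, and the message `"Incorrect input value."` discards the offending value, which makes a misconfigured server hard to diagnose from a log line. Add `@throws SocketException if mode is not one of the SSL_REQUIRE_* constants` to the Javadoc and change the throw to `throw new SocketException("Invalid client-auth mode: " + mode);`. The identical range check and message appear again in SSLSocket.requireClientAuth(int) and requireClientAuthDefault(int); a single package-private helper in SocketBase that validates a mode would keep the three copies from drifting apart if the constant range ever changes.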
|
@ -55,6 +55,7 @@
|
|||
#include <winsock.h>
|
||||
#endif
|
||||
|
||||
|
||||
JNIEXPORT void JNICALL
|
||||
Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOption(JNIEnv *env,
|
||||
jclass clazz, jint joption, jint on)
|
||||
|
@ -72,6 +73,23 @@ finish:
|
|||
return;
|
||||
}
|
||||
|
||||
JNIEXPORT void JNICALL
|
||||
Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOptionMode(JNIEnv *env,
|
||||
jclass clazz, jint joption, jint mode)
|
||||
{
|
||||
SECStatus status;
|
||||
|
||||
/* set the option */
|
||||
status = SSL_OptionSetDefault(JSSL_enums[joption],
|
||||
JSSL_enums[mode]);
|
||||
if( status != SECSuccess ) {
|
||||
JSSL_throwSSLSocketException(env, "SSL_OptionSet failed");
|
||||
goto finish;
|
||||
}
|
||||
|
||||
finish:
|
||||
return;
|
||||
}
|
||||
|
||||
JNIEXPORT jint JNICALL
|
||||
Java_org_mozilla_jss_ssl_SSLSocket_getSSLDefaultOption(JNIEnv *env,
|
||||
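Review bot: The exception raised on failure in setSSLDefaultOptionMode names the wrong NSS call: the function invokes SSL_OptionSetDefault, but the message says `"SSL_OptionSet failed"`, so a failure here is indistinguishable in logs from a per-socket SSL_OptionSet failure in the existing setSSLOption path. Change it to `JSSL_throwSSLSocketException(env, "SSL_OptionSetDefault failed");`. Note also that joption and mode are used as raw indices into JSSL_enums with no range check; the private static Java caller only passes constants today, so this is defensive rather than exploitable, but a short comment such as `/* indices into JSSL_enums; range-checked by the Java caller */` would record the assumption for the next maintainer.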
|
@ -42,8 +42,6 @@ import java.net.SocketTimeoutException;
|
|||
import java.io.*;
|
||||
import java.io.IOException;
|
||||
import java.util.Vector;
|
||||
import java.net.SocketPermission;
|
||||
import java.security.AccessController;
|
||||
|
||||
/**
|
||||
* SSL client socket.
|
||||
|
@ -74,6 +72,14 @@ public class SSLSocket extends java.net.Socket {
|
|||
private boolean open = false;
|
||||
private boolean handshakeAsClient = true;
|
||||
private SocketBase base = new SocketBase();
|
||||
static final public int SSL_REQUIRE_NEVER =
|
||||
org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NEVER;
|
||||
static final public int SSL_REQUIRE_ALWAYS =
|
||||
org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_ALWAYS;
|
||||
static final public int SSL_REQUIRE_FIRST_HANDSHAKE =
|
||||
org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_FIRST_HANDSHAKE;
|
||||
static final public int SSL_REQUIRE_NO_ERROR =
|
||||
org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NO_ERROR;
|
||||
|
||||
/**
|
||||
* For sockets that get created by accept().
|
||||
|
@ -746,10 +752,11 @@ public class SSLSocket extends java.net.Socket {
|
|||
}
|
||||
|
||||
/**
|
||||
* Sets whether the socket requires client authentication from the remote
|
||||
* Sets whether the socket requires client authentication from the remote
|
||||
* peer. If requestClientAuth() has not already been called, this
|
||||
* method will tell the socket to request client auth as well as requiring
|
||||
* it.
|
||||
* @deprecated use requireClientAuth(int)
|
||||
*/
|
||||
public void requireClientAuth(boolean require, boolean onRedo)
|
||||
throws SocketException
|
||||
|
@ -758,8 +765,33 @@ public class SSLSocket extends java.net.Socket {
|
|||
}
|
||||
|
||||
/**
|
||||
* Sets the default setting for requiring client authorization.
|
||||
* Sets whether the socket requires client authentication from the remote
|
||||
* peer. If requestClientAuth() has not already been called, this method
|
||||
* will tell the socket to request client auth as well as requiring it.
|
||||
* This is only meaningful for the server end of the SSL connection.
|
||||
* During the next handshake, the remote peer will be asked to
|
||||
* authenticate itself with the requirement that was set.
|
||||
*
|
||||
* @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
|
||||
* SSLSocket.SSL_REQUIRE_ALWAYS,
|
||||
* SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
|
||||
* SSLSocket.SSL_REQUIRE_NO_ERROR
|
||||
*/
|
||||
public void requireClientAuth(int mode)
|
||||
throws SocketException
|
||||
{
|
||||
if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
|
||||
mode <= SocketBase.SSL_REQUIRE_NO_ERROR) {
|
||||
base.requireClientAuth(mode);
|
||||
} else {
|
||||
throw new SocketException("Incorrect input value.");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the default setting for requiring client authorization.
|
||||
* All subsequently created sockets will use this default setting.
|
||||
* @deprecated use requireClientAuthDefault(int)
|
||||
*/
|
||||
public void requireClientAuthDefault(boolean require, boolean onRedo)
|
||||
throws SocketException
|
||||
|
@ -768,6 +800,29 @@ public class SSLSocket extends java.net.Socket {
|
|||
require ? (onRedo ? 1 : 2) : 0);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the default setting for requiring client authorization.
|
||||
* All subsequently created sockets will use this default setting
|
||||
* This is only meaningful for the server end of the SSL connection.
|
||||
*
|
||||
* @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
|
||||
* SSLSocket.SSL_REQUIRE_ALWAYS,
|
||||
* SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
|
||||
* SSLSocket.SSL_REQUIRE_NO_ERROR
|
||||
*/
|
||||
static public void requireClientAuthDefault(int mode)
|
||||
throws SocketException
|
||||
{
|
||||
if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
|
||||
mode <= SocketBase.SSL_REQUIRE_NO_ERROR) {
|
||||
setSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE, true);
|
||||
setSSLDefaultOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE,mode);
|
||||
} else {
|
||||
|
||||
throw new SocketException("Incorrect input value.");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Force an already started SSL handshake to complete.
|
||||
* This method should block until the handshake has completed.
|
||||
|
@ -894,9 +949,19 @@ public class SSLSocket extends java.net.Socket {
|
|||
{
|
||||
setSSLDefaultOption(option, on ? 1 : 0);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets SSL Default options that have simple enable/disable values.
|
||||
*/
|
||||
private static native void setSSLDefaultOption(int option, int on)
|
||||
throws SocketException;
|
||||
|
||||
/**
|
||||
* Set SSL default options that have more modes than enable/disable.
|
||||
*/
|
||||
private static native void setSSLDefaultOptionMode(int option, int mode)
|
||||
throws SocketException;
|
||||
|
||||
/**
|
||||
* Enables/disables the cipher on this socket.
|
||||
*/
|
||||
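Review bot: requireClientAuthDefault(int) enables SSL_REQUEST_CERTIFICATE unconditionally, so a caller passing SSL_REQUIRE_NEVER still turns on certificate requests for every socket created afterwards, which the Javadoc does not mention. Either guard the request with the mode, `if (mode != SocketBase.SSL_REQUIRE_NEVER) { setSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE, true); }`, or document that NEVER still causes the server to request (but not require) a certificate, whichever the bug intends. The new default setter is static while the deprecated requireClientAuthDefault(boolean, boolean) it replaces is an instance method; that is reasonable, but a sentence in the Javadoc would warn callers migrating from the old signature that the call form changes. The line `All subsequently created sockets will use this default setting` in that Javadoc also lost its terminating period.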
|
@ -110,6 +110,10 @@ class SocketBase {
|
|||
static final int SSL_NO_STEP_DOWN = 15;
|
||||
static final int SSL_ENABLE_FDX = 16;
|
||||
static final int SSL_V2_COMPATIBLE_HELLO = 17;
|
||||
static final int SSL_REQUIRE_NEVER = 18;
|
||||
static final int SSL_REQUIRE_ALWAYS = 19;
|
||||
static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20;
|
||||
static final int SSL_REQUIRE_NO_ERROR = 21;
|
||||
|
||||
void close() throws IOException {
|
||||
socketClose();
|
||||
|
@ -175,9 +179,21 @@ class SocketBase {
|
|||
setSSLOption(option, on ? 1 : 0);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets SSL options for this socket that have simple
|
||||
* enable/disable values.
|
||||
*/
|
||||
native void setSSLOption(int option, int on)
|
||||
throws SocketException;
|
||||
|
||||
/**
|
||||
* Sets the SSL option setting mode value use for options
|
||||
* that have more values than just enable/diasable.
|
||||
*/
|
||||
native void setSSLOptionMode(int option, int option2)
|
||||
throws SocketException;
|
||||
|
||||
|
||||
/* return 0 for option disabled 1 for option enabled. */
|
||||
native int getSSLOption(int option)
|
||||
throws SocketException;
|
||||
|
@ -309,6 +325,15 @@ class SocketBase {
|
|||
setSSLOption(SSL_REQUIRE_CERTIFICATE, require ? (onRedo ? 1 : 2) : 0);
|
||||
}
|
||||
|
||||
void requireClientAuth(int mode)
|
||||
throws SocketException
|
||||
{
|
||||
if(mode > 0 && !requestingClientAuth ) {
|
||||
requestClientAuth(true);
|
||||
}
|
||||
setSSLOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE, mode);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the nickname of the certificate to use for client authentication.
|
||||
*/
|
||||
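Review bot: In SocketBase.requireClientAuth(int), the guard `if(mode > 0 && !requestingClientAuth )` is always true for a valid mode, because the SSL_REQUIRE_* constants added above are 18 through 21; as a result SSL_REQUIRE_NEVER also calls requestClientAuth(true) and switches certificate requests on, the opposite of what a caller asking for NEVER expects. Replace the test with `if (mode != SSL_REQUIRE_NEVER && !requestingClientAuth) {`. This method is package-private and relies on SSLSocket and SSLServerSocket to range-check mode before delegating; a one-line comment saying so would stop a future in-package caller from passing a raw NSS value that then indexes JSSL_enums natively. In the setSSLOptionMode declaration the parameter `option2` would read better as `mode`, and `enable/diasable` in its Javadoc is a typo.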
|
@ -390,6 +390,10 @@ PRInt32 JSSL_enums[] = {
|
|||
SSL_NO_STEP_DOWN, /* 15 */ /* ssl.h */
|
||||
SSL_ENABLE_FDX, /* 16 */ /* ssl.h */
|
||||
SSL_V2_COMPATIBLE_HELLO, /* 17 */ /* ssl.h */
|
||||
SSL_REQUIRE_NEVER, /* 18 */ /* ssl.h */
|
||||
SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */
|
||||
SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */
|
||||
SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */
|
||||
|
||||
0
|
||||
};
|
||||
|
@ -519,6 +523,31 @@ finish:
|
|||
return;
|
||||
}
|
||||
|
||||
JNIEXPORT void JNICALL
|
||||
Java_org_mozilla_jss_ssl_SocketBase_setSSLOptionMode
|
||||
(JNIEnv *env, jobject self, jint option, jint mode)
|
||||
{
|
||||
SECStatus status;
|
||||
JSSL_SocketData *sock = NULL;
|
||||
|
||||
/* get my fd */
|
||||
if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
|
||||
goto finish;
|
||||
}
|
||||
|
||||
/* set the option */
|
||||
status = SSL_OptionSet(sock->fd, JSSL_enums[option], JSSL_enums[mode]);
|
||||
if( status != SECSuccess ) {
|
||||
JSSL_throwSSLSocketException(env, "SSL_OptionSet failed");
|
||||
goto finish;
|
||||
}
|
||||
|
||||
finish:
|
||||
EXCEPTION_CHECK(env, sock)
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
JNIEXPORT jint JNICALL
|
||||
Java_org_mozilla_jss_ssl_SocketBase_getSSLOption(JNIEnv *env,
|
||||
jobject self, jint option)
|
||||
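Review bot: Java_org_mozilla_jss_ssl_SocketBase_setSSLOptionMode indexes JSSL_enums with both option and mode taken straight from the JNI arguments, with no bounds check; the only protection is the range test in the public Java wrappers, and the package-private SocketBase.requireClientAuth(int) can be reached without it. The table shown in the hunk above ends with a `0` sentinel, so its length is known at compile time and a cheap check before the SSL_OptionSet call avoids an out-of-bounds read on a bad index. If JSSL_enums lives in a different translation unit than this function, export its element count instead of using sizeof.
```c
    /* … unchanged: JSSL_getSockData … */

    /* both arguments are indices into JSSL_enums; reject anything outside it */
    {
        const jint enumCount =
            (jint)(sizeof(JSSL_enums) / sizeof(JSSL_enums[0]));
        if( option < 0 || option >= enumCount ||
            mode < 0 || mode >= enumCount ) {
            JSSL_throwSSLSocketException(env, "invalid SSL option index");
            goto finish;
        }
    }

    /* set the option */
    status = SSL_OptionSet(sock->fd, JSSL_enums[option], JSSL_enums[mode]);
```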
|
@ -172,7 +172,7 @@ public class JSS_FileUploadServer {
|
|||
System.out.println("Server created socket");
|
||||
|
||||
//serverSock.setSoTimeout(120 * 1000);
|
||||
serverSock.requireClientAuth(true, true);
|
||||
serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR);
|
||||
serverSock.setServerCertNickname(fServerCertNick);
|
||||
if ( Constants.debug_level >= 3 )
|
||||
System.out.println("Server specified cert by nickname");
|
||||
|
@ -201,7 +201,7 @@ public class JSS_SSLServer {
|
|||
System.out.println("Server created socket");
|
||||
|
||||
serverSock.setSoTimeout(120 * 1000);
|
||||
serverSock.requireClientAuth(true, true);
|
||||
serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR);
|
||||
serverSock.setServerCertNickname(serverCertNick);
|
||||
if ( Constants.debug_level >= 3 )
|
||||
System.out.println("Server specified cert by nickname");
|
||||
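Review bot: Replacing `requireClientAuth(true, true)` with `requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR)` relaxes what this test server demands: the old call encoded option value 1 (the `require ? (onRedo ? 1 : 2) : 0` line kept in SocketBase's deprecated path), which presumably mapped to SSL_REQUIRE_ALWAYS, whereas SSL_REQUIRE_NO_ERROR, as NSS implements it, lets a client that presents no certificate complete the handshake. If the server is meant to keep rejecting certificate-less clients, `serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_ALWAYS);` is the equivalent of the previous behavior; if the relaxation is intended, a comment explaining why would stop it from being tightened again later. The same substitution is made in JSS_FileUploadServer and JSS_SelfServServer. The enclosing method starts and ends outside the hunk.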
|
@ -167,7 +167,7 @@ public class JSS_SelfServServer {
|
|||
|
||||
// Only used to reproduce CLOSE_WAIT error.
|
||||
//serverSock.setSoTimeout(5000); // Set timeout for 5 sec
|
||||
serverSock.requireClientAuth (true, true);
|
||||
serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR);
|
||||
serverSock.setServerCertNickname (fServerCertNick);
|
||||
if ( Constants.debug_level >= 3 )
|
||||
System.out.println ("Server specified cert by nickname");
|
||||
|
@ -289,7 +289,7 @@ public class SSLClientAuth implements Runnable {
|
|||
SSLServerSocket serverSock = new SSLServerSocket(port, 5, null, null,
|
||||
true);
|
||||
System.out.println("Server created socket");
|
||||
serverSock.requireClientAuth(true, true);
|
||||
serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR);
|
||||
if( useNickname ) {
|
||||
serverSock.setServerCertNickname(serverCertNick);
|
||||
System.out.println("Server specified cert by nickname");
|
||||
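Review bot: For a test named SSLClientAuth the switch to SSL_REQUIRE_NO_ERROR changes what the test can detect: with that mode a client that never presents a certificate can, as far as I can tell from NSS, still complete the handshake, so a regression in client-certificate handling would no longer fail this test. The previous `requireClientAuth(true, true)` encoded option value 1 (see the retained `require ? (onRedo ? 1 : 2) : 0` line in SocketBase), which presumably mapped to SSL_REQUIRE_ALWAYS. If the test is meant to assert that a certificate is mandatory, use `serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_ALWAYS);` here and verify on the server side that a peer certificate was actually received; otherwise add a comment stating that the server tolerates certificate-less clients by design. The enclosing method starts and ends outside the hunk.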
|
|