diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved jss-4.2.6/mozilla/security/jss/lib/jss.def --- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved 2014-09-27 16:55:40.898557263 -0700 +++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2014-09-27 16:56:20.750422041 -0700 @@ -334,6 +334,8 @@ Java_org_mozilla_jss_CryptoManager_setOC Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid; +Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange; +Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault; ;+ local: ;+ *; ;+}; diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c --- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved 2014-09-27 16:55:40.903557246 -0700 +++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2014-09-27 17:04:31.812788717 -0700 @@ -56,6 +56,86 @@ #endif +/* + * support TLS v1.1 and v1.2 + * sets default SSL version range for sockets created after this call + */ +JNIEXPORT void JNICALL +Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault(JNIEnv *env, + jclass clazz, jint ssl_variant, jint min, jint max) +{ + SECStatus status; + SSLVersionRange vrange; + + vrange.min = JSSL_enums[min]; + vrange.max = JSSL_enums[max]; + + /* get supported range */ + SSLVersionRange supported_range; + status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant], + &supported_range); + if( status != SECSuccess ) { + char buf[128]; + PR_snprintf(buf, 128, "SSL_VersionRangeGetSupported() for variant=%d failed: %d", JSSL_enums[ssl_variant], PR_GetError()); + } + /* now check the min and max */ + if (vrange.min < supported_range.min || + vrange.max > supported_range.max) { + char buf[128]; + PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d out of range (%d:%d): %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, supported_range.min, supported_range.max, PR_GetError()); + JSSL_throwSSLSocketException(env, buf); + goto finish; + } + + /* set the default SSL Version Range */ + status = SSL_VersionRangeSetDefault(JSSL_enums[ssl_variant], + &vrange); + if( status != SECSuccess ) { + char buf[128]; + PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d failed: %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, PR_GetError()); + JSSL_throwSSLSocketException(env, buf); + goto finish; + } + +finish: + return; +} + +/* + * support TLS v1.1 and v1.2 + * sets SSL version range for this socket + */ +JNIEXPORT void JNICALL +Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange + (JNIEnv *env, jobject self, jint min, jint max) +{ + SECStatus status; + JSSL_SocketData *sock = NULL; + SSLVersionRange vrange; + + /* get my fd */ + if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) { + goto finish; + } + + vrange.min = JSSL_enums[min]; + vrange.max = JSSL_enums[max]; + + /* + * set the SSL Version Range + * The validity of the range will be checked by this NSS call + */ + status = SSL_VersionRangeSet(sock->fd, &vrange); + if( status != SECSuccess ) { + JSSL_throwSSLSocketException(env, "SSL_VersionRangeSet failed"); + goto finish; + } + +finish: + EXCEPTION_CHECK(env, sock) + return; +} + JNIEXPORT void JNICALL Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOption(JNIEnv *env, jclass clazz, jint joption, jint on) diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java --- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved 2014-09-27 16:55:40.904557243 -0700 +++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2014-09-27 16:56:20.751422038 -0700 @@ -36,6 +36,7 @@ package org.mozilla.jss.ssl; +import java.lang.IllegalArgumentException; import java.net.*; import java.net.SocketException; import java.net.SocketTimeoutException; @@ -948,6 +949,61 @@ public class SSLSocket extends java.net. setSSLDefaultOption(SocketBase.SSL_NO_CACHE, !b); } + /* + * _min_enum and _max_enum should be one of the following: + * SocketBase.SSL_LIBRARY_VERSION_3_0 + * SocketBase.SSL_LIBRARY_VERSION_TLS_1_0 + * SocketBase.SSL_LIBRARY_VERSION_TLS_1_1 + * SocketBase.SSL_LIBRARY_VERSION_TLS_1_2 + */ + public static class SSLVersionRange { + private int _min_enum; + private int _max_enum; + public static final int ssl3 = SocketBase.SSL_LIBRARY_VERSION_3_0; + public static final int tls1_0 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_0; + public static final int tls1_1 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_1; + public static final int tls1_2 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_2; + public SSLVersionRange(int min_enum, int max_enum) + throws IllegalArgumentException { + if ((min_enum >= SocketBase.SSL_LIBRARY_VERSION_3_0) && + (max_enum <= SocketBase.SSL_LIBRARY_VERSION_TLS_1_2) && + (min_enum <= max_enum)) { + _min_enum = min_enum; + _max_enum = max_enum; + } else { + throw new IllegalArgumentException("JSS SSLSocket SSLVersionRange: arguments out of range"); + } + } + + int getMinEnum() { return _min_enum; } + int getMaxEnum() { return _max_enum; } + + } + + public static class SSLProtocolVariant { + private int _enum; + private SSLProtocolVariant(int val) { _enum = val; } + + int getEnum() { return _enum; } + + public static final SSLProtocolVariant STREAM = + new SSLProtocolVariant(SocketBase.SSL_Variant_Stream); + public static final SSLProtocolVariant DATA_GRAM = + new SSLProtocolVariant(SocketBase.SSL_Variant_Datagram); + + } + + public static void setSSLVersionRangeDefault(SSLProtocolVariant ssl_variant, SSLVersionRange range) + throws SocketException + { + setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum()); + } + + /** + * Sets SSL Version Range Default + */ + private static native void setSSLVersionRangeDefault(int ssl_variant, int min, int max) + throws SocketException; private static void setSSLDefaultOption(int option, boolean on) throws SocketException @@ -1221,6 +1277,8 @@ public class SSLSocket extends java.net. public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066; + public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067; + public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B; // New TLS cipher suites in NSS 3.4 public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; @@ -1236,6 +1294,10 @@ public class SSLSocket extends java.net. public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A; + public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B; + public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C; + public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D; + public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; @@ -1251,6 +1313,12 @@ public class SSLSocket extends java.net. public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089; + public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; + + public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C; + public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E; + public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2; + public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001; public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002; public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003; @@ -1281,5 +1349,13 @@ public class SSLSocket extends java.net. public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018; public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019; + public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023; + public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027; + + public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B; + public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D; + public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F; + public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031; + } diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java --- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved 2014-09-27 16:55:40.901557253 -0700 +++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2014-09-27 16:56:20.751422038 -0700 @@ -114,6 +114,15 @@ class SocketBase { static final int SSL_REQUIRE_ALWAYS = 19; static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20; static final int SSL_REQUIRE_NO_ERROR = 21; + /* ssl/sslproto.h for supporting SSLVersionRange */ + static final int SSL_LIBRARY_VERSION_2 = 22; + static final int SSL_LIBRARY_VERSION_3_0 = 23; + static final int SSL_LIBRARY_VERSION_TLS_1_0 = 24; + static final int SSL_LIBRARY_VERSION_TLS_1_1 = 25; + static final int SSL_LIBRARY_VERSION_TLS_1_2 = 26; + /* ssl/sslt.h */ + static final int SSL_Variant_Stream = 27; + static final int SSL_Variant_Datagram = 28; static final int SSL_AF_INET = 50; @@ -190,6 +199,18 @@ class SocketBase { native void setSSLOption(int option, int on) throws SocketException; + void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range) + throws SocketException + { + setSSLVersionRange(range.getMinEnum(), range.getMaxEnum()); + } + + /** + * Sets SSL Version Range for this socket to support TLS v1.1 and v1.2 + */ + native void setSSLVersionRange(int min, int max) + throws SocketException; + /** * Sets the SSL option setting mode value use for options * that have more values than just enable/diasable. diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c --- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved 2014-09-27 16:55:40.900557257 -0700 +++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2014-09-27 16:56:20.751422038 -0700 @@ -38,6 +38,7 @@ #include #include #include +#include #include #include @@ -407,6 +408,13 @@ PRInt32 JSSL_enums[] = { SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */ SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */ SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */ + SSL_LIBRARY_VERSION_2, /* 22 */ /* sslproto.h */ + SSL_LIBRARY_VERSION_3_0, /* 23 */ /* sslproto.h */ + SSL_LIBRARY_VERSION_TLS_1_0, /* 24 */ /* sslproto.h */ + SSL_LIBRARY_VERSION_TLS_1_1, /* 25 */ /* sslproto.h */ + SSL_LIBRARY_VERSION_TLS_1_2, /* 26 */ /* sslproto.h */ + ssl_variant_stream, /* 27 */ /* sslt.h */ + ssl_variant_datagram, /* 28 */ /* sslt.h */ 0 }; diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java --- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved 2014-09-27 16:55:40.906557236 -0700 +++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java 2014-09-27 16:56:20.752422035 -0700 @@ -149,6 +149,21 @@ public interface Constants { /*52*/ new cipher(SSLSocket.SSL2_DES_64_CBC_WITH_MD5, "SSL2_DES_64_CBC_WITH_MD5"), /*53*/ new cipher(SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5, "SSL2_RC4_128_EXPORT40_WITH_MD5"), /*54*/ new cipher(SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"), +/*55*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"), +/*56*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"), +/*57*/ new cipher(SSLSocket.TLS_RSA_WITH_NULL_SHA256, "TLS_RSA_WITH_NULL_SHA256"), +/*58*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"), +/*59*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"), +/*60*/ new cipher(SSLSocket.TLS_RSA_WITH_SEED_CBC_SHA, "TLS_RSA_WITH_SEED_CBC_SHA"), +/*61*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256"), +/*62*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"), +/*63*/ new cipher(SSLSocket.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"), +/*64*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"), +/*65*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"), +/*66*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), +/*67*/ new cipher(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"), +/*68*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"), +/*69*/ new cipher(SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256") }; /** Cipher supported by JSSE (JDK 1.5.x) */