diff -Nru tomcat-native-1.2.17/build.properties.default tomcat-native-1.2.21/build.properties.default --- tomcat-native-1.2.17/build.properties.default 2018-06-07 09:30:12.000000000 +0000 +++ tomcat-native-1.2.21/build.properties.default 2019-01-25 17:34:00.000000000 +0000 @@ -18,7 +18,7 @@ # ----- Version Control Flags ----- version.major=1 version.minor=2 -version.build=17 +version.build=21 version.patch=0 version.suffix= diff -Nru tomcat-native-1.2.17/build.xml tomcat-native-1.2.21/build.xml --- tomcat-native-1.2.17/build.xml 2018-01-04 17:28:38.000000000 +0000 +++ tomcat-native-1.2.21/build.xml 2019-01-01 21:42:03.000000000 +0000 @@ -30,7 +30,7 @@ - + @@ -174,7 +174,7 @@ packagenames="org.apache.tomcat.*" windowtitle="${title} (Version ${version})" doctitle="<h1>${title} (Version ${version})</h1>" - bottom="Copyright 2002-2018 The Apache Software Foundation.<!-- + bottom="Copyright 2002-2019 The Apache Software Foundation.<!-- Licensed under the Apache License, Version 2.0 (the 'License'); you may not use this file except in compliance with the License. diff -Nru tomcat-native-1.2.17/CHANGELOG.txt tomcat-native-1.2.21/CHANGELOG.txt --- tomcat-native-1.2.17/CHANGELOG.txt 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/CHANGELOG.txt 2019-01-25 17:34:12.000000000 +0000 
@@ -2,6 +2,44 @@ This is the Changelog for Tomcat Native 1.2. + Changes in 1.2.21 + + * Fix: Correct a possible JVM crash during shutdown caused by a bug in + the fix for the per connection memory leak included in 1.2.20. (rjung) + + Changes in 1.2.20 + + * Fix: Update includedir name to tomcat-native instead of apr. + (csutherl) + * Fix: Fix a minor memory leak. It occurred every time a TLS connector + was started so the impact was very unlikely to be noticed. (markt) + * Fix: Fix some minor memory leaks that could occur after error + conditions during TLS connector initialisation. (markt) + * Fix: Fix a per connection memory leak when using OpenSSL BIO. This is + typically used when OpenSSL is providing the TLS support for NIO or + NIO2. (markt) + + Changes in 1.2.19 + + * Fix: 62892: Fix memory leaks in OCSP handling. (jfclere) + * Fix: 62944: Fix copy/paste error that prevented TLS 1.0 and TLS 1.1 + from being used if TLS 1.3 was available. Patch provided by Dean + Rasheed. (markt) + * Fix: Include OpenSSL licensing information in the Tomcat Native + binaries for Windows that are built with OpenSSL. (markt) + * Update: Update recommended OpenSSL version to 1.0.2q or later. (markt) + + Changes in 1.2.18 + + * Fix: 62641: libtool invocations should use --tag=CC. (michaelo) + * Code: Remove support for Netware as there has not been a supported + Netware platform for a number of years. (markt) + * Add: 62748: Add support for TLS 1.3 when built with OpenSSL 1.1.1 or + equivalent. (schultz/markt) + * Add: Expose the API necessary for CLIENT-CERT authentication to be + correctly supported when using Tomcat's JSSE implementation backed by + OpenSSL. (markt) + Changes in 1.2.17 * Fix: 62094: Certificate verification using CRL with Tomcat APR 
@@ -199,4 +237,4 @@ Please see the 1.1.x changelog. - Copyright © 2008-2018, The Apache Software Foundation + Copyright © 2008-2019, The Apache Software Foundation diff -Nru tomcat-native-1.2.17/debian/changelog tomcat-native-1.2.21/debian/changelog --- tomcat-native-1.2.17/debian/changelog 2018-06-12 13:22:46.000000000 +0000 +++ tomcat-native-1.2.21/debian/changelog 2019-02-25 14:34:15.000000000 +0000 @@ -1,3 +1,32 @@ +tomcat-native (1.2.21-1~18.04.1) bionic; urgency=medium + + * Backport for OpenJDK 11. LP: #1817567. + + -- Matthias Klose Mon, 25 Feb 2019 15:34:15 +0100 + +tomcat-native (1.2.21-1) unstable; urgency=medium + + * Team upload. + * New upstream release + * Standards-Version updated to 4.3.0 + + -- Emmanuel Bourg Thu, 31 Jan 2019 22:11:32 +0100 + +tomcat-native (1.2.19-1) unstable; urgency=medium + + * Team upload. + * New upstream release + + -- Emmanuel Bourg Tue, 11 Dec 2018 00:10:54 +0100 + +tomcat-native (1.2.18-1) unstable; urgency=medium + + * Team upload. + * New upstream release + * Standards-Version updated to 4.2.1 + + -- Emmanuel Bourg Tue, 06 Nov 2018 10:47:37 +0100 + tomcat-native (1.2.17-1) unstable; urgency=medium * Team upload. diff -Nru tomcat-native-1.2.17/debian/control tomcat-native-1.2.21/debian/control --- tomcat-native-1.2.17/debian/control 2018-06-12 13:11:42.000000000 +0000 +++ tomcat-native-1.2.21/debian/control 2019-01-31 21:11:06.000000000 +0000 @@ -9,7 +9,7 @@ dpkg-dev (>= 1.16.1~), libapr1-dev, libssl-dev -Standards-Version: 4.1.4 +Standards-Version: 4.3.0 Vcs-Git: https://salsa.debian.org/java-team/tomcat-native.git Vcs-Browser: https://salsa.debian.org/java-team/tomcat-native Homepage: http://tomcat.apache.org/native-doc/ diff -Nru tomcat-native-1.2.17/debian/rules tomcat-native-1.2.21/debian/rules --- tomcat-native-1.2.17/debian/rules 2018-06-12 13:09:37.000000000 +0000 +++ tomcat-native-1.2.21/debian/rules 2019-01-31 21:11:13.000000000 +0000 
@@ -10,11 +10,8 @@ override_dh_auto_install: dh_auto_install rmdir debian/libtcnative-1/usr/bin - rmdir debian/libtcnative-1/usr/include + rm -Rf debian/libtcnative-1/usr/include find $(DEB_DESTDIR) -name "*.la" -exec rm -vf {} \; # No check target override_dh_auto_test: - -get-orig-source: - uscan --force-download --rename diff -Nru tomcat-native-1.2.17/debian/watch tomcat-native-1.2.21/debian/watch --- tomcat-native-1.2.17/debian/watch 2018-06-12 13:12:07.000000000 +0000 +++ tomcat-native-1.2.21/debian/watch 2019-01-31 20:48:23.000000000 +0000 @@ -1,2 +1,3 @@ -version=3 +version=4 +opts="repack,compression=xz" \ https://www.apache.org/dist/tomcat/tomcat-connectors/native/([\d\.]+)/source/tomcat-native-([\d\.]+)-src\.tar\.gz debian uupdate diff -Nru tomcat-native-1.2.17/docs/index.html tomcat-native-1.2.21/docs/index.html --- tomcat-native-1.2.17/docs/index.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/index.html 2019-01-25 17:34:12.000000000 +0000 @@ -1,5 +1,5 @@ -Apache Tomcat Native Library - Documentation Index
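Review bot: `rm -Rf debian/libtcnative-1/usr/include` silently discards whatever dh_auto_install placed under usr/include, where the previous `rmdir` guaranteed that directory was empty and would have failed loudly otherwise. The CHANGELOG hunk in this same diff says upstream now installs its headers under an include/tomcat-native directory, so this line is a deliberate decision to drop installed headers from libtcnative-1, but nothing in the rules file records that. A one-line comment above it, `# upstream now installs headers under usr/include/tomcat-native; they are not shipped in libtcnative-1`, keeps the decision visible to the next packager. The override_dh_auto_install target is fully inside the hunk.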
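Review bot: The new version=4 watch file still downloads the upstream tarball without any integrity check: the `opts` line carries only `repack,compression=xz`, there is no `pgpsigurlmangle` option, and presumably no debian/upstream/signing-key.asc for uscan to verify against. If upstream publishes a detached signature next to the tarball, `opts="repack,compression=xz,pgpsigurlmangle=s/$/.asc/"` together with the release signing keys would have uscan verify the download before it is repacked. Without that, the package's supply chain relies on TLS to www.apache.org alone.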

Documentation Index

Introduction

+Apache Tomcat Native Library - Documentation Index

Documentation Index

Introduction

The Apache Tomcat Native Library is an optional component for use with @@ -27,10 +27,10 @@

Headlines

@@ -180,5 +180,5 @@
\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/miscellaneous/changelog.html tomcat-native-1.2.21/docs/miscellaneous/changelog.html --- tomcat-native-1.2.17/docs/miscellaneous/changelog.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/miscellaneous/changelog.html 2019-01-25 17:34:12.000000000 +0000 @@ -3,6 +3,68 @@

This is the Changelog for Tomcat Native 1.2.

+

Changes in 1.2.21

+
    +
  • Fix: + Correct a possible JVM crash during shutdown caused by a bug in the fix + for the per connection memory leak included in 1.2.20. (rjung) +
  • +
+

Changes in 1.2.20

+
    +
  • Fix: + Update includedir name to tomcat-native instead of apr. (csutherl) +
  • +
  • Fix: + Fix a minor memory leak. It occurred every time a TLS connector was + started so the impact was very unlikely to be noticed. (markt) +
  • +
  • Fix: + Fix some minor memory leaks that could occur after error conditions during + TLS connector initialisation. (markt) +
  • +
  • Fix: + Fix a per connection memory leak when using OpenSSL BIO. This is typically + used when OpenSSL is providing the TLS support for NIO or NIO2. (markt) +
  • +
+

Changes in 1.2.19

+
    +
  • Fix: + 62892: Fix memory leaks in OCSP handling. (jfclere) +
  • +
  • Fix: + 62944: Fix copy/paste error that prevented TLS 1.0 and TLS 1.1 + from being used if TLS 1.3 was available. Patch provided by Dean Rasheed. + (markt) +
  • +
  • Fix: + Include OpenSSL licensing information in the Tomcat Native binaries for + Windows that are built with OpenSSL. (markt) +
  • +
  • Update: + Update recommended OpenSSL version to 1.0.2q or later. (markt) +
  • +
+

Changes in 1.2.18

+
    +
  • Fix: + 62641: libtool invocations should use --tag=CC. (michaelo) +
  • +
  • Code: + Remove support for Netware as there has not been a supported Netware + platform for a number of years. (markt) +
  • +
  • Add: + 62748: Add support for TLS 1.3 when built with OpenSSL 1.1.1 or + equivalent. (schultz/markt) +
  • +
  • Add: + Expose the API necessary for CLIENT-CERT authentication to be correctly + supported when using Tomcat's JSSE implementation backed by OpenSSL. + (markt) +
  • +

Changes in 1.2.17

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2008.html tomcat-native-1.2.21/docs/news/2008.html --- tomcat-native-1.2.17/docs/news/2008.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2008.html 2019-01-25 17:34:12.000000000 +0000 @@ -24,5 +24,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2009.html tomcat-native-1.2.21/docs/news/2009.html --- tomcat-native-1.2.17/docs/news/2009.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2009.html 2019-01-25 17:34:12.000000000 +0000 @@ -8,5 +8,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2010.html tomcat-native-1.2.21/docs/news/2010.html --- tomcat-native-1.2.17/docs/news/2010.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2010.html 2019-01-25 17:34:12.000000000 +0000 @@ -13,5 +13,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2011.html tomcat-native-1.2.21/docs/news/2011.html --- tomcat-native-1.2.17/docs/news/2011.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2011.html 2019-01-25 17:34:12.000000000 +0000 @@ -9,5 +9,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2012.html tomcat-native-1.2.21/docs/news/2012.html --- tomcat-native-1.2.17/docs/news/2012.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2012.html 2019-01-25 17:34:12.000000000 +0000 @@ -19,5 +19,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2013.html tomcat-native-1.2.21/docs/news/2013.html --- tomcat-native-1.2.17/docs/news/2013.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2013.html 2019-01-25 17:34:12.000000000 +0000 @@ -22,5 +22,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2014.html tomcat-native-1.2.21/docs/news/2014.html --- tomcat-native-1.2.17/docs/news/2014.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2014.html 2019-01-25 17:34:12.000000000 +0000 @@ -19,5 +19,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2015.html tomcat-native-1.2.21/docs/news/2015.html --- tomcat-native-1.2.17/docs/news/2015.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2015.html 2019-01-25 17:34:12.000000000 +0000 @@ -26,5 +26,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2016.html tomcat-native-1.2.21/docs/news/2016.html --- tomcat-native-1.2.17/docs/news/2016.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2016.html 2019-01-25 17:34:12.000000000 +0000 @@ -39,5 +39,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2017.html tomcat-native-1.2.21/docs/news/2017.html --- tomcat-native-1.2.17/docs/news/2017.html 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2017.html 2019-01-25 17:34:12.000000000 +0000 @@ -22,5 +22,5 @@

\ No newline at end of file diff -Nru tomcat-native-1.2.17/docs/news/2018.html tomcat-native-1.2.21/docs/news/2018.html --- tomcat-native-1.2.17/docs/news/2018.html 1970-01-01 00:00:00.000000000 +0000 +++ tomcat-native-1.2.21/docs/news/2018.html 2019-01-25 17:34:12.000000000 +0000 @@ -0,0 +1,26 @@ + +The Apache Tomcat Native - News - 2018 News and Status

2018 News and Status

2018 News & Status

+

4 Dec 2018 - TC-Native-1.2.19 released

+

The Apache Tomcat team is proud to announce the immediate availability of + Tomcat Native 1.2.19. This is a bugfix release that also updates the + dependencies for the Windows binaries and includes Windows binaries built + with OpenSSL 1.0.2q/APR 1.6.5 and 1.1.1a/APR 1.6.5. +

+
+

20 Oct 2018 - TC-Native-1.2.18 released

+

The Apache Tomcat team is proud to announce the immediate availability of + Tomcat Native 1.2.18. This is a feature and bugfix release that adds TLSv1.3 + support when built with OpenSSL 1.1.1. It also includes Windows binaries built + with OpenSSL 1.0.2p/APR 1.6.5 and 1.1.1/APR 1.6.5. +

+
+

13 Jun 2018 - TC-Native-1.2.17 released

+

The Apache Tomcat team is proud to announce the immediate availability of + Tomcat Native 1.2.17. This is a bugfix release that also updates the + dependencies for the Windows binaries and includes Windows binaries built with + OpenSSL 1.0.2o and APR 1.6.3. +

+
+
\ No newline at end of file diff -Nru tomcat-native-1.2.17/java/org/apache/tomcat/jni/Library.java tomcat-native-1.2.21/java/org/apache/tomcat/jni/Library.java --- tomcat-native-1.2.17/java/org/apache/tomcat/jni/Library.java 2015-11-02 15:17:57.000000000 +0000 +++ tomcat-native-1.2.21/java/org/apache/tomcat/jni/Library.java 2018-10-17 20:19:26.000000000 +0000 @@ -34,12 +34,12 @@ private Library() throws Exception { boolean loaded = false; - String path = System.getProperty("java.library.path"); - String [] paths = path.split(File.pathSeparator); StringBuilder err = new StringBuilder(); + File binLib = new File(System.getProperty("catalina.home"), "bin"); for (int i = 0; i < NAMES.length; i++) { + File library = new File(binLib, System.mapLibraryName(NAMES[i])); try { - System.loadLibrary(NAMES[i]); + System.load(library.getAbsolutePath()); loaded = true; } catch (ThreadDeath t) { throw t; @@ -48,13 +48,9 @@ // the JNI code identical between Tomcat 6/7/8/9 throw t; } catch (Throwable t) { - String name = System.mapLibraryName(NAMES[i]); - for (int j = 0; j < paths.length; j++) { - java.io.File fd = new java.io.File(paths[j] , name); - if (fd.exists()) { - // File exists but failed to load - throw t; - } + if (library.exists()) { + // File exists but failed to load + throw t; } if (i > 0) { err.append(", "); 
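Review bot: `new File(System.getProperty("catalina.home"), "bin")` does not handle a missing property: `File(String, String)` with a null parent behaves like `new File("bin")`, so `library.getAbsolutePath()` resolves against the JVM's working directory and the first attempt becomes a cwd-relative `System.load()` of `bin/<mapped name>`; worse, if such a file exists and fails to link, `library.exists()` rethrows and the java.library.path fallback is never reached. When this class is used outside Tomcat, catalina.home is typically unset, so the lookup should be skipped rather than turned into a cwd-relative load: `String home = System.getProperty("catalina.home");`, `File binLib = (home == null) ? null : new File(home, "bin");`, and run the loop only `if (binLib != null)`. The constructor's body continues past the end of the hunk.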
@@ -66,6 +62,38 @@ } } if (!loaded) { + String path = System.getProperty("java.library.path"); + String [] paths = path.split(File.pathSeparator); + for (int i = 0; i < NAMES.length; i++) { + try { + System.loadLibrary(NAMES[i]); + loaded = true; + } catch (ThreadDeath t) { + throw t; + } catch (VirtualMachineError t) { + // Don't use a Java 7 multiple exception catch so we can keep + // the JNI code identical between Tomcat 6/7/8/9 + throw t; + } catch (Throwable t) { + String name = System.mapLibraryName(NAMES[i]); + for (int j = 0; j < paths.length; j++) { + java.io.File fd = new java.io.File(paths[j] , name); + if (fd.exists()) { + // File exists but failed to load + throw t; + } + } + if (err.length() > 0) { + err.append(", "); + } + err.append(t.getMessage()); + } + if (loaded) { + break; + } + } + } + if (!loaded) { StringBuilder names = new StringBuilder(); for (String name : NAMES) { names.append(name); 
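Review bot: The re-added fallback loop keeps the fully qualified `java.io.File fd = new java.io.File(paths[j] , name);` even though `File` is already in scope (the hunk itself uses `File.pathSeparator` two lines earlier), so `File fd = new File(paths[j], name);` would read consistently with the catalina.home loop above it. `path.split(File.pathSeparator)` also assumes `java.library.path` is set; the JVM normally defines it, but a guard such as `String[] paths = (path == null) ? new String[0] : path.split(File.pathSeparator);` removes the only way this block can throw a NullPointerException instead of reporting a load failure. The enclosing constructor starts before and ends after this hunk.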
@@ -226,4 +254,41 @@ } return initialize(); } + + /** + * Calls System.load(filename). System.load() associates the + * loaded library with the class loader of the class that called + * the System method. A native library may not be loaded by more + * than one class loader, so calling the System method from a class that + * was loaded by a Webapp class loader will make it impossible for + * other Webapps to load it. + * + * Using this method will load the native library via a shared class + * loader (typically the Common class loader, but may vary in some + * configurations), so that it can be loaded by multiple Webapps. + * + * @param filename - absolute path of the native library + */ + public static void load(String filename){ + System.load(filename); + } + + /** + * Calls System.loadLibrary(libname). System.loadLibrary() associates the + * loaded library with the class loader of the class that called + * the System method. A native library may not be loaded by more + * than one class loader, so calling the System method from a class that + * was loaded by a Webapp class loader will make it impossible for + * other Webapps to load it. + * + * Using this method will load the native library via a shared class + * loader (typically the Common class loader, but may vary in some + * configurations), so that it can be loaded by multiple Webapps. + * + * @param libname - the name of the native library + */ + public static void loadLibrary(String libname){ + System.loadLibrary(libname); + } + } diff -Nru tomcat-native-1.2.17/java/org/apache/tomcat/jni/OS.java tomcat-native-1.2.21/java/org/apache/tomcat/jni/OS.java --- tomcat-native-1.2.17/java/org/apache/tomcat/jni/OS.java 2016-01-18 15:03:55.000000000 +0000 +++ tomcat-native-1.2.21/java/org/apache/tomcat/jni/OS.java 2018-09-03 09:47:49.000000000 +0000 
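Review bot: The Javadoc on the new `load` and `loadLibrary` explains the class-loader association but not its consequence or the failure modes: a library loaded through this class stays bound to the shared class loader, so redeploying a web application cannot unload or reload it, and both methods propagate `System.load`/`System.loadLibrary` failures unchanged. Add `@throws UnsatisfiedLinkError if the library cannot be found or linked` and `@throws SecurityException if a security manager denies the load` to each method, plus a sentence stating that the library typically remains loaded for the lifetime of the shared class loader. For `loadLibrary`, the `libname` parameter doc should also say it is the platform-independent name (as accepted by `System.loadLibrary`), not a file name, to mirror the "absolute path" wording on `load`.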
@@ -25,7 +25,6 @@ /* OS Enums */ private static final int UNIX = 1; - private static final int NETWARE = 2; private static final int WIN32 = 3; private static final int WIN64 = 4; private static final int LINUX = 5; @@ -47,7 +46,13 @@ private static native boolean is(int type); public static final boolean IS_UNIX = is(UNIX); - public static final boolean IS_NETWARE = is(NETWARE); + /** + * @deprecated Hard-coded to false since there has not been a supported + * Netware platform for many years. + * This will be removed in Tomcat 10 onwards + */ + @Deprecated + public static final boolean IS_NETWARE = false; public static final boolean IS_WIN32 = is(WIN32); public static final boolean IS_WIN64 = is(WIN64); public static final boolean IS_LINUX = is(LINUX); diff -Nru tomcat-native-1.2.17/java/org/apache/tomcat/jni/Procattr.java tomcat-native-1.2.21/java/org/apache/tomcat/jni/Procattr.java --- tomcat-native-1.2.17/java/org/apache/tomcat/jni/Procattr.java 2016-01-18 15:03:55.000000000 +0000 +++ tomcat-native-1.2.21/java/org/apache/tomcat/jni/Procattr.java 2018-09-03 09:47:49.000000000 +0000 @@ -139,8 +139,8 @@ * Determine if the child should start in its own address space or using the * current one from its parent * @param attr The procattr we care about. - * @param addrspace Should the child start in its own address space? Default - * is no on NetWare and yes on other platforms. + * @param addrspace Should the child start in its own address space? + * Default is yes. * @return the operation status */ public static native int addrspaceSet(long attr, int addrspace); diff -Nru tomcat-native-1.2.17/java/org/apache/tomcat/jni/SSLContext.java tomcat-native-1.2.21/java/org/apache/tomcat/jni/SSLContext.java --- tomcat-native-1.2.17/java/org/apache/tomcat/jni/SSLContext.java 2017-08-22 11:03:28.000000000 +0000 +++ tomcat-native-1.2.21/java/org/apache/tomcat/jni/SSLContext.java 2018-10-09 17:23:48.000000000 +0000 
@@ -41,6 +41,7 @@ * {@link SSL#SSL_PROTOCOL_TLSV1} * {@link SSL#SSL_PROTOCOL_TLSV1_1} * {@link SSL#SSL_PROTOCOL_TLSV1_2} + * {@link SSL#SSL_PROTOCOL_TLSV1_3} * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL) * * @param mode SSL mode to use diff -Nru tomcat-native-1.2.17/java/org/apache/tomcat/jni/SSL.java tomcat-native-1.2.21/java/org/apache/tomcat/jni/SSL.java --- tomcat-native-1.2.17/java/org/apache/tomcat/jni/SSL.java 2017-08-19 20:50:13.000000000 +0000 +++ tomcat-native-1.2.21/java/org/apache/tomcat/jni/SSL.java 2018-10-17 20:14:20.000000000 +0000 @@ -73,7 +73,18 @@ public static final int SSL_PROTOCOL_TLSV1 = (1<<2); public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3); public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4); - public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); + public static final int SSL_PROTOCOL_TLSV1_3 = (1<<5); + public static final int SSL_PROTOCOL_ALL; + + static { + if (SSL.version() >= 0x1010100f) { + SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2 | + SSL_PROTOCOL_TLSV1_3); + } else { + SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); + } + } + /* * Define the SSL verify levels 
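Review bot: Classes compiled against the previous SSL.java keep the old inlined value of `SSL_PROTOCOL_ALL` (TLSv1 | TLSv1.1 | TLSv1.2), because javac inlines compile-time constants and the field assigned in the new `static` block is no longer one; such callers will not see TLS 1.3 in "all" until they are recompiled, which deserves a note in the field's Javadoc. If `SSL.version()` is a native method like its neighbours on this page, the static initializer also now requires the native library to be loaded before the SSL class is initialized, and an early reference to any SSL constant would fail class initialization with an error that is hard to attribute to this line. A comment such as `// Not a compile-time constant: depends on the OpenSSL version reported by the native library` above `static {` would flag both consequences.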
@@ -555,6 +566,27 @@ public static native int renegotiate(long ssl); /** + * SSL_renegotiate_pending + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ + public static native int renegotiatePending(long ssl); + + /** + * SSL_verify_client_post_handshake + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ + public static native int verifyClientPostHandshake(long ssl); + + /** + * Is post handshake authentication in progress on this connection? + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ + public static native int getPostHandshakeAuthInProgress(long ssl); + + /** * SSL_in_init. * @param ssl the SSL instance (SSL *) * @return the status diff -Nru tomcat-native-1.2.17/native/build/buildcheck.sh tomcat-native-1.2.21/native/build/buildcheck.sh --- tomcat-native-1.2.17/native/build/buildcheck.sh 2015-05-24 15:39:50.000000000 +0000 +++ tomcat-native-1.2.21/native/build/buildcheck.sh 2018-10-12 16:02:57.000000000 +0000 @@ -19,14 +19,14 @@ echo "buildconf: checking installation..." # any python -python=`build/PrintPath python` +python=${PYTHON-`build/PrintPath python3 python2 python`} if test -z "$python"; then echo "buildconf: python not found." echo " You need python installed" echo " to build Tomcat Native from SVN." exit 1 else -py_version=`python -c 'import sys; print sys.version' 2>&1|sed 's/ .*//;q'` +py_version=`$python -c 'import sys; print sys.version' 2>&1|sed 's/ .*//;q'` echo "buildconf: python version $py_version (ok)" fi diff -Nru tomcat-native-1.2.17/native/build/config.guess tomcat-native-1.2.21/native/build/config.guess --- tomcat-native-1.2.17/native/build/config.guess 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/native/build/config.guess 2019-01-25 17:34:12.000000000 +0000 
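Review bot: `print sys.version` is Python 2 statement syntax, and the new `PrintPath python3 python2 python` search prefers python3, so on a python3-only host the `-c` snippet raises a SyntaxError; because stderr is merged via `2>&1` and `sed 's/ .*//;q'` keeps the first word of whatever comes back, `py_version` ends up holding a fragment of the traceback and the script still reports it as "(ok)". The function form is valid on both interpreters: `'import sys; print(sys.version)'`. Checking the exit status of that command before printing "(ok)" would additionally stop the check from passing on a broken interpreter.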
@@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2017 Free Software Foundation, Inc. +# Copyright 1992-2018 Free Software Foundation, Inc. -timestamp='2017-09-16' +timestamp='2018-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -39,7 +39,7 @@ Output the configuration name of the system \`$me' is run on. -Operation modes: +Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit @@ -50,7 +50,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2017 Free Software Foundation, Inc. +Copyright 1992-2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -244,6 +244,9 @@ UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} exit ;; + *:MidnightBSD:*:*) + echo ${UNAME_MACHINE}-unknown-midnightbsd${UNAME_RELEASE} + exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; @@ -262,6 +265,9 @@ *:Redox:*:*) echo ${UNAME_MACHINE}-unknown-redox exit ;; + mips:OSF1:*.*) + echo mips-dec-osf1 + exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) @@ -479,13 +485,13 @@ #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) - printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) - printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) - printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0); #endif #endif exit (-1); 
@@ -608,7 +614,7 @@ *:AIX:*:*) echo rs6000-ibm-aix exit ;; - ibmrt:4.4BSD:*|romp-ibm:BSD:*) + ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and @@ -629,8 +635,8 @@ 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "${UNAME_MACHINE}" in - 9000/31? ) HP_ARCH=m68000 ;; - 9000/[34]?? ) HP_ARCH=m68k ;; + 9000/31?) HP_ARCH=m68000 ;; + 9000/[34]??) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` @@ -743,7 +749,7 @@ { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; - 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) @@ -752,7 +758,7 @@ *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; - hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) @@ -1072,7 +1078,7 @@ i*86:*DOS:*:*) echo ${UNAME_MACHINE}-pc-msdosdjgpp exit ;; - i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) + i*86:*:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} @@ -1400,8 +1406,20 @@ exit ;; esac +echo "$0: unable to guess system type" >&2 + +case "${UNAME_MACHINE}:${UNAME_SYSTEM}" in + mips:Linux | mips64:Linux) + # If we got here on MIPS GNU/Linux, output extra information. + cat >&2 <&2 < @@ -54,7 +54,7 @@ sysconfdir: ${prefix}/conf datadir: ${prefix} installbuilddir: ${datadir}/build - includedir: ${prefix}/include/apr-${TCNATIVE_MAJOR_VERSION} + includedir: ${prefix}/include localstatedir: ${prefix} libsuffix: -${TCNATIVE_MAJOR_VERSION} 
@@ -139,7 +139,7 @@ sysconfdir: /etc/httpd/conf datadir: /var/www installbuilddir: ${datadir}/build - includedir: ${prefix}/include/apr + includedir: ${prefix}/include/tomcat-native localstatedir: /var runtimedir: ${localstatedir}/run @@ -190,7 +190,7 @@ sysconfdir: /etc/httpd datadir: /usr/local/httpd installbuilddir: ${datadir}/build - includedir: ${prefix}/include/apr + includedir: ${prefix}/include/tomcat-native localstatedir: /var/lib/httpd runtimedir: /var/run @@ -207,7 +207,7 @@ sysconfdir: ${prefix}/conf datadir: ${prefix} installbuilddir: ${datadir}/build - includedir: ${exec_prefix}/include/apr + includedir: ${exec_prefix}/include/tomcat-native localstatedir: /var runtimedir: ${localstatedir}/run @@ -241,7 +241,7 @@ sysconfdir: ${prefix}/conf datadir: ${prefix} installbuilddir: ${prefix}/build - includedir: ${exec_prefix}/lib/apr/include + includedir: ${exec_prefix}/lib/tomcat-native/include localstatedir: ${prefix} runtimedir: ${prefix}/logs @@ -256,7 +256,7 @@ libexecdir: ${exec_prefix}/lib/apr/modules mandir: ${exec_prefix}/share/man datadir: ${exec_prefix}/share/apr - includedir: ${exec_prefix}/include/apr-${TCNATIVE_MAJOR_VERSION} + includedir: ${exec_prefix}/include/tomcat-native-${TCNATIVE_MAJOR_VERSION} localstatedir: ${prefix}/var/run runtimedir: ${prefix}/var/run infodir: ${exec_prefix}/share/info diff -Nru tomcat-native-1.2.17/native/configure tomcat-native-1.2.21/native/configure --- tomcat-native-1.2.17/native/configure 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/native/configure 2019-01-25 17:34:12.000000000 +0000 @@ -651,6 +651,7 @@ docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -729,6 +730,7 @@ sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE}' 
@@ -981,6 +983,15 @@ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1118,7 +1129,7 @@ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1271,6 +1282,7 @@ --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] 
@@ -4060,6 +4072,29 @@ fi done fi + + ;; + *linux*) + + if test "x$CFLAGS" = "x"; then + test "x$silent" != "xyes" && echo " setting CFLAGS to \"-DTCNATIVE_LINUX\"" + CFLAGS="-DTCNATIVE_LINUX" + else + apr_addto_bugger="-DTCNATIVE_LINUX" + for i in $apr_addto_bugger; do + apr_addto_duplicate="0" + for j in $CFLAGS; do + if test "x$i" = "x$j"; then + apr_addto_duplicate="1" + break + fi + done + if test $apr_addto_duplicate = "0"; then + test "x$silent" != "xyes" && echo " adding \"$i\" to CFLAGS" + CFLAGS="$CFLAGS $i" + fi + done + fi ;; *) diff -Nru tomcat-native-1.2.17/native/configure.in tomcat-native-1.2.21/native/configure.in --- tomcat-native-1.2.17/native/configure.in 2017-08-23 21:12:17.000000000 +0000 +++ tomcat-native-1.2.21/native/configure.in 2018-10-12 10:59:10.000000000 +0000 @@ -226,6 +226,9 @@ *-solaris2*) APR_ADDTO(TCNATIVE_LIBS, -lkstat) ;; + *linux*) + APR_ADDTO(CFLAGS, -DTCNATIVE_LINUX) + ;; *) ;; esac diff -Nru tomcat-native-1.2.17/native/include/ssl_private.h tomcat-native-1.2.21/native/include/ssl_private.h --- tomcat-native-1.2.17/native/include/ssl_private.h 2017-08-23 10:55:53.000000000 +0000 +++ tomcat-native-1.2.21/native/include/ssl_private.h 2019-01-24 15:20:49.000000000 +0000 @@ -84,6 +84,7 @@ #define SSL_PROTOCOL_TLSV1 (1<<2) #define SSL_PROTOCOL_TLSV1_1 (1<<3) #define SSL_PROTOCOL_TLSV1_2 (1<<4) +#define SSL_PROTOCOL_TLSV1_3 (1<<5) #define SSL_MODE_CLIENT (0) #define SSL_MODE_SERVER (1) @@ -180,6 +181,10 @@ #define HAVE_TLSV1_2 #endif +#if defined(SSL_OP_NO_TLSv1_3) +#define HAVE_TLSV1_3 +#endif + /* Check for SSL_CONF support */ #if defined(SSL_CONF_FLAG_FILE) #define HAVE_SSL_CONF_CMD @@ -319,7 +324,7 @@ SSL_CONF_CTX *cctx; }; #endif - + typedef struct { apr_pool_t *pool; tcn_ssl_ctxt_t *ctx; 
@@ -330,7 +335,7 @@ * that all client-initiated renegotiations can be rejected, as a * partial fix for CVE-2009-3555. */ - enum { + enum { RENEG_INIT = 0, /* Before initial handshake */ RENEG_REJECT, /* After initial handshake; any client-initiated * renegotiation should be rejected @@ -342,6 +347,11 @@ * connection */ } reneg_state; + enum { + PHA_NONE = 0, /* Before PHA */ + PHA_STARTED, /* PHA req sent to client but no response */ + PHA_COMPLETE /* Client has returned cert */ + } pha_state; apr_socket_t *sock; apr_pollset_t *pollset; } tcn_ssl_conn_t; @@ -350,13 +360,16 @@ /* * Additional Functions */ -void SSL_init_app_data2_3_idx(void); -/* The app_data2 is used to store the tcn_ssl_ctxt_t pointer for the SSL instance. */ +void SSL_init_app_data_idx(void); +/* The app_data2 is used to store the tcn_ssl_ctxt_t pointer for the SSL instance. */ void *SSL_get_app_data2(SSL *); void SSL_set_app_data2(SSL *, void *); /* The app_data3 is used to store the handshakeCount pointer for the SSL instance. */ void *SSL_get_app_data3(const SSL *); void SSL_set_app_data3(SSL *, void *); +/* The app_data4 is used to store the destroyCount pointer for the SSL instance. */ +void *SSL_get_app_data4(const SSL *); +void SSL_set_app_data4(SSL *, void *); int SSL_password_prompt(tcn_pass_cb_t *); int SSL_password_callback(char *, int, int, void *); void SSL_BIO_close(BIO *); diff -Nru tomcat-native-1.2.17/native/include/tcn_version.h tomcat-native-1.2.21/native/include/tcn_version.h --- tomcat-native-1.2.17/native/include/tcn_version.h 2018-06-07 09:30:12.000000000 +0000 +++ tomcat-native-1.2.21/native/include/tcn_version.h 2019-01-25 17:34:00.000000000 +0000 
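Review bot: The new `pha_state` member neither expands the acronym nor says what drives the transitions, while the sibling `reneg_state` enum directly above it carries a multi-line explanation; the three values deserve the same treatment. A comment such as `/* TLS 1.3 post-handshake client authentication (PHA) state; advanced by the verifyClientPostHandshake / getPostHandshakeAuthInProgress entry points added to SSL.java */` above the `enum` would make the intent clear, and the existing per-value comments can stay. The struct gains a member that must start as `PHA_NONE` wherever `tcn_ssl_conn_t` is allocated; that code is outside this diff, so whether the allocation zeroes the struct cannot be confirmed from here.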
@@ -63,7 +63,7 @@ #define TCN_MINOR_VERSION 2 /** patch level */ -#define TCN_PATCH_VERSION 17 +#define TCN_PATCH_VERSION 21 /** * This symbol is defined for internal, "development" copies of TCN. This diff -Nru tomcat-native-1.2.17/native/LICENSE.bin.win tomcat-native-1.2.21/native/LICENSE.bin.win --- tomcat-native-1.2.17/native/LICENSE.bin.win 1970-01-01 00:00:00.000000000 +0000 +++ tomcat-native-1.2.21/native/LICENSE.bin.win 2018-11-30 11:46:52.000000000 +0000 
@@ -0,0 +1,328 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + +For OpenSSL: + + LICENSE ISSUES + ============== + + The OpenSSL toolkit stays under a double license, i.e. both the conditions of + the OpenSSL License and the original SSLeay license apply to the toolkit. + See below for the actual license texts. + + OpenSSL License + --------------- + +/* ==================================================================== + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. 
Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + Original SSLeay License + ----------------------- + +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. 
All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ diff -Nru tomcat-native-1.2.17/native/Makefile.in tomcat-native-1.2.21/native/Makefile.in --- tomcat-native-1.2.17/native/Makefile.in 2017-08-23 21:12:17.000000000 +0000 +++ tomcat-native-1.2.21/native/Makefile.in 2018-12-20 18:48:22.000000000 +0000 
@@ -57,7 +57,7 @@ LIBTOOL=$(LIBTOOL_OLD) endif -LINK = $(LIBTOOL) $(LTFLAGS) --mode=link $(LT_LDFLAGS) $(COMPILE) -version-info $(TCNATIVE_LIBTOOL_VERSION) $(ALL_LDFLAGS) -o $@ +LINK = $(LIBTOOL) $(LTFLAGS) --mode=link --tag=CC $(LT_LDFLAGS) $(COMPILE) -version-info $(TCNATIVE_LIBTOOL_VERSION) $(ALL_LDFLAGS) -o $@ CLEAN_SUBDIRS = test CLEAN_TARGETS = .make.dirs @@ -80,13 +80,14 @@ $(APR_MKDIR) $(DESTDIR)$(includedir) $(DESTDIR)$(libdir)/pkgconfig \ $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) $(INSTALL_DATA) tcnative.pc $(DESTDIR)$(libdir)/pkgconfig/$(TCNATIVE_PCFILE) + $(INSTALL_DATA) include/*.h $(DESTDIR)$(includedir) list='$(INSTALL_SUBDIRS)'; for i in $$list; do \ ( cd $$i ; $(MAKE) DESTDIR=$(DESTDIR) install ); \ done $(LIBTOOL) --mode=install $(INSTALL) -m 755 $(TARGET_LIB) $(DESTDIR)$(libdir) $(TARGET_LIB): $(OBJECTS) - $(LINK) @lib_target@ @TCNATIVE_LDFLAGS@ @TCNATIVE_LIBS@ + $(LINK) @lib_target@ $(TCNATIVE_LDFLAGS) $(TCNATIVE_LIBS) check: $(TARGET_LIB) (cd test && $(MAKE) check) diff -Nru tomcat-native-1.2.17/native/NMAKEmakefile tomcat-native-1.2.21/native/NMAKEmakefile --- tomcat-native-1.2.17/native/NMAKEmakefile 2017-08-20 13:04:02.000000000 +0000 +++ tomcat-native-1.2.21/native/NMAKEmakefile 2018-10-17 16:34:55.000000000 +0000 @@ -18,8 +18,9 @@ # NMAKEmakefile Master Tomcat Native makefile. # Usage: # APR_DECLARE_STATIC=1 Use static version of the APR -# ENABLE_OCSP=1 Enable OpenSSL OCSP code -# DEBUG=1 Build DEBUG version of TCN +# ENABLE_OCSP=1 Enable OpenSSL OCSP code +# OPENSSL_NEW_LIBS=1 Use new OpenSSL lib file names +# DEBUG=1 Build DEBUG version of TCN # # Originally contributed by Mladen Turk # 
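Review bot: The new install rule `$(INSTALL_DATA) include/*.h $(DESTDIR)$(includedir)` copies every header under include/, which, as this diff shows, includes ssl_private.h; if only the public headers are meant to be installed, replace the glob with an explicit list, and if shipping the private header is intended a short comment above the rule saying so would avoid the question. The switch from `@TCNATIVE_LDFLAGS@`/`@TCNATIVE_LIBS@` to `$(TCNATIVE_LDFLAGS)`/`$(TCNATIVE_LIBS)` assumes those make variables are assigned earlier in Makefile.in, which is outside this hunk.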
@@ -74,7 +75,11 @@ !IF DEFINED(WITH_FIPS) LFLAGS = $(LFLAGS) libeayfips32.lib libeaycompat32.lib ssleay32.lib /NODEFAULTLIB:LIBCMT !ELSE -LFLAGS = $(LFLAGS) libeay32.lib ssleay32.lib +!IF DEFINED(OPENSSL_NEW_LIBS) +LFLAGS = $(LFLAGS) libssl.lib libcrypto.lib crypt32.lib +!ELSE +LFLAGS = $(LFLAGS) libeay32.lib ssleay32.lib +!ENDIF !ENDIF CFLAGS = $(CFLAGS) -DZLIB_WINAPI -DNO_IDEA -DNO_RC5 -DNO_MDC2 -DOPENSSL_NO_IDEA \ diff -Nru tomcat-native-1.2.17/native/NOTICE.bin.win tomcat-native-1.2.21/native/NOTICE.bin.win --- tomcat-native-1.2.17/native/NOTICE.bin.win 1970-01-01 00:00:00.000000000 +0000 +++ tomcat-native-1.2.21/native/NOTICE.bin.win 2018-11-30 11:46:52.000000000 +0000 @@ -0,0 +1,20 @@ +Apache Tomcat Native Library +Copyright 2002-2018 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +This software contains code derived from netty-native +developed by the Netty project +(http://netty.io, https://github.com/netty/netty-tcnative/) +and from finagle-native developed at Twitter +(https://github.com/twitter/finagle). + +This product includes software developed by the OpenSSL Project +for use in the OpenSSL Toolkit. (http://www.openssl.org/) + +This product includes cryptographic software written by +Eric Young (eay@cryptsoft.com) + +This product includes software written by +Tim Hudson (tjh@cryptsoft.com) \ No newline at end of file diff -Nru tomcat-native-1.2.17/native/os/netware/system.c tomcat-native-1.2.21/native/os/netware/system.c --- tomcat-native-1.2.17/native/os/netware/system.c 2015-05-23 09:28:12.000000000 +0000 +++ tomcat-native-1.2.21/native/os/netware/system.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,39 +0,0 @@ -/* Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "apr.h" -#include "apr_pools.h" -#include "apr_network_io.h" -#include "apr_poll.h" - -#include "tcn.h" - -TCN_IMPLEMENT_CALL(jboolean, OS, is)(TCN_STDARGS, jint type) -{ - UNREFERENCED_STDARGS; - if (type == 2) - return JNI_TRUE; - else - return JNI_FALSE; -} - -TCN_IMPLEMENT_CALL(jint, OS, info)(TCN_STDARGS, - jlongArray inf) -{ - UNREFERENCED_STDARGS; - UNREFERENCED(inf); - return APR_ENOTIMPL; -} diff -Nru tomcat-native-1.2.17/native/os/win32/libtcnative.rc tomcat-native-1.2.21/native/os/win32/libtcnative.rc --- tomcat-native-1.2.17/native/os/win32/libtcnative.rc 2017-11-15 11:15:36.000000000 +0000 +++ tomcat-native-1.2.21/native/os/win32/libtcnative.rc 2019-01-21 14:09:47.000000000 +0000 @@ -20,7 +20,7 @@ "See the License for the specific language governing " \ "permissions and limitations under the License." -#define TCN_VERSION "1.2.17" +#define TCN_VERSION "1.2.21" 1000 ICON "apache.ico" 1001 DIALOGEX 0, 0, 252, 51 
@@ -36,8 +36,8 @@ END 1 VERSIONINFO - FILEVERSION 1,2,17,0 - PRODUCTVERSION 1,2,17,0 + FILEVERSION 1,2,21,0 + PRODUCTVERSION 1,2,21,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L diff -Nru tomcat-native-1.2.17/native/src/proc.c tomcat-native-1.2.21/native/src/proc.c --- tomcat-native-1.2.17/native/src/proc.c 2015-05-23 09:28:12.000000000 +0000 +++ tomcat-native-1.2.21/native/src/proc.c 2018-09-03 09:54:19.000000000 +0000 @@ -311,7 +311,7 @@ { UNREFERENCED_STDARGS; -#if defined(WIN32) || defined (NETWARE) +#if defined(WIN32) UNREFERENCED(daemonize); return APR_ENOTIMPL; #else diff -Nru tomcat-native-1.2.17/native/src/ssl.c tomcat-native-1.2.21/native/src/ssl.c --- tomcat-native-1.2.17/native/src/ssl.c 2018-06-05 06:06:06.000000000 +0000 +++ tomcat-native-1.2.21/native/src/ssl.c 2019-01-24 15:20:49.000000000 +0000 @@ -822,8 +822,8 @@ * low entropy seed. */ SSL_rand_seed(NULL); - /* For SSL_get_app_data2() and SSL_get_app_data3() at request time */ - SSL_init_app_data2_3_idx(); + /* For SSL_get_app_data2(), SSL_get_app_data3() and SSL_get_app_data4() at request time */ + SSL_init_app_data_idx(); init_dh_params(); #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) 
@@ -1273,27 +1273,61 @@ } } +static apr_status_t ssl_con_pool_cleanup(void *data) +{ + SSL *ssl = (SSL*) data; + int *destroyCount; + + TCN_ASSERT(ssl != 0); + + destroyCount = SSL_get_app_data4(ssl); + if (destroyCount != NULL) { + ++(*destroyCount); + } + + return APR_SUCCESS; +} + TCN_IMPLEMENT_CALL(jlong /* SSL * */, SSL, newSSL)(TCN_STDARGS, jlong ctx /* tcn_ssl_ctxt_t * */, jboolean server) { tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); int *handshakeCount = malloc(sizeof(int)); + int *destroyCount = malloc(sizeof(int)); SSL *ssl; + apr_pool_t *p = NULL; tcn_ssl_conn_t *con; UNREFERENCED_STDARGS; TCN_ASSERT(ctx != 0); + ssl = SSL_new(c->ctx); if (ssl == NULL) { + free(handshakeCount); + free(destroyCount); tcn_ThrowException(e, "cannot create new ssl"); return 0; } - if ((con = apr_pcalloc(c->pool, sizeof(tcn_ssl_conn_t))) == NULL) { + + apr_pool_create(&p, c->pool); + if (p == NULL) { + free(handshakeCount); + free(destroyCount); + SSL_free(ssl); + tcn_ThrowAPRException(e, apr_get_os_error()); + return 0; + } + + if ((con = apr_pcalloc(p, sizeof(tcn_ssl_conn_t))) == NULL) { + free(handshakeCount); + free(destroyCount); + SSL_free(ssl); + apr_pool_destroy(p); tcn_ThrowAPRException(e, apr_get_os_error()); return 0; } - con->pool = c->pool; + con->pool = p; con->ctx = c; con->ssl = ssl; con->shutdown_type = c->shutdown_type; @@ -1302,6 +1336,10 @@ *handshakeCount = 0; SSL_set_app_data3(ssl, handshakeCount); + /* Store the destroyCount in the SSL instance. */ + *destroyCount = 0; + SSL_set_app_data4(ssl, destroyCount); + /* Add callback to keep track of handshakes. */ SSL_CTX_set_info_callback(c->ctx, ssl_info_callback); @@ -1318,6 +1356,11 @@ /* Store for later usage in SSL_callback_SSL_verify */ SSL_set_app_data2(ssl, c); SSL_set_app_data(ssl, con); + /* Register cleanup that prevent double destruction */ + apr_pool_cleanup_register(con->pool, (const void *)ssl, + ssl_con_pool_cleanup, + apr_pool_cleanup_null); + return P2J(ssl); } 
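Review bot: In newSSL the status returned by `apr_pool_create(&p, c->pool)` is discarded and failure is inferred from `p == NULL`, then reported through `apr_get_os_error()`, which is not necessarily the error the pool code returned; capturing the status is the idiomatic check: `apr_status_t rv = apr_pool_create(&p, c->pool);` / `if (rv != APR_SUCCESS) { free(handshakeCount); free(destroyCount); SSL_free(ssl); tcn_ThrowAPRException(e, rv); return 0; }`. The new `malloc(sizeof(int))` for destroyCount is dereferenced (`*destroyCount = 0`) without a NULL check, the same gap the pre-existing handshakeCount allocation has. A header comment on `ssl_con_pool_cleanup` explaining that the counter lets freeSSL detect that the connection pool was already torn down together with its parent, which is the double destruction the registration in the third hunk refers to, would make the scheme easier to follow for the next maintainer.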
@@ -1415,9 +1458,17 @@ jlong ssl /* SSL * */) { SSL *ssl_ = J2P(ssl, SSL *); int *handshakeCount = SSL_get_app_data3(ssl_); + int *destroyCount = SSL_get_app_data4(ssl_); + tcn_ssl_conn_t *con = SSL_get_app_data(ssl_); UNREFERENCED_STDARGS; + if (destroyCount != NULL) { + if (*destroyCount == 0) { + apr_pool_destroy(con->pool); + } + free(destroyCount); + } if (handshakeCount != NULL) { free(handshakeCount); } @@ -1527,6 +1578,62 @@ return SSL_renegotiate(ssl_); } +TCN_IMPLEMENT_CALL(jint, SSL, renegotiatePending)(TCN_STDARGS, + jlong ssl /* SSL * */) { + SSL *ssl_ = J2P(ssl, SSL *); + if (ssl_ == NULL) { + tcn_ThrowException(e, "ssl is null"); + return 0; + } + + UNREFERENCED(o); + + return SSL_renegotiate_pending(ssl_); +} + +TCN_IMPLEMENT_CALL(jint, SSL, verifyClientPostHandshake)(TCN_STDARGS, + jlong ssl /* SSL * */) { +#if defined(SSL_OP_NO_TLSv1_3) + SSL *ssl_ = J2P(ssl, SSL *); + tcn_ssl_conn_t *con; + + if (ssl_ == NULL) { + tcn_ThrowException(e, "ssl is null"); + return 0; + } + + UNREFERENCED(o); + + con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl_); + con->pha_state = PHA_STARTED; + + return SSL_verify_client_post_handshake(ssl_); +#else + return 0; +#endif +} + +TCN_IMPLEMENT_CALL(jint, SSL, getPostHandshakeAuthInProgress)(TCN_STDARGS, + jlong ssl /* SSL * */) { +#if defined(SSL_OP_NO_TLSv1_3) + SSL *ssl_ = J2P(ssl, SSL *); + tcn_ssl_conn_t *con; + + if (ssl_ == NULL) { + tcn_ThrowException(e, "ssl is null"); + return 0; + } + + UNREFERENCED(o); + + con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl_); + + return (con->pha_state == PHA_STARTED); +#else + return 0; +#endif +} + /* Read which protocol was negotiated for the given SSL *. */ TCN_IMPLEMENT_CALL(jstring, SSL, getNextProtoNegotiated)(TCN_STDARGS, jlong ssl /* SSL * */) { 
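Review bot: In freeSSL `con` comes from `SSL_get_app_data(ssl_)` and `con->pool` is dereferenced without a NULL check, while destroyCount and handshakeCount right beside it are both checked; a guard such as `if (con != NULL && *destroyCount == 0)` keeps the function safe for an SSL whose app data was never set. After `free(destroyCount)` the app_data4 slot still points at freed memory for the rest of the teardown; clearing it with `SSL_set_app_data4(ssl_, NULL);` makes any later cleanup run harmless. The rest of freeSSL is outside this hunk.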
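Review bot: verifyClientPostHandshake sets `con->pha_state = PHA_STARTED` before calling `SSL_verify_client_post_handshake(ssl_)`, so a failed request (return value <= 0) leaves the connection reporting post-handshake auth as in progress through getPostHandshakeAuthInProgress; the TLS 1.3 branch of renegotiate in sslnetwork.c in this same diff checks the return value first, and this function should match it: `int rv = SSL_verify_client_post_handshake(ssl_); if (rv > 0) con->pha_state = PHA_STARTED; return rv;`. Both new functions also dereference `con` from SSL_get_app_data without a NULL check. The guards use `#if defined(SSL_OP_NO_TLSv1_3)` directly although ssl_private.h in this diff introduces `HAVE_TLSV1_3` for exactly that test; using the macro keeps the feature detection in one place.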
@@ -1826,12 +1933,14 @@ UNREFERENCED_STDARGS; if (ssl_ == NULL) { + TCN_FREE_CSTRING(ciphers); tcn_ThrowException(e, "ssl is null"); return JNI_FALSE; } UNREFERENCED(o); if (!J2S(ciphers)) { + TCN_FREE_CSTRING(ciphers); return JNI_FALSE; } if (!SSL_set_cipher_list(ssl_, J2S(ciphers))) { @@ -2155,6 +2264,27 @@ UNREFERENCED(o); UNREFERENCED(ssl); tcn_ThrowException(e, "Not implemented"); + return 0; +} + +TCN_IMPLEMENT_CALL(jint, SSL, renegotiatePending)(TCN_STDARGS, jlong ssl) { + UNREFERENCED(o); + UNREFERENCED(ssl); + tcn_ThrowException(e, "Not implemented"); + return 0; +} + +TCN_IMPLEMENT_CALL(jint, SSL, verifyClientPostHandshake)(TCN_STDARGS, jlong ssl) { + UNREFERENCED(o); + UNREFERENCED(ssl); + tcn_ThrowException(e, "Not implemented"); + return 0; +} + +TCN_IMPLEMENT_CALL(jint, SSL, getPostHandshakeAuthInProgress)(TCN_STDARGS, jlong ssl) { + UNREFERENCED(o); + UNREFERENCED(ssl); + tcn_ThrowException(e, "Not implemented"); return 0; } diff -Nru tomcat-native-1.2.17/native/src/sslconf.c tomcat-native-1.2.21/native/src/sslconf.c --- tomcat-native-1.2.17/native/src/sslconf.c 2017-08-25 14:58:55.000000000 +0000 +++ tomcat-native-1.2.21/native/src/sslconf.c 2018-11-29 13:06:21.000000000 +0000 @@ -220,8 +220,8 @@ unsigned long ec; #ifndef HAVE_EXPORT_CIPHERS size_t len; - char *buf = NULL; #endif + char *buf = NULL; TCN_ALLOC_CSTRING(cmd); TCN_ALLOC_CSTRING(value); UNREFERENCED(o); diff -Nru tomcat-native-1.2.17/native/src/sslcontext.c tomcat-native-1.2.21/native/src/sslcontext.c --- tomcat-native-1.2.17/native/src/sslcontext.c 2018-06-06 13:00:15.000000000 +0000 +++ tomcat-native-1.2.21/native/src/sslcontext.c 2019-01-10 22:07:56.000000000 +0000 
@@ -152,7 +152,16 @@ } #if OPENSSL_VERSION_NUMBER < 0x10100000L - if (protocol == SSL_PROTOCOL_TLSV1_2) { + if (protocol == SSL_PROTOCOL_TLSV1_3) { +#ifdef HAVE_TLSV1_3 + if (mode == SSL_MODE_CLIENT) + ctx = SSL_CTX_new(TLSv1_3_client_method()); + else if (mode == SSL_MODE_SERVER) + ctx = SSL_CTX_new(TLSv1_3_server_method()); + else + ctx = SSL_CTX_new(TLSv1_3_method()); +#endif + } else if (protocol == SSL_PROTOCOL_TLSV1_2) { #ifdef HAVE_TLSV1_2 if (mode == SSL_MODE_CLIENT) ctx = SSL_CTX_new(TLSv1_2_client_method()); @@ -186,6 +195,10 @@ ctx = SSL_CTX_new(SSLv3_method()); } else if (protocol == SSL_PROTOCOL_SSLV2) { /* requested but not supported */ +#ifndef HAVE_TLSV1_3 + } else if (protocol & SSL_PROTOCOL_TLSV1_3) { + /* requested but not supported */ +#endif #ifndef HAVE_TLSV1_2 } else if (protocol & SSL_PROTOCOL_TLSV1_2) { /* requested but not supported */ @@ -241,9 +254,19 @@ if (!(protocol & SSL_PROTOCOL_TLSV1_2)) SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2); #endif +#ifdef HAVE_TLSV1_3 + if (!(protocol & SSL_PROTOCOL_TLSV1_3)) + SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_3); +#endif #else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */ /* We first determine the maximum protocol version we should provide */ +#ifdef HAVE_TLSV1_3 + if (protocol & SSL_PROTOCOL_TLSV1_3) { + prot = TLS1_3_VERSION; + } else +/* NOTE the dangling else above: take care to preserve it */ +#endif if (protocol & SSL_PROTOCOL_TLSV1_2) { prot = TLS1_2_VERSION; } else if (protocol & SSL_PROTOCOL_TLSV1_1) { @@ -261,6 +284,11 @@ /* Next we scan for the minimal protocol version we should provide, * but we do not allow holes between max and min */ +#ifdef HAVE_TLSV1_3 + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) { + prot = TLS1_2_VERSION; + } +#endif if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { prot = TLS1_1_VERSION; } 
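Review bot: The new branch inside `#if OPENSSL_VERSION_NUMBER < 0x10100000L` calls `TLSv1_3_client_method()`, `TLSv1_3_server_method()` and `TLSv1_3_method()`, which to my knowledge do not exist in any OpenSSL release: TLS 1.3 arrived in 1.1.1, which is handled by the min/max-version path in the `#else` branch below, so with upstream OpenSSL this code is unreachable and would only compile if a pre-1.1.0 build defining `SSL_OP_NO_TLSv1_3` also provided those methods. Either drop the branch and let old OpenSSL fall into the "requested but not supported" case added in the second hunk, or document the library that supplies them, e.g. `/* TLSv1_3_*_method() come from [FORK-NAME placeholder]; upstream OpenSSL < 1.1.0 has no TLS 1.3 */`. The dangling-else construction in the max-version selection is already flagged by its own NOTE comment; putting the whole `if`/`else if` chain under one `#ifdef` with a fallback would remove the hazard instead of documenting it.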
@@ -346,10 +374,12 @@ apr_pool_cleanup_null); /* Cache the byte[].class for performance reasons */ - clazz = (*e)->FindClass(e, "[B"); - byteArrayClass = (jclass) (*e)->NewGlobalRef(e, clazz); - sClazz = (*e)->FindClass(e, "java/lang/String"); - stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz); + if (stringClass == NULL) { + clazz = (*e)->FindClass(e, "[B"); + byteArrayClass = (jclass) (*e)->NewGlobalRef(e, clazz); + sClazz = (*e)->FindClass(e, "java/lang/String"); + stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz); + } return P2J(c); init_failed: @@ -984,7 +1014,7 @@ if (J2S(password)) { if (!c->cb_data) c->cb_data = &tcn_password_callback; - strncpy(c->cb_data->password, J2S(password), SSL_MAX_PASSWORD_LEN); + strncpy(c->cb_data->password, J2S(password), SSL_MAX_PASSWORD_LEN - 1); c->cb_data->password[SSL_MAX_PASSWORD_LEN-1] = '\0'; } key_file = J2S(key); diff -Nru tomcat-native-1.2.17/native/src/sslnetwork.c tomcat-native-1.2.21/native/src/sslnetwork.c --- tomcat-native-1.2.17/native/src/sslnetwork.c 2017-08-21 08:22:17.000000000 +0000 +++ tomcat-native-1.2.21/native/src/sslnetwork.c 2018-10-12 11:09:26.000000000 +0000 
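Review bot: The new `if (stringClass == NULL)` guard stops the global-ref leak on repeated context creation, but it tests one cached ref while assigning both: if an earlier call obtained byteArrayClass and then failed on the string lookup (FindClass returning NULL with an exception pending), the next call overwrites byteArrayClass and leaks the earlier ref. Checking both, `if (byteArrayClass == NULL || stringClass == NULL)`, or guarding each assignment separately avoids that, and a comment noting that two threads initialising concurrently may still create a redundant global ref (benign, if so intended) would document the remaining race. The `strncpy(..., SSL_MAX_PASSWORD_LEN - 1)` change in the second hunk is correct; together with the explicit terminator on the following line it is now belt-and-braces.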
@@ -616,32 +616,19 @@
 return APR_SUCCESS;
 }
-TCN_IMPLEMENT_CALL(jint, SSLSocket, renegotiate)(TCN_STDARGS,
- jlong sock)
+static int ssl_do_renegotiate(tcn_ssl_conn_t *con, int use_pha)
 {
- tcn_socket_t *s = J2P(sock, tcn_socket_t *);
- tcn_ssl_conn_t *con;
 int retVal;
 int error = 0;
 char peekbuf[1];
 apr_interval_time_t timeout;
- UNREFERENCED_STDARGS;
- TCN_ASSERT(sock != 0);
- con = (tcn_ssl_conn_t *)s->opaque;
-
- /* Toggle the renegotiation state to allow the new
- * handshake to proceed.
- */
- con->reneg_state = RENEG_ALLOW;
-
- // Schedule a renegotiation request
- retVal = SSL_renegotiate(con->ssl);
- if (retVal <= 0)
- return APR_EGENERAL;
+ apr_socket_timeout_get(con->sock, &timeout);
- /* Need to trigger the renegotiation handshake by reading.
+ /* Trigger reading of the certs from the client.
 * Peeking 0 bytes actually works.
+ * Before TLS 1.3 this will result in a renegotiation.
+ * for TLS 1.3 in PHA.
 * See: http://marc.info/?t=145493359200002&r=1&w=2
 *
 * This will normally return SSL_ERROR_WANT_READ whether the renegotiation
@@ -653,9 +640,8 @@
 error = SSL_get_error(con->ssl, retVal);
 }
- apr_socket_timeout_get(con->sock, &timeout);
- // If the renegotiation is still pending, then I/O needs to be triggered
- while (SSL_renegotiate_pending(con->ssl)) {
+ // If the certs have not been received, then need to wait for I/O
+ while ((use_pha && con->pha_state == PHA_STARTED) || (!use_pha && SSL_renegotiate_pending(con->ssl))) {
 // SSL_ERROR_WANT_READ is expected. Anything else is an error.
 if (error == SSL_ERROR_WANT_READ) {
 retVal = wait_for_io_or_timeout(con, error, timeout);
@@ -664,7 +650,6 @@
 * error.
 */
 if (retVal != APR_SUCCESS) {
- printf("ERROR\n");
 con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
 return retVal;
 }
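Review bot: `ssl_do_renegotiate` (hunk `@@ -616,32 +616,19 @@`) is a new static helper with no header comment, and its `use_pha` argument changes which condition the wait loop checks; a comment such as `/* Drive I/O until the client's certificate has been read: with use_pha set, until the verify callback moves con->pha_state off PHA_STARTED, otherwise until SSL_renegotiate_pending() clears. Returns APR_SUCCESS or the error from wait_for_io_or_timeout(). */` would state that contract. With use_pha set, the loop condition `con->pha_state == PHA_STARTED` is only cleared in the verify callback (hunk `@@ -305,9 +325,14 @@` of sslutils.c); if OpenSSL does not run that callback when the client answers the CertificateRequest with an empty Certificate message, pha_state would stay PHA_STARTED and the loop would only leave on timeout or error, which is worth confirming against the OpenSSL version in use. The function's body continues across the following hunks.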
@@ -679,15 +664,74 @@
 } else {
 /*
 * Reset error to handle case where SSL_Peek returns 0 but
- * SSL_renegotiate_pending returns true. This will trigger an error
- * to be returned.
+ * the pha resp. renegotiation state has not changed.
+ * This will trigger an error to be returned.
 */
 error = 0;
 }
 }
-
- con->reneg_state = RENEG_REJECT;
+ return APR_SUCCESS;
+}
+
+TCN_IMPLEMENT_CALL(jint, SSLSocket, renegotiate)(TCN_STDARGS,
+ jlong sock)
+{
+ tcn_socket_t *s = J2P(sock, tcn_socket_t *);
+ tcn_ssl_conn_t *con;
+ int retVal;
+#if defined(SSL_OP_NO_TLSv1_3)
+ const SSL_SESSION *session;
+#endif
+
+ UNREFERENCED_STDARGS;
+ TCN_ASSERT(sock != 0);
+ con = (tcn_ssl_conn_t *)s->opaque;
+
+#if defined(SSL_OP_NO_TLSv1_3)
+ session = SSL_get_session(con->ssl);
+ if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) {
+ // TLS 1.3 renegotiation
+ retVal = SSL_verify_client_post_handshake(con->ssl);
+ if (retVal <= 0) {
+ return APR_EGENERAL;
+ }
+
+ con->pha_state = PHA_STARTED;
+ // Need to trigger a write operation to sent the cert request to the
+ // client. As per OpenSSL docs, use SSL_do_handshake() for this.
+ retVal = SSL_do_handshake(con->ssl);
+ if (retVal <= 0) {
+ return APR_EGENERAL;
+ }
+ retVal = ssl_do_renegotiate(con, 1);
+ if (retVal != APR_SUCCESS) {
+ return retVal;
+ }
+
+ } else {
+#endif
+ // TLS 1.2 and earlier renegotiation
+
+ /* Toggle the renegotiation state to allow the new
+ * handshake to proceed.
+ */
+ con->reneg_state = RENEG_ALLOW;
+
+ // Schedule a renegotiation request
+ retVal = SSL_renegotiate(con->ssl);
+ if (retVal <= 0) {
+ return APR_EGENERAL;
+ }
+ retVal = ssl_do_renegotiate(con, 0);
+ if (retVal != APR_SUCCESS) {
+ return retVal;
+ }
+
+ con->reneg_state = RENEG_REJECT;
+#if defined(SSL_OP_NO_TLSv1_3)
+ }
+#endif
 return APR_SUCCESS;
 }
diff -Nru tomcat-native-1.2.17/native/src/sslutils.c tomcat-native-1.2.21/native/src/sslutils.c
--- tomcat-native-1.2.17/native/src/sslutils.c 2018-06-06 08:52:57.000000000 +0000
+++ tomcat-native-1.2.21/native/src/sslutils.c 2019-01-24 15:20:49.000000000 +0000
@@ -34,7 +34,7 @@
 #define ASN1_SEQUENCE 0x30
 #define ASN1_OID 0x06
 #define ASN1_STRING 0x86
-static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx);
+static int ssl_verify_OCSP(X509_STORE_CTX *ctx);
 static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
 #endif
@@ -52,8 +52,9 @@
 */
 static int SSL_app_data2_idx = -1;
 static int SSL_app_data3_idx = -1;
+static int SSL_app_data4_idx = -1;
-void SSL_init_app_data2_3_idx(void)
+void SSL_init_app_data_idx(void)
 {
 int i;
@@ -78,6 +79,15 @@
 "Third Application Data for SSL",
 NULL, NULL, NULL);
+ if (SSL_app_data4_idx > -1) {
+ return;
+ }
+
+ SSL_app_data4_idx =
+ SSL_get_ex_new_index(0,
+ "Fourth Application Data for SSL",
+ NULL, NULL, NULL);
+
 }
 void *SSL_get_app_data2(SSL *ssl)
@@ -102,6 +112,16 @@
 SSL_set_ex_data(ssl, SSL_app_data3_idx, arg);
 }
+void *SSL_get_app_data4(const SSL *ssl)
+{
+ return SSL_get_ex_data(ssl, SSL_app_data4_idx);
+}
+
+void SSL_set_app_data4(SSL *ssl, void *arg)
+{
+ SSL_set_ex_data(ssl, SSL_app_data4_idx, arg);
+}
+
 /* Simple echo password prompting */
 int SSL_password_prompt(tcn_pass_cb_t *data)
 {
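Review bot: In the TLS 1.2-and-earlier branch of `renegotiate` (hunk `@@ -679,15 +664,74 @@`), the error returns after `con->reneg_state = RENEG_ALLOW;` leave the connection in RENEG_ALLOW, so after a failed server-initiated renegotiation the reject check in SSL_callback_handshake would not fire for a later client-initiated one; the removed code had the same gap, but the restructuring is the moment to close it, e.g. `if (retVal != APR_SUCCESS) { con->reneg_state = RENEG_REJECT; return retVal; }` and the same reset after a failed `SSL_renegotiate`. The TLS 1.3 branch likewise returns with `con->pha_state` still PHA_STARTED when `SSL_do_handshake` or `ssl_do_renegotiate` fails; resetting it before returning keeps the next call from inheriting stale state, though whether anything reads pha_state between calls is not visible here. The comment `// Need to trigger a write operation to sent the cert request to the` should read `to send`.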
@@ -305,9 +325,14 @@
 int verify = con->ctx->verify_mode;
 int depth = con->ctx->verify_depth;
+#if defined(SSL_OP_NO_TLSv1_3)
+ con->pha_state = PHA_COMPLETE;
+#endif
+
 if (verify == SSL_CVERIFY_UNSET ||
- verify == SSL_CVERIFY_NONE)
+ verify == SSL_CVERIFY_NONE) {
 return 1;
+ }
 if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) &&
 (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
@@ -344,7 +369,7 @@
 ok = 0;
 } else {
- int ocsp_response = ssl_verify_OCSP(ok, ctx);
+ int ocsp_response = ssl_verify_OCSP(ctx);
 if (ocsp_response == OCSP_STATUS_REVOKED) {
 ok = 0 ;
 errnum = X509_STORE_CTX_get_error(ctx);
@@ -386,12 +411,24 @@
 void SSL_callback_handshake(const SSL *ssl, int where, int rc)
 {
 tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
+#ifdef HAVE_TLSV1_3
+ const SSL_SESSION *session = SSL_get_session(ssl);
+#endif
 /* Retrieve the conn_rec and the associated SSLConnRec. */
 if (con == NULL) {
 return;
 }
+#ifdef HAVE_TLSV1_3
+ /* TLS 1.3 does not use renegotiation so do not update the renegotiation
+ * state once we know we are using TLS 1.3. */
+ if (session != NULL) {
+ if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) {
+ return;
+ }
+ }
+#endif
 /* If the reneg state is to reject renegotiations, check the SSL
 * state machine and move to ABORT if a Client Hello is being
@@ -405,7 +442,6 @@
 else if ((where & SSL_CB_HANDSHAKE_DONE) && con->reneg_state == RENEG_INIT) {
 con->reneg_state = RENEG_REJECT;
 }
-
 }
 int SSL_callback_next_protos(SSL *ssl, const unsigned char **data,
@@ -492,7 +528,7 @@
 #ifdef HAVE_OCSP_STAPLING
 /* Function that is used to do the OCSP verification */
-static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx)
+static int ssl_verify_OCSP(X509_STORE_CTX *ctx)
 {
 X509 *cert, *issuer;
 int r = OCSP_STATUS_UNKNOWN;
@@ -595,7 +631,7 @@
 // Single byte length
 *len = **asn1;
 }
-
+
 (*asn1)++;
 return 0;
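Review bot: Within the same file the verify callback (hunk `@@ -305,9 +325,14 @@`) guards `con->pha_state = PHA_COMPLETE;` with `#if defined(SSL_OP_NO_TLSv1_3)` while SSL_callback_handshake (hunk `@@ -386,12 +411,24 @@`) uses `#ifdef HAVE_TLSV1_3`, and `renegotiate` in sslnetwork.c uses the former again; if the pha_state field and the TLS 1.3 handling are meant to exist together, one build-time condition should gate all of them, otherwise a tool chain where one macro is defined and the other is not compiles half the feature. Using `HAVE_TLSV1_3`, the macro the context setup already relies on, and changing the two `#if defined(SSL_OP_NO_TLSv1_3)` guards to `#ifdef HAVE_TLSV1_3` would make this consistent; which macro guards the `pha_state` member itself is not visible here. Both callbacks start outside their hunks.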
@@ -707,24 +743,22 @@
 /* stolen from openssl ocsp command */
-static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
- STACK_OF(OCSP_CERTID) *ids)
+static int add_ocsp_cert(OCSP_REQUEST *req, X509 *cert, X509 *issuer)
 {
 OCSP_CERTID *id;
 if (!issuer)
 return 0;
- if (!*req)
- *req = OCSP_REQUEST_new();
- if (!*req)
- return 0;
 id = OCSP_cert_to_id(NULL, cert, issuer);
- if (!id || !sk_OCSP_CERTID_push(ids, id))
+ if (!id)
 return 0;
- if (!OCSP_request_add0_id(*req, id))
+ if (!OCSP_request_add0_id(req, id)) {
+ OCSP_CERTID_free(id);
 return 0;
- else
+ } else {
+ /* id will be freed by OCSP_REQUEST_free() */
 return 1;
+ }
 }
@@ -786,7 +820,6 @@
 int len;
 char buf[TCN_BUFFER_SZ];
 apr_status_t rv;
- int ok = 1;
 while ((len = BIO_read(req, buf, sizeof buf)) > 0) {
 char *wbuf = buf;
@@ -800,12 +833,11 @@
 } while (rv == APR_SUCCESS && remain > 0);
 if (rv != APR_SUCCESS) {
- apr_socket_close(sock);
- ok = 0;
+ return 0;
 }
 }
- return ok;
+ return 1;
 }
@@ -894,7 +926,7 @@
 /* Reads the response from the APR socket to a buffer, and parses the buffer to return the OCSP response */
 #define ADDLEN 512
-static OCSP_RESPONSE *ocsp_get_resp(apr_socket_t *sock)
+static OCSP_RESPONSE *ocsp_get_resp(apr_pool_t *mp, apr_socket_t *sock)
 {
 int buflen;
 apr_size_t totalread = 0;
@@ -904,7 +936,7 @@
 apr_pool_t *p;
 OCSP_RESPONSE *resp;
- apr_pool_create(&p, NULL);
+ apr_pool_create(&p, mp);
 buflen = ADDLEN;
 buf = apr_palloc(p, buflen);
 if (buf == NULL) {
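Review bot: `add_ocsp_cert` (hunk `@@ -707,24 +743,22 @@`) now has two ownership outcomes for `id`, handed to `req` on success and freed locally on failure, and the header comment `/* stolen from openssl ocsp command */` does not say so; a comment such as `/* Add an OCSP_CERTID for cert/issuer to req. Returns 1 on success (req then owns the id) or 0 on failure (the id has already been freed here). */` saves the next reader re-deriving it. In `ocsp_send_req` (hunk `@@ -800,12 +833,11 @@`) the early `return 0;` no longer closes the socket, so a line at the top of that function stating that the caller owns and closes `sock` would document what the `apr_socket_close(apr_sock)` added in get_ocsp_response now relies on. Both functions continue outside their hunks.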
@@ -944,34 +976,29 @@
 }
 /* Creates and OCSP request and returns the OCSP_RESPONSE */
-static OCSP_RESPONSE *get_ocsp_response(X509 *cert, X509 *issuer, char *url)
+static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, X509 *cert, X509 *issuer, char *url)
 {
 OCSP_RESPONSE *ocsp_resp = NULL;
 OCSP_REQUEST *ocsp_req = NULL;
 BIO *bio_req;
 char *hostname, *path, *c_port;
 int port, use_ssl;
- STACK_OF(OCSP_CERTID) *ids = NULL;
 int ok = 0;
 apr_socket_t *apr_sock = NULL;
 apr_pool_t *mp;
- apr_pool_create(&mp, NULL);
- ids = sk_OCSP_CERTID_new_null();
-
- /* problem parsing the URL */
- if (OCSP_parse_url(url,&hostname, &c_port, &path, &use_ssl) == 0 ) {
- sk_OCSP_CERTID_free(ids);
- return NULL;
- }
+ if (OCSP_parse_url(url,&hostname, &c_port, &path, &use_ssl) == 0 )
+ goto end;
- /* Create the OCSP request */
 if (sscanf(c_port, "%d", &port) != 1)
 goto end;
+
+ /* Create the OCSP request */
 ocsp_req = OCSP_REQUEST_new();
 if (ocsp_req == NULL)
- return NULL;
- if (add_ocsp_cert(&ocsp_req,cert,issuer,ids) == 0 )
+ goto end;
+
+ if (add_ocsp_cert(ocsp_req,cert,issuer) == 0 )
 goto free_req;
 /* create the BIO with the request to send */
@@ -980,29 +1007,30 @@
 goto free_req;
 }
+ apr_pool_create(&mp, p);
 apr_sock = make_socket(hostname, port, mp);
 if (apr_sock == NULL) {
- ocsp_resp = NULL;
 goto free_bio;
 }
 ok = ocsp_send_req(apr_sock, bio_req);
- if (ok)
- ocsp_resp = ocsp_get_resp(apr_sock);
+ if (ok) {
+ ocsp_resp = ocsp_get_resp(mp, apr_sock);
+ }
+ apr_socket_close(apr_sock);
 free_bio:
 BIO_free(bio_req);
-
-free_req:
- if(apr_sock && ok) /* if ok == 0 we have already closed the socket */
- apr_socket_close(apr_sock);
- apr_pool_destroy(mp);
- sk_OCSP_CERTID_free(ids);
+free_req:
 OCSP_REQUEST_free(ocsp_req);
 end:
+ OPENSSL_free(hostname);
+ OPENSSL_free(c_port);
+ OPENSSL_free(path);
+
 return ocsp_resp;
 }
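Review bot: The `goto end;` taken when `OCSP_parse_url` fails (hunk `@@ -944,34 +976,29 @@`) jumps to the three `OPENSSL_free` calls on `hostname`, `c_port` and `path`, which only that call fills in; whether those out-parameters are NULL after a failed parse depends on the OpenSSL version's implementation of `OCSP_parse_url`, and if any is left pointing at memory the callee already released this becomes a double free reachable through a malformed AIA URL in a peer certificate. Returning before anything is allocated, as the removed code did, `return NULL;` in place of that `goto end;`, does not depend on that contract. The sub-pool `mp` from `apr_pool_create(&mp, p)` is no longer destroyed here and is reclaimed with the caller's pool `p`; that is fine but deserves a one-line comment at `free_req:`, since the previous version destroyed it explicitly.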
@@ -1019,14 +1047,12 @@
 r = OCSP_response_status(ocsp_resp);
 if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
- OCSP_RESPONSE_free(ocsp_resp);
 return OCSP_STATUS_UNKNOWN;
 }
 bs = OCSP_response_get1_basic(ocsp_resp);
 certid = OCSP_cert_to_id(NULL, cert, issuer);
 if (certid == NULL) {
- OCSP_RESPONSE_free(ocsp_resp);
 return OCSP_STATUS_UNKNOWN;
 }
 ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find by serial number and get the matching response */
@@ -1042,7 +1068,7 @@
 /* we clean up */
 OCSP_CERTID_free(certid);
- OCSP_RESPONSE_free(ocsp_resp);
+ OCSP_BASICRESP_free(bs);
 return o;
 }
@@ -1072,7 +1098,7 @@
 int rv = OCSP_STATUS_UNKNOWN;
 /* for the time being just check for the fist response .. a better approach is to iterate for all the possible ocsp urls */
- resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
+ resp = get_ocsp_response(p, cert, issuer, ocsp_urls[0]);
 if (resp != NULL) {
 rv = process_ocsp_response(resp, cert, issuer);
 } else {
@@ -1081,6 +1107,7 @@
 }
 if (resp != NULL) {
+ OCSP_RESPONSE_free(resp);
 apr_pool_destroy(p);
 return rv;
 }
diff -Nru tomcat-native-1.2.17/native/srclib/BUILDING tomcat-native-1.2.21/native/srclib/BUILDING
--- tomcat-native-1.2.17/native/srclib/BUILDING 2012-05-30 02:20:59.000000000 +0000
+++ tomcat-native-1.2.21/native/srclib/BUILDING 2018-10-17 16:35:24.000000000 +0000
@@ -15,8 +15,8 @@
 compiler is setup for the target architecture.
-Building OpenSSL
-----------------
+Building OpenSSL 1.1.0 and earlier
+----------------------------------
 Apply openssl-msvcrt.patch
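Review bot: `process_ocsp_response` (hunk `@@ -1019,14 +1047,12 @@`) uses `bs` from `OCSP_response_get1_basic` without a NULL check, and the `certid == NULL` early return does not release it; a response with a successful status but no basic response comes from the responder, or from whoever can answer the plain-HTTP OCSP fetch, so the NULL case is externally reachable and would crash inside the verify callback. Adding `if (bs == NULL) return OCSP_STATUS_UNKNOWN;` after the `get1_basic` call and `OCSP_BASICRESP_free(bs);` before the `certid == NULL` return closes both. The function starts and ends outside the hunk, so whether the response signature is checked with `OCSP_basic_verify` before its status is trusted is not visible here and worth confirming.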
@@ -36,7 +36,25 @@ > ms\do_win64a > nmake -f ms\nt.mak -For 64-bit Windows on Itanium processor use -> perl Configure VC-WIN64I -> ms\do_win64i -> nmake -f ms\nt.mak + +Building OpenSSL 1.1.1 and later +---------------------------------- + +Apply openssl-msvcrt-1.1.1.patch + +This patch addresses issues caused by CMSC compiling against an older Windows +API than expected for the compiler version in additional to the static linking +issues described above. + +Then follow the standard OpenSSL make procedure ... + +> perl Configure no-shared VC-WIN32 +> nmake + +For 64-bit Windows use +> perl Configure no-shared VC-WIN64A +> nmake + + +For a step-by-step guide to building OpenSSL on Windows see: +https://cwiki.apache.org/confluence/display/TOMCAT/Building+the+Tomcat+Native+Connector+binaries+for+Windows diff -Nru tomcat-native-1.2.17/native/srclib/openssl/openssl-msvcrt-1.1.1.patch tomcat-native-1.2.21/native/srclib/openssl/openssl-msvcrt-1.1.1.patch --- tomcat-native-1.2.17/native/srclib/openssl/openssl-msvcrt-1.1.1.patch 1970-01-01 00:00:00.000000000 +0000 +++ tomcat-native-1.2.21/native/srclib/openssl/openssl-msvcrt-1.1.1.patch 2018-11-30 19:44:21.000000000 +0000 
@@ -0,0 +1,74 @@ +--- Configurations/10-main.conf ++++ Configurations/10-main.conf +@@ -1268,7 +1268,7 @@ + # prefer [non-debug] openssl.exe to be free from Micorosoft RTL + # redistributable. + bin_cflags => add(picker(debug => "/MDd", +- release => sub { $disabled{shared} ? "/MT" : () }, ++ release => "/MD", + )), + bin_lflags => add("/subsystem:console /opt:ref"), + ex_libs => add(sub { +--- crypto/engine/eng_openssl.c ++++ crypto/engine/eng_openssl.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include "e_os.h" + #include + #include "internal/cryptlib.h" + #include "internal/engine.h" +--- crypto/o_time.c ++++ crypto/o_time.c +@@ -41,10 +41,6 @@ + if (gmtime_r(timer, result) == NULL) + return NULL; + ts = result; +-#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400 +- if (gmtime_s(result, timer)) +- return NULL; +- ts = result; + #else + ts = gmtime(timer); + if (ts == NULL) +--- engines/e_capi.c ++++ engines/e_capi.c +@@ -15,6 +15,7 @@ + # include + + # include ++# include "e_os.h" + # include + # include + # include +--- test/testutil/basic_output.c ++++ test/testutil/basic_output.c +@@ -10,6 +10,7 @@ + #include "../testutil.h" + #include "output.h" + #include "tu_local.h" ++#include "../../e_os.h" + + #include + #include +--- e_os.h ++++ e_os.h +@@ -149,7 +149,7 @@ + # endif + # include + # if defined(_MSC_VER) && !defined(_WIN32_WCE) && !defined(_DLL) && defined(stdin) +-# if _MSC_VER>=1300 && _MSC_VER<1600 ++# ifdef _WIN64 + # undef stdin + # undef stdout + # undef stderr +@@ -157,7 +157,7 @@ + # define stdin (&__iob_func()[0]) + # define stdout (&__iob_func()[1]) + # define stderr (&__iob_func()[2]) +-# elif _MSC_VER<1300 && defined(I_CAN_LIVE_WITH_LNK4049) ++# else + # undef stdin + # undef stdout + # undef stderr diff -Nru tomcat-native-1.2.17/native/srclib/openssl/openssl-msvcrt.patch tomcat-native-1.2.21/native/srclib/openssl/openssl-msvcrt.patch --- tomcat-native-1.2.17/native/srclib/openssl/openssl-msvcrt.patch 2016-03-06 
18:46:46.000000000 +0000 +++ tomcat-native-1.2.21/native/srclib/openssl/openssl-msvcrt.patch 2018-10-17 10:56:24.000000000 +0000 @@ -1,3 +1,16 @@ +--- crypto/o_time.c ++++ crypto/o_time.c +@@ -109,10 +109,6 @@ + if (gmtime_r(timer, result) == NULL) + return NULL; + ts = result; +-#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400 +- if (gmtime_s(result, timer)) +- return NULL; +- ts = result; + #elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK) + ts = gmtime(timer); + if (ts == NULL) --- util/pl/VC-32.pl +++ util/pl/VC-32.pl @@ -45,7 +45,7 @@ diff -Nru tomcat-native-1.2.17/native/srclib/VERSIONS tomcat-native-1.2.21/native/srclib/VERSIONS --- tomcat-native-1.2.17/native/srclib/VERSIONS 2017-11-14 11:19:11.000000000 +0000 +++ tomcat-native-1.2.21/native/srclib/VERSIONS 2018-11-30 13:04:18.000000000 +0000 @@ -1,4 +1,4 @@ Use the following version of the libraries -- APR 1.6.3 or later, http://apr.apache.org -- OpenSSL 1.0.2m or later, http://www.openssl.org +- APR 1.6.5 or later, http://apr.apache.org +- OpenSSL 1.0.2q or later, http://www.openssl.org diff -Nru tomcat-native-1.2.17/native/tcnative.spec tomcat-native-1.2.21/native/tcnative.spec --- tomcat-native-1.2.17/native/tcnative.spec 2018-06-07 10:01:20.000000000 +0000 +++ tomcat-native-1.2.21/native/tcnative.spec 2019-01-25 17:34:12.000000000 +0000 @@ -21,7 +21,7 @@ Summary: Tomcat Native Java library Name: tcnative -Version: 1.2.17 +Version: 1.2.21 Release: 1 License: Apache Software License Group: System Environment/Libraries @@ -50,7 +50,7 @@ %build %configure --with-apr=%{_prefix} \ - --includedir=%{_includedir}/apr-%{aprmajor} + --includedir=%{_includedir}/%{name} make %{?_smp_mflags} && make dox %check 
@@ -87,7 +87,7 @@
 %{_libdir}/libtcnative-%{tcnver}.*a
 %{_libdir}/libtcnative-%{tcnver}.so
 %{_libdir}/pkgconfig/tcnative-%{tcnver}.pc
-%{_includedir}/apr-%{aprmajor}/*.h
+%{_includedir}/%{name}/*.h
 %doc --parents html
 %changelog
diff -Nru tomcat-native-1.2.17/NOTICE tomcat-native-1.2.21/NOTICE
--- tomcat-native-1.2.17/NOTICE 2018-01-04 17:28:38.000000000 +0000
+++ tomcat-native-1.2.21/NOTICE 2019-01-01 21:42:03.000000000 +0000
@@ -1,5 +1,5 @@
 Apache Tomcat Native Library
-Copyright 2002-2018 The Apache Software Foundation
+Copyright 2002-2019 The Apache Software Foundation
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
diff -Nru tomcat-native-1.2.17/test/org/apache/tomcat/jni/TestSocketServerAnyLocalAddress.java tomcat-native-1.2.21/test/org/apache/tomcat/jni/TestSocketServerAnyLocalAddress.java
--- tomcat-native-1.2.17/test/org/apache/tomcat/jni/TestSocketServerAnyLocalAddress.java 2017-01-31 20:14:34.000000000 +0000
+++ tomcat-native-1.2.21/test/org/apache/tomcat/jni/TestSocketServerAnyLocalAddress.java 2018-02-06 22:17:17.000000000 +0000
@@ -33,6 +33,9 @@
 */
 public class TestSocketServerAnyLocalAddress extends AbstractJniTest {
+ // Excessive but allows for slow systems
+ private static final int TIMEOUT_MICROSECONDS = 10 * 1000 * 1000;
+
 private long serverSocket = 0;
 private long clientSocket = 0;
@@ -80,8 +83,8 @@
 /* Accept the client connection */
 clientSocket = Socket.accept(serverSocket);
- /* Configure a 2ms timeout for reading from client */
- Socket.timeoutSet(clientSocket, 10000);
+ /* Configure a 10s timeout for reading from client */
+ Socket.timeoutSet(clientSocket, TIMEOUT_MICROSECONDS);
 byte [] buf = new byte[1];
 while (Socket.recv(clientSocket, buf, 0, 1) == 1) {
@@ -96,7 +99,7 @@
 } else if (buf[0] == 'Z') {
 // NO-OP - connection closing
 } else {
- Assert.fail("Unexpected data");
+ Assert.fail("Unexpected data [" + (char) buf[0] + "]");
 }
 }
@@ -122,8 +125,8 @@
 try {
 InetSocketAddress connectAddress = getConnectAddress(serverSocket);
 java.net.Socket sock = new java.net.Socket();
- sock.connect(connectAddress, 10000);
- sock.setSoTimeout(10000);
+ sock.connect(connectAddress, TIMEOUT_MICROSECONDS);
+ sock.setSoTimeout(TIMEOUT_MICROSECONDS);
 OutputStream ou = sock.getOutputStream();
 InputStream in = sock.getInputStream();
 ou.write('A');
@@ -131,12 +134,12 @@
 int rep = in.read();
 sock.close();
 if (rep != 'Z') {
- throw new Exception("Read wrong data");
+ throw new Exception("Read wrong data [" + rep + "]");
 }
 sock = new java.net.Socket();
- sock.connect(connectAddress, 10000);
- sock.setSoTimeout(10000);
+ sock.connect(connectAddress, TIMEOUT_MICROSECONDS);
+ sock.setSoTimeout(TIMEOUT_MICROSECONDS);
 ou = sock.getOutputStream();
 ou.write('E');
 ou.flush();
diff -Nru tomcat-native-1.2.17/test/org/apache/tomcat/jni/TestSocketServer.java tomcat-native-1.2.21/test/org/apache/tomcat/jni/TestSocketServer.java
--- tomcat-native-1.2.17/test/org/apache/tomcat/jni/TestSocketServer.java 2017-01-31 20:14:34.000000000 +0000
+++ tomcat-native-1.2.21/test/org/apache/tomcat/jni/TestSocketServer.java 2018-06-25 10:24:31.000000000 +0000
@@ -30,11 +30,23 @@
 public class TestSocketServer extends AbstractJniTest {
 private static final String HOST = "localhost";
+ private static final long ERROR_MARGIN;
 private int port = 0;
 private long serverSocket = 0;
 private long clientSocket = 0;
+ // Determine the resolution of System.nanoTime() so an appropriate error
+ // margin can be used in tests that use nanoTime()
+ static {
+ long start = System.nanoTime();
+ long end = System.nanoTime();
+ while (end == start) {
+ end = System.nanoTime();
+ }
+ ERROR_MARGIN = 2 * (end - start);
+ }
+
 @Before
 public void init() throws Exception {
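Review bot: `TIMEOUT_MICROSECONDS` is passed to `java.net.Socket.connect` and `setSoTimeout` (hunks `@@ -122,8 +125,8 @@` and `@@ -131,12 +134,12 @@`), but both take milliseconds, so the client side now waits 10,000 seconds where the previous literal gave 10, and a server that never answers turns this test into a hang rather than a failure. Only the APR `Socket.timeoutSet` call in the earlier hunk actually takes microseconds. A second constant, `private static final int TIMEOUT_MILLISECONDS = 10 * 1000;`, used for the four `java.net.Socket` calls keeps both sides at 10 seconds. The test method containing these calls starts and ends outside the hunks.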
@@ -96,8 +108,10 @@ while (Socket.recv(clientSocket, buf, 0, 1) == 1) { } long wait = System.nanoTime() - start; - Assert.assertFalse("Socket.timeoutSet failed (<1s) [" + wait + "]", wait < 1000000000); - Assert.assertFalse("Socket.timeoutSet failed (>2s) [" + wait + "]", wait > 2000000000); + Assert.assertFalse("Socket.timeoutSet failed (<1s) [" + wait + "] +-[" + ERROR_MARGIN + "]", + wait < 1000000000 - ERROR_MARGIN); + Assert.assertFalse("Socket.timeoutSet failed (>2s) [" + wait + "] +-[" + ERROR_MARGIN + "]", + wait > 2000000000 + ERROR_MARGIN); client.countDown(); client.join(); @@ -123,8 +137,8 @@ while (Socket.recv(clientSocket, buf, 0, 1) == 1) { } long wait = System.nanoTime() - start; - Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK failed (>1ms)", - wait > 1000000); + Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK failed (>2ms) [" + wait + + "] +-[" + ERROR_MARGIN + "]", wait > 2000000 + ERROR_MARGIN); client.countDown(); client.join(); @@ -148,8 +162,8 @@ while (Socket.recv(clientSocket, buf, 0, 1) == 1) { } long wait = System.nanoTime() - start; - Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK failed (>1ms)", - wait > 1000000); + Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK failed (>1ms) [" + wait + + "] +-[" + ERROR_MARGIN + "]", wait > 1000000 + ERROR_MARGIN); /* Configure for blocking */ Socket.optSet(clientSocket, Socket.APR_SO_NONBLOCK, 0); @@ -158,8 +172,8 @@ while (Socket.recv(clientSocket, buf, 0, 1) == 1) { } wait = System.nanoTime() - start; - Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK false failed", - wait < 1000000); + Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK false failed (<1ms) [" + + wait + "] +-[" + ERROR_MARGIN + "]", wait < 1000000 - ERROR_MARGIN); client.countDown(); client.join(); 
@@ -181,8 +195,8 @@ } long wait = System.nanoTime() - start; Assert.assertTrue("Timeout failed", ok); - Assert.assertFalse("non_blocking accept Socket.APR_SO_NONBLOCK failed (>1ms)", - wait > 1000000); + Assert.assertFalse("non_blocking accept Socket.APR_SO_NONBLOCK failed (>1ms) [" + wait + + "] +-[" + ERROR_MARGIN + "]", wait > 1000000 + ERROR_MARGIN); } diff -Nru tomcat-native-1.2.17/xdocs/index.xml tomcat-native-1.2.21/xdocs/index.xml --- tomcat-native-1.2.17/xdocs/index.xml 2017-11-21 09:59:44.000000000 +0000 +++ tomcat-native-1.2.21/xdocs/index.xml 2018-12-05 10:19:24.000000000 +0000 @@ -59,10 +59,10 @@
    -
  • 20 November 2017 - TC-Native-1.2.16 +
  • 4 Dec 2018 - TC-Native-1.2.19 released

    The Apache Tomcat team is proud to announce the immediate availability of -Tomcat Native 1.2.16 Stable.

    +Tomcat Native 1.2.19 Stable.

    The sources and the binaries for selected platforms are available from the Download page. @@ -196,8 +196,8 @@

    Refer to the tomcat documentation to configure the connectors - (See Tomcat 8.5.x, - Tomcat 8.0.x + (See Tomcat 9.0.x + Tomcat 8.5.x and Tomcat 7.0.x)

    diff -Nru tomcat-native-1.2.17/xdocs/miscellaneous/changelog.xml tomcat-native-1.2.21/xdocs/miscellaneous/changelog.xml --- tomcat-native-1.2.17/xdocs/miscellaneous/changelog.xml 2018-06-07 08:38:26.000000000 +0000 +++ tomcat-native-1.2.21/xdocs/miscellaneous/changelog.xml 2019-01-25 17:28:04.000000000 +0000 @@ -34,6 +34,72 @@ This is the Changelog for Tomcat Native 1.2.

+
+ + + Correct a possible JVM crash during shutdown caused by a bug in the fix + for the per connection memory leak included in 1.2.20. (rjung) + + +
+
+ + + Update includedir name to tomcat-native instead of apr. (csutherl) + + + Fix a minor memory leak. It occurred every time a TLS connector was + started so the impact was very unlikely to be noticed. (markt) + + + Fix some minor memory leaks that could occur after error conditions during + TLS connector initialisation. (markt) + + + Fix a per connection memory leak when using OpenSSL BIO. This is typically + used when OpenSSL is providing the TLS support for NIO or NIO2. (markt) + + +
+
+ + + 62892: Fix memory leaks in OCSP handling. (jfclere) + + + 62944: Fix copy/paste error that prevented TLS 1.0 and TLS 1.1 + from being used if TLS 1.3 was available. Patch provided by Dean Rasheed. + (markt) + + + Include OpenSSL licensing information in the Tomcat Native binaries for + Windows that are built with OpenSSL. (markt) + + + Update recommended OpenSSL version to 1.0.2q or later. (markt) + + +
+
+ + + 62641: libtool invocations should use --tag=CC. (michaelo) + + + Remove support for Netware as there has not been a supported Netware + platform for a number of years. (markt) + + + 62748: Add support for TLS 1.3 when built with OpenSSL 1.1.1 or + equivalent. (schultz/markt) + + + Expose the API necessary for CLIENT-CERT authentication to be correctly + supported when using Tomcat's JSSE implementation backed by OpenSSL. + (markt) + + +
diff -Nru tomcat-native-1.2.17/xdocs/news/2018.xml tomcat-native-1.2.21/xdocs/news/2018.xml --- tomcat-native-1.2.17/xdocs/news/2018.xml 1970-01-01 00:00:00.000000000 +0000 +++ tomcat-native-1.2.21/xdocs/news/2018.xml 2018-12-05 10:19:24.000000000 +0000 @@ -0,0 +1,55 @@ + + + +]> + + + &project; + + + 2018 News and Status + + + + +
+ +

The Apache Tomcat team is proud to announce the immediate availability of + Tomcat Native 1.2.19. This is a bugfix release that also updates the + dependencies for the Windows binaries and includes Windows binaries built + with OpenSSL 1.0.2q/APR 1.6.5 and 1.1.1a/APR 1.6.5. +

+
+ +

The Apache Tomcat team is proud to announce the immediate availability of + Tomcat Native 1.2.18. This is a feature and bugfix release that adds TLSv1.3 + support when built with OpenSSL 1.1.1. It also includes Windows binaries built + with OpenSSL 1.0.2p/APR 1.6.5 and 1.1.1/APR 1.6.5. +

+
+ +

The Apache Tomcat team is proud to announce the immediate availability of + Tomcat Native 1.2.17. This is a bugfix release that also updates the + dependencies for the Windows binaries and includes Windows binaries built with + OpenSSL 1.0.2o and APR 1.6.3. +

+
+
+ +
diff -Nru tomcat-native-1.2.17/xdocs/project.xml tomcat-native-1.2.21/xdocs/project.xml --- tomcat-native-1.2.17/xdocs/project.xml 2017-08-02 19:29:35.000000000 +0000 +++ tomcat-native-1.2.21/xdocs/project.xml 2018-06-15 16:10:42.000000000 +0000 @@ -34,6 +34,7 @@ + diff -Nru tomcat-native-1.2.17/xdocs/style.xsl tomcat-native-1.2.21/xdocs/style.xsl --- tomcat-native-1.2.17/xdocs/style.xsl 2018-01-04 17:28:38.000000000 +0000 +++ tomcat-native-1.2.21/xdocs/style.xsl 2019-01-01 21:42:03.000000000 +0000 @@ -125,7 +125,7 @@