From 4395d7a0b1519eae4c99d4a5cdb79bcb182790be Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 6 Nov 2024 13:56:19 -0700 Subject: [PATCH 1/5] JNI/JSSE: use select() for Windows since no poll() available --- native/com_wolfssl_WolfSSLSession.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/native/com_wolfssl_WolfSSLSession.c b/native/com_wolfssl_WolfSSLSession.c index 8f50f2c1..a697ad3e 100644 --- a/native/com_wolfssl_WolfSSLSession.c +++ b/native/com_wolfssl_WolfSSLSession.c @@ -32,11 +32,11 @@ #include #include #include -#endif -#ifdef WOLFJNI_USE_IO_SELECT - #include -#else - #include + #if defined(WOLFJNI_USE_IO_SELECT) + #include + #else + #include + #endif #endif #ifndef WOLFSSL_JNI_DEFAULT_PEEK_TIMEOUT @@ -615,7 +615,8 @@ enum { WOLFJNI_IO_EVENT_INVALID_TIMEOUT = -17 }; -#ifdef WOLFJNI_USE_IO_SELECT +/* Windows doesn't have poll(), use select() */ +#if defined(WOLFJNI_USE_IO_SELECT) || defined(USE_WINDOWS_API) /* Perform a select() call on the underlying socket to wait for socket to be * ready for read/write, or timeout. Note that we explicitly set the underlying @@ -787,7 +788,7 @@ static int socketPoll(int sockfd, int timeout_ms, int rx, int tx) return WOLFJNI_IO_EVENT_FAIL; } -#endif /* WOLFJNI_USE_IO_SELECT */ +#endif /* WOLFJNI_USE_IO_SELECT | USE_WINDOWS_API */ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_connect (JNIEnv* jenv, jobject jcl, jlong sslPtr, jint timeout) From e45ba59ffc3ca0605f793c808a2806d803dc19d3 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 6 Nov 2024 13:58:51 -0700 Subject: [PATCH 2/5] JSSE: bump version to 1.14 --- README.md | 2 +- build.xml | 2 +- pom.xml | 2 +- src/java/com/wolfssl/provider/jsse/WolfSSLProvider.java | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index ca1da561..3e4e5217 100644 --- a/README.md +++ b/README.md @@ -186,7 +186,7 @@ an application can include this as a dependency in the application's com.wolfssl wolfssl-jsse - 1.13.0-SNAPSHOT + 1.14.0-SNAPSHOT ... diff --git a/build.xml b/build.xml index 2f8087d3..53fa1eb2 100644 --- a/build.xml +++ b/build.xml @@ -14,7 +14,7 @@ - + diff --git a/pom.xml b/pom.xml index a0acf67a..afb25b5c 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ 4.0.0 com.wolfssl wolfssl-jsse - 1.13.0-SNAPSHOT + 1.14.0-SNAPSHOT jar wolfssl-jsse https://www.wolfssl.com diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLProvider.java b/src/java/com/wolfssl/provider/jsse/WolfSSLProvider.java index eeae927f..ec4209a7 100644 --- a/src/java/com/wolfssl/provider/jsse/WolfSSLProvider.java +++ b/src/java/com/wolfssl/provider/jsse/WolfSSLProvider.java @@ -73,8 +73,8 @@ public void errorCallback(int ok, int err, String hash) { * wolfSSL JSSE Provider class */ public WolfSSLProvider() { - super("wolfJSSE", 1.13, "wolfSSL JSSE Provider"); - //super("wolfJSSE", "1.13", "wolfSSL JSSE Provider"); + super("wolfJSSE", 1.14, "wolfSSL JSSE Provider"); + //super("wolfJSSE", "1.14", "wolfSSL JSSE Provider"); /* load native wolfSSLJNI library */ WolfSSL.loadLibrary(); From 31815eeed2b5e283008a95b920d2987a73fdc4c3 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 6 Nov 2024 15:47:55 -0700 Subject: [PATCH 3/5] JNI/JSSE: adjust README for Windows builds --- IDE/WIN/README.md | 50 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 41 insertions(+), 9 deletions(-) diff --git a/IDE/WIN/README.md b/IDE/WIN/README.md index 96a095b8..3a312ea1 100644 --- a/IDE/WIN/README.md +++ b/IDE/WIN/README.md @@ -137,6 +137,7 @@ section titled `/* Configuration */`: ``` #define WOLFSSL_JNI #define HAVE_EX_DATA +#define OPENSSL_EXTRA #define OPENSSL_ALL #define HAVE_CRL #define HAVE_OCSP @@ -146,9 +147,16 @@ section titled `/* Configuration */`: #define HAVE_DH #define WOLFSSL_CERT_EXT #define WOLFSSL_CERT_GEN +#define WOLFSSL_KEY_GEN +#define WOLFSSL_CERT_REQ +#define WOLFSSL_ALT_NAMES #define HAVE_TLS_EXTENSIONS #define HAVE_SNI #define HAVE_ALPN +#define KEEP_PEER_CERT +#define SESSION_CERTS +#define WOLFSSL_ALT_CERT_CHAINS +#define WOLFSSL_ALWAYS_VERIFY_CB ``` After editing and saving the `user_settings.h` file, select one of the following @@ -171,10 +179,13 @@ When bulding wolfSSL JNI/JSSE, the Visual Studio project file for that library will look in the above locations to link against the wolfSSL DLL matching the same build configuration. -## wolfSSL FIPS 140-2 (Certificate #3389) +## wolfSSL FIPS 140-2 (Certificate #3389, Now Historical) + +Please consider looking at and migrating to wolfSSL's new FIPS 140-3 +validated version of wolfCrypt. Email fips@wolfssl.com for more information. To build a wolfSSL FIPS 140-2 variant of wolfSSL for use with FIPS 140-2 -certificate #3389 or later, use the Visual Studio solution file located under +certificate #3389, use the Visual Studio solution file located under the `IDE\WIN10` directory inside the wolfSSL FIPS release package: ``` @@ -216,6 +227,7 @@ and set the values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, and ``` #define WOLFSSL_JNI #define HAVE_EX_DATA +#define OPENSSL_EXTRA #define OPENSSL_ALL #define HAVE_CRL #define HAVE_OCSP @@ -225,9 +237,16 @@ and set the values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, and #define HAVE_DH #define WOLFSSL_CERT_EXT #define WOLFSSL_CERT_GEN +#define WOLFSSL_KEY_GEN +#define WOLFSSL_CERT_REQ +#define WOLFSSL_ALT_NAMES #define HAVE_TLS_EXTENSIONS #define HAVE_SNI #define HAVE_ALPN +#define KEEP_PEER_CERT +#define SESSION_CERTS +#define WOLFSSL_ALT_CERT_CHAINS +#define WOLFSSL_ALWAYS_VERIFY_CB ``` 6. Build the `wolfssl-fips` project, which will create a DLL in one of the @@ -254,19 +273,20 @@ in the wolfCrypt tests successfully running. See the FIPS User Guide for more details on the FIPS verifyCore hash, or email support@wolfssl.com. -## wolfSSL FIPS 140-3 (Upcoming) +## wolfSSL FIPS 140-3 (Certificate #4718) -To build a version of wolfSSL that has been submitted for FIPS 140-3, use -the Visual Studio solution file under the `IDE\WIN10` directory inside the -wolfSSL package: +To build a wolfSSL FIPS 140-3 variant for use with FIPS 140-3 certificate +#4718, use the Visual Studio solution file located in the `IDE/WIN10` +directory inside the wolfSSL package: ``` \IDE\WIN10\wolfssl-fips.sln ``` Follow instructions in the above section for 140-2 / 3389, except use the -following values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, and -`HAVE_FIPS_VERSION_MINOR` in `user_settings.h`: +following values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, +`HAVE_FIPS_VERSION_MAJOR`, `HAVE_FIPS_VERSION_MINOR`, and +`HAVE_FIPS_VERSION_PATCH` in `user_settings.h`: ``` #if 1 @@ -274,8 +294,12 @@ following values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, and #define HAVE_FIPS #undef HAVE_FIPS_VERSION #define HAVE_FIPS_VERSION 5 +#undef HAVE_FIPS_VERSION_MAJOR +#define HAVE_FIPS_VERSION_MAJOR 5 #undef HAVE_FIPS_VERSION_MINOR -#define HAVE_FIPS_VERSION_MINOR 1 +#define HAVE_FIPS_VERSION_MINOR 2 +#undef HAVE_FIPS_VERSION_PATCH +#define HAVE_FIPS_VERSION_PATCH 0 #endif ``` @@ -285,6 +309,7 @@ The following additional defines will also need to be added to ``` #define WOLFSSL_JNI #define HAVE_EX_DATA +#define OPENSSL_EXTRA #define OPENSSL_ALL #define HAVE_CRL #define HAVE_OCSP @@ -294,9 +319,16 @@ The following additional defines will also need to be added to #define HAVE_DH #define WOLFSSL_CERT_EXT #define WOLFSSL_CERT_GEN +#define WOLFSSL_KEY_GEN +#define WOLFSSL_CERT_REQ +#define WOLFSSL_ALT_NAMES #define HAVE_TLS_EXTENSIONS #define HAVE_SNI #define HAVE_ALPN +#define KEEP_PEER_CERT +#define SESSION_CERTS +#define WOLFSSL_ALT_CERT_CHAINS +#define WOLFSSL_ALWAYS_VERIFY_CB ``` For additional help, contact support@wolfssl.com. From b91676cd210ff097f8c16a31a2bae38558384c00 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 6 Nov 2024 15:48:37 -0700 Subject: [PATCH 4/5] JSSE: WolfSSLTrustX509Test, only run RSA-PSS TLS 1.3 test if both are compiled in --- .../com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java b/src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java index 649b4670..9aeeb2f3 100644 --- a/src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java +++ b/src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java @@ -1514,8 +1514,9 @@ public void testCheckServerTrustedWithDuplicatedRootInChain() @Test public void testUsingRsaPssCert() throws Exception { - /* skip if RSA_PSS is not compiled in at native level */ - if (WolfSSL.RsaPssEnabled() == false) { + /* skip if RSA_PSS or TLS 1.3 are not compiled in at native level */ + if ((WolfSSL.RsaPssEnabled() == false) || + (WolfSSL.TLSv13Enabled() == false)) { return; } From 13e73db1dd596aa2a7adeb4bde0deb20ae58cef5 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 6 Nov 2024 17:25:21 -0700 Subject: [PATCH 5/5] Update ChangeLog for 1.14 release --- ChangeLog.md | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index 0d42277a..cd6a923d 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,70 @@ +### wolfSSL JNI Release 1.14.0 (11/7/2024) + +Release 1.14.0 has bug fixes and new features including: + +**New JSSE Functionality:** +* Add wolfJCE WKS KeyStore type support (PR 178) +* Add support for native `poll()` and set as default over `select()` (PR 201) +* Add `getSSLParameters()` to SSLServerSocket implementation (PR 214) +* Add `rsa_pss` support and tests to wolfJSSE (PR 218) +* Add LDAPS endpoint identification to X509ExtendedTrustManager (PR 227) + +**JSSE System/Security Property Support:** +* Add option to print debug logs in JSON format (`wolfjsse.debugFormat=JSON`) (PR 187) +* Add Security property to disable Java client session cache (`wolfjsse.clientSessionCache.disabled=true`) (PR 225) + +**JSSE Changes:** +* Fix for native memory leak when calling `wolfSSL_get_peer_certificate()` (PR 188) +* Optimization to allow for easier garbage collection (PR 189) +* Fix for SSLEngine session storage and unwrap() FINISHED state (PR 193) +* Fix to not close SSLSocket when SSLServerSocket is closed (PR 194) +* Fix for getting end of stream when calling InputStream.read() (PR 195) +* Fix for throwing exceptions on KeyManagerFactory/TrustManagerFactory use before init (PR 196) +* Fix for SSLEngine HandshakeStatus when receiving TLS 1.3 session tickets after handshake (PR 197) +* Throw SSLException to indicate lack of renegotiation support in `SSLEngine.beginHandshake()` (PR 197) +* Fix to mark inbound and outbound closed in SSLEngine when fatal alerts are received (PR 197) +* Return `X509Certificate[]` from `SSLSession.getPeerCertificates()` (PR 199) +* Remove unneeded `SSLServerSocket.close()` method (PR 200) +* Fix `SSLSession.getLocalPrincipal()` to assume user cert is first in chain (PR 204) +* Ensure that socket is closed if implicit handshake in `SSLSocket.getSession()` fails (PR 205) +* If SSLSocket handshake is unsuccessful, close Socket before throwing an exception (PR 205) +* Close SSLEngine inbound on ALPN protocol name error (PR 208) +* Adjust client-side session resumption to check cipher suite and protocol (PR 209) +* Pass lower level exception messages up during X509TrustManager verification (PR 211) +* Refactor code calls not available in Android API 24 (PR 216) +* Fix to return end of stream in `InputStream.read()` on socket error (PR 217) +* Fix to update the TLS protocol in SSLSession after handshake completes (PR 219) +* Fix potential deadlock on close() between SSLSocket and Input/OutputStream (PR 220) +* Fixes for issues found with SpotBugs (PR 221) +* Clean up ant build warnings on Corretto 20.0.1 (PR 223) +* Error out on invalid port during creation of SSLEngine (PR 224) +* Correct SSLSocket exception types and fix setting of native file descriptor (PR 228) +* Fix deadlock issues between `SSLSocket close()` and `OutputStream.write()` (PR 230) + +**New JNI Wrapped APIs and Functionality:** +* `wolfSSL_SessionIsSetup()` (PR 191) +* `wolfSSL_SESSION_dup()` (PR 206) + +**JNI Changes:** +* Fix for JNI example use of TLS 1.3 secret callback strings (PR 192) + +**Example Changes:** +* Add Host into HTTP GET in example ClientJSSE when used with `-g` (PR 213) +* Add example JNI-only threaded client/server applications (PR 212) +* Add basic RMI example client and server (PR 226) + +**Debugging Changes:** +* Fix typo in SSLEngine debug logs (PR 203) + +**Testing Changes:** +* Run Facebook Infer on all PRs with GitHub Actions (PR 190) +* Run TLS 1.0 and 1.1 tests if enabled in native wolfSSL even if disabled in `java.security` (PR 198) +* Add GitHub Actions PRB test for Android gradle build (PR 222) + +The wolfSSL JNI Manual is available at: +https://www.wolfssl.com/documentation/manuals/wolfssljni. For build +instructions and more detailed comments, please check the manual. + ### wolfSSL JNI Release 1.13.0 (4/9/2024) Release 1.13.0 has bug fixes and new features including: