svn commit: r1648227 - in /tomcat/jk/trunk/native/common: jk_ajp_common.c jk_ajp_common.h jk_lb_worker.h jk_shm.h jk_status.c
Author: rjung Date: Sun Dec 28 17:12:59 2014 New Revision: 1648227 URL: http://svn.apache.org/r1648227 Log: Let JK_SHM_STR_SIZ be the full byte size including terminating 0 byte. Keep copying and comparing JK_SHM_STR_SIZ bytes. This is now one more byte, but we assume string length to be at most JK_SHM_STR_SIZ-1 and we don't want unexpected string truncation to happen. Still need to add length checks for the configuration input parameters. Modified: tomcat/jk/trunk/native/common/jk_ajp_common.c tomcat/jk/trunk/native/common/jk_ajp_common.h tomcat/jk/trunk/native/common/jk_lb_worker.h tomcat/jk/trunk/native/common/jk_shm.h tomcat/jk/trunk/native/common/jk_status.c Modified: tomcat/jk/trunk/native/common/jk_ajp_common.c URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_ajp_common.c?rev=1648227&r1=1648226&r2=1648227&view=diff == --- tomcat/jk/trunk/native/common/jk_ajp_common.c (original) +++ tomcat/jk/trunk/native/common/jk_ajp_common.c Sun Dec 28 17:12:59 2014 @@ -1099,7 +1099,7 @@ void jk_ajp_pull(ajp_worker_t * aw, int { int address_change = JK_FALSE; int port = 0; -char host[JK_SHM_STR_SIZ+1]; +char host[JK_SHM_STR_SIZ]; jk_sockaddr_t inet_addr; JK_TRACE_ENTER(l); Modified: tomcat/jk/trunk/native/common/jk_ajp_common.h URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_ajp_common.h?rev=1648227&r1=1648226&r2=1648227&view=diff == --- tomcat/jk/trunk/native/common/jk_ajp_common.h (original) +++ tomcat/jk/trunk/native/common/jk_ajp_common.h Sun Dec 28 17:12:59 2014 @@ -287,7 +287,7 @@ struct ajp_worker /* Shared memory worker data */ jk_shm_ajp_worker_t *s; -char name[JK_SHM_STR_SIZ+1]; +char name[JK_SHM_STR_SIZ]; /* Sequence counter starting at 0 and increasing * every time we change the config */ 
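Review bot: In the jk_ajp_pull hunk, `char host[JK_SHM_STR_SIZ]` is now exactly as large as the JK_SHM_STR_SIZ-byte copies the log message says are kept, so a source string that fills all JK_SHM_STR_SIZ bytes would leave the buffer without a terminating 0 byte. Before this change the array was one byte longer than the copied range. The copy itself is outside the hunk (jk_ajp_pull's body continues past it), so this is inferred from the log message rather than from visible lines. Until the configuration length checks mentioned in the log exist, the destination should be terminated explicitly after each copy, e.g. `host[JK_SHM_STR_SIZ - 1] = '\0';`. The same applies to the resized `name` and `host` members of struct ajp_worker and to `name`, `route`, `domain`, `redirect`, `session_cookie`, `session_path` and `session_cookie_path` in jk_lb_worker.h.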
@@ -300,7 +300,7 @@ struct ajp_worker jk_sockaddr_t worker_inet_addr;/* Contains host and port */ unsigned connect_retry_attempts; -char host[JK_SHM_STR_SIZ+1]; +char host[JK_SHM_STR_SIZ]; int port; int addr_sequence; /* Whether the address is resolved */ int maintain_time; Modified: tomcat/jk/trunk/native/common/jk_lb_worker.h URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_lb_worker.h?rev=1648227&r1=1648226&r2=1648227&view=diff == --- tomcat/jk/trunk/native/common/jk_lb_worker.h (original) +++ tomcat/jk/trunk/native/common/jk_lb_worker.h Sun Dec 28 17:12:59 2014 @@ -140,18 +140,18 @@ struct lb_sub_worker /* Shared memory worker data */ jk_shm_lb_sub_worker_t *s; -char name[JK_SHM_STR_SIZ+1]; +char name[JK_SHM_STR_SIZ]; /* Sequence counter starting at 0 and increasing * every time we change the config */ volatile unsigned int sequence; /* route */ -charroute[JK_SHM_STR_SIZ+1]; +charroute[JK_SHM_STR_SIZ]; /* worker domain */ -chardomain[JK_SHM_STR_SIZ+1]; +chardomain[JK_SHM_STR_SIZ]; /* worker redirect route */ -charredirect[JK_SHM_STR_SIZ+1]; +charredirect[JK_SHM_STR_SIZ]; /* worker distance */ int distance; /* current activation state (config) of the worker */ @@ -171,7 +171,7 @@ struct lb_worker /* Shared memory worker data */ jk_shm_lb_worker_t *s; -char name[JK_SHM_STR_SIZ+1]; +char name[JK_SHM_STR_SIZ]; /* Sequence counter starting at 0 and increasing * every time we change the config */ 
@@ -197,11 +197,11 @@ struct lb_worker unsigned int max_packet_size; unsigned int next_offset; /* Session cookie */ -char session_cookie[JK_SHM_STR_SIZ+1]; +char session_cookie[JK_SHM_STR_SIZ]; /* Session path */ -char session_path[JK_SHM_STR_SIZ+1]; +char session_path[JK_SHM_STR_SIZ]; int set_session_cookie; -char session_cookie_path[JK_SHM_STR_SIZ+1]; +char session_cookie_path[JK_SHM_STR_SIZ]; }; typedef struct lb_worker lb_worker_t; Modified: tomcat/jk/trunk/native/common/jk_shm.h URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_shm.h?rev=1648227&r1=1648226&r2=1648227&view=diff == --- tomcat/jk/trunk/native/common/jk_shm.h (original) +++ tomcat/jk/trunk/native/common/jk_shm.h Sun Dec 28 17:12:59 2014 @@ -42,7 +42,7 @@ extern "C" #define JK_SHM_MAJOR'1' #define JK_SHM_MINOR'3' -#define JK_SHM_STR_SIZ (JK_ALIGN(JK_MAX_NAME_LEN + 1, 8) - 1) +#define JK_SHM_STR_SIZ (JK_ALIGN(JK_MAX_NAME_LEN + 1, 8)) #define JK_SHM_MAGIC'!', 'J', 'K', 'S', 'H', 'M', JK_SHM_MAJOR, JK_SHM_MINOR #define JK_SHM_
Re: svn commit: r1647530 - in /tomcat/trunk: java/org/apache/coyote/http11/Http11AprProtocol.java java/org/apache/tomcat/util/net/AprEndpoint.java java/org/apache/tomcat/util/net/LocalStrings.properti
Mark, On 12/23/14 5:09 AM, ma...@apache.org wrote: > Author: markt > Date: Tue Dec 23 10:09:03 2014 > New Revision: 1647530 > > URL: http://svn.apache.org/r1647530 > Log: > Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57391 > Allow TLS Session Tickets to be disabled. > Patch provided by Josiah Purtlebaugh. > > Modified: > tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java > tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java > tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties > tomcat/trunk/webapps/docs/config/http.xml > > Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1647530&r1=1647529&r2=1647530&view=diff > == > --- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java > (original) > +++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Tue Dec > 23 10:09:03 2014 
> @@ -183,6 +183,13 @@ public class Http11AprProtocol extends A > public boolean getSSLDisableCompression() { return > ((AprEndpoint)getEndpoint()).getSSLDisableCompression(); } > public void setSSLDisableCompression(boolean disable) { > ((AprEndpoint)getEndpoint()).setSSLDisableCompression(disable); } > > +/** > + * Disable TLS Session Tickets (RFC 4507). > + */ > +public boolean getSSLDisableSessionTickets() { return > ((AprEndpoint)getEndpoint()).getSSLDisableSessionTickets(); } > +public void setSSLDisableSessionTickets(boolean enable) { > ((AprEndpoint)getEndpoint()).setSSLDisableSessionTickets(enable); } > + > + > // - JMX related > methods > > @Override > > Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1647530&r1=1647529&r2=1647530&view=diff > == > --- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) > +++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Dec 23 > 10:09:03 2014 > @@ -271,6 +271,12 @@ public class AprEndpoint extends Abstrac > public String getSSLCARevocationFile() { return SSLCARevocationFile; } > public void setSSLCARevocationFile(String SSLCARevocationFile) { > this.SSLCARevocationFile = SSLCARevocationFile; } > > +/** > + * SSL disable TLS Session Tickets (RFC 4507). > + */ > +protected boolean SSLDisableSessionTickets = false; > +public boolean getSSLDisableSessionTickets() { return > SSLDisableSessionTickets; } > +public void setSSLDisableSessionTickets(boolean > SSLDisableSessionTickets) { this.SSLDisableSessionTickets = > SSLDisableSessionTickets; } > > /** > * SSL verify client. 
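Review bot: The new setter in Http11AprProtocol is declared as `setSSLDisableSessionTickets(boolean enable)`, but passing true disables session tickets, so the parameter name says the opposite of its effect. The context line just above uses `setSSLDisableCompression(boolean disable)`, and the new setter should follow it: `public void setSSLDisableSessionTickets(boolean disable) { ((AprEndpoint)getEndpoint()).setSSLDisableSessionTickets(disable); }`. The Javadoc on both new members cites RFC 4507, which has been obsoleted by RFC 5077, so the comment could read `Disable TLS Session Tickets (RFC 5077).`. Both class bodies start and end outside the quoted hunks.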
> @@ -575,6 +581,24 @@ public class AprEndpoint extends Abstrac >SSL.versionString())); > } > } > + > +// Disable TLS Session Tickets (RFC4507) to protect perfect > forward secrecy > +if (SSLDisableSessionTickets) { > +boolean disableSessionTicketsSupported = false; > +try { > +disableSessionTicketsSupported = > SSL.hasOp(SSL.SSL_OP_NO_TICKET); > +if (disableSessionTicketsSupported) > +SSLContext.setOptions(sslContext, > SSL.SSL_OP_NO_TICKET); I think if the user requests disabled session tickets and the SSL library doesn't "have" that option-code, we should fail, here, instead of silently ignoring the request. I believe this is justified based upon the security implications of the setting. -chris > +} catch (UnsatisfiedLinkError e) { > +// Ignore > +} > + > +if (!disableSessionTicketsSupported) { > +// OpenSSL is too old to support TLS Session Tickets. > + > log.warn(sm.getString("endpoint.warn.noDisableSessionTickets", > + SSL.versionString())); > +} > +} > > // List the ciphers that the client is permitted to negotiate > SSLContext.setCipherSuite(sslContext, SSLCipherSuite); > > Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1647530&r1=1647529&r2=1647530&view=diff > == > --- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties > (original) > +++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalSt
[GUMP@vmgump]: Project tomcat-native-make (in module tomcat-native) failed
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-native-make has an issue affecting its community integration. This issue affects 4 projects, and has been outstanding for 40 runs. The current state of this project is 'Failed', with reason 'Build Failed'. For reference only, the following projects are affected by this: - tomcat-native-make : Tomcat native library using Apache Portable Runtime - tomcat-native-make-install : Tomcat native library using Apache Portable Runtime - tomcat-tc8.0.x-test-apr : Tomcat 8.x, a web server implementing the Java Servlet 3.1, ... - tomcat-trunk-test-apr : Tomcat 9.x, a web server implementing the Java Servlet 4.0, ... Full details are available at: http://vmgump.apache.org/gump/public/tomcat-native/tomcat-native-make/index.html That said, some information snippets are provided here. The following annotations (debug/informational/warning/error messages) were provided: -INFO- Failed with reason build failed The following work was performed: http://vmgump.apache.org/gump/public/tomcat-native/tomcat-native-make/gump_work/build_tomcat-native_tomcat-native-make.html Work Name: build_tomcat-native_tomcat-native-make (Type: Build) Work ended in a state of : Failed Elapsed: 10 secs Command Line: make [Working Directory: /srv/gump/public/workspace/tomcat-native/native] - make[1]: Entering directory `/srv/gump/public/workspace/tomcat-native/native' /bin/bash /srv/gump/public/workspace/apr-1/dest-20141229/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl/dest-20141229/include 
-I/srv/gump/public/workspace/apr-1/dest-20141229/include/apr-1 -o src/address.lo -c src/address.c && touch src/address.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20141229/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl/dest-20141229/include -I/srv/gump/public/workspace/apr-1/dest-20141229/include/apr-1 -o src/bb.lo -c src/bb.c && touch src/bb.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20141229/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl/dest-20141229/include -I/srv/gump/public/workspace/apr-1/dest-20141229/include/apr-1 -o src/dir.lo -c src/dir.c && touch src/dir.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20141229/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl/dest-20141229/include -I/srv/gump/public/workspace/apr-1/dest-20141229/include/apr-1 -o src/error.lo -c src/error.c && touch src/error.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20141229/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux 
-I/srv/gump/public/workspace/openssl/dest-20141229/include -I/srv/gump/public/workspace/apr-1/dest-20141229/include/apr-1 -o src/file.lo -c src/file.c && touch src/file.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20141229/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl/dest-20141229/include -I/srv/gump/public/workspace/apr-1/dest-20141229/include/apr-1 -o src/info.lo -c src/info.c && touch src/info.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20141229/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -I/srv/gump/public/workspace/tomca