diff -pruN 1.2.17-1/build.properties.default 1.2.18-1/build.properties.default --- 1.2.17-1/build.properties.default 2018-06-07 09:30:12.000000000 +0000 +++ 1.2.18-1/build.properties.default 2018-10-17 20:50:43.000000000 +0000 @@ -18,7 +18,7 @@ # ----- Version Control Flags ----- version.major=1 version.minor=2 -version.build=17 +version.build=18 version.patch=0 version.suffix= diff -pruN 1.2.17-1/CHANGELOG.txt 1.2.18-1/CHANGELOG.txt --- 1.2.17-1/CHANGELOG.txt 2018-06-07 10:01:20.000000000 +0000 +++ 1.2.18-1/CHANGELOG.txt 2018-10-17 20:51:36.000000000 +0000 @@ -2,6 +2,17 @@ This is the Changelog for Tomcat Native 1.2. + Changes in 1.2.18 + + * Fix: 62641: libtool invocations should use --tag=CC. (michaelo) + * Code: Remove support for Netware as there has not been a supported + Netware platform for a number of years. (markt) + * Add: 62748: Add support for TLS 1.3 when built with OpenSSL 1.1.1 or + equivalent. (schultz/markt) + * Add: Expose the API necessary for CLIENT-CERT authentication to be + correctly supported when using Tomcat's JSSE implementation backed by + OpenSSL. (markt) + Changes in 1.2.17 * Fix: 62094: Certificate verification using CRL with Tomcat APR diff -pruN 1.2.17-1/debian/changelog 1.2.18-1/debian/changelog --- 1.2.17-1/debian/changelog 2018-06-12 13:22:46.000000000 +0000 +++ 1.2.18-1/debian/changelog 2018-11-06 09:47:37.000000000 +0000 @@ -1,3 +1,11 @@ +tomcat-native (1.2.18-1) unstable; urgency=medium + + * Team upload. + * New upstream release + * Standards-Version updated to 4.2.1 + + -- Emmanuel Bourg Tue, 06 Nov 2018 10:47:37 +0100 + tomcat-native (1.2.17-1) unstable; urgency=medium * Team upload. diff -pruN 1.2.17-1/debian/control 1.2.18-1/debian/control --- 1.2.17-1/debian/control 2018-06-12 13:11:42.000000000 +0000 +++ 1.2.18-1/debian/control 2018-11-06 09:41:28.000000000 +0000 
@@ -9,7 +9,7 @@ Build-Depends: dpkg-dev (>= 1.16.1~), libapr1-dev, libssl-dev -Standards-Version: 4.1.4 +Standards-Version: 4.2.1 Vcs-Git: https://salsa.debian.org/java-team/tomcat-native.git Vcs-Browser: https://salsa.debian.org/java-team/tomcat-native Homepage: http://tomcat.apache.org/native-doc/ diff -pruN 1.2.17-1/debian/watch 1.2.18-1/debian/watch --- 1.2.17-1/debian/watch 2018-06-12 13:12:07.000000000 +0000 +++ 1.2.18-1/debian/watch 2018-11-06 09:41:28.000000000 +0000 @@ -1,2 +1,3 @@ -version=3 +version=4 +opts="repack,compression=xz" \ https://www.apache.org/dist/tomcat/tomcat-connectors/native/([\d\.]+)/source/tomcat-native-([\d\.]+)-src\.tar\.gz debian uupdate diff -pruN 1.2.17-1/docs/index.html 1.2.18-1/docs/index.html --- 1.2.17-1/docs/index.html 2018-06-07 10:01:20.000000000 +0000 +++ 1.2.18-1/docs/index.html 2018-10-17 20:51:36.000000000 +0000 @@ -1,5 +1,5 @@ -Apache Tomcat Native Library - Documentation Index

Documentation Index

Introduction

+Apache Tomcat Native Library - Documentation Index

Documentation Index

Introduction

The Apache Tomcat Native Library is an optional component for use with @@ -27,10 +27,10 @@

Headlines

    -
  • 20 November 2017 - TC-Native-1.2.16 +
  • 13 June 2018 - TC-Native-1.2.17 released

    The Apache Tomcat team is proud to announce the immediate availability of -Tomcat Native 1.2.16 Stable.

    +Tomcat Native 1.2.17 Stable.

    The sources and the binaries for selected platforms are available from the Download page. diff -pruN 1.2.17-1/docs/miscellaneous/changelog.html 1.2.18-1/docs/miscellaneous/changelog.html --- 1.2.17-1/docs/miscellaneous/changelog.html 2018-06-07 10:01:20.000000000 +0000 +++ 1.2.18-1/docs/miscellaneous/changelog.html 2018-10-17 20:51:36.000000000 +0000 @@ -3,6 +3,25 @@

    This is the Changelog for Tomcat Native 1.2.

    +

Changes in 1.2.18

+
    +
  • Fix: + 62641: libtool invocations should use --tag=CC. (michaelo) +
  • +
  • Code: + Remove support for Netware as there has not been a supported Netware + platform for a number of years. (markt) +
  • +
  • Add: + 62748: Add support for TLS 1.3 when built with OpenSSL 1.1.1 or + equivalent. (schultz/markt) +
  • +
  • Add: + Expose the API necessary for CLIENT-CERT authentication to be correctly + supported when using Tomcat's JSSE implementation backed by OpenSSL. + (markt) +
  • +

Changes in 1.2.17

  • Fix: diff -pruN 1.2.17-1/docs/news/2018.html 1.2.18-1/docs/news/2018.html --- 1.2.17-1/docs/news/2018.html 1970-01-01 00:00:00.000000000 +0000 +++ 1.2.18-1/docs/news/2018.html 2018-10-17 20:51:36.000000000 +0000 @@ -0,0 +1,12 @@ + +The Apache Tomcat Native - News - 2018 News and Status

    2018 News and Status

    2018 News & Status

    +

    13 Jun 2018 - TC-Native-1.2.17 released

    +

    The Apache Tomcat team is proud to announce the immediate availability of + Tomcat Native 1.2.17. This is a bugfix release that also updates the + dependencies for the Windows binaries and includes Windows binaries built with + OpenSSL 1.0.2o and APR 1.6.3. +

    +
    +
    \ No newline at end of file diff -pruN 1.2.17-1/java/org/apache/tomcat/jni/Library.java 1.2.18-1/java/org/apache/tomcat/jni/Library.java --- 1.2.17-1/java/org/apache/tomcat/jni/Library.java 2015-11-02 15:17:57.000000000 +0000 +++ 1.2.18-1/java/org/apache/tomcat/jni/Library.java 2018-10-17 20:19:26.000000000 +0000 @@ -34,12 +34,12 @@ public final class Library { private Library() throws Exception { boolean loaded = false; - String path = System.getProperty("java.library.path"); - String [] paths = path.split(File.pathSeparator); StringBuilder err = new StringBuilder(); + File binLib = new File(System.getProperty("catalina.home"), "bin"); for (int i = 0; i < NAMES.length; i++) { + File library = new File(binLib, System.mapLibraryName(NAMES[i])); try { - System.loadLibrary(NAMES[i]); + System.load(library.getAbsolutePath()); loaded = true; } catch (ThreadDeath t) { throw t; @@ -48,13 +48,9 @@ public final class Library { // the JNI code identical between Tomcat 6/7/8/9 throw t; } catch (Throwable t) { - String name = System.mapLibraryName(NAMES[i]); - for (int j = 0; j < paths.length; j++) { - java.io.File fd = new java.io.File(paths[j] , name); - if (fd.exists()) { - // File exists but failed to load - throw t; - } + if (library.exists()) { + // File exists but failed to load + throw t; } if (i > 0) { err.append(", "); 
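Review bot: `System.getProperty("catalina.home")` is used unchecked in the new `File binLib = new File(System.getProperty("catalina.home"), "bin");` line. When that property is unset, `new File((String) null, "bin")` yields the relative path `bin`, so `library.getAbsolutePath()` resolves against the process working directory and `System.load` takes a native library from wherever the JVM happened to be started. Native code loaded this way runs with the full privileges of the JVM, so the first attempt should be skipped when the property is missing: read it into `String home = System.getProperty("catalina.home");` and wrap the first loop in `if (home != null) { ... }`, leaving the `java.library.path` fallback added in the next hunk as the only route. The constructor body continues outside this hunk.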
@@ -66,6 +62,38 @@ public final class Library { } } if (!loaded) { + String path = System.getProperty("java.library.path"); + String [] paths = path.split(File.pathSeparator); + for (int i = 0; i < NAMES.length; i++) { + try { + System.loadLibrary(NAMES[i]); + loaded = true; + } catch (ThreadDeath t) { + throw t; + } catch (VirtualMachineError t) { + // Don't use a Java 7 multiple exception catch so we can keep + // the JNI code identical between Tomcat 6/7/8/9 + throw t; + } catch (Throwable t) { + String name = System.mapLibraryName(NAMES[i]); + for (int j = 0; j < paths.length; j++) { + java.io.File fd = new java.io.File(paths[j] , name); + if (fd.exists()) { + // File exists but failed to load + throw t; + } + } + if (err.length() > 0) { + err.append(", "); + } + err.append(t.getMessage()); + } + if (loaded) { + break; + } + } + } + if (!loaded) { StringBuilder names = new StringBuilder(); for (String name : NAMES) { names.append(name); 
@@ -226,4 +254,41 @@ public final class Library { } return initialize(); } + + /** + * Calls System.load(filename). System.load() associates the + * loaded library with the class loader of the class that called + * the System method. A native library may not be loaded by more + * than one class loader, so calling the System method from a class that + * was loaded by a Webapp class loader will make it impossible for + * other Webapps to load it. + * + * Using this method will load the native library via a shared class + * loader (typically the Common class loader, but may vary in some + * configurations), so that it can be loaded by multiple Webapps. + * + * @param filename - absolute path of the native library + */ + public static void load(String filename){ + System.load(filename); + } + + /** + * Calls System.loadLibrary(libname). System.loadLibrary() associates the + * loaded library with the class loader of the class that called + * the System method. A native library may not be loaded by more + * than one class loader, so calling the System method from a class that + * was loaded by a Webapp class loader will make it impossible for + * other Webapps to load it. + * + * Using this method will load the native library via a shared class + * loader (typically the Common class loader, but may vary in some + * configurations), so that it can be loaded by multiple Webapps. + * + * @param libname - the name of the native library + */ + public static void loadLibrary(String libname){ + System.loadLibrary(libname); + } + } diff -pruN 1.2.17-1/java/org/apache/tomcat/jni/OS.java 1.2.18-1/java/org/apache/tomcat/jni/OS.java --- 1.2.17-1/java/org/apache/tomcat/jni/OS.java 2016-01-18 15:03:55.000000000 +0000 +++ 1.2.18-1/java/org/apache/tomcat/jni/OS.java 2018-09-03 09:47:49.000000000 +0000 
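Review bot: The Javadoc on the new public `load(String filename)` and `loadLibrary(String libname)` explains the class-loader effect but not the trust boundary: both hand a caller-supplied path or name straight to `System.load`/`System.loadLibrary`, and the library is then bound to the shared loader. I would add a sentence to each, for example `The argument is not validated; pass only locations that are writable by the Tomcat administrator alone.`, and state how the methods behave under a SecurityManager (no `doPrivileged` is visible here, so the caller's own link permission presumably still applies). As a style point, the `@param` descriptions should drop the leading `- ` and the signatures want a space before `{`.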
@@ -25,7 +25,6 @@ public class OS { /* OS Enums */ private static final int UNIX = 1; - private static final int NETWARE = 2; private static final int WIN32 = 3; private static final int WIN64 = 4; private static final int LINUX = 5; @@ -47,7 +46,13 @@ public class OS { private static native boolean is(int type); public static final boolean IS_UNIX = is(UNIX); - public static final boolean IS_NETWARE = is(NETWARE); + /** + * @deprecated Hard-coded to false since there has not been a supported + * Netware platform for many years. + * This will be removed in Tomcat 10 onwards + */ + @Deprecated + public static final boolean IS_NETWARE = false; public static final boolean IS_WIN32 = is(WIN32); public static final boolean IS_WIN64 = is(WIN64); public static final boolean IS_LINUX = is(LINUX); diff -pruN 1.2.17-1/java/org/apache/tomcat/jni/Procattr.java 1.2.18-1/java/org/apache/tomcat/jni/Procattr.java --- 1.2.17-1/java/org/apache/tomcat/jni/Procattr.java 2016-01-18 15:03:55.000000000 +0000 +++ 1.2.18-1/java/org/apache/tomcat/jni/Procattr.java 2018-09-03 09:47:49.000000000 +0000 @@ -139,8 +139,8 @@ public class Procattr { * Determine if the child should start in its own address space or using the * current one from its parent * @param attr The procattr we care about. - * @param addrspace Should the child start in its own address space? Default - * is no on NetWare and yes on other platforms. + * @param addrspace Should the child start in its own address space? + * Default is yes. * @return the operation status */ public static native int addrspaceSet(long attr, int addrspace); diff -pruN 1.2.17-1/java/org/apache/tomcat/jni/SSLContext.java 1.2.18-1/java/org/apache/tomcat/jni/SSLContext.java --- 1.2.17-1/java/org/apache/tomcat/jni/SSLContext.java 2017-08-22 11:03:28.000000000 +0000 +++ 1.2.18-1/java/org/apache/tomcat/jni/SSLContext.java 2018-10-09 17:23:48.000000000 +0000 
@@ -41,6 +41,7 @@ public final class SSLContext { * {@link SSL#SSL_PROTOCOL_TLSV1} * {@link SSL#SSL_PROTOCOL_TLSV1_1} * {@link SSL#SSL_PROTOCOL_TLSV1_2} + * {@link SSL#SSL_PROTOCOL_TLSV1_3} * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL) * * @param mode SSL mode to use diff -pruN 1.2.17-1/java/org/apache/tomcat/jni/SSL.java 1.2.18-1/java/org/apache/tomcat/jni/SSL.java --- 1.2.17-1/java/org/apache/tomcat/jni/SSL.java 2017-08-19 20:50:13.000000000 +0000 +++ 1.2.18-1/java/org/apache/tomcat/jni/SSL.java 2018-10-17 20:14:20.000000000 +0000 @@ -73,7 +73,18 @@ public final class SSL { public static final int SSL_PROTOCOL_TLSV1 = (1<<2); public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3); public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4); - public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); + public static final int SSL_PROTOCOL_TLSV1_3 = (1<<5); + public static final int SSL_PROTOCOL_ALL; + + static { + if (SSL.version() >= 0x1010100f) { + SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2 | + SSL_PROTOCOL_TLSV1_3); + } else { + SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); + } + } + /* * Define the SSL verify levels 
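Review bot: `SSL_PROTOCOL_ALL` stops being a compile-time constant in the SSL.java hunk, because the new `static { if (SSL.version() >= 0x1010100f) ... }` block computes it from a native call during class initialisation, and neither consequence is documented. Code compiled against 1.2.17 has the old three-protocol value inlined and will keep excluding TLS 1.3 until it is recompiled, and touching `SSL` before the native library is loaded will now presumably fail in the initialiser rather than at the first native call. The gate also trusts the raw version number, so a library that reports a larger number without being OpenSSL 1.1.1 would get `SSL_PROTOCOL_TLSV1_3` folded into ALL regardless of support. A comment such as `// 0x1010100f is the OpenSSL 1.1.1 release, the first with TLS 1.3` plus a note on how other libraries are expected to behave would make the intent reviewable.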
@@ -555,6 +566,27 @@ public final class SSL { public static native int renegotiate(long ssl); /** + * SSL_renegotiate_pending + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ + public static native int renegotiatePending(long ssl); + + /** + * SSL_verify_client_post_handshake + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ + public static native int verifyClientPostHandshake(long ssl); + + /** + * Is post handshake authentication in progress on this connection? + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ + public static native int getPostHandshakeAuthInProgress(long ssl); + + /** * SSL_in_init. * @param ssl the SSL instance (SSL *) * @return the status diff -pruN 1.2.17-1/native/build/buildcheck.sh 1.2.18-1/native/build/buildcheck.sh --- 1.2.17-1/native/build/buildcheck.sh 2015-05-24 15:39:50.000000000 +0000 +++ 1.2.18-1/native/build/buildcheck.sh 2018-10-12 16:02:57.000000000 +0000 @@ -19,14 +19,14 @@ echo "buildconf: checking installation..." # any python -python=`build/PrintPath python` +python=${PYTHON-`build/PrintPath python3 python2 python`} if test -z "$python"; then echo "buildconf: python not found." echo " You need python installed" echo " to build Tomcat Native from SVN." exit 1 else -py_version=`python -c 'import sys; print sys.version' 2>&1|sed 's/ .*//;q'` +py_version=`$python -c 'import sys; print sys.version' 2>&1|sed 's/ .*//;q'` echo "buildconf: python version $py_version (ok)" fi diff -pruN 1.2.17-1/native/build/config.guess 1.2.18-1/native/build/config.guess --- 1.2.17-1/native/build/config.guess 2018-06-07 10:01:20.000000000 +0000 +++ 1.2.18-1/native/build/config.guess 2018-10-17 20:51:36.000000000 +0000 
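Review bot: The Javadoc for the three new natives in SSL.java does not say what the returned `int` means, and `getPostHandshakeAuthInProgress` is documented as `@return the operation status` although its summary asks a yes/no question. The native side in ssl.c (later in this diff) returns `con->pha_state == PHA_STARTED`, so `@return 1 if a post-handshake authentication request is outstanding, otherwise 0` would match the code. For `verifyClientPostHandshake` it is worth stating that 0 is also returned when the library was built without TLS 1.3 support, since a caller deciding whether a client certificate was requested cannot otherwise tell "failed" from "not available".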
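Review bot: The version probe in buildcheck.sh still uses Python 2 syntax, `print sys.version`, while the lookup just above it now prefers `python3`, so on a python3-only host the command is a syntax error whose stderr is piped through `sed` and then reported as `python version ... (ok)`. Use a form both major versions accept, `print(sys.version)`, and write the interpreter as `"$python"` since the value may now come from the caller's `PYTHON` environment variable. The check also never fails on a broken interpreter; testing the exit status of that command before printing `(ok)` would make the message mean something.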
@@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2017 Free Software Foundation, Inc. +# Copyright 1992-2018 Free Software Foundation, Inc. -timestamp='2017-09-16' +timestamp='2018-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -39,7 +39,7 @@ Usage: $0 [OPTION] Output the configuration name of the system \`$me' is run on. -Operation modes: +Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit @@ -50,7 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2017 Free Software Foundation, Inc. +Copyright 1992-2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -244,6 +244,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$ UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} exit ;; + *:MidnightBSD:*:*) + echo ${UNAME_MACHINE}-unknown-midnightbsd${UNAME_RELEASE} + exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; @@ -262,6 +265,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$ *:Redox:*:*) echo ${UNAME_MACHINE}-unknown-redox exit ;; + mips:OSF1:*.*) + echo mips-dec-osf1 + exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) 
@@ -479,13 +485,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$ #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) - printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) - printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) - printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0); #endif #endif exit (-1); @@ -608,7 +614,7 @@ EOF *:AIX:*:*) echo rs6000-ibm-aix exit ;; - ibmrt:4.4BSD:*|romp-ibm:BSD:*) + ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and @@ -629,8 +635,8 @@ EOF 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "${UNAME_MACHINE}" in - 9000/31? ) HP_ARCH=m68000 ;; - 9000/[34]?? ) HP_ARCH=m68k ;; + 9000/31?) HP_ARCH=m68000 ;; + 9000/[34]??) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` @@ -743,7 +749,7 @@ EOF { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; - 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) @@ -752,7 +758,7 @@ EOF *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; - hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) @@ -1072,7 +1078,7 @@ EOF i*86:*DOS:*:*) echo ${UNAME_MACHINE}-pc-msdosdjgpp exit ;; - i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) + i*86:*:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} 
@@ -1400,8 +1406,20 @@ EOF exit ;; esac +echo "$0: unable to guess system type" >&2 + +case "${UNAME_MACHINE}:${UNAME_SYSTEM}" in + mips:Linux | mips64:Linux) + # If we got here on MIPS GNU/Linux, output extra information. + cat >&2 <&2 < # @@ -74,7 +75,11 @@ LFLAGS = $(LFLAGS) $(APR_LIB) !IF DEFINED(WITH_FIPS) LFLAGS = $(LFLAGS) libeayfips32.lib libeaycompat32.lib ssleay32.lib /NODEFAULTLIB:LIBCMT !ELSE -LFLAGS = $(LFLAGS) libeay32.lib ssleay32.lib +!IF DEFINED(OPENSSL_NEW_LIBS) +LFLAGS = $(LFLAGS) libssl.lib libcrypto.lib crypt32.lib +!ELSE +LFLAGS = $(LFLAGS) libeay32.lib ssleay32.lib +!ENDIF !ENDIF CFLAGS = $(CFLAGS) -DZLIB_WINAPI -DNO_IDEA -DNO_RC5 -DNO_MDC2 -DOPENSSL_NO_IDEA \ diff -pruN 1.2.17-1/native/os/netware/system.c 1.2.18-1/native/os/netware/system.c --- 1.2.17-1/native/os/netware/system.c 2015-05-23 09:28:12.000000000 +0000 +++ 1.2.18-1/native/os/netware/system.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,39 +0,0 @@ -/* Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "apr.h" -#include "apr_pools.h" -#include "apr_network_io.h" -#include "apr_poll.h" - -#include "tcn.h" - -TCN_IMPLEMENT_CALL(jboolean, OS, is)(TCN_STDARGS, jint type) -{ - UNREFERENCED_STDARGS; - if (type == 2) - return JNI_TRUE; - else - return JNI_FALSE; -} - -TCN_IMPLEMENT_CALL(jint, OS, info)(TCN_STDARGS, - jlongArray inf) -{ - UNREFERENCED_STDARGS; - UNREFERENCED(inf); - return APR_ENOTIMPL; -} diff -pruN 1.2.17-1/native/os/win32/libtcnative.rc 1.2.18-1/native/os/win32/libtcnative.rc --- 1.2.17-1/native/os/win32/libtcnative.rc 2017-11-15 11:15:36.000000000 +0000 +++ 1.2.18-1/native/os/win32/libtcnative.rc 2018-10-08 16:31:29.000000000 +0000 @@ -20,7 +20,7 @@ LANGUAGE 0x9,0x1 "See the License for the specific language governing " \ "permissions and limitations under the License." -#define TCN_VERSION "1.2.17" +#define TCN_VERSION "1.2.18" 1000 ICON "apache.ico" 1001 DIALOGEX 0, 0, 252, 51 
@@ -36,8 +36,8 @@ BEGIN END 1 VERSIONINFO - FILEVERSION 1,2,17,0 - PRODUCTVERSION 1,2,17,0 + FILEVERSION 1,2,18,0 + PRODUCTVERSION 1,2,18,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L diff -pruN 1.2.17-1/native/src/proc.c 1.2.18-1/native/src/proc.c --- 1.2.17-1/native/src/proc.c 2015-05-23 09:28:12.000000000 +0000 +++ 1.2.18-1/native/src/proc.c 2018-09-03 09:54:19.000000000 +0000 @@ -311,7 +311,7 @@ TCN_IMPLEMENT_CALL(jint, Proc, detach)(T { UNREFERENCED_STDARGS; -#if defined(WIN32) || defined (NETWARE) +#if defined(WIN32) UNREFERENCED(daemonize); return APR_ENOTIMPL; #else diff -pruN 1.2.17-1/native/src/ssl.c 1.2.18-1/native/src/ssl.c --- 1.2.17-1/native/src/ssl.c 2018-06-05 06:06:06.000000000 +0000 +++ 1.2.18-1/native/src/ssl.c 2018-10-11 22:25:41.000000000 +0000 
@@ -1527,6 +1527,62 @@ TCN_IMPLEMENT_CALL(jint, SSL, renegotiat return SSL_renegotiate(ssl_); } +TCN_IMPLEMENT_CALL(jint, SSL, renegotiatePending)(TCN_STDARGS, + jlong ssl /* SSL * */) { + SSL *ssl_ = J2P(ssl, SSL *); + if (ssl_ == NULL) { + tcn_ThrowException(e, "ssl is null"); + return 0; + } + + UNREFERENCED(o); + + return SSL_renegotiate_pending(ssl_); +} + +TCN_IMPLEMENT_CALL(jint, SSL, verifyClientPostHandshake)(TCN_STDARGS, + jlong ssl /* SSL * */) { +#if defined(SSL_OP_NO_TLSv1_3) + SSL *ssl_ = J2P(ssl, SSL *); + tcn_ssl_conn_t *con; + + if (ssl_ == NULL) { + tcn_ThrowException(e, "ssl is null"); + return 0; + } + + UNREFERENCED(o); + + con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl_); + con->pha_state = PHA_STARTED; + + return SSL_verify_client_post_handshake(ssl_); +#else + return 0; +#endif +} + +TCN_IMPLEMENT_CALL(jint, SSL, getPostHandshakeAuthInProgress)(TCN_STDARGS, + jlong ssl /* SSL * */) { +#if defined(SSL_OP_NO_TLSv1_3) + SSL *ssl_ = J2P(ssl, SSL *); + tcn_ssl_conn_t *con; + + if (ssl_ == NULL) { + tcn_ThrowException(e, "ssl is null"); + return 0; + } + + UNREFERENCED(o); + + con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl_); + + return (con->pha_state == PHA_STARTED); +#else + return 0; +#endif +} + /* Read which protocol was negotiated for the given SSL *. */ TCN_IMPLEMENT_CALL(jstring, SSL, getNextProtoNegotiated)(TCN_STDARGS, jlong ssl /* SSL * */) { 
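Review bot: In `verifyClientPostHandshake` the state is set to `PHA_STARTED` before `SSL_verify_client_post_handshake` is called and `con` is never checked, so a rejected request leaves the connection reporting authentication in progress, and an `SSL *` without app data would be dereferenced as NULL; `getPostHandshakeAuthInProgress` has the same unchecked `con`. `SSLSocket.renegotiate` in sslnetwork.c (later in this diff) records the state only after the call succeeds, and the two paths should agree. The sketch below moves the assignment behind the result check and adds the guard; whether app data can actually be unset is not visible from this hunk. All three functions also return 0 after `tcn_ThrowException` and in the `#else` branch, which a caller cannot tell apart from a genuine 0 result, so that deserves a comment at least.

```c
TCN_IMPLEMENT_CALL(jint, SSL, verifyClientPostHandshake)(TCN_STDARGS,
                                                         jlong ssl /* SSL * */) {
#if defined(SSL_OP_NO_TLSv1_3)
    SSL *ssl_ = J2P(ssl, SSL *);
    tcn_ssl_conn_t *con;
    int rv;

    /* ... unchanged: ssl_ == NULL check, UNREFERENCED(o) ... */

    con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl_);
    if (con == NULL) {
        tcn_ThrowException(e, "ssl has no connection data");
        return 0;
    }

    rv = SSL_verify_client_post_handshake(ssl_);
    if (rv > 0) {
        /* Record the request only once OpenSSL has accepted it. */
        con->pha_state = PHA_STARTED;
    }
    return rv;
    /* ... unchanged: #else branch ... */
```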
@@ -2155,6 +2211,27 @@ TCN_IMPLEMENT_CALL(jint, SSL, renegotiat UNREFERENCED(o); UNREFERENCED(ssl); tcn_ThrowException(e, "Not implemented"); + return 0; +} + +TCN_IMPLEMENT_CALL(jint, SSL, renegotiatePending)(TCN_STDARGS, jlong ssl) { + UNREFERENCED(o); + UNREFERENCED(ssl); + tcn_ThrowException(e, "Not implemented"); + return 0; +} + +TCN_IMPLEMENT_CALL(jint, SSL, verifyClientPostHandshake)(TCN_STDARGS, jlong ssl) { + UNREFERENCED(o); + UNREFERENCED(ssl); + tcn_ThrowException(e, "Not implemented"); + return 0; +} + +TCN_IMPLEMENT_CALL(jint, SSL, getPostHandshakeAuthInProgress)(TCN_STDARGS, jlong ssl) { + UNREFERENCED(o); + UNREFERENCED(ssl); + tcn_ThrowException(e, "Not implemented"); return 0; } diff -pruN 1.2.17-1/native/src/sslcontext.c 1.2.18-1/native/src/sslcontext.c --- 1.2.17-1/native/src/sslcontext.c 2018-06-06 13:00:15.000000000 +0000 +++ 1.2.18-1/native/src/sslcontext.c 2018-10-12 10:55:54.000000000 +0000 @@ -152,7 +152,16 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma } #if OPENSSL_VERSION_NUMBER < 0x10100000L - if (protocol == SSL_PROTOCOL_TLSV1_2) { + if (protocol == SSL_PROTOCOL_TLSV1_3) { +#ifdef HAVE_TLSV1_3 + if (mode == SSL_MODE_CLIENT) + ctx = SSL_CTX_new(TLSv1_3_client_method()); + else if (mode == SSL_MODE_SERVER) + ctx = SSL_CTX_new(TLSv1_3_server_method()); + else + ctx = SSL_CTX_new(TLSv1_3_method()); +#endif + } else if (protocol == SSL_PROTOCOL_TLSV1_2) { #ifdef HAVE_TLSV1_2 if (mode == SSL_MODE_CLIENT) ctx = SSL_CTX_new(TLSv1_2_client_method()); @@ -186,6 +195,10 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma ctx = SSL_CTX_new(SSLv3_method()); } else if (protocol == SSL_PROTOCOL_SSLV2) { /* requested but not supported */ +#ifndef HAVE_TLSV1_3 + } else if (protocol & SSL_PROTOCOL_TLSV1_3) { + /* requested but not supported */ +#endif #ifndef HAVE_TLSV1_2 } else if (protocol & SSL_PROTOCOL_TLSV1_2) { /* requested but not supported */ 
@@ -241,9 +254,19 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma if (!(protocol & SSL_PROTOCOL_TLSV1_2)) SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2); #endif +#ifdef HAVE_TLSV1_3 + if (!(protocol & SSL_PROTOCOL_TLSV1_3)) + SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_3); +#endif #else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */ /* We first determine the maximum protocol version we should provide */ +#ifdef HAVE_TLSV1_3 + if (protocol & SSL_PROTOCOL_TLSV1_3) { + prot = TLS1_3_VERSION; + } else +/* NOTE the dangling else above: take care to preserve it */ +#endif if (protocol & SSL_PROTOCOL_TLSV1_2) { prot = TLS1_2_VERSION; } else if (protocol & SSL_PROTOCOL_TLSV1_1) { @@ -261,6 +284,12 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma /* Next we scan for the minimal protocol version we should provide, * but we do not allow holes between max and min */ +#ifdef HAVE_TLSV1_3 + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) { + prot = TLS1_2_VERSION; + } else +/* NOTE the dangling else above: take care to preserve it */ +#endif if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { prot = TLS1_1_VERSION; } @@ -984,7 +1013,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, if (J2S(password)) { if (!c->cb_data) c->cb_data = &tcn_password_callback; - strncpy(c->cb_data->password, J2S(password), SSL_MAX_PASSWORD_LEN); + strncpy(c->cb_data->password, J2S(password), SSL_MAX_PASSWORD_LEN - 1); c->cb_data->password[SSL_MAX_PASSWORD_LEN-1] = '\0'; } key_file = J2S(key); diff -pruN 1.2.17-1/native/src/sslnetwork.c 1.2.18-1/native/src/sslnetwork.c --- 1.2.17-1/native/src/sslnetwork.c 2017-08-21 08:22:17.000000000 +0000 +++ 1.2.18-1/native/src/sslnetwork.c 2018-10-12 11:09:26.000000000 +0000 
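Review bot: The `else` carried out of the second `#ifdef HAVE_TLSV1_3` block, in the minimum-version scan, changes the cascade: once `prot` has been lowered from `TLS1_3_VERSION` to `TLS1_2_VERSION`, the `else` skips the following `if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1)` test, so a request for TLS 1.3 together with 1.2, 1.1 and 1.0 appears to end with a minimum of TLS 1.2. In the maximum-version chain of the previous hunk the dangling `else` is right because only the first match should win, but here each step has to fall through to the next. Close the block with a plain `}` and drop the "dangling else" comment in this second place; the rest of the scan lies outside the hunk, so confirm against the full function. The outcome is stricter than configured rather than weaker, but it silently refuses protocol versions the administrator enabled.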
@@ -616,32 +616,19 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, atta return APR_SUCCESS; } -TCN_IMPLEMENT_CALL(jint, SSLSocket, renegotiate)(TCN_STDARGS, - jlong sock) +static int ssl_do_renegotiate(tcn_ssl_conn_t *con, int use_pha) { - tcn_socket_t *s = J2P(sock, tcn_socket_t *); - tcn_ssl_conn_t *con; int retVal; int error = 0; char peekbuf[1]; apr_interval_time_t timeout; - UNREFERENCED_STDARGS; - TCN_ASSERT(sock != 0); - con = (tcn_ssl_conn_t *)s->opaque; - - /* Toggle the renegotiation state to allow the new - * handshake to proceed. - */ - con->reneg_state = RENEG_ALLOW; - - // Schedule a renegotiation request - retVal = SSL_renegotiate(con->ssl); - if (retVal <= 0) - return APR_EGENERAL; + apr_socket_timeout_get(con->sock, &timeout); - /* Need to trigger the renegotiation handshake by reading. + /* Trigger reading of the certs from the client. * Peeking 0 bytes actually works. + * Before TLS 1.3 this will result in a renegotiation. + * for TLS 1.3 in PHA. * See: http://marc.info/?t=145493359200002&r=1&w=2 * * This will normally return SSL_ERROR_WANT_READ whether the renegotiation @@ -653,9 +640,8 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene error = SSL_get_error(con->ssl, retVal); } - apr_socket_timeout_get(con->sock, &timeout); - // If the renegotiation is still pending, then I/O needs to be triggered - while (SSL_renegotiate_pending(con->ssl)) { + // If the certs have not been received, then need to wait for I/O + while ((use_pha && con->pha_state == PHA_STARTED) || (!use_pha && SSL_renegotiate_pending(con->ssl))) { // SSL_ERROR_WANT_READ is expected. Anything else is an error. if (error == SSL_ERROR_WANT_READ) { retVal = wait_for_io_or_timeout(con, error, timeout); @@ -664,7 +650,6 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene * error. */ if (retVal != APR_SUCCESS) { - printf("ERROR\n"); con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN; return retVal; } 
@@ -679,15 +664,74 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene } else { /* * Reset error to handle case where SSL_Peek returns 0 but - * SSL_renegotiate_pending returns true. This will trigger an error - * to be returned. + * the pha resp. renegotiation state has not changed. + * This will trigger an error to be returned. */ error = 0; } } - - con->reneg_state = RENEG_REJECT; + return APR_SUCCESS; +} + +TCN_IMPLEMENT_CALL(jint, SSLSocket, renegotiate)(TCN_STDARGS, + jlong sock) +{ + tcn_socket_t *s = J2P(sock, tcn_socket_t *); + tcn_ssl_conn_t *con; + int retVal; +#if defined(SSL_OP_NO_TLSv1_3) + const SSL_SESSION *session; +#endif + + UNREFERENCED_STDARGS; + TCN_ASSERT(sock != 0); + con = (tcn_ssl_conn_t *)s->opaque; + +#if defined(SSL_OP_NO_TLSv1_3) + session = SSL_get_session(con->ssl); + if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) { + // TLS 1.3 renegotiation + retVal = SSL_verify_client_post_handshake(con->ssl); + if (retVal <= 0) { + return APR_EGENERAL; + } + + con->pha_state = PHA_STARTED; + // Need to trigger a write operation to sent the cert request to the + // client. As per OpenSSL docs, use SSL_do_handshake() for this. + retVal = SSL_do_handshake(con->ssl); + if (retVal <= 0) { + return APR_EGENERAL; + } + retVal = ssl_do_renegotiate(con, 1); + if (retVal != APR_SUCCESS) { + return retVal; + } + + } else { +#endif + // TLS 1.2 and earlier renegotiation + + /* Toggle the renegotiation state to allow the new + * handshake to proceed. 
+ */ + con->reneg_state = RENEG_ALLOW; + + // Schedule a renegotiation request + retVal = SSL_renegotiate(con->ssl); + if (retVal <= 0) { + return APR_EGENERAL; + } + retVal = ssl_do_renegotiate(con, 0); + if (retVal != APR_SUCCESS) { + return retVal; + } + + con->reneg_state = RENEG_REJECT; +#if defined(SSL_OP_NO_TLSv1_3) + } +#endif return APR_SUCCESS; } diff -pruN 1.2.17-1/native/src/sslutils.c 1.2.18-1/native/src/sslutils.c --- 1.2.17-1/native/src/sslutils.c 2018-06-06 08:52:57.000000000 +0000 +++ 1.2.18-1/native/src/sslutils.c 2018-10-10 21:49:55.000000000 +0000 @@ -305,6 +305,10 @@ int SSL_callback_SSL_verify(int ok, X509 int verify = con->ctx->verify_mode; int depth = con->ctx->verify_depth; +#if defined(SSL_OP_NO_TLSv1_3) + con->pha_state = PHA_COMPLETE; +#endif + if (verify == SSL_CVERIFY_UNSET || verify == SSL_CVERIFY_NONE) return 1; @@ -386,12 +390,24 @@ int SSL_callback_SSL_verify(int ok, X509 void SSL_callback_handshake(const SSL *ssl, int where, int rc) { tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl); +#ifdef HAVE_TLSV1_3 + const SSL_SESSION *session = SSL_get_session(ssl); +#endif /* Retrieve the conn_rec and the associated SSLConnRec. */ if (con == NULL) { return; } +#ifdef HAVE_TLSV1_3 + /* TLS 1.3 does not use renegotiation so do not update the renegotiation + * state once we know we are using TLS 1.3. */ + if (session != NULL) { + if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) { + return; + } + } +#endif /* If the reneg state is to reject renegotiations, check the SSL * state machine and move to ABORT if a Client Hello is being @@ -405,7 +421,6 @@ void SSL_callback_handshake(const SSL *s else if ((where & SSL_CB_HANDSHAKE_DONE) && con->reneg_state == RENEG_INIT) { con->reneg_state = RENEG_REJECT; } - } int SSL_callback_next_protos(SSL *ssl, const unsigned char **data, 
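Review bot: `SSL_get_session(con->ssl)` is passed straight to `SSL_SESSION_get_protocol_version` in the new `renegotiate`, whereas `SSL_callback_handshake` in sslutils.c (same diff) tests `session != NULL` first; the two should agree, e.g. `if (session != NULL && SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) {`. `s` and `con` are likewise covered only by `TCN_ASSERT(sock != 0)`, which is presumably compiled out of release builds. In the TLS 1.3 branch `con->pha_state = PHA_STARTED` stays set when `SSL_do_handshake` fails, so resetting it on that error path, or a comment saying why not, would keep `getPostHandshakeAuthInProgress` consistent with what actually happened.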
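Review bot: The TLS 1.3 additions in sslutils.c are guarded by two different macros, `#if defined(SSL_OP_NO_TLSv1_3)` around `con->pha_state = PHA_COMPLETE;` and `#ifdef HAVE_TLSV1_3` in `SSL_callback_handshake`; unless both are always defined together, one path can be compiled in without the other, so one guard should be chosen for the whole feature. `pha_state` is also marked complete at the top of `SSL_callback_SSL_verify`, before the `verify`/`ok` checks that follow. A comment such as `/* COMPLETE means the client answered the request, not that its certificate was accepted */` would stop a later caller from reading the state as an authentication result. Both functions extend beyond the lines shown in these hunks.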
@@ -595,7 +610,7 @@ static int parse_asn1_length(unsigned ch // Single byte length *len = **asn1; } - + (*asn1)++; return 0; diff -pruN 1.2.17-1/native/srclib/BUILDING 1.2.18-1/native/srclib/BUILDING --- 1.2.17-1/native/srclib/BUILDING 2012-05-30 02:20:59.000000000 +0000 +++ 1.2.18-1/native/srclib/BUILDING 2018-10-17 16:35:24.000000000 +0000 @@ -15,8 +15,8 @@ environment before calling nmake so that compiler is setup for the target architecture. -Building OpenSSL ----------------- +Building OpenSSL 1.1.0 and earlier +---------------------------------- Apply openssl-msvcrt.patch @@ -36,7 +36,25 @@ For 64-bit Windows use > ms\do_win64a > nmake -f ms\nt.mak -For 64-bit Windows on Itanium processor use -> perl Configure VC-WIN64I -> ms\do_win64i -> nmake -f ms\nt.mak + +Building OpenSSL 1.1.1 and later +---------------------------------- + +Apply openssl-msvcrt-1.1.1.patch + +This patch addresses issues caused by CMSC compiling against an older Windows +API than expected for the compiler version in additional to the static linking +issues described above. + +Then follow the standard OpenSSL make procedure ... + +> perl Configure no-shared VC-WIN32 +> nmake + +For 64-bit Windows use +> perl Configure no-shared VC-WIN64A +> nmake + + +For a step-by-step guide to building OpenSSL on Windows see: +https://cwiki.apache.org/confluence/display/TOMCAT/Building+the+Tomcat+Native+Connector+binaries+for+Windows diff -pruN 1.2.17-1/native/srclib/openssl/openssl-msvcrt-1.1.1.patch 1.2.18-1/native/srclib/openssl/openssl-msvcrt-1.1.1.patch --- 1.2.17-1/native/srclib/openssl/openssl-msvcrt-1.1.1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.2.18-1/native/srclib/openssl/openssl-msvcrt-1.1.1.patch 2018-10-17 16:35:49.000000000 +0000 
@@ -0,0 +1,97 @@ +--- Configurations/10-main.conf ++++ Configurations/10-main.conf +@@ -1268,7 +1268,7 @@ + # prefer [non-debug] openssl.exe to be free from Micorosoft RTL + # redistributable. + bin_cflags => add(picker(debug => "/MDd", +- release => sub { $disabled{shared} ? "/MT" : () }, ++ release => "/MD", + )), + bin_lflags => add("/subsystem:console /opt:ref"), + ex_libs => add(sub { +--- crypto/engine/eng_openssl.c ++++ crypto/engine/eng_openssl.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include "e_os.h" + #include + #include "internal/cryptlib.h" + #include "internal/engine.h" +--- crypto/sm2/sm2_sign.c ++++ crypto/sm2/sm2_sign.c +@@ -12,6 +12,7 @@ + #include "internal/sm2.h" + #include "internal/sm2err.h" + #include "internal/ec_int.h" /* ec_group_do_inverse_ord() */ ++#include "internal/numbers.h" + #include + #include + #include +--- crypto/o_time.c ++++ crypto/o_time.c +@@ -41,10 +41,6 @@ + if (gmtime_r(timer, result) == NULL) + return NULL; + ts = result; +-#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400 +- if (gmtime_s(result, timer)) +- return NULL; +- ts = result; + #else + ts = gmtime(timer); + if (ts == NULL) +--- engines/e_capi.c ++++ engines/e_capi.c +@@ -15,6 +15,7 @@ + # include + + # include ++# include "e_os.h" + # include + # include + # include +--- test/testutil/basic_output.c ++++ test/testutil/basic_output.c +@@ -10,6 +10,7 @@ + #include "../testutil.h" + #include "output.h" + #include "tu_local.h" ++#include "../../e_os.h" + + #include + #include +--- test/ct_test.c ++++ test/ct_test.c +@@ -500,8 +500,8 @@ + { + int success = 0; + CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new(); +- const time_t default_time = CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / +- 1000; ++ const time_t default_time = ++ (time_t)(CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / 1000); + const time_t time_tolerance = 600; /* 10 minutes */ + + if (!TEST_time_t_le(abs((int)difftime(time(NULL), default_time)), +--- e_os.h ++++ 
e_os.h +@@ -149,7 +149,7 @@ + # endif + # include + # if defined(_MSC_VER) && !defined(_WIN32_WCE) && !defined(_DLL) && defined(stdin) +-# if _MSC_VER>=1300 && _MSC_VER<1600 ++# ifdef _WIN64 + # undef stdin + # undef stdout + # undef stderr +@@ -157,7 +157,7 @@ + # define stdin (&__iob_func()[0]) + # define stdout (&__iob_func()[1]) + # define stderr (&__iob_func()[2]) +-# elif _MSC_VER<1300 && defined(I_CAN_LIVE_WITH_LNK4049) ++# else + # undef stdin + # undef stdout + # undef stderr diff -pruN 1.2.17-1/native/srclib/openssl/openssl-msvcrt.patch 1.2.18-1/native/srclib/openssl/openssl-msvcrt.patch --- 1.2.17-1/native/srclib/openssl/openssl-msvcrt.patch 2016-03-06 18:46:46.000000000 +0000 +++ 1.2.18-1/native/srclib/openssl/openssl-msvcrt.patch 2018-10-17 10:56:24.000000000 +0000 @@ -1,3 +1,16 @@ +--- crypto/o_time.c ++++ crypto/o_time.c +@@ -109,10 +109,6 @@ + if (gmtime_r(timer, result) == NULL) + return NULL; + ts = result; +-#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400 +- if (gmtime_s(result, timer)) +- return NULL; +- ts = result; + #elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK) + ts = gmtime(timer); + if (ts == NULL) --- util/pl/VC-32.pl +++ util/pl/VC-32.pl @@ -45,7 +45,7 @@ diff -pruN 1.2.17-1/native/srclib/VERSIONS 1.2.18-1/native/srclib/VERSIONS --- 1.2.17-1/native/srclib/VERSIONS 2017-11-14 11:19:11.000000000 +0000 +++ 1.2.18-1/native/srclib/VERSIONS 2018-10-17 09:52:27.000000000 +0000 @@ -1,4 +1,4 @@ Use the following version of the libraries -- APR 1.6.3 or later, http://apr.apache.org -- OpenSSL 1.0.2m or later, http://www.openssl.org +- APR 1.6.5 or later, http://apr.apache.org +- OpenSSL 1.0.2p or later, http://www.openssl.org diff -pruN 1.2.17-1/native/tcnative.spec 1.2.18-1/native/tcnative.spec --- 1.2.17-1/native/tcnative.spec 2018-06-07 10:01:20.000000000 +0000 +++ 1.2.18-1/native/tcnative.spec 2018-10-17 20:51:36.000000000 +0000 
@@ -21,7 +21,7 @@ Summary: Tomcat Native Java library Name: tcnative -Version: 1.2.17 +Version: 1.2.18 Release: 1 License: Apache Software License Group: System Environment/Libraries diff -pruN 1.2.17-1/test/org/apache/tomcat/jni/TestSocketServerAnyLocalAddress.java 1.2.18-1/test/org/apache/tomcat/jni/TestSocketServerAnyLocalAddress.java --- 1.2.17-1/test/org/apache/tomcat/jni/TestSocketServerAnyLocalAddress.java 2017-01-31 20:14:34.000000000 +0000 +++ 1.2.18-1/test/org/apache/tomcat/jni/TestSocketServerAnyLocalAddress.java 2018-02-06 22:17:17.000000000 +0000 @@ -33,6 +33,9 @@ import org.junit.Test; */ public class TestSocketServerAnyLocalAddress extends AbstractJniTest { + // Excessive but allows for slow systems + private static final int TIMEOUT_MICROSECONDS = 10 * 1000 * 1000; + private long serverSocket = 0; private long clientSocket = 0; @@ -80,8 +83,8 @@ public class TestSocketServerAnyLocalAdd /* Accept the client connection */ clientSocket = Socket.accept(serverSocket); - /* Configure a 2ms timeout for reading from client */ - Socket.timeoutSet(clientSocket, 10000); + /* Configure a 10s timeout for reading from client */ + Socket.timeoutSet(clientSocket, TIMEOUT_MICROSECONDS); byte [] buf = new byte[1]; while (Socket.recv(clientSocket, buf, 0, 1) == 1) { @@ -96,7 +99,7 @@ public class TestSocketServerAnyLocalAdd } else if (buf[0] == 'Z') { // NO-OP - connection closing } else { - Assert.fail("Unexpected data"); + Assert.fail("Unexpected data [" + (char) buf[0] + "]"); } } @@ -122,8 +125,8 @@ public class TestSocketServerAnyLocalAdd try { InetSocketAddress connectAddress = getConnectAddress(serverSocket); java.net.Socket sock = new java.net.Socket(); - sock.connect(connectAddress, 10000); - sock.setSoTimeout(10000); + sock.connect(connectAddress, TIMEOUT_MICROSECONDS); + sock.setSoTimeout(TIMEOUT_MICROSECONDS); OutputStream ou = sock.getOutputStream(); InputStream in = sock.getInputStream(); ou.write('A'); 
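Review bot: `sock.connect(connectAddress, TIMEOUT_MICROSECONDS)` and `sock.setSoTimeout(TIMEOUT_MICROSECONDS)` pass a microsecond count to java.net.Socket, whose timeouts are in milliseconds, so the client side now waits 10,000,000 ms (about 2 h 47 min) instead of the previous 10 s. The constant is right for `Socket.timeoutSet`, whose new comment describes the value as 10s, but a stalled client will no longer fail the test in useful time. The same two calls are repeated in the next hunk of this file (`@@ -131,12 +134,12 @@`). I would add `private static final int TIMEOUT_MILLISECONDS = 10 * 1000;` and use it in `sock.connect(connectAddress, TIMEOUT_MILLISECONDS);` and `sock.setSoTimeout(TIMEOUT_MILLISECONDS);`. The enclosing method starts and ends outside the hunk.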
@@ -131,12 +134,12 @@ public class TestSocketServerAnyLocalAdd int rep = in.read(); sock.close(); if (rep != 'Z') { - throw new Exception("Read wrong data"); + throw new Exception("Read wrong data [" + rep + "]"); } sock = new java.net.Socket(); - sock.connect(connectAddress, 10000); - sock.setSoTimeout(10000); + sock.connect(connectAddress, TIMEOUT_MICROSECONDS); + sock.setSoTimeout(TIMEOUT_MICROSECONDS); ou = sock.getOutputStream(); ou.write('E'); ou.flush(); diff -pruN 1.2.17-1/test/org/apache/tomcat/jni/TestSocketServer.java 1.2.18-1/test/org/apache/tomcat/jni/TestSocketServer.java --- 1.2.17-1/test/org/apache/tomcat/jni/TestSocketServer.java 2017-01-31 20:14:34.000000000 +0000 +++ 1.2.18-1/test/org/apache/tomcat/jni/TestSocketServer.java 2018-06-25 10:24:31.000000000 +0000 @@ -30,11 +30,23 @@ import org.junit.Test; public class TestSocketServer extends AbstractJniTest { private static final String HOST = "localhost"; + private static final long ERROR_MARGIN; private int port = 0; private long serverSocket = 0; private long clientSocket = 0; + // Determine the resolution of System.nanoTime() so an appropriate error + // margin can be used in tests that use nanoTime() + static { + long start = System.nanoTime(); + long end = System.nanoTime(); + while (end == start) { + end = System.nanoTime(); + } + ERROR_MARGIN = 2 * (end - start); + } + @Before public void init() throws Exception { 
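Review bot: `ERROR_MARGIN` in TestSocketServer carries no unit in its name or comment, although the assertions later in this file add it to and subtract it from nanosecond literals, and the sibling test in this diff names its constant `TIMEOUT_MICROSECONDS`. The value is twice the smallest step observed between two `System.nanoTime()` reads, so it covers clock granularity only and not scheduling delay on a loaded machine. I would state both in the comment, e.g. `// Nanoseconds: twice the smallest observable System.nanoTime() step (clock granularity only)`. The static initialiser is complete in this hunk; the class body continues outside it.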
@@ -96,8 +108,10 @@ public class TestSocketServer extends Ab while (Socket.recv(clientSocket, buf, 0, 1) == 1) { } long wait = System.nanoTime() - start; - Assert.assertFalse("Socket.timeoutSet failed (<1s) [" + wait + "]", wait < 1000000000); - Assert.assertFalse("Socket.timeoutSet failed (>2s) [" + wait + "]", wait > 2000000000); + Assert.assertFalse("Socket.timeoutSet failed (<1s) [" + wait + "] +-[" + ERROR_MARGIN + "]", + wait < 1000000000 - ERROR_MARGIN); + Assert.assertFalse("Socket.timeoutSet failed (>2s) [" + wait + "] +-[" + ERROR_MARGIN + "]", + wait > 2000000000 + ERROR_MARGIN); client.countDown(); client.join(); @@ -123,8 +137,8 @@ public class TestSocketServer extends Ab while (Socket.recv(clientSocket, buf, 0, 1) == 1) { } long wait = System.nanoTime() - start; - Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK failed (>1ms)", - wait > 1000000); + Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK failed (>2ms) [" + wait + + "] +-[" + ERROR_MARGIN + "]", wait > 2000000 + ERROR_MARGIN); client.countDown(); client.join(); @@ -148,8 +162,8 @@ public class TestSocketServer extends Ab while (Socket.recv(clientSocket, buf, 0, 1) == 1) { } long wait = System.nanoTime() - start; - Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK failed (>1ms)", - wait > 1000000); + Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK failed (>1ms) [" + wait + + "] +-[" + ERROR_MARGIN + "]", wait > 1000000 + ERROR_MARGIN); /* Configure for blocking */ Socket.optSet(clientSocket, Socket.APR_SO_NONBLOCK, 0); 
@@ -158,8 +172,8 @@ public class TestSocketServer extends Ab while (Socket.recv(clientSocket, buf, 0, 1) == 1) { } wait = System.nanoTime() - start; - Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK false failed", - wait < 1000000); + Assert.assertFalse("non_blocking client Socket.APR_SO_NONBLOCK false failed (<1ms) [" + + wait + "] +-[" + ERROR_MARGIN + "]", wait < 1000000 - ERROR_MARGIN); client.countDown(); client.join(); @@ -181,8 +195,8 @@ public class TestSocketServer extends Ab } long wait = System.nanoTime() - start; Assert.assertTrue("Timeout failed", ok); - Assert.assertFalse("non_blocking accept Socket.APR_SO_NONBLOCK failed (>1ms)", - wait > 1000000); + Assert.assertFalse("non_blocking accept Socket.APR_SO_NONBLOCK failed (>1ms) [" + wait + + "] +-[" + ERROR_MARGIN + "]", wait > 1000000 + ERROR_MARGIN); } diff -pruN 1.2.17-1/xdocs/index.xml 1.2.18-1/xdocs/index.xml --- 1.2.17-1/xdocs/index.xml 2017-11-21 09:59:44.000000000 +0000 +++ 1.2.18-1/xdocs/index.xml 2018-06-15 15:53:25.000000000 +0000 @@ -59,10 +59,10 @@
      -
    • 20 November 2017 - TC-Native-1.2.16 +
    • 13 June 2018 - TC-Native-1.2.17 released

      The Apache Tomcat team is proud to announce the immediate availability of -Tomcat Native 1.2.16 Stable.

      +Tomcat Native 1.2.17 Stable.

      The sources and the binaries for selected platforms are available from the Download page. diff -pruN 1.2.17-1/xdocs/miscellaneous/changelog.xml 1.2.18-1/xdocs/miscellaneous/changelog.xml --- 1.2.17-1/xdocs/miscellaneous/changelog.xml 2018-06-07 08:38:26.000000000 +0000 +++ 1.2.18-1/xdocs/miscellaneous/changelog.xml 2018-10-17 09:39:04.000000000 +0000 @@ -34,6 +34,26 @@ This is the Changelog for Tomcat Native 1.2.

    +
    + + + 62641: libtool invocations should use --tag=CC. (michaelo) + + + Remove support for Netware as there has not been a supported Netware + platform for a number of years. (markt) + + + 62748: Add support for TLS 1.3 when built with OpenSSL 1.1.1 or + equivalent. (schultz/markt) + + + Expose the API necessary for CLIENT-CERT authentication to be correctly + supported when using Tomcat's JSSE implementation backed by OpenSSL. + (markt) + + +
    diff -pruN 1.2.17-1/xdocs/news/2018.xml 1.2.18-1/xdocs/news/2018.xml --- 1.2.17-1/xdocs/news/2018.xml 1970-01-01 00:00:00.000000000 +0000 +++ 1.2.18-1/xdocs/news/2018.xml 2018-06-15 16:10:42.000000000 +0000 @@ -0,0 +1,41 @@ + + + +]> + + + &project; + + + 2018 News and Status + + + + +
    + +

    The Apache Tomcat team is proud to announce the immediate availability of + Tomcat Native 1.2.17. This is a bugfix release that also updates the + dependencies for the Windows binaries and includes Windows binaries built with + OpenSSL 1.0.2o and APR 1.6.3. +

    +
    +
    + +
    diff -pruN 1.2.17-1/xdocs/project.xml 1.2.18-1/xdocs/project.xml --- 1.2.17-1/xdocs/project.xml 2017-08-02 19:29:35.000000000 +0000 +++ 1.2.18-1/xdocs/project.xml 2018-06-15 16:10:42.000000000 +0000 @@ -34,6 +34,7 @@ +