diff --git a/0002_fix_CVE-2024-34447 b/0002_fix_CVE-2024-34447
new file mode 100644
index 0000000000000000000000000000000000000000..f59983f1b3639b1e678c4b9c7350563897f39544
--- /dev/null
+++ b/0002_fix_CVE-2024-34447
@@ -0,0 +1,214 @@
+From c47f6444a744396135322784b5fea1d35d46a8a7 Mon Sep 17 00:00:00 2001
+From: Peter Dettman
+Date: Wed, 3 Apr 2024 21:24:27 +0700
+Subject: [PATCH] BCJSSE: Improved workaround for InetAddress limitation
+
+- URLConnectionUtil now calls BCSSLSocket.setHost instead of direct SNI config
+---
+ .../jsse/provider/ProvSSLSocketDirect.java | 14 ++--
+ .../jsse/provider/ProvSSLSocketWrap.java | 14 ++--
+ .../jsse/util/SetHostSocketFactory.java | 80 +++++++++++++++++++
+ .../jsse/util/URLConnectionUtil.java | 2 +-
+ 4 files changed, 99 insertions(+), 11 deletions(-)
+ create mode 100644 tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java
+
+diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java
+index fe2d7138c1..245b1eb461 100644
+--- a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java
++++ b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java
+@@ -345,7 +345,6 @@ public synchronized void setEnableSessionCreation(boolean flag)
+ public synchronized void setHost(String host)
+ {
+ this.peerHost = host;
+- this.peerHostSNI = host;
+ }
+
+ @Override
+@@ -531,6 +530,7 @@ synchronized void notifyConnected()
+ InetAddress peerAddress = getInetAddress();
+ if (null == peerAddress)
+ {
++ this.peerHostSNI = null;
+ return;
+ }
+
+@@ -538,8 +538,8 @@ synchronized void notifyConnected()
+ * TODO[jsse] If we could somehow access the 'originalHostName' of peerAddress, it would be
+ * usable as a default SNI host_name.
+ */
+-// String originalHostName = null;
+-// if (null != originalHostName)
++// String originalHostName = peerAddress.holder().getOriginalHostName();
++// if (JsseUtils.isNameSpecified(originalHostName))
+ // {
+ // this.peerHost = originalHostName;
+ // this.peerHostSNI = originalHostName;
+@@ -555,13 +555,17 @@ synchronized void notifyConnected()
+ return;
+ }
+
+- if (useClientMode && provJdkTlsTrustNameService)
++ if (!useClientMode)
++ {
++ this.peerHost = peerAddress.getHostAddress();
++ }
++ else if (provJdkTlsTrustNameService)
+ {
+ this.peerHost = peerAddress.getHostName();
+ }
+ else
+ {
+- this.peerHost = peerAddress.getHostAddress();
++ this.peerHost = null;
+ }
+
+ this.peerHostSNI = null;
+diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java
+index b31f215289..59fabd7bb4 100644
+--- a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java
++++ b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java
+@@ -470,7 +470,6 @@ public synchronized void setEnableSessionCreation(boolean flag)
+ public synchronized void setHost(String host)
+ {
+ this.peerHost = host;
+- this.peerHostSNI = host;
+ }
+
+ @Override
+@@ -720,6 +719,7 @@ synchronized void notifyConnected()
+ InetAddress peerAddress = getInetAddress();
+ if (null == peerAddress)
+ {
++ this.peerHostSNI = null;
+ return;
+ }
+
+@@ -727,8 +727,8 @@ synchronized void notifyConnected()
+ * TODO[jsse] If we could somehow access the 'originalHostName' of peerAddress, it would be
+ * usable as a default SNI host_name.
+ */
+-// String originalHostName = null;
+-// if (null != originalHostName)
++// String originalHostName = peerAddress.holder().getOriginalHostName();
++// if (JsseUtils.isNameSpecified(originalHostName))
+ // {
+ // this.peerHost = originalHostName;
+ // this.peerHostSNI = originalHostName;
+@@ -744,13 +744,17 @@ synchronized void notifyConnected()
+ return;
+ }
+
+- if (useClientMode && provJdkTlsTrustNameService)
++ if (!useClientMode)
++ {
++ this.peerHost = peerAddress.getHostAddress();
++ }
++ else if (provJdkTlsTrustNameService)
+ {
+ this.peerHost = peerAddress.getHostName();
+ }
+ else
+ {
+- this.peerHost = peerAddress.getHostAddress();
++ this.peerHost = null;
+ }
+
+ this.peerHostSNI = null;
+diff --git a/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java b/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java
+new file mode 100644
+index 0000000000..0eeccaf367
+--- /dev/null
++++ b/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java
+@@ -0,0 +1,80 @@
++package org.bouncycastle.jsse.util;
++
++import java.net.Socket;
++import java.net.URL;
++import java.util.concurrent.Callable;
++import java.util.logging.Logger;
++
++import javax.net.SocketFactory;
++import javax.net.ssl.SSLSocketFactory;
++
++import org.bouncycastle.jsse.BCSSLSocket;
++
++public class SetHostSocketFactory extends CustomSSLSocketFactory
++{
++ private static final Logger LOG = Logger.getLogger(SetHostSocketFactory.class.getName());
++
++ protected static final ThreadLocal threadLocal = new ThreadLocal();
++
++ /**
++ * Signature matches {@link SSLSocketFactory#getDefault()} so that it can be
++ * used with e.g. the "java.naming.ldap.factory.socket" property or similar.
++ *
++ * @see #call(Callable)
++ */
++ public static SocketFactory getDefault()
++ {
++ SSLSocketFactory sslSocketFactory = threadLocal.get();
++ if (null != sslSocketFactory)
++ {
++ return sslSocketFactory;
++ }
++
++ return SSLSocketFactory.getDefault();
++ }
++
++ protected final URL url;
++
++ public SetHostSocketFactory(SSLSocketFactory delegate, URL url)
++ {
++ super(delegate);
++
++ this.url = url;
++ }
++
++ /**
++ * Calls a {@link Callable} in a context where this class's static
++ * {@link #getDefault()} method will return this {@link SetHostSocketFactory}.
++ */
++ public V call(Callable callable) throws Exception
++ {
++ try
++ {
++ threadLocal.set(this);
++
++ return callable.call();
++ }
++ finally
++ {
++ threadLocal.remove();
++ }
++ }
++
++ @Override
++ protected Socket configureSocket(Socket s)
++ {
++ if (url != null && s instanceof BCSSLSocket)
++ {
++ BCSSLSocket ssl = (BCSSLSocket)s;
++
++ String host = url.getHost();
++ if (host != null)
++ {
++ LOG.fine("Setting host on socket: " + host);
++
++ ssl.setHost(host);
++ }
++ }
++ return s;
++ }
++}
+diff --git a/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java b/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java
+index 63a7db5a0b..6eb4861f2d 100644
+--- a/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java
++++ b/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java
+@@ -66,6 +66,6 @@ protected URLConnection configureConnection(URL url, URLConnection connection)
+
+ protected SSLSocketFactory createSSLSocketFactory(SSLSocketFactory delegate, URL url)
+ {
+- return new SNISocketFactory(delegate, url);
++ return new SetHostSocketFactory(delegate, url);
+ }
+ }
diff --git a/bouncycastle.spec b/bouncycastle.spec
index d251fdda998e25cd663e574da01f47954d356f25..ff3982de663f21b479a04a4c5633b2bef7e487f7 100644
--- a/bouncycastle.spec
+++ b/bouncycastle.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global gittag r1rv77
 %global classname org.bouncycastle.jce.provider.BouncyCastleProvider
@@ -29,6 +29,7 @@ Source8: get-poms.sh
 # From https://src.fedoraproject.org/rpms/bouncycastle/blob/d0ad563d8f8f61b9631e5562028b30b407d97094/f/jmail.packages.patch
 Patch0: 1001-jmail_packages.patch
+Patch1: 0002_fix_CVE-2024-34447
 BuildArch: noarch
 ExclusiveArch: %{java_arches} noarch
@@ -108,9 +109,8 @@ Summary: Javadoc for %{name}
 API documentation for the Bouncy Castle Cryptography APIs.
 %prep
-%setup -q -n bc-java-%{gittag}
-%patch -P0 -p1
-
+%setup -q -n -p1 bc-java-%{gittag}
+%patch -P0 -p1
 for x in `find | grep -e x_pkcs7_signature.java -e PKCS7ContentHandler.java -e multipart_signed.java` ; do
 sed "s/getTransferData.ActivationDataFlavor/getTransferData(DataFlavor/g" -i $x
 sed "s/ ActivationDataFlavor df,/ DataFlavor df,/g" -i $x
@@ -242,6 +242,9 @@ fi
 %license LICENSE.html
 %changelog
+* Mon Jun 16 2025 lzq11122 - 1.78-1
+- Update to 1.78
+
 * Mon Jun 09 2025 zhoujiajia111 - 1.77-1
 - Update to 1.77
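Review bot: The rebuilt %prep in the `@@ -108,9 +109,8 @@` hunk still applies only Patch0 (`%patch -P0 -p1`), so the Patch1 declared in the `@@ -29,6 +29,7 @@` hunk — the CVE-2024-34447 backport this commit adds — is never applied unless something outside this spec does it; add `%patch -P1 -p1` after the existing `%patch` line. The new `%setup -q -n -p1 bc-java-%{gittag}` also looks mangled: `-n` takes the following token as the extracted directory name and, as far as I know, `%setup` has no `-p` option, so this would look for a directory named `-p1` and leave `bc-java-%{gittag}` as a stray argument; the removed form `%setup -q -n bc-java-%{gittag}` should be restored. The changelog entry in the last hunk does not describe this change either: the commit bumps `anolis_release` to 2 while `gittag` stays at r1rv77, so the entry should be for 1.77-2 and name the CVE fix rather than `1.78-1 / Update to 1.78`. A quick way to confirm the fix actually lands is to run the %prep stage alone and check that `tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java` exists in the unpacked tree.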