/hg/icedtea6-hg: 4 new changesets
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Fri Jan 29 21:40:44 UTC 2016
changeset eac2bcbee2d4 in /hg/icedtea6-hg
details: http://icedtea.classpath.org/hg/icedtea6-hg?cmd=changeset;node=eac2bcbee2d4
author: Andrew John Hughes <gnu.andrew at redhat.com>
date: Thu Jan 21 01:17:36 2016 +0000
Update to b38 tarball.
2016-01-20 Andrew John Hughes <gnu.andrew at redhat.com>
* Makefile.am:
(OPENJDK_DATE): Bump to b38 creation date;
20th of January, 2016.
(OPENJDK_SHA256SUM): Update for b38 tarball.
changeset 33e9441c53fc in /hg/icedtea6-hg
details: http://icedtea.classpath.org/hg/icedtea6-hg?cmd=changeset;node=33e9441c53fc
author: Andrew John Hughes <gnu.andrew at redhat.com>
date: Mon Jan 25 19:10:54 2016 +0000
Add 1.13.10 release notes.
2016-01-25 Andrew John Hughes <gnu.andrew at redhat.com>
* NEWS: Add 1.13.10 release notes.
changeset 412e3ce4141e in /hg/icedtea6-hg
details: http://icedtea.classpath.org/hg/icedtea6-hg?cmd=changeset;node=412e3ce4141e
author: Andrew John Hughes <gnu.andrew at redhat.com>
date: Mon Jan 25 22:06:42 2016 +0000
S8076221, PR2808: Disable RC4 cipher suites
2016-01-25 Andrew John Hughes <gnu.andrew at redhat.com>
* Makefile.am:
(ICEDTEA_PATCHES): Add new patches.
* NEWS: Updated.
* patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch:
Backport of 8076221 to OpenJDK 6 b38.
* patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch:
Improve reliability of DisabledAlgorithms test.
* patches/pr2808-fix_disabled_algorithms_test.patch:
Remove Java 7 features from new DisabledAlgorithms test.
changeset 9e1c6190ff58 in /hg/icedtea6-hg
details: http://icedtea.classpath.org/hg/icedtea6-hg?cmd=changeset;node=9e1c6190ff58
author: Andrew John Hughes <gnu.andrew at redhat.com>
date: Fri Jan 29 21:40:32 2016 +0000
Bump to next release, b39.
2016-01-29 Andrew John Hughes <gnu.andrew at redhat.com>
* Makefile.am:
(OPENJDK_VERSION): Bump to next release, b39.
diffstat:
ChangeLog | 28 +
Makefile.am | 11 +-
NEWS | 25 +-
patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch | 553 ++++++++++
patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch | 58 +
patches/pr2808-fix_disabled_algorithms_test.patch | 226 ++++
6 files changed, 887 insertions(+), 14 deletions(-)
diffs (truncated from 955 to 500 lines):
diff -r 6df2ff9d8f54 -r 9e1c6190ff58 ChangeLog
--- a/ChangeLog Wed Jan 20 05:19:11 2016 +0000
+++ b/ChangeLog Fri Jan 29 21:40:32 2016 +0000
@@ -1,3 +1,31 @@
+2016-01-29 Andrew John Hughes <gnu.andrew at redhat.com>
+
+ * Makefile.am:
+ (OPENJDK_VERSION): Bump to next release, b39.
+
+2016-01-25 Andrew John Hughes <gnu.andrew at redhat.com>
+
+ * Makefile.am:
+ (ICEDTEA_PATCHES): Add new patches.
+ * NEWS: Updated.
+ * patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch:
+ Backport of 8076221 to OpenJDK 6 b38.
+ * patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch:
+ Improve reliability of DisabledAlgorithms test.
+ * patches/pr2808-fix_disabled_algorithms_test.patch:
+ Remove Java 7 features from new DisabledAlgorithms test.
+
+2016-01-25 Andrew John Hughes <gnu.andrew at redhat.com>
+
+ * NEWS: Add 1.13.10 release notes.
+
+2016-01-20 Andrew John Hughes <gnu.andrew at redhat.com>
+
+ * Makefile.am:
+ (OPENJDK_DATE): Bump to b38 creation date;
+ 20th of January, 2016.
+ (OPENJDK_SHA256SUM): Update for b38 tarball.
+
2016-01-19 Andrew John Hughes <gnu.andrew at redhat.com>
* patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch,
diff -r 6df2ff9d8f54 -r 9e1c6190ff58 Makefile.am
--- a/Makefile.am Wed Jan 20 05:19:11 2016 +0000
+++ b/Makefile.am Fri Jan 29 21:40:32 2016 +0000
@@ -1,8 +1,8 @@
# Dependencies
-OPENJDK_DATE = 11_nov_2015
-OPENJDK_SHA256SUM = 462ac2c28f6dbfb4a18eb46efca232b907d6027f7618715cbc4de5dd73b89e8d
-OPENJDK_VERSION = b38
+OPENJDK_DATE = 20_jan_2016
+OPENJDK_SHA256SUM = ff88dbcbda6c3c7d80b7cbd28065a455cdb009de9874fcf9ff9ca8205d38a257
+OPENJDK_VERSION = b39
OPENJDK_URL = https://java.net/downloads/openjdk6/
CACAO_VERSION = 68fe50ac34ec
@@ -647,7 +647,10 @@
patches/openjdk/6929479-pr363-disable_mmap_zip.patch \
patches/pr2513-layoutengine_reset.patch \
patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch \
- patches/openjdk/8140620-pr2711-find_default.sf2.patch
+ patches/openjdk/8140620-pr2711-find_default.sf2.patch \
+ patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch \
+ patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch \
+ patches/pr2808-fix_disabled_algorithms_test.patch
if WITH_RHINO
ICEDTEA_PATCHES += \
diff -r 6df2ff9d8f54 -r 9e1c6190ff58 NEWS
--- a/NEWS Wed Jan 20 05:19:11 2016 +0000
+++ b/NEWS Fri Jan 29 21:40:32 2016 +0000
@@ -14,6 +14,21 @@
New in release 1.14.0 (201X-XX-XX):
+* Backports
+ - S6611637: NullPointerException in sun.font.GlyphLayout$EngineRecord.init
+ - S6727719: Performance of TextLayout.getBounds()
+ - S6745225: Memory leak while drawing Attributed String
+ - S6904962: GlyphVector.getVisualBounds should not be affected by leading or trailing white space.
+ - S7151089: PS NUMA: NUMA allocator should not attempt to free pages when using SHM large pages
+ - S8013057: Detect mmap() commit failures in Linux and Solaris os::commit_memory() impls and call vm_exit_out_of_memory()
+ - S8026887: Make issues due to failed large pages allocations easier to debug
+ - S8076221, PR2808: Disable RC4 cipher suites
+* Bug fixes
+ - PR1886: IcedTea does not checksum supplied tarballs
+ - PR2083: Add support for building Zero on AArch64
+
+New in release 1.13.10 (2016-01-22):
+
* Security fixes
- S8059054, CVE-2016-0402: Better URL processing
- S8130710, CVE-2016-0448: Better attributes processing
@@ -46,18 +61,8 @@
- S8145551: Test failed with Crash for Improved font lookups
- S8147466: Add -fno-strict-overflow to IndicRearrangementProcessor{,2}.cpp
* Backports
- - S6611637: NullPointerException in sun.font.GlyphLayout$EngineRecord.init
- - S6727719: Performance of TextLayout.getBounds()
- - S6745225: Memory leak while drawing Attributed String
- - S6904962: GlyphVector.getVisualBounds should not be affected by leading or trailing white space.
- - S7151089: PS NUMA: NUMA allocator should not attempt to free pages when using SHM large pages
- S7169111, PR2757: Unreadable menu bar with Ambiance theme in GTK L&F
- - S8013057: Detect mmap() commit failures in Linux and Solaris os::commit_memory() impls and call vm_exit_out_of_memory()
- - S8026887: Make issues due to failed large pages allocations easier to debug
- S8140620, PR2711: Find and load default.sf2 as the default soundbank on Linux
-* Bug fixes
- - PR1886: IcedTea does not checksum supplied tarballs
- - PR2083: Add support for building Zero on AArch64
New in release 1.13.9 (2015-11-13):
diff -r 6df2ff9d8f54 -r 9e1c6190ff58 patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch Fri Jan 29 21:40:32 2016 +0000
@@ -0,0 +1,553 @@
+# HG changeset patch
+# User xuelei
+# Date 1429096621 0
+# Wed Apr 15 11:17:01 2015 +0000
+# Node ID 6a24fc5e32a359335538bfa453040fc2d9ba13e9
+# Parent fe93a8cd20a56dc59e5f2464d7e6bd0d52b807b3
+8076221: Disable RC4 cipher suites
+Reviewed-by: xuelei, wetmore
+
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
+--- openjdk.orig/jdk/src/share/lib/security/java.security-linux 2016-01-20 01:47:58.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-linux 2016-01-25 20:25:35.722972332 +0000
+@@ -451,7 +451,7 @@
+ #
+ # Example:
+ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+ # processing in JSSE implementation.
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-solaris openjdk/jdk/src/share/lib/security/java.security-solaris
+--- openjdk.orig/jdk/src/share/lib/security/java.security-solaris 2016-01-20 01:47:58.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-solaris 2016-01-25 20:24:27.088115212 +0000
+@@ -411,7 +411,7 @@
+ #
+ # Example:
+ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+ # processing in JSSE implementation.
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-windows openjdk/jdk/src/share/lib/security/java.security-windows
+--- openjdk.orig/jdk/src/share/lib/security/java.security-windows 2016-01-20 01:47:58.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-windows 2016-01-25 20:23:50.300727758 +0000
+@@ -428,7 +428,7 @@
+ #
+ # Example:
+ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+ # processing in JSSE implementation.
+diff -Nru openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
+--- openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 1970-01-01 01:00:00.000000000 +0100
++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 2016-01-25 20:17:49.902742622 +0000
+@@ -0,0 +1,362 @@
++/*
++ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.io.BufferedInputStream;
++import java.io.BufferedOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.security.NoSuchAlgorithmException;
++import java.security.Security;
++import java.util.concurrent.TimeUnit;
++import javax.net.ssl.SSLContext;
++import javax.net.ssl.SSLHandshakeException;
++import javax.net.ssl.SSLServerSocket;
++import javax.net.ssl.SSLServerSocketFactory;
++import javax.net.ssl.SSLSocket;
++import javax.net.ssl.SSLSocketFactory;
++
++/**
++ * @test
++ * @bug 8076221
++ * @summary Check if weak cipher suites are disabled
++ * @run main/othervm DisabledAlgorithms default
++ * @run main/othervm DisabledAlgorithms empty
++ */
++public class DisabledAlgorithms {
++
++ private static final String pathToStores =
++ "../../../../sun/security/ssl/etc";
++ private static final String keyStoreFile = "keystore";
++ private static final String trustStoreFile = "truststore";
++ private static final String passwd = "passphrase";
++
++ private static final String keyFilename =
++ System.getProperty("test.src", "./") + "/" + pathToStores +
++ "/" + keyStoreFile;
++
++ private static final String trustFilename =
++ System.getProperty("test.src", "./") + "/" + pathToStores +
++ "/" + trustStoreFile;
++
++ // supported RC4 cipher suites
++ // it does not contain KRB5 cipher suites because they need a KDC
++ private static final String[] rc4_ciphersuites = new String[] {
++ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
++ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
++ "SSL_RSA_WITH_RC4_128_SHA",
++ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
++ "TLS_ECDH_RSA_WITH_RC4_128_SHA",
++ "SSL_RSA_WITH_RC4_128_MD5",
++ "TLS_ECDH_anon_WITH_RC4_128_SHA",
++ "SSL_DH_anon_WITH_RC4_128_MD5"
++ };
++
++ public static void main(String[] args) throws Exception {
++ if (args.length < 1) {
++ throw new RuntimeException("No parameters specified");
++ }
++
++ System.setProperty("javax.net.ssl.keyStore", keyFilename);
++ System.setProperty("javax.net.ssl.keyStorePassword", passwd);
++ System.setProperty("javax.net.ssl.trustStore", trustFilename);
++ System.setProperty("javax.net.ssl.trustStorePassword", passwd);
++
++ switch (args[0]) {
++ case "default":
++ // use default jdk.tls.disabledAlgorithms
++ System.out.println("jdk.tls.disabledAlgorithms = "
++ + Security.getProperty("jdk.tls.disabledAlgorithms"));
++
++ // check if RC4 cipher suites can't be used by default
++ checkFailure(rc4_ciphersuites);
++ break;
++ case "empty":
++ // reset jdk.tls.disabledAlgorithms
++ Security.setProperty("jdk.tls.disabledAlgorithms", "");
++ System.out.println("jdk.tls.disabledAlgorithms = "
++ + Security.getProperty("jdk.tls.disabledAlgorithms"));
++
++ // check if RC4 cipher suites can be used
++ // if jdk.tls.disabledAlgorithms is empty
++ checkSuccess(rc4_ciphersuites);
++ break;
++ default:
++ throw new RuntimeException("Wrong parameter: " + args[0]);
++ }
++ }
++
++ /*
++ * Checks if that specified cipher suites cannot be used.
++ */
++ private static void checkFailure(String[] ciphersuites) throws Exception {
++ try (SSLServer server = SSLServer.init(ciphersuites)) {
++ startNewThread(server);
++ while (!server.isRunning()) {
++ sleep();
++ }
++
++ int port = server.getPort();
++ for (String ciphersuite : ciphersuites) {
++ try (SSLClient client = SSLClient.init(port, ciphersuite)) {
++ client.connect();
++ throw new RuntimeException("Expected SSLHandshakeException "
++ + "not thrown");
++ } catch (SSLHandshakeException e) {
++ System.out.println("Expected exception on client side: "
++ + e);
++ }
++ }
++
++ server.stop();
++ while (server.isRunning()) {
++ sleep();
++ }
++
++ if (!server.sslError()) {
++ throw new RuntimeException("Expected SSL exception "
++ + "not thrown on server side");
++ }
++ }
++
++ }
++
++ /*
++ * Checks if specified cipher suites can be used.
++ */
++ private static void checkSuccess(String[] ciphersuites) throws Exception {
++ try (SSLServer server = SSLServer.init(ciphersuites)) {
++ startNewThread(server);
++ while (!server.isRunning()) {
++ sleep();
++ }
++
++ int port = server.getPort();
++ for (String ciphersuite : ciphersuites) {
++ try (SSLClient client = SSLClient.init(port, ciphersuite)) {
++ client.connect();
++ String negotiated = client.getNegotiatedCipherSuite();
++ System.out.println("Negotiated cipher suite: "
++ + negotiated);
++ if (!negotiated.equals(ciphersuite)) {
++ throw new RuntimeException("Unexpected cipher suite: "
++ + negotiated);
++ }
++ }
++ }
++
++ server.stop();
++ while (server.isRunning()) {
++ sleep();
++ }
++
++ if (server.error()) {
++ throw new RuntimeException("Unexpected error on server side");
++ }
++ }
++
++ }
++
++ private static Thread startNewThread(SSLServer server) {
++ Thread serverThread = new Thread(server, "SSL server thread");
++ serverThread.setDaemon(true);
++ serverThread.start();
++ return serverThread;
++ }
++
++ private static void sleep() {
++ try {
++ TimeUnit.MILLISECONDS.sleep(50);
++ } catch (InterruptedException e) {
++ // do nothing
++ }
++ }
++
++ static class SSLServer implements Runnable, AutoCloseable {
++
++ private final SSLServerSocket ssocket;
++ private volatile boolean stopped = false;
++ private volatile boolean running = false;
++ private volatile boolean sslError = false;
++ private volatile boolean otherError = false;
++
++ private SSLServer(SSLServerSocket ssocket) {
++ this.ssocket = ssocket;
++ }
++
++ @Override
++ public void run() {
++ System.out.println("Server: started");
++ running = true;
++ while (!stopped) {
++ try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
++ System.out.println("Server: accepted client connection");
++ InputStream in = socket.getInputStream();
++ OutputStream out = socket.getOutputStream();
++ int b = in.read();
++ if (b < 0) {
++ throw new IOException("Unexpected EOF");
++ }
++ System.out.println("Server: send data: " + b);
++ out.write(b);
++ out.flush();
++ socket.getSession().invalidate();
++ } catch (SSLHandshakeException e) {
++ System.out.println("Server: run: " + e);
++ sslError = true;
++ } catch (IOException e) {
++ if (!stopped) {
++ System.out.println("Server: run: " + e);
++ e.printStackTrace();
++ otherError = true;
++ }
++ }
++ }
++
++ System.out.println("Server: finished");
++ running = false;
++ }
++
++ int getPort() {
++ return ssocket.getLocalPort();
++ }
++
++ String[] getEnabledCiperSuites() {
++ return ssocket.getEnabledCipherSuites();
++ }
++
++ boolean isRunning() {
++ return running;
++ }
++
++ boolean sslError() {
++ return sslError;
++ }
++
++ boolean error() {
++ return sslError || otherError;
++ }
++
++ void stop() {
++ stopped = true;
++ if (!ssocket.isClosed()) {
++ try {
++ ssocket.close();
++ } catch (IOException e) {
++ System.out.println("Server: close: " + e);
++ }
++ }
++ }
++
++ @Override
++ public void close() {
++ stop();
++ }
++
++ static SSLServer init(String[] ciphersuites)
++ throws IOException {
++ SSLServerSocketFactory ssf = (SSLServerSocketFactory)
++ SSLServerSocketFactory.getDefault();
++ SSLServerSocket ssocket = (SSLServerSocket)
++ ssf.createServerSocket(0);
++
++ if (ciphersuites != null) {
++ System.out.println("Server: enable cipher suites: "
++ + java.util.Arrays.toString(ciphersuites));
++ ssocket.setEnabledCipherSuites(ciphersuites);
++ }
++
++ return new SSLServer(ssocket);
++ }
++ }
++
++ static class SSLClient implements AutoCloseable {
++
++ private final SSLSocket socket;
++
++ private SSLClient(SSLSocket socket) {
++ this.socket = socket;
++ }
++
++ void connect() throws IOException {
++ System.out.println("Client: connect to server");
++ try (
++ BufferedInputStream bis = new BufferedInputStream(
++ socket.getInputStream());
++ BufferedOutputStream bos = new BufferedOutputStream(
++ socket.getOutputStream())) {
++ bos.write('x');
++ bos.flush();
++
++ int read = bis.read();
++ if (read < 0) {
++ throw new IOException("Client: couldn't read a response");
++ }
++ socket.getSession().invalidate();
++ }
++ }
++
++ String[] getEnabledCiperSuites() {
++ return socket.getEnabledCipherSuites();
++ }
++
++ String getNegotiatedCipherSuite() {
++ return socket.getSession().getCipherSuite();
++ }
++
++ @Override
++ public void close() throws Exception {
++ if (!socket.isClosed()) {
++ try {
++ socket.close();
++ } catch (IOException e) {
++ System.out.println("Client: close: " + e);
++ }
++ }
++ }
++
++ static SSLClient init(int port)
++ throws NoSuchAlgorithmException, IOException {
++ return init(port, null);
++ }
More information about the distro-pkg-dev
mailing list