/hg/icedtea8-forest/jdk: 4 new changesets
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Fri Apr 7 17:41:37 UTC 2017
changeset 1ac9b0f1bf17 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=1ac9b0f1bf17
author: coffeys
date: Wed Feb 08 12:10:00 2017 +0000
8173783, PR3328: IllegalArgumentException: jdk.tls.namedGroups
Reviewed-by: xuelei, wetmore
changeset d41592af9af3 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=d41592af9af3
author: adinn
date: Fri Feb 24 10:19:24 2017 +0000
8174729, PR3336, RH1420518: Race Condition in java.lang.reflect.WeakCache
Summary: Race can occur between Proxy.getProxyClass and Proxy.isProxyClass
Reviewed-by: mchung
changeset fb617df8fbac in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=fb617df8fbac
author: rpatil
date: Fri Sep 23 15:14:57 2016 +0530
8144566, PR3352: Custom HostnameVerifier disables SNI extension
Reviewed-by: coffeys
changeset c0e856f2dacd in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=c0e856f2dacd
author: rhalade
date: Mon May 16 10:36:51 2016 -0700
8155049, PR3352: New tests from 8144566 fail with "No expected Server Name Indication"
Reviewed-by: xuelei
diffstat:
src/share/classes/java/lang/reflect/WeakCache.java | 8 +-
src/share/classes/sun/security/ssl/SSLSocketImpl.java | 95 +-
src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java | 23 +-
test/java/lang/reflect/Proxy/ProxyRace.java | 88 ++
test/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java | 335 ++++++++
test/sun/net/www/protocol/https/HttpsURLConnection/ImpactOnSNI.java | 391 ++++++++++
test/sun/security/ssl/ServerHandshaker/HelloExtensionsTest.java | 287 +++++++
7 files changed, 1193 insertions(+), 34 deletions(-)
diffs (truncated from 1359 to 500 lines):
diff -r 9f6a0864a734 -r c0e856f2dacd src/share/classes/java/lang/reflect/WeakCache.java
--- a/src/share/classes/java/lang/reflect/WeakCache.java Mon Mar 21 11:24:09 2016 +0100
+++ b/src/share/classes/java/lang/reflect/WeakCache.java Mon May 16 10:36:51 2016 -0700
@@ -239,11 +239,11 @@
// wrap value with CacheValue (WeakReference)
CacheValue<V> cacheValue = new CacheValue<>(value);
+ // put into reverseMap
+ reverseMap.put(cacheValue, Boolean.TRUE);
+
// try replacing us with CacheValue (this should always succeed)
- if (valuesMap.replace(subKey, this, cacheValue)) {
- // put also in reverseMap
- reverseMap.put(cacheValue, Boolean.TRUE);
- } else {
+ if (!valuesMap.replace(subKey, this, cacheValue)) {
throw new AssertionError("Should not reach here");
}
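Review bot: The new comment `// put into reverseMap` does not say why the put now precedes `valuesMap.replace(...)`, and that ordering is the whole fix. Going by the changeset summary, a lookup through reverseMap could previously run after the value was published in valuesMap but before it was recorded there. I would write `// record in reverseMap before publishing via valuesMap, so a concurrent containsValue() cannot miss a value that get() already returned`. If the replace ever did fail, the reverseMap entry would now be left behind; that path throws AssertionError, so it is probably acceptable, but the comment should mention it. The enclosing method starts and ends outside the hunk.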
diff -r 9f6a0864a734 -r c0e856f2dacd src/share/classes/sun/security/ssl/SSLSocketImpl.java
--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java Mon Mar 21 11:24:09 2016 +0100
+++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java Mon May 16 10:36:51 2016 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -220,6 +220,11 @@
Collections.<SNIServerName>emptyList();
Collection<SNIMatcher> sniMatchers =
Collections.<SNIMatcher>emptyList();
+ // Is the serverNames set to empty with SSLParameters.setServerNames()?
+ private boolean noSniExtension = false;
+
+ // Is the sniMatchers set to empty with SSLParameters.setSNIMatchers()?
+ private boolean noSniMatcher = false;
/*
* READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
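Review bot: The comments on `noSniExtension` and `noSniMatcher` are phrased as questions and leave the three states implicit: never configured, explicitly set to an empty list, and set to a non-empty list. The later hunks in getSSLParameters and setSSLParameters depend on that distinction (an empty list with the flag clear is reported back as `null`), so I would state it at the declaration, e.g. `// true once SSLParameters.setServerNames() was called with an empty list, i.e. the application asked for no SNI extension`. Both flags are plain fields, and only getHost and useImplicitHost are visibly `synchronized`. Whether every other reader and writer holds the socket lock cannot be confirmed from these hunks.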
@@ -666,6 +671,11 @@
}
super.connect(endpoint, timeout);
+
+ if (host == null || host.length() == 0) {
+ useImplicitHost(false);
+ }
+
doneConnect();
}
@@ -2158,41 +2168,61 @@
output.r.setVersion(protocolVersion);
}
+ //
+ // ONLY used by ClientHandshaker for the server hostname during handshaking
+ //
synchronized String getHost() {
// Note that the host may be null or empty for localhost.
if (host == null || host.length() == 0) {
- if (!trustNameService) {
- // If the local name service is not trustworthy, reverse host
- // name resolution should not be performed for endpoint
- // identification. Use the application original specified
- // hostname or IP address instead.
- host = getOriginalHostname(getInetAddress());
- } else {
- host = getInetAddress().getHostName();
- }
+ useImplicitHost(true);
}
return host;
}
/*
- * Get the original application specified hostname.
+ * Try to set and use the implicit specified hostname
*/
- private static String getOriginalHostname(InetAddress inetAddress) {
- /*
- * Get the original hostname via sun.misc.SharedSecrets.
- */
+ private synchronized void useImplicitHost(boolean noSniUpdate) {
+
+ // Note: If the local name service is not trustworthy, reverse
+ // host name resolution should not be performed for endpoint
+ // identification. Use the application original specified
+ // hostname or IP address instead.
+
+ // Get the original hostname via jdk.internal.misc.SharedSecrets
+ InetAddress inetAddress = getInetAddress();
+ if (inetAddress == null) { // not connected
+ return;
+ }
+
JavaNetAccess jna = SharedSecrets.getJavaNetAccess();
String originalHostname = jna.getOriginalHostName(inetAddress);
+ if ((originalHostname != null) &&
+ (originalHostname.length() != 0)) {
- /*
- * If no application specified hostname, use the IP address.
- */
- if (originalHostname == null || originalHostname.length() == 0) {
- originalHostname = inetAddress.getHostAddress();
+ host = originalHostname;
+ if (!noSniUpdate && serverNames.isEmpty() && !noSniExtension) {
+ serverNames =
+ Utilities.addToSNIServerNameList(serverNames, host);
+
+ if (!roleIsServer &&
+ (handshaker != null) && !handshaker.started()) {
+ handshaker.setSNIServerNames(serverNames);
+ }
+ }
+
+ return;
}
- return originalHostname;
+ // No explicitly specified hostname, no server name indication.
+ if (!trustNameService) {
+ // The local name service is not trustworthy, use IP address.
+ host = inetAddress.getHostAddress();
+ } else {
+ // Use the underlying reverse host name resolution service.
+ host = getInetAddress().getHostName();
+ }
}
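Review bot: In the fallback at the end of useImplicitHost, the `trustNameService` branch calls `getInetAddress().getHostName()` again instead of using the local `inetAddress` that was null-checked above; `host = inetAddress.getHostName();` would match the other branch. Because connect() now calls `useImplicitHost(false)` (earlier hunk), that reverse lookup can run at connect time inside the synchronized method, where it used to happen only lazily in getHost(). If that is not intended, return before the fallback when the call comes from connect(). The `noSniUpdate` parameter has no documentation. The new comment names `jdk.internal.misc.SharedSecrets` while the removed one said `sun.misc.SharedSecrets`, so one of them is presumably wrong for this tree.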
@@ -2205,6 +2235,10 @@
this.host = host;
this.serverNames =
Utilities.addToSNIServerNameList(this.serverNames, this.host);
+
+ if (!roleIsServer && (handshaker != null) && !handshaker.started()) {
+ handshaker.setSNIServerNames(serverNames);
+ }
}
/**
@@ -2571,8 +2605,21 @@
// the super implementation does not handle the following parameters
params.setEndpointIdentificationAlgorithm(identificationProtocol);
params.setAlgorithmConstraints(algorithmConstraints);
- params.setSNIMatchers(sniMatchers);
- params.setServerNames(serverNames);
+
+ if (sniMatchers.isEmpty() && !noSniMatcher) {
+ // 'null' indicates none has been set
+ params.setSNIMatchers(null);
+ } else {
+ params.setSNIMatchers(sniMatchers);
+ }
+
+ if (serverNames.isEmpty() && !noSniExtension) {
+ // 'null' indicates none has been set
+ params.setServerNames(null);
+ } else {
+ params.setServerNames(serverNames);
+ }
+
params.setUseCipherSuitesOrder(preferLocalCipherSuites);
return params;
@@ -2592,11 +2639,13 @@
List<SNIServerName> sniNames = params.getServerNames();
if (sniNames != null) {
+ noSniExtension = sniNames.isEmpty();
serverNames = sniNames;
}
Collection<SNIMatcher> matchers = params.getSNIMatchers();
if (matchers != null) {
+ noSniMatcher = matchers.isEmpty();
sniMatchers = matchers;
}
diff -r 9f6a0864a734 -r c0e856f2dacd src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java
--- a/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java Mon Mar 21 11:24:09 2016 +0100
+++ b/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java Mon May 16 10:36:51 2016 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -43,6 +43,9 @@
final class SupportedEllipticCurvesExtension extends HelloExtension {
+ /* Class and subclass dynamic debugging support */
+ private static final Debug debug = Debug.getInstance("ssl");
+
private static final int ARBITRARY_PRIME = 0xff01;
private static final int ARBITRARY_CHAR2 = 0xff02;
@@ -159,6 +162,11 @@
} // ignore unknown curves
}
}
+ if (idList.isEmpty() && JsseJce.isEcAvailable()) {
+ throw new IllegalArgumentException(
+ "System property jdk.tls.namedGroups(" + property + ") " +
+ "contains no supported elliptic curves");
+ }
} else { // default curves
int[] ids;
if (requireFips) {
@@ -183,18 +191,19 @@
}
}
- if (idList.isEmpty()) {
- throw new IllegalArgumentException(
- "System property jdk.tls.namedGroups(" + property + ") " +
- "contains no supported elliptic curves");
- } else {
+ if (debug != null && idList.isEmpty()) {
+ debug.println(
+ "Initialized [jdk.tls.namedGroups|default] list contains " +
+ "no available elliptic curves. " +
+ (property != null ? "(" + property + ")" : "[Default]"));
+ }
+
supportedCurveIds = new int[idList.size()];
int i = 0;
for (Integer id : idList) {
supportedCurveIds[i++] = id;
}
}
- }
// check whether the curve is supported by the underlying providers
private static boolean isAvailableCurve(int curveId) {
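Review bot: After this change `supportedCurveIds` can be a zero-length array, and the only signal is a `debug.println` that appears when ssl debugging is enabled. Code that reads the array is outside this hunk and not checked here, but it must now tolerate length 0. An operator who sets `jdk.tls.namedGroups` on a runtime without EC support gets no indication by default that no curves are offered. A comment at the assignment such as `// may be empty when no EC provider is available; callers must not assume a first element` would record the new invariant. The debug text `[jdk.tls.namedGroups|default]` reads oddly next to the suffix that already says which of the two applied.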
diff -r 9f6a0864a734 -r c0e856f2dacd test/java/lang/reflect/Proxy/ProxyRace.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/lang/reflect/Proxy/ProxyRace.java Mon May 16 10:36:51 2016 -0700
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.lang.reflect.Proxy;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Phaser;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicInteger;
+
+/**
+ * @test
+ * @bug 8174729
+ * @summary Proxy.getProxyClass() / Proxy.isProxyClass() race detector
+ * @run main ProxyRace
+ * @author plevart
+ */
+
+public class ProxyRace {
+
+ static final int threads = 8;
+
+ static volatile ClassLoader classLoader;
+ static volatile boolean terminate;
+ static final AtomicInteger racesDetected = new AtomicInteger();
+
+ public static void main(String[] args) throws Exception {
+
+ Phaser phaser = new Phaser(threads) {
+ @Override
+ protected boolean onAdvance(int phase, int registeredParties) {
+ // install new ClassLoader on each advance
+ classLoader = new CL();
+ return terminate;
+ }
+ };
+
+ ExecutorService exe = Executors.newFixedThreadPool(threads);
+
+ for (int i = 0; i < threads; i++) {
+ exe.execute(() -> {
+ while (phaser.arriveAndAwaitAdvance() >= 0) {
+ Class<?> proxyClass = Proxy.getProxyClass(classLoader, Runnable.class);
+ if (!Proxy.isProxyClass(proxyClass)) {
+ racesDetected.incrementAndGet();
+ }
+ }
+ });
+ }
+
+ Thread.sleep(5000L);
+
+ terminate = true;
+ exe.shutdown();
+ exe.awaitTermination(5L, TimeUnit.SECONDS);
+
+ System.out.println(racesDetected.get() + " races detected");
+ if (racesDetected.get() != 0) {
+ throw new RuntimeException(racesDetected.get() + " races detected");
+ }
+ }
+
+ static class CL extends ClassLoader {
+ public CL() {
+ super(ClassLoader.getSystemClassLoader());
+ }
+ }
+}
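Review bot: The result of `exe.awaitTermination(5L, TimeUnit.SECONDS)` is discarded, so if a worker is still blocked the test reads `racesDetected` anyway and may report success while the non-daemon pool threads keep the VM alive. I would check it: `if (!exe.awaitTermination(5L, TimeUnit.SECONDS)) { throw new RuntimeException("workers did not terminate"); }`. Detection also depends on the fixed `Thread.sleep(5000L)` window, so a pass means no race was observed in five seconds, not that none exists. A short comment saying so would help whoever triages a future intermittent failure.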
diff -r 9f6a0864a734 -r c0e856f2dacd test/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java Mon May 16 10:36:51 2016 -0700
@@ -0,0 +1,335 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
+/**
+ * @test
+ * @bug 8144566
+ * @summary Custom HostnameVerifier disables SNI extension
+ * @run main/othervm BestEffortOnLazyConnected
+ */
+
+import java.io.*;
+import java.net.*;
+import javax.net.ssl.*;
+
+public class BestEffortOnLazyConnected {
+
+ /*
+ * =============================================================
+ * Set the various variables needed for the tests, then
+ * specify what tests to run on each side.
+ */
+
+ /*
+ * Should we run the client or server in a separate thread?
+ * Both sides can throw exceptions, but do you have a preference
+ * as to which side should be the main thread.
+ */
+ private static final boolean separateServerThread = true;
+
+ /*
+ * Where do we find the keystores?
+ */
+ private static final String pathToStores = "../../../../sun/security/ssl/etc";
+ private static final String keyStoreFile = "keystore";
+ private static final String trustStoreFile = "truststore";
+ private static final String passwd = "passphrase";
+
+ /*
+ * Is the server ready to serve?
+ */
+ private static volatile boolean serverReady = false;
+
+ /*
+ * Turn on SSL debugging?
+ */
+ private static final boolean debug = false;
+
+ /*
+ * the fully qualified domain name of localhost
+ */
+ private static String hostname = null;
+
+ /*
+ * If the client or server is doing some kind of object creation
+ * that the other side depends on, and that thread prematurely
+ * exits, you may experience a hang. The test harness will
+ * terminate all hung threads after its timeout has expired,
+ * currently 3 minutes by default, but you might try to be
+ * smart about it....
+ */
+
+ /*
+ * Define the server side of the test.
+ *
+ * If the server prematurely exits, serverReady will be set to true
+ * to avoid infinite hangs.
+ */
+ private void doServerSide() throws Exception {
+ SSLServerSocketFactory sslssf =
+ (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
+ try (SSLServerSocket sslServerSocket =
+ (SSLServerSocket) sslssf.createServerSocket(serverPort)) {
+
+ serverPort = sslServerSocket.getLocalPort();
+
+ /*
+ * Signal Client, we're ready for his connect.
+ */
+ serverReady = true;
+
+ try (SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept()) {
+ InputStream sslIS = sslSocket.getInputStream();
+ OutputStream sslOS = sslSocket.getOutputStream();
+
+ sslIS.read();
+ sslOS.write(85);
+ sslOS.flush();
+
+ ExtendedSSLSession session =
+ (ExtendedSSLSession)sslSocket.getSession();
+ if (session.getRequestedServerNames().isEmpty()) {
+ throw new Exception("No expected Server Name Indication");
+ }
+ }
+ }
+ }
+
+ /*
+ * Define the client side of the test.
+ *
+ * If the server prematurely exits, serverReady will be set to true
+ * to avoid infinite hangs.
+ */
+ private void doClientSide() throws Exception {
+
+ /*
+ * Wait for server to get started.
+ */
+ while (!serverReady) {
+ Thread.sleep(50);
+ }
+
+ SSLSocketFactory sslsf =
+ (SSLSocketFactory) SSLSocketFactory.getDefault();
+
+ try (SSLSocket sslSocket = (SSLSocket)sslsf.createSocket()) {
+
+ sslSocket.connect(new InetSocketAddress(hostname, serverPort), 0);
+
+ InputStream sslIS = sslSocket.getInputStream();
+ OutputStream sslOS = sslSocket.getOutputStream();
+
+ sslOS.write(280);
+ sslOS.flush();
+ sslIS.read();
+ }
+ }
+
+
+ /*
+ * =============================================================
+ * The remainder is just support stuff
+ */
+
+ // use any free port by default
+ private volatile int serverPort = 0;
+