From tejohnson at yahoo.com Sun Jan 3 13:00:03 2010 From: tejohnson at yahoo.com (Todd E. Johnson) Date: Sun, 03 Jan 2010 16:00:03 -0500 Subject: [security-dev 01487]: OCSP Issues in JDK6 Message-ID: <4B410553.8090608@yahoo.com> Hello, I posted a bug on this issue at http://bugreport.sun.com/ The Sun provider currently ignores all but the first SingleResponse in an OCSPResponse object. This leads to an OCSP validation attempt being discarded when receiving a response from an OCSP responder that provides 1..n SingleRespone in a responses Sequence. The provider also may allow the encounter of an OCSP extension that is flagged critical. The provider currently ignores all extensions in the SingleResponse object. I believe if an extension is flagged critical, and the provider is not capable of processing the extension, the response MUST be discarded. I have created a patch to the JDK6 provider, and a piece of code to provide an example pre/post patching. It can be retrieved from: http://keysupport.org/code/java/Sun_Provider_OCSP_Proposed.tar.gz Thanks! -- Regards, Todd E. Johnson From Weijun.Wang at Sun.COM Sun Jan 3 21:47:13 2010 From: Weijun.Wang at Sun.COM (Max (Weijun) Wang) Date: Mon, 04 Jan 2010 13:47:13 +0800 Subject: [security-dev 01488]: Re: RFC: keytab automatic refresh in Java In-Reply-To: <6DFB7922-FFB9-48A4-B050-80C83D2A0AD6@sun.com> References: <6DFB7922-FFB9-48A4-B050-80C83D2A0AD6@sun.com> Message-ID: Hi Please take a review at the CCC: http://ccc.sfbay.sun.com/6894072 Thanks Max On Dec 22, 2009, at 12:25 PM, Max (Weijun) Wang wrote: > Hi All > > I'm planning to support keytab refresh in Java, which means the > keytab's content is always reloaded right after AP-REQ is received > on the acceptor side. > > One benefit is that when the service is started, the keytab file > needn't include the keys for the service, or, it can simply be non- > existent. More benefits are key refresh, key revocation, etc, etc. > > Currently, when useKeyTab is specified in the JAAS login config > file, if keys for the service name cannot be found inside the > keytab, JAAS automatically fallback to username/password prompt, and > if they cannot be provided, the login fails. In my plan, when keytab > refresh is supported, keytab will always be used even if it does not > exist, because there's a chance that it will contain the proper keys > later. > > So this introduces a behavior change, and I want to know how big the > risk is. > > Do you know if any customer relies on the current fallback? That is > to say, they manually config useKeyTab=true in the JAAS login > config, but (sometimes) does not provide a keytab file with correct > keys, and they expect username and password will be prompted for. > > The behavior change also means that if there is really something > wrong with the keytab config (say, wrong path name), currently an > app fails as soon as it starts, but with keytab refresh, it only > fails when AP-REQ is received. > > How does Solaris deal with keytab changes? Does it accept an empty > (or non-existent) keytab? > > Thanks > Max > From weijun.wang at sun.com Mon Jan 4 18:43:30 2010 From: weijun.wang at sun.com (weijun.wang at sun.com) Date: Tue, 05 Jan 2010 02:43:30 +0000 Subject: [security-dev 01489]: hg: jdk7/tl/jdk: 2 new changesets Message-ID: <20100105024356.518AB422D7@hg.openjdk.java.net> Changeset: ef9774dc4f5a Author: weijun Date: 2010-01-05 10:40 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/ef9774dc4f5a 6895424: RFC 5653 Reviewed-by: valeriep ! src/share/classes/org/ietf/jgss/GSSName.java ! src/share/classes/sun/security/jgss/GSSManagerImpl.java ! src/share/classes/sun/security/jgss/GSSNameImpl.java ! src/share/classes/sun/security/jgss/GSSUtil.java ! src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java + test/sun/security/krb5/auto/Test5653.java Changeset: c028d78fa438 Author: weijun Date: 2010-01-05 10:40 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/c028d78fa438 6913636: kvno check in JSSE Reviewed-by: valeriep ! src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java ! test/sun/security/krb5/auto/SSL.java From Sean.Mullan at Sun.COM Tue Jan 5 13:20:29 2010 From: Sean.Mullan at Sun.COM (Sean Mullan) Date: Tue, 05 Jan 2010 16:20:29 -0500 Subject: [security-dev 01490]: Re: OCSP Issues in JDK6 In-Reply-To: <4B410553.8090608@yahoo.com> References: <4B410553.8090608@yahoo.com> Message-ID: <4B43AD1D.5090404@sun.com> Hi Todd, This should be fixed in OpenJDK 7. Can you test against JDK 7 to see if it works and I'll investigate porting the fix to OpenJDK 6? --Sean Todd E. Johnson wrote: > Hello, > > I posted a bug on this issue at http://bugreport.sun.com/ > > The Sun provider currently ignores all but the first SingleResponse in > an OCSPResponse object. This leads to an OCSP validation attempt being > discarded when receiving a response from an OCSP responder that provides > 1..n SingleRespone in a responses Sequence. > > The provider also may allow the encounter of an OCSP extension that is > flagged critical. The provider currently ignores all extensions in the > SingleResponse object. I believe if an extension is flagged critical, > and the provider is not capable of processing the extension, the > response MUST be discarded. > > I have created a patch to the JDK6 provider, and a piece of code to > provide an example pre/post patching. It can be retrieved from: > > http://keysupport.org/code/java/Sun_Provider_OCSP_Proposed.tar.gz > > Thanks! > From kelly.ohair at sun.com Tue Jan 5 13:44:27 2010 From: kelly.ohair at sun.com (kelly.ohair at sun.com) Date: Tue, 05 Jan 2010 21:44:27 +0000 Subject: [security-dev 01491]: hg: jdk7/tl/jdk: 10 new changesets Message-ID: <20100105214650.D5D7B42414@hg.openjdk.java.net> Changeset: 7e116fd3a724 Author: ohair Date: 2010-01-04 15:30 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/7e116fd3a724 6910834: TEST: java/io/File/Basic.java fails on Windows CYGWIN environment Reviewed-by: tbell, alanb ! test/java/io/File/Basic.java ! test/java/io/File/basic.sh Changeset: ad19f61a0fa6 Author: ohair Date: 2010-01-04 15:33 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/ad19f61a0fa6 6910835: TESTS: 3 java/io run.sh tests fail when run on Windows XP CYGWIN Reviewed-by: tbell, alanb ! test/java/io/Serializable/evolution/RenamePackage/run.sh ! test/java/io/Serializable/serialver/classpath/run.sh ! test/java/io/Serializable/serialver/nested/run.sh Changeset: f9aa7e58974d Author: ohair Date: 2010-01-04 15:36 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/f9aa7e58974d 6911113: These tests do not work with CYGWIN: java/nio Reviewed-by: tbell, alanb ! test/java/nio/channels/Selector/lots_of_updates.sh ! test/java/nio/channels/spi/AsynchronousChannelProvider/custom_provider.sh ! test/java/nio/file/Files/walk_file_tree.sh ! test/java/nio/file/Path/delete_on_close.sh Changeset: 7595c6a198d3 Author: ohair Date: 2010-01-04 15:38 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/7595c6a198d3 6911117: These tests do not work with CYGWIN: com/sun/jdi Reviewed-by: tbell, alanb ! test/com/sun/jdi/ProcessAttachTest.sh ! test/com/sun/jdi/connect/spi/JdiLoadedByCustomLoader.sh Changeset: caf27afcae8d Author: ohair Date: 2010-01-04 15:41 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/caf27afcae8d 6911131: Test does not work with CYGWIN: sun/management/jmxremote/bootstrap/RmiSslNoKeyStoreTest.sh Reviewed-by: tbell, alanb ! test/sun/management/jmxremote/bootstrap/GeneratePropertyPassword.sh Changeset: f86db0646421 Author: ohair Date: 2010-01-04 15:45 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/f86db0646421 6911112: Tests do not work with CYGWIN: javax/imageio/, javax/script/, and sun/misc/ Reviewed-by: tbell, alanb ! test/javax/imageio/stream/StreamCloserLeak/run_test.sh ! test/javax/script/CommonSetup.sh ! test/javax/script/ProviderTest.sh ! test/sun/misc/URLClassPath/ClassnameCharTest.sh Changeset: 07fdd926aaea Author: ohair Date: 2010-01-04 15:49 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/07fdd926aaea 6911129: These tests do not work with CYGWIN: java/lang Reviewed-by: tbell, alanb ! test/java/beans/Introspector/Test5102804.java ! test/java/lang/ClassLoader/deadlock/TestOneWayDelegate.sh ! test/java/lang/StringCoding/CheckEncodings.sh ! test/java/lang/System/finalization/FinExit.sh ! test/java/lang/annotation/loaderLeak/LoaderLeak.sh ! test/java/lang/instrument/appendToClassLoaderSearch/CommonSetup.sh Changeset: 1d6f315e42f1 Author: ohair Date: 2010-01-04 15:52 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/1d6f315e42f1 6911108: These tests do not work with CYGWIN: java/util Reviewed-by: tbell, alanb ! test/java/util/Currency/PropertiesTest.sh ! test/java/util/PluggableLocale/ExecTest.sh ! test/java/util/ResourceBundle/Bug6299235Test.sh ! test/java/util/ResourceBundle/Control/ExpirationTest.sh ! test/java/util/ServiceLoader/basic.sh Changeset: 6f2a5912f5be Author: ohair Date: 2010-01-04 15:56 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/6f2a5912f5be 6911104: Tests do not work with CYGWIN: tools, sun/tools, and com/sun/tools Reviewed-by: tbell, alanb ! test/com/sun/tools/attach/ApplicationSetup.sh ! test/com/sun/tools/attach/BasicTests.sh ! test/com/sun/tools/attach/CommonSetup.sh ! test/com/sun/tools/attach/PermissionTests.sh ! test/com/sun/tools/attach/ProviderTests.sh ! test/sun/jvmstat/testlibrary/utils.sh ! test/sun/tools/common/ApplicationSetup.sh ! test/sun/tools/common/CommonSetup.sh ! test/sun/tools/jps/jps-help.sh ! test/sun/tools/jstat/jstatHelp.sh ! test/sun/tools/jstat/jstatOptions1.sh ! test/sun/tools/jstatd/jstatdUsage1.sh ! test/sun/tools/native2ascii/Native2AsciiTests.sh ! test/tools/launcher/ChangeDataModel.sh ! test/tools/launcher/ClassPathWildCard.sh ! test/tools/launcher/DefaultLocaleTest.sh ! test/tools/launcher/UnicodeTest.sh Changeset: b7cf91e43c67 Author: ohair Date: 2010-01-05 13:44 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/b7cf91e43c67 Merge From Sean.Mullan at Sun.COM Wed Jan 6 05:40:11 2010 From: Sean.Mullan at Sun.COM (Sean Mullan) Date: Wed, 06 Jan 2010 08:40:11 -0500 Subject: [security-dev 01492]: Secure Coding Guidelines for the Java Programming Language, Version 3.0 Message-ID: <4B4492BB.5050205@sun.com> A new version (3.0) of the Secure Coding Guidelines for the Java Programming Language has just been published at http://java.sun.com/security/seccodeguide.html The secure coding guidelines documents best practices and patterns that you should adhere to when writing Java code in order to avoid vulnerabilities. These guidelines are important for every Java developer, whether you are writing a trusted library or an end-user application. Version 3.0 is a significant enhancement and includes a new section on fundamentals as well as many new guidelines and enhancements. Please send us any feedback you may have. Thanks, Sean From jonathan.gibbons at sun.com Wed Jan 6 13:11:53 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Wed, 06 Jan 2010 21:11:53 +0000 Subject: [security-dev 01493]: hg: jdk7/tl/langtools: 6307206: missing lint control for pkg-info Message-ID: <20100106211159.37EB342595@hg.openjdk.java.net> Changeset: 0220a3ab1a40 Author: jjg Date: 2010-01-06 13:09 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/0220a3ab1a40 6307206: missing lint control for pkg-info Reviewed-by: darcy ! src/share/classes/com/sun/tools/javac/resources/compiler.properties From jonathan.gibbons at sun.com Wed Jan 6 13:17:40 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Wed, 06 Jan 2010 21:17:40 +0000 Subject: [security-dev 01494]: hg: jdk7/tl/langtools: 6855236: Compiler Tree API TreePath class generates NullPointerException from Iterator Message-ID: <20100106211742.0860D42599@hg.openjdk.java.net> Changeset: d4e0ae9b4ecb Author: jjg Date: 2010-01-06 13:16 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/d4e0ae9b4ecb 6855236: Compiler Tree API TreePath class generates NullPointerException from Iterator Reviewed-by: darcy + test/tools/javac/T6855236.java From tomasg at primekey.se Thu Jan 7 00:10:44 2010 From: tomasg at primekey.se (Tomas Gustavsson) Date: Thu, 07 Jan 2010 09:10:44 +0100 Subject: [security-dev 01495]: ECC non-named parameters in ECParameters.java In-Reply-To: <20100106211742.0860D42599@hg.openjdk.java.net> References: <20100106211742.0860D42599@hg.openjdk.java.net> Message-ID: <4B459704.3000802@primekey.se> Hi, In ECParameters,java there is a section that is commented out and claims to be incomplete. We have used this code successfully to use Brainpool curves (not supported by jdk otherwise) using an HSM (SafeNet ProtectServer). I wrote a howto for users of EJBCA at http://ejbca.org/cvccas.html#Using%20EC%20keys. This howto naturally includes patching ECParameters to enable this code. It seems to work just fine. Does anyone know why this code is supposed to be incomplete? And what would it take to get it enabled in JDK so we don't have to patch the jdk? Kind regards, Tomas Gustavsson PrimeKey Solutions AB From mandy.chung at sun.com Thu Jan 7 08:15:59 2010 From: mandy.chung at sun.com (mandy.chung at sun.com) Date: Thu, 07 Jan 2010 16:15:59 +0000 Subject: [security-dev 01496]: hg: jdk7/tl/jdk: 6911737: Module build: generate modules with native libraries and any other files not in jar Message-ID: <20100107161644.9D5CE426CC@hg.openjdk.java.net> Changeset: d30f2e22fffd Author: mchung Date: 2010-01-07 08:14 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/d30f2e22fffd 6911737: Module build: generate modules with native libraries and any other files not in jar Summary: create modules under OUTPUTDIR/modules directory containing resources, native libraries Reviewed-by: alanb, ohair ! make/com/sun/crypto/provider/Makefile ! make/com/sun/java/pack/Makefile ! make/com/sun/java/pack/prop/Makefile ! make/com/sun/jndi/cosnaming/Makefile ! make/com/sun/jndi/dns/Makefile ! make/com/sun/jndi/ldap/Makefile ! make/com/sun/jndi/rmi/registry/Makefile ! make/com/sun/nio/sctp/Makefile ! make/com/sun/org/apache/xml/Makefile ! make/com/sun/rowset/Makefile ! make/com/sun/script/Makefile ! make/com/sun/security/auth/module/Makefile ! make/com/sun/servicetag/Makefile ! make/com/sun/tools/attach/Makefile ! make/common/Defs.gmk ! make/common/Demo.gmk ! make/common/Library.gmk ! make/common/Modules.gmk ! make/common/Program.gmk ! make/common/internal/BinaryPlugs.gmk ! make/common/internal/Resources.gmk ! make/common/shared/Sanity.gmk ! make/java/awt/Makefile ! make/java/fdlibm/Makefile ! make/java/hpi/native/Makefile ! make/java/hpi/windows/Makefile ! make/java/instrument/Makefile ! make/java/java/Makefile ! make/java/java_crw_demo/Makefile ! make/java/java_hprof_demo/Makefile ! make/java/jli/Makefile ! make/java/jvm/Makefile ! make/java/logging/Makefile ! make/java/main/java/Makefile ! make/java/main/javaw/Makefile ! make/java/management/Makefile ! make/java/net/Makefile ! make/java/nio/Makefile ! make/java/npt/Makefile - make/java/redist/FILES.gmk ! make/java/redist/Makefile + make/java/redist/fonts/Makefile + make/java/redist/sajdi/Makefile ! make/java/security/Makefile ! make/java/sql/Makefile ! make/java/text/Makefile ! make/java/verify/Makefile ! make/java/zip/Makefile ! make/javax/crypto/Makefile ! make/javax/imageio/Makefile ! make/javax/print/Makefile ! make/javax/sound/Makefile ! make/javax/sound/jsoundalsa/Makefile ! make/javax/sound/jsoundds/Makefile ! make/javax/sql/Makefile ! make/javax/swing/Makefile ! make/javax/swing/plaf/Makefile ! make/jpda/back/Makefile ! make/jpda/transport/Makefile ! make/jpda/transport/shmem/Makefile ! make/jpda/transport/socket/Makefile ! make/jpda/tty/Makefile ! make/launchers/Makefile ! make/mkdemo/jvmti/Makefile ! make/mkdemo/management/Makefile ! make/mksample/dtrace/Makefile ! make/mksample/jmx/jmx-scandir/Makefile ! make/mksample/nbproject/Makefile ! make/mksample/nio/file/Makefile ! make/mksample/nio/multicast/Makefile ! make/mksample/nio/server/Makefile ! make/mksample/scripting/scriptpad/Makefile ! make/mksample/webservices/EbayClient/Makefile ! make/mksample/webservices/EbayServer/Makefile ! make/modules/Makefile ! make/modules/modules.config ! make/modules/tools/nbproject/project.xml ! make/modules/tools/src/com/sun/classanalyzer/Module.java ! make/sun/applet/Makefile ! make/sun/awt/Makefile ! make/sun/cmm/Makefile ! make/sun/cmm/kcms/Makefile ! make/sun/cmm/lcms/Makefile ! make/sun/dcpr/Makefile ! make/sun/font/Makefile ! make/sun/font/t2k/Makefile ! make/sun/headless/Makefile ! make/sun/image/generic/Makefile ! make/sun/image/vis/Makefile ! make/sun/jar/Makefile ! make/sun/javazic/Makefile ! make/sun/jawt/Makefile ! make/sun/jconsole/Makefile ! make/sun/jdbc/Makefile ! make/sun/jdga/Makefile ! make/sun/jkernel/Makefile ! make/sun/jpeg/Makefile ! make/sun/launcher/Makefile ! make/sun/management/Makefile ! make/sun/native2ascii/Makefile ! make/sun/net/others/Makefile ! make/sun/net/spi/nameservice/dns/Makefile - make/sun/nio/FILES_java.gmk ! make/sun/nio/Makefile + make/sun/nio/cs/FILES_java.gmk + make/sun/nio/cs/Makefile ! make/sun/org/mozilla/javascript/Makefile ! make/sun/pisces/Makefile ! make/sun/rmi/cgi/Makefile ! make/sun/rmi/oldtools/Makefile ! make/sun/rmi/registry/Makefile ! make/sun/rmi/rmi/Makefile ! make/sun/rmi/rmic/Makefile ! make/sun/rmi/rmid/Makefile ! make/sun/security/ec/Makefile ! make/sun/security/jgss/wrapper/Makefile ! make/sun/security/krb5/Makefile ! make/sun/security/mscapi/Makefile ! make/sun/security/pkcs11/Makefile ! make/sun/security/smartcardio/Makefile ! make/sun/security/tools/Makefile ! make/sun/serialver/Makefile ! make/sun/splashscreen/Makefile ! make/sun/text/Makefile ! make/sun/tools/Makefile ! make/sun/tracing/dtrace/Makefile ! make/sun/xawt/Makefile From Christopher.Wood at entrust.com Thu Jan 7 08:47:17 2010 From: Christopher.Wood at entrust.com (Christopher Wood ( Ottawa )) Date: Thu, 7 Jan 2010 11:47:17 -0500 Subject: [security-dev 01497]: Support for TLS 1.1 & 1.2 Message-ID: I have two question regarding TLS support in JSSE: 1. In a previous email (January 2008) someone asked about support for TLS 1.1. The reply indicated that it was planned for J2SE 7 and that the implementation was in progress; is that still the case? Is the implementation complete? 2. Are there any plans to support TLS 1.2? If so, in what release and timeframe? Christopher Wood Software Developer Phone: (613) 270-2926 Entrust Securing Digital Identities & Information http://www.entrust.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.openjdk.java.net/pipermail/security-dev/attachments/20100107/6e936266/attachment.html From joe.darcy at sun.com Thu Jan 7 19:34:45 2010 From: joe.darcy at sun.com (joe.darcy at sun.com) Date: Fri, 08 Jan 2010 03:34:45 +0000 Subject: [security-dev 01498]: hg: jdk7/tl/jdk: 6915171: Clarify checked/unchecked status of Throwable and its subclasses Message-ID: <20100108033511.09D8942785@hg.openjdk.java.net> Changeset: d36fa10de3cb Author: darcy Date: 2010-01-07 19:42 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/d36fa10de3cb 6915171: Clarify checked/unchecked status of Throwable and its subclasses Reviewed-by: dholmes ! src/share/classes/java/lang/Error.java ! src/share/classes/java/lang/Exception.java ! src/share/classes/java/lang/RuntimeException.java ! src/share/classes/java/lang/Throwable.java From jonathan.gibbons at sun.com Fri Jan 8 11:14:46 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Fri, 08 Jan 2010 19:14:46 +0000 Subject: [security-dev 01499]: hg: jdk7/tl/langtools: 6878147: Keywords.log is declared and initialized but unused Message-ID: <20100108191450.89D594288B@hg.openjdk.java.net> Changeset: c315df443ff2 Author: jjg Date: 2010-01-08 11:11 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/c315df443ff2 6878147: Keywords.log is declared and initialized but unused Reviewed-by: darcy ! src/share/classes/com/sun/tools/javac/parser/Keywords.java From jonathan.gibbons at sun.com Fri Jan 8 11:18:46 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Fri, 08 Jan 2010 19:18:46 +0000 Subject: [security-dev 01500]: hg: jdk7/tl/langtools: 6878146: incorrect unused value should be deleted Message-ID: <20100108191848.1B15B4288F@hg.openjdk.java.net> Changeset: 2d15bf467aea Author: jjg Date: 2010-01-08 11:16 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/2d15bf467aea 6878146: incorrect unused value should be deleted Reviewed-by: darcy ! src/share/classes/com/sun/tools/javac/util/LayoutCharacters.java From jonathan.gibbons at sun.com Fri Jan 8 11:29:35 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Fri, 08 Jan 2010 19:29:35 +0000 Subject: [security-dev 01501]: hg: jdk7/tl/langtools: 6665791: com.sun.source.tree.MethodTree.toString() does not output default values Message-ID: <20100108192937.B918942892@hg.openjdk.java.net> Changeset: 0e75f9f6d1d4 Author: jjg Date: 2010-01-08 11:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/0e75f9f6d1d4 6665791: com.sun.source.tree.MethodTree.toString() does not output default values Reviewed-by: darcy ! src/share/classes/com/sun/tools/javac/tree/Pretty.java + test/tools/javac/T6665791.java From jonathan.gibbons at sun.com Fri Jan 8 11:33:48 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Fri, 08 Jan 2010 19:33:48 +0000 Subject: [security-dev 01502]: hg: jdk7/tl/langtools: 6915078: ALT_JDK_IMPORT_PATH typo in langtools/make/Makefile Message-ID: <20100108193350.9219742894@hg.openjdk.java.net> Changeset: aa06467be3a2 Author: jjg Date: 2010-01-08 11:32 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/aa06467be3a2 6915078: ALT_JDK_IMPORT_PATH typo in langtools/make/Makefile Reviewed-by: tbell ! make/Makefile From jonathan.gibbons at sun.com Fri Jan 8 13:36:33 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Fri, 08 Jan 2010 21:36:33 +0000 Subject: [security-dev 01503]: hg: jdk7/tl/langtools: 6915152: langtools build failures with import.jdk on Windows Message-ID: <20100108213636.E3650428B7@hg.openjdk.java.net> Changeset: 96c56220dcc2 Author: jjg Date: 2010-01-08 13:14 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/96c56220dcc2 6915152: langtools build failures with import.jdk on Windows Reviewed-by: ohair ! make/build.xml From alan.bateman at sun.com Sun Jan 10 04:45:24 2010 From: alan.bateman at sun.com (alan.bateman at sun.com) Date: Sun, 10 Jan 2010 12:45:24 +0000 Subject: [security-dev 01504]: hg: jdk7/tl/jdk: 2 new changesets Message-ID: <20100110124632.EA1E842B34@hg.openjdk.java.net> Changeset: 755dd6bdccca Author: alanb Date: 2010-01-09 19:32 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/755dd6bdccca 6907760: (file) OVERFLOW event should cause pending events to be purged Reviewed-by: chegar ! src/share/classes/sun/nio/fs/AbstractWatchKey.java + test/java/nio/file/WatchService/OverflowEventIsLoner.java Changeset: 0f0aee89e282 Author: alanb Date: 2010-01-10 12:29 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/0f0aee89e282 6913877: (fs) AsynchronousFileChannel.write can return wrong result under load [win] Reviewed-by: chegar ! src/windows/classes/sun/nio/ch/WindowsAsynchronousFileChannelImpl.java ! src/windows/native/sun/nio/ch/WindowsAsynchronousFileChannelImpl.c + test/java/nio/channels/AsynchronousFileChannel/LotsOfWrites.java From christopher.hegarty at sun.com Mon Jan 11 13:58:05 2010 From: christopher.hegarty at sun.com (christopher.hegarty at sun.com) Date: Mon, 11 Jan 2010 21:58:05 +0000 Subject: [security-dev 01505]: hg: jdk7/tl/jdk: 6915313: Reorganize implementation to make it more feasible to port to JDK6 Message-ID: <20100111215849.1D5CA42D47@hg.openjdk.java.net> Changeset: fc5578368a0c Author: chegar Date: 2010-01-11 16:04 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/fc5578368a0c 6915313: Reorganize implementation to make it more feasible to port to JDK6 Summary: This makes the SCTP implementation easier to run with Suns JDK6. Reviewed-by: alanb ! make/com/sun/nio/sctp/FILES_java.gmk ! make/com/sun/nio/sctp/mapfile-vers ! src/solaris/classes/sun/nio/ch/SctpChannelImpl.java ! src/solaris/classes/sun/nio/ch/SctpMultiChannelImpl.java ! src/solaris/classes/sun/nio/ch/SctpNet.java ! src/solaris/classes/sun/nio/ch/SctpServerChannelImpl.java - src/solaris/classes/sun/nio/ch/SctpSocketDispatcher.java ! src/solaris/native/sun/nio/ch/SctpNet.c From jonathan.gibbons at sun.com Mon Jan 11 14:06:33 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Mon, 11 Jan 2010 22:06:33 +0000 Subject: [security-dev 01506]: hg: jdk7/tl/langtools: 6326754: Compiler will fail to handle -Xmaxerrs with -ve numbers Message-ID: <20100111220639.EFF4242D4A@hg.openjdk.java.net> Changeset: d02e99d31cc0 Author: jjg Date: 2010-01-11 14:05 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/d02e99d31cc0 6326754: Compiler will fail to handle -Xmaxerrs with -ve numbers Reviewed-by: ksrini ! src/share/classes/com/sun/tools/javac/util/Log.java + test/tools/javac/T6326754.java + test/tools/javac/T6326754.out From jonathan.gibbons at sun.com Mon Jan 11 14:10:03 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Mon, 11 Jan 2010 22:10:03 +0000 Subject: [security-dev 01507]: hg: jdk7/tl/langtools: 6764569: [PATCH] Fix unused imports in list resource bundles Message-ID: <20100111221005.0BD0242D4B@hg.openjdk.java.net> Changeset: f983c1dca202 Author: jjg Date: 2010-01-11 14:09 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/f983c1dca202 6764569: [PATCH] Fix unused imports in list resource bundles Reviewed-by: ksrini Contributed-by: jesse.glick at sun.com ! make/tools/CompileProperties/CompileProperties.java ! make/tools/CompileProperties/CompilePropertiesTask.java From jonathan.gibbons at sun.com Mon Jan 11 14:13:01 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Mon, 11 Jan 2010 22:13:01 +0000 Subject: [security-dev 01508]: hg: jdk7/tl/langtools: 6915476: java.util.regex.PatternSyntaxException in com.sun.tools.javac.nio.PathFileObject Message-ID: <20100111221303.9844A42D4D@hg.openjdk.java.net> Changeset: ca6bc36b2305 Author: jjg Date: 2010-01-11 14:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/ca6bc36b2305 6915476: java.util.regex.PatternSyntaxException in com.sun.tools.javac.nio.PathFileObject Reviewed-by: darcy ! src/share/classes/com/sun/tools/javac/nio/PathFileObject.java ! test/tools/javac/nio/compileTest/CompileTest.java From jonathan.gibbons at sun.com Mon Jan 11 14:17:48 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Mon, 11 Jan 2010 22:17:48 +0000 Subject: [security-dev 01509]: hg: jdk7/tl/langtools: 6915497: test test/tools/javac/nio/compileTest/CompileTest.java fails under Hudson Message-ID: <20100111221750.C51BC42D51@hg.openjdk.java.net> Changeset: 14a4c45ef734 Author: jjg Date: 2010-01-11 14:17 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/14a4c45ef734 6915497: test test/tools/javac/nio/compileTest/CompileTest.java fails under Hudson Reviewed-by: darcy ! test/tools/javac/nio/compileTest/CompileTest.java From joe.darcy at sun.com Mon Jan 11 15:35:39 2010 From: joe.darcy at sun.com (joe.darcy at sun.com) Date: Mon, 11 Jan 2010 23:35:39 +0000 Subject: [security-dev 01510]: hg: jdk7/tl/jdk: 6828204: NavigableSet.subSet() documentation refers to nonexistent parameters Message-ID: <20100111233552.6326F42D66@hg.openjdk.java.net> Changeset: 9d38ab65acff Author: darcy Date: 2010-01-11 15:35 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/9d38ab65acff 6828204: NavigableSet.subSet() documentation refers to nonexistent parameters Reviewed-by: martin ! src/share/classes/java/util/NavigableMap.java ! src/share/classes/java/util/NavigableSet.java From jonathan.gibbons at sun.com Mon Jan 11 16:19:13 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Tue, 12 Jan 2010 00:19:13 +0000 Subject: [security-dev 01511]: hg: jdk7/tl/langtools: 6909470: langtools stub generator should prune unnecessary imports Message-ID: <20100112001918.DB02F42D73@hg.openjdk.java.net> Changeset: 51011e02c02f Author: jjg Date: 2010-01-11 16:18 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/51011e02c02f 6909470: langtools stub generator should prune unnecessary imports Reviewed-by: darcy ! make/tools/GenStubs/GenStubs.java From mandy.chung at sun.com Tue Jan 12 15:22:06 2010 From: mandy.chung at sun.com (mandy.chung at sun.com) Date: Tue, 12 Jan 2010 23:22:06 +0000 Subject: [security-dev 01512]: hg: jdk7/tl/jdk: 6915502: Legal notice repairs needed in jdk/make/modules/tools Message-ID: <20100112232245.3E02342EE5@hg.openjdk.java.net> Changeset: ba74184a952c Author: mchung Date: 2010-01-12 15:19 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/ba74184a952c 6915502: Legal notice repairs needed in jdk/make/modules/tools Summary: Fix the legal notice in jdk/make/modules/tools Reviewed-by: tbell ! make/modules/tools/build.xml ! make/modules/tools/nbproject/project.properties ! make/modules/tools/nbproject/project.xml From jonathan.gibbons at sun.com Wed Jan 13 17:40:51 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Thu, 14 Jan 2010 01:40:51 +0000 Subject: [security-dev 01513]: hg: jdk7/tl/langtools: 6472751: SourcePositions.getStartPos returns incorrect value for enum constants; ... Message-ID: <20100114014056.3BB944142C@hg.openjdk.java.net> Changeset: ccd51af119b4 Author: jjg Date: 2010-01-13 17:39 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/ccd51af119b4 6472751: SourcePositions.getStartPos returns incorrect value for enum constants 6567414: javac compiler reports no source file or line on enum constant declaration error Reviewed-by: darcy ! src/share/classes/com/sun/tools/javac/parser/JavacParser.java + test/tools/javac/T6472751.java + test/tools/javac/T6567414.java + test/tools/javac/T6567414.out From jonathan.gibbons at sun.com Thu Jan 14 17:20:04 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Fri, 15 Jan 2010 01:20:04 +0000 Subject: [security-dev 01514]: hg: jdk7/tl/langtools: 6917122: provide utility method to find the inner most type of a type tree Message-ID: <20100115012007.9287B415EE@hg.openjdk.java.net> Changeset: b96ad32c004a Author: jjg Date: 2010-01-14 17:18 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/b96ad32c004a 6917122: provide utility method to find the inner most type of a type tree Reviewed-by: darcy, jjg Contributed-by: mali at csail.mit.edu, mernst at cs.washington.edu ! src/share/classes/com/sun/tools/javac/tree/Pretty.java ! src/share/classes/com/sun/tools/javac/tree/TreeInfo.java From jonathan.gibbons at sun.com Thu Jan 14 17:24:41 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Fri, 15 Jan 2010 01:24:41 +0000 Subject: [security-dev 01515]: hg: jdk7/tl/langtools: 6916986: handle spaces in langtools launcher path Message-ID: <20100115012443.CFF61415F0@hg.openjdk.java.net> Changeset: 2d0f4e7b44b2 Author: jjg Date: 2010-01-14 17:23 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/2d0f4e7b44b2 6916986: handle spaces in langtools launcher path Reviewed-by: darcy, jjg Contributed-by: mali at csail.mit.edu, mernst at cs.washington.edu ! src/share/bin/launcher.sh-template From joe.darcy at sun.com Thu Jan 14 20:05:52 2010 From: joe.darcy at sun.com (joe.darcy at sun.com) Date: Fri, 15 Jan 2010 04:05:52 +0000 Subject: [security-dev 01516]: hg: jdk7/tl/jdk: 6908218: java.lang.Deprecated should have explicit @Target meta-annotation. Message-ID: <20100115040610.BB6484162B@hg.openjdk.java.net> Changeset: fa0cb25202d8 Author: darcy Date: 2010-01-14 20:05 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/fa0cb25202d8 6908218: java.lang.Deprecated should have explicit @Target meta-annotation. Reviewed-by: mernst ! src/share/classes/java/lang/Deprecated.java ! src/share/classes/java/lang/SuppressWarnings.java From sean.mullan at sun.com Fri Jan 15 07:05:56 2010 From: sean.mullan at sun.com (sean.mullan at sun.com) Date: Fri, 15 Jan 2010 15:05:56 +0000 Subject: [security-dev 01517]: hg: jdk7/tl/jdk: 2 new changesets Message-ID: <20100115150635.0A79041705@hg.openjdk.java.net> Changeset: 51d62db10c93 Author: mullan Date: 2010-01-15 09:48 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/51d62db10c93 6915939: Exception should be thrown if OCSP SingleResponses contain unresolved critical extensions Reviewed-by: xuelei ! src/share/classes/sun/security/provider/certpath/OCSPResponse.java Changeset: 074f79397dda Author: mullan Date: 2010-01-15 09:58 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/074f79397dda Merge From christopher.hegarty at sun.com Fri Jan 15 08:31:49 2010 From: christopher.hegarty at sun.com (christopher.hegarty at sun.com) Date: Fri, 15 Jan 2010 16:31:49 +0000 Subject: [security-dev 01518]: hg: jdk7/tl/jdk: 6916922: (sctp) SO_RCVBUF & SO_SNDBUF returns twice the value set Message-ID: <20100115163208.4D1864171E@hg.openjdk.java.net> Changeset: b019cdae32dd Author: chegar Date: 2010-01-15 16:31 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/b019cdae32dd 6916922: (sctp) SO_RCVBUF & SO_SNDBUF returns twice the value set Reviewed-by: alanb ! src/solaris/native/sun/nio/ch/SctpNet.c ! test/com/sun/nio/sctp/SctpChannel/SocketOptionTests.java From lana.steuck at sun.com Fri Jan 15 16:34:02 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Sat, 16 Jan 2010 00:34:02 +0000 Subject: [security-dev 01519]: hg: jdk7/tl: Added tag jdk7-b79 for changeset 20aeeb517139 Message-ID: <20100116003403.09BDC417AB@hg.openjdk.java.net> Changeset: b1952d19290d Author: katleman Date: 2010-01-14 15:48 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/rev/b1952d19290d Added tag jdk7-b79 for changeset 20aeeb517139 ! .hgtags From lana.steuck at sun.com Fri Jan 15 16:34:09 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Sat, 16 Jan 2010 00:34:09 +0000 Subject: [security-dev 01520]: hg: jdk7/tl/corba: Added tag jdk7-b79 for changeset ec0421b5703b Message-ID: <20100116003410.5CF59417AC@hg.openjdk.java.net> Changeset: fdbc85b2d15c Author: katleman Date: 2010-01-14 15:48 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/corba/rev/fdbc85b2d15c Added tag jdk7-b79 for changeset ec0421b5703b ! .hgtags From lana.steuck at sun.com Fri Jan 15 16:36:20 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Sat, 16 Jan 2010 00:36:20 +0000 Subject: [security-dev 01521]: hg: jdk7/tl/hotspot: 74 new changesets Message-ID: <20100116004010.99A7F417B0@hg.openjdk.java.net> Changeset: f334aec453a1 Author: kvn Date: 2009-10-29 16:57 -0700 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/f334aec453a1 6896084: VM does not reserve protected page below heap for compressed oops implicit null checks Summary: Set narrow_oop_base and narrow_oop_use_implicit_null_checks in Universe::preferred_heap_base(). Reviewed-by: twisti, jcoomes ! src/share/vm/memory/universe.cpp Changeset: 73a726751507 Author: cfang Date: 2009-10-30 10:12 -0700 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/73a726751507 6852078: HSX 14/16 in jdk 5.0: api/javax_management api/org_omg jck tests crashes or make tnameserv crash Summary: Disable SuperWord optimization for unsafe read/write Reviewed-by: kvn, phh ! src/share/vm/opto/superword.cpp + test/compiler/6852078/Test6852078.java Changeset: 389049f3f393 Author: jrose Date: 2009-10-30 16:22 -0700 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/389049f3f393 6858164: invokedynamic code needs some cleanup (post-6655638) Summary: Fix several crashers, remove needless paths for boxed-style bootstrap method call, refactor & simplify APIs for rewriter constantPoolOop, remove sun.dyn.CallSiteImpl Reviewed-by: kvn ! src/cpu/sparc/vm/templateInterpreter_sparc.cpp ! src/cpu/x86/vm/templateInterpreter_x86_32.cpp ! src/cpu/x86/vm/templateInterpreter_x86_64.cpp ! src/cpu/x86/vm/templateTable_x86_32.cpp ! src/share/vm/ci/ciEnv.cpp ! src/share/vm/classfile/javaClasses.cpp ! src/share/vm/classfile/javaClasses.hpp ! src/share/vm/classfile/systemDictionary.cpp ! src/share/vm/classfile/systemDictionary.hpp ! src/share/vm/classfile/verifier.cpp ! src/share/vm/classfile/vmSymbols.hpp ! src/share/vm/includeDB_core ! src/share/vm/interpreter/bytecodeTracer.cpp ! src/share/vm/interpreter/interpreter.cpp ! src/share/vm/interpreter/interpreterRuntime.cpp ! src/share/vm/interpreter/interpreterRuntime.hpp ! src/share/vm/interpreter/linkResolver.cpp ! src/share/vm/interpreter/rewriter.cpp ! src/share/vm/interpreter/rewriter.hpp ! src/share/vm/interpreter/templateInterpreter.cpp ! src/share/vm/interpreter/templateInterpreter.hpp ! src/share/vm/interpreter/templateInterpreterGenerator.hpp ! src/share/vm/oops/constantPoolOop.cpp ! src/share/vm/oops/constantPoolOop.hpp ! src/share/vm/oops/cpCacheOop.cpp ! src/share/vm/oops/cpCacheOop.hpp ! src/share/vm/oops/generateOopMap.cpp ! src/share/vm/oops/instanceKlassKlass.cpp ! src/share/vm/prims/jvm.cpp ! src/share/vm/prims/methodHandles.cpp Changeset: 323bd24c6520 Author: roland Date: 2009-11-02 11:17 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/323bd24c6520 6769124: various 64-bit fixes for c1 Reviewed-by: never ! src/cpu/sparc/vm/c1_LIRAssembler_sparc.cpp ! src/cpu/sparc/vm/c1_LIRGenerator_sparc.cpp ! src/cpu/x86/vm/assembler_x86.cpp ! src/cpu/x86/vm/assembler_x86.hpp ! src/cpu/x86/vm/c1_LIRAssembler_x86.cpp ! src/cpu/x86/vm/c1_LIRGenerator_x86.cpp ! src/cpu/x86/vm/vm_version_x86.cpp ! src/share/vm/c1/c1_GraphBuilder.cpp ! src/share/vm/c1/c1_LIRGenerator.cpp ! src/share/vm/c1/c1_LinearScan.cpp ! src/share/vm/runtime/arguments.cpp + test/compiler/6769124/TestArrayCopy6769124.java + test/compiler/6769124/TestDeoptInt6769124.java + test/compiler/6769124/TestUnalignedLoad6769124.java Changeset: 09572fede9d1 Author: kvn Date: 2009-11-04 14:16 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/09572fede9d1 6896370: CTW fails share/vm/opto/matcher.cpp:1475 "duplicating node that's already been matched" Summary: Move DecodeN code outside the memory nodes only code. Reviewed-by: never ! src/share/vm/opto/matcher.cpp Changeset: dcdcc8c16e20 Author: kvn Date: 2009-11-04 14:43 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/dcdcc8c16e20 6896352: CTW fails hotspot/src/share/vm/opto/escape.cpp:1155 Summary: Always call C->get_alias_index(phase->type(address)) during parsing. Reviewed-by: never ! src/share/vm/opto/escape.cpp ! src/share/vm/opto/memnode.cpp Changeset: 2f1ec89b9995 Author: cfang Date: 2009-11-10 17:00 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/2f1ec89b9995 Merge ! src/cpu/x86/vm/assembler_x86.cpp ! src/cpu/x86/vm/assembler_x86.hpp Changeset: 473cce303f13 Author: phh Date: 2009-10-28 16:25 -0400 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/473cce303f13 6887571: Increase default heap config sizes Summary: Apply modification of existing server heap size ergo to all collectors except CMS. Reviewed-by: jmasa, ysr, xlu ! src/cpu/sparc/vm/c1_globals_sparc.hpp ! src/cpu/sparc/vm/c2_globals_sparc.hpp ! src/cpu/sparc/vm/globals_sparc.hpp ! src/cpu/x86/vm/c1_globals_x86.hpp ! src/cpu/x86/vm/c2_globals_x86.hpp ! src/cpu/x86/vm/globals_x86.hpp ! src/cpu/zero/vm/globals_zero.hpp ! src/os_cpu/linux_x86/vm/globals_linux_x86.hpp ! src/os_cpu/solaris_x86/vm/globals_solaris_x86.hpp ! src/os_cpu/windows_x86/vm/globals_windows_x86.hpp ! src/share/vm/gc_implementation/parallelScavenge/psGCAdaptivePolicyCounters.cpp ! src/share/vm/memory/collectorPolicy.cpp ! src/share/vm/runtime/arguments.cpp ! src/share/vm/runtime/arguments.hpp ! src/share/vm/runtime/globals.cpp ! src/share/vm/runtime/globals.hpp ! src/share/vm/runtime/globals_extension.hpp ! src/share/vm/services/management.cpp Changeset: c4ecde2f6b3c Author: xlu Date: 2009-10-30 17:24 -0700 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/c4ecde2f6b3c Merge Changeset: 97b36138b494 Author: kamg Date: 2009-11-06 15:04 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/97b36138b494 Merge Changeset: ba7ea42fc66e Author: phh Date: 2009-11-04 16:49 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/ba7ea42fc66e 6898160: Need serviceability support for new vm argument type 'uint64_t' Summary: Add serviceability support for uint64_t. Flags of unknown type assert in debug builds and are ignored in product builds. Reviewed-by: never, xlu, mchung, dcubed ! src/share/vm/runtime/globals.cpp ! src/share/vm/services/attachListener.cpp ! src/share/vm/services/management.cpp Changeset: db0d21039f34 Author: kamg Date: 2009-11-06 16:05 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/db0d21039f34 Merge Changeset: fb4c00faa9da Author: kamg Date: 2009-11-11 09:13 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/fb4c00faa9da Merge ! src/share/vm/runtime/arguments.cpp Changeset: 87b2fdd4bf98 Author: never Date: 2009-11-11 23:39 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/87b2fdd4bf98 6892079: live value must not be garbage failure after fix for 6854812 Reviewed-by: kvn ! src/share/vm/opto/parse1.cpp Changeset: b18963243361 Author: twisti Date: 2009-11-19 03:41 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/b18963243361 6902000: use ShouldNotReachHere() for btos/ctos/stos in TemplateInterpreterGenerator::set_short_entry_points Summary: set_entry_point is only ever used with the tos states of bytecode templates in templateTable.cpp and none of those use the subword tos states like btos, ctos and stos. Reviewed-by: kvn ! src/share/vm/interpreter/templateInterpreter.cpp Changeset: 7ef1d2e14917 Author: kvn Date: 2009-11-19 14:32 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/7ef1d2e14917 6902036: WorldWind asserts on escape.cpp:1153: assert(addr->is_AddP(),"AddP required") Summary: Remove the assert. Reviewed-by: twisti ! src/share/vm/opto/escape.cpp Changeset: de44705e6b33 Author: cfang Date: 2009-11-24 11:49 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/de44705e6b33 Merge Changeset: 84cb6f20afb3 Author: phh Date: 2009-11-20 16:22 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/84cb6f20afb3 6900899: vm fails to start when -Xmx value is less than OldSize + NewSize Summary: Set minimum heap size to min(OldSize + NewSize, MaxHeapSize) in Arguments::set_heap_size(). Reviewed-by: kvn, ysr, tonyp ! src/share/vm/runtime/arguments.cpp Changeset: a75edfd400ea Author: acorn Date: 2009-11-11 15:49 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/a75edfd400ea 6893504: LinkageError for bootstrap duplicate class definitions. Reviewed-by: kamg, xlu ! src/share/vm/classfile/systemDictionary.cpp ! src/share/vm/classfile/systemDictionary.hpp Changeset: 1920bd911283 Author: acorn Date: 2009-11-23 16:24 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/1920bd911283 Merge ! src/share/vm/classfile/systemDictionary.cpp ! src/share/vm/classfile/systemDictionary.hpp Changeset: e1fb452ad949 Author: kamg Date: 2009-11-25 09:03 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/e1fb452ad949 Merge Changeset: 8e7adf982378 Author: twisti Date: 2009-11-27 07:56 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/8e7adf982378 6896043: first round of zero fixes Reviewed-by: kvn Contributed-by: Gary Benson ! src/cpu/zero/vm/cppInterpreter_zero.cpp ! src/cpu/zero/vm/frame_zero.cpp ! src/cpu/zero/vm/frame_zero.hpp ! src/cpu/zero/vm/globals_zero.hpp ! src/cpu/zero/vm/sharedRuntime_zero.cpp ! src/cpu/zero/vm/sharkFrame_zero.hpp ! src/share/vm/interpreter/bytecodeInterpreter.cpp ! src/share/vm/prims/jni.cpp ! src/share/vm/prims/jvmtiManageCapabilities.cpp ! src/share/vm/runtime/os.hpp Changeset: 6400f475effe Author: iveresov Date: 2009-12-01 14:49 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/6400f475effe Merge Changeset: 7c57aead6d3e Author: never Date: 2009-11-12 09:24 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/7c57aead6d3e 6892658: C2 should optimize some stringbuilder patterns Reviewed-by: kvn, twisti ! src/share/vm/ci/ciEnv.cpp ! src/share/vm/ci/ciEnv.hpp ! src/share/vm/ci/ciInstanceKlass.cpp ! src/share/vm/ci/ciInstanceKlass.hpp ! src/share/vm/ci/ciObjectFactory.cpp ! src/share/vm/classfile/systemDictionary.hpp ! src/share/vm/classfile/vmSymbols.cpp ! src/share/vm/classfile/vmSymbols.hpp ! src/share/vm/includeDB_compiler2 ! src/share/vm/includeDB_core ! src/share/vm/memory/universe.cpp ! src/share/vm/memory/universe.hpp ! src/share/vm/opto/c2_globals.cpp ! src/share/vm/opto/c2_globals.hpp ! src/share/vm/opto/callGenerator.cpp ! src/share/vm/opto/callGenerator.hpp ! src/share/vm/opto/callnode.cpp ! src/share/vm/opto/callnode.hpp ! src/share/vm/opto/compile.cpp ! src/share/vm/opto/compile.hpp ! src/share/vm/opto/doCall.cpp ! src/share/vm/opto/graphKit.cpp ! src/share/vm/opto/graphKit.hpp ! src/share/vm/opto/macro.cpp ! src/share/vm/opto/memnode.cpp ! src/share/vm/opto/node.hpp ! src/share/vm/opto/parseHelper.cpp ! src/share/vm/opto/phase.hpp ! src/share/vm/opto/phaseX.hpp + src/share/vm/opto/stringopts.cpp + src/share/vm/opto/stringopts.hpp ! src/share/vm/opto/type.hpp ! src/share/vm/runtime/globals.cpp ! src/share/vm/runtime/globals_extension.hpp ! src/share/vm/utilities/growableArray.hpp Changeset: bd12fff78df5 Author: cfang Date: 2009-11-25 12:09 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/bd12fff78df5 6904191: OptimizeStringConcat should be product instead of experimental Summary: Make OptimizeStringConcat a product VM option(contributed by never) Reviewed-by: never ! src/share/vm/opto/c2_globals.hpp Changeset: facbc74580c3 Author: iveresov Date: 2009-12-01 22:11 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/facbc74580c3 Merge ! src/share/vm/classfile/systemDictionary.hpp Changeset: 8b22f86d1740 Author: cfang Date: 2009-12-02 13:29 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/8b22f86d1740 6901572: JVM 1.6.16 crash on loops: assert(has_node(i),"") Summary: Skip the secondary induction variable handling if it is dead Reviewed-by: never, kvn ! src/share/vm/opto/loopnode.cpp + test/compiler/6901572/Test.java Changeset: 5f932a151fd4 Author: johnc Date: 2009-11-06 11:10 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/5f932a151fd4 6895788: G1: SATB and update buffer allocation code allocates too much space Summary: The type in the NEW_C_HEAP_ARRRY and FREE_C_HEAP_ARRAY calls in the buffer allocation code was changed from void* to char as the size argument had already been mulitipled by the byte size of an object pointer. Reviewed-by: ysr, tonyp ! src/share/vm/gc_implementation/g1/ptrQueue.cpp Changeset: 0e2d7ae2bc67 Author: jmasa Date: 2009-11-10 11:32 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/0e2d7ae2bc67 6898857: [Regression] -XX:NewRatio with -XX:+UseConcMarkSweepGC causes fatal error Summary: Use CollectorPolicy information instead of MaxNewSize Reviewed-by: ysr, jcoomes ! src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp Changeset: 89f1b9ae8991 Author: ysr Date: 2009-11-13 11:55 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/89f1b9ae8991 6898948: G1: forensic instrumentation for out-of-bounds recent_avg_pause_time_ratio() Summary: Added instrumentation and (temporary) assert in non-product mode; clipped the value when found out-of-bounds in product mode. Fix of original issue will follow collection of data from this instrumentation. Reviewed-by: jcoomes, tonyp ! src/share/vm/gc_implementation/g1/g1CollectorPolicy.cpp ! src/share/vm/utilities/numberSeq.cpp ! src/share/vm/utilities/numberSeq.hpp Changeset: 23b9a8d315fc Author: ysr Date: 2009-11-19 10:19 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/23b9a8d315fc 6902701: G1: protect debugging code related to 6898948 with a debug flag Summary: Protected stats dump with a new develop flag; other than for the dump, reconciled product and non-product behaviour in face of the error. Reviewed-by: tonyp ! src/share/vm/gc_implementation/g1/g1CollectorPolicy.cpp ! src/share/vm/gc_implementation/g1/g1_globals.hpp Changeset: 3fc996d4edd2 Author: ysr Date: 2009-11-19 13:43 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/3fc996d4edd2 6902303: G1: ScavengeALot should cause an incremental, rather than a full, collection Summary: ScavengeALot now causes an incremental (but possibly partially young, in the G1 sense) collection. Some such collections may be abandoned on account of MMU specs. Band-aided a native leak associated with abandoned pauses, as well as an MMU tracker overflow related to frequent scavenge events in the face of a large MMU denominator interval; the latter is protected by a product flag that defaults to false. Reviewed-by: tonyp ! src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp ! src/share/vm/gc_implementation/g1/g1CollectorPolicy.cpp ! src/share/vm/gc_implementation/g1/g1MMUTracker.cpp ! src/share/vm/gc_implementation/g1/g1MMUTracker.hpp ! src/share/vm/gc_implementation/g1/g1_globals.hpp ! src/share/vm/gc_implementation/g1/vm_operations_g1.cpp ! src/share/vm/gc_implementation/g1/vm_operations_g1.hpp ! src/share/vm/memory/sharedHeap.hpp Changeset: db0d5eba9d20 Author: tonyp Date: 2009-11-20 14:47 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/db0d5eba9d20 6815790: G1: Missing MemoryPoolMXBeans with -XX:+UseG1GC Summary: It introduces the necessary memory pools for G1. Reviewed-by: mchung, ysr ! src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp ! src/share/vm/gc_implementation/includeDB_gc_g1 + src/share/vm/services/g1MemoryPool.cpp + src/share/vm/services/g1MemoryPool.hpp ! src/share/vm/services/memoryManager.cpp ! src/share/vm/services/memoryManager.hpp ! src/share/vm/services/memoryService.cpp ! src/share/vm/services/memoryService.hpp Changeset: fa357420e7d2 Author: johnc Date: 2009-11-24 15:19 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/fa357420e7d2 6899058: G1: Internal error in ptrQueue.cpp:201 in nightly tests Summary: Fixes a race on the dirty card queue completed buffer list between worker thread(s) performing a flush of a deferred store barrier (enqueueing a newly completed buffer) and worker thread(s) in the RSet updating code claiming completed buffers. Removed the routine that removes elements from the completed update buffer queue using a CAS. Reviewed-by: ysr, tonyp ! src/share/vm/gc_implementation/g1/dirtyCardQueue.cpp ! src/share/vm/gc_implementation/g1/dirtyCardQueue.hpp Changeset: 6aa7255741f3 Author: ysr Date: 2009-12-03 15:01 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/6aa7255741f3 6906727: UseCompressedOops: some card-marking fixes related to object arrays Summary: Introduced a new write_ref_array(HeapWords* start, size_t count) method that does the requisite MemRegion range calculation so (some of the) clients of the erstwhile write_ref_array(MemRegion mr) do not need to worry. This removed all external uses of array_size(), which was also simplified and made private. Asserts were added to catch other possible issues. Further, less essential, fixes stemming from this investigation are deferred to CR 6904516 (to follow shortly in hs17). Reviewed-by: kvn, coleenp, jmasa ! src/share/vm/classfile/javaClasses.cpp ! src/share/vm/includeDB_core ! src/share/vm/memory/barrierSet.cpp ! src/share/vm/memory/barrierSet.hpp ! src/share/vm/memory/barrierSet.inline.hpp ! src/share/vm/memory/cardTableModRefBS.cpp ! src/share/vm/oops/objArrayKlass.cpp ! src/share/vm/oops/objArrayOop.hpp Changeset: ed52bcc32739 Author: tonyp Date: 2009-12-04 07:44 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/ed52bcc32739 6880903: G1: G1 reports incorrect Runtime.maxMemory() Summary: G1 reports committed memory instead of reserved memory from the Runtime.maxMemory() method Reviewed-by: ysr, jmasa ! src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp ! src/share/vm/gc_implementation/g1/g1CollectedHeap.hpp ! src/share/vm/services/g1MemoryPool.cpp ! src/share/vm/services/g1MemoryPool.hpp Changeset: afc30fccf324 Author: tonyp Date: 2009-12-04 07:44 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/afc30fccf324 6906565: G1: deal with compilation warning in g1MemoryPool.hpp Summary: size_t max_size() hides size_t max_size() const. Reviewed-by: jmasa, ysr ! src/share/vm/services/g1MemoryPool.cpp ! src/share/vm/services/g1MemoryPool.hpp Changeset: 9118860519b6 Author: tonyp Date: 2009-12-07 14:22 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/9118860519b6 6904967: G1: some CollectionUsageThreshold tests fail Summary: ensure that max and committed are non-zero (currently: at least as large as the region size). Reviewed-by: iveresov, mchung ! src/share/vm/services/g1MemoryPool.cpp Changeset: 7bfd295ec074 Author: ysr Date: 2009-12-08 15:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/7bfd295ec074 6908208: UseCompressedOops: array_size() returns incorrect size for MAX_INT object array following 6906727 Summary: In array_size() cast to an unsigned to avoid overflow of intermediate value. Reviewed-by: kvn, tonyp, jmasa, jcoomes, coleenp ! src/share/vm/oops/objArrayOop.hpp Changeset: 84a2da7f454c Author: jmasa Date: 2009-12-11 08:39 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/84a2da7f454c Merge ! src/share/vm/classfile/javaClasses.cpp ! src/share/vm/includeDB_core Changeset: 74e00f62c726 Author: trims Date: 2009-12-11 16:38 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/74e00f62c726 Merge Changeset: 61b46f7853d4 Author: trims Date: 2009-12-22 16:32 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/61b46f7853d4 Merge Changeset: c5d3d979ae27 Author: never Date: 2009-12-08 16:27 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/c5d3d979ae27 6908167: jbb2005, OptimizeStringConcat causes assert in EA Reviewed-by: kvn ! src/share/vm/opto/graphKit.cpp Changeset: f96a1a986f7b Author: kvn Date: 2009-12-09 16:40 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/f96a1a986f7b 6895383: JCK test throws NPE for method compiled with Escape Analysis Summary: Add missing checks for MemBar nodes in EA. Reviewed-by: never ! src/share/vm/opto/compile.cpp ! src/share/vm/opto/escape.cpp ! src/share/vm/opto/escape.hpp ! src/share/vm/opto/lcm.cpp ! src/share/vm/opto/macro.cpp ! src/share/vm/opto/memnode.cpp ! src/share/vm/opto/memnode.hpp ! src/share/vm/opto/node.hpp ! src/share/vm/opto/parse3.cpp + test/compiler/6895383/Test.java Changeset: 7fee0a6cc6d4 Author: kvn Date: 2009-12-09 19:50 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/7fee0a6cc6d4 6896727: nsk/logging/LoggingPermission/LoggingPermission/logperm002 fails with G1, EscapeAnalisys Summary: Move instance store's memory users to corresponding memory slices when updating its memory edge. Reviewed-by: never ! src/share/vm/opto/escape.cpp ! src/share/vm/opto/escape.hpp + test/compiler/6896727/Test.java Changeset: 6dc5471e0f66 Author: iveresov Date: 2009-12-15 17:19 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/6dc5471e0f66 Merge Changeset: 9dc2adf2cbe0 Author: johnc Date: 2009-12-09 23:51 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/9dc2adf2cbe0 6908215: G1: SEGV with G1PolicyVerbose=2 debug flag Summary: Change CollectionSetChooser::printSortedHeapRegions to handle null entries in _markedRegions growable array. Reviewed-by: jmasa, tonyp, iveresov ! src/share/vm/gc_implementation/g1/collectionSetChooser.cpp Changeset: 27f9477e879b Author: jmasa Date: 2009-12-11 09:30 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/27f9477e879b Merge Changeset: cf9a9a50e763 Author: jmasa Date: 2009-12-17 07:02 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/cf9a9a50e763 Merge Changeset: 22e4972db0a6 Author: trims Date: 2009-12-22 16:33 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/22e4972db0a6 Merge Changeset: 920875ae1277 Author: trims Date: 2009-12-22 16:35 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/920875ae1277 6912782: Bump the HS17 build number to 06 Summary: Update the HS17 build number to 06 Reviewed-by: jcoomes ! make/hotspot_version Changeset: 85f13cdfbc1d Author: twisti Date: 2009-12-16 12:48 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/85f13cdfbc1d 6829192: JSR 292 needs to support 64-bit x86 Summary: changes for method handles and invokedynamic Reviewed-by: kvn ! src/cpu/x86/vm/assembler_x86.cpp ! src/cpu/x86/vm/interp_masm_x86_32.cpp ! src/cpu/x86/vm/interp_masm_x86_64.cpp ! src/cpu/x86/vm/interp_masm_x86_64.hpp ! src/cpu/x86/vm/interpreter_x86_64.cpp ! src/cpu/x86/vm/methodHandles_x86.cpp ! src/cpu/x86/vm/stubGenerator_x86_64.cpp ! src/cpu/x86/vm/templateInterpreter_x86_64.cpp ! src/cpu/x86/vm/templateTable_x86_32.cpp ! src/cpu/x86/vm/templateTable_x86_64.cpp ! src/cpu/x86/vm/templateTable_x86_64.hpp ! src/share/vm/classfile/classFileParser.cpp Changeset: 032260830071 Author: never Date: 2009-12-16 22:15 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/032260830071 5057818: codecache full and compiler disabled in bigapps fastdebug run Reviewed-by: kvn ! src/share/vm/code/nmethod.cpp ! src/share/vm/code/nmethod.hpp Changeset: 1ea456c6f2b7 Author: iveresov Date: 2009-12-22 17:56 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/1ea456c6f2b7 Merge Changeset: 44f61c24ddab Author: iveresov Date: 2009-12-16 15:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/44f61c24ddab 6862387: tune concurrent refinement further Summary: Reworked the concurrent refinement: threads activation, feedback-based threshold adjustment, other miscellaneous fixes. Reviewed-by: apetrusenko, tonyp ! src/share/vm/gc_implementation/g1/concurrentG1Refine.cpp ! src/share/vm/gc_implementation/g1/concurrentG1Refine.hpp ! src/share/vm/gc_implementation/g1/concurrentG1RefineThread.cpp ! src/share/vm/gc_implementation/g1/concurrentG1RefineThread.hpp ! src/share/vm/gc_implementation/g1/concurrentMark.cpp ! src/share/vm/gc_implementation/g1/dirtyCardQueue.cpp ! src/share/vm/gc_implementation/g1/dirtyCardQueue.hpp ! src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp ! src/share/vm/gc_implementation/g1/g1CollectorPolicy.cpp ! src/share/vm/gc_implementation/g1/g1CollectorPolicy.hpp ! src/share/vm/gc_implementation/g1/g1_globals.hpp ! src/share/vm/gc_implementation/g1/ptrQueue.cpp ! src/share/vm/gc_implementation/g1/ptrQueue.hpp ! src/share/vm/gc_implementation/g1/satbQueue.cpp ! src/share/vm/gc_implementation/g1/satbQueue.hpp ! src/share/vm/gc_implementation/includeDB_gc_g1 Changeset: cc0ca4f00e89 Author: jmasa Date: 2009-12-22 22:35 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/cc0ca4f00e89 Merge Changeset: 7ac7d558e895 Author: jmasa Date: 2009-12-23 00:47 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/7ac7d558e895 Merge Changeset: 9749fbc4859b Author: trims Date: 2009-12-23 02:57 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/9749fbc4859b Merge Changeset: 4b966d9946a3 Author: mchung Date: 2009-11-25 08:37 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/4b966d9946a3 6888880: JKernel VM to inject the sun.jkernel.DownloadManager as a boot classloader hook Summary: Call sun.jkernel.DownloadManager.setBootClassLoaderHook during the kernel VM initialization Reviewed-by: alanb, coleenp, acorn ! src/share/vm/classfile/vmSymbols.hpp ! src/share/vm/runtime/thread.cpp Changeset: 0018cf203583 Author: coleenp Date: 2009-12-02 07:59 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/0018cf203583 Merge Changeset: 95e9083cf4a7 Author: dholmes Date: 2009-12-01 22:29 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/95e9083cf4a7 6822370: ReentrantReadWriteLock: threads hung when there are no threads holding onto the lock (Netra x4450) Summary: This day one bug is caused by missing memory barriers in various Parker::park() paths that can result in lost wakeups and hangs. Reviewed-by: dice, acorn ! src/os/linux/vm/os_linux.cpp ! src/os/solaris/vm/os_solaris.cpp Changeset: 3115100553b5 Author: dholmes Date: 2009-12-02 20:32 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/3115100553b5 Merge Changeset: 547f81740344 Author: minqi Date: 2009-12-11 11:09 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/547f81740344 6361589: Print out stack trace for target thread of GC crash Summary: If GC crashed with java thread involved, print out the java stack trace in error report Reviewed-by: never, ysr, coleenp, dholmes ! src/share/vm/runtime/frame.cpp ! src/share/vm/runtime/globals.hpp ! src/share/vm/runtime/thread.cpp ! src/share/vm/runtime/thread.hpp ! src/share/vm/runtime/vmStructs.cpp ! src/share/vm/runtime/vmThread.cpp ! src/share/vm/runtime/vmThread.hpp ! src/share/vm/utilities/vmError.cpp Changeset: 9127aa69352e Author: dcubed Date: 2009-12-14 09:51 -0700 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/9127aa69352e 6648438: 4/4 src/share/vm/prims/jvmtiEnv.cpp:457 assert(phase == JVMTI_PHASE_LIVE,"sanity check") Summary: Return error on invalid JVMTI_PHASE instead of asserting. Reviewed-by: dholmes, ohair ! src/share/vm/prims/jvmtiEnv.cpp Changeset: 98cd9901c161 Author: dcubed Date: 2009-12-14 10:05 -0700 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/98cd9901c161 6849968: 3/2 JVMTI tests fails on jdk5.0 with hs14 Summary: If a JVMTI agent asks for version 1.0, then it should get version 1.0 semantics. Reviewed-by: dholmes, ohair ! src/share/vm/prims/jvmtiEnv.cpp ! src/share/vm/prims/jvmtiEnvBase.cpp ! src/share/vm/prims/jvmtiEnvBase.hpp ! src/share/vm/prims/jvmtiExport.cpp ! src/share/vm/prims/jvmtiExport.hpp ! src/share/vm/prims/jvmtiHpp.xsl Changeset: dcb15a6f342d Author: dcubed Date: 2009-12-14 13:26 -0700 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/dcb15a6f342d Merge ! src/share/vm/prims/jvmtiEnv.cpp ! src/share/vm/prims/jvmtiEnvBase.cpp ! src/share/vm/prims/jvmtiEnvBase.hpp ! src/share/vm/prims/jvmtiExport.cpp Changeset: 167c2986d91b Author: phh Date: 2009-12-16 12:54 -0500 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/167c2986d91b 6843629: Make current hotspot build part of jdk5 control build Summary: Source changes for older compilers plus makefile changes. Reviewed-by: xlu ! make/linux/makefiles/debug.make ! make/linux/makefiles/fastdebug.make ! make/linux/makefiles/jsig.make ! make/linux/makefiles/jvmg.make ! make/linux/makefiles/launcher.make ! make/linux/makefiles/saproc.make ! make/linux/makefiles/vm.make ! make/solaris/makefiles/debug.make ! make/solaris/makefiles/dtrace.make ! make/solaris/makefiles/fastdebug.make ! make/solaris/makefiles/jsig.make ! make/solaris/makefiles/jvmg.make ! make/solaris/makefiles/launcher.make ! make/solaris/makefiles/saproc.make ! make/solaris/makefiles/sparcWorks.make ! make/solaris/makefiles/vm.make ! src/os/linux/vm/os_linux.cpp ! src/os/solaris/dtrace/libjvm_db.c ! src/os/solaris/vm/os_solaris.cpp ! src/os/windows/vm/os_windows.cpp ! src/share/vm/ci/bcEscapeAnalyzer.hpp ! src/share/vm/code/dependencies.cpp ! src/share/vm/code/dependencies.hpp ! src/share/vm/memory/heap.cpp ! src/share/vm/memory/referenceProcessor.cpp ! src/share/vm/oops/instanceRefKlass.cpp ! src/share/vm/oops/oop.hpp ! src/share/vm/runtime/os.hpp Changeset: 2e8bdfdd3ba2 Author: xlu Date: 2009-12-16 13:16 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/2e8bdfdd3ba2 6899467: System property java.class.version out-of-sync with VM for jdk 5.0 with HS 16 in nightly build Reviewed-by: kvn, never, dholmes, ysr ! src/share/vm/classfile/classFileParser.cpp Changeset: d48983315b71 Author: xlu Date: 2009-12-16 13:19 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/d48983315b71 Merge Changeset: 933a3e806ce6 Author: xlu Date: 2009-12-16 14:27 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/933a3e806ce6 6895168: JCK api/signaturetest/sigtest.basic.html#basic test fails for jdk 5.0 with HS 16 in nightly build Reviewed-by: dholmes, acorn, jrose ! src/share/vm/oops/instanceKlass.cpp ! src/share/vm/oops/instanceKlass.hpp ! src/share/vm/prims/jvm.cpp Changeset: ba60f0a5d714 Author: xlu Date: 2009-12-16 15:44 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/ba60f0a5d714 Merge Changeset: 6952ed8677bf Author: xlu Date: 2009-12-17 01:19 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/6952ed8677bf Merge Changeset: a5a6adfca6ec Author: trims Date: 2009-12-23 03:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/a5a6adfca6ec Merge ! src/share/vm/classfile/classFileParser.cpp ! src/share/vm/classfile/vmSymbols.hpp Changeset: 1bc68593a110 Author: katleman Date: 2010-01-14 15:48 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/1bc68593a110 Added tag jdk7-b79 for changeset a5a6adfca6ec ! .hgtags From lana.steuck at sun.com Fri Jan 15 16:42:16 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Sat, 16 Jan 2010 00:42:16 +0000 Subject: [security-dev 01522]: hg: jdk7/tl/jaxp: Added tag jdk7-b79 for changeset b1005c504358 Message-ID: <20100116004216.A2E9B417B2@hg.openjdk.java.net> Changeset: 9219574db593 Author: katleman Date: 2010-01-14 15:48 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jaxp/rev/9219574db593 Added tag jdk7-b79 for changeset b1005c504358 ! .hgtags From lana.steuck at sun.com Fri Jan 15 16:42:22 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Sat, 16 Jan 2010 00:42:22 +0000 Subject: [security-dev 01523]: hg: jdk7/tl/jaxws: Added tag jdk7-b79 for changeset c08894f5b6e5 Message-ID: <20100116004222.80255417B3@hg.openjdk.java.net> Changeset: 447767dee56a Author: katleman Date: 2010-01-14 15:48 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jaxws/rev/447767dee56a Added tag jdk7-b79 for changeset c08894f5b6e5 ! .hgtags From lana.steuck at sun.com Fri Jan 15 16:42:38 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Sat, 16 Jan 2010 00:42:38 +0000 Subject: [security-dev 01524]: hg: jdk7/tl/jdk: 7 new changesets Message-ID: <20100116004451.ACEFC417B4@hg.openjdk.java.net> Changeset: 9c352f7ed4a3 Author: jrose Date: 2009-10-21 23:19 -0700 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/9c352f7ed4a3 6891770: JSR 292 API needs initial unit tests Summary: backport working mlvm regression test to M3 implementation of JSR 292; requires jtreg 4.1 Reviewed-by: twisti + test/java/dyn/MethodHandlesTest.java Changeset: fc3d21b50545 Author: jrose Date: 2010-01-06 16:50 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/fc3d21b50545 Merge Changeset: dbcf6cafa65c Author: jrose Date: 2010-01-07 16:16 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/dbcf6cafa65c 6914665: update jdk code for JSR 292 (post 6858164) Summary: Fill in missing API implementations, fix numerous bugs, adjust APIs towards EG design. Reviewed-by: twisti ! src/share/classes/java/dyn/CallSite.java ! src/share/classes/java/dyn/InvokeDynamic.java ! src/share/classes/java/dyn/InvokeDynamicBootstrapError.java ! src/share/classes/java/dyn/JavaMethodHandle.java ! src/share/classes/java/dyn/Linkage.java ! src/share/classes/java/dyn/LinkagePermission.java ! src/share/classes/java/dyn/MethodHandle.java ! src/share/classes/java/dyn/MethodHandles.java ! src/share/classes/java/dyn/MethodType.java ! src/share/classes/java/dyn/package-info.java ! src/share/classes/sun/dyn/AdapterMethodHandle.java ! src/share/classes/sun/dyn/BoundMethodHandle.java ! src/share/classes/sun/dyn/CallSiteImpl.java ! src/share/classes/sun/dyn/FilterGeneric.java ! src/share/classes/sun/dyn/FilterOneArgument.java ! src/share/classes/sun/dyn/FromGeneric.java ! src/share/classes/sun/dyn/Invokers.java ! src/share/classes/sun/dyn/MemberName.java ! src/share/classes/sun/dyn/MethodHandleImpl.java ! src/share/classes/sun/dyn/MethodHandleNatives.java ! src/share/classes/sun/dyn/MethodTypeImpl.java + src/share/classes/sun/dyn/SpreadGeneric.java ! src/share/classes/sun/dyn/ToGeneric.java ! src/share/classes/sun/dyn/empty/Empty.java + src/share/classes/sun/dyn/util/BytecodeDescriptor.java ! src/share/classes/sun/dyn/util/BytecodeName.java - src/share/classes/sun/dyn/util/BytecodeSignature.java ! src/share/classes/sun/dyn/util/ValueConversions.java ! src/share/classes/sun/dyn/util/VerifyAccess.java ! src/share/classes/sun/dyn/util/VerifyType.java ! src/share/classes/sun/dyn/util/Wrapper.java ! test/java/dyn/MethodHandlesTest.java Changeset: 918920710d65 Author: jcoomes Date: 2010-01-13 15:16 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/918920710d65 Merge - src/share/classes/sun/dyn/util/BytecodeSignature.java Changeset: 756ab2266ffb Author: katleman Date: 2010-01-14 15:48 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/756ab2266ffb Added tag jdk7-b79 for changeset 918920710d65 ! .hgtags Changeset: b428c8f80209 Author: jgodinez Date: 2010-01-15 09:06 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/b428c8f80209 6915906: tests in closed/javax/print/ should not be calling System.exit() Reviewed-by: igor, prr ! test/ProblemList.txt + test/javax/print/DialogMargins.java + test/javax/print/StreamPrintingOrientation.java + test/javax/print/attribute/AttributeTest.java + test/javax/print/attribute/ServiceDialogTest.java ! test/javax/print/attribute/SidesPageRangesTest.java Changeset: 64f7b789aecc Author: lana Date: 2010-01-15 15:36 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/64f7b789aecc Merge - src/share/classes/sun/dyn/util/BytecodeSignature.java From lana.steuck at sun.com Fri Jan 15 16:49:29 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Sat, 16 Jan 2010 00:49:29 +0000 Subject: [security-dev 01525]: hg: jdk7/tl/langtools: 2 new changesets Message-ID: <20100116004934.E6A48417B6@hg.openjdk.java.net> Changeset: f0074aa48d4e Author: katleman Date: 2010-01-14 15:48 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/f0074aa48d4e Added tag jdk7-b79 for changeset ac5b4c5644ce ! .hgtags Changeset: a84062774f0e Author: lana Date: 2010-01-15 15:37 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/a84062774f0e Merge From Weijun.Wang at Sun.COM Fri Jan 15 21:07:19 2010 From: Weijun.Wang at Sun.COM (Max (Weijun) Wang) Date: Sat, 16 Jan 2010 13:07:19 +0800 Subject: [security-dev 01526]: Re: RFC: keytab automatic refresh in Java In-Reply-To: <2a4a34ad1001130708l7e04b1edk19a20ed7f3e94ade@mail.gmail.com> References: <2a4a34ad1001130708l7e04b1edk19a20ed7f3e94ade@mail.gmail.com> Message-ID: <4BA5B2CF-549B-45B6-8FCB-7D752EB57BCD@Sun.COM> Hi Security-dev Here is the draft of the new proposal: 6894072: always refresh keytab State: draft Problem: Currently JAAS's Krb5LoginModule reads the content of a keytab file at the commit time and never touches it again. This means during the whole lifetime of the Kerberos service, there is no chance to renew or revoke keys for it. The only way to let it read the keytab again is to restart the JAAS login/commit process. Also, this means keys must be created before the JAAS login. The reason is that we now store KerberosKey objects as private credentials in the JAAS Subject. MIT and Solaris Kerberos re-reads the keytab whenever it needs to use a key from it. Solution: When keytab is used, instead of KerberosKey objects, we store a KeyTab object into the private credentials set of the JAAS Subject. There is still a getKeys() method for the new KeyTab class, and this method makes sure that the output always reflects the current content of the keytab source file. Interface summary: exported external class javax.security.auth.kerberos.KeyTab 3 methods Specification: /** * This class encapsulates a keytab source.

* * A Kerberos JAAS login module that obtains long term secret keys from a * keytab source should use this class. The login module will store * an instance of this class in the private credential set of a * {@link javax.security.auth.Subject Subject} during the commit phase of the * authentication process.

* * The readKeys method can be used to retrieve secret keys for a * given service. This class should make sure that the returned keys must match * the latest status of the keytab source. Therefore, applications are not * advised to call the method pre-maturely or cache the result.

* * It might be necessary for the application to be granted a * {@link javax.security.auth.PrivateCredentialPermission * PrivateCredentialPermission} if it needs to access the KerberosKey * instance from a Subject. This permission is not needed when the * application depends on the default JGSS Kerberos mechanism to access the * KerberosKey. In that case, however, the application will need an * appropriate * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}. * Permissions. * * @since 1.7 */ public final class KeyTab implements Serializable { /** * The src of this keytab. * * @serial */ private final String src; /** * Returns a KeyTab instance. The result is never null even * if the source is missing. In this case, its isMissing * method returns true. * * @param src the source of the keytab to be returned, say, a file name. * @return the keytab instance (never null) */ public static KeyTab getInstance(String src); /** * Returns keys for the given Kerberos principal. The result can be modified * by caller without damaging the keytab object. Callers are advised to * destroy the result keys after they are used. * * @param principal the Kerberos principal * @return the keys (never null, may be empty) */ public KerberosKey[] getKeys(KerberosPrincipal principal); /** * Returns if the keytab source is missing. Users can use the result to * determine if they should fallback to another mechanism to get the keys. * @return true if the keytab source is missing. */ public boolean isMissing(); } Also, make the following change to the current classdoc of javax.security.auth.kerberos.KerberosKey class: * All Kerberos JAAS login modules that obtain a principal's password and - * generate the secret key from it should use this class. Where available, - * the login module might even read this secret key directly from a - * Kerberos "keytab". Sometimes, such as when authenticating a server in + * generate the secret key from it should use this class. + * Sometimes, such as when authenticating a server in * the absence of user-to-user authentication, the login module will store * an instance of this class in the private credential set of a * {@link javax.security.auth.Subject Subject} during the commit phase of the * authentication process.

* + * A Kerberos service using a keytab to read secret keys are advised to use + * the {@link KeyTab} class, where latest keys can be read at needed. + * Compatibility risk: minimal History 2010-01-03 21:16:21 weijun.wang create 2010-01-03 21:42:17 weijun.wang update Thanks Max On Jan 13, 2010, at 11:08 PM, Mathieu Gervais (IDEAS) wrote: > Hi Max, > > Is there a publicly accessible version of http://ccc.sfbay.sun.com/6894072 > so we can review it as well? > (is this the code, or a design document?) > > Thanks, > > -mathieu > > > On Mon, Jan 4, 2010 at 15:00, request at openjdk.java.net> wrote: > Date: Mon, 04 Jan 2010 13:47:13 +0800 > From: "Max (Weijun) Wang" > Subject: [security-dev 01488]: Re: RFC: keytab automatic refresh in > Java > To: OpenJDK Dev list > Cc: Nicolas Williams > Message-ID: > Content-Type: text/plain; CHARSET=US-ASCII; delsp=yes; format=flowed > > Hi > > Please take a review at the CCC: > > http://ccc.sfbay.sun.com/6894072 > > Thanks > Max > > On Dec 22, 2009, at 12:25 PM, Max (Weijun) Wang wrote: > > > Hi All > > > > I'm planning to support keytab refresh in Java, which means the > > keytab's content is always reloaded right after AP-REQ is received > > on the acceptor side. > > > > One benefit is that when the service is started, the keytab file > > needn't include the keys for the service, or, it can simply be non- > > existent. More benefits are key refresh, key revocation, etc, etc. > > > > Currently, when useKeyTab is specified in the JAAS login config > > file, if keys for the service name cannot be found inside the > > keytab, JAAS automatically fallback to username/password prompt, and > > if they cannot be provided, the login fails. In my plan, when keytab > > refresh is supported, keytab will always be used even if it does not > > exist, because there's a chance that it will contain the proper keys > > later. > > > > So this introduces a behavior change, and I want to know how big the > > risk is. > > > > Do you know if any customer relies on the current fallback? That is > > to say, they manually config useKeyTab=true in the JAAS login > > config, but (sometimes) does not provide a keytab file with correct > > keys, and they expect username and password will be prompted for. > > > > The behavior change also means that if there is really something > > wrong with the keytab config (say, wrong path name), currently an > > app fails as soon as it starts, but with keytab refresh, it only > > fails when AP-REQ is received. > > > > How does Solaris deal with keytab changes? Does it accept an empty > > (or non-existent) keytab? > > > > Thanks > > Max > > > > > > End of security-dev Digest, Vol 31, Issue 1 > ******************************************* From Alan.Bateman at Sun.COM Mon Jan 18 02:19:39 2010 From: Alan.Bateman at Sun.COM (Alan Bateman) Date: Mon, 18 Jan 2010 10:19:39 +0000 Subject: [security-dev 01527]: Re: Please review changes in regression test test/java/security/Provider/Turkish.java In-Reply-To: <4B54334B.7030305@redhat.com> References: <4B54334B.7030305@redhat.com> Message-ID: <4B5435BB.6080003@sun.com> Pavel Tisnovsky wrote: > Hi, > > please review changes in regression test > jtest/java/security/Provider/Turkish.java. > > Webrev is available at http://cr.openjdk.java.net/~ptisnovs/Turkish/ > > We already discussed similar issue on jdk6-dev mailing list, > concretely in this thread: > http://mail.openjdk.java.net/pipermail/jdk6-dev/2009-December/thread.html#1056 > > > Thanks in advance > Pavel Tisnovsky > Red Hat QA > Looks good to me. I've cc'ed security-dev, as this test is "owned" by the security group. You'll need a bugID for this so I have created: 6917663: test/java/security/Provider/Turkish.java not samevm friendly Regards, -Alan. From Xuelei.Fan at Sun.COM Mon Jan 18 03:56:19 2010 From: Xuelei.Fan at Sun.COM (Xuelei Fan) Date: Mon, 18 Jan 2010 19:56:19 +0800 Subject: [security-dev 01528]: Re: Please review changes in regression test test/java/security/Provider/Turkish.java In-Reply-To: <4B5435BB.6080003@sun.com> References: <4B54334B.7030305@redhat.com> <4B5435BB.6080003@sun.com> Message-ID: <4B544C63.5030202@Sun.COM> Alan Bateman wrote: > Pavel Tisnovsky wrote: >> Hi, >> >> please review changes in regression test >> jtest/java/security/Provider/Turkish.java. >> >> Webrev is available at http://cr.openjdk.java.net/~ptisnovs/Turkish/ >> >> We already discussed similar issue on jdk6-dev mailing list, >> concretely in this thread: >> http://mail.openjdk.java.net/pipermail/jdk6-dev/2009-December/thread.html#1056 >> >> >> Thanks in advance >> Pavel Tisnovsky >> Red Hat QA >> > Looks good to me. I've cc'ed security-dev, as this test is "owned" by > the security group. > Looks good to me, too. Regards, Xuelei > You'll need a bugID for this so I have created: > 6917663: test/java/security/Provider/Turkish.java not samevm friendly > > Regards, > > -Alan. From christopher.hegarty at sun.com Mon Jan 18 06:02:37 2010 From: christopher.hegarty at sun.com (christopher.hegarty at sun.com) Date: Mon, 18 Jan 2010 14:02:37 +0000 Subject: [security-dev 01529]: hg: jdk7/tl/jdk: 6916890: (sctp) SctpChannel.send may cause IAE if given a heap buffer with an offset Message-ID: <20100118140339.1638341B9C@hg.openjdk.java.net> Changeset: 680d7d312a30 Author: chegar Date: 2010-01-18 14:01 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/680d7d312a30 6916890: (sctp) SctpChannel.send may cause IAE if given a heap buffer with an offset Reviewed-by: alanb ! src/solaris/classes/sun/nio/ch/SctpChannelImpl.java ! src/solaris/classes/sun/nio/ch/SctpMultiChannelImpl.java ! test/com/sun/nio/sctp/SctpChannel/Send.java ! test/com/sun/nio/sctp/SctpMultiChannel/Send.java From christopher.hegarty at sun.com Mon Jan 18 06:56:49 2010 From: christopher.hegarty at sun.com (christopher.hegarty at sun.com) Date: Mon, 18 Jan 2010 14:56:49 +0000 Subject: [security-dev 01530]: hg: jdk7/tl/jdk: 6917317: (sctp) Remove dependency on handleSocketError Message-ID: <20100118145708.8291541BAE@hg.openjdk.java.net> Changeset: e0870a19b09e Author: chegar Date: 2010-01-18 14:56 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/e0870a19b09e 6917317: (sctp) Remove dependency on handleSocketError Reviewed-by: alanb ! src/solaris/native/sun/nio/ch/SctpNet.c ! test/com/sun/nio/sctp/SctpChannel/Connect.java From alan.bateman at sun.com Mon Jan 18 07:26:04 2010 From: alan.bateman at sun.com (alan.bateman at sun.com) Date: Mon, 18 Jan 2010 15:26:04 +0000 Subject: [security-dev 01531]: hg: jdk7/tl/jdk: 6917021: (file) copyTo/moveTo can overrwrite existing file when target associated with custom provider Message-ID: <20100118152623.49B9141BB8@hg.openjdk.java.net> Changeset: 42894ae6671c Author: alanb Date: 2010-01-18 15:21 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/42894ae6671c 6917021: (file) copyTo/moveTo can overrwrite existing file when target associated with custom provider Reviewed-by: chegar ! src/share/classes/sun/nio/fs/AbstractPath.java ! test/java/nio/file/Path/CopyAndMove.java + test/java/nio/file/Path/PassThroughFileSystem.java ! test/java/nio/file/TestUtil.java From ptisnovs at redhat.com Mon Jan 18 08:54:07 2010 From: ptisnovs at redhat.com (ptisnovs at redhat.com) Date: Mon, 18 Jan 2010 16:54:07 +0000 Subject: [security-dev 01532]: hg: jdk7/tl/jdk: 6917663: test/java/security/Provider/Turkish.java not samevm friendly Message-ID: <20100118165426.4B6B241BCF@hg.openjdk.java.net> Changeset: 7f2b99bd5123 Author: ptisnovs Date: 2010-01-18 17:53 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/7f2b99bd5123 6917663: test/java/security/Provider/Turkish.java not samevm friendly Summary: Added othervm flag to ensure that this test will run in isolation. Reviewed-by: alanb ! test/java/security/Provider/Turkish.java From gnu_andrew at member.fsf.org Mon Jan 18 09:13:10 2010 From: gnu_andrew at member.fsf.org (Andrew John Hughes) Date: Mon, 18 Jan 2010 17:13:10 +0000 Subject: [security-dev 01533]: Re: Please review changes in regression test test/java/security/Provider/Turkish.java In-Reply-To: <4B5435BB.6080003@sun.com> References: <4B54334B.7030305@redhat.com> <4B5435BB.6080003@sun.com> Message-ID: <17c6771e1001180913w6d3df03dy6aae4076d19d2e94@mail.gmail.com> 2010/1/18 Alan Bateman : > Pavel Tisnovsky wrote: >> >> Hi, >> >> please review changes in regression test >> jtest/java/security/Provider/Turkish.java. >> >> Webrev is available at http://cr.openjdk.java.net/~ptisnovs/Turkish/ >> >> We already discussed similar issue on jdk6-dev mailing list, concretely in >> this thread: >> http://mail.openjdk.java.net/pipermail/jdk6-dev/2009-December/thread.html#1056 >> >> Thanks in advance >> Pavel Tisnovsky >> Red Hat QA >> > Looks good to me. I've cc'ed security-dev, as this test is "owned" by the > security group. > > You'll need a bugID for this so I have created: > ?6917663: test/java/security/Provider/Turkish.java not samevm friendly > > Regards, > > -Alan. > As mentioned by Joe (http://mail.openjdk.java.net/pipermail/jdk6-dev/2010-January/001135.html) patches for jdk6 should be sent to the jdk6-dev list before being pushed to the jdk6 tree. -- Andrew :-) Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) Support Free Java! Contribute to GNU Classpath and the OpenJDK http://www.gnu.org/software/classpath http://openjdk.java.net PGP Key: 94EFD9D8 (http://subkeys.pgp.net) Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 From Alan.Bateman at Sun.COM Mon Jan 18 09:32:15 2010 From: Alan.Bateman at Sun.COM (Alan Bateman) Date: Mon, 18 Jan 2010 17:32:15 +0000 Subject: [security-dev 01534]: Re: Please review changes in regression test test/java/security/Provider/Turkish.java In-Reply-To: <17c6771e1001180913w6d3df03dy6aae4076d19d2e94@mail.gmail.com> References: <4B54334B.7030305@redhat.com> <4B5435BB.6080003@sun.com> <17c6771e1001180913w6d3df03dy6aae4076d19d2e94@mail.gmail.com> Message-ID: <4B549B1F.7020402@sun.com> Andrew John Hughes wrote: > : > As mentioned by Joe > (http://mail.openjdk.java.net/pipermail/jdk6-dev/2010-January/001135.html) > patches for jdk6 should be sent to the jdk6-dev list before being > pushed to the jdk6 tree. > It might be good to also ping the mailing list for the area (as I don't think everyone is subscribed to jdk6-dev). -Alan. From gnu_andrew at member.fsf.org Mon Jan 18 10:45:02 2010 From: gnu_andrew at member.fsf.org (Andrew John Hughes) Date: Mon, 18 Jan 2010 18:45:02 +0000 Subject: [security-dev 01535]: Re: Please review changes in regression test test/java/security/Provider/Turkish.java In-Reply-To: <4B549B1F.7020402@sun.com> References: <4B54334B.7030305@redhat.com> <4B5435BB.6080003@sun.com> <17c6771e1001180913w6d3df03dy6aae4076d19d2e94@mail.gmail.com> <4B549B1F.7020402@sun.com> Message-ID: <17c6771e1001181045o5691efbbu470ceea1d86adb84@mail.gmail.com> 2010/1/18 Alan Bateman : > Andrew John Hughes wrote: >> >> : >> As mentioned by Joe >> (http://mail.openjdk.java.net/pipermail/jdk6-dev/2010-January/001135.html) >> patches for jdk6 should be sent to the jdk6-dev list before being >> pushed to the jdk6 tree. >> > > It might be good to also ping the mailing list for the area (as I don't > think everyone is subscribed to jdk6-dev). > > -Alan. > > Yes, sorry, I meant that jdk6-dev should be in addition to the normal area list, if the patch is also intended for OpenJDK6. -- Andrew :-) Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) Support Free Java! Contribute to GNU Classpath and the OpenJDK http://www.gnu.org/software/classpath http://openjdk.java.net PGP Key: 94EFD9D8 (http://subkeys.pgp.net) Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 From mandy.chung at sun.com Mon Jan 18 15:24:16 2010 From: mandy.chung at sun.com (mandy.chung at sun.com) Date: Mon, 18 Jan 2010 23:24:16 +0000 Subject: [security-dev 01536]: hg: jdk7/tl/jdk: 6916217: make/modules/Makefile requires ALT_JDK_IMPORT_PATH Message-ID: <20100118232435.C6F1841C37@hg.openjdk.java.net> Changeset: 056d88d0f4d4 Author: mchung Date: 2010-01-18 15:23 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/056d88d0f4d4 6916217: make/modules/Makefile requires ALT_JDK_IMPORT_PATH Summary: build modules not depending on ALT_JDK_IMPORT_PATH being set Reviewed-by: alanb ! make/common/Defs.gmk ! make/common/Modules.gmk ! make/modules/Makefile ! make/modules/optional.depconfig ! make/modules/tools/Makefile From Weijun.Wang at Sun.COM Mon Jan 18 17:31:32 2010 From: Weijun.Wang at Sun.COM (Max (Weijun) Wang) Date: Tue, 19 Jan 2010 09:31:32 +0800 Subject: [security-dev 01537]: Code review request: 6917791 KeyTabEntry, when the byte value smaller then 16, the string drop '0'. References: <29378544.1263859360543.JavaMail.sbladm@swsblss3-new> Message-ID: Please take a review: http://cr.openjdk.java.net/~weijun/6917791/webrev.00 Before the fix, the hexdump of a keytab only encodes one character for byte smaller than 16. This means 0x12 can be {1,2} or {12}. After the fix, a byte is always encoded in 2 characters. Thanks Max Begin forwarded message: > *Synopsis*: KeyTabEntry, when the byte value smaller then 16, the > string drop '0'. > > *Change Request ID*: 6917791 > > *Synopsis*: KeyTabEntry, when the byte value smaller then 16, the > string drop '0'. > > Product: java > Category: jgss > Subcategory: krb5plugin > Type: Defect > > === *Description* > ============================================================ > FULL PRODUCT VERSION : > > A DESCRIPTION OF THE PROBLEM : > sun.security.krb5.internal.ktab.KeyTabEntry > > public String getKeyString() { > StringBuffer sb = new StringBuffer("0x"); > for (int i = 0; i < keyblock.length; i++) { > sb.append(Integer.toHexString(keyblock[i] & 0xff)); > } > return sb.toString(); > } > > when the byte value smaller then 16, the string drop '0'. > > > REPRODUCIBILITY : > This bug can be reproduced always. From weijun.wang at sun.com Mon Jan 18 19:45:27 2010 From: weijun.wang at sun.com (weijun.wang at sun.com) Date: Tue, 19 Jan 2010 03:45:27 +0000 Subject: [security-dev 01538]: hg: jdk7/tl/jdk: 6917791: KeyTabEntry, when the byte value smaller then 16, the string drop '0' Message-ID: <20100119034546.1648241C7D@hg.openjdk.java.net> Changeset: 8339fd49bf6b Author: weijun Date: 2010-01-19 11:43 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/8339fd49bf6b 6917791: KeyTabEntry, when the byte value smaller then 16, the string drop '0' Reviewed-by: xuelei ! src/share/classes/sun/security/krb5/internal/ktab/KeyTabEntry.java + test/sun/security/krb5/ktab/KeyString.java From jonathan.gibbons at sun.com Tue Jan 19 14:29:49 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Tue, 19 Jan 2010 22:29:49 +0000 Subject: [security-dev 01539]: hg: jdk7/tl/langtools: 6917067: refactor type annotations code from TransTypes into new TypeAnnotations class Message-ID: <20100119222957.6AB1341DBA@hg.openjdk.java.net> Changeset: f23b985beb78 Author: jjg Date: 2010-01-19 14:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/f23b985beb78 6917067: refactor type annotations code from TransTypes into new TypeAnnotations class Reviewed-by: jjg, darcy Contributed-by: mali at csail.mit.edu, mernst at cs.washington.edu + src/share/classes/com/sun/tools/javac/code/TypeAnnotations.java ! src/share/classes/com/sun/tools/javac/comp/TransTypes.java From xuelei.fan at sun.com Wed Jan 20 05:44:32 2010 From: xuelei.fan at sun.com (xuelei.fan at sun.com) Date: Wed, 20 Jan 2010 13:44:32 +0000 Subject: [security-dev 01540]: hg: jdk7/tl/jdk: 6862064: incorrect implementation of PKIXParameters.clone() Message-ID: <20100120134513.2F5B541EB0@hg.openjdk.java.net> Changeset: dca3a251a001 Author: xuelei Date: 2010-01-20 21:38 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/dca3a251a001 6862064: incorrect implementation of PKIXParameters.clone() Reviewed-by: weijun, mullan ! src/share/classes/java/security/cert/PKIXParameters.java From mstjohns at comcast.net Wed Jan 20 10:05:28 2010 From: mstjohns at comcast.net (Michael StJohns) Date: Wed, 20 Jan 2010 13:05:28 -0500 Subject: [security-dev 01541]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <4ABBAD55.7070206@sun.com> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> Message-ID: <20100120180532.909D064A2@mail.openjdk.java.net> Hi - this seems to have stalled out again. Any chance of revival? Mike At 12:33 PM 9/24/2009, Vincent Ryan wrote: >Hello Andrew, > >I'll need a little more time to come up to speed on this fix. I'm concerned that >there may be interoperability or backwards compatibility issues. > > > >Andrew John Hughes wrote: >> 2009/9/2 Andrew John Hughes : >>> 2009/9/2 Michael StJohns : >>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>> 2009/9/2 Michael StJohns : >>>>>> ?? This appears to be related specifically to PKCS11.?? Specifically, PKCS11 >>>>>> v2.20 has some ambiguity of the representation of an EC point (which is >>>>>> different in the text than an ASN1 ECPoint). >>>>>> >>>>>> This is being clarified in v2.30 with the unencoded point format (e.g.the >>>>>> format described in?? X9.62, where the first octet indicates the encoding and >>>>>> there are either N or 2N octets following)?? being the expected value, but >>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>> >>>>>> One of the reasons for going that way was how the JDK PKCS11 provider had >>>>>> interpreted the issue and implemented its code. >>>>>> >>>>>> I don't support this fix - among other things, this fix only deals with 1/2 >>>>>> of the problem.?? The other half is related to encoding the value.?? Also, >>>>>> changing the code at decodePoint seems further into the stack than needed >>>>>> and may affect other uses of that method. >>>>>> >>>>> That's really too vague to be of much help in improving the patch. >>>>> You seem to be saying little more than 'I don't like it'. >>>> Sorry about that. My point was that your patch didn't completely solve the problem and that the point at where you were fixing it could have some bad side effects for anyone calling decodePoint directly. >>>> >>>> >>>>>> There's an existing JDK bug on this coming at it from a different direction >>>>>> - 6763530 ... and there may be considerations at >>>>>> >>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>> >>>>> It seems likely that's the NSS change that causes the current failure. >>>>> The fix I submitted here is based on the way this is handle in NSS. >>>>> In fact, the code is similar enough to suggest that one was developed >>>> >from the other. >>>>>> ?? that should be looked at. >>>>> The JDK bug is not really 'from a different direction', it's reporting >>>>> exactly the same error but from a less trivial example (I get the same >>>>> failure while trying to create an example key, while this seems to >>>>> require specific hardware if I'm reading it correctly). >>>> Not exactly. You're using the NSS as a PKCS11 module - this problem would occur with any PKCS11 module that implements EC stuff. >>>> >>>> >>>>> Also see 6779460 which is mostly a duplicate of >>>>>> 6763530. >>>>>> >>>>> The patch on 6779460 seems wrong. It means that the method will >>>>> return a DER-encoded value where it would either have returned an >>>>> uncompressed value before or failed. >>>> My point exactly as I mentioned in the comments. :-) >>>> >>>> >>>>>> It's probable that the fix I suggested at 6763530?? (in comments submitted 29 >>>>>> Nov 08) may be a better approach given the NSS fixes.?? I believe it will fix >>>>>> the keytool problem noted in the original message. >>>>>> >>>>> Ok, I can see the logic in the fix and it would appear to work, though >>>>> I haven't tested it. >>>>> Given the patch was written nine months ago, why has it not been >>>>> applied? If it had, it would have saved me hours having to debug this >>>>> same issue again. >>>> Yup. I did do a search for PKCS11 related bugs when I encountered the same problem and did find the original error. >>>> >>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on your >>>>> patch and we can finally get this fixed. Without it, NSS support is >>>>> completely broken in OpenJDK6 which makes me wonder why this is a low >>>>> priority bug! >>>> I do have an SCA on file. Note that the recommendation from the NSS guys was to raise the priority. >>>> >>>> The reason I haven't submitted this is because I submitted a different EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per the documented process >>>> and was waiting on progress there before continuing. I've got a number of EC and PKCS11 related fixes I'd like to submit, but I was trying for a worked example before proceeding. And then I got busy with some other things... >>>> >>>> Mike >>>> >>>> >>>> >>>> >>>> >>>>>> Mike >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>> >>>>>> Andrew John Hughes wrote: >>>>>> >>>>>> 2009/8/28 Andrew John Hughes : >>>>>> >>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are available >>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>> >>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>> >>>>>> If NSS is configured as specified in this blog, keytool can be used to >>>>>> generate a key as follows: >>>>>> >>>>>> Hello. >>>>>> >>>>>> Allowing keytool and friends to work in more cases if the provider is >>>>>> capable seems fine to me. >>>>>> >>>>>> Security team, do you have concerns about this patch? >>>>>> >>>>>> Thanks, >>>>>> >>>>>> -Joe >>>>>> >>>>> >>>>> >>>>> -- >>>>> Andrew :-) >>>>> >>>>> Free Java Software Engineer >>>>> Red Hat, Inc. (http://www.redhat.com) >>>>> >>>>> Support Free Java! >>>>> Contribute to GNU Classpath and the OpenJDK >>>>> http://www.gnu.org/software/classpath >>>>> http://openjdk.java.net >>>>> >>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>> >>>> >>> Ok here is a new webrev: >>> >>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>> >>> with a slightly revised version of your change (you can't throw a >>> PKCS11Exception which only takes a long ID from the native code, so I >>> changed this to an IllegalArgumentException). >>> >>> Security team, does this look ok to push? >>> -- >>> Andrew :-) >>> >>> Free Java Software Engineer >>> Red Hat, Inc. (http://www.redhat.com) >>> >>> Support Free Java! >>> Contribute to GNU Classpath and the OpenJDK >>> http://www.gnu.org/software/classpath >>> http://openjdk.java.net >>> >>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>> >> >> Ping! Security developers, any thoughts on this patch: >> >> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >> >> Does it look ok to push? >> >> Thanks, From gnu_andrew at member.fsf.org Wed Jan 20 10:06:43 2010 From: gnu_andrew at member.fsf.org (Andrew John Hughes) Date: Wed, 20 Jan 2010 18:06:43 +0000 Subject: [security-dev 01542]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <4b5745f0.8f53f10a.4f8d.ffff8f81SMTPIN_ADDED@mx.google.com> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <4b5745f0.8f53f10a.4f8d.ffff8f81SMTPIN_ADDED@mx.google.com> Message-ID: <17c6771e1001201006l3cb4046uc49c2ebd2e2714c0@mail.gmail.com> 2010/1/20 Michael StJohns : > Hi - this seems to have stalled out again. ?Any chance of revival? > Never mind stalled, it doesn't appear to have even started to begin with! We do ship the patch with IcedTea6. If Sun don't want the fix for OpenJDK itself, I guess that's their problem. > Mike > > > At 12:33 PM 9/24/2009, Vincent Ryan wrote: >>Hello Andrew, >> >>I'll need a little more time to come up to speed on this fix. I'm concerned that >>there may be interoperability or backwards compatibility issues. >> >> >> >>Andrew John Hughes wrote: >>> 2009/9/2 Andrew John Hughes : >>>> 2009/9/2 Michael StJohns : >>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>> 2009/9/2 Michael StJohns : >>>>>>> ?? This appears to be related specifically to PKCS11.?? ?Specifically, PKCS11 >>>>>>> v2.20 has some ambiguity of the representation of an EC point (which is >>>>>>> different in the text than an ASN1 ECPoint). >>>>>>> >>>>>>> This is being clarified in v2.30 with the unencoded point format (e.g.the >>>>>>> format described in?? ?X9.62, where the first octet indicates the encoding and >>>>>>> there are either N or 2N octets following)?? ?being the expected value, but >>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>> >>>>>>> One of the reasons for going that way was how the JDK PKCS11 provider had >>>>>>> interpreted the issue and implemented its code. >>>>>>> >>>>>>> I don't support this fix - among other things, this fix only deals with 1/2 >>>>>>> of the problem.?? ?The other half is related to encoding the value.?? ?Also, >>>>>>> changing the code at decodePoint seems further into the stack than needed >>>>>>> and may affect other uses of that method. >>>>>>> >>>>>> That's really too vague to be of much help in improving the patch. >>>>>> You seem to be saying little more than 'I don't like it'. >>>>> Sorry about that. ?My point was that your patch didn't completely solve the problem and that the point at where you were fixing it could have some bad side effects for anyone calling decodePoint directly. >>>>> >>>>> >>>>>>> There's an existing JDK bug on this coming at it from a different direction >>>>>>> - 6763530 ... and there may be considerations at >>>>>>> >>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>> >>>>>> It seems likely that's the NSS change that causes the current failure. >>>>>> The fix I submitted here is based on the way this is handle in NSS. >>>>>> In fact, the code is similar enough to suggest that one was developed >>>>> >from the other. >>>>>>> ?? that should be looked at. >>>>>> The JDK bug is not really 'from a different direction', it's reporting >>>>>> exactly the same error but from a less trivial example (I get the same >>>>>> failure while trying to create an example key, while this seems to >>>>>> require specific hardware if I'm reading it correctly). >>>>> Not exactly. ?You're using the NSS as a PKCS11 module - this problem would occur with any PKCS11 module that implements EC stuff. >>>>> >>>>> >>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>> 6763530. >>>>>>> >>>>>> The patch on 6779460 seems wrong. ?It means that the method will >>>>>> return a DER-encoded value where it would either have returned an >>>>>> uncompressed value before or failed. >>>>> My point exactly as I mentioned in the comments. ?:-) >>>>> >>>>> >>>>>>> It's probable that the fix I suggested at 6763530?? ?(in comments submitted 29 >>>>>>> Nov 08) may be a better approach given the NSS fixes.?? ?I believe it will fix >>>>>>> the keytool problem noted in the original message. >>>>>>> >>>>>> Ok, I can see the logic in the fix and it would appear to work, though >>>>>> I haven't tested it. >>>>>> Given the patch was written nine months ago, why has it not been >>>>>> applied? ?If it had, it would have saved me hours having to debug this >>>>>> same issue again. >>>>> Yup. ?I did do a search for PKCS11 related bugs when I encountered the same problem and did find the original error. >>>>> >>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on your >>>>>> patch and we can finally get this fixed. ?Without it, NSS support is >>>>>> completely broken in OpenJDK6 which makes me wonder why this is a low >>>>>> priority bug! >>>>> I do have an SCA on file. ?Note that the recommendation from the NSS guys was to raise the priority. >>>>> >>>>> The reason I haven't submitted this is because I submitted a different EC fix ?https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per the documented process >>>>> ?and was waiting on progress there before continuing. ?I've got a number of EC and PKCS11 related fixes I'd like to submit, but I was trying for a worked example before proceeding. ?And then I got busy with some other things... >>>>> >>>>> Mike >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>> Mike >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>> >>>>>>> Andrew John Hughes wrote: >>>>>>> >>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>> >>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are available >>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>> >>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>> >>>>>>> If NSS is configured as specified in this blog, keytool can be used to >>>>>>> generate a key as follows: >>>>>>> >>>>>>> Hello. >>>>>>> >>>>>>> Allowing keytool and friends to work in more cases if the provider is >>>>>>> capable seems fine to me. >>>>>>> >>>>>>> Security team, do you have concerns about this patch? >>>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> -Joe >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Andrew :-) >>>>>> >>>>>> Free Java Software Engineer >>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>> >>>>>> Support Free Java! >>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>> http://www.gnu.org/software/classpath >>>>>> http://openjdk.java.net >>>>>> >>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA ?7927 142C 2591 94EF D9D8 >>>>> >>>>> >>>> Ok here is a new webrev: >>>> >>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>> >>>> with a slightly revised version of your change (you can't throw a >>>> PKCS11Exception which only takes a long ID from the native code, so I >>>> changed this to an IllegalArgumentException). >>>> >>>> Security team, does this look ok to push? >>>> -- >>>> Andrew :-) >>>> >>>> Free Java Software Engineer >>>> Red Hat, Inc. (http://www.redhat.com) >>>> >>>> Support Free Java! >>>> Contribute to GNU Classpath and the OpenJDK >>>> http://www.gnu.org/software/classpath >>>> http://openjdk.java.net >>>> >>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>> Fingerprint: F8EF F1EA 401E 2E60 15FA ?7927 142C 2591 94EF D9D8 >>>> >>> >>> Ping! Security developers, any thoughts on this patch: >>> >>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>> >>> Does it look ok to push? >>> >>> Thanks, > > > -- Andrew :-) Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) Support Free Java! Contribute to GNU Classpath and the OpenJDK http://www.gnu.org/software/classpath http://openjdk.java.net PGP Key: 94EFD9D8 (http://subkeys.pgp.net) Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 From tomas at primekey.se Wed Jan 20 11:00:09 2010 From: tomas at primekey.se (Tomas Gustavsson) Date: Wed, 20 Jan 2010 20:00:09 +0100 (CET) Subject: [security-dev 01543]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <20100120180532.909D064A2@mail.openjdk.java.net> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> Message-ID: I'll second this request. This is a critical patch and many production installations have to live with this manually patched now. I know of no pkcs11 implementation that works with the current code. Regards, Tomas Gustavsson PrimeKey Solutions AB On Wed, 20 Jan 2010, Michael StJohns wrote: > Hi - this seems to have stalled out again. Any chance of revival? > > Mike > > > At 12:33 PM 9/24/2009, Vincent Ryan wrote: >> Hello Andrew, >> >> I'll need a little more time to come up to speed on this fix. I'm concerned that >> there may be interoperability or backwards compatibility issues. >> >> >> >> Andrew John Hughes wrote: >>> 2009/9/2 Andrew John Hughes : >>>> 2009/9/2 Michael StJohns : >>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>> 2009/9/2 Michael StJohns : >>>>>>> ?? This appears to be related specifically to PKCS11.?? Specifically, PKCS11 >>>>>>> v2.20 has some ambiguity of the representation of an EC point (which is >>>>>>> different in the text than an ASN1 ECPoint). >>>>>>> >>>>>>> This is being clarified in v2.30 with the unencoded point format (e.g.the >>>>>>> format described in?? X9.62, where the first octet indicates the encoding and >>>>>>> there are either N or 2N octets following)?? being the expected value, but >>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>> >>>>>>> One of the reasons for going that way was how the JDK PKCS11 provider had >>>>>>> interpreted the issue and implemented its code. >>>>>>> >>>>>>> I don't support this fix - among other things, this fix only deals with 1/2 >>>>>>> of the problem.?? The other half is related to encoding the value.?? Also, >>>>>>> changing the code at decodePoint seems further into the stack than needed >>>>>>> and may affect other uses of that method. >>>>>>> >>>>>> That's really too vague to be of much help in improving the patch. >>>>>> You seem to be saying little more than 'I don't like it'. >>>>> Sorry about that. My point was that your patch didn't completely solve the problem and that the point at where you were fixing it could have some bad side effects for anyone calling decodePoint directly. >>>>> >>>>> >>>>>>> There's an existing JDK bug on this coming at it from a different direction >>>>>>> - 6763530 ... and there may be considerations at >>>>>>> >>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>> >>>>>> It seems likely that's the NSS change that causes the current failure. >>>>>> The fix I submitted here is based on the way this is handle in NSS. >>>>>> In fact, the code is similar enough to suggest that one was developed >>>>>> from the other. >>>>>>> ?? that should be looked at. >>>>>> The JDK bug is not really 'from a different direction', it's reporting >>>>>> exactly the same error but from a less trivial example (I get the same >>>>>> failure while trying to create an example key, while this seems to >>>>>> require specific hardware if I'm reading it correctly). >>>>> Not exactly. You're using the NSS as a PKCS11 module - this problem would occur with any PKCS11 module that implements EC stuff. >>>>> >>>>> >>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>> 6763530. >>>>>>> >>>>>> The patch on 6779460 seems wrong. It means that the method will >>>>>> return a DER-encoded value where it would either have returned an >>>>>> uncompressed value before or failed. >>>>> My point exactly as I mentioned in the comments. :-) >>>>> >>>>> >>>>>>> It's probable that the fix I suggested at 6763530?? (in comments submitted 29 >>>>>>> Nov 08) may be a better approach given the NSS fixes.?? I believe it will fix >>>>>>> the keytool problem noted in the original message. >>>>>>> >>>>>> Ok, I can see the logic in the fix and it would appear to work, though >>>>>> I haven't tested it. >>>>>> Given the patch was written nine months ago, why has it not been >>>>>> applied? If it had, it would have saved me hours having to debug this >>>>>> same issue again. >>>>> Yup. I did do a search for PKCS11 related bugs when I encountered the same problem and did find the original error. >>>>> >>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on your >>>>>> patch and we can finally get this fixed. Without it, NSS support is >>>>>> completely broken in OpenJDK6 which makes me wonder why this is a low >>>>>> priority bug! >>>>> I do have an SCA on file. Note that the recommendation from the NSS guys was to raise the priority. >>>>> >>>>> The reason I haven't submitted this is because I submitted a different EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per the documented process >>>>> and was waiting on progress there before continuing. I've got a number of EC and PKCS11 related fixes I'd like to submit, but I was trying for a worked example before proceeding. And then I got busy with some other things... >>>>> >>>>> Mike >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>> Mike >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>> >>>>>>> Andrew John Hughes wrote: >>>>>>> >>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>> >>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are available >>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>> >>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>> >>>>>>> If NSS is configured as specified in this blog, keytool can be used to >>>>>>> generate a key as follows: >>>>>>> >>>>>>> Hello. >>>>>>> >>>>>>> Allowing keytool and friends to work in more cases if the provider is >>>>>>> capable seems fine to me. >>>>>>> >>>>>>> Security team, do you have concerns about this patch? >>>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> -Joe >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Andrew :-) >>>>>> >>>>>> Free Java Software Engineer >>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>> >>>>>> Support Free Java! >>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>> http://www.gnu.org/software/classpath >>>>>> http://openjdk.java.net >>>>>> >>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>> >>>>> >>>> Ok here is a new webrev: >>>> >>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>> >>>> with a slightly revised version of your change (you can't throw a >>>> PKCS11Exception which only takes a long ID from the native code, so I >>>> changed this to an IllegalArgumentException). >>>> >>>> Security team, does this look ok to push? >>>> -- >>>> Andrew :-) >>>> >>>> Free Java Software Engineer >>>> Red Hat, Inc. (http://www.redhat.com) >>>> >>>> Support Free Java! >>>> Contribute to GNU Classpath and the OpenJDK >>>> http://www.gnu.org/software/classpath >>>> http://openjdk.java.net >>>> >>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>> >>> >>> Ping! Security developers, any thoughts on this patch: >>> >>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>> >>> Does it look ok to push? >>> >>> Thanks, > > From gnu_andrew at member.fsf.org Wed Jan 20 14:16:59 2010 From: gnu_andrew at member.fsf.org (Andrew John Hughes) Date: Wed, 20 Jan 2010 22:16:59 +0000 Subject: [security-dev 01544]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> Message-ID: <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> 2010/1/20 Tomas Gustavsson : > > I'll second this request. This is a critical patch and many production > installations have to live with this manually patched now. > > I know of no pkcs11 implementation that works with the current code. > It has four votes: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6763530 I don't know how many they need to wake up and review the patch. The new release of IcedTea6 1.7 is imminent and will include the fix so it should at least be resolved on the next version shipping with most GNU/Linux distributions. > Regards, > Tomas Gustavsson > PrimeKey Solutions AB > > > On Wed, 20 Jan 2010, Michael StJohns wrote: > >> Hi - this seems to have stalled out again. ?Any chance of revival? >> >> Mike >> >> >> At 12:33 PM 9/24/2009, Vincent Ryan wrote: >>> >>> Hello Andrew, >>> >>> I'll need a little more time to come up to speed on this fix. I'm >>> concerned that >>> there may be interoperability or backwards compatibility issues. >>> >>> >>> >>> Andrew John Hughes wrote: >>>> >>>> 2009/9/2 Andrew John Hughes : >>>>> >>>>> 2009/9/2 Michael StJohns : >>>>>> >>>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>>> >>>>>>> 2009/9/2 Michael StJohns : >>>>>>>> >>>>>>>> ?? This appears to be related specifically to PKCS11.?? >>>>>>>> ?Specifically, PKCS11 >>>>>>>> v2.20 has some ambiguity of the representation of an EC point (which >>>>>>>> is >>>>>>>> different in the text than an ASN1 ECPoint). >>>>>>>> >>>>>>>> This is being clarified in v2.30 with the unencoded point format >>>>>>>> (e.g.the >>>>>>>> format described in?? ?X9.62, where the first octet indicates the >>>>>>>> encoding and >>>>>>>> there are either N or 2N octets following)?? ?being the expected >>>>>>>> value, but >>>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>>> >>>>>>>> One of the reasons for going that way was how the JDK PKCS11 >>>>>>>> provider had >>>>>>>> interpreted the issue and implemented its code. >>>>>>>> >>>>>>>> I don't support this fix - among other things, this fix only deals >>>>>>>> with 1/2 >>>>>>>> of the problem.?? ?The other half is related to encoding the >>>>>>>> value.?? ?Also, >>>>>>>> changing the code at decodePoint seems further into the stack than >>>>>>>> needed >>>>>>>> and may affect other uses of that method. >>>>>>>> >>>>>>> That's really too vague to be of much help in improving the patch. >>>>>>> You seem to be saying little more than 'I don't like it'. >>>>>> >>>>>> Sorry about that. ?My point was that your patch didn't completely >>>>>> solve the problem and that the point at where you were fixing it could have >>>>>> some bad side effects for anyone calling decodePoint directly. >>>>>> >>>>>> >>>>>>>> There's an existing JDK bug on this coming at it from a different >>>>>>>> direction >>>>>>>> - 6763530 ... and there may be considerations at >>>>>>>> >>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>>> >>>>>>> It seems likely that's the NSS change that causes the current >>>>>>> failure. >>>>>>> The fix I submitted here is based on the way this is handle in NSS. >>>>>>> In fact, the code is similar enough to suggest that one was developed >>>>>>> from the other. >>>>>>>> >>>>>>>> ?? that should be looked at. >>>>>>> >>>>>>> The JDK bug is not really 'from a different direction', it's >>>>>>> reporting >>>>>>> exactly the same error but from a less trivial example (I get the >>>>>>> same >>>>>>> failure while trying to create an example key, while this seems to >>>>>>> require specific hardware if I'm reading it correctly). >>>>>> >>>>>> Not exactly. ?You're using the NSS as a PKCS11 module - this problem >>>>>> would occur with any PKCS11 module that implements EC stuff. >>>>>> >>>>>> >>>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>>> >>>>>>>> 6763530. >>>>>>>> >>>>>>> The patch on 6779460 seems wrong. ?It means that the method will >>>>>>> return a DER-encoded value where it would either have returned an >>>>>>> uncompressed value before or failed. >>>>>> >>>>>> My point exactly as I mentioned in the comments. ?:-) >>>>>> >>>>>> >>>>>>>> It's probable that the fix I suggested at 6763530?? ?(in comments >>>>>>>> submitted 29 >>>>>>>> Nov 08) may be a better approach given the NSS fixes.?? ?I believe >>>>>>>> it will fix >>>>>>>> the keytool problem noted in the original message. >>>>>>>> >>>>>>> Ok, I can see the logic in the fix and it would appear to work, >>>>>>> though >>>>>>> I haven't tested it. >>>>>>> Given the patch was written nine months ago, why has it not been >>>>>>> applied? ?If it had, it would have saved me hours having to debug >>>>>>> this >>>>>>> same issue again. >>>>>> >>>>>> Yup. ?I did do a search for PKCS11 related bugs when I encountered the >>>>>> same problem and did find the original error. >>>>>> >>>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on >>>>>>> your >>>>>>> patch and we can finally get this fixed. ?Without it, NSS support is >>>>>>> completely broken in OpenJDK6 which makes me wonder why this is a low >>>>>>> priority bug! >>>>>> >>>>>> I do have an SCA on file. ?Note that the recommendation from the NSS >>>>>> guys was to raise the priority. >>>>>> >>>>>> The reason I haven't submitted this is because I submitted a different >>>>>> EC fix ?https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per the >>>>>> documented process >>>>>> ?and was waiting on progress there before continuing. ?I've got a >>>>>> number of EC and PKCS11 related fixes I'd like to submit, but I was trying >>>>>> for a worked example before proceeding. ?And then I got busy with some other >>>>>> things... >>>>>> >>>>>> Mike >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>>> Mike >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>>> >>>>>>>> Andrew John Hughes wrote: >>>>>>>> >>>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>>> >>>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are >>>>>>>> available >>>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>>> >>>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>>> >>>>>>>> If NSS is configured as specified in this blog, keytool can be used >>>>>>>> to >>>>>>>> generate a key as follows: >>>>>>>> >>>>>>>> Hello. >>>>>>>> >>>>>>>> Allowing keytool and friends to work in more cases if the provider >>>>>>>> is >>>>>>>> capable seems fine to me. >>>>>>>> >>>>>>>> Security team, do you have concerns about this patch? >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> -Joe >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Andrew :-) >>>>>>> >>>>>>> Free Java Software Engineer >>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>> >>>>>>> Support Free Java! >>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>> http://www.gnu.org/software/classpath >>>>>>> http://openjdk.java.net >>>>>>> >>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA ?7927 142C 2591 94EF D9D8 >>>>>> >>>>>> >>>>> Ok here is a new webrev: >>>>> >>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>> >>>>> with a slightly revised version of your change (you can't throw a >>>>> PKCS11Exception which only takes a long ID from the native code, so I >>>>> changed this to an IllegalArgumentException). >>>>> >>>>> Security team, does this look ok to push? >>>>> -- >>>>> Andrew :-) >>>>> >>>>> Free Java Software Engineer >>>>> Red Hat, Inc. (http://www.redhat.com) >>>>> >>>>> Support Free Java! >>>>> Contribute to GNU Classpath and the OpenJDK >>>>> http://www.gnu.org/software/classpath >>>>> http://openjdk.java.net >>>>> >>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA ?7927 142C 2591 94EF D9D8 >>>>> >>>> >>>> Ping! Security developers, any thoughts on this patch: >>>> >>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>> >>>> Does it look ok to push? >>>> >>>> Thanks, >> > -- Andrew :-) Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) Support Free Java! Contribute to GNU Classpath and the OpenJDK http://www.gnu.org/software/classpath http://openjdk.java.net PGP Key: 94EFD9D8 (http://subkeys.pgp.net) Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 From daniel.daugherty at sun.com Wed Jan 20 15:19:50 2010 From: daniel.daugherty at sun.com (daniel.daugherty at sun.com) Date: Wed, 20 Jan 2010 23:19:50 +0000 Subject: [security-dev 01545]: hg: jdk7/tl/jdk: 6580131: 3/4 CompiledMethodLoad events don't produce the expected extra notifications to describe inlining Message-ID: <20100120232009.5BE3B41F53@hg.openjdk.java.net> Changeset: b19cd193245e Author: dcubed Date: 2010-01-20 12:09 -0700 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/b19cd193245e 6580131: 3/4 CompiledMethodLoad events don't produce the expected extra notifications to describe inlining Summary: Add support for additional implementation specific info to the JVM/TI CompiledMethodLoad event via the compile_info parameter. Reviewed-by: never, ohair, tbell, tdeneau Contributed-by: Vasanth Venkatachalam ! make/common/shared/Sanity.gmk ! make/java/jvm/Makefile ! make/mkdemo/jvmti/Makefile ! make/mkdemo/jvmti/README.txt + make/mkdemo/jvmti/compiledMethodLoad/Makefile + src/share/demo/jvmti/compiledMethodLoad/README.txt + src/share/demo/jvmti/compiledMethodLoad/compiledMethodLoad.c + src/share/demo/jvmti/compiledMethodLoad/sample.makefile.txt ! src/share/demo/jvmti/index.html + src/share/javavm/export/jvmticmlr.h + test/demo/jvmti/compiledMethodLoad/CompiledMethodLoadTest.java ! test/demo/jvmti/heapTracker/HeapTrackerTest.java ! test/demo/jvmti/hprof/CpuTimesDefineClassTest.java ! test/demo/jvmti/hprof/CpuTimesTest.java ! test/demo/jvmti/minst/MinstTest.java ! test/demo/jvmti/mtrace/TraceJFrame.java From jonathan.gibbons at sun.com Wed Jan 20 16:13:27 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Thu, 21 Jan 2010 00:13:27 +0000 Subject: [security-dev 01546]: hg: jdk7/tl/langtools: 6918127: improve handling of TypeAnnotationPosition fields Message-ID: <20100121001329.CEC7541F61@hg.openjdk.java.net> Changeset: 0eaf89e08564 Author: jjg Date: 2010-01-20 16:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/0eaf89e08564 6918127: improve handling of TypeAnnotationPosition fields Reviewed-by: jjg, darcy Contributed-by: mali at csail.mit.edu, mernst at cs.washington.edu ! src/share/classes/com/sun/tools/classfile/ExtendedAnnotation.java ! src/share/classes/com/sun/tools/javac/code/TypeAnnotationPosition.java ! src/share/classes/com/sun/tools/javac/jvm/Code.java ! src/share/classes/com/sun/tools/javac/jvm/Gen.java From Vincent.Ryan at Sun.COM Thu Jan 21 02:12:25 2010 From: Vincent.Ryan at Sun.COM (Vincent Ryan) Date: Thu, 21 Jan 2010 10:12:25 +0000 Subject: [security-dev 01547]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <4B5805DD.8060101@primekey.se> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> <4B5805DD.8060101@primekey.se> Message-ID: <4B582889.6080903@sun.com> I hear ya. Sorry for the delay on this. I'll push the fix for OpenJDK today. On 21/01/2010 07:44, Tomas Gustavsson wrote: > > Now it has one more vote. > > /Tomas > > Andrew John Hughes wrote: >> 2010/1/20 Tomas Gustavsson : >>> I'll second this request. This is a critical patch and many production >>> installations have to live with this manually patched now. >>> >>> I know of no pkcs11 implementation that works with the current code. >>> >> >> It has four votes: >> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6763530 >> I don't know how many they need to wake up and review the patch. >> >> The new release of IcedTea6 1.7 is imminent and will include the fix >> so it should at least be resolved on the next version shipping with >> most GNU/Linux distributions. >> >>> Regards, >>> Tomas Gustavsson >>> PrimeKey Solutions AB >>> >>> >>> On Wed, 20 Jan 2010, Michael StJohns wrote: >>> >>>> Hi - this seems to have stalled out again. Any chance of revival? >>>> >>>> Mike >>>> >>>> >>>> At 12:33 PM 9/24/2009, Vincent Ryan wrote: >>>>> Hello Andrew, >>>>> >>>>> I'll need a little more time to come up to speed on this fix. I'm >>>>> concerned that >>>>> there may be interoperability or backwards compatibility issues. >>>>> >>>>> >>>>> >>>>> Andrew John Hughes wrote: >>>>>> 2009/9/2 Andrew John Hughes : >>>>>>> 2009/9/2 Michael StJohns : >>>>>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>>> ?? This appears to be related specifically to PKCS11.?? >>>>>>>>>> Specifically, PKCS11 >>>>>>>>>> v2.20 has some ambiguity of the representation of an EC point >>>>>>>>>> (which >>>>>>>>>> is >>>>>>>>>> different in the text than an ASN1 ECPoint). >>>>>>>>>> >>>>>>>>>> This is being clarified in v2.30 with the unencoded point format >>>>>>>>>> (e.g.the >>>>>>>>>> format described in?? X9.62, where the first octet indicates the >>>>>>>>>> encoding and >>>>>>>>>> there are either N or 2N octets following)?? being the expected >>>>>>>>>> value, but >>>>>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>>>>> >>>>>>>>>> One of the reasons for going that way was how the JDK PKCS11 >>>>>>>>>> provider had >>>>>>>>>> interpreted the issue and implemented its code. >>>>>>>>>> >>>>>>>>>> I don't support this fix - among other things, this fix only >>>>>>>>>> deals >>>>>>>>>> with 1/2 >>>>>>>>>> of the problem.?? The other half is related to encoding the >>>>>>>>>> value.?? Also, >>>>>>>>>> changing the code at decodePoint seems further into the stack >>>>>>>>>> than >>>>>>>>>> needed >>>>>>>>>> and may affect other uses of that method. >>>>>>>>>> >>>>>>>>> That's really too vague to be of much help in improving the patch. >>>>>>>>> You seem to be saying little more than 'I don't like it'. >>>>>>>> Sorry about that. My point was that your patch didn't completely >>>>>>>> solve the problem and that the point at where you were fixing it >>>>>>>> could have >>>>>>>> some bad side effects for anyone calling decodePoint directly. >>>>>>>> >>>>>>>> >>>>>>>>>> There's an existing JDK bug on this coming at it from a different >>>>>>>>>> direction >>>>>>>>>> - 6763530 ... and there may be considerations at >>>>>>>>>> >>>>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>>>>> >>>>>>>>> It seems likely that's the NSS change that causes the current >>>>>>>>> failure. >>>>>>>>> The fix I submitted here is based on the way this is handle in >>>>>>>>> NSS. >>>>>>>>> In fact, the code is similar enough to suggest that one was >>>>>>>>> developed >>>>>>>>> from the other. >>>>>>>>>> ?? that should be looked at. >>>>>>>>> The JDK bug is not really 'from a different direction', it's >>>>>>>>> reporting >>>>>>>>> exactly the same error but from a less trivial example (I get the >>>>>>>>> same >>>>>>>>> failure while trying to create an example key, while this seems to >>>>>>>>> require specific hardware if I'm reading it correctly). >>>>>>>> Not exactly. You're using the NSS as a PKCS11 module - this >>>>>>>> problem >>>>>>>> would occur with any PKCS11 module that implements EC stuff. >>>>>>>> >>>>>>>> >>>>>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>>>>> 6763530. >>>>>>>>>> >>>>>>>>> The patch on 6779460 seems wrong. It means that the method will >>>>>>>>> return a DER-encoded value where it would either have returned an >>>>>>>>> uncompressed value before or failed. >>>>>>>> My point exactly as I mentioned in the comments. :-) >>>>>>>> >>>>>>>> >>>>>>>>>> It's probable that the fix I suggested at 6763530?? (in comments >>>>>>>>>> submitted 29 >>>>>>>>>> Nov 08) may be a better approach given the NSS fixes.?? I >>>>>>>>>> believe >>>>>>>>>> it will fix >>>>>>>>>> the keytool problem noted in the original message. >>>>>>>>>> >>>>>>>>> Ok, I can see the logic in the fix and it would appear to work, >>>>>>>>> though >>>>>>>>> I haven't tested it. >>>>>>>>> Given the patch was written nine months ago, why has it not been >>>>>>>>> applied? If it had, it would have saved me hours having to debug >>>>>>>>> this >>>>>>>>> same issue again. >>>>>>>> Yup. I did do a search for PKCS11 related bugs when I >>>>>>>> encountered the >>>>>>>> same problem and did find the original error. >>>>>>>> >>>>>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on >>>>>>>>> your >>>>>>>>> patch and we can finally get this fixed. Without it, NSS >>>>>>>>> support is >>>>>>>>> completely broken in OpenJDK6 which makes me wonder why this is >>>>>>>>> a low >>>>>>>>> priority bug! >>>>>>>> I do have an SCA on file. Note that the recommendation from the >>>>>>>> NSS >>>>>>>> guys was to raise the priority. >>>>>>>> >>>>>>>> The reason I haven't submitted this is because I submitted a >>>>>>>> different >>>>>>>> EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per >>>>>>>> the >>>>>>>> documented process >>>>>>>> and was waiting on progress there before continuing. I've got a >>>>>>>> number of EC and PKCS11 related fixes I'd like to submit, but I >>>>>>>> was trying >>>>>>>> for a worked example before proceeding. And then I got busy >>>>>>>> with some other >>>>>>>> things... >>>>>>>> >>>>>>>> Mike >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>>> Mike >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>>>>> >>>>>>>>>> Andrew John Hughes wrote: >>>>>>>>>> >>>>>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>>>>> >>>>>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are >>>>>>>>>> available >>>>>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>>>>> >>>>>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>>>>> >>>>>>>>>> If NSS is configured as specified in this blog, keytool can be >>>>>>>>>> used >>>>>>>>>> to >>>>>>>>>> generate a key as follows: >>>>>>>>>> >>>>>>>>>> Hello. >>>>>>>>>> >>>>>>>>>> Allowing keytool and friends to work in more cases if the >>>>>>>>>> provider >>>>>>>>>> is >>>>>>>>>> capable seems fine to me. >>>>>>>>>> >>>>>>>>>> Security team, do you have concerns about this patch? >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> >>>>>>>>>> -Joe >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Andrew :-) >>>>>>>>> >>>>>>>>> Free Java Software Engineer >>>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>>> >>>>>>>>> Support Free Java! >>>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>>> http://www.gnu.org/software/classpath >>>>>>>>> http://openjdk.java.net >>>>>>>>> >>>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>>> >>>>>>> Ok here is a new webrev: >>>>>>> >>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>> >>>>>>> with a slightly revised version of your change (you can't throw a >>>>>>> PKCS11Exception which only takes a long ID from the native code, >>>>>>> so I >>>>>>> changed this to an IllegalArgumentException). >>>>>>> >>>>>>> Security team, does this look ok to push? >>>>>>> -- >>>>>>> Andrew :-) >>>>>>> >>>>>>> Free Java Software Engineer >>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>> >>>>>>> Support Free Java! >>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>> http://www.gnu.org/software/classpath >>>>>>> http://openjdk.java.net >>>>>>> >>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>> >>>>>> Ping! Security developers, any thoughts on this patch: >>>>>> >>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>> >>>>>> Does it look ok to push? >>>>>> >>>>>> Thanks, >> >> >> From tomasg at primekey.se Thu Jan 21 02:24:15 2010 From: tomasg at primekey.se (Tomas Gustavsson) Date: Thu, 21 Jan 2010 11:24:15 +0100 Subject: [security-dev 01548]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <4B582889.6080903@sun.com> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> <4B5805DD.8060101@primekey.se> <4B582889.6080903@sun.com> Message-ID: <4B582B4F.5040207@primekey.se> Wonderful! Thanks! Cheers, Tomas Vincent Ryan wrote: > I hear ya. Sorry for the delay on this. I'll push the fix for OpenJDK today. > > > On 21/01/2010 07:44, Tomas Gustavsson wrote: >> Now it has one more vote. >> >> /Tomas >> >> Andrew John Hughes wrote: >>> 2010/1/20 Tomas Gustavsson : >>>> I'll second this request. This is a critical patch and many production >>>> installations have to live with this manually patched now. >>>> >>>> I know of no pkcs11 implementation that works with the current code. >>>> >>> It has four votes: >>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6763530 >>> I don't know how many they need to wake up and review the patch. >>> >>> The new release of IcedTea6 1.7 is imminent and will include the fix >>> so it should at least be resolved on the next version shipping with >>> most GNU/Linux distributions. >>> >>>> Regards, >>>> Tomas Gustavsson >>>> PrimeKey Solutions AB >>>> >>>> >>>> On Wed, 20 Jan 2010, Michael StJohns wrote: >>>> >>>>> Hi - this seems to have stalled out again. Any chance of revival? >>>>> >>>>> Mike >>>>> >>>>> >>>>> At 12:33 PM 9/24/2009, Vincent Ryan wrote: >>>>>> Hello Andrew, >>>>>> >>>>>> I'll need a little more time to come up to speed on this fix. I'm >>>>>> concerned that >>>>>> there may be interoperability or backwards compatibility issues. >>>>>> >>>>>> >>>>>> >>>>>> Andrew John Hughes wrote: >>>>>>> 2009/9/2 Andrew John Hughes : >>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>>>> ?? This appears to be related specifically to PKCS11.?? >>>>>>>>>>> Specifically, PKCS11 >>>>>>>>>>> v2.20 has some ambiguity of the representation of an EC point >>>>>>>>>>> (which >>>>>>>>>>> is >>>>>>>>>>> different in the text than an ASN1 ECPoint). >>>>>>>>>>> >>>>>>>>>>> This is being clarified in v2.30 with the unencoded point format >>>>>>>>>>> (e.g.the >>>>>>>>>>> format described in?? X9.62, where the first octet indicates the >>>>>>>>>>> encoding and >>>>>>>>>>> there are either N or 2N octets following)?? being the expected >>>>>>>>>>> value, but >>>>>>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>>>>>> >>>>>>>>>>> One of the reasons for going that way was how the JDK PKCS11 >>>>>>>>>>> provider had >>>>>>>>>>> interpreted the issue and implemented its code. >>>>>>>>>>> >>>>>>>>>>> I don't support this fix - among other things, this fix only >>>>>>>>>>> deals >>>>>>>>>>> with 1/2 >>>>>>>>>>> of the problem.?? The other half is related to encoding the >>>>>>>>>>> value.?? Also, >>>>>>>>>>> changing the code at decodePoint seems further into the stack >>>>>>>>>>> than >>>>>>>>>>> needed >>>>>>>>>>> and may affect other uses of that method. >>>>>>>>>>> >>>>>>>>>> That's really too vague to be of much help in improving the patch. >>>>>>>>>> You seem to be saying little more than 'I don't like it'. >>>>>>>>> Sorry about that. My point was that your patch didn't completely >>>>>>>>> solve the problem and that the point at where you were fixing it >>>>>>>>> could have >>>>>>>>> some bad side effects for anyone calling decodePoint directly. >>>>>>>>> >>>>>>>>> >>>>>>>>>>> There's an existing JDK bug on this coming at it from a different >>>>>>>>>>> direction >>>>>>>>>>> - 6763530 ... and there may be considerations at >>>>>>>>>>> >>>>>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>>>>>> >>>>>>>>>> It seems likely that's the NSS change that causes the current >>>>>>>>>> failure. >>>>>>>>>> The fix I submitted here is based on the way this is handle in >>>>>>>>>> NSS. >>>>>>>>>> In fact, the code is similar enough to suggest that one was >>>>>>>>>> developed >>>>>>>>>> from the other. >>>>>>>>>>> ?? that should be looked at. >>>>>>>>>> The JDK bug is not really 'from a different direction', it's >>>>>>>>>> reporting >>>>>>>>>> exactly the same error but from a less trivial example (I get the >>>>>>>>>> same >>>>>>>>>> failure while trying to create an example key, while this seems to >>>>>>>>>> require specific hardware if I'm reading it correctly). >>>>>>>>> Not exactly. You're using the NSS as a PKCS11 module - this >>>>>>>>> problem >>>>>>>>> would occur with any PKCS11 module that implements EC stuff. >>>>>>>>> >>>>>>>>> >>>>>>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>>>>>> 6763530. >>>>>>>>>>> >>>>>>>>>> The patch on 6779460 seems wrong. It means that the method will >>>>>>>>>> return a DER-encoded value where it would either have returned an >>>>>>>>>> uncompressed value before or failed. >>>>>>>>> My point exactly as I mentioned in the comments. :-) >>>>>>>>> >>>>>>>>> >>>>>>>>>>> It's probable that the fix I suggested at 6763530?? (in comments >>>>>>>>>>> submitted 29 >>>>>>>>>>> Nov 08) may be a better approach given the NSS fixes.?? I >>>>>>>>>>> believe >>>>>>>>>>> it will fix >>>>>>>>>>> the keytool problem noted in the original message. >>>>>>>>>>> >>>>>>>>>> Ok, I can see the logic in the fix and it would appear to work, >>>>>>>>>> though >>>>>>>>>> I haven't tested it. >>>>>>>>>> Given the patch was written nine months ago, why has it not been >>>>>>>>>> applied? If it had, it would have saved me hours having to debug >>>>>>>>>> this >>>>>>>>>> same issue again. >>>>>>>>> Yup. I did do a search for PKCS11 related bugs when I >>>>>>>>> encountered the >>>>>>>>> same problem and did find the original error. >>>>>>>>> >>>>>>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on >>>>>>>>>> your >>>>>>>>>> patch and we can finally get this fixed. Without it, NSS >>>>>>>>>> support is >>>>>>>>>> completely broken in OpenJDK6 which makes me wonder why this is >>>>>>>>>> a low >>>>>>>>>> priority bug! >>>>>>>>> I do have an SCA on file. Note that the recommendation from the >>>>>>>>> NSS >>>>>>>>> guys was to raise the priority. >>>>>>>>> >>>>>>>>> The reason I haven't submitted this is because I submitted a >>>>>>>>> different >>>>>>>>> EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per >>>>>>>>> the >>>>>>>>> documented process >>>>>>>>> and was waiting on progress there before continuing. I've got a >>>>>>>>> number of EC and PKCS11 related fixes I'd like to submit, but I >>>>>>>>> was trying >>>>>>>>> for a worked example before proceeding. And then I got busy >>>>>>>>> with some other >>>>>>>>> things... >>>>>>>>> >>>>>>>>> Mike >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>>> Mike >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>>>>>> >>>>>>>>>>> Andrew John Hughes wrote: >>>>>>>>>>> >>>>>>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>>>>>> >>>>>>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are >>>>>>>>>>> available >>>>>>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>>>>>> >>>>>>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>>>>>> >>>>>>>>>>> If NSS is configured as specified in this blog, keytool can be >>>>>>>>>>> used >>>>>>>>>>> to >>>>>>>>>>> generate a key as follows: >>>>>>>>>>> >>>>>>>>>>> Hello. >>>>>>>>>>> >>>>>>>>>>> Allowing keytool and friends to work in more cases if the >>>>>>>>>>> provider >>>>>>>>>>> is >>>>>>>>>>> capable seems fine to me. >>>>>>>>>>> >>>>>>>>>>> Security team, do you have concerns about this patch? >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> >>>>>>>>>>> -Joe >>>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Andrew :-) >>>>>>>>>> >>>>>>>>>> Free Java Software Engineer >>>>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>>>> >>>>>>>>>> Support Free Java! >>>>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>>>> http://www.gnu.org/software/classpath >>>>>>>>>> http://openjdk.java.net >>>>>>>>>> >>>>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>>> Ok here is a new webrev: >>>>>>>> >>>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>>> >>>>>>>> with a slightly revised version of your change (you can't throw a >>>>>>>> PKCS11Exception which only takes a long ID from the native code, >>>>>>>> so I >>>>>>>> changed this to an IllegalArgumentException). >>>>>>>> >>>>>>>> Security team, does this look ok to push? >>>>>>>> -- >>>>>>>> Andrew :-) >>>>>>>> >>>>>>>> Free Java Software Engineer >>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>> >>>>>>>> Support Free Java! >>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>> http://www.gnu.org/software/classpath >>>>>>>> http://openjdk.java.net >>>>>>>> >>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>>> >>>>>>> Ping! Security developers, any thoughts on this patch: >>>>>>> >>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>> >>>>>>> Does it look ok to push? >>>>>>> >>>>>>> Thanks, >>> >>> From mstjohns at comcast.net Thu Jan 21 09:28:02 2010 From: mstjohns at comcast.net (Michael StJohns) Date: Thu, 21 Jan 2010 12:28:02 -0500 Subject: [security-dev 01549]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <4B582889.6080903@sun.com> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> <4B5805DD.8060101@primekey.se> <4B582889.6080903@sun.com> Message-ID: <20100121172807.8E36E6AC7@mail.openjdk.java.net> At 05:12 AM 1/21/2010, Vincent Ryan wrote: >I hear ya. Sorry for the delay on this. I'll push the fix for OpenJDK today. I don't suppose I could get a two-fer and get this one done as well? It's been sitting around for even longer. >>>>>>>>> The reason I haven't submitted this is because I submitted a >>>>>>>>> different >>>>>>>>> EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per >>>>>>>>> the Mike >On 21/01/2010 07:44, Tomas Gustavsson wrote: >> >> Now it has one more vote. >> >> /Tomas >> >> Andrew John Hughes wrote: >>> 2010/1/20 Tomas Gustavsson : >>>> I'll second this request. This is a critical patch and many production >>>> installations have to live with this manually patched now. >>>> >>>> I know of no pkcs11 implementation that works with the current code. >>>> >>> >>> It has four votes: >>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6763530 >>> I don't know how many they need to wake up and review the patch. >>> >>> The new release of IcedTea6 1.7 is imminent and will include the fix >>> so it should at least be resolved on the next version shipping with >>> most GNU/Linux distributions. >>> >>>> Regards, >>>> Tomas Gustavsson >>>> PrimeKey Solutions AB >>>> >>>> >>>> On Wed, 20 Jan 2010, Michael StJohns wrote: >>>> >>>>> Hi - this seems to have stalled out again. Any chance of revival? >>>>> >>>>> Mike >>>>> >>>>> >>>>> At 12:33 PM 9/24/2009, Vincent Ryan wrote: >>>>>> Hello Andrew, >>>>>> >>>>>> I'll need a little more time to come up to speed on this fix. I'm >>>>>> concerned that >>>>>> there may be interoperability or backwards compatibility issues. >>>>>> >>>>>> >>>>>> >>>>>> Andrew John Hughes wrote: >>>>>>> 2009/9/2 Andrew John Hughes : >>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>>>> ??? This appears to be related specifically to PKCS11.??? >? >>>>>>>>>>> Specifically, PKCS11 >>>>>>>>>>> v2.20 has some ambiguity of the representation of an EC point >>>>>>>>>>> (which >>>>>>>>>>> is >>>>>>>>>>> different in the text than an ASN1 ECPoint). >>>>>>>>>>> >>>>>>>>>>> This is being clarified in v2.30 with the unencoded point format >>>>>>>>>>> (e.g.the >>>>>>>>>>> format described in??? X9.62, where the first octet indicates the >>>>>>>>>>> encoding and >>>>>>>>>>> there are either N or 2N octets following)??? being the expected >>>>>>>>>>> value, but >>>>>>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>>>>>> >>>>>>>>>>> One of the reasons for going that way was how the JDK PKCS11 >>>>>>>>>>> provider had >>>>>>>>>>> interpreted the issue and implemented its code. >>>>>>>>>>> >>>>>>>>>>> I don't support this fix - among other things, this fix only >>>>>>>>>>> deals >>>>>>>>>>> with 1/2 >>>>>>>>>>> of the problem.??? The other half is related to encoding the >>>>>>>>>>> value.??? Also, >>>>>>>>>>> changing the code at decodePoint seems further into the stack >>>>>>>>>>> than >>>>>>>>>>> needed >>>>>>>>>>> and may affect other uses of that method. >>>>>>>>>>> >>>>>>>>>> That's really too vague to be of much help in improving the patch. >>>>>>>>>> You seem to be saying little more than 'I don't like it'. >>>>>>>>> Sorry about that. My point was that your patch didn't completely >>>>>>>>> solve the problem and that the point at where you were fixing it >>>>>>>>> could have >>>>>>>>> some bad side effects for anyone calling decodePoint directly. >>>>>>>>> >>>>>>>>> >>>>>>>>>>> There's an existing JDK bug on this coming at it from a different >>>>>>>>>>> direction >>>>>>>>>>> - 6763530 ... and there may be considerations at >>>>>>>>>>> >>>>>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>>>>>> >>>>>>>>>> It seems likely that's the NSS change that causes the current >>>>>>>>>> failure. >>>>>>>>>> The fix I submitted here is based on the way this is handle in >>>>>>>>>> NSS. >>>>>>>>>> In fact, the code is similar enough to suggest that one was >>>>>>>>>> developed >>>>>>>>>> from the other. >>>>>>>>>>> ??? that should be looked at. >>>>>>>>>> The JDK bug is not really 'from a different direction', it's >>>>>>>>>> reporting >>>>>>>>>> exactly the same error but from a less trivial example (I get the >>>>>>>>>> same >>>>>>>>>> failure while trying to create an example key, while this seems to >>>>>>>>>> require specific hardware if I'm reading it correctly). >>>>>>>>> Not exactly. You're using the NSS as a PKCS11 module - this >>>>>>>>> problem >>>>>>>>> would occur with any PKCS11 module that implements EC stuff. >>>>>>>>> >>>>>>>>> >>>>>>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>>>>>> 6763530. >>>>>>>>>>> >>>>>>>>>> The patch on 6779460 seems wrong. It means that the method will >>>>>>>>>> return a DER-encoded value where it would either have returned an >>>>>>>>>> uncompressed value before or failed. >>>>>>>>> My point exactly as I mentioned in the comments. :-) >>>>>>>>> >>>>>>>>> >>>>>>>>>>> It's probable that the fix I suggested at 6763530??? (in comments >>>>>>>>>>> submitted 29 >>>>>>>>>>> Nov 08) may be a better approach given the NSS fixes.??? I >>>>>>>>>>> believe >>>>>>>>>>> it will fix >>>>>>>>>>> the keytool problem noted in the original message. >>>>>>>>>>> >>>>>>>>>> Ok, I can see the logic in the fix and it would appear to work, >>>>>>>>>> though >>>>>>>>>> I haven't tested it. >>>>>>>>>> Given the patch was written nine months ago, why has it not been >>>>>>>>>> applied? If it had, it would have saved me hours having to debug >>>>>>>>>> this >>>>>>>>>> same issue again. >>>>>>>>> Yup. I did do a search for PKCS11 related bugs when I >>>>>>>>> encountered the >>>>>>>>> same problem and did find the original error. >>>>>>>>> >>>>>>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on >>>>>>>>>> your >>>>>>>>>> patch and we can finally get this fixed. Without it, NSS >>>>>>>>>> support is >>>>>>>>>> completely broken in OpenJDK6 which makes me wonder why this is >>>>>>>>>> a low >>>>>>>>>> priority bug! >>>>>>>>> I do have an SCA on file. Note that the recommendation from the >>>>>>>>> NSS >>>>>>>>> guys was to raise the priority. >>>>>>>>> >>>>>>>>> The reason I haven't submitted this is because I submitted a >>>>>>>>> different >>>>>>>>> EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per >>>>>>>>> the >>>>>>>>> documented process >>>>>>>>> and was waiting on progress there before continuing. I've got a >>>>>>>>> number of EC and PKCS11 related fixes I'd like to submit, but I >>>>>>>>> was trying >>>>>>>>> for a worked example before proceeding. And then I got busy >>>>>>>>> with some other >>>>>>>>> things... >>>>>>>>> >>>>>>>>> Mike >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>>> Mike >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>>>>>> >>>>>>>>>>> Andrew John Hughes wrote: >>>>>>>>>>> >>>>>>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>>>>>> >>>>>>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are >>>>>>>>>>> available >>>>>>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>>>>>> >>>>>>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>>>>>> >>>>>>>>>>> If NSS is configured as specified in this blog, keytool can be >>>>>>>>>>> used >>>>>>>>>>> to >>>>>>>>>>> generate a key as follows: >>>>>>>>>>> >>>>>>>>>>> Hello. >>>>>>>>>>> >>>>>>>>>>> Allowing keytool and friends to work in more cases if the >>>>>>>>>>> provider >>>>>>>>>>> is >>>>>>>>>>> capable seems fine to me. >>>>>>>>>>> >>>>>>>>>>> Security team, do you have concerns about this patch? >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> >>>>>>>>>>> -Joe >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Andrew :-) >>>>>>>>>> >>>>>>>>>> Free Java Software Engineer >>>>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>>>> >>>>>>>>>> Support Free Java! >>>>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>>>> http://www.gnu.org/software/classpath >>>>>>>>>> http://openjdk.java.net >>>>>>>>>> >>>>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>>>> >>>>>>>> Ok here is a new webrev: >>>>>>>> >>>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>>> >>>>>>>> with a slightly revised version of your change (you can't throw a >>>>>>>> PKCS11Exception which only takes a long ID from the native code, >>>>>>>> so I >>>>>>>> changed this to an IllegalArgumentException). >>>>>>>> >>>>>>>> Security team, does this look ok to push? >>>>>>>> -- >>>>>>>> Andrew :-) >>>>>>>> >>>>>>>> Free Java Software Engineer >>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>> >>>>>>>> Support Free Java! >>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>> http://www.gnu.org/software/classpath >>>>>>>> http://openjdk.java.net >>>>>>>> >>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>>> >>>>>>> Ping! Security developers, any thoughts on this patch: >>>>>>> >>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>> >>>>>>> Does it look ok to push? >>>>>>> >>>>>>> Thanks, >>> >>> >>> From tomasg at primekey.se Thu Jan 21 09:33:46 2010 From: tomasg at primekey.se (Tomas Gustavsson) Date: Thu, 21 Jan 2010 18:33:46 +0100 Subject: [security-dev 01550]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <20100121172807.8E36E6AC7@mail.openjdk.java.net> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> <4B5805DD.8060101@primekey.se> <4B582889.6080903@sun.com> <20100121172807.8E36E6AC7@mail.openjdk.java.net> Message-ID: <4B588FFA.8030209@primekey.se> Second that one too, that is the same as: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6738532 And I have voted for that one as well, actually I used up all my bug votes on ECC stuff. Cheers; Tomas Michael StJohns wrote: > At 05:12 AM 1/21/2010, Vincent Ryan wrote: >> I hear ya. Sorry for the delay on this. I'll push the fix for OpenJDK today. > > > I don't suppose I could get a two-fer and get this one done as well? It's been sitting around for even longer. > >>>>>>>>>> The reason I haven't submitted this is because I submitted a >>>>>>>>>> different >>>>>>>>>> EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per >>>>>>>>>> the > > Mike > > > > >> On 21/01/2010 07:44, Tomas Gustavsson wrote: >>> Now it has one more vote. >>> >>> /Tomas >>> >>> Andrew John Hughes wrote: >>>> 2010/1/20 Tomas Gustavsson : >>>>> I'll second this request. This is a critical patch and many production >>>>> installations have to live with this manually patched now. >>>>> >>>>> I know of no pkcs11 implementation that works with the current code. >>>>> >>>> It has four votes: >>>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6763530 >>>> I don't know how many they need to wake up and review the patch. >>>> >>>> The new release of IcedTea6 1.7 is imminent and will include the fix >>>> so it should at least be resolved on the next version shipping with >>>> most GNU/Linux distributions. >>>> >>>>> Regards, >>>>> Tomas Gustavsson >>>>> PrimeKey Solutions AB >>>>> >>>>> >>>>> On Wed, 20 Jan 2010, Michael StJohns wrote: >>>>> >>>>>> Hi - this seems to have stalled out again. Any chance of revival? >>>>>> >>>>>> Mike >>>>>> >>>>>> >>>>>> At 12:33 PM 9/24/2009, Vincent Ryan wrote: >>>>>>> Hello Andrew, >>>>>>> >>>>>>> I'll need a little more time to come up to speed on this fix. I'm >>>>>>> concerned that >>>>>>> there may be interoperability or backwards compatibility issues. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Andrew John Hughes wrote: >>>>>>>> 2009/9/2 Andrew John Hughes : >>>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>>>>> ??? This appears to be related specifically to PKCS11.??? >> ? >>>>>>>>>>>> Specifically, PKCS11 >>>>>>>>>>>> v2.20 has some ambiguity of the representation of an EC point >>>>>>>>>>>> (which >>>>>>>>>>>> is >>>>>>>>>>>> different in the text than an ASN1 ECPoint). >>>>>>>>>>>> >>>>>>>>>>>> This is being clarified in v2.30 with the unencoded point format >>>>>>>>>>>> (e.g.the >>>>>>>>>>>> format described in??? X9.62, where the first octet indicates the >>>>>>>>>>>> encoding and >>>>>>>>>>>> there are either N or 2N octets following)??? being the expected >>>>>>>>>>>> value, but >>>>>>>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>>>>>>> >>>>>>>>>>>> One of the reasons for going that way was how the JDK PKCS11 >>>>>>>>>>>> provider had >>>>>>>>>>>> interpreted the issue and implemented its code. >>>>>>>>>>>> >>>>>>>>>>>> I don't support this fix - among other things, this fix only >>>>>>>>>>>> deals >>>>>>>>>>>> with 1/2 >>>>>>>>>>>> of the problem.??? The other half is related to encoding the >>>>>>>>>>>> value.??? Also, >>>>>>>>>>>> changing the code at decodePoint seems further into the stack >>>>>>>>>>>> than >>>>>>>>>>>> needed >>>>>>>>>>>> and may affect other uses of that method. >>>>>>>>>>>> >>>>>>>>>>> That's really too vague to be of much help in improving the patch. >>>>>>>>>>> You seem to be saying little more than 'I don't like it'. >>>>>>>>>> Sorry about that. My point was that your patch didn't completely >>>>>>>>>> solve the problem and that the point at where you were fixing it >>>>>>>>>> could have >>>>>>>>>> some bad side effects for anyone calling decodePoint directly. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>> There's an existing JDK bug on this coming at it from a different >>>>>>>>>>>> direction >>>>>>>>>>>> - 6763530 ... and there may be considerations at >>>>>>>>>>>> >>>>>>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>>>>>>> >>>>>>>>>>> It seems likely that's the NSS change that causes the current >>>>>>>>>>> failure. >>>>>>>>>>> The fix I submitted here is based on the way this is handle in >>>>>>>>>>> NSS. >>>>>>>>>>> In fact, the code is similar enough to suggest that one was >>>>>>>>>>> developed >>>>>>>>>>> from the other. >>>>>>>>>>>> ??? that should be looked at. >>>>>>>>>>> The JDK bug is not really 'from a different direction', it's >>>>>>>>>>> reporting >>>>>>>>>>> exactly the same error but from a less trivial example (I get the >>>>>>>>>>> same >>>>>>>>>>> failure while trying to create an example key, while this seems to >>>>>>>>>>> require specific hardware if I'm reading it correctly). >>>>>>>>>> Not exactly. You're using the NSS as a PKCS11 module - this >>>>>>>>>> problem >>>>>>>>>> would occur with any PKCS11 module that implements EC stuff. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>>>>>>> 6763530. >>>>>>>>>>>> >>>>>>>>>>> The patch on 6779460 seems wrong. It means that the method will >>>>>>>>>>> return a DER-encoded value where it would either have returned an >>>>>>>>>>> uncompressed value before or failed. >>>>>>>>>> My point exactly as I mentioned in the comments. :-) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>> It's probable that the fix I suggested at 6763530??? (in comments >>>>>>>>>>>> submitted 29 >>>>>>>>>>>> Nov 08) may be a better approach given the NSS fixes.??? I >>>>>>>>>>>> believe >>>>>>>>>>>> it will fix >>>>>>>>>>>> the keytool problem noted in the original message. >>>>>>>>>>>> >>>>>>>>>>> Ok, I can see the logic in the fix and it would appear to work, >>>>>>>>>>> though >>>>>>>>>>> I haven't tested it. >>>>>>>>>>> Given the patch was written nine months ago, why has it not been >>>>>>>>>>> applied? If it had, it would have saved me hours having to debug >>>>>>>>>>> this >>>>>>>>>>> same issue again. >>>>>>>>>> Yup. I did do a search for PKCS11 related bugs when I >>>>>>>>>> encountered the >>>>>>>>>> same problem and did find the original error. >>>>>>>>>> >>>>>>>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on >>>>>>>>>>> your >>>>>>>>>>> patch and we can finally get this fixed. Without it, NSS >>>>>>>>>>> support is >>>>>>>>>>> completely broken in OpenJDK6 which makes me wonder why this is >>>>>>>>>>> a low >>>>>>>>>>> priority bug! >>>>>>>>>> I do have an SCA on file. Note that the recommendation from the >>>>>>>>>> NSS >>>>>>>>>> guys was to raise the priority. >>>>>>>>>> >>>>>>>>>> The reason I haven't submitted this is because I submitted a >>>>>>>>>> different >>>>>>>>>> EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per >>>>>>>>>> the >>>>>>>>>> documented process >>>>>>>>>> and was waiting on progress there before continuing. I've got a >>>>>>>>>> number of EC and PKCS11 related fixes I'd like to submit, but I >>>>>>>>>> was trying >>>>>>>>>> for a worked example before proceeding. And then I got busy >>>>>>>>>> with some other >>>>>>>>>> things... >>>>>>>>>> >>>>>>>>>> Mike >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>> Mike >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>>>>>>> >>>>>>>>>>>> Andrew John Hughes wrote: >>>>>>>>>>>> >>>>>>>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>>>>>>> >>>>>>>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are >>>>>>>>>>>> available >>>>>>>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>>>>>>> >>>>>>>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>>>>>>> >>>>>>>>>>>> If NSS is configured as specified in this blog, keytool can be >>>>>>>>>>>> used >>>>>>>>>>>> to >>>>>>>>>>>> generate a key as follows: >>>>>>>>>>>> >>>>>>>>>>>> Hello. >>>>>>>>>>>> >>>>>>>>>>>> Allowing keytool and friends to work in more cases if the >>>>>>>>>>>> provider >>>>>>>>>>>> is >>>>>>>>>>>> capable seems fine to me. >>>>>>>>>>>> >>>>>>>>>>>> Security team, do you have concerns about this patch? >>>>>>>>>>>> >>>>>>>>>>>> Thanks, >>>>>>>>>>>> >>>>>>>>>>>> -Joe >>>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Andrew :-) >>>>>>>>>>> >>>>>>>>>>> Free Java Software Engineer >>>>>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>>>>> >>>>>>>>>>> Support Free Java! >>>>>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>>>>> http://www.gnu.org/software/classpath >>>>>>>>>>> http://openjdk.java.net >>>>>>>>>>> >>>>>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>>>> Ok here is a new webrev: >>>>>>>>> >>>>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>>>> >>>>>>>>> with a slightly revised version of your change (you can't throw a >>>>>>>>> PKCS11Exception which only takes a long ID from the native code, >>>>>>>>> so I >>>>>>>>> changed this to an IllegalArgumentException). >>>>>>>>> >>>>>>>>> Security team, does this look ok to push? >>>>>>>>> -- >>>>>>>>> Andrew :-) >>>>>>>>> >>>>>>>>> Free Java Software Engineer >>>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>>> >>>>>>>>> Support Free Java! >>>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>>> http://www.gnu.org/software/classpath >>>>>>>>> http://openjdk.java.net >>>>>>>>> >>>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>>>> >>>>>>>> Ping! Security developers, any thoughts on this patch: >>>>>>>> >>>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>>> >>>>>>>> Does it look ok to push? >>>>>>>> >>>>>>>> Thanks, >>>> >>>> > From tomas at primekey.se Wed Jan 20 23:44:29 2010 From: tomas at primekey.se (Tomas Gustavsson) Date: Thu, 21 Jan 2010 08:44:29 +0100 Subject: [security-dev 01551]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> Message-ID: <4B5805DD.8060101@primekey.se> Now it has one more vote. /Tomas Andrew John Hughes wrote: > 2010/1/20 Tomas Gustavsson : >> I'll second this request. This is a critical patch and many production >> installations have to live with this manually patched now. >> >> I know of no pkcs11 implementation that works with the current code. >> > > It has four votes: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6763530 > I don't know how many they need to wake up and review the patch. > > The new release of IcedTea6 1.7 is imminent and will include the fix > so it should at least be resolved on the next version shipping with > most GNU/Linux distributions. > >> Regards, >> Tomas Gustavsson >> PrimeKey Solutions AB >> >> >> On Wed, 20 Jan 2010, Michael StJohns wrote: >> >>> Hi - this seems to have stalled out again. Any chance of revival? >>> >>> Mike >>> >>> >>> At 12:33 PM 9/24/2009, Vincent Ryan wrote: >>>> Hello Andrew, >>>> >>>> I'll need a little more time to come up to speed on this fix. I'm >>>> concerned that >>>> there may be interoperability or backwards compatibility issues. >>>> >>>> >>>> >>>> Andrew John Hughes wrote: >>>>> 2009/9/2 Andrew John Hughes : >>>>>> 2009/9/2 Michael StJohns : >>>>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>> ?? This appears to be related specifically to PKCS11.?? >>>>>>>>> Specifically, PKCS11 >>>>>>>>> v2.20 has some ambiguity of the representation of an EC point (which >>>>>>>>> is >>>>>>>>> different in the text than an ASN1 ECPoint). >>>>>>>>> >>>>>>>>> This is being clarified in v2.30 with the unencoded point format >>>>>>>>> (e.g.the >>>>>>>>> format described in?? X9.62, where the first octet indicates the >>>>>>>>> encoding and >>>>>>>>> there are either N or 2N octets following)?? being the expected >>>>>>>>> value, but >>>>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>>>> >>>>>>>>> One of the reasons for going that way was how the JDK PKCS11 >>>>>>>>> provider had >>>>>>>>> interpreted the issue and implemented its code. >>>>>>>>> >>>>>>>>> I don't support this fix - among other things, this fix only deals >>>>>>>>> with 1/2 >>>>>>>>> of the problem.?? The other half is related to encoding the >>>>>>>>> value.?? Also, >>>>>>>>> changing the code at decodePoint seems further into the stack than >>>>>>>>> needed >>>>>>>>> and may affect other uses of that method. >>>>>>>>> >>>>>>>> That's really too vague to be of much help in improving the patch. >>>>>>>> You seem to be saying little more than 'I don't like it'. >>>>>>> Sorry about that. My point was that your patch didn't completely >>>>>>> solve the problem and that the point at where you were fixing it could have >>>>>>> some bad side effects for anyone calling decodePoint directly. >>>>>>> >>>>>>> >>>>>>>>> There's an existing JDK bug on this coming at it from a different >>>>>>>>> direction >>>>>>>>> - 6763530 ... and there may be considerations at >>>>>>>>> >>>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>>>> >>>>>>>> It seems likely that's the NSS change that causes the current >>>>>>>> failure. >>>>>>>> The fix I submitted here is based on the way this is handle in NSS. >>>>>>>> In fact, the code is similar enough to suggest that one was developed >>>>>>>> from the other. >>>>>>>>> ?? that should be looked at. >>>>>>>> The JDK bug is not really 'from a different direction', it's >>>>>>>> reporting >>>>>>>> exactly the same error but from a less trivial example (I get the >>>>>>>> same >>>>>>>> failure while trying to create an example key, while this seems to >>>>>>>> require specific hardware if I'm reading it correctly). >>>>>>> Not exactly. You're using the NSS as a PKCS11 module - this problem >>>>>>> would occur with any PKCS11 module that implements EC stuff. >>>>>>> >>>>>>> >>>>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>>>> 6763530. >>>>>>>>> >>>>>>>> The patch on 6779460 seems wrong. It means that the method will >>>>>>>> return a DER-encoded value where it would either have returned an >>>>>>>> uncompressed value before or failed. >>>>>>> My point exactly as I mentioned in the comments. :-) >>>>>>> >>>>>>> >>>>>>>>> It's probable that the fix I suggested at 6763530?? (in comments >>>>>>>>> submitted 29 >>>>>>>>> Nov 08) may be a better approach given the NSS fixes.?? I believe >>>>>>>>> it will fix >>>>>>>>> the keytool problem noted in the original message. >>>>>>>>> >>>>>>>> Ok, I can see the logic in the fix and it would appear to work, >>>>>>>> though >>>>>>>> I haven't tested it. >>>>>>>> Given the patch was written nine months ago, why has it not been >>>>>>>> applied? If it had, it would have saved me hours having to debug >>>>>>>> this >>>>>>>> same issue again. >>>>>>> Yup. I did do a search for PKCS11 related bugs when I encountered the >>>>>>> same problem and did find the original error. >>>>>>> >>>>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on >>>>>>>> your >>>>>>>> patch and we can finally get this fixed. Without it, NSS support is >>>>>>>> completely broken in OpenJDK6 which makes me wonder why this is a low >>>>>>>> priority bug! >>>>>>> I do have an SCA on file. Note that the recommendation from the NSS >>>>>>> guys was to raise the priority. >>>>>>> >>>>>>> The reason I haven't submitted this is because I submitted a different >>>>>>> EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per the >>>>>>> documented process >>>>>>> and was waiting on progress there before continuing. I've got a >>>>>>> number of EC and PKCS11 related fixes I'd like to submit, but I was trying >>>>>>> for a worked example before proceeding. And then I got busy with some other >>>>>>> things... >>>>>>> >>>>>>> Mike >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>>> Mike >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>>>> >>>>>>>>> Andrew John Hughes wrote: >>>>>>>>> >>>>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>>>> >>>>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are >>>>>>>>> available >>>>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>>>> >>>>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>>>> >>>>>>>>> If NSS is configured as specified in this blog, keytool can be used >>>>>>>>> to >>>>>>>>> generate a key as follows: >>>>>>>>> >>>>>>>>> Hello. >>>>>>>>> >>>>>>>>> Allowing keytool and friends to work in more cases if the provider >>>>>>>>> is >>>>>>>>> capable seems fine to me. >>>>>>>>> >>>>>>>>> Security team, do you have concerns about this patch? >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> >>>>>>>>> -Joe >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Andrew :-) >>>>>>>> >>>>>>>> Free Java Software Engineer >>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>> >>>>>>>> Support Free Java! >>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>> http://www.gnu.org/software/classpath >>>>>>>> http://openjdk.java.net >>>>>>>> >>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>> >>>>>> Ok here is a new webrev: >>>>>> >>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>> >>>>>> with a slightly revised version of your change (you can't throw a >>>>>> PKCS11Exception which only takes a long ID from the native code, so I >>>>>> changed this to an IllegalArgumentException). >>>>>> >>>>>> Security team, does this look ok to push? >>>>>> -- >>>>>> Andrew :-) >>>>>> >>>>>> Free Java Software Engineer >>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>> >>>>>> Support Free Java! >>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>> http://www.gnu.org/software/classpath >>>>>> http://openjdk.java.net >>>>>> >>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>> >>>>> Ping! Security developers, any thoughts on this patch: >>>>> >>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>> >>>>> Does it look ok to push? >>>>> >>>>> Thanks, > > > From vincent.ryan at sun.com Thu Jan 21 16:01:21 2010 From: vincent.ryan at sun.com (vincent.ryan at sun.com) Date: Fri, 22 Jan 2010 00:01:21 +0000 Subject: [security-dev 01552]: hg: jdk7/tl/jdk: 2 new changesets Message-ID: <20100122000247.BA6A341483@hg.openjdk.java.net> Changeset: 117b245b5bb9 Author: vinnie Date: 2010-01-21 23:59 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/117b245b5bb9 6763530: Cannot decode PublicKey (Proider SunPKCS11, curve prime256v1) Reviewed-by: andrew ! src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java ! src/share/classes/sun/security/pkcs11/P11Key.java Changeset: c94ac5522d01 Author: vinnie Date: 2010-01-22 00:02 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/c94ac5522d01 Merge From gnu_andrew at member.fsf.org Thu Jan 21 17:38:25 2010 From: gnu_andrew at member.fsf.org (Andrew John Hughes) Date: Fri, 22 Jan 2010 01:38:25 +0000 Subject: [security-dev 01553]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <4B582889.6080903@sun.com> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> <4B5805DD.8060101@primekey.se> <4B582889.6080903@sun.com> Message-ID: <17c6771e1001211738w6137d2b8s2160e5515c43bac2@mail.gmail.com> 2010/1/21 Vincent Ryan : > I hear ya. Sorry for the delay on this. I'll push the fix for OpenJDK today. > Thanks! Would this be suitable for OpenJDK6 as well? CCing the jdk6-dev list on that. > > On 21/01/2010 07:44, Tomas Gustavsson wrote: >> >> Now it has one more vote. >> >> /Tomas >> >> Andrew John Hughes wrote: >>> 2010/1/20 Tomas Gustavsson : >>>> I'll second this request. This is a critical patch and many production >>>> installations have to live with this manually patched now. >>>> >>>> I know of no pkcs11 implementation that works with the current code. >>>> >>> >>> It has four votes: >>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6763530 >>> I don't know how many they need to wake up and review the patch. >>> >>> The new release of IcedTea6 1.7 is imminent and will include the fix >>> so it should at least be resolved on the next version shipping with >>> most GNU/Linux distributions. >>> >>>> Regards, >>>> Tomas Gustavsson >>>> PrimeKey Solutions AB >>>> >>>> >>>> On Wed, 20 Jan 2010, Michael StJohns wrote: >>>> >>>>> Hi - this seems to have stalled out again. ?Any chance of revival? >>>>> >>>>> Mike >>>>> >>>>> >>>>> At 12:33 PM 9/24/2009, Vincent Ryan wrote: >>>>>> Hello Andrew, >>>>>> >>>>>> I'll need a little more time to come up to speed on this fix. I'm >>>>>> concerned that >>>>>> there may be interoperability or backwards compatibility issues. >>>>>> >>>>>> >>>>>> >>>>>> Andrew John Hughes wrote: >>>>>>> 2009/9/2 Andrew John Hughes : >>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>>>> ?? This appears to be related specifically to PKCS11.?? >>>>>>>>>>> ?Specifically, PKCS11 >>>>>>>>>>> v2.20 has some ambiguity of the representation of an EC point >>>>>>>>>>> (which >>>>>>>>>>> is >>>>>>>>>>> different in the text than an ASN1 ECPoint). >>>>>>>>>>> >>>>>>>>>>> This is being clarified in v2.30 with the unencoded point format >>>>>>>>>>> (e.g.the >>>>>>>>>>> format described in?? ?X9.62, where the first octet indicates the >>>>>>>>>>> encoding and >>>>>>>>>>> there are either N or 2N octets following)?? ?being the expected >>>>>>>>>>> value, but >>>>>>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>>>>>> >>>>>>>>>>> One of the reasons for going that way was how the JDK PKCS11 >>>>>>>>>>> provider had >>>>>>>>>>> interpreted the issue and implemented its code. >>>>>>>>>>> >>>>>>>>>>> I don't support this fix - among other things, this fix only >>>>>>>>>>> deals >>>>>>>>>>> with 1/2 >>>>>>>>>>> of the problem.?? ?The other half is related to encoding the >>>>>>>>>>> value.?? ?Also, >>>>>>>>>>> changing the code at decodePoint seems further into the stack >>>>>>>>>>> than >>>>>>>>>>> needed >>>>>>>>>>> and may affect other uses of that method. >>>>>>>>>>> >>>>>>>>>> That's really too vague to be of much help in improving the patch. >>>>>>>>>> You seem to be saying little more than 'I don't like it'. >>>>>>>>> Sorry about that. ?My point was that your patch didn't completely >>>>>>>>> solve the problem and that the point at where you were fixing it >>>>>>>>> could have >>>>>>>>> some bad side effects for anyone calling decodePoint directly. >>>>>>>>> >>>>>>>>> >>>>>>>>>>> There's an existing JDK bug on this coming at it from a different >>>>>>>>>>> direction >>>>>>>>>>> - 6763530 ... and there may be considerations at >>>>>>>>>>> >>>>>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>>>>>> >>>>>>>>>> It seems likely that's the NSS change that causes the current >>>>>>>>>> failure. >>>>>>>>>> The fix I submitted here is based on the way this is handle in >>>>>>>>>> NSS. >>>>>>>>>> In fact, the code is similar enough to suggest that one was >>>>>>>>>> developed >>>>>>>>>> from the other. >>>>>>>>>>> ?? that should be looked at. >>>>>>>>>> The JDK bug is not really 'from a different direction', it's >>>>>>>>>> reporting >>>>>>>>>> exactly the same error but from a less trivial example (I get the >>>>>>>>>> same >>>>>>>>>> failure while trying to create an example key, while this seems to >>>>>>>>>> require specific hardware if I'm reading it correctly). >>>>>>>>> Not exactly. ?You're using the NSS as a PKCS11 module - this >>>>>>>>> problem >>>>>>>>> would occur with any PKCS11 module that implements EC stuff. >>>>>>>>> >>>>>>>>> >>>>>>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>>>>>> 6763530. >>>>>>>>>>> >>>>>>>>>> The patch on 6779460 seems wrong. ?It means that the method will >>>>>>>>>> return a DER-encoded value where it would either have returned an >>>>>>>>>> uncompressed value before or failed. >>>>>>>>> My point exactly as I mentioned in the comments. ?:-) >>>>>>>>> >>>>>>>>> >>>>>>>>>>> It's probable that the fix I suggested at 6763530?? ?(in comments >>>>>>>>>>> submitted 29 >>>>>>>>>>> Nov 08) may be a better approach given the NSS fixes.?? ?I >>>>>>>>>>> believe >>>>>>>>>>> it will fix >>>>>>>>>>> the keytool problem noted in the original message. >>>>>>>>>>> >>>>>>>>>> Ok, I can see the logic in the fix and it would appear to work, >>>>>>>>>> though >>>>>>>>>> I haven't tested it. >>>>>>>>>> Given the patch was written nine months ago, why has it not been >>>>>>>>>> applied? ?If it had, it would have saved me hours having to debug >>>>>>>>>> this >>>>>>>>>> same issue again. >>>>>>>>> Yup. ?I did do a search for PKCS11 related bugs when I >>>>>>>>> encountered the >>>>>>>>> same problem and did find the original error. >>>>>>>>> >>>>>>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on >>>>>>>>>> your >>>>>>>>>> patch and we can finally get this fixed. ?Without it, NSS >>>>>>>>>> support is >>>>>>>>>> completely broken in OpenJDK6 which makes me wonder why this is >>>>>>>>>> a low >>>>>>>>>> priority bug! >>>>>>>>> I do have an SCA on file. ?Note that the recommendation from the >>>>>>>>> NSS >>>>>>>>> guys was to raise the priority. >>>>>>>>> >>>>>>>>> The reason I haven't submitted this is because I submitted a >>>>>>>>> different >>>>>>>>> EC fix ?https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per >>>>>>>>> the >>>>>>>>> documented process >>>>>>>>> ?and was waiting on progress there before continuing. ?I've got a >>>>>>>>> number of EC and PKCS11 related fixes I'd like to submit, but I >>>>>>>>> was trying >>>>>>>>> for a worked example before proceeding. ?And then I got busy >>>>>>>>> with some other >>>>>>>>> things... >>>>>>>>> >>>>>>>>> Mike >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>>> Mike >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>>>>>> >>>>>>>>>>> Andrew John Hughes wrote: >>>>>>>>>>> >>>>>>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>>>>>> >>>>>>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are >>>>>>>>>>> available >>>>>>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>>>>>> >>>>>>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>>>>>> >>>>>>>>>>> If NSS is configured as specified in this blog, keytool can be >>>>>>>>>>> used >>>>>>>>>>> to >>>>>>>>>>> generate a key as follows: >>>>>>>>>>> >>>>>>>>>>> Hello. >>>>>>>>>>> >>>>>>>>>>> Allowing keytool and friends to work in more cases if the >>>>>>>>>>> provider >>>>>>>>>>> is >>>>>>>>>>> capable seems fine to me. >>>>>>>>>>> >>>>>>>>>>> Security team, do you have concerns about this patch? >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> >>>>>>>>>>> -Joe >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Andrew :-) >>>>>>>>>> >>>>>>>>>> Free Java Software Engineer >>>>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>>>> >>>>>>>>>> Support Free Java! >>>>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>>>> http://www.gnu.org/software/classpath >>>>>>>>>> http://openjdk.java.net >>>>>>>>>> >>>>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA ?7927 142C 2591 94EF D9D8 >>>>>>>>> >>>>>>>> Ok here is a new webrev: >>>>>>>> >>>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>>> >>>>>>>> with a slightly revised version of your change (you can't throw a >>>>>>>> PKCS11Exception which only takes a long ID from the native code, >>>>>>>> so I >>>>>>>> changed this to an IllegalArgumentException). >>>>>>>> >>>>>>>> Security team, does this look ok to push? >>>>>>>> -- >>>>>>>> Andrew :-) >>>>>>>> >>>>>>>> Free Java Software Engineer >>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>> >>>>>>>> Support Free Java! >>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>> http://www.gnu.org/software/classpath >>>>>>>> http://openjdk.java.net >>>>>>>> >>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA ?7927 142C 2591 94EF D9D8 >>>>>>>> >>>>>>> Ping! Security developers, any thoughts on this patch: >>>>>>> >>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>> >>>>>>> Does it look ok to push? >>>>>>> >>>>>>> Thanks, >>> >>> >>> > -- Andrew :-) Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) Support Free Java! Contribute to GNU Classpath and the OpenJDK http://www.gnu.org/software/classpath http://openjdk.java.net PGP Key: 94EFD9D8 (http://subkeys.pgp.net) Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 From Vincent.Ryan at Sun.COM Fri Jan 22 10:53:37 2010 From: Vincent.Ryan at Sun.COM (Vincent Ryan) Date: Fri, 22 Jan 2010 18:53:37 +0000 Subject: [security-dev 01554]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <17c6771e1001211738w6137d2b8s2160e5515c43bac2@mail.gmail.com> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> <4B5805DD.8060101@primekey.se> <4B582889.6080903@sun.com> <17c6771e1001211738w6137d2b8s2160e5515c43bac2@mail.gmail.com> Message-ID: <4B59F431.1030307@sun.com> On 22/01/2010 01:38, Andrew John Hughes wrote: > 2010/1/21 Vincent Ryan : >> I hear ya. Sorry for the delay on this. I'll push the fix for OpenJDK today. >> > > Thanks! Would this be suitable for OpenJDK6 as well? CCing the > jdk6-dev list on that. Yes. The patch should be applied to OpenJDK6 too. > >> >> On 21/01/2010 07:44, Tomas Gustavsson wrote: >>> >>> Now it has one more vote. >>> >>> /Tomas >>> >>> Andrew John Hughes wrote: >>>> 2010/1/20 Tomas Gustavsson : >>>>> I'll second this request. This is a critical patch and many production >>>>> installations have to live with this manually patched now. >>>>> >>>>> I know of no pkcs11 implementation that works with the current code. >>>>> >>>> >>>> It has four votes: >>>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6763530 >>>> I don't know how many they need to wake up and review the patch. >>>> >>>> The new release of IcedTea6 1.7 is imminent and will include the fix >>>> so it should at least be resolved on the next version shipping with >>>> most GNU/Linux distributions. >>>> >>>>> Regards, >>>>> Tomas Gustavsson >>>>> PrimeKey Solutions AB >>>>> >>>>> >>>>> On Wed, 20 Jan 2010, Michael StJohns wrote: >>>>> >>>>>> Hi - this seems to have stalled out again. Any chance of revival? >>>>>> >>>>>> Mike >>>>>> >>>>>> >>>>>> At 12:33 PM 9/24/2009, Vincent Ryan wrote: >>>>>>> Hello Andrew, >>>>>>> >>>>>>> I'll need a little more time to come up to speed on this fix. I'm >>>>>>> concerned that >>>>>>> there may be interoperability or backwards compatibility issues. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Andrew John Hughes wrote: >>>>>>>> 2009/9/2 Andrew John Hughes : >>>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>>> At 09:38 PM 9/1/2009, Andrew John Hughes wrote: >>>>>>>>>>> 2009/9/2 Michael StJohns : >>>>>>>>>>>> ?? This appears to be related specifically to PKCS11.?? >>>>>>>>>>>> Specifically, PKCS11 >>>>>>>>>>>> v2.20 has some ambiguity of the representation of an EC point >>>>>>>>>>>> (which >>>>>>>>>>>> is >>>>>>>>>>>> different in the text than an ASN1 ECPoint). >>>>>>>>>>>> >>>>>>>>>>>> This is being clarified in v2.30 with the unencoded point format >>>>>>>>>>>> (e.g.the >>>>>>>>>>>> format described in?? X9.62, where the first octet indicates the >>>>>>>>>>>> encoding and >>>>>>>>>>>> there are either N or 2N octets following)?? being the expected >>>>>>>>>>>> value, but >>>>>>>>>>>> with PKCS11 providers allowed - legacy - to accept either. >>>>>>>>>>>> >>>>>>>>>>>> One of the reasons for going that way was how the JDK PKCS11 >>>>>>>>>>>> provider had >>>>>>>>>>>> interpreted the issue and implemented its code. >>>>>>>>>>>> >>>>>>>>>>>> I don't support this fix - among other things, this fix only >>>>>>>>>>>> deals >>>>>>>>>>>> with 1/2 >>>>>>>>>>>> of the problem.?? The other half is related to encoding the >>>>>>>>>>>> value.?? Also, >>>>>>>>>>>> changing the code at decodePoint seems further into the stack >>>>>>>>>>>> than >>>>>>>>>>>> needed >>>>>>>>>>>> and may affect other uses of that method. >>>>>>>>>>>> >>>>>>>>>>> That's really too vague to be of much help in improving the patch. >>>>>>>>>>> You seem to be saying little more than 'I don't like it'. >>>>>>>>>> Sorry about that. My point was that your patch didn't completely >>>>>>>>>> solve the problem and that the point at where you were fixing it >>>>>>>>>> could have >>>>>>>>>> some bad side effects for anyone calling decodePoint directly. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>> There's an existing JDK bug on this coming at it from a different >>>>>>>>>>>> direction >>>>>>>>>>>> - 6763530 ... and there may be considerations at >>>>>>>>>>>> >>>>>>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=480280 >>>>>>>>>>>> >>>>>>>>>>> It seems likely that's the NSS change that causes the current >>>>>>>>>>> failure. >>>>>>>>>>> The fix I submitted here is based on the way this is handle in >>>>>>>>>>> NSS. >>>>>>>>>>> In fact, the code is similar enough to suggest that one was >>>>>>>>>>> developed >>>>>>>>>>> from the other. >>>>>>>>>>>> ?? that should be looked at. >>>>>>>>>>> The JDK bug is not really 'from a different direction', it's >>>>>>>>>>> reporting >>>>>>>>>>> exactly the same error but from a less trivial example (I get the >>>>>>>>>>> same >>>>>>>>>>> failure while trying to create an example key, while this seems to >>>>>>>>>>> require specific hardware if I'm reading it correctly). >>>>>>>>>> Not exactly. You're using the NSS as a PKCS11 module - this >>>>>>>>>> problem >>>>>>>>>> would occur with any PKCS11 module that implements EC stuff. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> Also see 6779460 which is mostly a duplicate of >>>>>>>>>>>> 6763530. >>>>>>>>>>>> >>>>>>>>>>> The patch on 6779460 seems wrong. It means that the method will >>>>>>>>>>> return a DER-encoded value where it would either have returned an >>>>>>>>>>> uncompressed value before or failed. >>>>>>>>>> My point exactly as I mentioned in the comments. :-) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>> It's probable that the fix I suggested at 6763530?? (in comments >>>>>>>>>>>> submitted 29 >>>>>>>>>>>> Nov 08) may be a better approach given the NSS fixes.?? I >>>>>>>>>>>> believe >>>>>>>>>>>> it will fix >>>>>>>>>>>> the keytool problem noted in the original message. >>>>>>>>>>>> >>>>>>>>>>> Ok, I can see the logic in the fix and it would appear to work, >>>>>>>>>>> though >>>>>>>>>>> I haven't tested it. >>>>>>>>>>> Given the patch was written nine months ago, why has it not been >>>>>>>>>>> applied? If it had, it would have saved me hours having to debug >>>>>>>>>>> this >>>>>>>>>>> same issue again. >>>>>>>>>> Yup. I did do a search for PKCS11 related bugs when I >>>>>>>>>> encountered the >>>>>>>>>> same problem and did find the original error. >>>>>>>>>> >>>>>>>>>>> Do you have an SCA with Sun? If so, I'll create a webrev based on >>>>>>>>>>> your >>>>>>>>>>> patch and we can finally get this fixed. Without it, NSS >>>>>>>>>>> support is >>>>>>>>>>> completely broken in OpenJDK6 which makes me wonder why this is >>>>>>>>>>> a low >>>>>>>>>>> priority bug! >>>>>>>>>> I do have an SCA on file. Note that the recommendation from the >>>>>>>>>> NSS >>>>>>>>>> guys was to raise the priority. >>>>>>>>>> >>>>>>>>>> The reason I haven't submitted this is because I submitted a >>>>>>>>>> different >>>>>>>>>> EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per >>>>>>>>>> the >>>>>>>>>> documented process >>>>>>>>>> and was waiting on progress there before continuing. I've got a >>>>>>>>>> number of EC and PKCS11 related fixes I'd like to submit, but I >>>>>>>>>> was trying >>>>>>>>>> for a worked example before proceeding. And then I got busy >>>>>>>>>> with some other >>>>>>>>>> things... >>>>>>>>>> >>>>>>>>>> Mike >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>> Mike >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> At 04:39 PM 9/1/2009, Joe Darcy wrote: >>>>>>>>>>>> >>>>>>>>>>>> Andrew John Hughes wrote: >>>>>>>>>>>> >>>>>>>>>>>> 2009/8/28 Andrew John Hughes : >>>>>>>>>>>> >>>>>>>>>>>> In OpenJDK6, the elliptic curve cryptography algorithms are >>>>>>>>>>>> available >>>>>>>>>>>> if the PKCS11 provider is configured to point to NSS. See: >>>>>>>>>>>> >>>>>>>>>>>> http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider >>>>>>>>>>>> >>>>>>>>>>>> If NSS is configured as specified in this blog, keytool can be >>>>>>>>>>>> used >>>>>>>>>>>> to >>>>>>>>>>>> generate a key as follows: >>>>>>>>>>>> >>>>>>>>>>>> Hello. >>>>>>>>>>>> >>>>>>>>>>>> Allowing keytool and friends to work in more cases if the >>>>>>>>>>>> provider >>>>>>>>>>>> is >>>>>>>>>>>> capable seems fine to me. >>>>>>>>>>>> >>>>>>>>>>>> Security team, do you have concerns about this patch? >>>>>>>>>>>> >>>>>>>>>>>> Thanks, >>>>>>>>>>>> >>>>>>>>>>>> -Joe >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Andrew :-) >>>>>>>>>>> >>>>>>>>>>> Free Java Software Engineer >>>>>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>>>>> >>>>>>>>>>> Support Free Java! >>>>>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>>>>> http://www.gnu.org/software/classpath >>>>>>>>>>> http://openjdk.java.net >>>>>>>>>>> >>>>>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>>>>> >>>>>>>>> Ok here is a new webrev: >>>>>>>>> >>>>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>>>> >>>>>>>>> with a slightly revised version of your change (you can't throw a >>>>>>>>> PKCS11Exception which only takes a long ID from the native code, >>>>>>>>> so I >>>>>>>>> changed this to an IllegalArgumentException). >>>>>>>>> >>>>>>>>> Security team, does this look ok to push? >>>>>>>>> -- >>>>>>>>> Andrew :-) >>>>>>>>> >>>>>>>>> Free Java Software Engineer >>>>>>>>> Red Hat, Inc. (http://www.redhat.com) >>>>>>>>> >>>>>>>>> Support Free Java! >>>>>>>>> Contribute to GNU Classpath and the OpenJDK >>>>>>>>> http://www.gnu.org/software/classpath >>>>>>>>> http://openjdk.java.net >>>>>>>>> >>>>>>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net) >>>>>>>>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 >>>>>>>>> >>>>>>>> Ping! Security developers, any thoughts on this patch: >>>>>>>> >>>>>>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/ >>>>>>>> >>>>>>>> Does it look ok to push? >>>>>>>> >>>>>>>> Thanks, >>>> >>>> >>>> >> > > > From Joe.Darcy at Sun.COM Fri Jan 22 11:04:04 2010 From: Joe.Darcy at Sun.COM (Joseph D. Darcy) Date: Fri, 22 Jan 2010 11:04:04 -0800 Subject: [security-dev 01555]: Re: PING: [PATCH FOR REVIEW]: 6763530: Fix breakage of NSS-based Elliptic Curve Cryptography in OpenJDK6 In-Reply-To: <4B59F431.1030307@sun.com> References: <17c6771e0909220318l4cdecc25v54844e73c7916708@mail.gmail.com> <4ABBAD55.7070206@sun.com> <20100120180532.909D064A2@mail.openjdk.java.net> <17c6771e1001201416m4d44ab72o58bf51ffd453827a@mail.gmail.com> <4B5805DD.8060101@primekey.se> <4B582889.6080903@sun.com> <17c6771e1001211738w6137d2b8s2160e5515c43bac2@mail.gmail.com> <4B59F431.1030307@sun.com> Message-ID: <4B59F6A4.4000405@sun.com> Vincent Ryan wrote: > On 22/01/2010 01:38, Andrew John Hughes wrote: > >> 2010/1/21 Vincent Ryan : >> >>> I hear ya. Sorry for the delay on this. I'll push the fix for OpenJDK today. >>> >>> >> Thanks! Would this be suitable for OpenJDK6 as well? CCing the >> jdk6-dev list on that. >> > > > Yes. The patch should be applied to OpenJDK6 too. > > I hereby authorize you do push the fix to OpenJDK 6 too :-) Repositories are under http://hg.openjdk.java.net/jdk6/jdk6/ -Joe From Weijun.Wang at Sun.COM Sun Jan 24 21:07:11 2010 From: Weijun.Wang at Sun.COM (Max (Weijun) Wang) Date: Mon, 25 Jan 2010 13:07:11 +0800 Subject: [security-dev 01556]: Code review request: 6919610 KeyTabInputStream uses static field for per-instance value In-Reply-To: <9575056.1264395098164.JavaMail.sbladm@swsblss3-new> References: <9575056.1264395098164.JavaMail.sbladm@swsblss3-new> Message-ID: Hi All Please take a review at -- http://cr.openjdk.java.net/~weijun/6919610/webrev.00 Bug description follows. Thanks Max > *Change Request ID*: 6919610 > > *Synopsis*: KeyTabInputStream uses static field for per-instance value > > Product: java > Category: jgss > Subcategory: krb5plugin > Type: Defect > Priority: 3-Medium > > === *Description* > ============================================================ > This is a bug in the internal sun.security.krb5.internal.ktab package. > > KrbTabInputStream#readEntry(length,kvno) reads length of bytes into > a KeyTabEntry. A variable "index" is used to store how many bytes > are left unread to determine if there are enough (or more) for this > entry. The variable should be per-read or at least per-instance > (since a KrbTabInputStream should be read sequentially and thus not > multi-thread enabled). However, it's per-class (static) now. > > This means when multiple threads are calling the method at the same > time (for example, both refreshing a keytab), the value might be > modified by another thread during the execution of the method. If it > goes bigger, a false skip() will be called, otherwise, it triggers a > keytab corruption error. Both lead to the keytab singleton object to > be null. > > *** (#1 of 1): 2010-01-25 04:36:30 GMT+00:00 weijun.wang at sun.com From Sean.Mullan at Sun.COM Mon Jan 25 07:13:38 2010 From: Sean.Mullan at Sun.COM (Sean Mullan) Date: Mon, 25 Jan 2010 10:13:38 -0500 Subject: [security-dev 01557]: Re: Code review request: 6919610 KeyTabInputStream uses static field for per-instance value In-Reply-To: References: <9575056.1264395098164.JavaMail.sbladm@swsblss3-new> Message-ID: <4B5DB522.2010603@sun.com> Looks fine to me. --Sean Max (Weijun) Wang wrote: > Hi All > > Please take a review at -- > > http://cr.openjdk.java.net/~weijun/6919610/webrev.00 > > Bug description follows. > > Thanks > Max > > >> *Change Request ID*: 6919610 >> >> *Synopsis*: KeyTabInputStream uses static field for per-instance value >> >> Product: java >> Category: jgss >> Subcategory: krb5plugin >> Type: Defect >> Priority: 3-Medium >> >> === *Description* >> ============================================================ >> This is a bug in the internal sun.security.krb5.internal.ktab package. >> >> KrbTabInputStream#readEntry(length,kvno) reads length of bytes into a >> KeyTabEntry. A variable "index" is used to store how many bytes are >> left unread to determine if there are enough (or more) for this entry. >> The variable should be per-read or at least per-instance (since a >> KrbTabInputStream should be read sequentially and thus not >> multi-thread enabled). However, it's per-class (static) now. >> >> This means when multiple threads are calling the method at the same >> time (for example, both refreshing a keytab), the value might be >> modified by another thread during the execution of the method. If it >> goes bigger, a false skip() will be called, otherwise, it triggers a >> keytab corruption error. Both lead to the keytab singleton object to >> be null. >> >> *** (#1 of 1): 2010-01-25 04:36:30 GMT+00:00 weijun.wang at sun.com > From christopher.hegarty at sun.com Mon Jan 25 07:43:28 2010 From: christopher.hegarty at sun.com (christopher.hegarty at sun.com) Date: Mon, 25 Jan 2010 15:43:28 +0000 Subject: [security-dev 01558]: hg: jdk7/tl/jdk: 6707289: InterfaceAddress.getNetworkPrefixLength() does not conform to Javadoc Message-ID: <20100125154347.4C6CE41A8B@hg.openjdk.java.net> Changeset: e67bf9abc6a5 Author: chegar Date: 2010-01-25 15:41 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/e67bf9abc6a5 6707289: InterfaceAddress.getNetworkPrefixLength() does not conform to Javadoc Reviewed-by: michaelm ! src/windows/native/java/net/NetworkInterface_winXP.c + test/java/net/InterfaceAddress/NetworkPrefixLength.java From weijun.wang at sun.com Tue Jan 26 01:05:00 2010 From: weijun.wang at sun.com (weijun.wang at sun.com) Date: Tue, 26 Jan 2010 09:05:00 +0000 Subject: [security-dev 01559]: hg: jdk7/tl/jdk: 6919610: KeyTabInputStream uses static field for per-instance value Message-ID: <20100126090519.87BF541BA7@hg.openjdk.java.net> Changeset: 558f2a424bfa Author: weijun Date: 2010-01-26 17:03 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/558f2a424bfa 6919610: KeyTabInputStream uses static field for per-instance value Reviewed-by: mullan ! src/share/classes/sun/security/krb5/internal/ktab/KeyTabInputStream.java + test/sun/security/krb5/ktab/KeyTabIndex.java From jean-christophe.collet at sun.com Tue Jan 26 02:44:29 2010 From: jean-christophe.collet at sun.com (jean-christophe.collet at sun.com) Date: Tue, 26 Jan 2010 10:44:29 +0000 Subject: [security-dev 01560]: hg: jdk7/tl/jdk: 6919185: test/closed/sun/net/ftp/FtpTests fails to compile Message-ID: <20100126104532.DBD6541BC2@hg.openjdk.java.net> Changeset: f544825d0976 Author: jccollet Date: 2010-01-26 11:39 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/f544825d0976 6919185: test/closed/sun/net/ftp/FtpTests fails to compile Summary: Fixed a couple of regressions in FtpClient and updated the test. Reviewed-by: chegar ! src/share/classes/sun/net/ftp/impl/FtpClient.java From jonathan.gibbons at sun.com Tue Jan 26 11:16:57 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Tue, 26 Jan 2010 19:16:57 +0000 Subject: [security-dev 01561]: hg: jdk7/tl/langtools: 6919944: incorrect position given for duplicate annotation value error Message-ID: <20100126191701.B537541C4C@hg.openjdk.java.net> Changeset: da0e3e2dd3ef Author: jjg Date: 2010-01-26 11:15 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/da0e3e2dd3ef 6919944: incorrect position given for duplicate annotation value error Reviewed-by: darcy ! src/share/classes/com/sun/tools/javac/comp/Check.java ! test/tools/javac/typeAnnotations/failures/common/arrayclass/DuplicateAnnotationValue.java ! test/tools/javac/typeAnnotations/failures/common/arrayclass/DuplicateAnnotationValue.out ! test/tools/javac/typeAnnotations/failures/common/arrays/DuplicateAnnotationValue.java ! test/tools/javac/typeAnnotations/failures/common/arrays/DuplicateAnnotationValue.out ! test/tools/javac/typeAnnotations/failures/common/innertypeparams/DuplicateAnnotationValue.java ! test/tools/javac/typeAnnotations/failures/common/innertypeparams/DuplicateAnnotationValue.out ! test/tools/javac/typeAnnotations/failures/common/newarray/DuplicateAnnotationValue.java ! test/tools/javac/typeAnnotations/failures/common/newarray/DuplicateAnnotationValue.out ! test/tools/javac/typeAnnotations/failures/common/parambounds/DuplicateAnnotationValue.java ! test/tools/javac/typeAnnotations/failures/common/parambounds/DuplicateAnnotationValue.out ! test/tools/javac/typeAnnotations/failures/common/receiver/DuplicateAnnotationValue.java ! test/tools/javac/typeAnnotations/failures/common/receiver/DuplicateAnnotationValue.out ! test/tools/javac/typeAnnotations/failures/common/typeArgs/DuplicateAnnotationValue.java ! test/tools/javac/typeAnnotations/failures/common/typeArgs/DuplicateAnnotationValue.out ! test/tools/javac/typeAnnotations/failures/common/typeparams/DuplicateAnnotationValue.java ! test/tools/javac/typeAnnotations/failures/common/typeparams/DuplicateAnnotationValue.out ! test/tools/javac/typeAnnotations/failures/common/wildcards/DuplicateAnnotationValue.java ! test/tools/javac/typeAnnotations/failures/common/wildcards/DuplicateAnnotationValue.out From jonathan.gibbons at sun.com Tue Jan 26 11:25:05 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Tue, 26 Jan 2010 19:25:05 +0000 Subject: [security-dev 01562]: hg: jdk7/tl/langtools: 6917130: should test that annotations that have been optimized away are not emitted to classfile Message-ID: <20100126192512.0E31841C51@hg.openjdk.java.net> Changeset: 59167312ed4e Author: jjg Date: 2010-01-26 11:23 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/59167312ed4e 6917130: should test that annotations that have been optimized away are not emitted to classfile Reviewed-by: jjg, darcy Contributed-by: mali at csail.mit.edu, mernst at cs.washington.edu + test/tools/javac/typeAnnotations/classfile/DeadCode.java From Bradford.Wetmore at Sun.COM Tue Jan 26 12:15:52 2010 From: Bradford.Wetmore at Sun.COM (Brad Wetmore) Date: Tue, 26 Jan 2010 12:15:52 -0800 Subject: [security-dev 01563]: Subject lines in security-dev. Message-ID: <4B5F4D78.9000700@sun.com> Looking for opinions as to whether the current subject line format of the security-dev at o.j.n emails is useful: Subject: [security-dev 01800]: The Real subject. I note a lot of the client (e.g. sounds, swing) lists have just the list name, and a lot of the server lists (e.g. tl, hotspot) don't have either. security-dev is the only one doing both the list name and the message number. It's not as useful as I originally thought when I configured it, but I could be talked into it either way. If you have an opinion, especially for keeping it the same, let me know privately, no need to clutter everyone's email. But I'm thinking I may just remove the topic/number. If I see a clear/obvious preference for keeping one or both, I'll certainly take that into consideration. Thanks, Brad security-dev admin From Xuelei.Fan at Sun.COM Tue Jan 26 20:27:26 2010 From: Xuelei.Fan at Sun.COM (Xuelei Fan) Date: Wed, 27 Jan 2010 12:27:26 +0800 Subject: [security-dev 01564]: Re: Code review request: 6919610 KeyTabInputStream uses static field for per-instance value In-Reply-To: References: <9575056.1264395098164.JavaMail.sbladm@swsblss3-new> Message-ID: <4B5FC0AE.9000004@Sun.COM> Looks fine to me. Xuelei On 1/25/2010 1:07 PM, Max (Weijun) Wang wrote: > Hi All > > Please take a review at -- > > http://cr.openjdk.java.net/~weijun/6919610/webrev.00 > > Bug description follows. > > Thanks > Max > > >> *Change Request ID*: 6919610 >> >> *Synopsis*: KeyTabInputStream uses static field for per-instance value >> >> Product: java >> Category: jgss >> Subcategory: krb5plugin >> Type: Defect >> Priority: 3-Medium >> >> === *Description* >> ============================================================ >> This is a bug in the internal sun.security.krb5.internal.ktab package. >> >> KrbTabInputStream#readEntry(length,kvno) reads length of bytes into a >> KeyTabEntry. A variable "index" is used to store how many bytes are >> left unread to determine if there are enough (or more) for this >> entry. The variable should be per-read or at least per-instance >> (since a KrbTabInputStream should be read sequentially and thus not >> multi-thread enabled). However, it's per-class (static) now. >> >> This means when multiple threads are calling the method at the same >> time (for example, both refreshing a keytab), the value might be >> modified by another thread during the execution of the method. If it >> goes bigger, a false skip() will be called, otherwise, it triggers a >> keytab corruption error. Both lead to the keytab singleton object to >> be null. >> >> *** (#1 of 1): 2010-01-25 04:36:30 GMT+00:00 weijun.wang at sun.com > From christopher.hegarty at sun.com Wed Jan 27 08:29:18 2010 From: christopher.hegarty at sun.com (christopher.hegarty at sun.com) Date: Wed, 27 Jan 2010 16:29:18 +0000 Subject: [security-dev 01565]: hg: jdk7/tl/jdk: 6905552: libnet/nio portability issues Message-ID: <20100127163008.0B6E041DB1@hg.openjdk.java.net> Changeset: 8df0ffac7f4d Author: chegar Date: 2010-01-27 16:11 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/8df0ffac7f4d 6905552: libnet/nio portability issues Reviewed-by: alanb ! src/share/native/java/net/net_util.c ! src/solaris/native/java/net/Inet4AddressImpl.c ! src/solaris/native/java/net/Inet6AddressImpl.c ! src/solaris/native/java/net/NetworkInterface.c ! src/solaris/native/java/net/PlainDatagramSocketImpl.c ! src/solaris/native/java/net/net_util_md.c ! src/solaris/native/java/net/net_util_md.h ! src/solaris/native/sun/net/spi/SdpProvider.c ! src/solaris/native/sun/nio/ch/Net.c ! src/solaris/native/sun/nio/ch/SctpNet.c From ptisnovs at redhat.com Wed Jan 27 08:48:35 2010 From: ptisnovs at redhat.com (ptisnovs at redhat.com) Date: Wed, 27 Jan 2010 16:48:35 +0000 Subject: [security-dev 01566]: hg: jdk7/tl/jdk: 6920143: test/java/awt/TestArea/UsingWithMouse.java needs realSync() Message-ID: <20100127164854.6255941DBA@hg.openjdk.java.net> Changeset: 4192f6edbbf4 Author: ptisnovs Date: 2010-01-27 17:47 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/4192f6edbbf4 6920143: test/java/awt/TestArea/UsingWithMouse.java needs realSync() Summary: Added small delay to make sure that TextArea animation have finished Reviewed-by: anthony ! test/java/awt/TextArea/UsingWithMouse/SelectionAutoscrollTest.java From lana.steuck at sun.com Wed Jan 27 18:48:34 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Thu, 28 Jan 2010 02:48:34 +0000 Subject: [security-dev 01567]: hg: jdk7/tl: 3 new changesets Message-ID: <20100128024834.7ABE641E5A@hg.openjdk.java.net> Changeset: 432cbbdc44bc Author: andrew Date: 2010-01-07 23:17 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/rev/432cbbdc44bc 6914986: Make sure openjdk doc generation not turned off with JDK_UPDATE_VERSION Summary: Only turn off documentation for updates when not building OpenJDK Reviewed-by: ohair ! make/Defs-internal.gmk Changeset: a3242906c774 Author: mikejwre Date: 2010-01-20 17:09 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/rev/a3242906c774 Merge Changeset: 8403096d1fe7 Author: mikejwre Date: 2010-01-21 11:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/rev/8403096d1fe7 Added tag jdk7-b80 for changeset a3242906c774 ! .hgtags From lana.steuck at sun.com Wed Jan 27 18:48:42 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Thu, 28 Jan 2010 02:48:42 +0000 Subject: [security-dev 01568]: hg: jdk7/tl/corba: 3 new changesets Message-ID: <20100128024847.A2F4141E5B@hg.openjdk.java.net> Changeset: d4c077d44a64 Author: andrew Date: 2010-01-16 01:04 +0000 URL: http://hg.openjdk.java.net/jdk7/tl/corba/rev/d4c077d44a64 6917485: Corba doc warnings Summary: Fix warnings generated by javadoc Reviewed-by: darcy ! src/share/classes/com/sun/tools/corba/se/idl/constExpr/Expression.java ! src/share/classes/javax/rmi/PortableRemoteObject.java ! src/share/classes/org/omg/CORBA/SetOverrideType.java ! src/share/classes/org/omg/CORBA/TCKind.java ! src/share/classes/org/omg/CORBA/UnknownUserException.java ! src/share/classes/org/omg/CORBA/portable/ServantObject.java ! src/share/classes/org/omg/CosNaming/nameservice.idl ! src/share/classes/org/omg/PortableInterceptor/Interceptors.idl Changeset: 0336e70ca0ae Author: mikejwre Date: 2010-01-20 17:09 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/corba/rev/0336e70ca0ae Merge Changeset: e08a42a2a94d Author: mikejwre Date: 2010-01-21 11:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/corba/rev/e08a42a2a94d Added tag jdk7-b80 for changeset 0336e70ca0ae ! .hgtags From lana.steuck at sun.com Wed Jan 27 18:51:16 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Thu, 28 Jan 2010 02:51:16 +0000 Subject: [security-dev 01569]: hg: jdk7/tl/hotspot: 34 new changesets Message-ID: <20100128025307.314BA41E5D@hg.openjdk.java.net> Changeset: 40e7c1d24e4a Author: twisti Date: 2010-01-04 00:22 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/40e7c1d24e4a 6909153: Fix broken options on Zero Summary: Smaller fixes to ensure that Zero still works with non-standard options. Reviewed-by: twisti Contributed-by: Gary Benson ! src/share/vm/compiler/compileBroker.cpp ! src/share/vm/runtime/arguments.cpp Changeset: 896da934748c Author: twisti Date: 2010-01-04 03:34 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/896da934748c 6913869: Zero assert fix Summary: Zero currently won't build on zSeries or PowerPC machines with assertions turned on. Reviewed-by: twisti Contributed-by: Gary Benson ! src/share/vm/prims/jni.cpp Changeset: aa62b9388fce Author: twisti Date: 2010-01-04 15:52 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/aa62b9388fce 6894206: JVM needs a way to traverse method handle structures Summary: We need a way to walk chained method handles in the JVM to call the right methods and to generate required bytecode adapters for the compilers. Reviewed-by: kvn ! src/cpu/x86/vm/methodHandles_x86.cpp ! src/share/vm/classfile/javaClasses.cpp ! src/share/vm/classfile/javaClasses.hpp ! src/share/vm/classfile/vmSymbols.cpp ! src/share/vm/classfile/vmSymbols.hpp ! src/share/vm/includeDB_core + src/share/vm/prims/methodHandleWalk.cpp + src/share/vm/prims/methodHandleWalk.hpp Changeset: 0910903272e5 Author: twisti Date: 2010-01-04 07:04 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/0910903272e5 Merge Changeset: e66fd840cb6b Author: twisti Date: 2010-01-04 18:38 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/e66fd840cb6b 6893081: method handle & invokedynamic code needs additional cleanup (post 6815692, 6858164) Summary: During the work for 6829187 we have fixed a number of basic bugs which are logically grouped with 6815692 and 6858164 but which must be reviewed and pushed separately. Reviewed-by: kvn, never ! src/cpu/x86/vm/frame_x86.cpp ! src/cpu/x86/vm/methodHandles_x86.cpp ! src/cpu/x86/vm/runtime_x86_32.cpp ! src/cpu/x86/vm/sharedRuntime_x86_64.cpp ! src/cpu/x86/vm/templateInterpreter_x86_32.cpp ! src/cpu/x86/vm/templateInterpreter_x86_64.cpp ! src/share/vm/c1/c1_IR.hpp ! src/share/vm/ci/ciStreams.cpp ! src/share/vm/classfile/javaClasses.hpp ! src/share/vm/classfile/systemDictionary.cpp ! src/share/vm/classfile/systemDictionary.hpp ! src/share/vm/classfile/vmSymbols.hpp ! src/share/vm/code/codeBlob.hpp ! src/share/vm/code/debugInfoRec.cpp ! src/share/vm/code/debugInfoRec.hpp ! src/share/vm/code/nmethod.cpp ! src/share/vm/code/nmethod.hpp ! src/share/vm/code/pcDesc.hpp ! src/share/vm/compiler/methodLiveness.cpp ! src/share/vm/interpreter/bytecode.cpp ! src/share/vm/interpreter/bytecode.hpp ! src/share/vm/interpreter/bytecodes.cpp ! src/share/vm/interpreter/interpreter.cpp ! src/share/vm/interpreter/linkResolver.cpp ! src/share/vm/interpreter/linkResolver.hpp ! src/share/vm/opto/doCall.cpp ! src/share/vm/opto/output.cpp ! src/share/vm/opto/runtime.cpp ! src/share/vm/runtime/arguments.cpp ! src/share/vm/runtime/sharedRuntime.cpp ! src/share/vm/runtime/thread.cpp ! src/share/vm/runtime/thread.hpp Changeset: 4b84186a8248 Author: kvn Date: 2010-01-04 15:21 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/4b84186a8248 6913075: EA identifies escape state incorrectly after 6895383 fix Summary: EA incorrectly identifies escape state of an allocation passed as call argument. Reviewed-by: never ! src/share/vm/opto/escape.cpp Changeset: 97125851f396 Author: twisti Date: 2010-01-05 13:05 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/97125851f396 6829187: compiler optimizations required for JSR 292 Summary: C2 implementation for invokedynamic support. Reviewed-by: kvn, never ! src/cpu/sparc/vm/sparc.ad ! src/cpu/x86/vm/frame_x86.inline.hpp ! src/cpu/x86/vm/x86_32.ad ! src/cpu/x86/vm/x86_64.ad + src/share/vm/ci/ciCPCache.cpp + src/share/vm/ci/ciCPCache.hpp ! src/share/vm/ci/ciClassList.hpp ! src/share/vm/ci/ciEnv.cpp ! src/share/vm/ci/ciEnv.hpp ! src/share/vm/ci/ciMethod.cpp ! src/share/vm/ci/ciMethod.hpp ! src/share/vm/ci/ciObject.hpp ! src/share/vm/ci/ciObjectFactory.cpp ! src/share/vm/ci/ciStreams.cpp ! src/share/vm/ci/ciStreams.hpp ! src/share/vm/ci/ciTypeFlow.cpp ! src/share/vm/includeDB_compiler2 ! src/share/vm/includeDB_core ! src/share/vm/opto/bytecodeInfo.cpp ! src/share/vm/opto/callGenerator.cpp ! src/share/vm/opto/callGenerator.hpp ! src/share/vm/opto/callnode.hpp ! src/share/vm/opto/doCall.cpp ! src/share/vm/opto/graphKit.cpp ! src/share/vm/opto/lcm.cpp ! src/share/vm/opto/machnode.cpp ! src/share/vm/opto/machnode.hpp ! src/share/vm/opto/matcher.cpp ! src/share/vm/opto/matcher.hpp ! src/share/vm/opto/output.cpp ! src/share/vm/opto/type.cpp Changeset: dd57230ba8fe Author: twisti Date: 2010-01-05 15:21 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/dd57230ba8fe 6893268: additional dynamic language related optimizations in C2 Summary: C2 needs some additional optimizations to be able to handle MethodHandle invokes and invokedynamic instructions at the best performance. Reviewed-by: kvn, never ! src/share/vm/ci/ciCPCache.cpp + src/share/vm/ci/ciCallSite.cpp + src/share/vm/ci/ciCallSite.hpp ! src/share/vm/ci/ciClassList.hpp ! src/share/vm/ci/ciEnv.cpp ! src/share/vm/ci/ciEnv.hpp ! src/share/vm/ci/ciExceptionHandler.cpp ! src/share/vm/ci/ciField.cpp ! src/share/vm/ci/ciField.hpp ! src/share/vm/ci/ciInstanceKlass.cpp ! src/share/vm/ci/ciInstanceKlass.hpp ! src/share/vm/ci/ciKlass.cpp ! src/share/vm/ci/ciKlass.hpp ! src/share/vm/ci/ciMethod.hpp + src/share/vm/ci/ciMethodHandle.cpp + src/share/vm/ci/ciMethodHandle.hpp ! src/share/vm/ci/ciObject.hpp ! src/share/vm/ci/ciObjectFactory.cpp ! src/share/vm/ci/ciStreams.cpp ! src/share/vm/ci/ciStreams.hpp ! src/share/vm/ci/ciSymbol.cpp ! src/share/vm/ci/ciSymbol.hpp ! src/share/vm/classfile/classFileParser.cpp ! src/share/vm/classfile/vmSymbols.cpp ! src/share/vm/classfile/vmSymbols.hpp ! src/share/vm/code/nmethod.cpp ! src/share/vm/includeDB_compiler2 ! src/share/vm/includeDB_core ! src/share/vm/interpreter/bytecode.hpp ! src/share/vm/interpreter/bytecodeTracer.cpp ! src/share/vm/interpreter/interpreterRuntime.cpp ! src/share/vm/interpreter/rewriter.cpp ! src/share/vm/interpreter/rewriter.hpp ! src/share/vm/oops/constMethodOop.hpp ! src/share/vm/oops/constantPoolOop.hpp ! src/share/vm/oops/generateOopMap.cpp ! src/share/vm/oops/methodOop.hpp ! src/share/vm/oops/symbolOop.cpp ! src/share/vm/oops/symbolOop.hpp ! src/share/vm/opto/bytecodeInfo.cpp ! src/share/vm/opto/callGenerator.cpp ! src/share/vm/opto/callGenerator.hpp ! src/share/vm/opto/doCall.cpp ! src/share/vm/opto/parse3.cpp ! src/share/vm/prims/methodHandleWalk.cpp ! src/share/vm/prims/methodHandleWalk.hpp ! src/share/vm/prims/methodHandles.cpp ! src/share/vm/runtime/frame.cpp ! src/share/vm/runtime/frame.hpp ! src/share/vm/runtime/sharedRuntime.cpp ! src/share/vm/runtime/sharedRuntime.hpp ! src/share/vm/utilities/constantTag.hpp Changeset: b6f06e395428 Author: never Date: 2010-01-05 11:14 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/b6f06e395428 6908267: Zero fails to unlock synchronized native methods on exception Reviewed-by: never Contributed-by: Gary Benson ! src/cpu/zero/vm/cppInterpreter_zero.cpp Changeset: 1f6d42899c3a Author: never Date: 2010-01-05 11:16 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/1f6d42899c3a Merge Changeset: b1f619d38249 Author: never Date: 2010-01-05 16:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/b1f619d38249 6914002: unsigned compare problem after 5057818 Reviewed-by: kvn, twisti ! src/share/vm/code/nmethod.cpp ! src/share/vm/code/nmethod.hpp Changeset: 4ce7240d622c Author: never Date: 2010-01-06 14:22 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/4ce7240d622c 6914300: ciEnv should export all well known classes Reviewed-by: kvn, twisti ! agent/src/share/classes/sun/jvm/hotspot/memory/SystemDictionary.java ! src/share/vm/c1/c1_Runtime1.cpp ! src/share/vm/ci/ciEnv.cpp ! src/share/vm/ci/ciEnv.hpp ! src/share/vm/ci/ciField.cpp ! src/share/vm/ci/ciInstance.cpp ! src/share/vm/ci/ciInstanceKlass.cpp ! src/share/vm/ci/ciObjectFactory.cpp ! src/share/vm/ci/ciType.cpp ! src/share/vm/ci/ciUtilities.hpp ! src/share/vm/classfile/classFileParser.cpp ! src/share/vm/classfile/classLoader.cpp ! src/share/vm/classfile/javaAssertions.cpp ! src/share/vm/classfile/javaClasses.cpp ! src/share/vm/classfile/javaClasses.hpp ! src/share/vm/classfile/systemDictionary.cpp ! src/share/vm/classfile/systemDictionary.hpp ! src/share/vm/classfile/verifier.cpp ! src/share/vm/gc_interface/collectedHeap.cpp ! src/share/vm/interpreter/interpreterRuntime.cpp ! src/share/vm/interpreter/linkResolver.cpp ! src/share/vm/memory/classify.cpp ! src/share/vm/memory/dump.cpp ! src/share/vm/memory/referenceProcessor.cpp ! src/share/vm/memory/space.cpp ! src/share/vm/memory/universe.cpp ! src/share/vm/oops/arrayKlass.cpp ! src/share/vm/oops/arrayKlass.hpp ! src/share/vm/oops/constantPoolOop.cpp ! src/share/vm/oops/instanceKlass.cpp ! src/share/vm/oops/instanceRefKlass.cpp ! src/share/vm/oops/klass.cpp ! src/share/vm/oops/methodOop.cpp ! src/share/vm/oops/objArrayKlass.cpp ! src/share/vm/oops/objArrayKlassKlass.cpp ! src/share/vm/opto/runtime.cpp ! src/share/vm/prims/jni.cpp ! src/share/vm/prims/jniCheck.cpp ! src/share/vm/prims/jvm.cpp ! src/share/vm/prims/jvmtiEnter.xsl ! src/share/vm/prims/jvmtiEnv.cpp ! src/share/vm/prims/jvmtiEnvBase.cpp ! src/share/vm/prims/jvmtiExport.cpp ! src/share/vm/prims/jvmtiRedefineClasses.cpp ! src/share/vm/prims/jvmtiTagMap.cpp ! src/share/vm/prims/methodHandleWalk.cpp ! src/share/vm/prims/methodHandles.cpp ! src/share/vm/prims/nativeLookup.cpp ! src/share/vm/runtime/jniHandles.cpp ! src/share/vm/runtime/os.cpp ! src/share/vm/runtime/reflection.cpp ! src/share/vm/runtime/reflectionUtils.cpp ! src/share/vm/runtime/sharedRuntime.cpp ! src/share/vm/runtime/statSampler.cpp ! src/share/vm/runtime/thread.cpp ! src/share/vm/runtime/vframe.cpp ! src/share/vm/runtime/vmStructs.cpp ! src/share/vm/services/attachListener.cpp ! src/share/vm/services/heapDumper.cpp ! src/share/vm/services/lowMemoryDetector.cpp ! src/share/vm/services/management.cpp ! src/share/vm/services/serviceUtil.hpp ! src/share/vm/services/threadService.cpp ! src/share/vm/utilities/exceptions.cpp Changeset: aad340e07bc4 Author: never Date: 2010-01-06 14:25 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/aad340e07bc4 Merge Changeset: 9b9c1ee9b3f6 Author: iveresov Date: 2010-01-06 22:21 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/9b9c1ee9b3f6 Merge ! src/share/vm/classfile/classFileParser.cpp ! src/share/vm/classfile/vmSymbols.hpp ! src/share/vm/memory/referenceProcessor.cpp ! src/share/vm/oops/instanceKlass.cpp ! src/share/vm/oops/instanceRefKlass.cpp ! src/share/vm/prims/jvm.cpp ! src/share/vm/prims/jvmtiEnv.cpp ! src/share/vm/prims/jvmtiEnvBase.cpp ! src/share/vm/prims/jvmtiExport.cpp ! src/share/vm/runtime/frame.cpp ! src/share/vm/runtime/thread.cpp ! src/share/vm/runtime/thread.hpp ! src/share/vm/runtime/vmStructs.cpp Changeset: e018e6884bd8 Author: ysr Date: 2009-12-23 09:23 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/e018e6884bd8 6631166: CMS: better heuristics when combatting fragmentation Summary: Autonomic per-worker free block cache sizing, tunable coalition policies, fixes to per-size block statistics, retuned gain and bandwidth of some feedback loop filters to allow quicker reactivity to abrupt changes in ambient demand, and other heuristics to reduce fragmentation of the CMS old gen. Also tightened some assertions, including those related to locking. Reviewed-by: jmasa ! src/share/vm/gc_implementation/concurrentMarkSweep/binaryTreeDictionary.cpp ! src/share/vm/gc_implementation/concurrentMarkSweep/binaryTreeDictionary.hpp ! src/share/vm/gc_implementation/concurrentMarkSweep/cmsLockVerifier.cpp ! src/share/vm/gc_implementation/concurrentMarkSweep/cmsLockVerifier.hpp ! src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp ! src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.hpp ! src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp ! src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.hpp ! src/share/vm/gc_implementation/concurrentMarkSweep/freeBlockDictionary.hpp ! src/share/vm/gc_implementation/concurrentMarkSweep/freeChunk.cpp ! src/share/vm/gc_implementation/concurrentMarkSweep/freeChunk.hpp ! src/share/vm/gc_implementation/concurrentMarkSweep/freeList.cpp ! src/share/vm/gc_implementation/concurrentMarkSweep/freeList.hpp ! src/share/vm/gc_implementation/includeDB_gc_concurrentMarkSweep ! src/share/vm/gc_implementation/includeDB_gc_serial ! src/share/vm/gc_implementation/parNew/parNewGeneration.cpp ! src/share/vm/gc_implementation/parNew/parNewGeneration.hpp ! src/share/vm/gc_implementation/shared/allocationStats.hpp ! src/share/vm/gc_implementation/shared/gcUtil.cpp ! src/share/vm/gc_implementation/shared/gcUtil.hpp ! src/share/vm/includeDB_gc_parallel ! src/share/vm/memory/defNewGeneration.cpp ! src/share/vm/memory/generation.hpp ! src/share/vm/runtime/arguments.cpp ! src/share/vm/runtime/globals.hpp ! src/share/vm/services/classLoadingService.cpp Changeset: 504830073409 Author: jmasa Date: 2010-01-04 07:58 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/504830073409 Merge ! src/share/vm/runtime/globals.hpp Changeset: 75bd253e25dd Author: ysr Date: 2010-01-04 14:51 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/75bd253e25dd 6637203: Classunloading messages go to stdout rather than Xloggc file, causing hangs when stdout is closed Summary: Decoupled TraceClassUnloading from verbose:gc, JVMTI_VERBOSE_GC and PrintGC[Details], making it settable in a manner identical to TraceClassLoading. Reverted an inadvertent change of TraceClassUnloading output in a previous changeset from gclog back to tty. Reviewed-by: coleenp, dholmes, jmasa, poonam ! src/share/vm/prims/jvmtiEnv.cpp ! src/share/vm/runtime/arguments.cpp ! src/share/vm/services/classLoadingService.cpp Changeset: 05b775309e59 Author: jmasa Date: 2010-01-07 08:14 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/05b775309e59 6912018: CMS: guarantee(head() != 0,"The head of the list cannot be NULL") Summary: Block too small to split was not correctly putback to free lists. Reviewed-by: ysr ! src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp Changeset: 0579c695832f Author: ysr Date: 2010-01-09 09:01 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/0579c695832f Merge ! src/share/vm/prims/jvmtiEnv.cpp ! src/share/vm/runtime/arguments.cpp Changeset: f62a22282a47 Author: kvn Date: 2010-01-07 16:24 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/f62a22282a47 6914622: Print values of all flags for product VM Summary: Change the flag -XX:+PrintFlagsFinal to product and add new product flag -XX:+PrintFlagsInitial. Reviewed-by: phh, ysr Contributed-by: gbenson at redhat.com ! src/share/vm/runtime/arguments.cpp ! src/share/vm/runtime/globals.cpp ! src/share/vm/runtime/globals.hpp Changeset: 1271af4ec18c Author: kvn Date: 2010-01-07 16:26 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/1271af4ec18c 6912517: JIT bug compiles out (and stops running) code that needs to be run. Causes NPE. Summary: Add missing check that value is used in memory expression in instructions with embedded load. Reviewed-by: never, jrose ! src/share/vm/opto/lcm.cpp + test/compiler/6912517/Test.java Changeset: cd37471eaecc Author: twisti Date: 2010-01-08 11:09 +0100 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/cd37471eaecc 6914206: change way of permission checking for generated MethodHandle adapters Summary: Put generated MH adapter in InvokeDynamic/MethodHandle classes to be able to indentify them easily in the compiler. Reviewed-by: kvn, never, jrose ! src/share/vm/ci/ciMethod.cpp ! src/share/vm/ci/ciMethod.hpp ! src/share/vm/classfile/systemDictionary.hpp ! src/share/vm/includeDB_core ! src/share/vm/oops/methodOop.cpp ! src/share/vm/oops/methodOop.hpp ! src/share/vm/opto/library_call.cpp ! src/share/vm/prims/methodHandleWalk.cpp ! src/share/vm/prims/methodHandleWalk.hpp ! src/share/vm/runtime/reflection.cpp ! src/share/vm/runtime/vframe.cpp Changeset: bea7a22a6f79 Author: kvn Date: 2010-01-08 09:42 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/bea7a22a6f79 6915110: IfNode::up_one_dom moves beyond RootNode bug in src/share/vm/opto/ifnode.cpp Summary: Check RootNode before check Loop in IfNode::up_one_dom(). Reviewed-by: never Contributed-by: kevin.brown at sun.com ! src/share/vm/opto/ifnode.cpp Changeset: 174ade00803b Author: kvn Date: 2010-01-08 09:51 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/174ade00803b 6910484: incorrect integer optimization (loosing and op-r in a given example) Summary: Remove AND operation only if mask is equal to shift. Reviewed-by: never ! src/share/vm/opto/divnode.cpp + test/compiler/6910484/Test.java Changeset: 4e6abf09f540 Author: jrose Date: 2010-01-08 13:47 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/4e6abf09f540 6912062: disassembler plugin needs to produce symbolic information in product mode Summary: More informative disassembly in product mode. Also, a more consistent CompileCommand syntax. Reviewed-by: never ! src/share/vm/code/codeBlob.hpp ! src/share/vm/code/nmethod.cpp ! src/share/vm/code/nmethod.hpp ! src/share/vm/compiler/compilerOracle.cpp ! src/share/vm/compiler/disassembler.cpp ! src/share/vm/includeDB_core ! src/share/vm/memory/genCollectedHeap.cpp ! src/share/vm/oops/arrayKlassKlass.cpp ! src/share/vm/oops/arrayKlassKlass.hpp ! src/share/vm/oops/compiledICHolderKlass.cpp ! src/share/vm/oops/compiledICHolderKlass.hpp ! src/share/vm/oops/constMethodKlass.cpp ! src/share/vm/oops/constMethodKlass.hpp ! src/share/vm/oops/constantPoolKlass.cpp ! src/share/vm/oops/constantPoolKlass.hpp ! src/share/vm/oops/cpCacheKlass.cpp ! src/share/vm/oops/cpCacheKlass.hpp ! src/share/vm/oops/instanceKlass.cpp ! src/share/vm/oops/instanceKlass.hpp ! src/share/vm/oops/instanceKlassKlass.cpp ! src/share/vm/oops/instanceKlassKlass.hpp ! src/share/vm/oops/klass.cpp ! src/share/vm/oops/klass.hpp ! src/share/vm/oops/klassKlass.cpp ! src/share/vm/oops/klassKlass.hpp ! src/share/vm/oops/methodDataKlass.cpp ! src/share/vm/oops/methodDataKlass.hpp ! src/share/vm/oops/methodKlass.cpp ! src/share/vm/oops/methodKlass.hpp ! src/share/vm/oops/objArrayKlass.cpp ! src/share/vm/oops/objArrayKlass.hpp ! src/share/vm/oops/objArrayKlassKlass.cpp ! src/share/vm/oops/objArrayKlassKlass.hpp ! src/share/vm/oops/oop.cpp ! src/share/vm/oops/symbolKlass.cpp ! src/share/vm/oops/symbolKlass.hpp ! src/share/vm/oops/typeArrayKlassKlass.cpp ! src/share/vm/oops/typeArrayKlassKlass.hpp ! src/share/vm/runtime/arguments.cpp Changeset: 136ac23d6ded Author: jrose Date: 2010-01-08 15:17 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/136ac23d6ded Merge Changeset: c3b315a0d58a Author: jrose Date: 2010-01-08 13:58 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/c3b315a0d58a 6912063: inlining parameters need to be adjusted for some uses of the JVM Summary: Put all inline-related switches into product mode, to allow tuning by dynamic language implementors. Reviewed-by: twisti, kvn ! src/share/vm/opto/bytecodeInfo.cpp ! src/share/vm/opto/doCall.cpp ! src/share/vm/opto/parse.hpp ! src/share/vm/runtime/globals.hpp Changeset: f2e64cfc2020 Author: jrose Date: 2010-01-08 18:27 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/f2e64cfc2020 Merge Changeset: 5b06c5db3e89 Author: jrose Date: 2010-01-08 22:02 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/5b06c5db3e89 Merge Changeset: f24201449cac Author: never Date: 2010-01-09 00:59 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/f24201449cac 6909839: missing unsigned compare cases for some cmoves in sparc.ad Reviewed-by: kvn, jrose ! src/cpu/sparc/vm/sparc.ad + test/compiler/6909839/Test6909839.java Changeset: 1fc01a2425ce Author: iveresov Date: 2010-01-12 13:54 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/1fc01a2425ce Merge ! src/share/vm/runtime/arguments.cpp ! src/share/vm/runtime/globals.hpp Changeset: d749b1813f40 Author: trims Date: 2010-01-15 14:25 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/d749b1813f40 Merge Changeset: 3003ddd1d433 Author: trims Date: 2010-01-15 14:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/3003ddd1d433 6917463: Bump the HS17 build number to 07 Summary: Update the HS17 build number to 07 Reviewed-by: jcoomes ! make/hotspot_version Changeset: 359445e739ac Author: mikejwre Date: 2010-01-21 11:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/359445e739ac Added tag jdk7-b80 for changeset 3003ddd1d433 ! .hgtags From lana.steuck at sun.com Wed Jan 27 18:57:05 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Thu, 28 Jan 2010 02:57:05 +0000 Subject: [security-dev 01570]: hg: jdk7/tl/jaxp: Added tag jdk7-b80 for changeset 9219574db593 Message-ID: <20100128025705.A71E641E5F@hg.openjdk.java.net> Changeset: 204e59d488cd Author: mikejwre Date: 2010-01-21 11:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jaxp/rev/204e59d488cd Added tag jdk7-b80 for changeset 9219574db593 ! .hgtags From lana.steuck at sun.com Wed Jan 27 18:57:11 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Thu, 28 Jan 2010 02:57:11 +0000 Subject: [security-dev 01571]: hg: jdk7/tl/jaxws: Added tag jdk7-b80 for changeset 447767dee56a Message-ID: <20100128025711.E524941E60@hg.openjdk.java.net> Changeset: f051045fe94a Author: mikejwre Date: 2010-01-21 11:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jaxws/rev/f051045fe94a Added tag jdk7-b80 for changeset 447767dee56a ! .hgtags From lana.steuck at sun.com Wed Jan 27 18:58:56 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Thu, 28 Jan 2010 02:58:56 +0000 Subject: [security-dev 01572]: hg: jdk7/tl/jdk: 28 new changesets Message-ID: <20100128030831.22EE741E65@hg.openjdk.java.net> Changeset: 9956e8d71e06 Author: tbell Date: 2009-12-18 09:40 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/9956e8d71e06 6899737: JDK build fails in make/java/jli because of _vsnprintf macro redefinition Summary: Use stdio.h instead when building with Visual Studio 2008 or later Reviewed-by: art, ohair ! src/share/native/java/util/zip/zlib-1.2.3/zutil.h Changeset: 39b9564ff01c Author: ohair Date: 2010-01-05 15:17 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/39b9564ff01c Merge Changeset: 447c9e535234 Author: ohair Date: 2010-01-13 15:37 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/447c9e535234 Merge Changeset: e0905e36766a Author: yhuang Date: 2009-12-06 22:18 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/e0905e36766a 6868106: Ukrainian currency has wrong format Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_uk.java ! src/share/classes/sun/util/resources/CurrencyNames_uk_UA.properties ! test/sun/text/resources/LocaleData Changeset: d9080b33ba74 Author: yhuang Date: 2009-12-08 21:14 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/d9080b33ba74 6610748: Dateformat - AM-PM indicator in Finnish appears to be from English Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_fi.java ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: ac9e284db030 Author: yhuang Date: 2009-12-08 21:19 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/ac9e284db030 6645271: Wrong date format for Croatian (hr) locale Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_hr_HR.java Changeset: 3ab178316aa0 Author: yhuang Date: 2009-12-08 21:26 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/3ab178316aa0 6609737: DateFormat incorrect for German locale Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_de.java ! src/share/classes/sun/util/resources/TimeZoneNames_de.java Changeset: 4910b580a725 Author: yhuang Date: 2009-12-08 21:30 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/4910b580a725 6507067: TimeZone country/area message error Reviewed-by: peytoia ! src/share/classes/sun/util/resources/TimeZoneNames_zh_TW.java Changeset: 06df47459ecf Author: yhuang Date: 2009-12-10 17:26 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/06df47459ecf 6873931: New Turkish currency since 2009 Reviewed-by: yhuang, peytoia ! src/share/classes/sun/util/resources/CurrencyNames_tr_TR.properties ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: ddc4a80f25f4 Author: yhuang Date: 2009-12-17 02:00 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/ddc4a80f25f4 6450945: The week day for Saturday and the first week day in Romania locale are incorrect Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_ro.java ! src/share/classes/sun/util/resources/CalendarData_ro.properties ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: cd5d46887546 Author: yhuang Date: 2009-12-17 02:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/cd5d46887546 6645268: Country/language names with locale fi_FI are incorrect for FRANCE/FRENCH Reviewed-by: yhuang, peytoia ! src/share/classes/sun/util/resources/LocaleNames_fi.properties ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java ! test/sun/util/resources/Locale/Bug4429024.java Changeset: 946a0a09a477 Author: yhuang Date: 2009-12-17 02:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/946a0a09a477 6646611: Incorrect spelling of month name in locale for Belarusian language ("be", "BY") Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_be.java ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: e8fa2b2cb1e8 Author: yhuang Date: 2009-12-17 22:24 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/e8fa2b2cb1e8 6650730: Lithuanian locale date and number formats mismatch. Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_lt.java ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: e9b09f76d281 Author: yhuang Date: 2009-12-17 22:25 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/e9b09f76d281 6645405: Errors in Hungarian local-specific formatting. (L10N part of 6609703) Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_hu_HU.java Changeset: 3b78f3769688 Author: yhuang Date: 2009-12-20 19:31 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/3b78f3769688 6910489: Slovenia Locale, wrong firstDayOfWeek number Reviewed-by: yhuang, peytoia ! src/share/classes/sun/util/resources/CalendarData_sl.properties ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: b09e582d09bd Author: yhuang Date: 2009-12-20 19:49 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/b09e582d09bd 6573250: Java.util.Currency.getSymbol(Locale) returns wrong value when locale is not US. Reviewed-by: yhuang, peytoia ! src/share/classes/sun/util/resources/CurrencyNames_en_CA.properties ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: 7bf839e2e9ce Author: yhuang Date: 2009-12-24 15:37 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/7bf839e2e9ce 6870908: reopen bug 4244752: month names in Estonian should be lowercase Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_et.java ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: 1397ae8dc558 Author: yhuang Date: 2009-12-24 16:26 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/1397ae8dc558 6541350: TimeZone display names localization Reviewed-by: yhuang, peytoia ! src/share/classes/sun/util/resources/TimeZoneNames_de.java ! src/share/classes/sun/util/resources/TimeZoneNames_es.java ! src/share/classes/sun/util/resources/TimeZoneNames_fr.java ! src/share/classes/sun/util/resources/TimeZoneNames_it.java ! src/share/classes/sun/util/resources/TimeZoneNames_ja.java ! src/share/classes/sun/util/resources/TimeZoneNames_ko.java ! src/share/classes/sun/util/resources/TimeZoneNames_sv.java ! src/share/classes/sun/util/resources/TimeZoneNames_zh_CN.java ! src/share/classes/sun/util/resources/TimeZoneNames_zh_TW.java Changeset: 2886607f8bc3 Author: yhuang Date: 2009-12-28 14:58 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/2886607f8bc3 6585666: Spanish language names not compliant with CLDR Reviewed-by: yhuang, peytoia ! src/share/classes/sun/util/resources/LocaleNames_es.properties ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: 5ec5337c0298 Author: yhuang Date: 2010-01-05 18:26 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/5ec5337c0298 6716626: Integrate contributed language and country names for NL Reviewed-by: yhuang, peytoia ! src/share/classes/sun/util/resources/LocaleNames_nl.properties ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: 8bf6b2173e9f Author: yhuang Date: 2010-01-06 17:52 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/8bf6b2173e9f 6914413: abbreviation name for November is not correct in be_BY Reviewed-by: yhuang, peytoia ! src/share/classes/sun/text/resources/FormatData_be.java ! test/sun/text/resources/LocaleData ! test/sun/text/resources/LocaleDataTest.java Changeset: eea1cc096889 Author: yhuang Date: 2010-01-06 19:32 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/eea1cc096889 6821191: Timezone display name localization Reviewed-by: yhuang, ogino ! src/share/classes/sun/util/resources/TimeZoneNames_de.java ! src/share/classes/sun/util/resources/TimeZoneNames_es.java ! src/share/classes/sun/util/resources/TimeZoneNames_fr.java ! src/share/classes/sun/util/resources/TimeZoneNames_it.java ! src/share/classes/sun/util/resources/TimeZoneNames_ja.java ! src/share/classes/sun/util/resources/TimeZoneNames_ko.java ! src/share/classes/sun/util/resources/TimeZoneNames_sv.java ! src/share/classes/sun/util/resources/TimeZoneNames_zh_CN.java ! src/share/classes/sun/util/resources/TimeZoneNames_zh_TW.java Changeset: eff93f451501 Author: yhuang Date: 2010-01-11 23:25 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/eff93f451501 Merge - make/tools/CharsetMapping/DoubleByte-X.java - make/tools/CharsetMapping/SingleByte-X.java - src/share/classes/javax/swing/plaf/synth/DefaultMenuLayout.java - src/share/classes/sun/awt/ComponentAccessor.java - src/share/classes/sun/awt/WindowAccessor.java - src/share/classes/sun/security/provider/IdentityDatabase.java - src/share/classes/sun/security/provider/SystemIdentity.java - src/share/classes/sun/security/provider/SystemSigner.java - src/share/classes/sun/security/x509/X500Signer.java - src/share/classes/sun/security/x509/X509Cert.java - src/share/classes/sun/swing/plaf/synth/SynthUI.java - src/share/classes/sun/tools/jar/JarVerifierStream.java - src/share/classes/sun/util/CoreResourceBundleControl-XLocales.java - src/share/classes/sun/util/LocaleDataMetaInfo-XLocales.java - test/java/util/Formatter/Basic-X.java - test/sun/tools/native2ascii/test2 - test/tools/launcher/SolarisDataModel.sh - test/tools/launcher/SolarisRunpath.sh - test/tools/launcher/libraryCaller.c - test/tools/launcher/libraryCaller.h - test/tools/launcher/libraryCaller.java Changeset: d91c6bdcc852 Author: yhuang Date: 2010-01-17 18:42 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/d91c6bdcc852 Merge Changeset: 049cfaaa9a73 Author: mikejwre Date: 2010-01-20 17:11 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/049cfaaa9a73 Merge Changeset: 15815a54d930 Author: mikejwre Date: 2010-01-21 11:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/15815a54d930 Added tag jdk7-b80 for changeset 049cfaaa9a73 ! .hgtags Changeset: 10b993d417fc Author: lana Date: 2010-01-22 09:34 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/10b993d417fc Merge - make/java/redist/FILES.gmk - make/sun/nio/FILES_java.gmk - src/solaris/classes/sun/nio/ch/SctpSocketDispatcher.java Changeset: 0126effcc249 Author: lana Date: 2010-01-27 14:46 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/0126effcc249 Merge From lana.steuck at sun.com Wed Jan 27 19:19:32 2010 From: lana.steuck at sun.com (lana.steuck at sun.com) Date: Thu, 28 Jan 2010 03:19:32 +0000 Subject: [security-dev 01573]: hg: jdk7/tl/langtools: 3 new changesets Message-ID: <20100128031943.B5BF041E6D@hg.openjdk.java.net> Changeset: 250a580ab046 Author: mikejwre Date: 2010-01-21 11:12 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/250a580ab046 Added tag jdk7-b80 for changeset f0074aa48d4e ! .hgtags Changeset: cfabfcf9f110 Author: lana Date: 2010-01-22 09:34 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/cfabfcf9f110 Merge Changeset: ff7a01f9eff3 Author: lana Date: 2010-01-27 14:46 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/ff7a01f9eff3 Merge From xueming.shen at sun.com Wed Jan 27 19:43:24 2010 From: xueming.shen at sun.com (xueming.shen at sun.com) Date: Thu, 28 Jan 2010 03:43:24 +0000 Subject: [security-dev 01574]: hg: jdk7/tl/jdk: 6920732: opensource test/java/nio/charset Message-ID: <20100128034343.4671241E77@hg.openjdk.java.net> Changeset: 946b30073247 Author: sherman Date: 2010-01-27 19:39 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/946b30073247 6920732: opensource test/java/nio/charset Summary: move the test cases to openjdk Reviewed-by: martin + test/java/nio/charset/Charset/AvailableCharsetNames.java + test/java/nio/charset/Charset/CharsetContainmentTest.java + test/java/nio/charset/Charset/Contains.java + test/java/nio/charset/Charset/Default.java + test/java/nio/charset/Charset/EmptyCharsetName.java + test/java/nio/charset/Charset/EncDec.java + test/java/nio/charset/Charset/IllegalCharsetName.java + test/java/nio/charset/Charset/NIOCharsetAvailabilityTest.java + test/java/nio/charset/Charset/NullCharsetName.java + test/java/nio/charset/Charset/RegisteredCharsets.java + test/java/nio/charset/Charset/default.sh + test/java/nio/charset/CharsetDecoder/AverageMax.java + test/java/nio/charset/CharsetDecoder/EmptyInput.java + test/java/nio/charset/CharsetEncoder/CanEncode.java + test/java/nio/charset/CharsetEncoder/Flush.java + test/java/nio/charset/RemovingSunIO/SunioAlias.java + test/java/nio/charset/RemovingSunIO/TestCOMP.java + test/java/nio/charset/RemovingSunIO/TestUnmappableForLength.java + test/java/nio/charset/coders/BashCache.java + test/java/nio/charset/coders/BashStreams.java + test/java/nio/charset/coders/Check.java + test/java/nio/charset/coders/CheckSJISMappingProp.sh + test/java/nio/charset/coders/Errors.java + test/java/nio/charset/coders/FullRead.java + test/java/nio/charset/coders/IOCoders.java + test/java/nio/charset/coders/IsLegalReplacement.java + test/java/nio/charset/coders/ResetISO2022JP.java + test/java/nio/charset/coders/SJISPropTest.java + test/java/nio/charset/coders/StreamTimeout.java + test/java/nio/charset/coders/Surrogate.java + test/java/nio/charset/coders/Surrogates.java + test/java/nio/charset/coders/Util.java + test/java/nio/charset/coders/ref.shift_jis + test/java/nio/charset/coders/ref.windows-31j + test/java/nio/charset/spi/FooCharset.java + test/java/nio/charset/spi/FooProvider.java + test/java/nio/charset/spi/Test.java + test/java/nio/charset/spi/basic.sh + test/java/nio/charset/spi/charsetProvider.sp + test/java/nio/charset/spi/default-pol From jonathan.gibbons at sun.com Fri Jan 29 16:07:56 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Sat, 30 Jan 2010 00:07:56 +0000 Subject: [security-dev 01575]: hg: jdk7/tl/langtools: 6919889: assorted position errors in compiler syntax trees Message-ID: <20100130000759.E314C4152E@hg.openjdk.java.net> Changeset: 699ecefbdd4e Author: jjg Date: 2010-01-29 16:06 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/699ecefbdd4e 6919889: assorted position errors in compiler syntax trees Reviewed-by: darcy ! src/share/classes/com/sun/tools/javac/code/Flags.java ! src/share/classes/com/sun/tools/javac/parser/JavacParser.java ! src/share/classes/com/sun/tools/javac/tree/TreeInfo.java ! src/share/classes/com/sun/tools/javac/tree/TreeMaker.java + test/tools/javac/T6654037.java ! test/tools/javac/generics/diamond/neg/Neg01.out ! test/tools/javac/generics/diamond/neg/Neg02.out ! test/tools/javac/generics/diamond/neg/Neg03.out ! test/tools/javac/generics/diamond/neg/Neg04.out + test/tools/javac/treepostests/TreePosTest.java From jonathan.gibbons at sun.com Fri Jan 29 16:55:59 2010 From: jonathan.gibbons at sun.com (jonathan.gibbons at sun.com) Date: Sat, 30 Jan 2010 00:55:59 +0000 Subject: [security-dev 01576]: hg: jdk7/tl/langtools: 6499119: Created package-info class file modeled improperly; ... Message-ID: <20100130005605.A81D141542@hg.openjdk.java.net> Changeset: 8e638442522a Author: jjg Date: 2010-01-29 16:54 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/8e638442522a 6499119: Created package-info class file modeled improperly 6920317: package-info.java file has to be specified on the javac cmdline, else it will not be avail. Reviewed-by: darcy ! src/share/classes/com/sun/tools/javac/code/Symbol.java ! src/share/classes/com/sun/tools/javac/comp/Enter.java ! src/share/classes/com/sun/tools/javac/comp/Lower.java ! src/share/classes/com/sun/tools/javac/processing/JavacProcessingEnvironment.java + test/tools/javac/processing/6499119/ClassProcessor.java + test/tools/javac/processing/6499119/package-info.java + test/tools/javac/processing/T6920317.java