[PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy

Andrew Hughes gnu.andrew at redhat.com
Thu Sep 20 14:57:29 UTC 2012


----- Original Message -----
> > But I think someone from the security team should chime in on this.
> 
> I plan to look closer at this.  On the surface, it looks acceptable to
> me, but I've been heads down in the SNI code: likely for one more day.
> Wanted to also run this by one of my other colleagues.
> 
> One thought:  I'm wondering if we might want to have this switch in both
> Open and Closed.  As long as default is off, I don't immediately see a
> reason to not have it.
> 

I've no problem with that.  I just placed it within the OPENJDK ifdef so it
won't interfere with the proprietary build at all, as obviously I can't
test it ;-)

But, either way, if it's not set, there's no change in behaviour.

> Brad
> 
> 
> 
> On 9/19/2012 7:34 PM, Kelly O'Hair wrote:
> > It seems fine with me.
> > But I think someone from the security team should chime in on this.
> >
> > -kto
> >
> > On Sep 18, 2012, at 7:39 AM, Andrew Hughes wrote:
> >
> >> This is an issue that has been with us for a while.  See:
> >>
> >> https://bugs.openjdk.java.net/show_bug.cgi?id=100062
> >> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7188845
> >>
> >> for some background.
> >>
> >> The original proposed patch goes too far in removing most of the
> >> infrastructure for restricting crypto levels and signing of crypto
> >> jars.
> >>
> >> The following simple webrev will achieve what I think is needed:
> >>
> >> http://cr.openjdk.java.net/~andrew/100062/webrev.01/
> >>
> >> allowing OpenJDK to be built with the unlimited rather than limited
> >> crypto policy in place.
> >>
> >> The build is only altered if both an OpenJDK build is being performed
> >> and UNLIMITED_CRYPTO is defined.  In this case, the install-unlimited
> >> rule is used to install policies.  Without UNLIMITED_CRYPTO being set,
> >> OpenJDK builds still depend on install-limited as now.
> >>
> >> I believe this is a fairly unintrusive change which should allow
> >> GNU/Linux distros to ship without crypto restrictions while still
> >> using upstream OpenJDK rather than a variant with several classes
> >> removed.
> >>
> >> It's not clear to me why this approach wasn't taken before, so I hope
> >> I haven't missed something.
> >>
> >> If this looks ok, I'll push it as the resolution for bug 7188845.
> >> --
> >> Andrew :)
> >>
> >> Free Java Software Engineer
> >> Red Hat, Inc. (http://www.redhat.com)
> >>
> >> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> >> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
> >>
> >
> 

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07



