PING 2: [7u80] Request for review for CR 4963723: Implement SHA-224

Andrew Hughes gnu.andrew at redhat.com
Mon Jan 5 16:00:58 UTC 2015 

----- Original Message -----
> Can you elaborate on 'this and a couple of other patches' - is that supposed
> to be all of the corresponding JEP 130? Some part of it?
> 
> Considering that the JEP 130 has legal and docs implications that imply  more
> work having to be done than just back porting a couple of change sets, I
> think you need to try to make a stronger case for the proposed change.
> 
> Is there a specific issue in JBS (or some other bug tracker) this change is
> trying to address?
> 

Specifically, the full set is:

4963723: Implement SHA-224
7044060: Need to support NSA Suite B Cryptography algorithms
8006935: Need to take care of long secret keys in HMAC/PRF computation
8000897: VM crash in CompileBroker

The main one is 7044060, which allows DH key sizes of 2048. Prior to this fix, the
maximum key size for DH is 1024, whereas the Apache web server now defaults to
a minimum of 2048. This leads to a RuntimeException "Could not generate DH keypair"
from the Java side. 4963723 is a per-requisite, not so much for SHA-224 itself,
as to the refactoring included in that change, which 7044060 then builds on.
8006935 and 8000897 fix bugs that arose because of the previous two fixes.

We had a Red Hat bug for this, but I doubt it's fully visible externally:

https://bugzilla.redhat.com/show_bug.cgi?id=1145848

> --
> Oracle <http://www.oracle.com>
> Dalibor Topic | Principal Product Manager
> Phone: +494089091214<tel:+494089091214> |
> Mobile:+491737185961<tel:+491737185961>
> Oracle Java Platform Group
> 
> ORACLE Deutschland B.V. & Co. KG | Kühnehöfe 5 | 22761 Hamburg
> 
> ORACLE Deutschland B.V. & Co. KG
> Hauptverwaltung: Riesstr. 25, D-80992 München
> Registergericht: Amtsgericht München, HRA 95603
> Geschäftsführer: Jürgen Kunz
> 
> Komplementärin: ORACLE Deutschland Verwaltung B.V.
> Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
> Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
> Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
> 
> Green Oracle <http://www.oracle.com/commitment> Oracle is committed to
> developing practices and products that help protect the environment
> 
> > On 24.12.2014, at 17:09, Andrew Hughes <gnu.andrew at redhat.com> wrote:
> > 
> > ----- Original Message -----
> >> Considering that the issue was a P3 RFE rather than a high priority bug
> >> fix,
> >> it's not clear to me why it would be necessary to backport it into 7u80,
> >> at
> >> the end point in the release cycle.
> >> 
> > 
> > I don't have anything to do with the assignment of such priorities.
> > 
> > From our side, as already explained, backporting this and a couple of other
> > patches
> > yet to come that depend on it is important for retaining the compatibility
> > of OpenJDK
> > web servers with Apache web servers, which have switched to requiring a
> > higher DH key
> > size by default.
> > 
> > Thanks,
> > --
> > Andrew :)
> > 
> > Free Java Software Engineer
> > Red Hat, Inc. (http://www.redhat.com)
> > 
> > PGP Key: 248BDC07 (https://keys.indymedia.org/)
> > Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
> > 
> 

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07

More information about the security-dev mailing list