RFR 8157308: DRBG serialization fix
Sean Mullan
sean.mullan at oracle.com
Fri Jun 3 14:02:50 UTC 2016
On 06/03/2016 02:12 AM, Wang Weijun wrote:
> Webrev updated at
>
> http://cr.openjdk.java.net/~weijun/8157308/webrev.01/
>
> AbstractDrbg is an internal class so I have to patch the JDK itself.
Hmm, ok, but why didn't you need to do that for the previous version of
this test?
--Sean
>
> Thanks
> Max
>
>> On Jun 3, 2016, at 12:09 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> For the test/sun/security/provider/SecureRandom/AbstractDrbgSpec.java that was removed, are you still getting adequate test coverage somewhere else on the SecureRandom API tests this test was checking?
>>
>> Otherwise this looks good, though may I suggest you adjust the bug synopsis to be less generic? How about: "Make AbstractDrbg non-Serializable".
>>
>> --Sean
>>
>> On 05/23/2016 06:39 PM, Wang Weijun wrote:
>>> Ping again.
>>>
>>>> 在 2016年5月19日,16:21,Wang Weijun <weijun.wang at oracle.com> 写道:
>>>>
>>>> Please take a review at
>>>>
>>>> http://cr.openjdk.java.net/~weijun/8157308/webrev.00/
>>>>
>>>> Now that DRBG does not save any internal state during
>>>> serialization, all DRBG implementations (HashDrbg, HmacDrbg,
>>>> CtrDrbg) still extends SecureRandomSpi and contain quite some
>>>> @serial fields. If some of them is corrupted a deserialized DRBG
>>>> may run expectedly, it also prevents class evolution.
>>>>
>>>> The fix is to make AbstractDrbg no more a SecureRandomSpi child so
>>>> no more serializable. DRBG is still a SecureRandomSpi child and its
>>>> only @serial field is MoreDrbgParameters mdp. MoreDrbgParamaters is
>>>> also made serializable.
>>>>
>>>> One new test is added. Since AbstractDrbg is no longer a
>>>> SecureRandomSpi, its child class can no longer be registered in a
>>>> SecureRandom provider, and the AbstractDrbgSpec.java test is
>>>> removed.
>>>>
>>>> Thanks Max
>>>>
>>>
>
More information about the security-dev
mailing list