hg: jdk7/tl/jdk: 7034700: (unpack200) build fails with fastdebug builds

2011-04-07 Thread kumar . x . srinivasan
Changeset: 587e968b03ee
Author: ksrini
Date:  2011-04-07 17:08 -0700
URL:   http://hg.openjdk.java.net/jdk7/tl/jdk/rev/587e968b03ee

7034700: (unpack200) build fails with fastdebug builds
Reviewed-by: ohair

! make/com/sun/java/pack/Makefile



Re: code review request: 7030180: AES 128/256 decrypt exception

2011-04-07 Thread Valerie (Yu-Ching) Peng

The change looks fine.
Well, I am fine with only providing the workaround for this MIT bug in jdk7.
Valerie

On 03/31/11 09:38 PM, Weijun Wang wrote:

Hi Valerie

http://cr.openjdk.java.net/~weijun/7030180/webrev.00/

A bug in MIT krb5 1.8 triggers this exception (read evaluation below). 
They will fix it in 1.8.4 and 1.9. In the meantime, we can check both 
the session key and the subkey on the acceptor side.


I think this does not deserve a backport to 6u releases. Your opinion?

Thanks
Max


-------- Original Message --------
*Change Request ID*: 7030180
*Synopsis*: AES 128/256 decrypt exception

=== *Description* ===


I tried to use SPNEGO.

When I use DES3 It works for a principal. When I try to use AES 
128/256 It crashes.


ERROR MESSAGES/STACK TRACES THAT OCCUR :

GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)



=== *Evaluation* ===
The customer is using krb5 1.8 on the client side. There is a known 
issue that KRB-CRED inside AP-REQ is encrypted with the authenticator 
subkey instead of the ticket session key:


http://krbdev.mit.edu/rt/Ticket/Display.html?id=6768&user=guest&pass=guest 



At the same time, we can try both the session key and the subkey in 
Java; this is also what MIT and Heimdal have done for years.






hg: jdk7/tl/jdk: 7029048: (launcher) fence the launcher against LD_LIBRARY_PATH

2011-04-07 Thread kumar . x . srinivasan
Changeset: d8dfd1a0bd8d
Author: ksrini
Date:  2011-04-07 12:06 -0700
URL:   http://hg.openjdk.java.net/jdk7/tl/jdk/rev/d8dfd1a0bd8d

7029048: (launcher) fence the launcher against LD_LIBRARY_PATH
Reviewed-by: mchung, ohair

! src/share/bin/jli_util.h
! src/solaris/bin/java_md.c
! test/tools/launcher/ExecutionEnvironment.java
+ test/tools/launcher/Test7029048.java
! test/tools/launcher/TestHelper.java



Re: Review 7031343: Provide API changes to support future GCM AEAD ciphers

2011-04-07 Thread Bradford Wetmore


Thanks for looking at this again.

On 4/7/2011 12:46 AM, Xuelei Fan wrote:
> Looks fine to me.
>
> A few very minor suggestions:
>
> Cipher.java
> ==
> C1:
>
> 98 * authenticity tag (checksum). This tag is appended to the ciphertext
>
>
> I think "authentication tag" is more formal.

Ok.

> I'm not sure whether the
> "checksum" is a misleading comment to the readers. To me, checksum means
> non-keyed hash operations.

I debated putting that in thinking that it might help someone who knows 
JCE but is not familiar with GCM.  Mac would be a better choice.  I'll 
likely use that (or take it out completely).


> C2:
>
> 112 * // If the GCMParameterSpec is needed again
> 113 * cipher.getParameters().getParameterSpec(
> 114 * GCMParameterSpec.class).getTLen(...);
>
> This block may not be necessary any more. There are no set-methods for
> GCMParameterSpec. If you want to keep the block, I would suggest
> returning the GCMParameterSpec rather than the tag length.

Point taken.

> GCMParameterSpec.java
> ==
> C3:
> I would suggest you use "authentication tag" rather than "tag" in the
> spec, as that would make it friendlier to search engines.

Ok.  I'll wait to see if there are further comments, and will be 
submitting for internal review later today.


Thanks Andrew!

Brad

On 4/6/2011 9:46 PM, Brad Wetmore wrote:

Hi Xuelei/Valerie,

Our JDK 7 freeze window is fast closing and I'd like to get this in for
b140, so will need a quick turnaround to make this happen.

7031343: Provide API changes to support future GCM AEAD ciphers

As we talked about, as part of the National Security Agency's Suite B
effort [1] (modernization of the national crypto infrastructure), the
JDK will soon need to support the Galois Counter Mode (GCM) cipher mode
[2] for ciphers like AES. (e.g. GCM is also being used in some new TLS
ciphersuites [3][4]).

We will not be able to provide a full implementation of GCM in JDK 7
FCS, but we would like to be able to add this as a potential enhancement
in a future JDK 7 Update Release (UR). Adding GCM in a JDK 7 UR will
require API changes in JDK 7 now.

The changes are fairly small, low risk, and localized. There are some
minor changes to Cipher/CipherSpi, and two new classes for an AEAD
Exception and a GCMParameterSpec.

http://cr.openjdk.java.net/~wetmore/7031343/javadocs.00/
http://cr.openjdk.java.net/~wetmore/7031343/webrev.00/

A few points worth calling out:

1) The APIs were designed with an eye to both CCM and GCM. GCM is the
important one now from the Suite B perspective. We'll probably add
similar CCM Parameters in JDK 8.

2) If algorithm parameters are not derivable from the supplied inputs,
Cipher.init() will normally trigger the generation of algorithm
parameters based on provider-specific default values. But note that XML
GCM is using 128 bit tags, and TLS 1.2 is using 96 bit tags, so there
really isn't a completely clear-cut default. And in GCM for IV, that
would push IV generation down into the CSP provider, which means the
provider must keep track of all previously used IVs, which could be
perceived as a 128-bit memory leak for each GCM operation on reused
Cipher objects. Language was added to allow providers to select IV if
they really want to, but in most cases and for interoperability, the
caller really should be specifying the tagLen/IV in a GCMParameterSpec.

3) AEAD (GCM/CCM) tags are appended to the ciphertext on encryption, and
verified/removed during decryption, as is done in RFC 5116[5], and is
reflected in other GCM APIs. Because Ciphers are reset after each
doFinal(), we would have had to create an intermediate state/getTag(),
or add some kind of outbound data structure. Appending was far cleaner.

4) AEADBadTagException is a subclass of BadPaddingException, which is a
checked exception currently thrown by the doFinal methods. While it's
not exactly BadPadding in the true sense of padding, it is close and was
the best option for a checked Exception. A RuntimeException really
should be reserved for programming mistakes, not normal operations.

5) AAD can be supplied to the cipher in chunks, and is not restricted to
a single shot as in PKCS11. This will allow applications with huge AADs
the flexibility to not have to store everything in memory (media files).
Also, the underlying GCM/CCM algorithms process all AAD before the
plain/ciphertext, so we require updateAAD() to be called before
plain/ciphertext is handled.

6) As usual for adding new methods to these engine classes, for
backwards source and binary compatibility with older providers, the new
updateAAD() methods in CipherSpi will throw
UnsupportedOperationExceptions unless the provider overrides the method.

Thanks,

Brad

[1]: http://www.nsa.gov/ia/programs/suiteb_cryptography/
[2]: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
[3]: http://www.rfc-editor.org/info/rfc5288
[4]: http://www.rfc-editor.org/info/rfc5289
[5]:
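
The calling pattern described in points 2 to 5 above, as an added example that is not part of the original message or the webrev. It uses the javax.crypto API as it ships in the JDK (GCMParameterSpec, Cipher.updateAAD, AEADBadTagException) and assumes a provider that implements AES/GCM/NoPadding; the class name, helper names and sample data are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmAeadDemo {                 // hypothetical class name
    static final int TAG_BITS = 128;       // tag length chosen by the caller (point 2)
    static final int IV_BYTES = 12;        // 96-bit IV, also supplied by the caller

    static byte[] seal(SecretKey key, byte[] iv, byte[][] aadChunks, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        for (byte[] chunk : aadChunks) c.updateAAD(chunk);  // all AAD before any plaintext (point 5)
        return c.doFinal(pt);                               // ciphertext with the tag appended (point 3)
    }

    static byte[] open(SecretKey key, byte[] iv, byte[][] aadChunks, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        for (byte[] chunk : aadChunks) c.updateAAD(chunk);  // same AAD, same order
        return c.doFinal(ct);  // verifies and strips the tag, or throws AEADBadTagException
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);  // a fresh IV per message; never reuse one under the same key

        // Constructed sample data: AAD delivered in two chunks, plus a short payload.
        byte[][] aad = { "header-part-1;".getBytes(StandardCharsets.UTF_8),
                         "header-part-2".getBytes(StandardCharsets.UTF_8) };
        byte[] pt = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        byte[] ct = seal(key, iv, aad, pt);
        System.out.println("tag bytes appended: " + (ct.length - pt.length));
        System.out.println("round trip ok: " + Arrays.equals(pt, open(key, iv, aad, ct)));

        ct[ct.length - 1] ^= 0x01;         // flip one bit inside the appended tag
        try {
            open(key, iv, aad, ct);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {  // subclass of BadPaddingException (point 4)
            System.out.println("tampering detected: discard the message");
        }
    }
}
```

Code that already catches BadPaddingException around doFinal() will also catch the tag failure; in either case no plaintext from a failed decryption should be used.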

hg: jdk7/tl/jdk: 7034656: Address lint warnings for DriverManager

2011-04-07 Thread lance . andersen
Changeset: 5137806a3e34
Author: lancea
Date:  2011-04-07 11:25 -0400
URL:   http://hg.openjdk.java.net/jdk7/tl/jdk/rev/5137806a3e34

7034656: Address lint warnings for DriverManager
Reviewed-by: alanb, forax, ohair

! src/share/classes/java/sql/DriverManager.java



hg: jdk7/tl/jdk: 7034657: Update Creative Commons license URL in legal notices

2011-04-07 Thread chris . hegarty
Changeset: 31619dfa6a4a
Author: dl
Date:  2011-04-07 15:06 +0100
URL:   http://hg.openjdk.java.net/jdk7/tl/jdk/rev/31619dfa6a4a

7034657: Update Creative Commons license URL in legal notices
Reviewed-by: chegar

! src/share/classes/java/util/AbstractQueue.java
! src/share/classes/java/util/ArrayDeque.java
! src/share/classes/java/util/Deque.java
! src/share/classes/java/util/NavigableMap.java
! src/share/classes/java/util/NavigableSet.java
! src/share/classes/java/util/Queue.java
! src/share/classes/java/util/concurrent/AbstractExecutorService.java
! src/share/classes/java/util/concurrent/ArrayBlockingQueue.java
! src/share/classes/java/util/concurrent/BlockingDeque.java
! src/share/classes/java/util/concurrent/BlockingQueue.java
! src/share/classes/java/util/concurrent/BrokenBarrierException.java
! src/share/classes/java/util/concurrent/Callable.java
! src/share/classes/java/util/concurrent/CancellationException.java
! src/share/classes/java/util/concurrent/CompletionService.java
! src/share/classes/java/util/concurrent/ConcurrentHashMap.java
! src/share/classes/java/util/concurrent/ConcurrentLinkedDeque.java
! src/share/classes/java/util/concurrent/ConcurrentLinkedQueue.java
! src/share/classes/java/util/concurrent/ConcurrentMap.java
! src/share/classes/java/util/concurrent/ConcurrentNavigableMap.java
! src/share/classes/java/util/concurrent/ConcurrentSkipListMap.java
! src/share/classes/java/util/concurrent/ConcurrentSkipListSet.java
! src/share/classes/java/util/concurrent/CopyOnWriteArraySet.java
! src/share/classes/java/util/concurrent/CountDownLatch.java
! src/share/classes/java/util/concurrent/CyclicBarrier.java
! src/share/classes/java/util/concurrent/DelayQueue.java
! src/share/classes/java/util/concurrent/Delayed.java
! src/share/classes/java/util/concurrent/Exchanger.java
! src/share/classes/java/util/concurrent/ExecutionException.java
! src/share/classes/java/util/concurrent/Executor.java
! src/share/classes/java/util/concurrent/ExecutorCompletionService.java
! src/share/classes/java/util/concurrent/ExecutorService.java
! src/share/classes/java/util/concurrent/Executors.java
! src/share/classes/java/util/concurrent/ForkJoinPool.java
! src/share/classes/java/util/concurrent/ForkJoinTask.java
! src/share/classes/java/util/concurrent/ForkJoinWorkerThread.java
! src/share/classes/java/util/concurrent/Future.java
! src/share/classes/java/util/concurrent/FutureTask.java
! src/share/classes/java/util/concurrent/LinkedBlockingDeque.java
! src/share/classes/java/util/concurrent/LinkedBlockingQueue.java
! src/share/classes/java/util/concurrent/LinkedTransferQueue.java
! src/share/classes/java/util/concurrent/Phaser.java
! src/share/classes/java/util/concurrent/PriorityBlockingQueue.java
! src/share/classes/java/util/concurrent/RecursiveAction.java
! src/share/classes/java/util/concurrent/RecursiveTask.java
! src/share/classes/java/util/concurrent/RejectedExecutionException.java
! src/share/classes/java/util/concurrent/RejectedExecutionHandler.java
! src/share/classes/java/util/concurrent/RunnableFuture.java
! src/share/classes/java/util/concurrent/RunnableScheduledFuture.java
! src/share/classes/java/util/concurrent/ScheduledExecutorService.java
! src/share/classes/java/util/concurrent/ScheduledFuture.java
! src/share/classes/java/util/concurrent/ScheduledThreadPoolExecutor.java
! src/share/classes/java/util/concurrent/Semaphore.java
! src/share/classes/java/util/concurrent/SynchronousQueue.java
! src/share/classes/java/util/concurrent/ThreadFactory.java
! src/share/classes/java/util/concurrent/ThreadLocalRandom.java
! src/share/classes/java/util/concurrent/ThreadPoolExecutor.java
! src/share/classes/java/util/concurrent/TimeUnit.java
! src/share/classes/java/util/concurrent/TimeoutException.java
! src/share/classes/java/util/concurrent/TransferQueue.java
! src/share/classes/java/util/concurrent/atomic/AtomicBoolean.java
! src/share/classes/java/util/concurrent/atomic/AtomicInteger.java
! src/share/classes/java/util/concurrent/atomic/AtomicIntegerArray.java
! src/share/classes/java/util/concurrent/atomic/AtomicIntegerFieldUpdater.java
! src/share/classes/java/util/concurrent/atomic/AtomicLong.java
! src/share/classes/java/util/concurrent/atomic/AtomicLongArray.java
! src/share/classes/java/util/concurrent/atomic/AtomicLongFieldUpdater.java
! src/share/classes/java/util/concurrent/atomic/AtomicMarkableReference.java
! src/share/classes/java/util/concurrent/atomic/AtomicReference.java
! src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java
! src/share/classes/java/util/concurrent/atomic/AtomicReferenceFieldUpdater.java
! src/share/classes/java/util/concurrent/atomic/AtomicStampedReference.java
! src/share/classes/java/util/concurrent/atomic/package-info.java
! src/share/classes/java/util/concurrent/locks/AbstractOwnableSynchronizer.java
! src/share/classes/java/util/concurrent/locks/AbstractQueuedLongSynchronizer.java
! src/share/classes/java/util/concurrent/locks/AbstractQue