Re: RFR: 8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
On Thu, 23 Sep 2021 19:31:32 GMT, Weijun Wang wrote:
>> The code change handles KDC_ERR_SVC_UNAVAILABLE error code (29) received
>> from KDC and resends the initial request to the next KDC in the list. It
>> aligns error code handling with the MIT Kerberos implementation.
>> sun/security/krb5 tests passed
>
> Here it is. Feel free to modify
> it.`test/jdk/sun/security/krb5/auto/Unavailable.java`:
>
>
> /*
> * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
> * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
> *
> * This code is free software; you can redistribute it and/or modify it
> * under the terms of the GNU General Public License version 2 only, as
> * published by the Free Software Foundation.
> *
> * This code is distributed in the hope that it will be useful, but WITHOUT
> * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> * version 2 for more details (a copy is included in the LICENSE file that
> * accompanied this code).
> *
> * You should have received a copy of the GNU General Public License version
> * 2 along with this work; if not, write to the Free Software Foundation,
> * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
> *
> * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
> * or visit www.oracle.com if you need additional information or have any
> * questions.
> */
>
> /*
> * @test
> * @bug 8274205
> * @summary Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
> * @library /test/lib
> * @compile -XDignore.symbol.file Unavailable.java
> * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
> * @run main/othervm -Djdk.net.hosts.file=TestHosts Unavailable
> */
>
> import sun.security.krb5.Config;
> import sun.security.krb5.PrincipalName;
> import sun.security.krb5.internal.KRBError;
> import sun.security.krb5.internal.KerberosTime;
>
> import java.nio.file.Files;
> import java.nio.file.Path;
> import java.util.Locale;
>
> public class Unavailable {
>
> public static void main(String[] args) throws Exception {
>
> // Good KDC
> KDC kdc1 = KDC.create(OneKDC.REALM);
> kdc1.addPrincipal(OneKDC.USER, OneKDC.PASS);
> kdc1.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
>
> // The "not available" KDC
> KDC kdc2 = new KDC(OneKDC.REALM, "kdc." +
> OneKDC.REALM.toLowerCase(Locale.US), 0, true) {
> @Override
> protected byte[] processAsReq(byte[] in) throws Exception {
> KRBError err = new KRBError(null, null, null,
> KerberosTime.now(), 0,
> 29, // KDC_ERR_SVC_UNAVAILABLE
> null, new PrincipalName("krbtgt/" + OneKDC.REALM),
> null, null);
> return err.asn1Encode();
> }
> };
>
> Files.write(Path.of(OneKDC.KRB5_CONF), String.format("""
> [libdefaults]
> default_realm = RABBIT.HOLE
>
> [realms]
> RABBIT.HOLE = {
> kdc = kdc.rabbit.hole:%d
> kdc = kdc.rabbit.hole:%d
> }
> """, kdc2.getPort(), kdc1.getPort()).getBytes());
> System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
> Config.refresh();
>
> Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
> }
> }
@wangweij Thank you a lot for the quick review and test
-
PR: https://git.openjdk.java.net/jdk/pull/5658
Re: RFR: 8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC [v2]
> The code change handles KDC_ERR_SVC_UNAVAILABLE error code (29) received from > KDC and resends the initial request to the next KDC in the list. It aligns > error code handling with the MIT Kerberos implementation. > sun/security/krb5 tests passed Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: Added Unavailable test - Changes: - all: https://git.openjdk.java.net/jdk/pull/5658/files - new: https://git.openjdk.java.net/jdk/pull/5658/files/6bf7dfc0..96774140 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5658&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5658&range=00-01 Stats: 80 lines in 1 file changed: 80 ins; 0 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/5658.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5658/head:pull/5658 PR: https://git.openjdk.java.net/jdk/pull/5658
Re: RFR: 8273670: Remove weak etypes from default krb5 etype list
On Thu, 23 Sep 2021 14:32:01 GMT, Weijun Wang wrote: > This code change removes weak etypes from the default list so it's safer to > enable one of them. See the corresponding CSR at > https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, > please review the CSR as well. I will take a look, thanks~ - PR: https://git.openjdk.java.net/jdk/pull/5654
Re: RFR: 8273297: AES/GCM non-AVX512+VAES CPUs suffer after 8267125 [v5]
On Wed, 22 Sep 2021 22:48:32 GMT, Smita Kamath wrote: >> Performance dropped up to 10% for 1k data after 8267125 for CPUs that do not >> support the new intrinsic. Tests run were crypto.full.AESGCMBench and >> crypto.full.AESGCMByteBuffer from the jmh micro benchmarks. >> >> The problem is each instance of GHASH allocates 96 extra longs for the >> AVX512+VAES intrinsic regardless if the intrinsic is used. This extra table >> space should be allocated differently so that non-supporting CPUs do not >> suffer this penalty. This issue also affects non-Intel CPUs too. > > Smita Kamath has updated the pull request incrementally with one additional > commit since the last revision: > > Added htbl_entries constant to other architectures Hotspot changes look good. - PR: https://git.openjdk.java.net/jdk/pull/5402
Re: RFR: 8273297: AES/GCM non-AVX512+VAES CPUs suffer after 8267125 [v2]
On Mon, 20 Sep 2021 16:44:58 GMT, Anthony Scarpino wrote: >> Smita Kamath has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Added a wrapper around aes-gcm intrinsic, changed data size in TestAESMain >> and added a new constant for htbl entries > > I approve the jdk changes. You'll need a hotspot reviewer to approve the > other changes @ascarpino Is it okay to integrate this patch? - PR: https://git.openjdk.java.net/jdk/pull/5402
RFR: 8274237: Replace 'for' cycles with iterator with enhanced-for in java.base
There are few places in code where manual `for` loop is used with Iterator to iterate over Collection. Instead of manual `for` cycles it's preferred to use enhanced-for cycle instead: it's less verbose, makes code easier to read and it's less error-prone. Sometimes we even don't need cycle at all: we can just create one ArrayList as a copy of another. It doesn't have any performance impact: java compiler generates similar code when compiling enhanced-for cycle. This is continuation of [JDK-8273261](https://bugs.openjdk.java.net/browse/JDK-8273261) - Commit messages: - [PATCH] Replace 'for' cycles with iterator with enhanced-for in java.base Changes: https://git.openjdk.java.net/jdk/pull/5665/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5665&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274237 Stats: 32 lines in 4 files changed: 0 ins; 14 del; 18 mod Patch: https://git.openjdk.java.net/jdk/pull/5665.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5665/head:pull/5665 PR: https://git.openjdk.java.net/jdk/pull/5665
Re: RFR: 8273299: Unnecessary Vector usage in java.security.jgss [v2]
> Usage of thread-safe collection Vector is unnecessary. It's recommended to > use ArrayList if a thread-safe implementation is not needed. Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: 8273299: Unnecessary Vector usage in java.security.jgss use result of toArray to make sure our array is properly filled - Changes: - all: https://git.openjdk.java.net/jdk/pull/5264/files - new: https://git.openjdk.java.net/jdk/pull/5264/files/6ce045aa..91bfda89 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5264&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5264&range=00-01 Stats: 26 lines in 11 files changed: 0 ins; 13 del; 13 mod Patch: https://git.openjdk.java.net/jdk/pull/5264.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5264/head:pull/5264 PR: https://git.openjdk.java.net/jdk/pull/5264
Re: RFR: 8273299: Unnecessary Vector usage in java.security.jgss [v2]
On Thu, 26 Aug 2021 20:37:59 GMT, Andrey Turbanov wrote: >> src/java.security.jgss/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java >> line 574: >> >>> 572: v.add(st.nextToken()); >>> 573: } >>> 574: final String[] command = new String[v.size()]; >> >> Could probably simplify most of these .toArray to simply `var variable = >> myarraylist.toArray(new ArrayType[0])` > > I think it's better to leave it to separate cleanup issue. Simplified - PR: https://git.openjdk.java.net/jdk/pull/5264
Integrated: 8273261: Replace 'while' cycles with iterator with enhanced-for in java.base
On Wed, 1 Sep 2021 07:37:53 GMT, Andrey Turbanov wrote: > There are few places in code where manual while loop is used with Iterator to > iterate over Collection. > Instead of manual while cycles it's preferred to use enhanced-for cycle > instead: it's less verbose, makes code easier to read and it's less > error-prone. > It doesn't have any performance impact: java compiler generates similar code > when compiling enhanced-for cycle. > > Similar cleanups: > * https://bugs.openjdk.java.net/browse/JDK-8258006 > * https://bugs.openjdk.java.net/browse/JDK-8257912 This pull request has now been integrated. Changeset: 56b8b352 Author:Andrey Turbanov Committer: Roger Riggs URL: https://git.openjdk.java.net/jdk/commit/56b8b35286634f2d2224ca445bc9f32ff284ae74 Stats: 93 lines in 11 files changed: 1 ins; 50 del; 42 mod 8273261: Replace 'while' cycles with iterator with enhanced-for in java.base Reviewed-by: dfuchs, rriggs, iris, mullan - PR: https://git.openjdk.java.net/jdk/pull/5328
Re: RFR: 8273261: Replace 'while' cycles with iterator with enhanced-for in java.base
On Wed, 1 Sep 2021 07:37:53 GMT, Andrey Turbanov wrote: > There are few places in code where manual while loop is used with Iterator to > iterate over Collection. > Instead of manual while cycles it's preferred to use enhanced-for cycle > instead: it's less verbose, makes code easier to read and it's less > error-prone. > It doesn't have any performance impact: java compiler generates similar code > when compiling enhanced-for cycle. > > Similar cleanups: > * https://bugs.openjdk.java.net/browse/JDK-8258006 > * https://bugs.openjdk.java.net/browse/JDK-8257912 Can someone sponsor changes, please? I believe we have enough approvals. - PR: https://git.openjdk.java.net/jdk/pull/5328
Re: RFR: 8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
On Thu, 23 Sep 2021 16:52:07 GMT, Alexey Bakhtin wrote:
> The code change handles KDC_ERR_SVC_UNAVAILABLE error code (29) received from
> KDC and resends the initial request to the next KDC in the list. It aligns
> error code handling with the MIT Kerberos implementation.
> sun/security/krb5 tests passed
Here it is. Feel free to modify
it.`test/jdk/sun/security/krb5/auto/Unavailable.java`:
/*
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8274205
* @summary Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
* @library /test/lib
* @compile -XDignore.symbol.file Unavailable.java
* @run main jdk.test.lib.FileInstaller TestHosts TestHosts
* @run main/othervm -Djdk.net.hosts.file=TestHosts Unavailable
*/
import sun.security.krb5.Config;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.KRBError;
import sun.security.krb5.internal.KerberosTime;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
public class Unavailable {
public static void main(String[] args) throws Exception {
// Good KDC
KDC kdc1 = KDC.create(OneKDC.REALM);
kdc1.addPrincipal(OneKDC.USER, OneKDC.PASS);
kdc1.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
// The "not available" KDC
KDC kdc2 = new KDC(OneKDC.REALM, "kdc." +
OneKDC.REALM.toLowerCase(Locale.US), 0, true) {
@Override
protected byte[] processAsReq(byte[] in) throws Exception {
KRBError err = new KRBError(null, null, null,
KerberosTime.now(), 0,
29, // KDC_ERR_SVC_UNAVAILABLE
null, new PrincipalName("krbtgt/" + OneKDC.REALM),
null, null);
return err.asn1Encode();
}
};
Files.write(Path.of(OneKDC.KRB5_CONF), String.format("""
[libdefaults]
default_realm = RABBIT.HOLE
[realms]
RABBIT.HOLE = {
kdc = kdc.rabbit.hole:%d
kdc = kdc.rabbit.hole:%d
}
""", kdc2.getPort(), kdc1.getPort()).getBytes());
System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
Config.refresh();
Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
}
}
-
PR: https://git.openjdk.java.net/jdk/pull/5658
Re: RFR: 8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
On Thu, 23 Sep 2021 16:52:07 GMT, Alexey Bakhtin wrote: > The code change handles KDC_ERR_SVC_UNAVAILABLE error code (29) received from > KDC and resends the initial request to the next KDC in the list. It aligns > error code handling with the MIT Kerberos implementation. > sun/security/krb5 tests passed The code change looks fine to me. I'd like to contribute a regression test. Please wait for several hours. - PR: https://git.openjdk.java.net/jdk/pull/5658
RFR: 8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
The code change handles KDC_ERR_SVC_UNAVAILABLE error code (29) received from KDC and resends the initial request to the next KDC in the list. It aligns error code handling with the MIT Kerberos implementation. sun/security/krb5 tests passed - Commit messages: - 8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC Changes: https://git.openjdk.java.net/jdk/pull/5658/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5658&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274205 Stats: 8 lines in 2 files changed: 6 ins; 0 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5658.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5658/head:pull/5658 PR: https://git.openjdk.java.net/jdk/pull/5658
RFR: 8273670: Remove weak etypes from default krb5 etype list
This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well. - Commit messages: - 8273670: Remove weak etypes from default krb5 etype list Changes: https://git.openjdk.java.net/jdk/pull/5654/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5654&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8273670 Stats: 186 lines in 7 files changed: 86 ins; 61 del; 39 mod Patch: https://git.openjdk.java.net/jdk/pull/5654.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5654/head:pull/5654 PR: https://git.openjdk.java.net/jdk/pull/5654
Integrated: 8274075: Fix miscellaneous typos in java.base
On Tue, 21 Sep 2021 12:26:25 GMT, Pavel Rappo wrote: > 8274075: Fix miscellaneous typos in java.base This pull request has now been integrated. Changeset: 87998565 Author:Pavel Rappo URL: https://git.openjdk.java.net/jdk/commit/8799856528f5804b616b734caed3fc4ba9811bfa Stats: 26 lines in 9 files changed: 0 ins; 1 del; 25 mod 8274075: Fix miscellaneous typos in java.base Reviewed-by: dfuchs, darcy, iris, lancea, bpb - PR: https://git.openjdk.java.net/jdk/pull/5610
