Re: Code Review Request: 7107611 sun.security.pkcs11.SessionManager is scalability blocker

Tony, I like this version better - a local "instance" session pool for P11Cipher is a bit excessive I think. One thing that I noticed with this change is that by switching to the ConcurrentLinkedQueue, you are retrieving sessions from the head and put them back at the end. This is different

Re: CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Hello again, I think the implementation of GCM cipher should respect the > specification of GCM mode. Before authentication tag get checked, no > plaintext should be released to application. See section 7.0 of GCM spec > (NIST SP-800-38D). > Wow! Strictly speaking, it seems like the GCM spec act

Re: Code Review Request: 7107611 sun.security.pkcs11.SessionManager is scalability blocker

On 03/06/2014 11:24 AM, Valerie (Yu-Ching) Peng wrote: Tony, I like this version better - a local "instance" session pool for P11Cipher is a bit excessive I think. One thing that I noticed with this change is that by switching to the ConcurrentLinkedQueue, you are retrieving sessions from the h

Re: CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Am Thu, 6 Mar 2014 21:14:06 +0100 schrieb Philipp Heckel : > - Using org.bouncycaslte.crypto.io.CipherInputStream with a cipher in > GCM mode and the BC provider is secure and can be used for large > files. However it does not work exactly like the GCM spec defined; > namely, it returns unauthenti

Re: Code review request: 8036543 Parfait JNI pending exceptions for j2secmod.c, j2secmod_md.c, and p11_md.c

webrev updated at: http://cr.openjdk.java.net/~ascarpino/8036543/webrev.01/ On 03/05/2014 04:02 PM, Anthony Scarpino wrote: Sure.. I debated that piece of code before the review too. Tony On 03/05/2014 03:52 PM, Valerie (Yu-Ching) Peng wrote: line 133 - 138, I think it's better to take the

Re: CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

On 3/7/2014 4:14 AM, Philipp Heckel wrote: > - Using org.bouncycaslte.crypto.io.CipherInputStream with a cipher in > GCM mode and the BC provider is secure and can be used for large files. > However it does not work exactly like the GCM spec defined; namely, it > returns unauthenticated data before

Re: CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

On Thu, Mar 06, 2014 at 10:01:57PM +0100, Bernd Eckenfels wrote: > My thinking was, that the "streamed" mode is usefull, but the "secure" > mode is also usefull. At least for BC I would recommend to have two > different cipher specs. A /GCM/ and a /GCMSTREAM/ mode. The later one > would not be enab

Re: Code Review Request: 7107611 sun.security.pkcs11.SessionManager is scalability blocker

Last time when I was debugging/observing the session pools, it's not just one or two sessions in the queue. It's at least hundreds possibly thousands when I ran one of the SSL stress tests. 1) line 273, do you really mean to return when the oldestSession.isLive() returns false?? 2) line 275

Re: Code review request: 8036543 Parfait JNI pending exceptions for j2secmod.c, j2secmod_md.c, and p11_md.c

How about line 223, there may be a pending exception thrown as well and this is inside a loop? Valerie On 03/06/14 14:37, Anthony Scarpino wrote: webrev updated at: http://cr.openjdk.java.net/~ascarpino/8036543/webrev.01/ On 03/05/2014 04:02 PM, Anthony Scarpino wrote: Sure.. I debated tha

Re: CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Hello Matthew, List, Am Thu, 6 Mar 2014 15:44:27 -0800 schrieb Matthew Hall : > On Thu, Mar 06, 2014 at 10:01:57PM +0100, Bernd Eckenfels wrote: > > My thinking was, that the "streamed" mode is usefull, but the > > "secure" mode is also usefull. At least for BC I would recommend to > > have two d

[9] Request for Review: 8036844: test failures due to wrong keystore paths

Please review this fix for 8036844, which updates the path to a keystore used in a couple of tests. The path is no longer accurate after the recent changes to the JSSE test hierarchy. This webrev also includes a patch from Max for an enhancement to printssl.sh to correctly handle a failure in P

Re: [9] Request for Review: 8036844: test failures due to wrong keystore paths

Change looks fine. *Xuelei*: Remember to run all tests next time. At least a JPRT. Thanks Max On Mar 7, 2014, at 10:25, Jason Uh wrote: > Please review this fix for 8036844, which updates the path to a keystore used > in a couple of tests. The path is no longer accurate after the recent chang

Re: Code Review Request: 7107611 sun.security.pkcs11.SessionManager is scalability blocker

On 03/06/2014 04:12 PM, Valerie (Yu-Ching) Peng wrote: Last time when I was debugging/observing the session pools, it's not just one or two sessions in the queue. It's at least hundreds possibly thousands when I ran one of the SSL stress tests. 1) line 273, do you really mean to return when the

Re: Code review request: 8036543 Parfait JNI pending exceptions for j2secmod.c, j2secmod_md.c, and p11_md.c

Don't think parfait caught that one.. updated http://cr.openjdk.java.net/~ascarpino/8036543/webrev.02/ On 03/06/2014 04:32 PM, Valerie (Yu-Ching) Peng wrote: How about line 223, there may be a pending exception thrown as well and this is inside a loop? Valerie On 03/06/14 14:37, Anthony S

RFR 8035963: The failed Kerberos tests due to timeouts

Hi All Please take a review of http://cr.openjdk.java.net/~weijun/8035963/webrev.00/ I've added a ratio variable to these timeout related tests. The ratio is now set to 2 (one exception, 3 for BadKdc2). This is mainly an experiment to how if they can be more stable when running slower. We w