------------------------------------------------------------ revno: 614 committer: Matthias Klose <d...@ubuntu.com> branch nick: openjdk7 timestamp: Tue 2017-05-16 21:47:17 -0700 message: openjdk-7 (7u131-2.6.9-2) experimental; urgency=high [ Tiago Stürmer Daitx ] * Fix JDK regression introduced by 7u131 upgrade: (LP: #1691126) - d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch: fix "IllegalArgumentException: jdk.tls.namedGroups" backported from http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f5d0aadb4d1c -- Matthias Klose <d...@ubuntu.com> Tue, 16 May 2017 21:42:12 -0700 added: patches/jdk-S8173783-fix-illegalargumentexception-regression.patch modified: changelog rules
-- lp:~openjdk/openjdk/openjdk7 https://code.launchpad.net/~openjdk/openjdk/openjdk7 Your team Debian Java Maintainers is subscribed to branch lp:~openjdk/openjdk/openjdk7. To unsubscribe from this branch go to https://code.launchpad.net/~openjdk/openjdk/openjdk7/+edit-subscription
=== modified file 'changelog' --- changelog 2017-05-16 21:00:26 +0000 +++ changelog 2017-05-17 04:47:17 +0000 @@ -1,3 +1,13 @@ +openjdk-7 (7u131-2.6.9-2) experimental; urgency=high + + [ Tiago Stürmer Daitx ] + * Fix JDK regression introduced by 7u131 upgrade: (LP: #1691126) + - d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch: + fix "IllegalArgumentException: jdk.tls.namedGroups" backported + from http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f5d0aadb4d1c + + -- Matthias Klose <d...@ubuntu.com> Tue, 16 May 2017 21:42:12 -0700 + openjdk-7 (7u131-2.6.9-1) experimental; urgency=high [ Tiago Stürmer Daitx ] === added file 'patches/jdk-S8173783-fix-illegalargumentexception-regression.patch' --- patches/jdk-S8173783-fix-illegalargumentexception-regression.patch 1970-01-01 00:00:00 +0000 +++ patches/jdk-S8173783-fix-illegalargumentexception-regression.patch 2017-05-17 04:47:17 +0000 @@ -0,0 +1,356 @@ + +# HG changeset patch +# User coffeys +# Date 1486555800 0 +# Node ID f5d0aadb4d1ca74eda4e98cc0030f1618ef4c870 +# Parent 8a2c97926e639a341396cee3364b51bdf28ee350 +8173783: IllegalArgumentException: jdk.tls.namedGroups +Reviewed-by: xuelei, wetmore + +--- openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java.orig ++++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -43,6 +43,9 @@ import sun.security.action.GetPropertyAc + + final class SupportedEllipticCurvesExtension extends HelloExtension { + ++ /* Class and subclass dynamic debugging support */ ++ private static final Debug debug = Debug.getInstance("ssl"); ++ + private static final int ARBITRARY_PRIME = 0xff01; + private static final int ARBITRARY_CHAR2 = 0xff02; + +@@ -136,6 +139,11 @@ final class SupportedEllipticCurvesExten + } // ignore unknown curves + } + } ++ if (idList.isEmpty() && JsseJce.isEcAvailable()) { ++ throw new IllegalArgumentException( ++ "System property jdk.tls.namedGroups(" + property + ") " + ++ "contains no supported elliptic curves"); ++ } + } else { // default curves + int[] ids = new int[] { + // NSS currently only supports these three NIST curves +@@ -150,18 +158,19 @@ final class SupportedEllipticCurvesExten + } + } + +- if (idList.isEmpty()) { +- throw new IllegalArgumentException( +- "System property jdk.tls.namedGroups(" + property + ") " + +- "contains no supported elliptic curves"); +- } else { ++ if (debug != null && idList.isEmpty()) { ++ debug.println( ++ "Initialized [jdk.tls.namedGroups|default] list contains " + ++ "no available elliptic curves. " + ++ (property != null ? "(" + property + ")" : "[Default]")); ++ } ++ + supportedCurveIds = new int[idList.size()]; + int i = 0; + for (Integer id : idList) { + supportedCurveIds[i++] = id; + } + } +- } + + // check whether the curve is supported by the underlying providers + private static boolean isAvailableCurve(int curveId) { +--- /dev/null ++++ openjdk/jdk/test/sun/security/ssl/ServerHandshaker/HelloExtensionsTest.java +@@ -0,0 +1,287 @@ ++/* ++ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++/* ++ * @test ++ * @bug 8173783 ++ * @summary 6u141 IllegalArgumentException: jdk.tls.namedGroups ++ * run main/othervm HelloExtensionsTest ++ * run main/othervm HelloExtensionsTest -Djdk.tls.namedGroups="bug, bug" ++ * run main/othervm HelloExtensionsTest -Djdk.tls.namedGroups="secp521r1" ++ * ++ */ ++import javax.crypto.*; ++import javax.net.ssl.*; ++import javax.net.ssl.SSLEngineResult.*; ++import java.io.*; ++import java.nio.*; ++import java.security.*; ++ ++public class HelloExtensionsTest { ++ ++ private static boolean debug = false; ++ private static boolean proceed = true; ++ private static boolean EcAvailable = isEcAvailable(); ++ ++ static String pathToStores = "../etc"; ++ private static String keyStoreFile = "keystore"; ++ private static String trustStoreFile = "truststore"; ++ private static String passwd = "passphrase"; ++ ++ private static String keyFilename = ++ System.getProperty("test.src", "./") + "/" + pathToStores + ++ "/" + keyStoreFile; ++ private static String trustFilename = ++ System.getProperty("test.src", "./") + "/" + pathToStores + ++ "/" + trustStoreFile; ++ ++ private static void checkDone(SSLEngine ssle) throws Exception { ++ if (!ssle.isInboundDone()) { ++ throw new Exception("isInboundDone isn't done"); ++ } ++ if (!ssle.isOutboundDone()) { ++ throw new Exception("isOutboundDone isn't done"); ++ } ++ } ++ ++ private static void runTest(SSLEngine ssle) throws Exception { ++ ++ /* ++ ++ A client hello message captured via wireshark by selecting ++ a TLSv1.2 Client Hello record and clicking through to the ++ TLSv1.2 Record Layer line and then selecting the hex stream ++ via "copy -> bytes -> hex stream". ++ ++ For Record purposes, here's the ClientHello : ++ ++ *** ClientHello, TLSv1.2 ++ RandomCookie: GMT: 1469560450 bytes = { 108, 140, 12, 202, ++ 2, 213, 10, 236, 143, 223, 58, 162, 228, 155, 239, 3, 98, ++ 232, 89, 41, 116, 120, 13, 37, 105, 153, 97, 241 } ++ Session ID: {} ++ Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, ++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, ++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, ++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, ++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, ++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, ++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, ++ TLS_RSA_WITH_AES_128_CBC_SHA, ++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, ++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, ++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, ++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, ++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, ++ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ++ SSL_RSA_WITH_3DES_EDE_CBC_SHA, ++ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, ++ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, ++ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, ++ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, ++ TLS_EMPTY_RENEGOTIATION_INFO_SCSV] ++ Compression Methods: { 0 } ++ Extension elliptic_curves, curve names: {secp256r1, ++ sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, ++ sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, ++ sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, ++ secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} ++ Extension ec_point_formats, formats: [uncompressed] ++ Extension signature_algorithms, signature_algorithms: ++ SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, ++ SHA256withECDSA, SHA256withRSA, Unknown (hash:0x3, signature:0x3), ++ Unknown (hash:0x3, signature:0x1), SHA1withECDSA, ++ SHA1withRSA, SHA1withDSA ++ Extension server_name, server_name: ++ [host_name: bugs.openjdk.java.net] ++ */ ++ ++ String hello = "16030300df010000db03035898b7826c8c0cc" + ++ "a02d50aec8fdf3aa2e49bef0362e8592974780d25699961f" + ++ "100003ac023c027003cc025c02900670040c009c013002fc" + ++ "004c00e00330032c02bc02f009cc02dc031009e00a2c008c" + ++ "012000ac003c00d0016001300ff01000078000a003400320" + ++ "0170001000300130015000600070009000a0018000b000c0" + ++ "019000d000e000f001000110002001200040005001400080" + ++ "016000b00020100000d00180016060306010503050104030" + ++ "401030303010203020102020000001a00180000156275677" + ++ "32e6f70656e6a646b2e6a6176612e6e6574"; ++ ++ byte[] msg_clihello = hexStringToByteArray(hello); ++ ByteBuffer bf_clihello = ByteBuffer.wrap(msg_clihello); ++ ++ SSLSession session = ssle.getSession(); ++ int appBufferMax = session.getApplicationBufferSize(); ++ int netBufferMax = session.getPacketBufferSize(); ++ ++ ByteBuffer serverIn = ByteBuffer.allocate(appBufferMax + 50); ++ ByteBuffer serverOut = ByteBuffer.wrap("I'm Server".getBytes()); ++ ByteBuffer sTOc = ByteBuffer.allocate(netBufferMax); ++ ++ ssle.beginHandshake(); ++ ++ // unwrap the clientHello message. ++ SSLEngineResult result = ssle.unwrap(bf_clihello, serverIn); ++ System.out.println("server unwrap " + result); ++ runDelegatedTasks(result, ssle); ++ ++ if (!proceed) { ++ //expected exception occurred. Don't process anymore ++ return; ++ } ++ ++ // one more step, ensure the clientHello message is parsed. ++ SSLEngineResult.HandshakeStatus status = ssle.getHandshakeStatus(); ++ if ( status == HandshakeStatus.NEED_UNWRAP) { ++ result = ssle.unwrap(bf_clihello, serverIn); ++ System.out.println("server unwrap " + result); ++ runDelegatedTasks(result, ssle); ++ } else if ( status == HandshakeStatus.NEED_WRAP) { ++ result = ssle.wrap(serverOut, sTOc); ++ System.out.println("server wrap " + result); ++ runDelegatedTasks(result, ssle); ++ } else { ++ throw new Exception("unexpected handshake status " + status); ++ } ++ ++ // enough, stop ++ } ++ ++ /* ++ * If the result indicates that we have outstanding tasks to do, ++ * go ahead and run them in this thread. ++ */ ++ private static void runDelegatedTasks(SSLEngineResult result, ++ SSLEngine engine) throws Exception { ++ ++ if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) { ++ Runnable runnable; ++ try { ++ while ((runnable = engine.getDelegatedTask()) != null) { ++ log("\trunning delegated task..."); ++ runnable.run(); ++ } ++ } catch (ExceptionInInitializerError e) { ++ String v = System.getProperty("jdk.tls.namedGroups"); ++ if (!EcAvailable || v == null) { ++ // we weren't expecting this if no EC providers ++ throw new RuntimeException("Unexpected Error :" + e); ++ } ++ if (v != null && v.contains("bug")) { ++ // OK - we were expecting this Error ++ log("got expected error for bad jdk.tls.namedGroups"); ++ proceed = false; ++ return; ++ } else { ++ System.out.println("Unexpected error. " + ++ "jdk.tls.namedGroups value: " + v); ++ throw e; ++ } ++ } ++ HandshakeStatus hsStatus = engine.getHandshakeStatus(); ++ if (hsStatus == HandshakeStatus.NEED_TASK) { ++ throw new Exception( ++ "handshake shouldn't need additional tasks"); ++ } ++ log("\tnew HandshakeStatus: " + hsStatus); ++ } ++ } ++ ++ private static byte[] hexStringToByteArray(String s) { ++ int len = s.length(); ++ byte[] data = new byte[len / 2]; ++ for (int i = 0; i < len; i += 2) { ++ data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) ++ + Character.digit(s.charAt(i+1), 16)); ++ } ++ return data; ++ } ++ ++ private static boolean isEcAvailable() { ++ try { ++ Signature.getInstance("SHA1withECDSA"); ++ Signature.getInstance("NONEwithECDSA"); ++ KeyAgreement.getInstance("ECDH"); ++ KeyFactory.getInstance("EC"); ++ KeyPairGenerator.getInstance("EC"); ++ AlgorithmParameters.getInstance("EC"); ++ } catch (Exception e) { ++ log("EC not available. Received: " + e); ++ return false; ++ } ++ return true; ++ } ++ ++ public static void main(String args[]) throws Exception { ++ SSLEngine ssle = createSSLEngine(keyFilename, trustFilename); ++ runTest(ssle); ++ System.out.println("Test Passed."); ++ } ++ ++ /* ++ * Create an initialized SSLContext to use for this test. ++ */ ++ static private SSLEngine createSSLEngine(String keyFile, String trustFile) ++ throws Exception { ++ ++ SSLEngine ssle; ++ ++ KeyStore ks = KeyStore.getInstance("JKS"); ++ KeyStore ts = KeyStore.getInstance("JKS"); ++ ++ char[] passphrase = "passphrase".toCharArray(); ++ ++ ks.load(new FileInputStream(keyFile), passphrase); ++ ts.load(new FileInputStream(trustFile), passphrase); ++ ++ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); ++ kmf.init(ks, passphrase); ++ ++ TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); ++ tmf.init(ts); ++ ++ SSLContext sslCtx = SSLContext.getInstance("TLS"); ++ ++ sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); ++ ++ ssle = sslCtx.createSSLEngine(); ++ ssle.setUseClientMode(false); ++ ++ return ssle; ++ } ++ ++ ++ private static void log(String str) { ++ if (debug) { ++ System.out.println(str); ++ } ++ } ++} === modified file 'rules' --- rules 2017-05-16 21:00:26 +0000 +++ rules 2017-05-17 04:47:17 +0000 @@ -429,6 +429,10 @@ debian/patches/sec-webrev-8u131-8171533-jdk.patch \ debian/patches/sec-webrev-8u131-8172299-jdk.patch +# Fix 7u131 regression +DISTRIBUTION_PATCHES += \ + debian/patches/jdk-S8173783-fix-illegalargumentexception-regression.patch + export DISTRIBUTION_PATCHES DISTRIBUTION_BOOT_PATCHES ifeq ($(STAGE1_JAVA),gcj)
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.