------------------------------------------------------------
revno: 614
committer: Matthias Klose <d...@ubuntu.com>
branch nick: openjdk7
timestamp: Tue 2017-05-16 21:47:17 -0700
message:
  openjdk-7 (7u131-2.6.9-2) experimental; urgency=high
  
    [ Tiago Stürmer Daitx ]
    * Fix JDK regression introduced by 7u131 upgrade: (LP: #1691126)
      - d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch:
        fix "IllegalArgumentException: jdk.tls.namedGroups" backported
        from http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f5d0aadb4d1c
  
   -- Matthias Klose <d...@ubuntu.com>  Tue, 16 May 2017 21:42:12 -0700
added:
  patches/jdk-S8173783-fix-illegalargumentexception-regression.patch
modified:
  changelog
  rules


--
lp:~openjdk/openjdk/openjdk7
https://code.launchpad.net/~openjdk/openjdk/openjdk7

=== modified file 'changelog'
--- changelog	2017-05-16 21:00:26 +0000
+++ changelog	2017-05-17 04:47:17 +0000
@@ -1,3 +1,13 @@
+openjdk-7 (7u131-2.6.9-2) experimental; urgency=high
+
+  [ Tiago Stürmer Daitx ]
+  * Fix JDK regression introduced by 7u131 upgrade: (LP: #1691126)
+    - d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch:
+      fix "IllegalArgumentException: jdk.tls.namedGroups" backported
+      from http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f5d0aadb4d1c
+
+ -- Matthias Klose <d...@ubuntu.com>  Tue, 16 May 2017 21:42:12 -0700
+
 openjdk-7 (7u131-2.6.9-1) experimental; urgency=high
 
   [ Tiago Stürmer Daitx ]

=== added file 'patches/jdk-S8173783-fix-illegalargumentexception-regression.patch'
--- patches/jdk-S8173783-fix-illegalargumentexception-regression.patch	1970-01-01 00:00:00 +0000
+++ patches/jdk-S8173783-fix-illegalargumentexception-regression.patch	2017-05-17 04:47:17 +0000
@@ -0,0 +1,356 @@
+
+# HG changeset patch
+# User coffeys
+# Date 1486555800 0
+# Node ID f5d0aadb4d1ca74eda4e98cc0030f1618ef4c870
+# Parent  8a2c97926e639a341396cee3364b51bdf28ee350
+8173783: IllegalArgumentException: jdk.tls.namedGroups
+Reviewed-by: xuelei, wetmore
+
+--- openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java.orig
++++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -43,6 +43,9 @@ import sun.security.action.GetPropertyAc
+ 
+ final class SupportedEllipticCurvesExtension extends HelloExtension {
+ 
++    /* Class and subclass dynamic debugging support */
++    private static final Debug debug = Debug.getInstance("ssl");
++
+     private static final int ARBITRARY_PRIME = 0xff01;
+     private static final int ARBITRARY_CHAR2 = 0xff02;
+ 
+@@ -136,6 +139,11 @@ final class SupportedEllipticCurvesExten
+                     }   // ignore unknown curves
+                 }
+             }
++            if (idList.isEmpty() && JsseJce.isEcAvailable()) {
++                throw new IllegalArgumentException(
++                    "System property jdk.tls.namedGroups(" + property + ") " +
++                    "contains no supported elliptic curves");
++            }
+         } else {        // default curves
+             int[] ids = new int[] { 
+ 		// NSS currently only supports these three NIST curves
+@@ -150,18 +158,19 @@ final class SupportedEllipticCurvesExten
+             }
+         }
+ 
+-        if (idList.isEmpty()) {
+-            throw new IllegalArgumentException(
+-                "System property jdk.tls.namedGroups(" + property + ") " +
+-                "contains no supported elliptic curves");
+-        } else {
++        if (debug != null && idList.isEmpty()) {
++            debug.println(
++                "Initialized [jdk.tls.namedGroups|default] list contains " +
++                "no available elliptic curves. " +
++                (property != null ? "(" + property + ")" : "[Default]"));
++        }
++
+             supportedCurveIds = new int[idList.size()];
+             int i = 0;
+             for (Integer id : idList) {
+                 supportedCurveIds[i++] = id;
+             }
+         }
+-    }
+ 
+     // check whether the curve is supported by the underlying providers
+     private static boolean isAvailableCurve(int curveId) {
+--- /dev/null
++++ openjdk/jdk/test/sun/security/ssl/ServerHandshaker/HelloExtensionsTest.java
+@@ -0,0 +1,287 @@
++/*
++ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/*
++ * @test
++ * @bug 8173783
++ * @summary 6u141 IllegalArgumentException: jdk.tls.namedGroups
++ * run main/othervm HelloExtensionsTest
++ * run main/othervm HelloExtensionsTest -Djdk.tls.namedGroups="bug, bug"
++ * run main/othervm HelloExtensionsTest -Djdk.tls.namedGroups="secp521r1"
++ *
++ */
++import javax.crypto.*;
++import javax.net.ssl.*;
++import javax.net.ssl.SSLEngineResult.*;
++import java.io.*;
++import java.nio.*;
++import java.security.*;
++
++public class HelloExtensionsTest {
++
++    private static boolean debug = false;
++    private static boolean proceed = true;
++    private static boolean EcAvailable = isEcAvailable();
++
++    static String pathToStores = "../etc";
++    private static String keyStoreFile = "keystore";
++    private static String trustStoreFile = "truststore";
++    private static String passwd = "passphrase";
++
++    private static String keyFilename =
++            System.getProperty("test.src", "./") + "/" + pathToStores +
++                "/" + keyStoreFile;
++    private static String trustFilename =
++            System.getProperty("test.src", "./") + "/" + pathToStores +
++                "/" + trustStoreFile;
++
++    private static void checkDone(SSLEngine ssle) throws Exception {
++        if (!ssle.isInboundDone()) {
++            throw new Exception("isInboundDone isn't done");
++        }
++        if (!ssle.isOutboundDone()) {
++            throw new Exception("isOutboundDone isn't done");
++        }
++    }
++
++    private static void runTest(SSLEngine ssle) throws Exception {
++
++         /*
++
++         A client hello message captured via wireshark by selecting
++         a TLSv1.2 Client Hello record and clicking through to the
++         TLSv1.2 Record Layer line and then selecting the hex stream
++         via "copy -> bytes -> hex stream".
++
++         For Record purposes, here's the ClientHello :
++
++         *** ClientHello, TLSv1.2
++         RandomCookie:  GMT: 1469560450 bytes = { 108, 140, 12, 202,
++         2, 213, 10, 236, 143, 223, 58, 162, 228, 155, 239, 3, 98,
++         232, 89, 41, 116, 120, 13, 37, 105, 153, 97, 241 }
++         Session ID:  {}
++         Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
++         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
++         TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
++         TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
++         TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
++         TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
++         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
++         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
++         TLS_RSA_WITH_AES_128_CBC_SHA,
++         TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
++         TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
++         TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
++         TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
++         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
++         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++         TLS_RSA_WITH_AES_128_GCM_SHA256,
++         TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
++         TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
++         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
++         TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
++         TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++         TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
++         SSL_RSA_WITH_3DES_EDE_CBC_SHA,
++         TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
++         TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
++         SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
++         SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
++         TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
++         Compression Methods:  { 0 }
++         Extension elliptic_curves, curve names: {secp256r1,
++         sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1,
++         sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1,
++         sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1,
++         secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
++         Extension ec_point_formats, formats: [uncompressed]
++         Extension signature_algorithms, signature_algorithms:
++         SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA,
++         SHA256withECDSA, SHA256withRSA, Unknown (hash:0x3, signature:0x3),
++         Unknown (hash:0x3, signature:0x1), SHA1withECDSA,
++         SHA1withRSA, SHA1withDSA
++         Extension server_name, server_name:
++         [host_name: bugs.openjdk.java.net]
++         */
++
++        String hello = "16030300df010000db03035898b7826c8c0cc" +
++            "a02d50aec8fdf3aa2e49bef0362e8592974780d25699961f" +
++            "100003ac023c027003cc025c02900670040c009c013002fc" +
++            "004c00e00330032c02bc02f009cc02dc031009e00a2c008c" +
++            "012000ac003c00d0016001300ff01000078000a003400320" +
++            "0170001000300130015000600070009000a0018000b000c0" +
++            "019000d000e000f001000110002001200040005001400080" +
++            "016000b00020100000d00180016060306010503050104030" +
++            "401030303010203020102020000001a00180000156275677" +
++            "32e6f70656e6a646b2e6a6176612e6e6574";
++
++        byte[] msg_clihello = hexStringToByteArray(hello);
++        ByteBuffer bf_clihello = ByteBuffer.wrap(msg_clihello);
++
++        SSLSession session = ssle.getSession();
++        int appBufferMax = session.getApplicationBufferSize();
++        int netBufferMax = session.getPacketBufferSize();
++
++        ByteBuffer serverIn = ByteBuffer.allocate(appBufferMax + 50);
++        ByteBuffer serverOut = ByteBuffer.wrap("I'm Server".getBytes());
++        ByteBuffer sTOc = ByteBuffer.allocate(netBufferMax);
++
++        ssle.beginHandshake();
++
++        // unwrap the clientHello message.
++        SSLEngineResult result = ssle.unwrap(bf_clihello, serverIn);
++        System.out.println("server unwrap " + result);
++        runDelegatedTasks(result, ssle);
++
++        if (!proceed) {
++            //expected exception occurred. Don't process anymore
++            return;
++        }
++
++        // one more step, ensure the clientHello message is parsed.
++        SSLEngineResult.HandshakeStatus status = ssle.getHandshakeStatus();
++        if ( status == HandshakeStatus.NEED_UNWRAP) {
++            result = ssle.unwrap(bf_clihello, serverIn);
++            System.out.println("server unwrap " + result);
++            runDelegatedTasks(result, ssle);
++        } else if ( status == HandshakeStatus.NEED_WRAP) {
++            result = ssle.wrap(serverOut, sTOc);
++            System.out.println("server wrap " + result);
++            runDelegatedTasks(result, ssle);
++        } else {
++            throw new Exception("unexpected handshake status " + status);
++        }
++
++        // enough, stop
++    }
++
++    /*
++     * If the result indicates that we have outstanding tasks to do,
++     * go ahead and run them in this thread.
++     */
++    private static void runDelegatedTasks(SSLEngineResult result,
++            SSLEngine engine) throws Exception {
++
++        if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
++            Runnable runnable;
++            try {
++                while ((runnable = engine.getDelegatedTask()) != null) {
++                    log("\trunning delegated task...");
++                    runnable.run();
++                }
++            } catch (ExceptionInInitializerError e) {
++                String v = System.getProperty("jdk.tls.namedGroups");
++                if (!EcAvailable || v == null) {
++                    // we weren't expecting this if no EC providers
++                    throw new RuntimeException("Unexpected Error :" + e);
++                }
++                if (v != null && v.contains("bug")) {
++                    // OK - we were expecting this Error
++                    log("got expected error for bad jdk.tls.namedGroups");
++                    proceed = false;
++                    return;
++                } else {
++                    System.out.println("Unexpected error. " +
++                        "jdk.tls.namedGroups value: " + v);
++                    throw e;
++                }
++            }
++            HandshakeStatus hsStatus = engine.getHandshakeStatus();
++            if (hsStatus == HandshakeStatus.NEED_TASK) {
++                throw new Exception(
++                    "handshake shouldn't need additional tasks");
++            }
++            log("\tnew HandshakeStatus: " + hsStatus);
++        }
++    }
++
++    private static byte[] hexStringToByteArray(String s) {
++        int len = s.length();
++        byte[] data = new byte[len / 2];
++        for (int i = 0; i < len; i += 2) {
++            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
++                + Character.digit(s.charAt(i+1), 16));
++        }
++        return data;
++    }
++
++    private static boolean isEcAvailable() {
++        try {
++            Signature.getInstance("SHA1withECDSA");
++            Signature.getInstance("NONEwithECDSA");
++            KeyAgreement.getInstance("ECDH");
++            KeyFactory.getInstance("EC");
++            KeyPairGenerator.getInstance("EC");
++            AlgorithmParameters.getInstance("EC");
++        } catch (Exception e) {
++            log("EC not available. Received: " + e);
++            return false;
++        }
++        return true;
++    }
++
++    public static void main(String args[]) throws Exception {
++        SSLEngine ssle = createSSLEngine(keyFilename, trustFilename);
++        runTest(ssle);
++        System.out.println("Test Passed.");
++    }
++
++    /*
++     * Create an initialized SSLContext to use for this test.
++     */
++    static private SSLEngine createSSLEngine(String keyFile, String trustFile)
++            throws Exception {
++
++        SSLEngine ssle;
++
++        KeyStore ks = KeyStore.getInstance("JKS");
++        KeyStore ts = KeyStore.getInstance("JKS");
++
++        char[] passphrase = "passphrase".toCharArray();
++
++        ks.load(new FileInputStream(keyFile), passphrase);
++        ts.load(new FileInputStream(trustFile), passphrase);
++
++        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
++        kmf.init(ks, passphrase);
++
++        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
++        tmf.init(ts);
++
++        SSLContext sslCtx = SSLContext.getInstance("TLS");
++
++        sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
++
++        ssle = sslCtx.createSSLEngine();
++        ssle.setUseClientMode(false);
++
++        return ssle;
++    }
++
++
++    private static void log(String str) {
++        if (debug) {
++            System.out.println(str);
++        }
++    }
++}

=== modified file 'rules'
--- rules	2017-05-16 21:00:26 +0000
+++ rules	2017-05-17 04:47:17 +0000
@@ -429,6 +429,10 @@
 	debian/patches/sec-webrev-8u131-8171533-jdk.patch \
 	debian/patches/sec-webrev-8u131-8172299-jdk.patch
 
+# Fix 7u131 regression
+DISTRIBUTION_PATCHES += \
+	debian/patches/jdk-S8173783-fix-illegalargumentexception-regression.patch
+
 export DISTRIBUTION_PATCHES DISTRIBUTION_BOOT_PATCHES
 
 ifeq ($(STAGE1_JAVA),gcj)
