Re: RFR: 8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) [v4]

2021-05-08 Thread Alexey Bakhtin
> Hello All,
>
> Could you please review the fix for the JDK-8241248?
> The issue happens during the TLSv1.3 handshake without server stateless
> session resumption in case the server receives several parallel requests with
> the same pre_shared_key.
> The main idea of the fix is to remove resumi

Re: RFR: 8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) [v3]

2021-05-08 Thread Alexey Bakhtin
On Sat, 8 May 2021 00:21:54 GMT, Xue-Lei Andrew Fan wrote:
>> Alexey Bakhtin has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> Add Cache.pull method
>
> src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java line
> 377:
>

Re: RFR: 8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) [v3]

2021-05-08 Thread Xue-Lei Andrew Fan
On Sat, 8 May 2021 19:10:50 GMT, Alexey Bakhtin wrote:
>> src/java.base/share/classes/sun/security/util/Cache.java line 442:
>>
>>> 440: entry.invalidate();
>>> 441: return value;
>>> 442: }
>>
>> I may adjust the lines a little bit so as to avoid duplicated operations
>> (

Re: RFR: 8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) [v5]

2021-05-08 Thread Alexey Bakhtin
> Hello All,
>
> Could you please review the fix for the JDK-8241248?
> The issue happens during the TLSv1.3 handshake without server stateless
> session resumption in case the server receives several parallel requests with
> the same pre_shared_key.
> The main idea of the fix is to remove resumi

Re: RFR: 8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) [v3]

2021-05-08 Thread Alexey Bakhtin
On Sat, 8 May 2021 19:48:39 GMT, Xue-Lei Andrew Fan wrote:
>> I'd like to keep my code as-is. We still need invalidate() if entry is not
>> valid (see remove() operation).
>
> Did you notice that entry.isValid() implementation already calls
> invalidate() if the entry is not valid?
I didn't

Re: JEP411: Missing use-case: Monitoring / restricting libraries

2021-05-08 Thread Peter Firmstone
Ron,
Thanks for the discussion. Although we have different opinions, I do appreciate that you took the time to reply.
--
Regards,
Peter Firmstone
Zeus Project Services Pty Ltd.

Re: RFR: 8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) [v5]

2021-05-08 Thread Xue-Lei Andrew Fan
On Sat, 8 May 2021 20:30:31 GMT, Alexey Bakhtin wrote:
>> Hello All,
>>
>> Could you please review the fix for the JDK-8241248?
>> The issue happens during the TLSv1.3 handshake without server stateless
>> session resumption in case the server receives several parallel requests with
>> the same

Re: JEP411: Restricting/logging library usages using a SecurityManager

2021-05-08 Thread Peter Firmstone
Just some references regarding Roel's original argument below:
https://techbeacon.com/security/third-party-libraries-are-one-most-insecure-parts-application
https://debricked.com/blog/2021/01/02/vulnerabilities-in-dependencies/
https://www.tripwire.com/state-of-security/vulnerability-management