diff --git a/SOURCES/pr2808.patch b/SOURCES/pr2808.patch new file mode 100644 index 0000000..3cf3288 --- /dev/null +++ b/SOURCES/pr2808.patch @@ -0,0 +1,869 @@ +# HG changeset patch +# User Andrew John Hughes +# Date 1453759602 0 +# Mon Jan 25 22:06:42 2016 +0000 +# Node ID 412e3ce4141e2ddb01c8fb099fc0823d783e7b3d +# Parent 33e9441c53fc29f1aa1f496eedda845b6e405473 +S8076221, PR2808: Disable RC4 cipher suites + +2016-01-25 Andrew John Hughes + + * Makefile.am: + (ICEDTEA_PATCHES): Add new patches. + * NEWS: Updated. + * patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch: + Backport of 8076221 to OpenJDK 6 b38. + * patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch: + Improve reliability of DisabledAlgorithms test. + * patches/pr2808-fix_disabled_algorithms_test.patch: + Remove Java 7 features from new DisabledAlgorithms test. + +diff -r 33e9441c53fc -r 412e3ce4141e patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch Mon Jan 25 22:06:42 2016 +0000 +@@ -0,0 +1,553 @@ ++# HG changeset patch ++# User xuelei ++# Date 1429096621 0 ++# Wed Apr 15 11:17:01 2015 +0000 ++# Node ID 6a24fc5e32a359335538bfa453040fc2d9ba13e9 ++# Parent fe93a8cd20a56dc59e5f2464d7e6bd0d52b807b3 ++8076221: Disable RC4 cipher suites ++Reviewed-by: xuelei, wetmore ++ ++diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux ++--- openjdk.orig/jdk/src/share/lib/security/java.security-linux 2016-01-20 01:47:58.000000000 +0000 +++++ openjdk/jdk/src/share/lib/security/java.security-linux 2016-01-25 20:25:35.722972332 +0000 ++@@ -451,7 +451,7 @@ ++ # ++ # Example: ++ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 ++-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768 +++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 ++ ++ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) ++ # processing in JSSE implementation. ++diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-solaris openjdk/jdk/src/share/lib/security/java.security-solaris ++--- openjdk.orig/jdk/src/share/lib/security/java.security-solaris 2016-01-20 01:47:58.000000000 +0000 +++++ openjdk/jdk/src/share/lib/security/java.security-solaris 2016-01-25 20:24:27.088115212 +0000 ++@@ -411,7 +411,7 @@ ++ # ++ # Example: ++ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 ++-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768 +++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 ++ ++ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) ++ # processing in JSSE implementation. ++diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-windows openjdk/jdk/src/share/lib/security/java.security-windows ++--- openjdk.orig/jdk/src/share/lib/security/java.security-windows 2016-01-20 01:47:58.000000000 +0000 +++++ openjdk/jdk/src/share/lib/security/java.security-windows 2016-01-25 20:23:50.300727758 +0000 ++@@ -428,7 +428,7 @@ ++ # ++ # Example: ++ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 ++-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768 +++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 ++ ++ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) ++ # processing in JSSE implementation. ++diff -Nru openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java ++--- openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 1970-01-01 01:00:00.000000000 +0100 +++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 2016-01-25 20:17:49.902742622 +0000 ++@@ -0,0 +1,362 @@ +++/* +++ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. +++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +++ * +++ * This code is free software; you can redistribute it and/or modify it +++ * under the terms of the GNU General Public License version 2 only, as +++ * published by the Free Software Foundation. +++ * +++ * This code is distributed in the hope that it will be useful, but WITHOUT +++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +++ * version 2 for more details (a copy is included in the LICENSE file that +++ * accompanied this code). +++ * +++ * You should have received a copy of the GNU General Public License version +++ * 2 along with this work; if not, write to the Free Software Foundation, +++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +++ * +++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +++ * or visit www.oracle.com if you need additional information or have any +++ * questions. +++ */ +++ +++import java.io.BufferedInputStream; +++import java.io.BufferedOutputStream; +++import java.io.IOException; +++import java.io.InputStream; +++import java.io.OutputStream; +++import java.security.NoSuchAlgorithmException; +++import java.security.Security; +++import java.util.concurrent.TimeUnit; +++import javax.net.ssl.SSLContext; +++import javax.net.ssl.SSLHandshakeException; +++import javax.net.ssl.SSLServerSocket; +++import javax.net.ssl.SSLServerSocketFactory; +++import javax.net.ssl.SSLSocket; +++import javax.net.ssl.SSLSocketFactory; +++ +++/** +++ * @test +++ * @bug 8076221 +++ * @summary Check if weak cipher suites are disabled +++ * @run main/othervm DisabledAlgorithms default +++ * @run main/othervm DisabledAlgorithms empty +++ */ +++public class DisabledAlgorithms { +++ +++ private static final String pathToStores = +++ "../../../../sun/security/ssl/etc"; +++ private static final String keyStoreFile = "keystore"; +++ private static final String trustStoreFile = "truststore"; +++ private static final String passwd = "passphrase"; +++ +++ private static final String keyFilename = +++ System.getProperty("test.src", "./") + "/" + pathToStores + +++ "/" + keyStoreFile; +++ +++ private static final String trustFilename = +++ System.getProperty("test.src", "./") + "/" + pathToStores + +++ "/" + trustStoreFile; +++ +++ // supported RC4 cipher suites +++ // it does not contain KRB5 cipher suites because they need a KDC +++ private static final String[] rc4_ciphersuites = new String[] { +++ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", +++ "TLS_ECDHE_RSA_WITH_RC4_128_SHA", +++ "SSL_RSA_WITH_RC4_128_SHA", +++ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", +++ "TLS_ECDH_RSA_WITH_RC4_128_SHA", +++ "SSL_RSA_WITH_RC4_128_MD5", +++ "TLS_ECDH_anon_WITH_RC4_128_SHA", +++ "SSL_DH_anon_WITH_RC4_128_MD5" +++ }; +++ +++ public static void main(String[] args) throws Exception { +++ if (args.length < 1) { +++ throw new RuntimeException("No parameters specified"); +++ } +++ +++ System.setProperty("javax.net.ssl.keyStore", keyFilename); +++ System.setProperty("javax.net.ssl.keyStorePassword", passwd); +++ System.setProperty("javax.net.ssl.trustStore", trustFilename); +++ System.setProperty("javax.net.ssl.trustStorePassword", passwd); +++ +++ switch (args[0]) { +++ case "default": +++ // use default jdk.tls.disabledAlgorithms +++ System.out.println("jdk.tls.disabledAlgorithms = " +++ + Security.getProperty("jdk.tls.disabledAlgorithms")); +++ +++ // check if RC4 cipher suites can't be used by default +++ checkFailure(rc4_ciphersuites); +++ break; +++ case "empty": +++ // reset jdk.tls.disabledAlgorithms +++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); +++ System.out.println("jdk.tls.disabledAlgorithms = " +++ + Security.getProperty("jdk.tls.disabledAlgorithms")); +++ +++ // check if RC4 cipher suites can be used +++ // if jdk.tls.disabledAlgorithms is empty +++ checkSuccess(rc4_ciphersuites); +++ break; +++ default: +++ throw new RuntimeException("Wrong parameter: " + args[0]); +++ } +++ } +++ +++ /* +++ * Checks if that specified cipher suites cannot be used. +++ */ +++ private static void checkFailure(String[] ciphersuites) throws Exception { +++ try (SSLServer server = SSLServer.init(ciphersuites)) { +++ startNewThread(server); +++ while (!server.isRunning()) { +++ sleep(); +++ } +++ +++ int port = server.getPort(); +++ for (String ciphersuite : ciphersuites) { +++ try (SSLClient client = SSLClient.init(port, ciphersuite)) { +++ client.connect(); +++ throw new RuntimeException("Expected SSLHandshakeException " +++ + "not thrown"); +++ } catch (SSLHandshakeException e) { +++ System.out.println("Expected exception on client side: " +++ + e); +++ } +++ } +++ +++ server.stop(); +++ while (server.isRunning()) { +++ sleep(); +++ } +++ +++ if (!server.sslError()) { +++ throw new RuntimeException("Expected SSL exception " +++ + "not thrown on server side"); +++ } +++ } +++ +++ } +++ +++ /* +++ * Checks if specified cipher suites can be used. +++ */ +++ private static void checkSuccess(String[] ciphersuites) throws Exception { +++ try (SSLServer server = SSLServer.init(ciphersuites)) { +++ startNewThread(server); +++ while (!server.isRunning()) { +++ sleep(); +++ } +++ +++ int port = server.getPort(); +++ for (String ciphersuite : ciphersuites) { +++ try (SSLClient client = SSLClient.init(port, ciphersuite)) { +++ client.connect(); +++ String negotiated = client.getNegotiatedCipherSuite(); +++ System.out.println("Negotiated cipher suite: " +++ + negotiated); +++ if (!negotiated.equals(ciphersuite)) { +++ throw new RuntimeException("Unexpected cipher suite: " +++ + negotiated); +++ } +++ } +++ } +++ +++ server.stop(); +++ while (server.isRunning()) { +++ sleep(); +++ } +++ +++ if (server.error()) { +++ throw new RuntimeException("Unexpected error on server side"); +++ } +++ } +++ +++ } +++ +++ private static Thread startNewThread(SSLServer server) { +++ Thread serverThread = new Thread(server, "SSL server thread"); +++ serverThread.setDaemon(true); +++ serverThread.start(); +++ return serverThread; +++ } +++ +++ private static void sleep() { +++ try { +++ TimeUnit.MILLISECONDS.sleep(50); +++ } catch (InterruptedException e) { +++ // do nothing +++ } +++ } +++ +++ static class SSLServer implements Runnable, AutoCloseable { +++ +++ private final SSLServerSocket ssocket; +++ private volatile boolean stopped = false; +++ private volatile boolean running = false; +++ private volatile boolean sslError = false; +++ private volatile boolean otherError = false; +++ +++ private SSLServer(SSLServerSocket ssocket) { +++ this.ssocket = ssocket; +++ } +++ +++ @Override +++ public void run() { +++ System.out.println("Server: started"); +++ running = true; +++ while (!stopped) { +++ try (SSLSocket socket = (SSLSocket) ssocket.accept()) { +++ System.out.println("Server: accepted client connection"); +++ InputStream in = socket.getInputStream(); +++ OutputStream out = socket.getOutputStream(); +++ int b = in.read(); +++ if (b < 0) { +++ throw new IOException("Unexpected EOF"); +++ } +++ System.out.println("Server: send data: " + b); +++ out.write(b); +++ out.flush(); +++ socket.getSession().invalidate(); +++ } catch (SSLHandshakeException e) { +++ System.out.println("Server: run: " + e); +++ sslError = true; +++ } catch (IOException e) { +++ if (!stopped) { +++ System.out.println("Server: run: " + e); +++ e.printStackTrace(); +++ otherError = true; +++ } +++ } +++ } +++ +++ System.out.println("Server: finished"); +++ running = false; +++ } +++ +++ int getPort() { +++ return ssocket.getLocalPort(); +++ } +++ +++ String[] getEnabledCiperSuites() { +++ return ssocket.getEnabledCipherSuites(); +++ } +++ +++ boolean isRunning() { +++ return running; +++ } +++ +++ boolean sslError() { +++ return sslError; +++ } +++ +++ boolean error() { +++ return sslError || otherError; +++ } +++ +++ void stop() { +++ stopped = true; +++ if (!ssocket.isClosed()) { +++ try { +++ ssocket.close(); +++ } catch (IOException e) { +++ System.out.println("Server: close: " + e); +++ } +++ } +++ } +++ +++ @Override +++ public void close() { +++ stop(); +++ } +++ +++ static SSLServer init(String[] ciphersuites) +++ throws IOException { +++ SSLServerSocketFactory ssf = (SSLServerSocketFactory) +++ SSLServerSocketFactory.getDefault(); +++ SSLServerSocket ssocket = (SSLServerSocket) +++ ssf.createServerSocket(0); +++ +++ if (ciphersuites != null) { +++ System.out.println("Server: enable cipher suites: " +++ + java.util.Arrays.toString(ciphersuites)); +++ ssocket.setEnabledCipherSuites(ciphersuites); +++ } +++ +++ return new SSLServer(ssocket); +++ } +++ } +++ +++ static class SSLClient implements AutoCloseable { +++ +++ private final SSLSocket socket; +++ +++ private SSLClient(SSLSocket socket) { +++ this.socket = socket; +++ } +++ +++ void connect() throws IOException { +++ System.out.println("Client: connect to server"); +++ try ( +++ BufferedInputStream bis = new BufferedInputStream( +++ socket.getInputStream()); +++ BufferedOutputStream bos = new BufferedOutputStream( +++ socket.getOutputStream())) { +++ bos.write('x'); +++ bos.flush(); +++ +++ int read = bis.read(); +++ if (read < 0) { +++ throw new IOException("Client: couldn't read a response"); +++ } +++ socket.getSession().invalidate(); +++ } +++ } +++ +++ String[] getEnabledCiperSuites() { +++ return socket.getEnabledCipherSuites(); +++ } +++ +++ String getNegotiatedCipherSuite() { +++ return socket.getSession().getCipherSuite(); +++ } +++ +++ @Override +++ public void close() throws Exception { +++ if (!socket.isClosed()) { +++ try { +++ socket.close(); +++ } catch (IOException e) { +++ System.out.println("Client: close: " + e); +++ } +++ } +++ } +++ +++ static SSLClient init(int port) +++ throws NoSuchAlgorithmException, IOException { +++ return init(port, null); +++ } +++ +++ static SSLClient init(int port, String ciphersuite) +++ throws NoSuchAlgorithmException, IOException { +++ SSLContext context = SSLContext.getDefault(); +++ SSLSocketFactory ssf = (SSLSocketFactory) +++ context.getSocketFactory(); +++ SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port); +++ +++ if (ciphersuite != null) { +++ System.out.println("Client: enable cipher suite: " +++ + ciphersuite); +++ socket.setEnabledCipherSuites(new String[] { ciphersuite }); +++ } +++ +++ return new SSLClient(socket); +++ } +++ +++ } +++ +++ +++} ++diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java ++--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java 2016-01-20 01:42:21.000000000 +0000 +++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java 2016-01-25 20:23:28.749086605 +0000 ++@@ -1,5 +1,5 @@ ++ /* ++- * Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved. +++ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++@@ -30,7 +30,7 @@ ++ */ ++ ++ import java.io.*; ++-import java.net.*; +++import java.security.Security; ++ import javax.net.ssl.*; ++ ++ public class CipherSuiteOrder { ++@@ -192,6 +192,10 @@ ++ volatile Exception clientException = null; ++ ++ public static void main(String[] args) throws Exception { +++ // reset the security property to make sure that the algorithms +++ // and keys used in this test are not disabled. +++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); +++ ++ String keyFilename = ++ System.getProperty("test.src", "./") + "/" + pathToStores + ++ "/" + keyStoreFile; ++diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java ++--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2016-01-25 20:15:46.384811880 +0000 +++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2016-01-25 20:17:49.902742622 +0000 ++@@ -1,5 +1,5 @@ ++ /* ++- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. +++ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++@@ -102,10 +102,10 @@ ++ import java.nio.*; ++ import java.security.KeyStore; ++ import java.security.KeyFactory; +++import java.security.Security; ++ import java.security.cert.Certificate; ++ import java.security.cert.CertificateFactory; ++ import java.security.spec.PKCS8EncodedKeySpec; ++-import java.security.spec.*; ++ import java.security.interfaces.*; ++ import java.util.Base64; ++ ++@@ -367,6 +367,10 @@ ++ } ++ ++ public static void main(String args[]) throws Exception { +++ // reset the security property to make sure that the algorithms +++ // and keys used in this test are not disabled. +++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); +++ ++ if (args.length != 4) { ++ System.out.println( ++ "Usage: java DHEKeySizing cipher-suite " + ++diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java ++--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java 2016-01-20 01:42:24.000000000 +0000 +++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java 2016-01-25 20:17:49.902742622 +0000 ++@@ -1,5 +1,5 @@ ++ /* ++- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +++ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++@@ -622,6 +622,9 @@ ++ } ++ ++ public static void main(String args[]) throws Exception { +++ // reset the security property to make sure that the algorithms +++ // and keys used in this test are not disabled. +++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); ++ ++ CheckStatus cs; ++ ++diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java ++--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java 2016-01-20 01:42:24.000000000 +0000 +++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java 2016-01-25 20:20:24.580152890 +0000 ++@@ -33,6 +33,8 @@ ++ * The code could certainly be tightened up a lot. ++ * ++ * @author Brad Wetmore +++ * +++ * @run main/othervm ConnectionTest ++ */ ++ ++ import javax.net.ssl.*; ++@@ -672,6 +674,10 @@ ++ } ++ ++ public static void main(String args[]) throws Exception { +++ // reset the security property to make sure that the algorithms +++ // and keys used in this test are not disabled. +++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); +++ ++ ConnectionTest ct = new ConnectionTest(); ++ ct.test(); ++ } ++diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java ++--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java 2016-01-20 01:42:24.000000000 +0000 +++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java 2016-01-25 20:19:17.305278447 +0000 ++@@ -180,6 +180,9 @@ ++ } ++ ++ public static void main(String args[]) throws Exception { +++ // reset the security property to make sure that the algorithms +++ // and keys used in this test are not disabled. +++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); ++ ++ LargeBufs test; ++ ++diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java ++--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java 2016-01-20 01:42:25.000000000 +0000 +++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java 2016-01-25 20:18:53.009685445 +0000 ++@@ -33,7 +33,7 @@ ++ */ ++ ++ import java.io.*; ++-import java.net.*; +++import java.security.Security; ++ import javax.net.ssl.*; ++ ++ public class GenericStreamCipher { ++@@ -161,6 +161,10 @@ ++ volatile Exception clientException = null; ++ ++ public static void main(String[] args) throws Exception { +++ // reset the security property to make sure that the algorithms +++ // and keys used in this test are not disabled. +++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); +++ ++ String keyFilename = ++ System.getProperty("test.src", ".") + "/" + pathToStores + ++ "/" + keyStoreFile; +diff -r 33e9441c53fc -r 412e3ce4141e patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch Mon Jan 25 22:06:42 2016 +0000 +@@ -0,0 +1,58 @@ ++# HG changeset patch ++# User asmotrak ++# Date 1435145895 -10800 ++# Wed Jun 24 14:38:15 2015 +0300 ++# Node ID 66bf77932d57ef00e0c68c19c5e45e0b1de80fad ++# Parent fddcb008fd1d285ed7d84011a43cdf556ab16bcb ++8078823: javax/net/ssl/ciphersuites/DisabledAlgorithms.java fails intermittently ++Reviewed-by: xuelei ++ ++diff -r fddcb008fd1d -r 66bf77932d57 test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java ++--- openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java Tue Jun 23 15:07:18 2015 +0100 +++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java Wed Jun 24 14:38:15 2015 +0300 ++@@ -104,6 +104,8 @@ ++ default: ++ throw new RuntimeException("Wrong parameter: " + args[0]); ++ } +++ +++ System.out.println("Test passed"); ++ } ++ ++ /* ++@@ -128,7 +130,6 @@ ++ } ++ } ++ ++- server.stop(); ++ while (server.isRunning()) { ++ sleep(); ++ } ++@@ -224,11 +225,19 @@ ++ } catch (SSLHandshakeException e) { ++ System.out.println("Server: run: " + e); ++ sslError = true; +++ stopped = true; ++ } catch (IOException e) { ++ if (!stopped) { ++- System.out.println("Server: run: " + e); +++ System.out.println("Server: run: unexpected exception: " +++ + e); ++ e.printStackTrace(); ++ otherError = true; +++ stopped = true; +++ } else { +++ System.out.println("Server: run: " + e); +++ System.out.println("The exception above occurred " +++ + "because socket was closed, " +++ + "please ignore it"); ++ } ++ } ++ } ++@@ -261,6 +270,7 @@ ++ stopped = true; ++ if (!ssocket.isClosed()) { ++ try { +++ System.out.println("Server: close socket"); ++ ssocket.close(); ++ } catch (IOException e) { ++ System.out.println("Server: close: " + e); +diff -r 33e9441c53fc -r 412e3ce4141e patches/pr2808-fix_disabled_algorithms_test.patch +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/patches/pr2808-fix_disabled_algorithms_test.patch Mon Jan 25 22:06:42 2016 +0000 +@@ -0,0 +1,226 @@ ++--- openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 2015-10-21 05:20:57.910156611 +0100 +++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 2016-01-25 21:58:39.334103875 +0000 ++@@ -82,16 +82,14 @@ ++ System.setProperty("javax.net.ssl.trustStore", trustFilename); ++ System.setProperty("javax.net.ssl.trustStorePassword", passwd); ++ ++- switch (args[0]) { ++- case "default": +++ if ("default".equals(args[0])) { ++ // use default jdk.tls.disabledAlgorithms ++ System.out.println("jdk.tls.disabledAlgorithms = " ++ + Security.getProperty("jdk.tls.disabledAlgorithms")); ++ ++ // check if RC4 cipher suites can't be used by default ++ checkFailure(rc4_ciphersuites); ++- break; ++- case "empty": +++ } else if ("empty".equals(args[0])) { ++ // reset jdk.tls.disabledAlgorithms ++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); ++ System.out.println("jdk.tls.disabledAlgorithms = " ++@@ -100,19 +98,19 @@ ++ // check if RC4 cipher suites can be used ++ // if jdk.tls.disabledAlgorithms is empty ++ checkSuccess(rc4_ciphersuites); ++- break; ++- default: +++ } else { ++ throw new RuntimeException("Wrong parameter: " + args[0]); ++ } ++- ++- System.out.println("Test passed"); ++ } ++ ++ /* ++ * Checks if that specified cipher suites cannot be used. ++ */ ++ private static void checkFailure(String[] ciphersuites) throws Exception { ++- try (SSLServer server = SSLServer.init(ciphersuites)) { +++ SSLServer server = null; +++ +++ try { +++ server = SSLServer.init(ciphersuites); ++ startNewThread(server); ++ while (!server.isRunning()) { ++ sleep(); ++@@ -120,16 +118,21 @@ ++ ++ int port = server.getPort(); ++ for (String ciphersuite : ciphersuites) { ++- try (SSLClient client = SSLClient.init(port, ciphersuite)) { +++ SSLClient client = null; +++ try { +++ client = SSLClient.init(port, ciphersuite); ++ client.connect(); ++ throw new RuntimeException("Expected SSLHandshakeException " ++ + "not thrown"); ++ } catch (SSLHandshakeException e) { ++ System.out.println("Expected exception on client side: " ++ + e); +++ } finally { +++ if (client != null) { client.close(); } ++ } ++ } ++ +++ server.stop(); ++ while (server.isRunning()) { ++ sleep(); ++ } ++@@ -138,15 +141,18 @@ ++ throw new RuntimeException("Expected SSL exception " ++ + "not thrown on server side"); ++ } +++ } finally { +++ if (server != null ) { server.close(); } ++ } ++- ++ } ++ ++ /* ++ * Checks if specified cipher suites can be used. ++ */ ++ private static void checkSuccess(String[] ciphersuites) throws Exception { ++- try (SSLServer server = SSLServer.init(ciphersuites)) { +++ SSLServer server = null; +++ try { +++ server = SSLServer.init(ciphersuites); ++ startNewThread(server); ++ while (!server.isRunning()) { ++ sleep(); ++@@ -154,7 +160,9 @@ ++ ++ int port = server.getPort(); ++ for (String ciphersuite : ciphersuites) { ++- try (SSLClient client = SSLClient.init(port, ciphersuite)) { +++ SSLClient client = null; +++ try { +++ client = SSLClient.init(port, ciphersuite); ++ client.connect(); ++ String negotiated = client.getNegotiatedCipherSuite(); ++ System.out.println("Negotiated cipher suite: " ++@@ -163,6 +171,8 @@ ++ throw new RuntimeException("Unexpected cipher suite: " ++ + negotiated); ++ } +++ } finally { +++ if (client != null) { client.close(); } ++ } ++ } ++ ++@@ -174,6 +184,8 @@ ++ if (server.error()) { ++ throw new RuntimeException("Unexpected error on server side"); ++ } +++ } finally { +++ if (server != null) { server.close(); } ++ } ++ ++ } ++@@ -193,7 +205,7 @@ ++ } ++ } ++ ++- static class SSLServer implements Runnable, AutoCloseable { +++ static class SSLServer implements Runnable { ++ ++ private final SSLServerSocket ssocket; ++ private volatile boolean stopped = false; ++@@ -210,7 +222,9 @@ ++ System.out.println("Server: started"); ++ running = true; ++ while (!stopped) { ++- try (SSLSocket socket = (SSLSocket) ssocket.accept()) { +++ SSLSocket socket = null; +++ try { +++ socket = (SSLSocket) ssocket.accept(); ++ System.out.println("Server: accepted client connection"); ++ InputStream in = socket.getInputStream(); ++ OutputStream out = socket.getOutputStream(); ++@@ -225,19 +239,16 @@ ++ } catch (SSLHandshakeException e) { ++ System.out.println("Server: run: " + e); ++ sslError = true; ++- stopped = true; ++ } catch (IOException e) { ++ if (!stopped) { ++- System.out.println("Server: run: unexpected exception: " ++- + e); +++ System.out.println("Server: run: " + e); ++ e.printStackTrace(); ++ otherError = true; ++- stopped = true; ++- } else { ++- System.out.println("Server: run: " + e); ++- System.out.println("The exception above occurred " ++- + "because socket was closed, " ++- + "please ignore it"); +++ } +++ } finally { +++ if (socket != null ) { +++ try { socket.close(); } +++ catch (IOException e) { } ++ } ++ } ++ } ++@@ -270,7 +281,6 @@ ++ stopped = true; ++ if (!ssocket.isClosed()) { ++ try { ++- System.out.println("Server: close socket"); ++ ssocket.close(); ++ } catch (IOException e) { ++ System.out.println("Server: close: " + e); ++@@ -278,7 +288,6 @@ ++ } ++ } ++ ++- @Override ++ public void close() { ++ stop(); ++ } ++@@ -300,7 +309,7 @@ ++ } ++ } ++ ++- static class SSLClient implements AutoCloseable { +++ static class SSLClient { ++ ++ private final SSLSocket socket; ++ ++@@ -310,11 +319,12 @@ ++ ++ void connect() throws IOException { ++ System.out.println("Client: connect to server"); ++- try ( ++- BufferedInputStream bis = new BufferedInputStream( ++- socket.getInputStream()); ++- BufferedOutputStream bos = new BufferedOutputStream( ++- socket.getOutputStream())) { +++ BufferedInputStream bis = null; +++ BufferedOutputStream bos = null; +++ try { +++ bis = new BufferedInputStream(socket.getInputStream()); +++ bos = new BufferedOutputStream(socket.getOutputStream()); +++ ++ bos.write('x'); ++ bos.flush(); ++ ++@@ -323,6 +333,9 @@ ++ throw new IOException("Client: couldn't read a response"); ++ } ++ socket.getSession().invalidate(); +++ } finally { +++ if (bis != null) { bis.close(); } +++ if (bos != null) { bos.close(); } ++ } ++ } ++ ++@@ -334,7 +347,6 @@ ++ return socket.getSession().getCipherSuite(); ++ } ++ ++- @Override ++ public void close() throws Exception { ++ if (!socket.isClosed()) { ++ try { diff --git a/SOURCES/pr2849.patch b/SOURCES/pr2849.patch new file mode 100644 index 0000000..38b4c73 --- /dev/null +++ b/SOURCES/pr2849.patch @@ -0,0 +1,21 @@ +diff --git a/configure.ac b/configure.ac +--- a/configure.ac ++++ b/configure.ac +@@ -33,7 +33,6 @@ + IT_FIND_TOOL([TAR], [tar]) + IT_FIND_TOOL([CHMOD], [chmod]) + IT_FIND_TOOL([SHA256SUM], [sha256sum]) +-IT_FIND_TOOL([WGET], [wget]) + IT_FIND_TOOL([ZIP], [zip]) + IT_FIND_TOOL([UNZIP], [unzip]) + IT_FIND_TOOL([CPIO], [cpio]) +@@ -268,6 +267,9 @@ + IT_FIND_ECJ_JAR + IT_FIND_TOOL([XSLTPROC], [xsltproc]) + fi ++if test "x$enable_downloading" = "xyes"; then ++ IT_FIND_TOOL([WGET], [wget]) ++fi + IT_USING_CACAO + AC_CONFIG_FILES([javac], [chmod +x javac]) + AC_CONFIG_FILES([javap], [chmod +x javap]) diff --git a/SPECS/java-1.6.0-openjdk.spec b/SPECS/java-1.6.0-openjdk.spec index 83967f8..1fe59ba 100644 --- a/SPECS/java-1.6.0-openjdk.spec +++ b/SPECS/java-1.6.0-openjdk.spec @@ -94,8 +94,7 @@ %define bootstrapopt %{nil} %else %define stapopt %{nil} -#%%define bootstrapopt --disable-bootstrap -%define bootstrapopt %{nil} +%define bootstrapopt --disable-bootstrap %endif # Convert an absolute path to a relative path. Each symbolic link is @@ -159,7 +158,7 @@ Name: java-%{javaver}-%{origin} Version: %{javaver}.%{buildver} -Release: %{icedteaver}.5%{?dist} +Release: %{icedteaver}.9%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons, # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -201,7 +200,10 @@ Patch6: %{name}-debuginfo.patch Patch7: no_pr2125.patch # This is a RHEL-specific patch to embed RHEL-specific paths Patch10: add-final-location-rpaths.patch - +# PR2808, RH1302383: Backport "8076221: Disable RC4 cipher suites" +Patch12: pr2808.patch +# PR2849: wget not required when downloading is disabled +Patch13: pr2849.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -220,19 +222,17 @@ BuildRequires: libXt-devel BuildRequires: libXtst-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel -BuildRequires: wget -BuildRequires: xalan-j2 -BuildRequires: xerces-j2 BuildRequires: xorg-x11-proto-devel -BuildRequires: mercurial BuildRequires: ant BuildRequires: libXinerama-devel BuildRequires: rhino -BuildRequires: redhat-lsb +# Provides lsb_release for generating identification +BuildRequires: redhat-lsb-core %if %{gcjbootstrap} BuildRequires: java-1.5.0-gcj-devel +BuildRequires: libxslt %else -BuildRequires: java6-1.6.0-devel +BuildRequires: java-1.6.0-openjdk-devel >= 1.6.0.40 %endif # Java Access Bridge for GNOME build requirements. BuildRequires: at-spi-devel @@ -366,6 +366,8 @@ The OpenJDK API documentation. %patch0 %patch7 -p1 %patch10 -p1 +%patch12 -p1 +%patch13 -p1 cp %{SOURCE4} . @@ -383,13 +385,16 @@ export ARCH_DATA_MODEL=64 export CFLAGS="$CFLAGS -mieee" %endif ./autogen.sh -%configure %{icedteaopt} %{bootstrapopt} %{stapopt} --with-openjdk-src-zip=%{SOURCE1} \ +%configure %{bootstrapopt} --prefix=%{_jvmdir}/%{sdkdir} --exec-prefix=%{_jvmdir}/%{sdkdir} \ + --bindir=%{_jvmdir}/%{sdkdir}/bin --includedir=%{_jvmdir}/%{sdkdir}/include \ + --docdir=%{_defaultdocdir}/%{name} --mandir=%{_jvmdir}/%{sdkdir}/man \ + --htmldir=%{_javadocdir}/%{name} %{icedteaopt} %{stapopt} --with-openjdk-src-zip=%{SOURCE1} \ --with-pkgversion=rhel-%{release}-%{_arch} --enable-pulse-java \ - --with-abs-install-dir=%{_jvmdir}/%{sdkdir} \ + --with-abs-install-dir=%{_jvmdir}/%{sdkdir} --disable-downloading \ --with-rhino --with-parallel-jobs=$NUM_PROC --disable-lcms2 \ --disable-tests --disable-systemtap-tests -make DISTRIBUTION_PATCHES=patches/add-final-location-rpaths.patch patch +make DISTRIBUTION_PATCHES="patches/add-final-location-rpaths.patch patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch patches/pr2808-fix_disabled_algorithms_test.patch" patch patch -l -p0 < %{PATCH3} patch -l -p0 < %{PATCH4} @@ -893,29 +898,45 @@ exit 0 %doc %{_javadocdir}/%{name} %changelog -* Mon Aug 22 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.5 +* Mon Sep 05 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.9 +- Require a JDK with RH1334465/PR2956 fixed and turn off bootstrapping for Zero architectures. +- Resolves: rhbz#1350047 + +* Thu Sep 01 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.8 +- Set install directories in configure so that @prefix@ is substituted correctly in tapset +- Resolves: rhbz#1350047 + +* Mon Aug 22 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.7 - Bump source tarballs to try and really fix TCK failures this time. -- Resolves: rhbz#1350046 +- Resolves: rhbz#1350047 -* Mon Aug 22 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.4 +* Mon Aug 22 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.6 - Bump source tarballs to missing -DNDEBUG on JDK native code. -- Resolves: rhbz#1350046 +- Resolves: rhbz#1350047 -* Fri Aug 19 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.3 +* Fri Aug 19 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.5 - Non-JIT architectures have not been bootstrapping, due to RPM reading commented macros -- Resolves: rhbz#1350046 +- Resolves: rhbz#1350047 -* Fri Aug 19 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.2 +* Fri Aug 19 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.4 - Bump source tarballs to fix TCK failures. -- Resolves: rhbz#1350046 +- Resolves: rhbz#1350047 -* Thu Aug 18 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.1 +* Thu Aug 18 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.3 - Separate bootstrap option as it should not be tied to the JDK used. - Enable bootstrapping on JIT architectures going forward. - Temporarily enable bootstrapping on all architectures to work around RH1334465/PR2956. -- Resolves: rhbz#1350046 +- Resolves: rhbz#1350047 + +* Wed Aug 17 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.2 +- Require mailcap at build time as well, so configure finds /etc/mime.types +- Resolves: rhbz#1350047 -* Wed Aug 17 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.0 +* Wed Aug 17 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.1 +- Add RHEL version of b40 tarball. +- Resolves: rhbz#1350047 + +* Wed Aug 17 2016 Andrew Hughes - 1:1.6.0.40-1.13.12.1 - Update to IcedTea 1.13.12 & OpenJDK 6 b40. - Separate SystemTap option from bootstrap options. - Depend on mailcap for /etc/mime.types (PR2800) @@ -923,17 +944,24 @@ exit 0 - Remove redundant patch-ecj target invocation for bootstrap build. - Add check section to run the new tests introduced in 1.13.12. - Fix context for rpath patch following PR3140. -- Add RHEL version of b40 tarball. -- Require mailcap at build time as well, so configure finds /etc/mime.types -- Resolves: rhbz#1350046 +- Resolves: rhbz#1350047 -* Wed May 04 2016 Andrew Hughes - 1:1.6.0.39-1.13.11.0 +* Wed May 04 2016 Andrew Hughes - 1:1.6.0.39-1.13.11.1 - Update to IcedTea 1.13.11 & OpenJDK 6 b39. -- Resolves: rhbz#1325432 +- Resolves: rhbz#1325433 + +* Mon Feb 15 2016 Andrew Hughes - 1:1.6.0.38-1.13.10.3 +- Remove dependencies no longer needed by modern IcedTea 1.x and current RPM build. +- Explicitly disable downloading, removing the need for wget. +- Resolves: rhbz#1308687 + +* Mon Jan 25 2016 Andrew Hughes - 1:1.6.0.38-1.13.10.2 +- Disable RC4 by default. +- Resolves: rhbz#1302383 -* Thu Jan 21 2016 Andrew Hughes - 1:1.6.0.38-1.13.10.0 +* Thu Jan 21 2016 Andrew Hughes - 1:1.6.0.38-1.13.10.1 - Update to IcedTea 1.13.10 & OpenJDK 6 b38. -- Resolves: rhbz#1295775 +- Resolves: rhbz#1295776 * Wed Nov 11 2015 Andrew Hughes - 1:1.6.0.37-1.13.9.5 - Update with new IcedTea & b37 tarballs, including fix for appletviewer regression.