author | J. Duke <duke@openjdk.org> | 2021-09-14 11:41:11 -0700 |
---|---|---|
committer | J. Duke <duke@openjdk.org> | 2021-09-14 11:41:11 -0700 |
commit | 842d57776d5d2aed52f08f90af78da20ff283a8c (patch) | |
tree | 7c26fbd1141c32665ab8dbdc51dd7268b7e4251b | |
parent | 4b32e1c516c9c812cb31b0f3866032630944b5b5 (diff) | |
parent | 45926ef10da9c560bcd0151656e4baf88a05fc00 (diff) | |
Merge
37 files changed, 1327 insertions, 331 deletions
diff --git a/.hgtags-top-repo b/.hgtags-top-repo index d2a0e9d6c2c..a20a230a044 100644 --- a/.hgtags-top-repo +++ b/.hgtags-top-repo @@ -1054,3 +1054,4 @@ d89ef3a0713fde8aafb81bacb78d11f92c6acdce jdk8u292-b07 120809c21ad7f2ba826948edc8b392ce2d6403da jdk8u302-b00 f0e279d45d49a08815606b99698cc27dc6394714 jdk8u302-b01 156403f25b046c586fb6752801bd7494d79ba1be jdk8u302-b02 +82610be662bc4636c689e4c5e7a7270006dda989 jdk8u302-b03 diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh index 29b2c10743b..55c85dbdbca 100644 --- a/common/autoconf/generated-configure.sh +++ b/common/autoconf/generated-configure.sh @@ -3927,7 +3927,7 @@ pkgadd_help() { # -# Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2021, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -4394,7 +4394,7 @@ VS_SDK_PLATFORM_NAME_2017= #CUSTOM_AUTOCONF_INCLUDE # Do not change or remove the following line, it is needed for consistency checks: -DATE_WHEN_GENERATED=1620850472 +DATE_WHEN_GENERATED=1621590864 ############################################################################### # @@ -42534,8 +42534,8 @@ $as_echo_n "checking if we should generate debug symbols... " >&6; } # Default is on if objcopy is found if test "x$OBJCOPY" != x; then ENABLE_DEBUG_SYMBOLS=true - # MacOS X and Windows don't use objcopy but default is on for those OSes - elif test "x$OPENJDK_TARGET_OS" = xmacosx || test "x$OPENJDK_TARGET_OS" = xwindows; then + # AIX, MacOS X and Windows don't use objcopy but default is on for those OSes + elif test "x$OPENJDK_TARGET_OS" = xaix || test "x$OPENJDK_TARGET_OS" = xmacosx || test "x$OPENJDK_TARGET_OS" = xwindows; then ENABLE_DEBUG_SYMBOLS=true else ENABLE_DEBUG_SYMBOLS=false 
@@ -42581,11 +42581,6 @@ $as_echo_n "checking what type of native debug symbols to use (this will overrid # Check whether --with-native-debug-symbols was given. if test "${with_native_debug_symbols+set}" = set; then : withval=$with_native_debug_symbols; - if test "x$OPENJDK_TARGET_OS" = xaix; then - if test "x$with_native_debug_symbols" = xexternal || test "x$with_native_debug_symbols" = xzipped; then - as_fn_error $? "AIX only supports the parameters 'none' and 'internal' for --with-native-debug-symbols" "$LINENO" 5 - fi - fi else diff --git a/common/autoconf/jdk-options.m4 b/common/autoconf/jdk-options.m4 index b1917664a3d..18ba585209b 100644 --- a/common/autoconf/jdk-options.m4 +++ b/common/autoconf/jdk-options.m4 @@ -1,5 +1,5 @@ # -# Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2021, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -659,8 +659,8 @@ AC_DEFUN_ONCE([JDKOPT_SETUP_DEBUG_SYMBOLS], # Default is on if objcopy is found if test "x$OBJCOPY" != x; then ENABLE_DEBUG_SYMBOLS=true - # MacOS X and Windows don't use objcopy but default is on for those OSes - elif test "x$OPENJDK_TARGET_OS" = xmacosx || test "x$OPENJDK_TARGET_OS" = xwindows; then + # AIX, MacOS X and Windows don't use objcopy but default is on for those OSes + elif test "x$OPENJDK_TARGET_OS" = xaix || test "x$OPENJDK_TARGET_OS" = xmacosx || test "x$OPENJDK_TARGET_OS" = xwindows; then ENABLE_DEBUG_SYMBOLS=true else ENABLE_DEBUG_SYMBOLS=false 
@@ -698,11 +698,6 @@ AC_DEFUN_ONCE([JDKOPT_SETUP_DEBUG_SYMBOLS], [AS_HELP_STRING([--with-native-debug-symbols], [set the native debug symbol configuration (none, internal, external, zipped) @<:@varying@:>@])], [ - if test "x$OPENJDK_TARGET_OS" = xaix; then - if test "x$with_native_debug_symbols" = xexternal || test "x$with_native_debug_symbols" = xzipped; then - AC_MSG_ERROR([AIX only supports the parameters 'none' and 'internal' for --with-native-debug-symbols]) - fi - fi ], [ # Default to unset for backwards compatibility diff --git a/corba/.hgtags b/corba/.hgtags index f5ddd097e53..6453cf56218 100644 --- a/corba/.hgtags +++ b/corba/.hgtags @@ -1127,3 +1127,4 @@ fa3e1caed3f0c0e64667ad4ba03c5fba566ddd89 jdk8u292-ga cae05a72a1f7ca2256af496acd34cd6ed2edcac1 jdk8u302-b00 24d18884b6fcfac96f2c5a0a1602bd9ee8d8465c jdk8u302-b01 905a5d49c86814de3dd3b4b36b855addf938a134 jdk8u302-b02 +f0175096381abe39a54ce573c8b5bcf41d325205 jdk8u302-b03 diff --git a/hotspot/.hgtags b/hotspot/.hgtags index 7f6bd45be69..82e008c2d9d 100644 --- a/hotspot/.hgtags +++ b/hotspot/.hgtags @@ -1360,3 +1360,4 @@ f206e4bfcef993ce5a75ed54612f045ca047abd3 jdk8u292-b07 a435c913c8ce30f0487d05cfec1d9be3fcc57f10 jdk8u302-b00 d24969e49a6af3353c84b9a0f9aedd4736156b66 jdk8u302-b01 8a152c8e9f14e3bdeebd7bf4e8eb2a6e8f9bbb7c jdk8u302-b02 +99e4a82f17e8debc5225d1c8834acdac673aa676 jdk8u302-b03 diff --git a/hotspot/make/aix/makefiles/defs.make b/hotspot/make/aix/makefiles/defs.make index 64746ab67d5..b12c9c8df22 100644 --- a/hotspot/make/aix/makefiles/defs.make +++ b/hotspot/make/aix/makefiles/defs.make @@ -1,5 +1,5 @@ # -# Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2006, 2021, Oracle and/or its affiliates. All rights reserved. # Copyright 2012, 2013 SAP AG. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # 
@@ -142,36 +142,28 @@ ifeq ($(JDK6_OR_EARLIER),0) OBJCOPY=$(shell test -x $(ALT_OBJCOPY) && echo $(ALT_OBJCOPY)) endif - ifeq ($(OBJCOPY),) - _JUNK_ := $(shell \ - echo >&2 "INFO: no objcopy cmd found so cannot create .debuginfo files. You may need to set ALT_OBJCOPY.") - ENABLE_FULL_DEBUG_SYMBOLS=0 - _JUNK_ := $(shell \ - echo >&2 "INFO: ENABLE_FULL_DEBUG_SYMBOLS=$(ENABLE_FULL_DEBUG_SYMBOLS)") - else - _JUNK_ := $(shell \ - echo >&2 "INFO: $(OBJCOPY) cmd found so will create .debuginfo files.") - - # Library stripping policies for .debuginfo configs: - # all_strip - strips everything from the library - # min_strip - strips most stuff from the library; leaves minimum symbols - # no_strip - does not strip the library at all - # - # Oracle security policy requires "all_strip". A waiver was granted on - # 2011.09.01 that permits using "min_strip" in the Java JDK and Java JRE. - # - # Currently, STRIP_POLICY is only used when Full Debug Symbols is enabled. - # - STRIP_POLICY ?= min_strip - - _JUNK_ := $(shell \ - echo >&2 "INFO: STRIP_POLICY=$(STRIP_POLICY)") - - ZIP_DEBUGINFO_FILES ?= 1 - - _JUNK_ := $(shell \ - echo >&2 "INFO: ZIP_DEBUGINFO_FILES=$(ZIP_DEBUGINFO_FILES)") - endif + _JUNK_ := $(shell \ + echo >&2 "INFO: AIX .debuginfo files will be produced by copying debug object.") + + # Library stripping policies for .debuginfo configs: + # all_strip - strips everything from the library + # min_strip - strips most stuff from the library; leaves minimum symbols + # no_strip - does not strip the library at all + # + # Oracle security policy requires "all_strip". A waiver was granted on + # 2011.09.01 that permits using "min_strip" in the Java JDK and Java JRE. + # + # Currently, STRIP_POLICY is only used when Full Debug Symbols is enabled. 
+ # + STRIP_POLICY ?= min_strip + + _JUNK_ := $(shell \ + echo >&2 "INFO: STRIP_POLICY=$(STRIP_POLICY)") + + ZIP_DEBUGINFO_FILES ?= 1 + + _JUNK_ := $(shell \ + echo >&2 "INFO: ZIP_DEBUGINFO_FILES=$(ZIP_DEBUGINFO_FILES)") endif # ENABLE_FULL_DEBUG_SYMBOLS=1 endif # BUILD_FLAVOR endif # JDK_6_OR_EARLIER @@ -185,13 +177,13 @@ EXPORT_LIST += $(EXPORT_DOCS_DIR)/platform/jvmti/jvmti.html # client and server subdirectories have symbolic links to ../libjsig.so EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/libjsig.$(LIBRARY_SUFFIX) -#ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) -# ifeq ($(ZIP_DEBUGINFO_FILES),1) -# EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/libjsig.diz -# else -# EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/libjsig.debuginfo -# endif -#endif +ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) + ifeq ($(ZIP_DEBUGINFO_FILES),1) + EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/libjsig.diz + else + EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/libjsig.debuginfo + endif +endif EXPORT_SERVER_DIR = $(EXPORT_JRE_LIB_ARCH_DIR)/server EXPORT_CLIENT_DIR = $(EXPORT_JRE_LIB_ARCH_DIR)/client EXPORT_MINIMAL_DIR = $(EXPORT_JRE_LIB_ARCH_DIR)/minimal 
@@ -199,25 +191,25 @@ EXPORT_MINIMAL_DIR = $(EXPORT_JRE_LIB_ARCH_DIR)/minimal ifeq ($(findstring true, $(JVM_VARIANT_SERVER) $(JVM_VARIANT_ZERO) $(JVM_VARIANT_ZEROSHARK) $(JVM_VARIANT_CORE)), true) EXPORT_LIST += $(EXPORT_SERVER_DIR)/Xusage.txt EXPORT_LIST += $(EXPORT_SERVER_DIR)/libjvm.$(LIBRARY_SUFFIX) -# ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) -# ifeq ($(ZIP_DEBUGINFO_FILES),1) -# EXPORT_LIST += $(EXPORT_SERVER_DIR)/libjvm.diz -# else -# EXPORT_LIST += $(EXPORT_SERVER_DIR)/libjvm.debuginfo -# endif -# endif + ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) + ifeq ($(ZIP_DEBUGINFO_FILES),1) + EXPORT_LIST += $(EXPORT_SERVER_DIR)/libjvm.diz + else + EXPORT_LIST += $(EXPORT_SERVER_DIR)/libjvm.debuginfo + endif + endif endif ifeq ($(JVM_VARIANT_CLIENT),true) EXPORT_LIST += $(EXPORT_CLIENT_DIR)/Xusage.txt EXPORT_LIST += $(EXPORT_CLIENT_DIR)/libjvm.$(LIBRARY_SUFFIX) -# ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) -# ifeq ($(ZIP_DEBUGINFO_FILES),1) -# EXPORT_LIST += $(EXPORT_CLIENT_DIR)/libjvm.diz -# else -# EXPORT_LIST += $(EXPORT_CLIENT_DIR)/libjvm.debuginfo -# endif -# endif + ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) + ifeq ($(ZIP_DEBUGINFO_FILES),1) + EXPORT_LIST += $(EXPORT_CLIENT_DIR)/libjvm.diz + else + EXPORT_LIST += $(EXPORT_CLIENT_DIR)/libjvm.debuginfo + endif + endif endif # Serviceability Binaries diff --git a/hotspot/make/aix/makefiles/jsig.make b/hotspot/make/aix/makefiles/jsig.make index ae453f2d9ef..688f416ca41 100644 --- a/hotspot/make/aix/makefiles/jsig.make +++ b/hotspot/make/aix/makefiles/jsig.make @@ -1,5 +1,5 @@ # -# Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved. # Copyright 2012, 2013 SAP AG. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # 
@@ -64,9 +64,9 @@ $(LIBJSIG): $(JSIGSRCDIR)/jsig.c $(LIBJSIG_MAPFILE) $(QUIETLY) $(CXX) $(SYMFLAG) $(ARCHFLAG) $(SHARED_FLAG) $(PICFLAG) \ $(LFLAGS_JSIG) $(JSIG_DEBUG_CFLAGS) $(JSIG_OPT_FLAGS) -o $@ $< -ldl -#ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) -# $(QUIETLY) $(OBJCOPY) --only-keep-debug $@ $(LIBJSIG_DEBUGINFO) -# $(QUIETLY) $(OBJCOPY) --add-gnu-debuglink=$(LIBJSIG_DEBUGINFO) $@ +ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) + # AIX produces .debuginfo from copy of -g compiled object prior to strip + $(QUIETLY) $(CP) $@ $(LIBJSIG_DEBUGINFO) # ifeq ($(STRIP_POLICY),all_strip) # $(QUIETLY) $(STRIP) $@ # else @@ -75,11 +75,13 @@ $(LIBJSIG): $(JSIGSRCDIR)/jsig.c $(LIBJSIG_MAPFILE) # # implied else here is no stripping at all # endif # endif -# ifeq ($(ZIP_DEBUGINFO_FILES),1) -# $(ZIPEXE) -q -y $(LIBJSIG_DIZ) $(LIBJSIG_DEBUGINFO) -# $(RM) $(LIBJSIG_DEBUGINFO) -# endif -#endif + ifneq ($(STRIP_POLICY),no_strip) + ifeq ($(ZIP_DEBUGINFO_FILES),1) + $(ZIPEXE) -q -y $(LIBJSIG_DIZ) $(LIBJSIG_DEBUGINFO) + $(RM) $(LIBJSIG_DEBUGINFO) + endif + endif +endif install_jsig: $(LIBJSIG) @echo "Copying $(LIBJSIG) to $(DEST_JSIG)" diff --git a/hotspot/make/aix/makefiles/saproc.make b/hotspot/make/aix/makefiles/saproc.make index d515ac2d8de..e829d90a55a 100644 --- a/hotspot/make/aix/makefiles/saproc.make +++ b/hotspot/make/aix/makefiles/saproc.make @@ -1,5 +1,5 @@ # -# Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved. # Copyright 2012, 2013 SAP AG. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # 
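Review bot: The zip step in the second jsig.make hunk is now guarded by `ifneq ($(STRIP_POLICY),no_strip)`, but the defs.make hunks in this commit add `libjsig.diz` and `libjvm.diz` to EXPORT_LIST whenever `ZIP_DEBUGINFO_FILES` is 1, with no STRIP_POLICY condition. With `STRIP_POLICY=no_strip` and the default `ZIP_DEBUGINFO_FILES ?= 1`, the export list names a .diz that this recipe does not create; whether that breaks the export step depends on rules outside the hunk. The vm.make hunk for LIBJVM carries the same guard, while saproc.make zips unconditionally. I would either drop the guard in both recipes or repeat it around the `.diz` entries in defs.make, and add a comment such as `# no_strip keeps the unzipped .debuginfo copy` if the guard stays.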
@@ -88,16 +88,16 @@ $(LIBSAPROC): $(SASRCFILES) $(SAMAPFILE) -o $@ \ -lthread_db ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) - $(QUIETLY) $(OBJCOPY) --only-keep-debug $@ $(LIBSAPROC_DEBUGINFO) - $(QUIETLY) $(OBJCOPY) --add-gnu-debuglink=$(LIBSAPROC_DEBUGINFO) $@ - ifeq ($(STRIP_POLICY),all_strip) - $(QUIETLY) $(STRIP) $@ - else - ifeq ($(STRIP_POLICY),min_strip) - $(QUIETLY) $(STRIP) -g $@ - # implied else here is no stripping at all - endif - endif + # AIX produces .debuginfo from copy of -g compiled object prior to strip + $(QUIETLY) $(CP) $@ $(LIBJSIG_DEBUGINFO) +# ifeq ($(STRIP_POLICY),all_strip) +# $(QUIETLY) $(STRIP) $@ +# else +# ifeq ($(STRIP_POLICY),min_strip) +# $(QUIETLY) $(STRIP) -g $@ +# # implied else here is no stripping at all +# endif +# endif ifeq ($(ZIP_DEBUGINFO_FILES),1) $(ZIPEXE) -q -y $(LIBSAPROC_DIZ) $(LIBSAPROC_DEBUGINFO) $(RM) $(LIBSAPROC_DEBUGINFO) diff --git a/hotspot/make/aix/makefiles/vm.make b/hotspot/make/aix/makefiles/vm.make index 35b8031f336..1b77de6d050 100644 --- a/hotspot/make/aix/makefiles/vm.make +++ b/hotspot/make/aix/makefiles/vm.make @@ -1,5 +1,5 @@ # -# Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 1999, 2021, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2012, 2020 SAP SE. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # @@ -329,9 +329,9 @@ $(LIBJVM): $(LIBJVM.o) $(LIBJVM_MAPFILE) $(LD_SCRIPT) # fi \ # } -#ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) -# $(QUIETLY) $(OBJCOPY) --only-keep-debug $@ $(LIBJVM_DEBUGINFO) -# $(QUIETLY) $(OBJCOPY) --add-gnu-debuglink=$(LIBJVM_DEBUGINFO) $@ +ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) + # AIX produces .debuginfo from copy of -g compiled object prior to strip + $(QUIETLY) $(CP) $@ $(LIBJVM_DEBUGINFO) # ifeq ($(STRIP_POLICY),all_strip) # $(QUIETLY) $(STRIP) $@ # else 
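Review bot: The new copy in the saproc.make recipe writes to `$(LIBJSIG_DEBUGINFO)`, but the zip and remove steps that follow operate on `$(LIBSAPROC_DEBUGINFO)`; this looks like a copy-paste from jsig.make. As written, the libsaproc debug copy lands on the libjsig debuginfo path and the zip step is handed a file this recipe never created. The line should read `$(QUIETLY) $(CP) $@ $(LIBSAPROC_DEBUGINFO)`. The hunk also comments out the strip commands that were active before, so STRIP_POLICY no longer changes the shipped library even though defs.make still carries the comment that policy requires stripping; if leaving the -g object unstripped on AIX is intended, a comment saying so belongs next to the commented-out block. The recipe itself starts outside the hunk.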
@@ -340,11 +340,13 @@ $(LIBJVM): $(LIBJVM.o) $(LIBJVM_MAPFILE) $(LD_SCRIPT) # # implied else here is no stripping at all # endif # endif -# ifeq ($(ZIP_DEBUGINFO_FILES),1) -# $(ZIPEXE) -q -y $(LIBJVM_DIZ) $(LIBJVM_DEBUGINFO) -# $(RM) $(LIBJVM_DEBUGINFO) -# endif -#endif + ifneq ($(STRIP_POLICY),no_strip) + ifeq ($(ZIP_DEBUGINFO_FILES),1) + $(ZIPEXE) -q -y $(LIBJVM_DIZ) $(LIBJVM_DEBUGINFO) + $(RM) $(LIBJVM_DEBUGINFO) + endif + endif +endif DEST_SUBDIR = $(JDK_LIBDIR)/$(VM_SUBDIR) DEST_JVM = $(DEST_SUBDIR)/$(LIBJVM) diff --git a/hotspot/src/share/vm/compiler/disassembler.cpp b/hotspot/src/share/vm/compiler/disassembler.cpp index a0246535ffd..dfdd5f77e79 100644 --- a/hotspot/src/share/vm/compiler/disassembler.cpp +++ b/hotspot/src/share/vm/compiler/disassembler.cpp @@ -89,7 +89,7 @@ bool Disassembler::load_library() { { // Match "jvm[^/]*" in jvm_path. const char* base = buf; - const char* p = strrchr(buf, '/'); + const char* p = strrchr(buf, *os::file_separator()); if (p != NULL) lib_offset = p - base + 1; p = strstr(p ? p : base, "jvm"); if (p != NULL) jvm_offset = p - base; @@ -114,7 +114,7 @@ bool Disassembler::load_library() { if (_library == NULL) { // 3. <home>/jre/lib/<arch>/hsdis-<arch>.so buf[lib_offset - 1] = '\0'; - const char* p = strrchr(buf, '/'); + const char* p = strrchr(buf, *os::file_separator()); if (p != NULL) { lib_offset = p - buf + 1; strcpy(&buf[lib_offset], hsdis_library_name); diff --git a/hotspot/src/share/vm/runtime/sharedRuntime.cpp b/hotspot/src/share/vm/runtime/sharedRuntime.cpp index 1eb732e08c3..5f540247f9b 100644 --- a/hotspot/src/share/vm/runtime/sharedRuntime.cpp +++ b/hotspot/src/share/vm/runtime/sharedRuntime.cpp 
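Review bot: In the second disassembler.cpp hunk the new `strrchr(buf, *os::file_separator())` sits directly under `buf[lib_offset - 1] = '\0';`, which runs on `_library == NULL` alone; if the first search found no separator, lib_offset keeps whatever initial value it was given outside the hunk and this write can land before the start of buf. Guarding the branch, for example `if (_library == NULL && lib_offset > 0) {`, would close that. The following `strcpy(&buf[lib_offset], hsdis_library_name)` is also unbounded; the size of buf is not visible here, so a length check against it is worth confirming. load_library() starts and ends outside both hunks.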
@@ -2634,8 +2634,8 @@ void AdapterHandlerLibrary::create_native_wrapper(methodHandle method) { BufferBlob* buf = buffer_blob(); // the temporary code buffer in CodeCache if (buf != NULL) { CodeBuffer buffer(buf); - double locs_buf[20]; - buffer.insts()->initialize_shared_locs((relocInfo*)locs_buf, sizeof(locs_buf) / sizeof(relocInfo)); + struct { double data[20]; } locs_buf; + buffer.insts()->initialize_shared_locs((relocInfo*)&locs_buf, sizeof(locs_buf) / sizeof(relocInfo)); MacroAssembler _masm(&buffer); // Fill in the signature array, for the calling-convention call. diff --git a/hotspot/src/share/vm/utilities/taskqueue.hpp b/hotspot/src/share/vm/utilities/taskqueue.hpp index a53a8919806..bc06caccb46 100644 --- a/hotspot/src/share/vm/utilities/taskqueue.hpp +++ b/hotspot/src/share/vm/utilities/taskqueue.hpp @@ -430,9 +430,7 @@ bool GenericTaskQueue<E, F, N>::pop_global(volatile E& t) { } template<class E, MEMFLAGS F, unsigned int N> -GenericTaskQueue<E, F, N>::~GenericTaskQueue() { - FREE_C_HEAP_ARRAY(E, _elems, F); -} +GenericTaskQueue<E, F, N>::~GenericTaskQueue() {} // OverflowTaskQueue is a TaskQueue that also includes an overflow stack for // elements that do not fit in the TaskQueue. diff --git a/jdk/.hgtags b/jdk/.hgtags index 9d89b85837e..15db2c43a32 100644 --- a/jdk/.hgtags +++ b/jdk/.hgtags @@ -1086,3 +1086,4 @@ d103481ecd91690051bbd06e4eb4d3f3b4938dfc jdk8u292-b08 7c8bbbfe6acbe08eadae04e1ec46d94e9f98b743 jdk8u302-b00 73584fe56769e5aefc6ecb752a4df786c03d6780 jdk8u302-b01 04fb823d2094591cc63418967b8cfcc1b23dc516 jdk8u302-b02 +0056610eefad4cffedcc1443efdff8145d2a0135 jdk8u302-b03 diff --git a/jdk/src/linux/classes/jdk/internal/platform/cgroupv1/SubSystem.java b/jdk/src/linux/classes/jdk/internal/platform/cgroupv1/SubSystem.java index 2dd605899fc..251815523f1 100644 --- a/jdk/src/linux/classes/jdk/internal/platform/cgroupv1/SubSystem.java +++ b/jdk/src/linux/classes/jdk/internal/platform/cgroupv1/SubSystem.java 
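Review bot: The switch from `double locs_buf[20]` to an anonymous struct in create_native_wrapper has no comment, and nothing in the hunk says what the wrapper is for, so a later cleanup could easily revert it. A short comment above the declaration stating the reason (for instance the compiler diagnostic it avoids, if that is the motive) and noting that `double` is presumably chosen to give the storage suitable alignment for the `relocInfo*` cast would help. The function body continues outside the hunk.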
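Review bot: After this change `~GenericTaskQueue()` is empty and `_elems` is no longer released with `FREE_C_HEAP_ARRAY`, and the hunk does not show any other place that frees it. If the array is deliberately left allocated, for example because queues live for the whole VM lifetime or another thread may still touch the storage, the destructor should say so in a comment such as `// _elems is intentionally not freed here` followed by the reason. Otherwise every destroyed queue leaks its element array.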
@@ -27,6 +27,7 @@ package jdk.internal.platform.cgroupv1; import java.io.BufferedReader; import java.io.IOException; +import java.math.BigInteger; import java.io.UncheckedIOException; import java.nio.file.Files; import java.nio.file.Path; @@ -156,7 +157,18 @@ public class SubSystem { public static long convertStringToLong(String strval) { if (strval == null) return 0L; - long retval = Long.parseLong(strval); + long retval = 0; + + try { + retval = Long.parseLong(strval); + } catch (NumberFormatException e) { + // For some properties (e.g. memory.limit_in_bytes) we may overflow the range of signed long. + // In this case, return Long.max + BigInteger b = new BigInteger(strval); + if (b.compareTo(BigInteger.valueOf(Long.MAX_VALUE)) > 0) { + return Long.MAX_VALUE; + } + } return retval; } diff --git a/jdk/src/share/classes/sun/security/jca/Providers.java b/jdk/src/share/classes/sun/security/jca/Providers.java index b0c39bf12d3..a7c6c2caecb 100644 --- a/jdk/src/share/classes/sun/security/jca/Providers.java +++ b/jdk/src/share/classes/sun/security/jca/Providers.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -86,6 +86,7 @@ public class Providers { // Note: SunEC *is* in a signed JAR file, but it's not signed // by EC itself. So it's still safe to be listed here. "sun.security.ec.SunEC", + "com.sun.crypto.provider.SunJCE", BACKUP_PROVIDER_CLASSNAME, }; diff --git a/jdk/src/share/classes/sun/security/ssl/CertificateAuthoritiesExtension.java b/jdk/src/share/classes/sun/security/ssl/CertificateAuthoritiesExtension.java new file mode 100644 index 00000000000..ff0561b2ad3 --- /dev/null +++ b/jdk/src/share/classes/sun/security/ssl/CertificateAuthoritiesExtension.java 
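Review bot: The fallback in convertStringToLong only clamps values above Long.MAX_VALUE; a string that BigInteger parses but that is not larger than that (for instance one below Long.MIN_VALUE) falls out of the catch block and returns 0, which a caller could read as a real limit of zero. Adding `if (b.compareTo(BigInteger.valueOf(Long.MIN_VALUE)) < 0) { return Long.MIN_VALUE; }` keeps the clamping symmetric. Note also that `new BigInteger(strval)` throws NumberFormatException itself for non-numeric text, so that exception still escapes from inside the handler; a comment stating that this is intended would help. The comment's `Long.max` should read `Long.MAX_VALUE`.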
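Review bot: The new `"com.sun.crypto.provider.SunJCE"` entry in Providers.java has no comment, unlike the SunEC entry above it, which explains why listing that provider is still safe. Since membership in this list appears to decide which providers are used while JAR signatures are being verified (the array's declaration is outside the hunk), the reason SunJCE qualifies should be recorded next to it, for example `// SunJCE is needed for <algorithm> during JAR verification and is loaded from the boot class path`, with the actual algorithm and loading guarantee filled in by the author.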
@@ -0,0 +1,406 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.ssl; + +import java.io.IOException; +import java.nio.ByteBuffer; +import java.security.cert.X509Certificate; +import java.text.MessageFormat; +import java.util.*; +import javax.net.ssl.SSLProtocolException; +import javax.security.auth.x500.X500Principal; +import sun.security.ssl.SSLExtension.ExtensionConsumer; +import sun.security.ssl.SSLExtension.SSLExtensionSpec; +import sun.security.ssl.SSLHandshake.HandshakeMessage; + +/** + * Pack of the "certificate_authorities" extensions. 
+ */ +final class CertificateAuthoritiesExtension { + static final HandshakeProducer chNetworkProducer = + new CHCertificateAuthoritiesProducer(); + static final ExtensionConsumer chOnLoadConsumer = + new CHCertificateAuthoritiesConsumer(); + + static final HandshakeProducer crNetworkProducer = + new CRCertificateAuthoritiesProducer(); + static final ExtensionConsumer crOnLoadConsumer = + new CRCertificateAuthoritiesConsumer(); + + static final SSLStringizer ssStringizer = + new CertificateAuthoritiesStringizer(); + + /** + * The "certificate_authorities" extension. + */ + static final class CertificateAuthoritiesSpec implements SSLExtensionSpec { + final List<byte[]> authorities; // certificate authorities + + private CertificateAuthoritiesSpec(List<byte[]> authorities) { + this.authorities = authorities; + } + + private CertificateAuthoritiesSpec(ByteBuffer m) throws IOException { + if (m.remaining() < 3) { // 2: the length of the list + // 1: at least one byte authorities + throw new SSLProtocolException( + "Invalid certificate_authorities extension: " + + "insufficient data"); + } + + int listLen = Record.getInt16(m); + if (listLen == 0) { + throw new SSLProtocolException( + "Invalid certificate_authorities extension: " + + "no certificate authorities"); + } + + if (listLen > m.remaining()) { + throw new SSLProtocolException( + "Invalid certificate_authorities extension: " + + "insufficient data"); + } + + this.authorities = new LinkedList<>(); + while (listLen > 0) { + // opaque DistinguishedName<1..2^16-1>; + byte[] encoded = Record.getBytes16(m); + listLen -= (2 + encoded.length); + authorities.add(encoded); + } + } + + private static List<byte[]> getEncodedAuthorities( + X509Certificate[] trustedCerts) { + List<byte[]> authorities = new ArrayList<>(trustedCerts.length); + int sizeAccount = 0; + for (X509Certificate cert : trustedCerts) { + X500Principal x500Principal = cert.getSubjectX500Principal(); + byte[] encodedPrincipal = x500Principal.getEncoded(); + 
sizeAccount += encodedPrincipal.length; + if (sizeAccount > 0xFFFF) { // the size limit of this extension + // If there too many trusts CAs such that they exceed the + // size limit of the extension, enabling this extension + // does not really make sense as there is no way to + // indicate the peer certificate selection accurately. + // In such cases, the extension is just ignored, rather + // than fatal close, for better compatibility and + // interoperability. + return Collections.emptyList(); + } + + if (encodedPrincipal.length != 0) { + authorities.add(encodedPrincipal); + } + } + + return authorities; + } + + X500Principal[] getAuthorities() { + X500Principal[] principals = new X500Principal[authorities.size()]; + int i = 0; + for (byte[] encoded : authorities) { + principals[i++] = new X500Principal(encoded); + } + + return principals; + } + + @Override + public String toString() { + MessageFormat messageFormat = new MessageFormat( + "\"certificate authorities\": '['\n{0}']'", Locale.ENGLISH); + StringBuilder builder = new StringBuilder(512); + for (byte[] encoded : authorities) { + X500Principal principal = new X500Principal(encoded); + builder.append(principal.toString()); + builder.append("\n"); + } + Object[] messageFields = { + Utilities.indent(builder.toString()) + }; + + return messageFormat.format(messageFields); + } + } + + private static final + class CertificateAuthoritiesStringizer implements SSLStringizer { + @Override + public String toString(ByteBuffer buffer) { + try { + return (new CertificateAuthoritiesSpec(buffer)) + .toString(); + } catch (IOException ioe) { + // For debug logging only, so please swallow exceptions. + return ioe.getMessage(); + } + } + } + + /** + * Network data producer of a "certificate_authorities" extension in + * the ClientHello handshake message. + */ + private static final + class CHCertificateAuthoritiesProducer implements HandshakeProducer { + + // Prevent instantiation of this class. 
+ private CHCertificateAuthoritiesProducer() { + // blank + } + + @Override + public byte[] produce(ConnectionContext context, + HandshakeMessage message) throws IOException { + // The producing happens in client side only. + ClientHandshakeContext chc = (ClientHandshakeContext)context; + + // Is it a supported and enabled extension? + if (!chc.sslConfig.isAvailable( + SSLExtension.CH_CERTIFICATE_AUTHORITIES)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unavailable " + + "certificate_authorities extension"); + } + + return null; // ignore the extension + } + + // Produce the extension. + X509Certificate[] caCerts = + chc.sslContext.getX509TrustManager().getAcceptedIssuers(); + if (caCerts.length == 0) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "No available certificate authorities"); + } + + return null; // ignore the extension + } + + List<byte[]> encodedCAs = + CertificateAuthoritiesSpec.getEncodedAuthorities(caCerts); + if (encodedCAs.isEmpty()) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "The number of CAs exceeds the maximum size" + + "of the certificate_authorities extension"); + } + + return null; // ignore the extension + } + + CertificateAuthoritiesSpec spec = + new CertificateAuthoritiesSpec(encodedCAs); + + int vectorLen = 0; + for (byte[] encoded : spec.authorities) { + vectorLen += encoded.length + 2; + } + + byte[] extData = new byte[vectorLen + 2]; + ByteBuffer m = ByteBuffer.wrap(extData); + Record.putInt16(m, vectorLen); + for (byte[] encoded : spec.authorities) { + Record.putBytes16(m, encoded); + } + + // Update the context. + chc.handshakeExtensions.put( + SSLExtension.CH_CERTIFICATE_AUTHORITIES, spec); + + return extData; + } + } + + /** + * Network data consumer of a "certificate_authorities" extension in + * the ClientHello handshake message. 
+ */ + private static final + class CHCertificateAuthoritiesConsumer implements ExtensionConsumer { + + // Prevent instantiation of this class. + private CHCertificateAuthoritiesConsumer() { + // blank + } + + @Override + public void consume(ConnectionContext context, + HandshakeMessage message, ByteBuffer buffer) throws IOException { + + // The consuming happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + + // Is it a supported and enabled extension? + if (!shc.sslConfig.isAvailable( + SSLExtension.CH_CERTIFICATE_AUTHORITIES)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unavailable " + + "certificate_authorities extension"); + } + + return; // ignore the extension + } + + // Parse the extension. + CertificateAuthoritiesSpec spec = + new CertificateAuthoritiesSpec(buffer); + + // Update the context. + shc.peerSupportedAuthorities = spec.getAuthorities(); + shc.handshakeExtensions.put( + SSLExtension.CH_CERTIFICATE_AUTHORITIES, spec); + + // No impact on session resumption. + } + } + + /** + * Network data producer of a "certificate_authorities" extension in + * the CertificateRequest handshake message. + */ + private static final + class CRCertificateAuthoritiesProducer implements HandshakeProducer { + + // Prevent instantiation of this class. + private CRCertificateAuthoritiesProducer() { + // blank + } + + @Override + public byte[] produce(ConnectionContext context, + HandshakeMessage message) throws IOException { + // The producing happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + + // Is it a supported and enabled extension? + if (!shc.sslConfig.isAvailable( + SSLExtension.CR_CERTIFICATE_AUTHORITIES)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unavailable " + + "certificate_authorities extension"); + } + + return null; // ignore the extension + } + + // Produce the extension. 
+ X509Certificate[] caCerts = + shc.sslContext.getX509TrustManager().getAcceptedIssuers(); + if (caCerts.length == 0) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "No available certificate authorities"); + } + + return null; // ignore the extension + } + + List<byte[]> encodedCAs = + CertificateAuthoritiesSpec.getEncodedAuthorities(caCerts); + if (encodedCAs.isEmpty()) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "Too many certificate authorities to use " + + "the certificate_authorities extension"); + } + + return null; // ignore the extension + } + + CertificateAuthoritiesSpec spec = + new CertificateAuthoritiesSpec(encodedCAs); + + int vectorLen = 0; + for (byte[] encoded : spec.authorities) { + vectorLen += encoded.length + 2; + } + + byte[] extData = new byte[vectorLen + 2]; + ByteBuffer m = ByteBuffer.wrap(extData); + Record.putInt16(m, vectorLen); + for (byte[] encoded : spec.authorities) { + Record.putBytes16(m, encoded); + } + + // Update the context. + shc.handshakeExtensions.put( + SSLExtension.CR_CERTIFICATE_AUTHORITIES, spec); + + return extData; + } + } + + /** + * Network data consumer of a "certificate_authorities" extension in + * the CertificateRequest handshake message. + */ + private static final + class CRCertificateAuthoritiesConsumer implements ExtensionConsumer { + + // Prevent instantiation of this class. + private CRCertificateAuthoritiesConsumer() { + // blank + } + + @Override + public void consume(ConnectionContext context, + HandshakeMessage message, ByteBuffer buffer) throws IOException { + + // The consuming happens in client side only. + ClientHandshakeContext chc = (ClientHandshakeContext)context; + + // Is it a supported and enabled extension? 
+ if (!chc.sslConfig.isAvailable( + SSLExtension.CR_CERTIFICATE_AUTHORITIES)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unavailable " + + "certificate_authorities extension"); + } + + return; // ignore the extension + } + + // Parse the extension. + CertificateAuthoritiesSpec spec = + new CertificateAuthoritiesSpec(buffer); + + // Update the context. + chc.peerSupportedAuthorities = spec.getAuthorities(); + chc.handshakeExtensions.put( + SSLExtension.CR_CERTIFICATE_AUTHORITIES, spec); + + // No impact on session resumption. + } + } +} diff --git a/jdk/src/share/classes/sun/security/ssl/CertificateRequest.java b/jdk/src/share/classes/sun/security/ssl/CertificateRequest.java index 6c6c9449682..4bef1eabb86 100644 --- a/jdk/src/share/classes/sun/security/ssl/CertificateRequest.java +++ b/jdk/src/share/classes/sun/security/ssl/CertificateRequest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -200,14 +200,13 @@ final class CertificateRequest { } X500Principal[] getAuthorities() { - List<X500Principal> principals = - new ArrayList<>(authorities.size()); + X500Principal[] principals = new X500Principal[authorities.size()]; + int i = 0; for (byte[] encoded : authorities) { - X500Principal principal = new X500Principal(encoded); - principals.add(principal); + principals[i++] = new X500Principal(encoded); } - return principals.toArray(new X500Principal[0]); + return principals; } @Override 
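Review bot: The parsing loop in the `CertificateAuthoritiesSpec(ByteBuffer)` constructor never checks that each DistinguishedName stays inside the declared list: an entry longer than the remaining `listLen` just drives it negative and ends the loop, and a zero-length entry is accepted although the comment gives the range as 1..2^16-1. Since this runs on peer-supplied bytes I would reject both cases explicitly, as in the excerpt below. On the producing side, `getEncodedAuthorities` compares only the sum of the encoded names with 0xFFFF, while both producers later add 2 bytes per entry to `vectorLen` before `Record.putInt16(m, vectorLen)`, so a large trust store can pass the check and still exceed what a 16-bit length can carry; counting `encodedPrincipal.length + 2` in `sizeAccount` would fix that. `getAuthorities()` also builds `X500Principal` objects from the received bytes, and that constructor throws IllegalArgumentException on a malformed encoding, which is not an IOException and would leave `consume` as an unchecked exception.

```java
while (listLen > 0) {
    // … unchanged: encoded = Record.getBytes16(m); listLen -= (2 + encoded.length); …
    if (encoded.length == 0 || listLen < 0) {
        // Entry is empty or runs past the declared list length.
        throw new SSLProtocolException(
            "Invalid certificate_authorities extension: " +
            "malformed DistinguishedName entry");
    }
    // … unchanged: authorities.add(encoded); …
}
```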
@@ -504,14 +503,13 @@ final class CertificateRequest { } X500Principal[] getAuthorities() { - List<X500Principal> principals = - new ArrayList<>(authorities.size()); + X500Principal[] principals = new X500Principal[authorities.size()]; + int i = 0; for (byte[] encoded : authorities) { - X500Principal principal = new X500Principal(encoded); - principals.add(principal); + principals[i++] = new X500Principal(encoded); } - return principals.toArray(new X500Principal[0]); + return principals; } @Override diff --git a/jdk/src/share/classes/sun/security/ssl/SSLEngineInputRecord.java b/jdk/src/share/classes/sun/security/ssl/SSLEngineInputRecord.java index 7b34cfe5641..6016cdbfe9c 100644 --- a/jdk/src/share/classes/sun/security/ssl/SSLEngineInputRecord.java +++ b/jdk/src/share/classes/sun/security/ssl/SSLEngineInputRecord.java @@ -287,8 +287,15 @@ final class SSLEngineInputRecord extends InputRecord implements SSLRecord { } handshakeFrag.mark(); - // skip the first byte: handshake type + + // Fail fast for unknown handshake message. byte handshakeType = handshakeFrag.get(); + if (!SSLHandshake.isKnown(handshakeType)) { + throw new SSLProtocolException( + "Unknown handshake type size, Handshake.msg_type = " + + (handshakeType & 0xFF)); + } + int handshakeBodyLen = Record.getInt24(handshakeFrag); if (handshakeBodyLen > SSLConfiguration.maxHandshakeMessageSize) { throw new SSLProtocolException( diff --git a/jdk/src/share/classes/sun/security/ssl/SSLExtension.java b/jdk/src/share/classes/sun/security/ssl/SSLExtension.java index 1b4fa7b937a..a4b14c08499 100644 --- a/jdk/src/share/classes/sun/security/ssl/SSLExtension.java +++ b/jdk/src/share/classes/sun/security/ssl/SSLExtension.java 
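Review bot: The exception text added in this SSLEngineInputRecord hunk reads "Unknown handshake type size", but the check is on the message type, not on a size; the word looks carried over from the length check that follows. Anyone reading a handshake failure in the logs would be pointed at the wrong field, so I would change it to `"Unknown handshake type, Handshake.msg_type = " +`. The same string is added in the SSLSocketInputRecord hunk at `@@ -302,8 +302,15 @@` and should change with it. The enclosing method starts and ends outside the hunk.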
@@ -387,7 +387,27 @@ enum SSLExtension implements SSLStringizer { null, PskKeyExchangeModesExtension.chOnTradeAbsence, PskKeyExchangeModesExtension.pkemStringizer), - CERTIFICATE_AUTHORITIES (0x002F, "certificate_authorities"), + + CH_CERTIFICATE_AUTHORITIES (0x002F, "certificate_authorities", + SSLHandshake.CLIENT_HELLO, + ProtocolVersion.PROTOCOLS_OF_13, + CertificateAuthoritiesExtension.chNetworkProducer, + CertificateAuthoritiesExtension.chOnLoadConsumer, + null, + null, + null, + CertificateAuthoritiesExtension.ssStringizer), + + CR_CERTIFICATE_AUTHORITIES (0x002F, "certificate_authorities", + SSLHandshake.CERTIFICATE_REQUEST, + ProtocolVersion.PROTOCOLS_OF_13, + CertificateAuthoritiesExtension.crNetworkProducer, + CertificateAuthoritiesExtension.crOnLoadConsumer, + null, + null, + null, + CertificateAuthoritiesExtension.ssStringizer), + OID_FILTERS (0x0030, "oid_filters"), POST_HANDSHAKE_AUTH (0x0030, "post_handshake_auth"), 
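Review bot: The two context lines directly below the new CH_/CR_CERTIFICATE_AUTHORITIES entries give `OID_FILTERS` and `POST_HANDSHAKE_AUTH` the same id, 0x0030. RFC 8446 assigns oid_filters 48 (0x0030) and post_handshake_auth 49 (0x0031). This is unchanged context rather than something the commit introduces, but since the neighbouring 0x002F entry is being split here it is a good moment to correct it: `POST_HANDSHAKE_AUTH (0x0031, "post_handshake_auth"),`. How extensions are looked up by id is not visible in this hunk, so the practical effect is not certain from here.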
@@ -683,6 +703,50 @@ enum SSLExtension implements SSLStringizer { extensions.remove(CH_MAX_FRAGMENT_LENGTH); } + // To switch on certificate_authorities extension in ClientHello. + // + // Note: Please be careful to enable this extension in ClientHello. + // + // In practice, if the server certificate cannot be validated by + // the underlying programs, the user may manually check the + // certificate in order to access the service. The certificate + // could be accepted manually, and the handshake continues. For + // example, the browsers provide the manual option to accept + // untrusted server certificate. If this extension is enabled in + // the ClientHello handshake message, and the server's certificate + // does not chain back to any of the CAs in the extension, then the + // server will terminate the handshake and close the connection. + // There is no chance for the client to perform the manual check. + // Therefore, enabling this extension in ClientHello may lead to + // unexpected compatibility issues for such cases. + // + // According to TLS 1.3 specification [RFC 8446] the maximum size + // of the certificate_authorities extension is 2^16 bytes. The + // maximum TLS record size is 2^14 bytes. If the handshake + // message is bigger than maximum TLS record size, it should be + // splitted into several records. In fact, some server + // implementations do not allow ClientHello messages bigger than + // the maximum TLS record size and will immediately abort the + // connection with a fatal alert. Therefore, if the client trusts + // too many certificate authorities, there may be unexpected + // interoperability issues. + // + // Furthermore, if the client trusts more CAs such that it exceeds + // the size limit of the extension, enabling this extension in + // client side does not really make sense any longer as there is + // no way to indicate the server certificate selection accurately. 
+ // + // In general, a server does not use multiple certificates issued + // from different CAs. It is not expected to use this extension a + // lot in practice. When there is a need to use this extension + // in ClientHello handshake message, please take care of the + // potential compatibility and interoperability issues above. + enableExtension = Utilities.getBooleanProperty( + "jdk.tls.client.enableCAExtension", false); + if (!enableExtension) { + extensions.remove(CH_CERTIFICATE_AUTHORITIES); + } + defaults = Collections.unmodifiableCollection(extensions); } } diff --git a/jdk/src/share/classes/sun/security/ssl/SSLHandshake.java b/jdk/src/share/classes/sun/security/ssl/SSLHandshake.java index a7c4b1b87a5..ee632a4545e 100644 --- a/jdk/src/share/classes/sun/security/ssl/SSLHandshake.java +++ b/jdk/src/share/classes/sun/security/ssl/SSLHandshake.java @@ -478,6 +478,16 @@ enum SSLHandshake implements SSLConsumer, HandshakeProducer { return "UNKNOWN-HANDSHAKE-MESSAGE(" + id + ")"; } + static boolean isKnown(byte id) { + for (SSLHandshake hs : SSLHandshake.values()) { + if (hs.id == id && id != NOT_APPLICABLE.id) { + return true; + } + } + + return false; + } + static final void kickstart(HandshakeContext context) throws IOException { if (context instanceof ClientHandshakeContext) { // For initial handshaking, including session resumption, diff --git a/jdk/src/share/classes/sun/security/ssl/SSLSocketInputRecord.java b/jdk/src/share/classes/sun/security/ssl/SSLSocketInputRecord.java index 04f7a19e65d..401822759d8 100644 --- a/jdk/src/share/classes/sun/security/ssl/SSLSocketInputRecord.java +++ b/jdk/src/share/classes/sun/security/ssl/SSLSocketInputRecord.java 
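Review bot: `isKnown` in the SSLHandshake hunk has no comment, and it re-evaluates the loop-invariant test `id != NOT_APPLICABLE.id` on every iteration. Since both input-record classes now call it on the first byte of each handshake fragment, a guard before the loop is clearer: `if (id == NOT_APPLICABLE.id) { return false; }`, leaving `if (hs.id == id) { return true; }` inside. A one-line doc comment would also help, e.g. `// True if id is a defined handshake message type; the NOT_APPLICABLE placeholder is never accepted from the wire.`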
@@ -302,8 +302,15 @@ final class SSLSocketInputRecord extends InputRecord implements SSLRecord { } handshakeFrag.mark(); - // skip the first byte: handshake type + + // Fail fast for unknown handshake message. byte handshakeType = handshakeFrag.get(); + if (!SSLHandshake.isKnown(handshakeType)) { + throw new SSLProtocolException( + "Unknown handshake type size, Handshake.msg_type = " + + (handshakeType & 0xFF)); + } + int handshakeBodyLen = Record.getInt24(handshakeFrag); if (handshakeBodyLen > SSLConfiguration.maxHandshakeMessageSize) { throw new SSLProtocolException( diff --git a/jdk/src/share/classes/sun/security/ssl/X509Authentication.java b/jdk/src/share/classes/sun/security/ssl/X509Authentication.java index aa0141914fa..abf998e76ca 100644 --- a/jdk/src/share/classes/sun/security/ssl/X509Authentication.java +++ b/jdk/src/share/classes/sun/security/ssl/X509Authentication.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -199,12 +199,14 @@ enum X509Authentication implements SSLAuthentication { if (chc.conContext.transport instanceof SSLSocketImpl) { clientAlias = km.chooseClientAlias( new String[] { keyType }, - chc.peerSupportedAuthorities, + chc.peerSupportedAuthorities == null ? null : + chc.peerSupportedAuthorities.clone(), (SSLSocket)chc.conContext.transport); } else if (chc.conContext.transport instanceof SSLEngineImpl) { clientAlias = km.chooseEngineClientAlias( new String[] { keyType }, - chc.peerSupportedAuthorities, + chc.peerSupportedAuthorities == null ? null : + chc.peerSupportedAuthorities.clone(), (SSLEngine)chc.conContext.transport); } 
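Review bot: The null-check-and-clone expression for `chc.peerSupportedAuthorities` in the X509Authentication hunk at `@@ -199,12 +199,14 @@` is written out twice, once per transport branch, and the server-side hunk at `@@ -253,10 +255,14 @@` repeats the pattern with `shc`. Only one branch runs, so the copy can be computed once into a local before the `instanceof` checks and passed to both calls. A comment stating the reason would also help the next reader, presumably something like `// Pass a copy so the key manager cannot modify the array held by the handshake context.` The enclosing methods start and end outside both hunks.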
@@ -253,10 +255,14 @@ enum X509Authentication implements SSLAuthentication { String serverAlias = null; if (shc.conContext.transport instanceof SSLSocketImpl) { serverAlias = km.chooseServerAlias(keyType, - null, (SSLSocket)shc.conContext.transport); + shc.peerSupportedAuthorities == null ? null : + shc.peerSupportedAuthorities.clone(), + (SSLSocket)shc.conContext.transport); } else if (shc.conContext.transport instanceof SSLEngineImpl) { serverAlias = km.chooseEngineServerAlias(keyType, - null, (SSLEngine)shc.conContext.transport); + shc.peerSupportedAuthorities == null ? null : + shc.peerSupportedAuthorities.clone(), + (SSLEngine)shc.conContext.transport); } if (serverAlias == null) { diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java index 2ce57232013..fcc77786da1 100644 --- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -39,6 +39,7 @@ import java.security.cert.X509Certificate; import java.text.Collator; import java.util.Locale; +import java.util.ResourceBundle; /** * <p> This class provides several utilities to <code>KeyStore</code>. @@ -53,12 +54,6 @@ public class KeyStoreUtil { private static final String JKS = "jks"; - private static final Collator collator = Collator.getInstance(); - static { - // this is for case insensitive string comparisons - collator.setStrength(Collator.PRIMARY); - }; - /** * Returns true if the certificate is self-signed, false otherwise. */ 
@@ -123,7 +118,8 @@ public class KeyStoreUtil { } public static char[] getPassWithModifier(String modifier, String arg, - java.util.ResourceBundle rb) { + ResourceBundle rb, + Collator collator) { if (modifier == null) { return arg.toCharArray(); } else if (collator.compare(modifier, "env") == 0) { diff --git a/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java b/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java index 557d5830872..0b45f77dcc2 100644 --- a/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java +++ b/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -521,7 +521,8 @@ public class Main { } static char[] getPass(String modifier, String arg) { - char[] output = KeyStoreUtil.getPassWithModifier(modifier, arg, rb); + char[] output = + KeyStoreUtil.getPassWithModifier(modifier, arg, rb, collator); if (output != null) return output; usage(); return null; // Useless, usage() already exit diff --git a/jdk/src/share/classes/sun/security/tools/keytool/Main.java b/jdk/src/share/classes/sun/security/tools/keytool/Main.java index b9b255455f8..089960c3a95 100644 --- a/jdk/src/share/classes/sun/security/tools/keytool/Main.java +++ b/jdk/src/share/classes/sun/security/tools/keytool/Main.java @@ -4526,7 +4526,8 @@ public final class Main { } private char[] getPass(String modifier, String arg) { - char[] output = KeyStoreUtil.getPassWithModifier(modifier, arg, rb); + char[] output = + KeyStoreUtil.getPassWithModifier(modifier, arg, rb, collator); if (output != null) return output; tinyHelp(); return null; // Useless, tinyHelp() already exits. 
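Review bot: `getPassWithModifier` now takes its `Collator` from the caller, but nothing documents what that collator has to look like. The static initializer removed in the previous hunk set `Collator.PRIMARY` strength "for case insensitive string comparisons"; a caller that passes a default-strength collator would no longer match modifiers such as `"env"` when they are given in a different case. I would add Javadoc with `@param collator a non-null Collator set to PRIMARY strength, used to compare the modifier case-insensitively`. The method body continues outside the hunk.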
diff --git a/jdk/src/windows/native/sun/windows/awt_DnDDT.cpp b/jdk/src/windows/native/sun/windows/awt_DnDDT.cpp index 8739fc8f576..c3e45748bc1 100644 --- a/jdk/src/windows/native/sun/windows/awt_DnDDT.cpp +++ b/jdk/src/windows/native/sun/windows/awt_DnDDT.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -133,6 +133,7 @@ ULONG __stdcall AwtDropTarget::Release() { HRESULT __stdcall AwtDropTarget::DragEnter(IDataObject __RPC_FAR *pDataObj, DWORD grfKeyState, POINTL pt, DWORD __RPC_FAR *pdwEffect) { TRY; + AwtToolkit::GetInstance().isInDoDragDropLoop = TRUE; if (NULL != m_pIDropTargetHelper) { m_pIDropTargetHelper->DragEnter( m_window, @@ -152,6 +153,7 @@ HRESULT __stdcall AwtDropTarget::DragEnter(IDataObject __RPC_FAR *pDataObj, DWOR (IsLocalDnD() && !IsLocalDataObject(pDataObj))) { *pdwEffect = retEffect; + AwtToolkit::GetInstance().isInDoDragDropLoop = FALSE; return ret; } @@ -163,6 +165,7 @@ HRESULT __stdcall AwtDropTarget::DragEnter(IDataObject __RPC_FAR *pDataObj, DWOR } if (JNU_IsNull(env, m_dtcp) || !JNU_IsNull(env, safe_ExceptionOccurred(env))) { + AwtToolkit::GetInstance().isInDoDragDropLoop = FALSE; return ret; } @@ -188,10 +191,12 @@ HRESULT __stdcall AwtDropTarget::DragEnter(IDataObject __RPC_FAR *pDataObj, DWOR env->ExceptionDescribe(); env->ExceptionClear(); actions = java_awt_dnd_DnDConstants_ACTION_NONE; + AwtToolkit::GetInstance().isInDoDragDropLoop = FALSE; } } catch (std::bad_alloc&) { retEffect = ::convertActionsToDROPEFFECT(actions); *pdwEffect = retEffect; + AwtToolkit::GetInstance().isInDoDragDropLoop = FALSE; throw; } 
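Review bot: The new `isInDoDragDropLoop` flag is set at the top of `DragEnter` and then cleared by hand on each early exit in the three hunks that follow, so a return path added later would leave it TRUE. A comment at the set site would make the intended lifetime explicit, e.g. `// Cleared on every failure path below; on success it stays set until DropDone() or DragCleanup().` That lifetime is inferred from the later hunks for those two functions and should be confirmed. `DragEnter` extends beyond these hunks, so its normal return path is not visible here.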
@@ -405,6 +410,7 @@ void AwtDropTarget::DropDone(jboolean success, jint action) { m_dropSuccess = success; m_dropActions = action; AwtToolkit::GetInstance().QuitMessageLoop(AwtToolkit::EXIT_ENCLOSING_LOOP); + AwtToolkit::GetInstance().isInDoDragDropLoop = FALSE; } /** @@ -1119,6 +1125,7 @@ void AwtDropTarget::UnloadCache() { void AwtDropTarget::DragCleanup(void) { UnloadCache(); + AwtToolkit::GetInstance().isInDoDragDropLoop = FALSE; } BOOL AwtDropTarget::IsLocalDataObject(IDataObject __RPC_FAR *pDataObject) { diff --git a/jdk/test/java/rmi/activation/Activatable/shutdownGracefully/ShutdownGracefully.java b/jdk/test/java/rmi/activation/Activatable/shutdownGracefully/ShutdownGracefully.java index b6ede1d316a..f5c04829291 100644 --- a/jdk/test/java/rmi/activation/Activatable/shutdownGracefully/ShutdownGracefully.java +++ b/jdk/test/java/rmi/activation/Activatable/shutdownGracefully/ShutdownGracefully.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -22,7 +22,7 @@ */ /* @test - * @bug 4183169 + * @bug 4183169 8032050 * @summary Minor problem with the way ReliableLog handles IOExceptions. * * @author Laird Dornin; code borrowed from Ann Wollrath @@ -36,6 +36,7 @@ import java.rmi.activation.*; import java.rmi.*; import java.util.Properties; +import java.util.concurrent.TimeoutException; /** * The test creates an rmid with a special security manager. After @@ -51,7 +52,7 @@ import java.util.Properties; * (after that time, the test will fail). */ public class ShutdownGracefully - extends Activatable implements Runnable, RegisteringActivatable + extends Activatable implements RegisteringActivatable { private static RegisteringActivatable registering = null; 
@@ -61,6 +62,8 @@ public class ShutdownGracefully RMID rmid = null; + // Save exception if there is a exception or expected behavior + Exception exception = null; System.err.println("\nRegression test for bug/rfe 4183169\n"); try { 
@@ -132,101 +135,37 @@ public class ShutdownGracefully desc = new ActivationDesc(secondGroupID, "ShutdownGracefully", null, null); + /* + * registration request is expected to be failed. succeeded case + * should be recorded. And raise error after clean up rmid. + */ try { registering = (RegisteringActivatable) Activatable.register(desc); - - System.err.println("second activate and deactivate " + - "object via method call"); + System.err.println("The registration request succeeded unexpectedly"); + exception = new RuntimeException("The registration request succeeded unexpectedly"); } catch (ActivationException e) { System.err.println("received exception from registration " + "call that should have failed..."); - } - - /* - * no longer needed because the security manager - * throws an exception during snapshot - */ - /* - try { - registering.shutdown(); - - System.err.println("received exception from remote " + - "call that should have failed..."); - } catch (RemoteException e) { - } - */ - - } catch (Exception e) { - TestLibrary.bomb("\nfailure: unexpected exception ", e); - } finally { - try { - Thread.sleep(4000); - } catch (InterruptedException e) { - } - - registering = null; - - // Need to make sure that rmid goes away by itself - JavaVM rmidProcess = rmid; - if (rmidProcess != null) { + // Need wait rmid process terminates. try { - Runnable waitThread = - new ShutdownDetectThread(rmidProcess); - - synchronized (waitThread) { - (new Thread(waitThread)).start(); - waitThread.wait(SHUTDOWN_TIMEOUT); - System.err.println("rmid has shutdown"); - - if (!rmidDone) { - // ensure that this rmid does not infect - // other tests. 
- rmidProcess.destroy(); - TestLibrary.bomb("rmid did not shutdown " + - "gracefully in time"); - } - } - } catch (Exception e) { - TestLibrary.bomb("exception waiting for rmid " + - "to shut down"); + int exitCode = rmid.waitFor(SHUTDOWN_TIMEOUT); + System.err.println("RMID has exited gracefully with exitcode:" + exitCode); + rmid = null; + } catch (TimeoutException te) { + System.err.println("RMID process has not exited in given time"); + exception = te; } } - // else rmid should be down - } - - System.err.println - ("\nsuccess: ShutdownGracefully test passed "); - } - - private static boolean rmidDone = false; - - /** - * class that waits for rmid to exit - */ - private static class ShutdownDetectThread implements Runnable { - private JavaVM rmidProcess = null; - - ShutdownDetectThread(JavaVM rmidProcess) { - this.rmidProcess = rmidProcess; - } - public void run() { - System.err.println("waiting for rmid to shutdown"); - - try { - rmidProcess.waitFor(); - } catch (InterruptedException e) { - // should not happen - } - - synchronized (this) { - // notify parent thread when rmid has exited - this.notify(); - rmidDone = true; - } - - RMID.removeLog(); + } catch (Exception e) { + System.err.println("Exception thrown:" + e); + exception = e; + } finally { + if (rmid != null) + rmid.destroy(); } + if (exception != null) + TestLibrary.bomb("\nexception thrown in test: ", exception); } /** 
@@ -240,23 +179,12 @@ public class ShutdownGracefully } /** - * Spawns a thread to deactivate the object. + * Deactivates the object. We need to unexport forcibly because this call + * in-progress on this object, which is the same object that we are trying + * to deactivate. */ public void shutdown() throws Exception { - (new Thread(this, "ShutdownGracefully")).start(); - } - - /** - * Thread to deactivate object. First attempts to make object - * inactive (via the inactive method). If that fails (the - * object may still have pending/executing calls), then - * unexport the object forcibly. - */ - public void run() { - try { - Thread.sleep(50 * 1000); - } catch (InterruptedException e) { - } + Activatable.unexportObject(this, true); ActivationLibrary.deactivate(this, getID()); } } diff --git a/jdk/test/java/rmi/testlibrary/JavaVM.java b/jdk/test/java/rmi/testlibrary/JavaVM.java index 5c93208ebaa..0fbe7c76955 100644 --- a/jdk/test/java/rmi/testlibrary/JavaVM.java +++ b/jdk/test/java/rmi/testlibrary/JavaVM.java @@ -26,6 +26,7 @@ import java.io.IOException; import java.io.OutputStream; import java.util.Arrays; import java.util.StringTokenizer; +import java.util.concurrent.TimeoutException; /** * RMI regression test utility class that uses Runtime.exec to spawn a 
@@ -189,6 +190,40 @@ public class JavaVM { } /** + * Causes the current thread to wait the vm process to exit, if necessary, + * wait until the vm process has terminated, or the specified waiting time + * elapses. Release allocated input/output after vm process has terminated. + * @param timeout the maximum milliseconds to wait. + * @return exit value for vm process. + * @throws InterruptedException if the current thread is interrupted + * while waiting. + * @throws TimeoutException if subprocess does not end after timeout + * milliseconds passed + */ + public int waitFor(long timeout) + throws InterruptedException, TimeoutException { + if (vm == null) + throw new IllegalStateException("can't wait for JavaVM that isn't running"); + long startTime = System.currentTimeMillis(); + long rem = timeout; + + do { + try { + int status = vm.exitValue(); + outPipe.join(); + errPipe.join(); + return status; + } catch (IllegalThreadStateException ex) { + if (rem > 0) { + Thread.sleep(Math.min(rem, 100)); + } + } + rem = timeout - (System.currentTimeMillis() - startTime); + } while (rem > 0); + throw new TimeoutException(); + } + + /** * Starts the subprocess, waits for it to exit, and returns its exit status. */ public int execute() throws IOException, InterruptedException { diff --git a/jdk/test/java/security/Policy/SignedJar/SignedJarTest.java b/jdk/test/java/security/Policy/SignedJar/SignedJarTest.java index 715a96c4e1d..e7cbf68b719 100644 --- a/jdk/test/java/security/Policy/SignedJar/SignedJarTest.java +++ b/jdk/test/java/security/Policy/SignedJar/SignedJarTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
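Review bot: In the new `waitFor(long timeout)`, the calls `outPipe.join()` and `errPipe.join()` have no bound, so once the process has exited the method can still block past `timeout` if a pipe does not finish. If the pipes are threads (their type is not visible in this hunk), the joins should be limited to the remaining time, keeping the value above zero because a zero timeout means wait indefinitely. The elapsed time is also measured with `System.currentTimeMillis()`, which follows wall-clock adjustments; `System.nanoTime()` is the usual choice for a timeout. The Javadoc should also list the `IllegalStateException` thrown when `vm` is null.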
@@ -32,7 +32,7 @@ import jdk.testlibrary.ProcessTools; /** * @test - * @bug 8048360 + * @bug 8048360 8242565 * @summary test policy entry with signedBy alias * @library /lib/testlibrary * @run main/othervm SignedJarTest @@ -52,6 +52,7 @@ public class SignedJarTest { private static final String POLICY2 = "SignedJarTest_2.policy"; private static final String KEYSTORE1 = "both.jks"; private static final String KEYSTORE2 = "first.jks"; + private static final String SECPROPS = TESTSRC + FS + "java.security"; public static void main(String args[]) throws Throwable { //copy PrivilegeTest.class, policy files and keystore password file into current direcotry @@ -147,6 +148,7 @@ public class SignedJarTest { "-classpath", classpath, "-Djava.security.manager", "-Djava.security.policy=" + policy, + "-Djava.security.properties=" + SECPROPS, "PrivilegeTest", arg1, arg2}; return cmd; diff --git a/jdk/test/java/security/Policy/SignedJar/java.security b/jdk/test/java/security/Policy/SignedJar/java.security new file mode 100644 index 00000000000..75e7cec7013 --- /dev/null +++ b/jdk/test/java/security/Policy/SignedJar/java.security @@ -0,0 +1,3 @@ +jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ + DSA keySize < 1024, include jdk.disabled.namedCurves, \ + SHA1 jdkCA & denyAfter 2019-01-01 diff --git a/jdk/test/javax/net/ssl/templates/SSLContextTemplate.java b/jdk/test/javax/net/ssl/templates/SSLContextTemplate.java index fdfe64f1462..cdd4e97b407 100644 --- a/jdk/test/javax/net/ssl/templates/SSLContextTemplate.java +++ b/jdk/test/javax/net/ssl/templates/SSLContextTemplate.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -34,9 +34,7 @@ import java.security.cert.Certificate; import java.security.cert.CertificateFactory; import java.security.spec.PKCS8EncodedKeySpec; import java.util.Base64; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.*; /** * SSLContext template to speed up JSSE tests. @@ -46,10 +44,9 @@ public interface SSLContextTemplate { * Create an instance of SSLContext for client use. */ default SSLContext createClientSSLContext() throws Exception { - return createSSLContext(trustedCertStrs, - endEntityCertStrs, endEntityPrivateKeys, - endEntityPrivateKeyAlgs, - endEntityPrivateKeyNames, + return createSSLContext( + createClientKeyManager(), + createClientTrustManager(), getClientContextParameters()); } 
@@ -57,14 +54,54 @@ public interface SSLContextTemplate { * Create an instance of SSLContext for server use. */ default SSLContext createServerSSLContext() throws Exception { - return createSSLContext(trustedCertStrs, - endEntityCertStrs, endEntityPrivateKeys, + return createSSLContext( + createServerKeyManager(), + createServerTrustManager(), + getServerContextParameters()); + } + + /* + * Create an instance of KeyManager for client use. + */ + default KeyManager createClientKeyManager() throws Exception { + return createKeyManager( + endEntityCertStrs, + endEntityPrivateKeys, + endEntityPrivateKeyAlgs, + endEntityPrivateKeyNames, + getServerContextParameters()); + } + + /* + * Create an instance of TrustManager for client use. + */ + default TrustManager createClientTrustManager() throws Exception { + return createTrustManager( + trustedCertStrs, + getServerContextParameters()); + } + /* + * Create an instance of KeyManager for server use. + */ + default KeyManager createServerKeyManager() throws Exception { + return createKeyManager( + endEntityCertStrs, + endEntityPrivateKeys, endEntityPrivateKeyAlgs, endEntityPrivateKeyNames, getServerContextParameters()); } /* + * Create an instance of TrustManager for server use. + */ + default TrustManager createServerTrustManager() throws Exception { + return createTrustManager( + trustedCertStrs, + getServerContextParameters()); + } + + /* * The parameters used to configure SSLContext. */ static final class ContextParameters { 
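Review bot: `createClientKeyManager()` and `createClientTrustManager()` both pass `getServerContextParameters()`, which looks like a copy-paste slip from the server variants below them. A test that overrides `getClientContextParameters()` to select a different `kmAlgorithm` or `tmAlgorithm` would silently get server settings for its client managers, while `createClientSSLContext()` in the previous hunk still uses the client parameters for the protocol. Both methods should end with `getClientContextParameters());`.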
@@ -421,80 +458,107 @@ public interface SSLContextTemplate { * Create an instance of SSLContext with the specified trust/key materials. */ default SSLContext createSSLContext( - String[] trustedMaterials, + KeyManager keyManager, + TrustManager trustManager, + ContextParameters params) throws Exception { + + SSLContext context = SSLContext.getInstance(params.contextProtocol); + context.init( + new KeyManager[] { + keyManager + }, + new TrustManager[] { + trustManager + }, + null); + + return context; + } + + /* + * Create an instance of KeyManager with the specified key materials. + */ + default KeyManager createKeyManager( String[] keyMaterialCerts, String[] keyMaterialKeys, String[] keyMaterialKeyAlgs, String[] keyMaterialKeyNames, ContextParameters params) throws Exception { - KeyStore ts = null; // trust store - KeyStore ks = null; // key store - char passphrase[] = "passphrase".toCharArray(); + char[] passphrase = "passphrase".toCharArray(); // Generate certificate from cert string. CertificateFactory cf = CertificateFactory.getInstance("X.509"); - // Import the trused certs. - ByteArrayInputStream is; - if (trustedMaterials != null && trustedMaterials.length != 0) { - ts = KeyStore.getInstance("JKS"); - ts.load(null, null); - - Certificate[] trustedCert = - new Certificate[trustedMaterials.length]; - for (int i = 0; i < trustedMaterials.length; i++) { - String trustedCertStr = trustedMaterials[i]; - - is = new ByteArrayInputStream(trustedCertStr.getBytes()); - try { - trustedCert[i] = cf.generateCertificate(is); - } finally { - is.close(); - } - - ts.setCertificateEntry("trusted-cert-" + i, trustedCert[i]); - } - } - // Import the key materials. // - // Note that certification pathes bigger than one are not supported yet. 
- boolean hasKeyMaterials = - (keyMaterialCerts != null) && (keyMaterialCerts.length != 0) && - (keyMaterialKeys != null) && (keyMaterialKeys.length != 0) && - (keyMaterialKeyAlgs != null) && (keyMaterialKeyAlgs.length != 0) && - (keyMaterialCerts.length == keyMaterialKeys.length) && - (keyMaterialCerts.length == keyMaterialKeyAlgs.length); - if (hasKeyMaterials) { - ks = KeyStore.getInstance("JKS"); - ks.load(null, null); - - for (int i = 0; i < keyMaterialCerts.length; i++) { - String keyCertStr = keyMaterialCerts[i]; - - // generate the private key. - PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec( + // Note that certification paths bigger than one are not supported yet. + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, null); + ByteArrayInputStream is; + for (int i = 0; i < keyMaterialCerts.length; i++) { + String keyCertStr = keyMaterialCerts[i]; + + // generate the private key. + PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec( Base64.getMimeDecoder().decode(keyMaterialKeys[i])); - KeyFactory kf = + KeyFactory kf = KeyFactory.getInstance(keyMaterialKeyAlgs[i]); - PrivateKey priKey = kf.generatePrivate(priKeySpec); - - // generate certificate chain - is = new ByteArrayInputStream(keyCertStr.getBytes()); - Certificate keyCert = null; - try { - keyCert = cf.generateCertificate(is); - } finally { - is.close(); - } - - Certificate[] chain = new Certificate[] { keyCert }; - - // import the key entry. - ks.setKeyEntry("cert-" + keyMaterialKeyNames[i], - priKey, passphrase, chain); + PrivateKey priKey = kf.generatePrivate(priKeySpec); + + // generate certificate chain + is = new ByteArrayInputStream(keyCertStr.getBytes()); + Certificate keyCert = null; + try { + keyCert = cf.generateCertificate(is); + } finally { + is.close(); + } + + Certificate[] chain = new Certificate[] { keyCert }; + + // import the key entry. 
+ ks.setKeyEntry("cert-" + keyMaterialKeyNames[i], + priKey, passphrase, chain); + } + + KeyManagerFactory kmf = + KeyManagerFactory.getInstance(params.kmAlgorithm); + kmf.init(ks, passphrase); + + KeyManager[] km = kmf.getKeyManagers(); + + return km[0]; + } + + /* + * Create an instance of TrustManager with the specified trust materials. + */ + default TrustManager createTrustManager( + String[] trustedMaterials, + ContextParameters params) throws Exception { + + // Generate certificate from cert string. + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + // Import the trusted certs. + KeyStore ts = KeyStore.getInstance("PKCS12"); + ts.load(null, null); + + Certificate[] trustedCert = + new Certificate[trustedMaterials.length]; + ByteArrayInputStream is; + for (int i = 0; i < trustedMaterials.length; i++) { + String trustedCertStr = trustedMaterials[i]; + + is = new ByteArrayInputStream(trustedCertStr.getBytes()); + try { + trustedCert[i] = cf.generateCertificate(is); + } finally { + is.close(); } + + ts.setCertificateEntry("trusted-cert-" + i, trustedCert[i]); } // Create an SSLContext object. @@ -502,17 +566,7 @@ public interface SSLContextTemplate { TrustManagerFactory.getInstance(params.tmAlgorithm); tmf.init(ts); - SSLContext context = SSLContext.getInstance(params.contextProtocol); - if (hasKeyMaterials && ks != null) { - KeyManagerFactory kmf = - KeyManagerFactory.getInstance(params.kmAlgorithm); - kmf.init(ks, passphrase); - - context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); - } else { - context.init(null, tmf.getTrustManagers(), null); - } - - return context; + TrustManager[] tms = tmf.getTrustManagers(); + return tms[0]; } } diff --git a/jdk/test/javax/swing/JRadioButton/8075609/bug8075609.java b/jdk/test/javax/swing/JRadioButton/8075609/bug8075609.java index 9bffc80ce88..6cd17215be4 100644 --- a/jdk/test/javax/swing/JRadioButton/8075609/bug8075609.java +++ b/jdk/test/javax/swing/JRadioButton/8075609/bug8075609.java 
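Review bot: The new `createKeyManager` drops the `hasKeyMaterials` guard that the old `createSSLContext` had, so it indexes `keyMaterialKeys[i]`, `keyMaterialKeyAlgs[i]` and `keyMaterialKeyNames[i]` without checking for null or mismatched lengths. A template user with no key material previously got a context initialised with trust managers only; now the loop would fail with a `NullPointerException` or `ArrayIndexOutOfBoundsException`. `createTrustManager` has the same gap for `trustedMaterials`. I would validate the arrays up front and throw an `IllegalArgumentException` naming the mismatch, or document that all arrays are required. The key store is also created as "JKS" while the trust store is now "PKCS12"; a short comment on why they differ would help.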
@@ -35,11 +35,9 @@ import javax.swing.*; import javax.swing.event.*; import java.awt.event.*; import java.awt.*; -import sun.awt.SunToolkit; public class bug8075609 { private static Robot robot; - private static SunToolkit toolkit; private static JTextField textField; public static void main(String args[]) throws Throwable { @@ -53,7 +51,6 @@ public class bug8075609 { Thread.sleep(100); robot.setAutoDelay(100); - toolkit = (SunToolkit) Toolkit.getDefaultToolkit(); // Radio button group tab key test runTest1(); @@ -96,10 +93,10 @@ public class bug8075609 { private static void runTest1() throws Exception{ hitKey(robot, KeyEvent.VK_TAB); - robot.setAutoDelay(1000 ); + robot.delay(1000 ); SwingUtilities.invokeAndWait(new Runnable() { public void run() { - if (textField.hasFocus()) { + if (!textField.hasFocus()) { System.out.println("Radio Button Group Go To Next Component through Tab Key failed"); throw new RuntimeException("Focus is not on textField as Expected"); } @@ -110,6 +107,6 @@ public class bug8075609 { private static void hitKey(Robot robot, int keycode) { robot.keyPress(keycode); robot.keyRelease(keycode); - toolkit.realSync(); + robot.waitForIdle(); } } diff --git a/jdk/test/sun/security/ssl/X509KeyManager/CertificateAuthorities.java b/jdk/test/sun/security/ssl/X509KeyManager/CertificateAuthorities.java new file mode 100644 index 00000000000..8bb2f1323e0 --- /dev/null +++ b/jdk/test/sun/security/ssl/X509KeyManager/CertificateAuthorities.java 
@@ -0,0 +1,92 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. 
+// + +/* + * @test + * @bug 8206925 + * @summary Support the "certificate_authorities" extension + * @library /javax/net/ssl/templates + * @run main/othervm CertificateAuthorities + * @run main/othervm -Djdk.tls.client.enableCAExtension=false + * CertificateAuthorities + * @run main/othervm -Djdk.tls.client.enableCAExtension=true + * CertificateAuthorities + * + * @run main/othervm CertificateAuthorities NEED_CLIENT_AUTH + * @run main/othervm -Djdk.tls.client.enableCAExtension=false + * CertificateAuthorities NEED_CLIENT_AUTH + * @run main/othervm -Djdk.tls.client.enableCAExtension=true + * CertificateAuthorities NEED_CLIENT_AUTH + * + * @run main/othervm CertificateAuthorities WANT_CLIENT_AUTH + * @run main/othervm -Djdk.tls.client.enableCAExtension=false + * CertificateAuthorities WANT_CLIENT_AUTH + * @run main/othervm -Djdk.tls.client.enableCAExtension=true + * CertificateAuthorities WANT_CLIENT_AUTH + */ + +import javax.net.ssl.SSLServerSocket; + +public final class CertificateAuthorities extends SSLSocketTemplate { + final ClientAuthMode clientAuthMode; + + /* + * Run the test case. + */ + public static void main(String[] args) throws Exception { + CertificateAuthorities testCase; + if (args.length != 0) { + testCase = new CertificateAuthorities( + ClientAuthMode.valueOf(args[0])); + } else { + testCase = new CertificateAuthorities( + ClientAuthMode.NO_CLIENT_AUTH); + } + + testCase.run(); + } + + CertificateAuthorities(ClientAuthMode mode) { + this.clientAuthMode = mode; + } + + @Override + protected void configureServerSocket(SSLServerSocket socket) { + if (clientAuthMode == ClientAuthMode.NEED_CLIENT_AUTH) { + socket.setNeedClientAuth(true); + } else if (clientAuthMode == ClientAuthMode.WANT_CLIENT_AUTH) { + socket.setWantClientAuth(true); + } + } + + private static enum ClientAuthMode { + NEED_CLIENT_AUTH, + WANT_CLIENT_AUTH, + NO_CLIENT_AUTH + } +} 
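Review bot: Nothing visible in CertificateAuthorities.java checks that the certificate_authorities extension is actually sent or omitted. The nine `@run` lines differ only in `jdk.tls.client.enableCAExtension` and the client-auth mode, and the class overrides only `configureServerSocket`. As far as this file shows, the test passes whenever the handshake completes, so a regression that silently drops the extension would go unnoticed unless SSLSocketTemplate asserts it elsewhere. If that is intended, a class comment would record the limitation, for example `// Verifies only that the handshake succeeds for each property/client-auth combination; the extension content itself is not inspected.`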
diff --git a/jdk/test/sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java b/jdk/test/sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java new file mode 100644 index 00000000000..e8a3871c5bb --- /dev/null +++ b/jdk/test/sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java 
@@ -0,0 +1,87 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. 
+ */ + +/* + * @test + * @bug 8206925 + * @library /javax/net/ssl/templates + * @summary Support the certificate_authorities extension + */ +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509TrustManager; +import javax.security.auth.x500.X500Principal; +import java.security.KeyStore; +import java.security.cert.X509Certificate; + +public class CacertsLimit { + public static void main(String[] args) throws Exception { + for (String algorithm : new String[] {"SunX509", "PKIX"}) { + CacertsLimit.ensureLimit(algorithm); + } + } + + private static void ensureLimit(String algorithm) throws Exception { + TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm); + tmf.init((KeyStore)null); + TrustManager[] tms = tmf.getTrustManagers(); + + if (tms == null || tms.length == 0) { + throw new Exception("No default key store used for trust manager"); + } + + if (!(tms[0] instanceof X509TrustManager)) { + throw new Exception( + "The trust manger is not an instance of X509TrustManager"); + } + + checkLimit(((X509TrustManager)tms[0]).getAcceptedIssuers()); + } + + private static void checkLimit( + X509Certificate[] trustedCerts) throws Exception { + int sizeAccount = 0; + for (X509Certificate cert : trustedCerts) { + X500Principal x500Principal = cert.getSubjectX500Principal(); + byte[] encodedPrincipal = x500Principal.getEncoded(); + sizeAccount += encodedPrincipal.length; + if (sizeAccount > 0xFFFF) { + throw new Exception( + "There are too many trusted CAs in cacerts. The " + + "certificate_authorities extension cannot be used " + + "for TLS connections. Please rethink about the size" + + "of the cacerts, or have a release note for the " + + "impacted behaviors"); + } else if (sizeAccount > 0x4000) { + throw new Exception( + "There are too many trusted CAs in cacerts. The " + + "certificate_authorities extension cannot be " + + "packaged in one TLS record, which would result in " + + "interoperability issues. 
Please rethink about the " + + "size of the cacerts, or have a release note for " + + "the impacted behaviors"); + } + } + } +} + diff --git a/jdk/test/sun/security/ssl/X509TrustManagerImpl/TooManyCAs.java b/jdk/test/sun/security/ssl/X509TrustManagerImpl/TooManyCAs.java new file mode 100644 index 00000000000..7929fde1b79 --- /dev/null +++ b/jdk/test/sun/security/ssl/X509TrustManagerImpl/TooManyCAs.java 
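Review bot: In checkLimit both thresholds are tested inside the loop after every addition, so the running total always crosses 0x4000 first. The `sizeAccount > 0xFFFF` branch can only run if a single encoded principal is larger than about 48 KiB, which makes the 0xFFFF message effectively dead code. Summing all principals first and comparing the total once after the loop would report the condition that actually applies. The first message also concatenates `"Please rethink about the size"` with `"of the cacerts, or have a release note for the "` without a separating space, so it prints "sizeof"; the first literal needs a trailing space. In ensureLimit, "trust manger" should read "trust manager".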
@@ -0,0 +1,282 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8206925 + * @library /javax/net/ssl/templates + * @summary Support the certificate_authorities extension + * @run main/othervm -Djdk.tls.client.protocols=TLSv1.3 TooManyCAs + * @run main/othervm -Djdk.tls.client.protocols=TLSv1.3 -Djdk.tls.client.enableCAExtension=true TooManyCAs + */ +import javax.net.ssl.*; +import javax.security.auth.x500.X500Principal; +import java.io.*; +import java.net.InetAddress; +import java.net.Socket; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Arrays; + +/** + * Check if the connection can be established if the client or server trusts + * more CAs such that it exceeds the size limit of the certificate_authorities + * extension (2^16). 
+ */ +public class TooManyCAs implements SSLContextTemplate { + + private static final String[][][] protocols = { + {{"TLSv1.3"}, {"TLSv1.3"}}, + {{"TLSv1.3", "TLSv1.2"}, {"TLSv1.3"}}, + {{"TLSv1.3"}, {"TLSv1.3", "TLSv1.2"}}, + }; + + private final String[] clientProtocols; + private final String[] serverProtocols; + private final boolean needClientAuth; + + TooManyCAs(int index, boolean needClientAuth) { + this.clientProtocols = protocols[index][0]; + this.serverProtocols = protocols[index][1]; + this.needClientAuth = needClientAuth; + } + + // Servers are configured before clients, increment test case after. + void configureClientSocket(SSLSocket clientSocket) { + System.err.print("Setting client protocol(s): "); + Arrays.stream(clientProtocols).forEachOrdered(System.err::print); + System.err.println(); + + clientSocket.setEnabledProtocols(clientProtocols); + } + + void configureServerSocket(SSLServerSocket serverSocket) { + System.err.print("Setting server protocol(s): "); + Arrays.stream(serverProtocols).forEachOrdered(System.err::print); + System.err.println(); + + serverSocket.setEnabledProtocols(serverProtocols); + if (needClientAuth) { + serverSocket.setNeedClientAuth(true); + } + } + + @Override + public TrustManager createClientTrustManager() throws Exception { + TrustManager trustManager = + SSLContextTemplate.super.createClientTrustManager(); + return new BogusX509TrustManager( + (X509TrustManager)trustManager); + } + + @Override + public TrustManager createServerTrustManager() throws Exception { + TrustManager trustManager = + SSLContextTemplate.super.createServerTrustManager(); + return new BogusX509TrustManager( + (X509TrustManager)trustManager); + } + + /* + * Run the test case. 
+ */ + public static void main(String[] args) throws Exception { + for (int i = 0; i < protocols.length; i++) { + (new TooManyCAs(i, false)).run(); + (new TooManyCAs(i, true)).run(); + } + } + + private void run() throws Exception { + SSLServerSocket listenSocket = null; + SSLSocket serverSocket = null; + ClientSocket clientSocket = null; + try { + SSLServerSocketFactory serversocketfactory = + createServerSSLContext().getServerSocketFactory(); + listenSocket = + (SSLServerSocket)serversocketfactory.createServerSocket(0); + listenSocket.setNeedClientAuth(false); + listenSocket.setEnableSessionCreation(true); + listenSocket.setUseClientMode(false); + configureServerSocket(listenSocket); + + System.err.println("Starting client"); + clientSocket = new ClientSocket(listenSocket.getLocalPort()); + clientSocket.start(); + + System.err.println("Accepting client requests"); + serverSocket = (SSLSocket)listenSocket.accept(); + + if (!clientSocket.isDone) { + System.err.println("Waiting 3 seconds for client "); + Thread.sleep(3000); + } + + System.err.println("Sending data to client ..."); + String serverData = "Hi, I am server"; + BufferedWriter os = new BufferedWriter( + new OutputStreamWriter(serverSocket.getOutputStream())); + os.write(serverData, 0, serverData.length()); + os.newLine(); + os.flush(); + } finally { + if (listenSocket != null) { + listenSocket.close(); + } + + if (serverSocket != null) { + serverSocket.close(); + } + } + + if (clientSocket != null && clientSocket.clientException != null) { + throw clientSocket.clientException; + } + } + + private class ClientSocket extends Thread{ + boolean isDone = false; + int serverPort = 0; + Exception clientException; + + public ClientSocket(int serverPort) { + this.serverPort = serverPort; + } + + @Override + public void run() { + SSLSocket clientSocket = null; + String clientData = "Hi, I am client"; + try { + System.err.println( + "Connecting to server at port " + serverPort); + SSLSocketFactory sslSocketFactory = 
+ createClientSSLContext().getSocketFactory(); + clientSocket = (SSLSocket)sslSocketFactory.createSocket( + InetAddress.getLocalHost(), serverPort); + configureClientSocket(clientSocket); + + System.err.println("Sending data to server ..."); + + BufferedWriter os = new BufferedWriter( + new OutputStreamWriter(clientSocket.getOutputStream())); + os.write(clientData, 0, clientData.length()); + os.newLine(); + os.flush(); + + System.err.println("Reading data from server"); + BufferedReader is = new BufferedReader( + new InputStreamReader(clientSocket.getInputStream())); + String data = is.readLine(); + System.err.println("Received Data from server: " + data); + } catch (Exception e) { + clientException = e; + System.err.println("unexpected client exception: " + e); + } finally { + if (clientSocket != null) { + try { + clientSocket.close(); + System.err.println("client socket closed"); + } catch (IOException ioe) { + clientException = ioe; + } + } + + isDone = true; + } + } + } + + // Construct a bogus trust manager which has more CAs such that exceed + // the size limit of the certificate_authorities extension (2^16). 
+ private static final class BogusX509TrustManager + extends X509ExtendedTrustManager implements X509TrustManager { + private final X509ExtendedTrustManager tm; + + private BogusX509TrustManager(X509TrustManager trustManager) { + this.tm = (X509ExtendedTrustManager)trustManager; + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, + String authType, Socket socket) throws CertificateException { + tm.checkClientTrusted(chain, authType, socket); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, + String authType, Socket socket) throws CertificateException { + tm.checkServerTrusted(chain, authType, socket); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, + String authType, SSLEngine sslEngine) throws CertificateException { + + tm.checkClientTrusted(chain, authType, sslEngine); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, + String authType, SSLEngine sslEngine) throws CertificateException { + + tm.checkServerTrusted(chain, authType, sslEngine); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, + String authType) throws CertificateException { + tm.checkServerTrusted(chain, authType); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, + String authType) throws CertificateException { + tm.checkServerTrusted(chain, authType); + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + X509Certificate[] trustedCerts = tm.getAcceptedIssuers(); + int sizeAccount = 0; + for (X509Certificate cert: trustedCerts) { + X500Principal x500Principal = cert.getSubjectX500Principal(); + byte[] encodedPrincipal = x500Principal.getEncoded(); + sizeAccount += encodedPrincipal.length; + } + + // 0xFFFF: the size limit of the certificate_authorities extension + int duplicated = (0xFFFF + sizeAccount) / sizeAccount; + X509Certificate[] returnedCAs = + new X509Certificate[trustedCerts.length * duplicated]; + for (int i = 0; i < 
duplicated; i++) { + System.arraycopy(trustedCerts, 0, + returnedCAs, + i * trustedCerts.length + 0, trustedCerts.length); + } + + return returnedCAs; + } + } +} diff --git a/make/common/NativeCompilation.gmk b/make/common/NativeCompilation.gmk index 37e1d8f118d..31de9cf5908 100644 --- a/make/common/NativeCompilation.gmk +++ b/make/common/NativeCompilation.gmk @@ -1,5 +1,5 @@ # -# Copyright (c) 2011, 2018, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2021, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -501,6 +501,17 @@ define SetupNativeCompilation $(CD) $$(@D) && $(OBJCOPY) --add-gnu-debuglink=$$(@F) $$< $(TOUCH) $$@ endif + else ifeq ($(OPENJDK_TARGET_OS), aix) + ifneq ($$($1_STRIP_POLICY), no_strip) + # AIX does not provide the equivalent of OBJCOPY to extract debug symbols, + # so we copy the compiled object with symbols to the .debuginfo file, which + # happens prior to the STRIP on the original target object file. + $1_DEBUGINFO_FILES := $$($1_OBJECT_DIR)/$$($1_NOSUFFIX).debuginfo + $$($1_DEBUGINFO_FILES): $$($1_TARGET) + $(RM) $$@ + $(CP) $$< $$@ + $(TOUCH) $$@ + endif else ifeq ($(OPENJDK_TARGET_OS), macosx) ifneq ($$($1_STRIP_POLICY), no_strip) $1_DEBUGINFO_FILES := $$($1_OBJECT_DIR)/$$($1_BASENAME).dSYM/Contents/Info.plist \ diff --git a/nashorn/.hgtags b/nashorn/.hgtags index b67ccad737f..d1303d986ab 100644 --- a/nashorn/.hgtags +++ b/nashorn/.hgtags @@ -1126,3 +1126,4 @@ ecf358a276e9bac63cc89f2f2949fecc59a53890 jdk8u292-ga 5ee81f2d75ed549102b38ed095e0487087608780 jdk8u302-b00 018538b21eeea91dd074a1ad9766dd85c8113b65 jdk8u302-b01 e34f57517f19d9fea00ecd4997824277b934feaf jdk8u302-b02 +4785cae180650adc363ed24fab579bfae659f21e jdk8u302-b03 |
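Review bot: In BogusX509TrustManager the two-argument `checkClientTrusted(X509Certificate[] chain, String authType)` delegates to `tm.checkServerTrusted(chain, authType)`, so a client chain reaching that overload would be validated with the server-side check; it should call `tm.checkClientTrusted(chain, authType);`. The other five overrides delegate to their matching method, which suggests a copy-paste slip. Separately, `getAcceptedIssuers` divides by `sizeAccount`, which is 0 when the wrapped manager returns no issuers; a guard such as `if (sizeAccount == 0) return trustedCerts;` before computing `duplicated` would avoid an ArithmeticException. In `run()`, `isDone` and `clientException` are read by the main thread without `volatile` or a `join()` on the client thread, so a late client failure may not be reported.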