Mercurial > hg > icedtea6
changeset 3228:412e3ce4141e
S8076221, PR2808: Disable RC4 cipher suites
2016-01-25 Andrew John Hughes <gnu.andrew@redhat.com>
* Makefile.am:
(ICEDTEA_PATCHES): Add new patches.
* NEWS: Updated.
* patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch:
Backport of 8076221 to OpenJDK 6 b38.
* patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch:
Improve reliability of DisabledAlgorithms test.
* patches/pr2808-fix_disabled_algorithms_test.patch:
Remove Java 7 features from new DisabledAlgorithms test.
| author | Andrew John Hughes <gnu.andrew@redhat.com> |
|---|---|
| date | Mon, 25 Jan 2016 22:06:42 +0000 |
| parents | 33e9441c53fc |
| children | e9935e163815 9e1c6190ff58 |
| files | ChangeLog Makefile.am NEWS patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch patches/pr2808-fix_disabled_algorithms_test.patch |
| diffstat | 6 files changed, 854 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Mon Jan 25 19:10:54 2016 +0000 +++ b/ChangeLog Mon Jan 25 22:06:42 2016 +0000 @@ -1,3 +1,15 @@ +2016-01-25 Andrew John Hughes <gnu.andrew@redhat.com> + + * Makefile.am: + (ICEDTEA_PATCHES): Add new patches. + * NEWS: Updated. + * patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch: + Backport of 8076221 to OpenJDK 6 b38. + * patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch: + Improve reliability of DisabledAlgorithms test. + * patches/pr2808-fix_disabled_algorithms_test.patch: + Remove Java 7 features from new DisabledAlgorithms test. + 2016-01-25 Andrew John Hughes <gnu.andrew@redhat.com> * NEWS: Add 1.13.10 release notes.
--- a/Makefile.am Mon Jan 25 19:10:54 2016 +0000 +++ b/Makefile.am Mon Jan 25 22:06:42 2016 +0000 @@ -647,7 +647,10 @@ patches/openjdk/6929479-pr363-disable_mmap_zip.patch \ patches/pr2513-layoutengine_reset.patch \ patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch \ - patches/openjdk/8140620-pr2711-find_default.sf2.patch + patches/openjdk/8140620-pr2711-find_default.sf2.patch \ + patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch \ + patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch \ + patches/pr2808-fix_disabled_algorithms_test.patch if WITH_RHINO ICEDTEA_PATCHES += \
--- a/NEWS Mon Jan 25 19:10:54 2016 +0000 +++ b/NEWS Mon Jan 25 22:06:42 2016 +0000 @@ -22,6 +22,7 @@ - S7151089: PS NUMA: NUMA allocator should not attempt to free pages when using SHM large pages - S8013057: Detect mmap() commit failures in Linux and Solaris os::commit_memory() impls and call vm_exit_out_of_memory() - S8026887: Make issues due to failed large pages allocations easier to debug + - S8076221, PR2808: Disable RC4 cipher suites * Bug fixes - PR1886: IcedTea does not checksum supplied tarballs - PR2083: Add support for building Zero on AArch64
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch Mon Jan 25 22:06:42 2016 +0000 @@ -0,0 +1,553 @@ +# HG changeset patch +# User xuelei +# Date 1429096621 0 +# Wed Apr 15 11:17:01 2015 +0000 +# Node ID 6a24fc5e32a359335538bfa453040fc2d9ba13e9 +# Parent fe93a8cd20a56dc59e5f2464d7e6bd0d52b807b3 +8076221: Disable RC4 cipher suites +Reviewed-by: xuelei, wetmore + +diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux +--- openjdk.orig/jdk/src/share/lib/security/java.security-linux 2016-01-20 01:47:58.000000000 +0000 ++++ openjdk/jdk/src/share/lib/security/java.security-linux 2016-01-25 20:25:35.722972332 +0000 +@@ -451,7 +451,7 @@ + # + # Example: + # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768 ++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 + + # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) + # processing in JSSE implementation. +diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-solaris openjdk/jdk/src/share/lib/security/java.security-solaris +--- openjdk.orig/jdk/src/share/lib/security/java.security-solaris 2016-01-20 01:47:58.000000000 +0000 ++++ openjdk/jdk/src/share/lib/security/java.security-solaris 2016-01-25 20:24:27.088115212 +0000 +@@ -411,7 +411,7 @@ + # + # Example: + # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768 ++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 + + # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) + # processing in JSSE implementation. +diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-windows openjdk/jdk/src/share/lib/security/java.security-windows +--- openjdk.orig/jdk/src/share/lib/security/java.security-windows 2016-01-20 01:47:58.000000000 +0000 ++++ openjdk/jdk/src/share/lib/security/java.security-windows 2016-01-25 20:23:50.300727758 +0000 +@@ -428,7 +428,7 @@ + # + # Example: + # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768 ++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 + + # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) + # processing in JSSE implementation. +diff -Nru openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +--- openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 1970-01-01 01:00:00.000000000 +0100 ++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 2016-01-25 20:17:49.902742622 +0000 +@@ -0,0 +1,362 @@ ++/* ++ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.io.BufferedInputStream; ++import java.io.BufferedOutputStream; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.security.NoSuchAlgorithmException; ++import java.security.Security; ++import java.util.concurrent.TimeUnit; ++import javax.net.ssl.SSLContext; ++import javax.net.ssl.SSLHandshakeException; ++import javax.net.ssl.SSLServerSocket; ++import javax.net.ssl.SSLServerSocketFactory; ++import javax.net.ssl.SSLSocket; ++import javax.net.ssl.SSLSocketFactory; ++ ++/** ++ * @test ++ * @bug 8076221 ++ * @summary Check if weak cipher suites are disabled ++ * @run main/othervm DisabledAlgorithms default ++ * @run main/othervm DisabledAlgorithms empty ++ */ ++public class DisabledAlgorithms { ++ ++ private static final String pathToStores = ++ "../../../../sun/security/ssl/etc"; ++ private static final String keyStoreFile = "keystore"; ++ private static final String trustStoreFile = "truststore"; ++ private static final String passwd = "passphrase"; ++ ++ private static final String keyFilename = ++ System.getProperty("test.src", "./") + "/" + pathToStores + ++ "/" + keyStoreFile; ++ ++ private static final String trustFilename = ++ System.getProperty("test.src", "./") + "/" + pathToStores + ++ "/" + trustStoreFile; ++ ++ // supported RC4 cipher suites ++ // it does not contain KRB5 cipher suites because they need a KDC ++ private static final String[] rc4_ciphersuites = new String[] { ++ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", ++ "TLS_ECDHE_RSA_WITH_RC4_128_SHA", ++ "SSL_RSA_WITH_RC4_128_SHA", ++ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", ++ "TLS_ECDH_RSA_WITH_RC4_128_SHA", ++ "SSL_RSA_WITH_RC4_128_MD5", ++ "TLS_ECDH_anon_WITH_RC4_128_SHA", ++ "SSL_DH_anon_WITH_RC4_128_MD5" ++ }; ++ ++ public static void main(String[] args) throws Exception { ++ if (args.length < 1) { ++ throw new RuntimeException("No parameters specified"); ++ } ++ ++ System.setProperty("javax.net.ssl.keyStore", keyFilename); ++ System.setProperty("javax.net.ssl.keyStorePassword", passwd); ++ System.setProperty("javax.net.ssl.trustStore", trustFilename); ++ System.setProperty("javax.net.ssl.trustStorePassword", passwd); ++ ++ switch (args[0]) { ++ case "default": ++ // use default jdk.tls.disabledAlgorithms ++ System.out.println("jdk.tls.disabledAlgorithms = " ++ + Security.getProperty("jdk.tls.disabledAlgorithms")); ++ ++ // check if RC4 cipher suites can't be used by default ++ checkFailure(rc4_ciphersuites); ++ break; ++ case "empty": ++ // reset jdk.tls.disabledAlgorithms ++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); ++ System.out.println("jdk.tls.disabledAlgorithms = " ++ + Security.getProperty("jdk.tls.disabledAlgorithms")); ++ ++ // check if RC4 cipher suites can be used ++ // if jdk.tls.disabledAlgorithms is empty ++ checkSuccess(rc4_ciphersuites); ++ break; ++ default: ++ throw new RuntimeException("Wrong parameter: " + args[0]); ++ } ++ } ++ ++ /* ++ * Checks if that specified cipher suites cannot be used. ++ */ ++ private static void checkFailure(String[] ciphersuites) throws Exception { ++ try (SSLServer server = SSLServer.init(ciphersuites)) { ++ startNewThread(server); ++ while (!server.isRunning()) { ++ sleep(); ++ } ++ ++ int port = server.getPort(); ++ for (String ciphersuite : ciphersuites) { ++ try (SSLClient client = SSLClient.init(port, ciphersuite)) { ++ client.connect(); ++ throw new RuntimeException("Expected SSLHandshakeException " ++ + "not thrown"); ++ } catch (SSLHandshakeException e) { ++ System.out.println("Expected exception on client side: " ++ + e); ++ } ++ } ++ ++ server.stop(); ++ while (server.isRunning()) { ++ sleep(); ++ } ++ ++ if (!server.sslError()) { ++ throw new RuntimeException("Expected SSL exception " ++ + "not thrown on server side"); ++ } ++ } ++ ++ } ++ ++ /* ++ * Checks if specified cipher suites can be used. ++ */ ++ private static void checkSuccess(String[] ciphersuites) throws Exception { ++ try (SSLServer server = SSLServer.init(ciphersuites)) { ++ startNewThread(server); ++ while (!server.isRunning()) { ++ sleep(); ++ } ++ ++ int port = server.getPort(); ++ for (String ciphersuite : ciphersuites) { ++ try (SSLClient client = SSLClient.init(port, ciphersuite)) { ++ client.connect(); ++ String negotiated = client.getNegotiatedCipherSuite(); ++ System.out.println("Negotiated cipher suite: " ++ + negotiated); ++ if (!negotiated.equals(ciphersuite)) { ++ throw new RuntimeException("Unexpected cipher suite: " ++ + negotiated); ++ } ++ } ++ } ++ ++ server.stop(); ++ while (server.isRunning()) { ++ sleep(); ++ } ++ ++ if (server.error()) { ++ throw new RuntimeException("Unexpected error on server side"); ++ } ++ } ++ ++ } ++ ++ private static Thread startNewThread(SSLServer server) { ++ Thread serverThread = new Thread(server, "SSL server thread"); ++ serverThread.setDaemon(true); ++ serverThread.start(); ++ return serverThread; ++ } ++ ++ private static void sleep() { ++ try { ++ TimeUnit.MILLISECONDS.sleep(50); ++ } catch (InterruptedException e) { ++ // do nothing ++ } ++ } ++ ++ static class SSLServer implements Runnable, AutoCloseable { ++ ++ private final SSLServerSocket ssocket; ++ private volatile boolean stopped = false; ++ private volatile boolean running = false; ++ private volatile boolean sslError = false; ++ private volatile boolean otherError = false; ++ ++ private SSLServer(SSLServerSocket ssocket) { ++ this.ssocket = ssocket; ++ } ++ ++ @Override ++ public void run() { ++ System.out.println("Server: started"); ++ running = true; ++ while (!stopped) { ++ try (SSLSocket socket = (SSLSocket) ssocket.accept()) { ++ System.out.println("Server: accepted client connection"); ++ InputStream in = socket.getInputStream(); ++ OutputStream out = socket.getOutputStream(); ++ int b = in.read(); ++ if (b < 0) { ++ throw new IOException("Unexpected EOF"); ++ } ++ System.out.println("Server: send data: " + b); ++ out.write(b); ++ out.flush(); ++ socket.getSession().invalidate(); ++ } catch (SSLHandshakeException e) { ++ System.out.println("Server: run: " + e); ++ sslError = true; ++ } catch (IOException e) { ++ if (!stopped) { ++ System.out.println("Server: run: " + e); ++ e.printStackTrace(); ++ otherError = true; ++ } ++ } ++ } ++ ++ System.out.println("Server: finished"); ++ running = false; ++ } ++ ++ int getPort() { ++ return ssocket.getLocalPort(); ++ } ++ ++ String[] getEnabledCiperSuites() { ++ return ssocket.getEnabledCipherSuites(); ++ } ++ ++ boolean isRunning() { ++ return running; ++ } ++ ++ boolean sslError() { ++ return sslError; ++ } ++ ++ boolean error() { ++ return sslError || otherError; ++ } ++ ++ void stop() { ++ stopped = true; ++ if (!ssocket.isClosed()) { ++ try { ++ ssocket.close(); ++ } catch (IOException e) { ++ System.out.println("Server: close: " + e); ++ } ++ } ++ } ++ ++ @Override ++ public void close() { ++ stop(); ++ } ++ ++ static SSLServer init(String[] ciphersuites) ++ throws IOException { ++ SSLServerSocketFactory ssf = (SSLServerSocketFactory) ++ SSLServerSocketFactory.getDefault(); ++ SSLServerSocket ssocket = (SSLServerSocket) ++ ssf.createServerSocket(0); ++ ++ if (ciphersuites != null) { ++ System.out.println("Server: enable cipher suites: " ++ + java.util.Arrays.toString(ciphersuites)); ++ ssocket.setEnabledCipherSuites(ciphersuites); ++ } ++ ++ return new SSLServer(ssocket); ++ } ++ } ++ ++ static class SSLClient implements AutoCloseable { ++ ++ private final SSLSocket socket; ++ ++ private SSLClient(SSLSocket socket) { ++ this.socket = socket; ++ } ++ ++ void connect() throws IOException { ++ System.out.println("Client: connect to server"); ++ try ( ++ BufferedInputStream bis = new BufferedInputStream( ++ socket.getInputStream()); ++ BufferedOutputStream bos = new BufferedOutputStream( ++ socket.getOutputStream())) { ++ bos.write('x'); ++ bos.flush(); ++ ++ int read = bis.read(); ++ if (read < 0) { ++ throw new IOException("Client: couldn't read a response"); ++ } ++ socket.getSession().invalidate(); ++ } ++ } ++ ++ String[] getEnabledCiperSuites() { ++ return socket.getEnabledCipherSuites(); ++ } ++ ++ String getNegotiatedCipherSuite() { ++ return socket.getSession().getCipherSuite(); ++ } ++ ++ @Override ++ public void close() throws Exception { ++ if (!socket.isClosed()) { ++ try { ++ socket.close(); ++ } catch (IOException e) { ++ System.out.println("Client: close: " + e); ++ } ++ } ++ } ++ ++ static SSLClient init(int port) ++ throws NoSuchAlgorithmException, IOException { ++ return init(port, null); ++ } ++ ++ static SSLClient init(int port, String ciphersuite) ++ throws NoSuchAlgorithmException, IOException { ++ SSLContext context = SSLContext.getDefault(); ++ SSLSocketFactory ssf = (SSLSocketFactory) ++ context.getSocketFactory(); ++ SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port); ++ ++ if (ciphersuite != null) { ++ System.out.println("Client: enable cipher suite: " ++ + ciphersuite); ++ socket.setEnabledCipherSuites(new String[] { ciphersuite }); ++ } ++ ++ return new SSLClient(socket); ++ } ++ ++ } ++ ++ ++} +diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java +--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java 2016-01-20 01:42:21.000000000 +0000 ++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java 2016-01-25 20:23:28.749086605 +0000 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -30,7 +30,7 @@ + */ + + import java.io.*; +-import java.net.*; ++import java.security.Security; + import javax.net.ssl.*; + + public class CipherSuiteOrder { +@@ -192,6 +192,10 @@ + volatile Exception clientException = null; + + public static void main(String[] args) throws Exception { ++ // reset the security property to make sure that the algorithms ++ // and keys used in this test are not disabled. ++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); ++ + String keyFilename = + System.getProperty("test.src", "./") + "/" + pathToStores + + "/" + keyStoreFile; +diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java +--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2016-01-25 20:15:46.384811880 +0000 ++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2016-01-25 20:17:49.902742622 +0000 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -102,10 +102,10 @@ + import java.nio.*; + import java.security.KeyStore; + import java.security.KeyFactory; ++import java.security.Security; + import java.security.cert.Certificate; + import java.security.cert.CertificateFactory; + import java.security.spec.PKCS8EncodedKeySpec; +-import java.security.spec.*; + import java.security.interfaces.*; + import java.util.Base64; + +@@ -367,6 +367,10 @@ + } + + public static void main(String args[]) throws Exception { ++ // reset the security property to make sure that the algorithms ++ // and keys used in this test are not disabled. ++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); ++ + if (args.length != 4) { + System.out.println( + "Usage: java DHEKeySizing cipher-suite " + +diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java +--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java 2016-01-20 01:42:24.000000000 +0000 ++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java 2016-01-25 20:17:49.902742622 +0000 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -622,6 +622,9 @@ + } + + public static void main(String args[]) throws Exception { ++ // reset the security property to make sure that the algorithms ++ // and keys used in this test are not disabled. ++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); + + CheckStatus cs; + +diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java +--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java 2016-01-20 01:42:24.000000000 +0000 ++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java 2016-01-25 20:20:24.580152890 +0000 +@@ -33,6 +33,8 @@ + * The code could certainly be tightened up a lot. + * + * @author Brad Wetmore ++ * ++ * @run main/othervm ConnectionTest + */ + + import javax.net.ssl.*; +@@ -672,6 +674,10 @@ + } + + public static void main(String args[]) throws Exception { ++ // reset the security property to make sure that the algorithms ++ // and keys used in this test are not disabled. ++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); ++ + ConnectionTest ct = new ConnectionTest(); + ct.test(); + } +diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java +--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java 2016-01-20 01:42:24.000000000 +0000 ++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java 2016-01-25 20:19:17.305278447 +0000 +@@ -180,6 +180,9 @@ + } + + public static void main(String args[]) throws Exception { ++ // reset the security property to make sure that the algorithms ++ // and keys used in this test are not disabled. ++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); + + LargeBufs test; + +diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java +--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java 2016-01-20 01:42:25.000000000 +0000 ++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java 2016-01-25 20:18:53.009685445 +0000 +@@ -33,7 +33,7 @@ + */ + + import java.io.*; +-import java.net.*; ++import java.security.Security; + import javax.net.ssl.*; + + public class GenericStreamCipher { +@@ -161,6 +161,10 @@ + volatile Exception clientException = null; + + public static void main(String[] args) throws Exception { ++ // reset the security property to make sure that the algorithms ++ // and keys used in this test are not disabled. ++ Security.setProperty("jdk.tls.disabledAlgorithms", ""); ++ + String keyFilename = + System.getProperty("test.src", ".") + "/" + pathToStores + + "/" + keyStoreFile;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch Mon Jan 25 22:06:42 2016 +0000 @@ -0,0 +1,58 @@ +# HG changeset patch +# User asmotrak +# Date 1435145895 -10800 +# Wed Jun 24 14:38:15 2015 +0300 +# Node ID 66bf77932d57ef00e0c68c19c5e45e0b1de80fad +# Parent fddcb008fd1d285ed7d84011a43cdf556ab16bcb +8078823: javax/net/ssl/ciphersuites/DisabledAlgorithms.java fails intermittently +Reviewed-by: xuelei + +diff -r fddcb008fd1d -r 66bf77932d57 test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +--- openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java Tue Jun 23 15:07:18 2015 +0100 ++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java Wed Jun 24 14:38:15 2015 +0300 +@@ -104,6 +104,8 @@ + default: + throw new RuntimeException("Wrong parameter: " + args[0]); + } ++ ++ System.out.println("Test passed"); + } + + /* +@@ -128,7 +130,6 @@ + } + } + +- server.stop(); + while (server.isRunning()) { + sleep(); + } +@@ -224,11 +225,19 @@ + } catch (SSLHandshakeException e) { + System.out.println("Server: run: " + e); + sslError = true; ++ stopped = true; + } catch (IOException e) { + if (!stopped) { +- System.out.println("Server: run: " + e); ++ System.out.println("Server: run: unexpected exception: " ++ + e); + e.printStackTrace(); + otherError = true; ++ stopped = true; ++ } else { ++ System.out.println("Server: run: " + e); ++ System.out.println("The exception above occurred " ++ + "because socket was closed, " ++ + "please ignore it"); + } + } + } +@@ -261,6 +270,7 @@ + stopped = true; + if (!ssocket.isClosed()) { + try { ++ System.out.println("Server: close socket"); + ssocket.close(); + } catch (IOException e) { + System.out.println("Server: close: " + e);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/pr2808-fix_disabled_algorithms_test.patch Mon Jan 25 22:06:42 2016 +0000 @@ -0,0 +1,226 @@ +--- openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 2015-10-21 05:20:57.910156611 +0100 ++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 2016-01-25 21:58:39.334103875 +0000 +@@ -82,16 +82,14 @@ + System.setProperty("javax.net.ssl.trustStore", trustFilename); + System.setProperty("javax.net.ssl.trustStorePassword", passwd); + +- switch (args[0]) { +- case "default": ++ if ("default".equals(args[0])) { + // use default jdk.tls.disabledAlgorithms + System.out.println("jdk.tls.disabledAlgorithms = " + + Security.getProperty("jdk.tls.disabledAlgorithms")); + + // check if RC4 cipher suites can't be used by default + checkFailure(rc4_ciphersuites); +- break; +- case "empty": ++ } else if ("empty".equals(args[0])) { + // reset jdk.tls.disabledAlgorithms + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + System.out.println("jdk.tls.disabledAlgorithms = " +@@ -100,19 +98,19 @@ + // check if RC4 cipher suites can be used + // if jdk.tls.disabledAlgorithms is empty + checkSuccess(rc4_ciphersuites); +- break; +- default: ++ } else { + throw new RuntimeException("Wrong parameter: " + args[0]); + } +- +- System.out.println("Test passed"); + } + + /* + * Checks if that specified cipher suites cannot be used. + */ + private static void checkFailure(String[] ciphersuites) throws Exception { +- try (SSLServer server = SSLServer.init(ciphersuites)) { ++ SSLServer server = null; ++ ++ try { ++ server = SSLServer.init(ciphersuites); + startNewThread(server); + while (!server.isRunning()) { + sleep(); +@@ -120,16 +118,21 @@ + + int port = server.getPort(); + for (String ciphersuite : ciphersuites) { +- try (SSLClient client = SSLClient.init(port, ciphersuite)) { ++ SSLClient client = null; ++ try { ++ client = SSLClient.init(port, ciphersuite); + client.connect(); + throw new RuntimeException("Expected SSLHandshakeException " + + "not thrown"); + } catch (SSLHandshakeException e) { + System.out.println("Expected exception on client side: " + + e); ++ } finally { ++ if (client != null) { client.close(); } + } + } + ++ server.stop(); + while (server.isRunning()) { + sleep(); + } +@@ -138,15 +141,18 @@ + throw new RuntimeException("Expected SSL exception " + + "not thrown on server side"); + } ++ } finally { ++ if (server != null ) { server.close(); } + } +- + } + + /* + * Checks if specified cipher suites can be used. + */ + private static void checkSuccess(String[] ciphersuites) throws Exception { +- try (SSLServer server = SSLServer.init(ciphersuites)) { ++ SSLServer server = null; ++ try { ++ server = SSLServer.init(ciphersuites); + startNewThread(server); + while (!server.isRunning()) { + sleep(); +@@ -154,7 +160,9 @@ + + int port = server.getPort(); + for (String ciphersuite : ciphersuites) { +- try (SSLClient client = SSLClient.init(port, ciphersuite)) { ++ SSLClient client = null; ++ try { ++ client = SSLClient.init(port, ciphersuite); + client.connect(); + String negotiated = client.getNegotiatedCipherSuite(); + System.out.println("Negotiated cipher suite: " +@@ -163,6 +171,8 @@ + throw new RuntimeException("Unexpected cipher suite: " + + negotiated); + } ++ } finally { ++ if (client != null) { client.close(); } + } + } + +@@ -174,6 +184,8 @@ + if (server.error()) { + throw new RuntimeException("Unexpected error on server side"); + } ++ } finally { ++ if (server != null) { server.close(); } + } + + } +@@ -193,7 +205,7 @@ + } + } + +- static class SSLServer implements Runnable, AutoCloseable { ++ static class SSLServer implements Runnable { + + private final SSLServerSocket ssocket; + private volatile boolean stopped = false; +@@ -210,7 +222,9 @@ + System.out.println("Server: started"); + running = true; + while (!stopped) { +- try (SSLSocket socket = (SSLSocket) ssocket.accept()) { ++ SSLSocket socket = null; ++ try { ++ socket = (SSLSocket) ssocket.accept(); + System.out.println("Server: accepted client connection"); + InputStream in = socket.getInputStream(); + OutputStream out = socket.getOutputStream(); +@@ -225,19 +239,16 @@ + } catch (SSLHandshakeException e) { + System.out.println("Server: run: " + e); + sslError = true; +- stopped = true; + } catch (IOException e) { + if (!stopped) { +- System.out.println("Server: run: unexpected exception: " +- + e); ++ System.out.println("Server: run: " + e); + e.printStackTrace(); + otherError = true; +- stopped = true; +- } else { +- System.out.println("Server: run: " + e); +- System.out.println("The exception above occurred " +- + "because socket was closed, " +- + "please ignore it"); ++ } ++ } finally { ++ if (socket != null ) { ++ try { socket.close(); } ++ catch (IOException e) { } + } + } + } +@@ -270,7 +281,6 @@ + stopped = true; + if (!ssocket.isClosed()) { + try { +- System.out.println("Server: close socket"); + ssocket.close(); + } catch (IOException e) { + System.out.println("Server: close: " + e); +@@ -278,7 +288,6 @@ + } + } + +- @Override + public void close() { + stop(); + } +@@ -300,7 +309,7 @@ + } + } + +- static class SSLClient implements AutoCloseable { ++ static class SSLClient { + + private final SSLSocket socket; + +@@ -310,11 +319,12 @@ + + void connect() throws IOException { + System.out.println("Client: connect to server"); +- try ( +- BufferedInputStream bis = new BufferedInputStream( +- socket.getInputStream()); +- BufferedOutputStream bos = new BufferedOutputStream( +- socket.getOutputStream())) { ++ BufferedInputStream bis = null; ++ BufferedOutputStream bos = null; ++ try { ++ bis = new BufferedInputStream(socket.getInputStream()); ++ bos = new BufferedOutputStream(socket.getOutputStream()); ++ + bos.write('x'); + bos.flush(); + +@@ -323,6 +333,9 @@ + throw new IOException("Client: couldn't read a response"); + } + socket.getSession().invalidate(); ++ } finally { ++ if (bis != null) { bis.close(); } ++ if (bos != null) { bos.close(); } + } + } + +@@ -334,7 +347,6 @@ + return socket.getSession().getCipherSuite(); + } + +- @Override + public void close() throws Exception { + if (!socket.isClosed()) { + try {