--- a/jdk/make/rmic/Rmic-java.rmi.gmk Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/make/rmic/Rmic-java.rmi.gmk Thu Jul 13 21:34:07 2017 -0700
@@ -40,16 +40,9 @@
RUN_V12 := true))
GENCLASSES += $(RMI_12)
-$(eval $(call SetupRMICompilation,RMI_11, \
- CLASSES := sun.rmi.registry.RegistryImpl \
- sun.rmi.transport.DGCImpl, \
- CLASSES_DIR := $(CLASSES_DIR)/java.rmi, \
- STUB_CLASSES_DIR := $(STUB_CLASSES_DIR)/java.rmi, \
- RUN_V11 := true))
-GENCLASSES += $(RMI_11)
################################################################################
-all: $(RMI_11) $(RMI_12)
+all: $(RMI_12)
.PHONY: all
--- a/jdk/src/java.base/share/classes/java/security/CodeSource.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/security/CodeSource.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -560,6 +560,7 @@
{
CertificateFactory cf;
Hashtable<String, CertificateFactory> cfs = null;
+ List<java.security.cert.Certificate> certList = null;
ois.defaultReadObject(); // location
@@ -569,7 +570,7 @@
// we know of 3 different cert types: X.509, PGP, SDSI, which
// could all be present in the stream at the same time
cfs = new Hashtable<>(3);
- this.certs = new java.security.cert.Certificate[size];
+ certList = new ArrayList<>(size > 20 ? 20 : size);
}
for (int i = 0; i < size; i++) {
@@ -600,13 +601,17 @@
ois.readFully(encoded);
ByteArrayInputStream bais = new ByteArrayInputStream(encoded);
try {
- this.certs[i] = cf.generateCertificate(bais);
+ certList.add(cf.generateCertificate(bais));
} catch (CertificateException ce) {
throw new IOException(ce.getMessage());
}
bais.close();
}
+ if (certList != null) {
+ this.certs = certList.toArray(
+ new java.security.cert.Certificate[size]);
+ }
// Deserialize array of code signers (if any)
try {
this.signers = ((CodeSigner[])ois.readObject()).clone();
--- a/jdk/src/java.base/share/classes/java/util/concurrent/ThreadPoolExecutor.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/ThreadPoolExecutor.java Thu Jul 13 21:34:07 2017 -0700
@@ -35,6 +35,9 @@
package java.util.concurrent;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.ConcurrentModificationException;
import java.util.HashSet;
@@ -584,6 +587,9 @@
private static final RuntimePermission shutdownPerm =
new RuntimePermission("modifyThread");
+ /* The context to be used when executing the finalizer, or null. */
+ private final AccessControlContext acc;
+
/**
* Class Worker mainly maintains interrupt control state for
* threads running tasks, along with other minor bookkeeping.
@@ -1326,6 +1332,9 @@
throw new IllegalArgumentException();
if (workQueue == null || threadFactory == null || handler == null)
throw new NullPointerException();
+ this.acc = System.getSecurityManager() == null ?
+ null :
+ AccessController.getContext();
this.corePoolSize = corePoolSize;
this.maximumPoolSize = maximumPoolSize;
this.workQueue = workQueue;
@@ -1491,6 +1500,9 @@
* Invokes {@code shutdown} when this executor is no longer
* referenced and it has no threads.
*
+ * <p>This method is invoked with privileges that are restricted by
+ * the security context of the caller that invokes the constructor.
+ *
* @deprecated The {@code finalize} method has been deprecated.
* Subclasses that override {@code finalize} in order to perform cleanup
* should be modified to use alternative cleanup mechanisms and
@@ -1502,7 +1514,13 @@
*/
@Deprecated(since="9")
protected void finalize() {
- shutdown();
+ SecurityManager sm = System.getSecurityManager();
+ if (sm == null || acc == null) {
+ shutdown();
+ } else {
+ PrivilegedAction<Void> pa = () -> { shutdown(); return null; };
+ AccessController.doPrivileged(pa, acc);
+ }
}
/**
--- a/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -180,10 +180,12 @@
// only set the jev object for entries that have a signature
// (either verified or not)
- if (sigFileSigners.get(name) != null ||
- verifiedSigners.get(name) != null) {
- mev.setEntry(name, je);
- return;
+ if (!name.equals(JarFile.MANIFEST_NAME)) {
+ if (sigFileSigners.get(name) != null ||
+ verifiedSigners.get(name) != null) {
+ mev.setEntry(name, je);
+ return;
+ }
}
// don't compute the digest for this entry
--- a/jdk/src/java.base/share/classes/sun/nio/ch/AsynchronousChannelGroupImpl.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/nio/ch/AsynchronousChannelGroupImpl.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -246,13 +246,16 @@
abstract void shutdownHandlerTasks();
private void shutdownExecutors() {
- AccessController.doPrivileged(new PrivilegedAction<>() {
- public Void run() {
- pool.executor().shutdown();
- timeoutExecutor.shutdown();
- return null;
- }
- });
+ AccessController.doPrivileged(
+ new PrivilegedAction<>() {
+ public Void run() {
+ pool.executor().shutdown();
+ timeoutExecutor.shutdown();
+ return null;
+ }
+ },
+ null,
+ new RuntimePermission("modifyThread"));
}
@Override
--- a/jdk/src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@
import java.security.KeyRep;
import java.security.PrivateKey;
import java.security.KeyFactory;
+import java.security.MessageDigest;
import java.security.Security;
import java.security.Provider;
import java.security.InvalidKeyException;
@@ -419,18 +420,9 @@
// that encoding
byte[] b2 = ((Key)object).getEncoded();
- // do the comparison
- int i;
- if (b1.length != b2.length)
- return false;
- for (i = 0; i < b1.length; i++) {
- if (b1[i] != b2[i]) {
- return false;
- }
- }
- return true;
+ // time-constant comparison
+ return MessageDigest.isEqual(b1, b2);
}
-
return false;
}
--- a/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java Thu Jul 13 21:34:07 2017 -0700
@@ -323,6 +323,12 @@
data = content.getContentBytes();
}
+ Timestamp timestamp = null;
+ try {
+ timestamp = getTimestamp();
+ } catch (Exception ignore) {
+ }
+
ConstraintsParameters cparams =
new ConstraintsParameters(timestamp);
String digestAlgname = getDigestAlgorithmId().getName();
--- a/jdk/src/java.base/share/classes/sun/security/provider/DSA.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/DSA.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -64,6 +64,13 @@
/* Are we debugging? */
private static final boolean debug = false;
+ /* The number of bits used in exponent blinding */
+ private static final int BLINDING_BITS = 7;
+
+ /* The constant component of the exponent blinding value */
+ private static final BigInteger BLINDING_CONSTANT =
+ BigInteger.valueOf(1 << BLINDING_BITS);
+
/* The parameter object */
private DSAParams params;
@@ -368,8 +375,19 @@
return null;
}
+
private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g,
BigInteger k) {
+
+ // exponent blinding to hide information from timing channel
+ SecureRandom random = getSigningRandom();
+ // start with a random blinding component
+ BigInteger blindingValue = new BigInteger(BLINDING_BITS, random);
+ // add the fixed blinding component
+ blindingValue = blindingValue.add(BLINDING_CONSTANT);
+ // replace k with a blinded value that is congruent (mod q)
+ k = k.add(q.multiply(blindingValue));
+
BigInteger temp = g.modPow(k, p);
return temp.mod(q);
}
@@ -434,43 +452,8 @@
byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8];
random.nextBytes(kValue);
- BigInteger k = new BigInteger(1, kValue).mod(
+ return new BigInteger(1, kValue).mod(
q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
-
- // Using an equivalent exponent of fixed length (same as q or 1 bit
- // less than q) to keep the kG timing relatively constant.
- //
- // Note that this is an extra step on top of the approach defined in
- // FIPS 186-4 AppendixB.2.1 so as to make a fixed length K.
- k = k.add(q).divide(BigInteger.TWO);
-
- // An alternative implementation based on FIPS 186-4 AppendixB2.2
- // with fixed-length K.
- //
- // Please keep it here as we may need to switch to it in the future.
- //
- // SecureRandom random = getSigningRandom();
- // byte[] kValue = new byte[(q.bitLength() + 7)/8];
- // BigInteger d = q.subtract(BigInteger.TWO);
- // BigInteger k;
- // do {
- // random.nextBytes(kValue);
- // BigInteger c = new BigInteger(1, kValue);
- // if (c.compareTo(d) <= 0) {
- // k = c.add(BigInteger.ONE);
- // // Using an equivalent exponent of fixed length to keep
- // // the g^k timing relatively constant.
- // //
- // // Note that this is an extra step on top of the approach
- // // defined in FIPS 186-4 AppendixB.2.2 so as to make a
- // // fixed length K.
- // if (k.bitLength() >= q.bitLength()) {
- // break;
- // }
- // }
- // } while (true);
-
- return k;
}
// Use the application-specified SecureRandom Object if provided.
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Thu Jul 13 21:34:07 2017 -0700
@@ -344,7 +344,7 @@
// add the algorithm checker
checkers.add(new AlgorithmChecker(builder.trustAnchor,
- buildParams.date(), null));
+ buildParams.date(), buildParams.variant()));
BasicChecker basicChecker = null;
if (nextState.keyParamsNeeded()) {
--- a/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java Thu Jul 13 21:34:07 2017 -0700
@@ -703,7 +703,6 @@
private int minSize; // the minimal available key size
private int maxSize; // the maximal available key size
private int prohibitedSize = -1; // unavailable key sizes
- private int size;
public KeySizeConstraint(String algo, Operator operator, int length) {
algorithm = algo;
@@ -761,8 +760,9 @@
return;
}
throw new CertPathValidatorException(
- "Algorithm constraints check failed on keysize limits. "
- + algorithm + " " + size + "bit key" + extendedMsg(cp),
+ "Algorithm constraints check failed on keysize limits. " +
+ algorithm + " " + KeyUtil.getKeySize(key) + "bit key" +
+ extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
@@ -789,7 +789,7 @@
return true;
}
- size = KeyUtil.getKeySize(key);
+ int size = KeyUtil.getKeySize(key);
if (size == 0) {
return false; // we don't allow any key of size 0.
} else if (size > 0) {
--- a/jdk/src/java.base/share/classes/sun/security/util/HostnameChecker.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/HostnameChecker.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;
+import javax.net.ssl.SNIHostName;
import sun.net.util.IPAddressUtil;
import sun.security.ssl.ClientKeyExchangeService;
@@ -201,6 +202,15 @@
private void matchDNS(String expectedName, X509Certificate cert,
boolean chainsToPublicCA)
throws CertificateException {
+ // Check that the expected name is a valid domain name.
+ try {
+ // Using the checking implemented in SNIHostName
+ SNIHostName sni = new SNIHostName(expectedName);
+ } catch (IllegalArgumentException iae) {
+ throw new CertificateException(
+ "Illegal given domain name: " + expectedName, iae);
+ }
+
Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
if (subjAltNames != null) {
boolean foundDNS = false;
@@ -277,6 +287,19 @@
if (hasIllegalWildcard(name, template, chainsToPublicCA)) {
return false;
}
+
+ // check the validity of the domain name template.
+ try {
+ // Replacing wildcard character '*' with 'x' so as to check
+ // the domain name template validity.
+ //
+ // Using the checking implemented in SNIHostName
+ SNIHostName sni = new SNIHostName(template.replace('*', 'x'));
+ } catch (IllegalArgumentException iae) {
+ // It would be nice to add debug log if not matching.
+ return false;
+ }
+
if (checkType == TYPE_TLS) {
return matchAllWildcards(name, template);
} else if (checkType == TYPE_LDAP) {
--- a/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -107,6 +107,8 @@
/* get the headers from the manifest for this entry */
/* if there aren't any, we can't verify any digests for this entry */
+ skip = false;
+
Attributes attr = man.getAttributes(name);
if (attr == null) {
// ugh. we should be able to remove this at some point.
@@ -141,7 +143,6 @@
}
if (digest != null) {
- skip = false;
digest.reset();
digests.add(digest);
manifestHashes.add(
@@ -197,6 +198,10 @@
return null;
}
+ if (digests.isEmpty()) {
+ throw new SecurityException("digest missing for " + name);
+ }
+
if (signers != null)
return signers;
--- a/jdk/src/java.base/share/conf/security/java.security Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/conf/security/java.security Thu Jul 13 21:34:07 2017 -0700
@@ -545,21 +545,21 @@
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
-# validity. JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
-# will not be restricted. The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
--- a/jdk/src/java.base/share/native/libverify/check_code.c Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.base/share/native/libverify/check_code.c Thu Jul 13 21:34:07 2017 -0700
@@ -459,6 +459,8 @@
static fullinfo_type cp_index_to_class_fullinfo(context_type *, int, int);
+static const char* get_result_signature(const char* signature);
+
static char signature_to_fieldtype(context_type *context,
const char **signature_p, fullinfo_type *info);
@@ -2789,7 +2791,7 @@
operand);
const char *result_signature;
check_and_push(context, signature, VM_STRING_UTF);
- result_signature = strchr(signature, JVM_SIGNATURE_ENDFUNC);
+ result_signature = get_result_signature(signature);
if (result_signature++ == NULL) {
CCerror(context, "Illegal signature %s", signature);
}
@@ -3712,6 +3714,42 @@
longjmp(context->jump_buffer, 1);
}
+/*
+ * Need to scan the entire signature to find the result type because
+ * types in the arg list and the result type could contain embedded ')'s.
+ */
+static const char* get_result_signature(const char* signature) {
+ const char *p;
+ for (p = signature; *p != JVM_SIGNATURE_ENDFUNC; p++) {
+ switch (*p) {
+ case JVM_SIGNATURE_BOOLEAN:
+ case JVM_SIGNATURE_BYTE:
+ case JVM_SIGNATURE_CHAR:
+ case JVM_SIGNATURE_SHORT:
+ case JVM_SIGNATURE_INT:
+ case JVM_SIGNATURE_FLOAT:
+ case JVM_SIGNATURE_DOUBLE:
+ case JVM_SIGNATURE_LONG:
+ case JVM_SIGNATURE_FUNC: /* ignore initial (, if given */
+ break;
+ case JVM_SIGNATURE_CLASS:
+ while (*p != JVM_SIGNATURE_ENDCLASS) p++;
+ break;
+ case JVM_SIGNATURE_ARRAY:
+ while (*p == JVM_SIGNATURE_ARRAY) p++;
+ /* If an array of classes, skip over class name, too. */
+ if (*p == JVM_SIGNATURE_CLASS) {
+ while (*p != JVM_SIGNATURE_ENDCLASS) p++;
+ }
+ break;
+ default:
+ /* Indicate an error. */
+ return NULL;
+ }
+ }
+ return p++; /* skip over ')'. */
+}
+
static char
signature_to_fieldtype(context_type *context,
const char **signature_p, fullinfo_type *full_info_p)
--- a/jdk/src/java.desktop/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.desktop/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java Thu Jul 13 21:34:07 2017 -0700
@@ -392,6 +392,17 @@
}
}
+ private void skipPastImage(int imageIndex) {
+ cbLock.lock();
+ try {
+ gotoImage(imageIndex);
+ skipImage();
+ } catch (IOException | IndexOutOfBoundsException e) {
+ } finally {
+ cbLock.unlock();
+ }
+ }
+
@SuppressWarnings("fallthrough")
private int getNumImagesOnThread(boolean allowSearch)
throws IOException {
@@ -1340,7 +1351,8 @@
* just a 1-line intermediate data transfer buffer that will not
* affect the acceleration of the resulting image.
*/
- boolean aborted = readImage(structPointer,
+ boolean aborted = readImage(imageIndex,
+ structPointer,
buffer.getData(),
numRasterBands,
srcBands,
@@ -1502,7 +1514,8 @@
/**
* Returns {@code true} if the read was aborted.
*/
- private native boolean readImage(long structPointer,
+ private native boolean readImage(int imageIndex,
+ long structPointer,
byte [] buffer,
int numRasterBands,
int [] srcBands,
--- a/jdk/src/java.desktop/share/classes/javax/imageio/spi/ServiceRegistry.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.desktop/share/classes/javax/imageio/spi/ServiceRegistry.java Thu Jul 13 21:34:07 2017 -0700
@@ -26,6 +26,9 @@
package javax.imageio.spi;
import java.io.File;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
@@ -755,13 +758,14 @@
Class<?> category;
- // Provider Objects organized by partial oridering
- PartiallyOrderedSet<Object> poset = new PartiallyOrderedSet<>();
+ // Provider Objects organized by partial ordering
+ final PartiallyOrderedSet<Object> poset = new PartiallyOrderedSet<>();
// Class -> Provider Object of that class
// No way to express heterogeneous map, we want
// Map<Class<T>, T>, where T is ?
- Map<Class<?>, Object> map = new HashMap<>();
+ final Map<Class<?>, Object> map = new HashMap<>();
+ final Map<Class<?>, AccessControlContext> accMap = new HashMap<>();
public SubRegistry(ServiceRegistry registry, Class<?> category) {
this.registry = registry;
@@ -776,6 +780,7 @@
deregisterServiceProvider(oprovider);
}
map.put(provider.getClass(), provider);
+ accMap.put(provider.getClass(), AccessController.getContext());
poset.add(provider);
if (provider instanceof RegisterableService) {
RegisterableService rs = (RegisterableService)provider;
@@ -800,6 +805,7 @@
if (provider == oprovider) {
map.remove(provider.getClass());
+ accMap.remove(provider.getClass());
poset.remove(provider);
if (provider instanceof RegisterableService) {
RegisterableService rs = (RegisterableService)provider;
@@ -849,10 +855,17 @@
if (provider instanceof RegisterableService) {
RegisterableService rs = (RegisterableService)provider;
- rs.onDeregistration(registry, category);
+ AccessControlContext acc = accMap.get(provider.getClass());
+ if (acc != null || System.getSecurityManager() == null) {
+ AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+ rs.onDeregistration(registry, category);
+ return null;
+ }, acc);
+ }
}
}
poset.clear();
+ accMap.clear();
}
@SuppressWarnings("deprecation")
--- a/jdk/src/java.desktop/share/classes/sun/awt/image/ImageWatched.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.desktop/share/classes/sun/awt/image/ImageWatched.java Thu Jul 13 21:34:07 2017 -0700
@@ -29,6 +29,10 @@
import java.awt.Image;
import java.awt.image.ImageObserver;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
public abstract class ImageWatched {
public static Link endlink = new Link();
@@ -85,16 +89,26 @@
}
}
+ static class AccWeakReference<T> extends WeakReference<T> {
+
+ private final AccessControlContext acc;
+
+ AccWeakReference(T ref) {
+ super(ref);
+ acc = AccessController.getContext();
+ }
+ }
+
/*
* Standard Link implementation to manage a Weak Reference
* to an ImageObserver.
*/
public static class WeakLink extends Link {
- private WeakReference<ImageObserver> myref;
+ private final AccWeakReference<ImageObserver> myref;
private Link next;
public WeakLink(ImageObserver obs, Link next) {
- myref = new WeakReference<ImageObserver>(obs);
+ myref = new AccWeakReference<ImageObserver>(obs);
this.next = next;
}
@@ -120,6 +134,19 @@
return this;
}
+ private static boolean update(ImageObserver iw, AccessControlContext acc,
+ Image img, int info,
+ int x, int y, int w, int h) {
+
+ if (acc != null || System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(
+ (PrivilegedAction<Boolean>) () -> {
+ return iw.imageUpdate(img, info, x, y, w, h);
+ }, acc);
+ }
+ return false;
+ }
+
public boolean newInfo(Image img, int info,
int x, int y, int w, int h)
{
@@ -129,7 +156,7 @@
if (myiw == null) {
// My referent is null so we must prune in a second pass.
ret = true;
- } else if (myiw.imageUpdate(img, info, x, y, w, h) == false) {
+ } else if (update(myiw, myref.acc, img, info, x, y, w, h) == false) {
// My referent has lost interest so clear it and ask
// for a pruning pass to remove it later.
myref.clear();
--- a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c Thu Jul 13 21:34:07 2017 -0700
@@ -72,6 +72,7 @@
static jmethodID JPEGImageReader_pushBackID;
static jmethodID JPEGImageReader_passStartedID;
static jmethodID JPEGImageReader_passCompleteID;
+static jmethodID JPEGImageReader_skipPastImageID;
static jmethodID JPEGImageWriter_writeOutputDataID;
static jmethodID JPEGImageWriter_warningOccurredID;
static jmethodID JPEGImageWriter_warningWithMessageID;
@@ -1472,6 +1473,10 @@
cls,
"pushBack",
"(I)V"));
+ CHECK_NULL(JPEGImageReader_skipPastImageID = (*env)->GetMethodID(env,
+ cls,
+ "skipPastImage",
+ "(I)V"));
CHECK_NULL(JPEGQTable_tableID = (*env)->GetFieldID(env,
qTableClass,
"qTable",
@@ -1853,6 +1858,7 @@
Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage
(JNIEnv *env,
jobject this,
+ jint imageIndex,
jlong ptr,
jbyteArray buffer,
jint numBands,
@@ -2181,12 +2187,23 @@
* We are done, but we might not have read all the lines, or all
* the passes, so use jpeg_abort instead of jpeg_finish_decompress.
*/
- if (cinfo->output_scanline == cinfo->output_height) {
- // if ((cinfo->output_scanline == cinfo->output_height) &&
- //(jpeg_input_complete(cinfo))) { // We read the whole file
+ if ((cinfo->output_scanline != cinfo->output_height) ||
+ data->abortFlag == JNI_TRUE)
+ {
+ jpeg_abort_decompress(cinfo);
+ } else if ((!jpeg_input_complete(cinfo)) &&
+ (progressive &&
+ (cinfo->input_scan_number > maxProgressivePass))) {
+ /* We haven't reached EOI, but we need to skip to there */
+ (*cinfo->src->term_source) (cinfo);
+ /* We can use jpeg_abort to release memory and reset global_state */
+ jpeg_abort((j_common_ptr) cinfo);
+ (*env)->CallVoidMethod(env,
+ this,
+ JPEGImageReader_skipPastImageID,
+ imageIndex);
+ } else {
jpeg_finish_decompress(cinfo);
- } else {
- jpeg_abort_decompress(cinfo);
}
free(scanLinePtr);
--- a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapClient.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapClient.java Thu Jul 13 21:34:07 2017 -0700
@@ -1234,6 +1234,7 @@
static final int LDAP_REF_FOLLOW = 0x01; // follow referrals
static final int LDAP_REF_THROW = 0x02; // throw referral ex.
static final int LDAP_REF_IGNORE = 0x03; // ignore referrals
+ static final int LDAP_REF_FOLLOW_SCHEME = 0x04; // follow referrals of the same scheme
static final String LDAP_URL = "ldap://"; // LDAPv3
static final String LDAPS_URL = "ldaps://"; // LDAPv3
--- a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtx.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtx.java Thu Jul 13 21:34:07 2017 -0700
@@ -2414,6 +2414,9 @@
// First determine the referral mode
if (ref != null) {
switch (ref) {
+ case "follow-scheme":
+ handleReferrals = LdapClient.LDAP_REF_FOLLOW_SCHEME;
+ break;
case "follow":
handleReferrals = LdapClient.LDAP_REF_FOLLOW;
break;
@@ -2979,8 +2982,23 @@
r = new LdapReferralException(resolvedName, resolvedObj, remainName,
msg, envprops, fullDN, handleReferrals, reqCtls);
// only one set of URLs is present
- r.setReferralInfo(res.referrals == null ? null :
- res.referrals.elementAt(0), false);
+ Vector<String> refs;
+ if (res.referrals == null) {
+ refs = null;
+ } else if (handleReferrals == LdapClient.LDAP_REF_FOLLOW_SCHEME) {
+ refs = new Vector<>();
+ for (String s : res.referrals.elementAt(0)) {
+ if (s.startsWith("ldap:")) {
+ refs.add(s);
+ }
+ }
+ if (refs.isEmpty()) {
+ refs = null;
+ }
+ } else {
+ refs = res.referrals.elementAt(0);
+ }
+ r.setReferralInfo(refs, false);
if (hopCount > 1) {
r.setHopCount(hopCount);
--- a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapReferralException.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapReferralException.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -117,7 +117,8 @@
// If following referral, request controls are passed to referral ctx
this.reqCtls =
- (handleReferrals == LdapClient.LDAP_REF_FOLLOW ? reqCtls : null);
+ (handleReferrals == LdapClient.LDAP_REF_FOLLOW ||
+ handleReferrals == LdapClient.LDAP_REF_FOLLOW_SCHEME ? reqCtls : null);
}
/**
--- a/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttribute.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttribute.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -515,7 +515,7 @@
throws java.io.IOException, ClassNotFoundException {
s.defaultReadObject(); // read in the attrID
int n = s.readInt(); // number of values
- values = new Vector<>(n);
+ values = new Vector<>(Math.min(1024, n));
while (--n >= 0) {
values.addElement(s.readObject());
}
--- a/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -186,7 +186,7 @@
*/
Hashtable<?,?> currentEnv = ctx.getEnvironment();
if (currentEnv.get(Context.REFERRAL) == null) {
- ctx.addToEnvironment(Context.REFERRAL, "follow");
+ ctx.addToEnvironment(Context.REFERRAL, "follow-scheme");
}
} catch (NamingException e) {
if (debug != null) {
--- a/jdk/src/java.rmi/share/classes/java/rmi/activation/ActivationID.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.rmi/share/classes/java/rmi/activation/ActivationID.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -40,6 +40,12 @@
import java.rmi.server.RemoteObjectInvocationHandler;
import java.rmi.server.RemoteRef;
import java.rmi.server.UID;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Permissions;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.security.ProtectionDomain;
/**
* Activation makes use of special identifiers to denote remote
@@ -81,6 +87,14 @@
/** indicate compatibility with the Java 2 SDK v1.2 version of class */
private static final long serialVersionUID = -4608673054848209235L;
+ /** an AccessControlContext with no permissions */
+ private static final AccessControlContext NOPERMS_ACC;
+ static {
+ Permissions perms = new Permissions();
+ ProtectionDomain[] pd = { new ProtectionDomain(null, perms) };
+ NOPERMS_ACC = new AccessControlContext(pd);
+ }
+
/**
* The constructor for <code>ActivationID</code> takes a single
* argument, activator, that specifies a remote reference to the
@@ -116,13 +130,19 @@
try {
MarshalledObject<? extends Remote> mobj =
activator.activate(this, force);
- return mobj.get();
- } catch (RemoteException e) {
- throw e;
- } catch (IOException e) {
- throw new UnmarshalException("activation failed", e);
- } catch (ClassNotFoundException e) {
- throw new UnmarshalException("activation failed", e);
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Remote>() {
+ public Remote run() throws IOException, ClassNotFoundException {
+ return mobj.get();
+ }
+ }, NOPERMS_ACC);
+ } catch (PrivilegedActionException pae) {
+ Exception ex = pae.getException();
+ if (ex instanceof RemoteException) {
+ throw (RemoteException) ex;
+ } else {
+ throw new UnmarshalException("activation failed", ex);
+ }
}
}
--- a/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java Thu Jul 13 21:34:07 2017 -0700
@@ -75,6 +75,10 @@
* registry.
*
* The LocateRegistry class is used to obtain registry for different hosts.
+ * <p>
+ * The default RegistryImpl exported restricts access to clients on the local host
+ * for the methods {@link #bind}, {@link #rebind}, {@link #unbind} by checking
+ * the client host in the skeleton.
*
* @see java.rmi.registry.LocateRegistry
*/
@@ -144,13 +148,27 @@
RMIServerSocketFactory ssf)
throws RemoteException
{
+ this(port, csf, ssf, RegistryImpl::registryFilter);
+ }
+
+
+ /**
+ * Construct a new RegistryImpl on the specified port with the
+ * given custom socket factory pair and ObjectInputFilter.
+ */
+ public RegistryImpl(int port,
+ RMIClientSocketFactory csf,
+ RMIServerSocketFactory ssf,
+ ObjectInputFilter serialFilter)
+ throws RemoteException
+ {
if (port == Registry.REGISTRY_PORT && System.getSecurityManager() != null) {
// grant permission for default port only.
try {
AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
public Void run() throws RemoteException {
LiveRef lref = new LiveRef(id, port, csf, ssf);
- setup(new UnicastServerRef2(lref, RegistryImpl::registryFilter));
+ setup(new UnicastServerRef2(lref, serialFilter));
return null;
}
}, null, new SocketPermission("localhost:"+port, "listen,accept"));
@@ -226,7 +244,8 @@
public void bind(String name, Remote obj)
throws RemoteException, AlreadyBoundException, AccessException
{
- checkAccess("Registry.bind");
+ // The access check preventing remote access is done in the skeleton
+ // and is not applicable to local access.
synchronized (bindings) {
Remote curr = bindings.get(name);
if (curr != null)
@@ -243,7 +262,8 @@
public void unbind(String name)
throws RemoteException, NotBoundException, AccessException
{
- checkAccess("Registry.unbind");
+ // The access check preventing remote access is done in the skeleton
+ // and is not applicable to local access.
synchronized (bindings) {
Remote obj = bindings.get(name);
if (obj == null)
@@ -259,7 +279,8 @@
public void rebind(String name, Remote obj)
throws RemoteException, AccessException
{
- checkAccess("Registry.rebind");
+ // The access check preventing remote access is done in the skeleton
+ // and is not applicable to local access.
bindings.put(name, obj);
}
@@ -312,7 +333,7 @@
if (clientHost.isAnyLocalAddress()) {
throw new AccessException(
- "Registry." + op + " disallowed; origin unknown");
+ op + " disallowed; origin unknown");
}
try {
@@ -335,7 +356,7 @@
// must have been an IOException
throw new AccessException(
- "Registry." + op + " disallowed; origin " +
+ op + " disallowed; origin " +
clientHost + " is non-local host");
}
}
@@ -344,8 +365,7 @@
* Local call from this VM: allow access.
*/
} catch (java.net.UnknownHostException ex) {
- throw new AccessException("Registry." + op +
- " disallowed; origin is unknown host");
+ throw new AccessException(op + " disallowed; origin is unknown host");
}
}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Skel.java Thu Jul 13 21:34:07 2017 -0700
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+
+package sun.rmi.registry;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.rmi.AccessException;
+import java.rmi.server.RemoteCall;
+
+import sun.rmi.transport.Connection;
+import sun.rmi.transport.StreamRemoteCall;
+import sun.rmi.transport.tcp.TCPConnection;
+
+/**
+ * Skeleton to dispatch RegistryImpl methods.
+ * Originally generated by RMIC but frozen to match the stubs.
+ */
+@SuppressWarnings({"deprecation", "serial"})
+public final class RegistryImpl_Skel
+ implements java.rmi.server.Skeleton {
+ private static final java.rmi.server.Operation[] operations = {
+ new java.rmi.server.Operation("void bind(java.lang.String, java.rmi.Remote)"),
+ new java.rmi.server.Operation("java.lang.String list()[]"),
+ new java.rmi.server.Operation("java.rmi.Remote lookup(java.lang.String)"),
+ new java.rmi.server.Operation("void rebind(java.lang.String, java.rmi.Remote)"),
+ new java.rmi.server.Operation("void unbind(java.lang.String)")
+ };
+
+ private static final long interfaceHash = 4905912898345647071L;
+
+ public java.rmi.server.Operation[] getOperations() {
+ return operations.clone();
+ }
+
+ public void dispatch(java.rmi.Remote obj, java.rmi.server.RemoteCall call, int opnum, long hash)
+ throws java.lang.Exception {
+ if (hash != interfaceHash)
+ throw new java.rmi.server.SkeletonMismatchException("interface hash mismatch");
+
+ sun.rmi.registry.RegistryImpl server = (sun.rmi.registry.RegistryImpl) obj;
+ switch (opnum) {
+ case 0: // bind(String, Remote)
+ {
+ // Check access before reading the arguments
+ RegistryImpl.checkAccess("Registry.bind");
+
+ java.lang.String $param_String_1;
+ java.rmi.Remote $param_Remote_2;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_String_1 = (java.lang.String) in.readObject();
+ $param_Remote_2 = (java.rmi.Remote) in.readObject();
+ } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ server.bind($param_String_1, $param_Remote_2);
+ try {
+ call.getResultStream(true);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ case 1: // list()
+ {
+ call.releaseInputStream();
+ java.lang.String[] $result = server.list();
+ try {
+ java.io.ObjectOutput out = call.getResultStream(true);
+ out.writeObject($result);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ case 2: // lookup(String)
+ {
+ java.lang.String $param_String_1;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_String_1 = (java.lang.String) in.readObject();
+ } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ java.rmi.Remote $result = server.lookup($param_String_1);
+ try {
+ java.io.ObjectOutput out = call.getResultStream(true);
+ out.writeObject($result);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ case 3: // rebind(String, Remote)
+ {
+ // Check access before reading the arguments
+ RegistryImpl.checkAccess("Registry.rebind");
+
+ java.lang.String $param_String_1;
+ java.rmi.Remote $param_Remote_2;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_String_1 = (java.lang.String) in.readObject();
+ $param_Remote_2 = (java.rmi.Remote) in.readObject();
+ } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ server.rebind($param_String_1, $param_Remote_2);
+ try {
+ call.getResultStream(true);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ case 4: // unbind(String)
+ {
+ // Check access before reading the arguments
+ RegistryImpl.checkAccess("Registry.unbind");
+
+ java.lang.String $param_String_1;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_String_1 = (java.lang.String) in.readObject();
+ } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ server.unbind($param_String_1);
+ try {
+ call.getResultStream(true);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ default:
+ throw new java.rmi.UnmarshalException("invalid method number");
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Stub.java Thu Jul 13 21:34:07 2017 -0700
@@ -0,0 +1,189 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.rmi.registry;
+/**
+ * Stubs to invoke RegistryImpl remote methods.
+ * Originally generated from RMIC but frozen to match RegistryImpl_Skel.
+ */
+@SuppressWarnings({"deprecation", "serial"})
+public final class RegistryImpl_Stub
+ extends java.rmi.server.RemoteStub
+ implements java.rmi.registry.Registry, java.rmi.Remote {
+ private static final java.rmi.server.Operation[] operations = {
+ new java.rmi.server.Operation("void bind(java.lang.String, java.rmi.Remote)"),
+ new java.rmi.server.Operation("java.lang.String list()[]"),
+ new java.rmi.server.Operation("java.rmi.Remote lookup(java.lang.String)"),
+ new java.rmi.server.Operation("void rebind(java.lang.String, java.rmi.Remote)"),
+ new java.rmi.server.Operation("void unbind(java.lang.String)")
+ };
+
+ private static final long interfaceHash = 4905912898345647071L;
+
+ // constructors
+ public RegistryImpl_Stub() {
+ super();
+ }
+
+ public RegistryImpl_Stub(java.rmi.server.RemoteRef ref) {
+ super(ref);
+ }
+
+ // methods from remote interfaces
+
+ // implementation of bind(String, Remote)
+ public void bind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2)
+ throws java.rmi.AccessException, java.rmi.AlreadyBoundException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 0, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_String_1);
+ out.writeObject($param_Remote_2);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ ref.done(call);
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.rmi.AlreadyBoundException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ // implementation of list()
+ public java.lang.String[] list()
+ throws java.rmi.AccessException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 1, interfaceHash);
+ ref.invoke(call);
+ java.lang.String[] $result;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $result = (java.lang.String[]) in.readObject();
+ } catch (java.io.IOException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+ } catch (java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+ } finally {
+ ref.done(call);
+ }
+ return $result;
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ // implementation of lookup(String)
+ public java.rmi.Remote lookup(java.lang.String $param_String_1)
+ throws java.rmi.AccessException, java.rmi.NotBoundException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 2, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_String_1);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ java.rmi.Remote $result;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $result = (java.rmi.Remote) in.readObject();
+ } catch (java.io.IOException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+ } catch (java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+ } finally {
+ ref.done(call);
+ }
+ return $result;
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.rmi.NotBoundException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ // implementation of rebind(String, Remote)
+ public void rebind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2)
+ throws java.rmi.AccessException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 3, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_String_1);
+ out.writeObject($param_Remote_2);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ ref.done(call);
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ // implementation of unbind(String)
+ public void unbind(java.lang.String $param_String_1)
+ throws java.rmi.AccessException, java.rmi.NotBoundException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 4, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_String_1);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ ref.done(call);
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.rmi.NotBoundException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+}
--- a/jdk/src/java.rmi/share/classes/sun/rmi/server/Activation.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/Activation.java Thu Jul 13 21:34:07 2017 -0700
@@ -30,6 +30,7 @@
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.OutputStream;
import java.io.PrintStream;
@@ -105,7 +106,6 @@
import sun.rmi.log.ReliableLog;
import sun.rmi.registry.RegistryImpl;
import sun.rmi.runtime.NewThreadAction;
-import sun.rmi.server.UnicastServerRef;
import sun.rmi.transport.LiveRef;
import sun.security.provider.PolicyFile;
import com.sun.rmi.rmid.ExecPermission;
@@ -375,6 +375,7 @@
throw new AccessException(
"binding ActivationSystem is disallowed");
} else {
+ RegistryImpl.checkAccess("ActivationSystem.bind");
super.bind(name, obj);
}
}
@@ -386,6 +387,7 @@
throw new AccessException(
"unbinding ActivationSystem is disallowed");
} else {
+ RegistryImpl.checkAccess("ActivationSystem.unbind");
super.unbind(name);
}
}
@@ -398,6 +400,7 @@
throw new AccessException(
"binding ActivationSystem is disallowed");
} else {
+ RegistryImpl.checkAccess("ActivationSystem.rebind");
super.rebind(name, obj);
}
}
@@ -488,6 +491,33 @@
}
+ /**
+ * SameHostOnlyServerRef checks that access is from a local client
+ * before the parameters are deserialized. The unmarshalCustomCallData
+ * hook is used to check the network address of the caller
+ * with RegistryImpl.checkAccess().
+ * The kind of access is retained for an exception if one is thrown.
+ */
+ static class SameHostOnlyServerRef extends UnicastServerRef {
+ private static final long serialVersionUID = 1234L;
+ private String accessKind; // an exception message
+
+ /**
+ * Construct a new SameHostOnlyServerRef from a LiveRef.
+ * @param lref a LiveRef
+ */
+ SameHostOnlyServerRef(LiveRef lref, String accessKind) {
+ super(lref);
+ this.accessKind = accessKind;
+ }
+
+ @Override
+ protected void unmarshalCustomCallData(ObjectInput in) throws IOException, ClassNotFoundException {
+ RegistryImpl.checkAccess(accessKind);
+ super.unmarshalCustomCallData(in);
+ }
+ }
+
class ActivationSystemImpl
extends RemoteServer
implements ActivationSystem
@@ -505,7 +535,8 @@
* 'this' can be exported.
*/
LiveRef lref = new LiveRef(new ObjID(4), port, null, ssf);
- UnicastServerRef uref = new UnicastServerRef(lref);
+ UnicastServerRef uref = new SameHostOnlyServerRef(lref,
+ "ActivationSystem.nonLocalAccess");
ref = uref;
uref.exportObject(this, null);
}
@@ -514,8 +545,8 @@
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.registerObject");
-
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
ActivationGroupID groupID = desc.getGroupID();
ActivationID id = new ActivationID(activatorStub);
getGroupEntry(groupID).registerObject(id, desc, true);
@@ -526,7 +557,8 @@
throws ActivationException, UnknownObjectException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.unregisterObject");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
getGroupEntry(id).unregisterObject(id, true);
}
@@ -534,7 +566,8 @@
throws ActivationException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.registerGroup");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
checkArgs(desc, null);
ActivationGroupID id = new ActivationGroupID(systemStub);
@@ -551,7 +584,8 @@
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.activeGroup");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
getGroupEntry(id).activeGroup(group, incarnation);
return monitor;
@@ -561,7 +595,8 @@
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.unregisterGroup");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
// remove entry before unregister so state is updated before
// logged
@@ -573,7 +608,8 @@
throws ActivationException, UnknownObjectException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.setActivationDesc");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
if (!getGroupID(id).equals(desc.getGroupID())) {
throw new ActivationException(
@@ -587,8 +623,8 @@
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess(
- "ActivationSystem.setActivationGroupDesc");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
checkArgs(desc, null);
return getGroupEntry(id).setActivationGroupDesc(id, desc, true);
@@ -598,7 +634,8 @@
throws ActivationException, UnknownObjectException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.getActivationDesc");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
return getGroupEntry(id).getActivationDesc(id);
}
@@ -607,8 +644,8 @@
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess
- ("ActivationSystem.getActivationGroupDesc");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
return getGroupEntry(id).desc;
}
@@ -618,7 +655,8 @@
* the activation daemon and exits the activation daemon.
*/
public void shutdown() throws AccessException {
- RegistryImpl.checkAccess("ActivationSystem.shutdown");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
Object lock = startupLock;
if (lock != null) {
--- a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,7 +32,6 @@
import java.rmi.MarshalException;
import java.rmi.Remote;
import java.rmi.RemoteException;
-import java.rmi.ServerException;
import java.rmi.UnmarshalException;
import java.rmi.server.Operation;
import java.rmi.server.RemoteCall;
@@ -187,14 +186,11 @@
return returnValue;
- } catch (IOException e) {
+ } catch (IOException | ClassNotFoundException e) {
+ // disable saving any refs in the inputStream for GC
+ ((StreamRemoteCall)call).discardPendingRefs();
clientRefLog.log(Log.BRIEF,
- "IOException unmarshalling return: ", e);
- throw new UnmarshalException("error unmarshalling return", e);
- } catch (ClassNotFoundException e) {
- clientRefLog.log(Log.BRIEF,
- "ClassNotFoundException unmarshalling return: ", e);
-
+ e.getClass().getName() + " unmarshalling return: ", e);
throw new UnmarshalException("error unmarshalling return", e);
} finally {
try {
--- a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@
import java.io.ObjectStreamClass;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.rmi.AccessException;
import java.rmi.MarshalException;
import java.rmi.Remote;
import java.rmi.RemoteException;
@@ -57,6 +58,7 @@
import java.util.concurrent.atomic.AtomicInteger;
import sun.rmi.runtime.Log;
import sun.rmi.transport.LiveRef;
+import sun.rmi.transport.StreamRemoteCall;
import sun.rmi.transport.Target;
import sun.rmi.transport.tcp.TCPTransport;
@@ -287,20 +289,25 @@
try {
in = call.getInputStream();
num = in.readInt();
- if (num >= 0) {
- if (skel != null) {
- oldDispatch(obj, call, num);
- return;
- } else {
- throw new UnmarshalException(
- "skeleton class not found but required " +
- "for client version");
- }
+ } catch (Exception readEx) {
+ throw new UnmarshalException("error unmarshalling call header",
+ readEx);
+ }
+ if (num >= 0) {
+ if (skel != null) {
+ oldDispatch(obj, call, num);
+ return;
+ } else {
+ throw new UnmarshalException(
+ "skeleton class not found but required " +
+ "for client version");
}
+ }
+ try {
op = in.readLong();
} catch (Exception readEx) {
throw new UnmarshalException("error unmarshalling call header",
- readEx);
+ readEx);
}
/*
@@ -328,10 +335,14 @@
try {
unmarshalCustomCallData(in);
params = unmarshalParameters(obj, method, marshalStream);
- } catch (java.io.IOException e) {
- throw new UnmarshalException(
- "error unmarshalling arguments", e);
- } catch (ClassNotFoundException e) {
+ } catch (AccessException aex) {
+ // For compatibility, AccessException is not wrapped in UnmarshalException
+ // disable saving any refs in the inputStream for GC
+ ((StreamRemoteCall) call).discardPendingRefs();
+ throw aex;
+ } catch (java.io.IOException | ClassNotFoundException e) {
+ // disable saving any refs in the inputStream for GC
+ ((StreamRemoteCall) call).discardPendingRefs();
throw new UnmarshalException(
"error unmarshalling arguments", e);
} finally {
@@ -365,6 +376,7 @@
*/
}
} catch (Throwable e) {
+ Throwable origEx = e;
logCallException(e);
ObjectOutput out = call.getResultStream(false);
@@ -380,6 +392,12 @@
clearStackTraces(e);
}
out.writeObject(e);
+
+ // AccessExceptions should cause Transport.serviceCall
+ // to flag the connection as unusable.
+ if (origEx instanceof AccessException) {
+ throw new IOException("Connection is not reusable", origEx);
+ }
} finally {
call.releaseInputStream(); // in case skeleton doesn't
call.releaseOutputStream();
@@ -408,62 +426,41 @@
* Handle server-side dispatch using the RMI 1.1 stub/skeleton
* protocol, given a non-negative operation number that has
* already been read from the call stream.
+ * Exceptions are handled by the caller to be sent to the remote client.
*
* @param obj the target remote object for the call
* @param call the "remote call" from which operation and
* method arguments can be obtained.
* @param op the operation number
- * @exception IOException if unable to marshal return result or
+ * @throws Exception if unable to marshal return result or
* release input or output streams
*/
- public void oldDispatch(Remote obj, RemoteCall call, int op)
- throws IOException
+ private void oldDispatch(Remote obj, RemoteCall call, int op)
+ throws Exception
{
long hash; // hash for matching stub with skeleton
+ // read remote call header
+ ObjectInput in;
+ in = call.getInputStream();
try {
- // read remote call header
- ObjectInput in;
- try {
- in = call.getInputStream();
- try {
- Class<?> clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel");
- if (clazz.isAssignableFrom(skel.getClass())) {
- ((MarshalInputStream)in).useCodebaseOnly();
- }
- } catch (ClassNotFoundException ignore) { }
- hash = in.readLong();
- } catch (Exception readEx) {
- throw new UnmarshalException("error unmarshalling call header",
- readEx);
+ Class<?> clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel");
+ if (clazz.isAssignableFrom(skel.getClass())) {
+ ((MarshalInputStream)in).useCodebaseOnly();
}
+ } catch (ClassNotFoundException ignore) { }
- // if calls are being logged, write out object id and operation
- logCall(obj, skel.getOperations()[op]);
- unmarshalCustomCallData(in);
- // dispatch to skeleton for remote object
- skel.dispatch(obj, call, op, hash);
-
- } catch (Throwable e) {
- logCallException(e);
+ try {
+ hash = in.readLong();
+ } catch (Exception ioe) {
+ throw new UnmarshalException("error unmarshalling call header", ioe);
+ }
- ObjectOutput out = call.getResultStream(false);
- if (e instanceof Error) {
- e = new ServerError(
- "Error occurred in server thread", (Error) e);
- } else if (e instanceof RemoteException) {
- e = new ServerException(
- "RemoteException occurred in server thread",
- (Exception) e);
- }
- if (suppressStackTraces) {
- clearStackTraces(e);
- }
- out.writeObject(e);
- } finally {
- call.releaseInputStream(); // in case skeleton doesn't
- call.releaseOutputStream();
- }
+ // if calls are being logged, write out object id and operation
+ logCall(obj, skel.getOperations()[op]);
+ unmarshalCustomCallData(in);
+ // dispatch to skeleton for remote object
+ skel.dispatch(obj, call, op, hash);
}
/**
--- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/ConnectionInputStream.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/ConnectionInputStream.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -82,6 +82,14 @@
}
/**
+ * Discard the saved incoming refs so there is nothing to register
+ * when {@code registerRefs} is called.
+ */
+ void discardRefs() {
+ incomingRefTable.clear();
+ }
+
+ /**
* Add references to DGC table (and possibly send dirty call).
* RegisterRefs now calls DGCClient.referenced on all
* refs with the same endpoint at once to achieve batching of
--- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCClient.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCClient.java Thu Jul 13 21:34:07 2017 -0700
@@ -24,9 +24,11 @@
*/
package sun.rmi.transport;
+import java.io.InvalidClassException;
import java.lang.ref.PhantomReference;
import java.lang.ref.ReferenceQueue;
import java.net.SocketPermission;
+import java.rmi.UnmarshalException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashMap;
@@ -41,6 +43,8 @@
import java.rmi.dgc.Lease;
import java.rmi.dgc.VMID;
import java.rmi.server.ObjID;
+
+import sun.rmi.runtime.Log;
import sun.rmi.runtime.NewThreadAction;
import sun.rmi.server.UnicastRef;
import sun.rmi.server.Util;
@@ -388,6 +392,12 @@
synchronized (this) {
dirtyFailures++;
+ if (e instanceof UnmarshalException
+ && e.getCause() instanceof InvalidClassException) {
+ DGCImpl.dgcLog.log(Log.BRIEF, "InvalidClassException exception in DGC dirty call", e);
+ return; // protocol error, do not register these refs
+ }
+
if (dirtyFailures == 1) {
/*
* If this was the first recent failed dirty call,
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Skel.java Thu Jul 13 21:34:07 2017 -0700
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.rmi.transport;
+
+/**
+ * Skeleton to dispatch DGC methods.
+ * Originally generated by RMIC but frozen to match the stubs.
+ */
+@SuppressWarnings({"deprecation", "serial"})
+public final class DGCImpl_Skel
+ implements java.rmi.server.Skeleton {
+ private static final java.rmi.server.Operation[] operations = {
+ new java.rmi.server.Operation("void clean(java.rmi.server.ObjID[], long, java.rmi.dgc.VMID, boolean)"),
+ new java.rmi.server.Operation("java.rmi.dgc.Lease dirty(java.rmi.server.ObjID[], long, java.rmi.dgc.Lease)")
+ };
+
+ private static final long interfaceHash = -669196253586618813L;
+
+ public java.rmi.server.Operation[] getOperations() {
+ return operations.clone();
+ }
+
+ public void dispatch(java.rmi.Remote obj, java.rmi.server.RemoteCall call, int opnum, long hash)
+ throws java.lang.Exception {
+ if (hash != interfaceHash)
+ throw new java.rmi.server.SkeletonMismatchException("interface hash mismatch");
+
+ sun.rmi.transport.DGCImpl server = (sun.rmi.transport.DGCImpl) obj;
+ switch (opnum) {
+ case 0: // clean(ObjID[], long, VMID, boolean)
+ {
+ java.rmi.server.ObjID[] $param_arrayOf_ObjID_1;
+ long $param_long_2;
+ java.rmi.dgc.VMID $param_VMID_3;
+ boolean $param_boolean_4;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_arrayOf_ObjID_1 = (java.rmi.server.ObjID[]) in.readObject();
+ $param_long_2 = in.readLong();
+ $param_VMID_3 = (java.rmi.dgc.VMID) in.readObject();
+ $param_boolean_4 = in.readBoolean();
+ } catch (java.io.IOException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } catch (java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ server.clean($param_arrayOf_ObjID_1, $param_long_2, $param_VMID_3, $param_boolean_4);
+ try {
+ call.getResultStream(true);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ case 1: // dirty(ObjID[], long, Lease)
+ {
+ java.rmi.server.ObjID[] $param_arrayOf_ObjID_1;
+ long $param_long_2;
+ java.rmi.dgc.Lease $param_Lease_3;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_arrayOf_ObjID_1 = (java.rmi.server.ObjID[]) in.readObject();
+ $param_long_2 = in.readLong();
+ $param_Lease_3 = (java.rmi.dgc.Lease) in.readObject();
+ } catch (java.io.IOException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } catch (java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ java.rmi.dgc.Lease $result = server.dirty($param_arrayOf_ObjID_1, $param_long_2, $param_Lease_3);
+ try {
+ java.io.ObjectOutput out = call.getResultStream(true);
+ out.writeObject($result);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ default:
+ throw new java.rmi.UnmarshalException("invalid method number");
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Stub.java Thu Jul 13 21:34:07 2017 -0700
@@ -0,0 +1,183 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.rmi.transport;
+
+import java.io.ObjectInputFilter;
+import java.io.ObjectInputStream;
+import java.rmi.dgc.Lease;
+import java.rmi.dgc.VMID;
+import java.rmi.server.UID;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+import sun.rmi.server.UnicastRef;
+import sun.rmi.transport.tcp.TCPConnection;
+
+/**
+ * Stubs to invoke DGC remote methods.
+ * Originally generated from RMIC but frozen to insert serialFilter.
+ */
+@SuppressWarnings({"deprecation", "serial"})
+public final class DGCImpl_Stub
+ extends java.rmi.server.RemoteStub
+ implements java.rmi.dgc.DGC {
+ private static final java.rmi.server.Operation[] operations = {
+ new java.rmi.server.Operation("void clean(java.rmi.server.ObjID[], long, java.rmi.dgc.VMID, boolean)"),
+ new java.rmi.server.Operation("java.rmi.dgc.Lease dirty(java.rmi.server.ObjID[], long, java.rmi.dgc.Lease)")
+ };
+
+ private static final long interfaceHash = -669196253586618813L;
+
+ /** Registry max depth of remote invocations. **/
+ private static int DGCCLIENT_MAX_DEPTH = 6;
+
+ /** Registry maximum array size in remote invocations. **/
+ private static int DGCCLIENT_MAX_ARRAY_SIZE = 10000;
+
+ // constructors
+ public DGCImpl_Stub() {
+ super();
+ }
+
+ public DGCImpl_Stub(java.rmi.server.RemoteRef ref) {
+ super(ref);
+ }
+
+ // methods from remote interfaces
+
+ // implementation of clean(ObjID[], long, VMID, boolean)
+ public void clean(java.rmi.server.ObjID[] $param_arrayOf_ObjID_1, long $param_long_2, java.rmi.dgc.VMID $param_VMID_3, boolean $param_boolean_4)
+ throws java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 0, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_arrayOf_ObjID_1);
+ out.writeLong($param_long_2);
+ out.writeObject($param_VMID_3);
+ out.writeBoolean($param_boolean_4);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ ref.done(call);
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ // implementation of dirty(ObjID[], long, Lease)
+ public java.rmi.dgc.Lease dirty(java.rmi.server.ObjID[] $param_arrayOf_ObjID_1, long $param_long_2, java.rmi.dgc.Lease $param_Lease_3)
+ throws java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 1, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_arrayOf_ObjID_1);
+ out.writeLong($param_long_2);
+ out.writeObject($param_Lease_3);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ java.rmi.dgc.Lease $result;
+ Connection connection = ((StreamRemoteCall) call).getConnection();
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+
+ if (in instanceof ObjectInputStream) {
+ /**
+ * Set a filter on the stream for the return value.
+ */
+ ObjectInputStream ois = (ObjectInputStream) in;
+ AccessController.doPrivileged((PrivilegedAction<Void>)() -> {
+ ois.setObjectInputFilter(DGCImpl_Stub::leaseFilter);
+ return null;
+ });
+ }
+ $result = (java.rmi.dgc.Lease) in.readObject();
+ } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+ if (connection instanceof TCPConnection) {
+ // Modified to prevent re-use of the connection after an exception
+ ((TCPConnection) connection).getChannel().free(connection, false);
+ }
+ throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+ } finally {
+ ref.done(call);
+ }
+ return $result;
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ /**
+ * ObjectInputFilter to filter DGCClient return value (a Lease).
+ * The list of acceptable classes is very short and explicit.
+ * The depth and array sizes are limited.
+ *
+ * @param filterInfo access to class, arrayLength, etc.
+ * @return {@link ObjectInputFilter.Status#ALLOWED} if allowed,
+ * {@link ObjectInputFilter.Status#REJECTED} if rejected,
+ * otherwise {@link ObjectInputFilter.Status#UNDECIDED}
+ */
+ private static ObjectInputFilter.Status leaseFilter(ObjectInputFilter.FilterInfo filterInfo) {
+
+ if (filterInfo.depth() > DGCCLIENT_MAX_DEPTH) {
+ return ObjectInputFilter.Status.REJECTED;
+ }
+ Class<?> clazz = filterInfo.serialClass();
+ if (clazz != null) {
+ while (clazz.isArray()) {
+ if (filterInfo.arrayLength() >= 0 && filterInfo.arrayLength() > DGCCLIENT_MAX_ARRAY_SIZE) {
+ return ObjectInputFilter.Status.REJECTED;
+ }
+ // Arrays are allowed depending on the component type
+ clazz = clazz.getComponentType();
+ }
+ if (clazz.isPrimitive()) {
+ // Arrays of primitives are allowed
+ return ObjectInputFilter.Status.ALLOWED;
+ }
+ return (clazz == UID.class ||
+ clazz == VMID.class ||
+ clazz == Lease.class)
+ ? ObjectInputFilter.Status.ALLOWED
+ : ObjectInputFilter.Status.REJECTED;
+ }
+ // Not a class, not size limited
+ return ObjectInputFilter.Status.UNDECIDED;
+ }
+
+}
--- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/StreamRemoteCall.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/StreamRemoteCall.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -168,6 +168,13 @@
}
/**
+ * Discard any post-processing of refs the InputStream.
+ */
+ public void discardPendingRefs() {
+ in.discardRefs();
+ }
+
+ /**
* Returns an output stream (may put out header information
* relating to the success of the call).
* @param success If true, indicates normal return, else indicates
--- a/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -370,9 +370,15 @@
}
random.nextBytes(seed);
+ // random bits needed for timing countermeasures
+ int timingArgument = random.nextInt();
+ // values must be non-zero to enable countermeasures
+ timingArgument |= 1;
+
byte[] sig;
try {
- sig = signDigest(getDigestValue(), s, encodedParams, seed);
+ sig = signDigest(getDigestValue(), s, encodedParams, seed,
+ timingArgument);
} catch (GeneralSecurityException e) {
throw new SignatureException("Could not sign data", e);
}
@@ -509,11 +515,19 @@
* @param s the private key's S value.
* @param encodedParams the curve's DER encoded object identifier.
* @param seed the random seed.
+ * @param timing When non-zero, the implmentation will use timing
+ * countermeasures to hide secrets from timing channels. The EC
+ * implementation will disable the countermeasures when this value is
+ * zero, because the underlying EC functions are shared by several
+ * crypto operations, some of which do not use the countermeasures.
+ * The high-order 31 bits must be uniformly random. The entropy from
+ * these bits is used by the countermeasures.
*
* @return byte[] the signature.
*/
private static native byte[] signDigest(byte[] digest, byte[] s,
- byte[] encodedParams, byte[] seed) throws GeneralSecurityException;
+ byte[] encodedParams, byte[] seed, int timing)
+ throws GeneralSecurityException;
/**
* Verifies the signed digest using the public key.
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -196,7 +196,7 @@
*/
JNIEXPORT jbyteArray
JNICALL Java_sun_security_ec_ECDSASignature_signDigest
- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed)
+ (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
{
jbyte* pDigestBuffer = NULL;
jint jDigestLength = env->GetArrayLength(digest);
@@ -256,7 +256,7 @@
// Sign the digest (using the supplied seed)
if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
- (unsigned char *) pSeedBuffer, jSeedLength, 0) != SECSuccess) {
+ (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) {
ThrowException(env, KEY_EXCEPTION);
goto cleanup;
}
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec.c Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec.c Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -34,7 +34,7 @@
* Dr Vipul Gupta <vipul.gupta@sun.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
- * Last Modified Date from the Original Code: November 2016
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "mplogic.h"
@@ -87,7 +87,7 @@
*/
SECStatus
ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2,
- const SECItem *pointP, SECItem *pointQ, int kmflag)
+ const SECItem *pointP, SECItem *pointQ, int kmflag, int timing)
{
mp_int Px, Py, Qx, Qy;
mp_int Gx, Gy, order, irreducible, a, b;
@@ -199,9 +199,9 @@
goto cleanup;
if ((k2 != NULL) && (pointP != NULL)) {
- CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy) );
+ CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy, timing) );
} else {
- CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy) );
+ CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy, timing) );
}
/* Construct the SECItem representation of point Q */
@@ -333,7 +333,8 @@
CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data,
(mp_size) len) );
- rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue), kmflag);
+ /* key generation does not support timing mitigation */
+ rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue), kmflag, /*timing*/ 0);
if (rv != SECSuccess) goto cleanup;
*privKey = key;
@@ -610,7 +611,8 @@
}
/* Multiply our private key and peer's public point */
- if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ, kmflag) != SECSuccess) ||
+ /* ECDH doesn't support timing mitigation */
+ if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ, kmflag, /*timing*/ 0) != SECSuccess) ||
ec_point_at_infinity(&pointQ))
goto cleanup;
@@ -645,7 +647,8 @@
*/
SECStatus
ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
- const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag)
+ const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag,
+ int timing)
{
SECStatus rv = SECFailure;
mp_int x1;
@@ -715,16 +718,6 @@
}
/*
- * Using an equivalent exponent of fixed length (same as n or 1 bit less
- * than n) to keep the kG timing relatively constant.
- *
- * Note that this is an extra step on top of the approach defined in
- * ANSI X9.62 so as to make a fixed length K.
- */
- CHECK_MPI_OK( mp_add(&k, &n, &k) );
- CHECK_MPI_OK( mp_div_2(&k, &k) );
-
- /*
** ANSI X9.62, Section 5.3.2, Step 2
**
** Compute kG
@@ -732,7 +725,7 @@
kGpoint.len = 2*flen + 1;
kGpoint.data = PORT_Alloc(2*flen + 1, kmflag);
if ((kGpoint.data == NULL) ||
- (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag)
+ (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag, timing)
!= SECSuccess))
goto cleanup;
@@ -854,7 +847,7 @@
*/
SECStatus
ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest,
- const unsigned char* random, int randomLen, int kmflag)
+ const unsigned char* random, int randomLen, int kmflag, int timing)
{
SECStatus rv = SECFailure;
int len;
@@ -872,7 +865,7 @@
if (kBytes == NULL) goto cleanup;
/* Generate ECDSA signature with the specified k value */
- rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len, kmflag);
+ rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len, kmflag, timing);
cleanup:
if (kBytes) {
@@ -1018,7 +1011,8 @@
** Here, A = u1.G B = u2.Q and C = A + B
** If the result, C, is the point at infinity, reject the signature
*/
- if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC, kmflag)
+ /* verification does not support timing mitigation */
+ if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC, kmflag, /*timing*/ 0)
!= SECSuccess) {
rv = SECFailure;
goto cleanup;
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2.h Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2.h Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _EC2_H
@@ -79,7 +80,7 @@
* determines the field GF2m. Uses Montgomery projective coordinates. */
mp_err ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group);
+ const ECGroup *group, int timing);
#ifdef ECL_ENABLE_GF2M_PROJ
/* Converts a point P(px, py) from affine coordinates to projective
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_aff.c Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_aff.c Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ec2.h"
@@ -329,7 +330,8 @@
/* 4: Verify that the order of the curve times the publicValue
* is the point at infinity.
*/
- MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
+ /* timing mitigation is not supported */
+ MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt, /*timing*/ 0) );
if (ec_GF2m_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
res = MP_NO;
goto CLEANUP;
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_mont.c Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_mont.c Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -35,6 +35,7 @@
* Stephen Fung <fungstep@hotmail.com>, and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ec2.h"
@@ -181,10 +182,12 @@
/* Computes R = nP based on algorithm 2P of Lopex, J. and Dahab, R. "Fast
* multiplication on elliptic curves over GF(2^m) without
* precomputation". Elliptic curve points P and R can be identical. Uses
- * Montgomery projective coordinates. */
+ * Montgomery projective coordinates. The timing parameter is ignored
+ * because this algorithm resists timing attacks by default. */
mp_err
ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px, const mp_int *py,
- mp_int *rx, mp_int *ry, const ECGroup *group)
+ mp_int *rx, mp_int *ry, const ECGroup *group,
+ int timing)
{
mp_err res = MP_OKAY;
mp_int x1, x2, z1, z2;
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -34,7 +34,7 @@
* Dr Vipul Gupta <vipul.gupta@sun.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
- * Last Modified Date from the Original Code: November 2013
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _ECC_IMPL_H
@@ -258,7 +258,7 @@
const unsigned char* random, int randomlen, int);
/* This function has been modified to accept an array of random bytes */
extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *,
- const unsigned char* random, int randomlen, int);
+ const unsigned char* random, int randomlen, int, int timing);
extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *,
const SECItem *, int);
extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl-priv.h Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl-priv.h Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -34,6 +34,7 @@
* Stephen Fung <fungstep@hotmail.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _ECL_PRIV_H
@@ -193,12 +194,13 @@
mp_int *ry, const ECGroup *group);
mp_err (*point_mul) (const mp_int *n, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group);
+ const ECGroup *group, int timing);
mp_err (*base_point_mul) (const mp_int *n, mp_int *rx, mp_int *ry,
const ECGroup *group);
mp_err (*points_mul) (const mp_int *k1, const mp_int *k2,
const mp_int *px, const mp_int *py, mp_int *rx,
- mp_int *ry, const ECGroup *group);
+ mp_int *ry, const ECGroup *group,
+ int timing);
mp_err (*validate_point) (const mp_int *px, const mp_int *py, const ECGroup *group);
/* Extra storage for implementation-specific data. Any memory
* allocated to these extra fields will be cleared by extra_free. */
@@ -262,10 +264,12 @@
/* point multiplication */
mp_err ec_pts_mul_basic(const mp_int *k1, const mp_int *k2,
const mp_int *px, const mp_int *py, mp_int *rx,
- mp_int *ry, const ECGroup *group);
+ mp_int *ry, const ECGroup *group,
+ int timing);
mp_err ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2,
const mp_int *px, const mp_int *py, mp_int *rx,
- mp_int *ry, const ECGroup *group);
+ mp_int *ry, const ECGroup *group,
+ int timing);
/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should
* be an array of signed char's to output to, bitsize should be the number
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl.h Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl.h Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _ECL_H
@@ -70,7 +71,8 @@
* of the group of points on the elliptic curve. Input and output values
* are assumed to be NOT field-encoded. */
mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
- const mp_int *py, mp_int *qx, mp_int *qy);
+ const mp_int *py, mp_int *qx, mp_int *qy,
+ int timing);
/* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k1 * G +
* k2 * P(x, y), where G is the generator (base point) of the group of
@@ -78,7 +80,7 @@
* be NOT field-encoded. */
mp_err ECPoints_mul(const ECGroup *group, const mp_int *k1,
const mp_int *k2, const mp_int *px, const mp_int *py,
- mp_int *qx, mp_int *qy);
+ mp_int *qx, mp_int *qy, int timing);
/* Validates an EC public key as described in Section 5.2.2 of X9.62.
* Returns MP_YES if the public key is valid, MP_NO if the public key
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl_mult.c Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl_mult.c Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,7 +33,7 @@
* Contributor(s):
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
- * Last Modified Date from the Original Code: Nov 2016
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "mpi.h"
@@ -50,7 +50,8 @@
* are assumed to be NOT field-encoded. */
mp_err
ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
- const mp_int *py, mp_int *rx, mp_int *ry)
+ const mp_int *py, mp_int *rx, mp_int *ry,
+ int timing)
{
mp_err res = MP_OKAY;
mp_int kt;
@@ -76,16 +77,16 @@
kt.flag = (mp_sign)0;
MP_CHECKOK(group->
point_mul(&kt, &group->genx, &group->geny, rx, ry,
- group));
+ group, timing));
}
} else {
if (group->meth->field_enc) {
MP_CHECKOK(group->meth->field_enc(px, rx, group->meth));
MP_CHECKOK(group->meth->field_enc(py, ry, group->meth));
- MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group));
+ MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group, timing));
} else {
kt.flag = (mp_sign)0;
- MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group));
+ MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group, timing));
}
}
if (group->meth->field_dec) {
@@ -107,7 +108,7 @@
mp_err
ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group)
+ const ECGroup *group, int timing)
{
mp_err res = MP_OKAY;
mp_int sx, sy;
@@ -119,9 +120,9 @@
/* if some arguments are not defined used ECPoint_mul */
if (k1 == NULL) {
- return ECPoint_mul(group, k2, px, py, rx, ry);
+ return ECPoint_mul(group, k2, px, py, rx, ry, timing);
} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
- return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+ return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing);
}
MP_DIGITS(&sx) = 0;
@@ -129,8 +130,8 @@
MP_CHECKOK(mp_init(&sx, FLAG(k1)));
MP_CHECKOK(mp_init(&sy, FLAG(k1)));
- MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy));
- MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry));
+ MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy, timing));
+ MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry, timing));
if (group->meth->field_enc) {
MP_CHECKOK(group->meth->field_enc(&sx, &sx, group->meth));
@@ -162,7 +163,7 @@
mp_err
ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group)
+ const ECGroup *group, int timing)
{
mp_err res = MP_OKAY;
mp_int precomp[4][4][2];
@@ -177,9 +178,9 @@
/* if some arguments are not defined used ECPoint_mul */
if (k1 == NULL) {
- return ECPoint_mul(group, k2, px, py, rx, ry);
+ return ECPoint_mul(group, k2, px, py, rx, ry, timing);
} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
- return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+ return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing);
}
/* initialize precomputation table */
@@ -311,7 +312,8 @@
* Input and output values are assumed to be NOT field-encoded. */
mp_err
ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2,
- const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry)
+ const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry,
+ int timing)
{
mp_err res = MP_OKAY;
mp_int k1t, k2t;
@@ -348,9 +350,9 @@
/* if points_mul is defined, then use it */
if (group->points_mul) {
- res = group->points_mul(k1p, k2p, px, py, rx, ry, group);
+ res = group->points_mul(k1p, k2p, px, py, rx, ry, group, timing);
} else {
- res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group);
+ res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group, timing);
}
CLEANUP:
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp.h Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp.h Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _ECP_H
@@ -122,7 +123,7 @@
mp_err
ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group);
+ const ECGroup *group, int timing);
/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
* curve points P and R can be identical. Uses mixed Modified-Jacobian
@@ -131,9 +132,13 @@
* returns output that is still field-encoded. Uses 5-bit window NAF
* method (algorithm 11) for scalar-point multiplication from Brown,
* Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic
- * Curves Over Prime Fields. */
+ * Curves Over Prime Fields. The implementation includes a countermeasure
+ * that attempts to hide the size of n from timing channels. This counter-
+ * measure is enabled using the timing argument. The high-rder bits of timing
+ * must be uniformly random in order for this countermeasure to work. */
mp_err
ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
- mp_int *rx, mp_int *ry, const ECGroup *group);
+ mp_int *rx, mp_int *ry, const ECGroup *group,
+ int timing);
#endif /* _ECP_H */
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_aff.c Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_aff.c Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -38,6 +38,7 @@
* Nils Larsch <nla@trustcenter.de>, and
* Lenka Fibikova <fibikova@exp-math.uni-essen.de>, the OpenSSL Project
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ecp.h"
@@ -340,7 +341,8 @@
/* 4: Verify that the order of the curve times the publicValue
* is the point at infinity.
*/
- MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
+ /* timing mitigation is not supported */
+ MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt, /*timing*/ 0) );
if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
res = MP_NO;
goto CLEANUP;
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -38,6 +38,7 @@
* Nils Larsch <nla@trustcenter.de>, and
* Lenka Fibikova <fibikova@exp-math.uni-essen.de>, the OpenSSL Project
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ecp.h"
@@ -180,6 +181,15 @@
MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth));
MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth));
+ /*
+ * Additional checks for point equality and point at infinity
+ */
+ if (mp_cmp(px, &A) == 0 && mp_cmp(py, &B) == 0) {
+ /* POINT_DOUBLE(P) */
+ MP_CHECKOK(ec_GFp_pt_dbl_jac(px, py, pz, rx, ry, rz, group));
+ goto CLEANUP;
+ }
+
/* C = A - px, D = B - py */
MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth));
MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth));
@@ -406,7 +416,7 @@
mp_err
ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group)
+ const ECGroup *group, int timing)
{
mp_err res = MP_OKAY;
mp_int precomp[4][4][2];
@@ -430,9 +440,9 @@
/* if some arguments are not defined used ECPoint_mul */
if (k1 == NULL) {
- return ECPoint_mul(group, k2, px, py, rx, ry);
+ return ECPoint_mul(group, k2, px, py, rx, ry, timing);
} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
- return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+ return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing);
}
/* initialize precomputation table */
--- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ecp.h"
@@ -165,6 +166,16 @@
MP_CHECKOK(group->meth->field_mul(A, qx, A, group->meth));
MP_CHECKOK(group->meth->field_mul(B, qy, B, group->meth));
+ /*
+ * Additional checks for point equality and point at infinity
+ */
+ if (mp_cmp(px, A) == 0 && mp_cmp(py, B) == 0) {
+ /* POINT_DOUBLE(P) */
+ MP_CHECKOK(ec_GFp_pt_dbl_jm(px, py, pz, paz4, rx, ry, rz, raz4,
+ scratch, group));
+ goto CLEANUP;
+ }
+
/* C = A - px, D = B - py */
MP_CHECKOK(group->meth->field_sub(A, px, C, group->meth));
MP_CHECKOK(group->meth->field_sub(B, py, D, group->meth));
@@ -213,19 +224,23 @@
* Curves Over Prime Fields. */
mp_err
ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
- mp_int *rx, mp_int *ry, const ECGroup *group)
+ mp_int *rx, mp_int *ry, const ECGroup *group,
+ int timing)
{
mp_err res = MP_OKAY;
- mp_int precomp[16][2], rz, tpx, tpy;
- mp_int raz4;
+ mp_int precomp[16][2], rz, tpx, tpy, tpz;
+ mp_int raz4, tpaz4;
mp_int scratch[MAX_SCRATCH];
signed char *naf = NULL;
int i, orderBitSize;
+ int numDoubles, numAdds, extraDoubles, extraAdds;
MP_DIGITS(&rz) = 0;
MP_DIGITS(&raz4) = 0;
MP_DIGITS(&tpx) = 0;
MP_DIGITS(&tpy) = 0;
+ MP_DIGITS(&tpz) = 0;
+ MP_DIGITS(&tpaz4) = 0;
for (i = 0; i < 16; i++) {
MP_DIGITS(&precomp[i][0]) = 0;
MP_DIGITS(&precomp[i][1]) = 0;
@@ -239,7 +254,9 @@
/* initialize precomputation table */
MP_CHECKOK(mp_init(&tpx, FLAG(n)));
- MP_CHECKOK(mp_init(&tpy, FLAG(n)));;
+ MP_CHECKOK(mp_init(&tpy, FLAG(n)));
+ MP_CHECKOK(mp_init(&tpz, FLAG(n)));
+ MP_CHECKOK(mp_init(&tpaz4, FLAG(n)));
MP_CHECKOK(mp_init(&rz, FLAG(n)));
MP_CHECKOK(mp_init(&raz4, FLAG(n)));
@@ -295,19 +312,64 @@
/* Compute 5NAF */
ec_compute_wNAF(naf, orderBitSize, n, 5);
+ numAdds = 0;
+ numDoubles = orderBitSize;
/* wNAF method */
for (i = orderBitSize; i >= 0; i--) {
+
+ if (ec_GFp_pt_is_inf_jac(rx, ry, &rz) == MP_YES) {
+ numDoubles--;
+ }
+
/* R = 2R */
ec_GFp_pt_dbl_jm(rx, ry, &rz, &raz4, rx, ry, &rz,
&raz4, scratch, group);
+
if (naf[i] != 0) {
ec_GFp_pt_add_jm_aff(rx, ry, &rz, &raz4,
&precomp[(naf[i] + 15) / 2][0],
&precomp[(naf[i] + 15) / 2][1], rx, ry,
&rz, &raz4, scratch, group);
+ numAdds++;
}
}
+ /* extra operations to make timing less dependent on secrets */
+ if (timing) {
+ /* low-order bit of timing argument contains no entropy */
+ timing >>= 1;
+
+ MP_CHECKOK(ec_GFp_pt_set_inf_jac(&tpx, &tpy, &tpz));
+ mp_zero(&tpaz4);
+
+ /* Set the temp value to a non-infinite point */
+ ec_GFp_pt_add_jm_aff(&tpx, &tpy, &tpz, &tpaz4,
+ &precomp[8][0],
+ &precomp[8][1], &tpx, &tpy,
+ &tpz, &tpaz4, scratch, group);
+
+ /* two bits of extra adds */
+ extraAdds = timing & 0x3;
+ timing >>= 2;
+ /* Window size is 5, so the maximum number of additions is ceil(orderBitSize/5) */
+ /* This is the same as (orderBitSize + 4) / 5 */
+ for(i = numAdds; i <= (orderBitSize + 4) / 5 + extraAdds; i++) {
+ ec_GFp_pt_add_jm_aff(&tpx, &tpy, &tpz, &tpaz4,
+ &precomp[9 + (i % 3)][0],
+ &precomp[9 + (i % 3)][1], &tpx, &tpy,
+ &tpz, &tpaz4, scratch, group);
+ }
+
+ /* two bits of extra doubles */
+ extraDoubles = timing & 0x3;
+ timing >>= 2;
+ for(i = numDoubles; i <= orderBitSize + extraDoubles; i++) {
+ ec_GFp_pt_dbl_jm(&tpx, &tpy, &tpz, &tpaz4, &tpx, &tpy, &tpz,
+ &tpaz4, scratch, group);
+ }
+
+ }
+
/* convert result S to affine coordinates */
MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
@@ -321,6 +383,8 @@
}
mp_clear(&tpx);
mp_clear(&tpy);
+ mp_clear(&tpz);
+ mp_clear(&tpaz4);
mp_clear(&rz);
mp_clear(&raz4);
#ifdef _KERNEL
--- a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java Thu Jul 13 21:34:07 2017 -0700
@@ -32,6 +32,7 @@
package sun.management.jmxremote;
+import java.io.ObjectInputFilter;
import java.rmi.AccessException;
import java.rmi.NotBoundException;
import java.rmi.Remote;
@@ -56,7 +57,7 @@
String name,
Remote object)
throws RemoteException {
- super(port, csf, ssf);
+ super(port, csf, ssf, SingleEntryRegistry::singleRegistryFilter);
this.name = name;
this.object = object;
}
@@ -84,6 +85,23 @@
throw new AccessException("Cannot modify this registry");
}
+ /**
+ * ObjectInputFilter to check parameters to SingleEntryRegistry.
+ * Since it is a read-only Registry, no classes are accepted.
+ * String arguments are accepted without passing them to the serialFilter.
+ *
+ * @param info a reference to the serialization filter information
+ * @return Status.REJECTED if parameters are out of range
+ */
+ private static ObjectInputFilter.Status singleRegistryFilter(ObjectInputFilter.FilterInfo info) {
+ return (info.serialClass() != null ||
+ info.depth() > 2 ||
+ info.references() > 4 ||
+ info.arrayLength() >= 0)
+ ? ObjectInputFilter.Status.REJECTED
+ : ObjectInputFilter.Status.ALLOWED;
+ }
+
private final String name;
private final Remote object;
--- a/jdk/src/jdk.management/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.management/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -61,9 +61,10 @@
* @param outputFile the system-dependent filename
* @param live if {@code true} dump only <i>live</i> objects
* i.e. objects that are reachable from others
- * @throws IOException if the {@code outputFile}
+ * @throws IOException if the {@code outputFile} already exists,
* cannot be created, opened, or written to.
* @throws UnsupportedOperationException if this operation is not supported.
+ * @throws IllegalArgumentException if {@code outputFile} does not end with ".hprof" suffix.
* @throws NullPointerException if {@code outputFile} is {@code null}.
* @throws SecurityException
* If a security manager exists and its {@link
--- a/jdk/src/jdk.management/share/classes/com/sun/management/internal/HotSpotDiagnostic.java Thu Jul 13 19:34:42 2017 +0000
+++ b/jdk/src/jdk.management/share/classes/com/sun/management/internal/HotSpotDiagnostic.java Thu Jul 13 21:34:07 2017 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -22,7 +22,6 @@
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
-
package com.sun.management.internal;
import java.io.IOException;
@@ -32,6 +31,8 @@
import com.sun.management.HotSpotDiagnosticMXBean;
import com.sun.management.VMOption;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import sun.management.Util;
/**
@@ -43,6 +44,14 @@
@Override
public void dumpHeap(String outputFile, boolean live) throws IOException {
+
+ String propertyName = "jdk.management.heapdump.allowAnyFileSuffix";
+ PrivilegedAction<Boolean> pa = () -> Boolean.parseBoolean(System.getProperty(propertyName, "false"));
+ boolean allowAnyFileSuffix = AccessController.doPrivileged(pa);
+ if (!allowAnyFileSuffix && !outputFile.endsWith(".hprof")) {
+ throw new IllegalArgumentException("heapdump file must have .hprof extention");
+ }
+
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkWrite(outputFile);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/rmi/activation/nonLocalActivation/NonLocalActivationTest.java Thu Jul 13 21:34:07 2017 -0700
@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.rmi.AccessException;
+import java.rmi.activation.ActivationSystem;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Set;
+
+/*
+ * @test
+ * @bug 8174770
+ * @summary Verify that ActivationSystem rejects non-local access.
+ * The test is manual because the (non-local) host running rmid must be supplied as a property.
+ * @run main/manual/othervm -Dactivation.host=rmid-host NonLocalActivationTest
+ */
+
+/**
+ * Lookup the ActivationSystem on a different host and invoke its remote interface methods.
+ * They should all throw an exception, non-local access is prohibited.
+ *
+ * This test is a manual test and uses rmid running on a *different* host.
+ * The default port (1098) for the Activation System is ok and expected.
+ * Login or ssh to the different host and invoke {@code $JDK_HOME/bin/rmid}.
+ * It will not show any output.
+ *
+ * On the first host modify the @run command above to replace "rmid-host"
+ * with the hostname or IP address of the different host and run the test with jtreg.
+ */
+public class NonLocalActivationTest
+{
+ public static void main(String[] args) throws Exception {
+
+ String host = System.getProperty("activation.host");
+ if (host == null || host.isEmpty()) {
+ throw new RuntimeException("Specify host with system property: -Dactivation.host=<host>");
+ }
+
+ // Check if running the test on a local system; it only applies to remote
+ String myHostName = InetAddress.getLocalHost().getHostName();
+ Set<InetAddress> myAddrs = Set.of(InetAddress.getAllByName(myHostName));
+ Set<InetAddress> hostAddrs = Set.of(InetAddress.getAllByName(host));
+ if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i))
+ || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) {
+ throw new RuntimeException("Error: property 'activation.host' must not be the local host%n");
+ }
+
+ // Locate the registry operated by the ActivationSystem
+ // Test SystemRegistryImpl
+ Registry registry = LocateRegistry.getRegistry(host, ActivationSystem.SYSTEM_PORT);
+ try {
+ // Verify it is an ActivationSystem registry
+ registry.lookup("java.rmi.activation.ActivationSystem");
+ } catch (Exception nf) {
+ throw new RuntimeException("Not a ActivationSystem registry, does not contain java.rmi.activation.ActivationSystem", nf);
+ }
+
+ try {
+ registry.bind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: bind");
+ } catch (Exception e) {
+ assertIsAccessException(e, "Registry.bind");
+ }
+
+ try {
+ registry.rebind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: rebind");
+ } catch (Exception e) {
+ assertIsAccessException(e, "Registry.rebind");
+ }
+
+ try {
+ registry.unbind("foo");
+ throw new RuntimeException("Remote access should not succeed for method: unbind");
+ } catch (Exception e) {
+ assertIsAccessException(e, "Registry.unbind");
+ }
+
+
+ // Locate the ActivationSystem on the specified host and default port.
+ // Test each of the ActivationSystem methods
+ ActivationSystem as = (ActivationSystem) registry.lookup("java.rmi.activation.ActivationSystem");
+
+ // Argument is not material, access check is before arg processing
+
+ try {
+ as.registerGroup(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.getActivationDesc(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.getActivationGroupDesc(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.registerObject(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.unregisterGroup(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.unregisterObject(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.setActivationDesc(null, null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.setActivationGroupDesc(null, null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+ }
+
+ /**
+ * Check the exception chain for the expected AccessException and message.
+ * @param ex the exception from the remote invocation.
+ */
+ private static void assertIsAccessException(Exception ex, String msg1) {
+ Throwable t = ex;
+ System.out.println();
+ while (!(t instanceof AccessException) && t.getCause() != null) {
+ t = t.getCause();
+ }
+ if (t instanceof AccessException) {
+ String msg = t.getMessage();
+ int asIndex = msg.indexOf(msg1);
+ int disallowIndex = msg.indexOf("disallowed");
+ int nonLocalHostIndex = msg.indexOf("non-local host");
+ if (asIndex < 0 ||
+ disallowIndex < 0 ||
+ nonLocalHostIndex < 0 ) {
+ throw new RuntimeException("exception message is malformed", t);
+ }
+ System.out.printf("Found expected AccessException: %s%n", t);
+ } else {
+ throw new RuntimeException("AccessException did not occur", ex);
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/rmi/registry/nonLocalRegistry/NonLocalRegistryTest.java Thu Jul 13 21:34:07 2017 -0700
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.rmi.AccessException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Set;
+
+/* @test
+ * @bug 8174770
+ * @summary Verify that Registry rejects non-local access for bind, unbind, rebind.
+ * The test is manual because the (non-local) host running rmiregistry must be supplied as a property.
+ * @run main/othervm/manual -Dregistry.host=rmi-registry-host NonLocalRegistryTest
+ */
+
+/**
+ * Verify that access checks for Registry.bind(), .rebind(), and .unbind()
+ * are prevented on remote access to the registry.
+ *
+ * This test is a manual test and uses a standard rmiregistry running
+ * on a *different* host.
+ * The test verifies that the access check is performed *before* the object to be
+ * bound or rebound is deserialized.
+ *
+ * Login or ssh to the different host and invoke {@code $JDK_HOME/bin/rmiregistry}.
+ * It will not show any output.
+ *
+ * On the first host modify the @run command above to replace "rmi-registry-host"
+ * with the hostname or IP address of the different host and run the test with jtreg.
+ */
+public class NonLocalRegistryTest {
+
+ public static void main(String[] args) throws Exception {
+
+ String host = System.getProperty("registry.host");
+ if (host == null || host.isEmpty()) {
+ throw new RuntimeException("Specify host with system property: -Dregistry.host=<host>");
+ }
+
+ // Check if running the test on a local system; it only applies to remote
+ String myHostName = InetAddress.getLocalHost().getHostName();
+ Set<InetAddress> myAddrs = Set.of(InetAddress.getAllByName(myHostName));
+ Set<InetAddress> hostAddrs = Set.of(InetAddress.getAllByName(host));
+ if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i))
+ || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) {
+ throw new RuntimeException("Error: property 'registry.host' must not be the local host%n");
+ }
+
+ Registry registry = LocateRegistry.getRegistry(host, Registry.REGISTRY_PORT);
+
+ try {
+ registry.bind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: bind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+
+ try {
+ registry.rebind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: rebind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+
+ try {
+ registry.unbind("foo");
+ throw new RuntimeException("Remote access should not succeed for method: unbind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+ }
+
+ /**
+ * Check the exception chain for the expected AccessException and message.
+ * @param ex the exception from the remote invocation.
+ */
+ private static void assertIsAccessException(Throwable ex) {
+ Throwable t = ex;
+ while (!(t instanceof AccessException) && t.getCause() != null) {
+ t = t.getCause();
+ }
+ if (t instanceof AccessException) {
+ String msg = t.getMessage();
+ int asIndex = msg.indexOf("Registry");
+ int rrIndex = msg.indexOf("Registry.Registry"); // Obsolete error text
+ int disallowIndex = msg.indexOf("disallowed");
+ int nonLocalHostIndex = msg.indexOf("non-local host");
+ if (asIndex < 0 ||
+ rrIndex != -1 ||
+ disallowIndex < 0 ||
+ nonLocalHostIndex < 0 ) {
+ throw new RuntimeException("exception message is malformed", t);
+ }
+ System.out.printf("Found expected AccessException: %s%n%n", t);
+ } else {
+ throw new RuntimeException("AccessException did not occur when expected", ex);
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/rmi/testlibrary/TestSocketFactory.java Thu Jul 13 21:34:07 2017 -0700
@@ -0,0 +1,602 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.ByteArrayOutputStream;
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Serializable;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.SocketAddress;
+import java.net.SocketException;
+import java.net.SocketOption;
+import java.nio.channels.ServerSocketChannel;
+import java.nio.channels.SocketChannel;
+import java.rmi.server.RMIClientSocketFactory;
+import java.rmi.server.RMIServerSocketFactory;
+import java.rmi.server.RMISocketFactory;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Objects;
+import java.util.Set;
+
+import org.testng.Assert;
+import org.testng.TestNG;
+import org.testng.annotations.Test;
+import org.testng.annotations.DataProvider;
+
+
+/**
+ * A RMISocketFactory utility factory to log RMI stream contents and to
+ * match and replace output stream contents to simulate failures.
+ */
+public class TestSocketFactory extends RMISocketFactory
+ implements RMIClientSocketFactory, RMIServerSocketFactory, Serializable {
+
+ private static final long serialVersionUID = 1L;
+
+ private volatile transient byte[] matchBytes;
+
+ private volatile transient byte[] replaceBytes;
+
+ private transient final List<InterposeSocket> sockets = new ArrayList<>();
+
+ private transient final List<InterposeServerSocket> serverSockets = new ArrayList<>();
+
+ public static final boolean DEBUG = false;
+
+ /**
+ * Debugging output can be synchronized with logging of RMI actions.
+ *
+ * @param format a printf format
+ * @param args any args
+ */
+ private static void DEBUG(String format, Object... args) {
+ if (DEBUG) {
+ System.err.printf(format, args);
+ }
+ }
+
+ /**
+ * Create a socket factory that creates InputStreams that log
+ * and OutputStreams that log .
+ */
+ public TestSocketFactory() {
+ this.matchBytes = new byte[0];
+ this.replaceBytes = this.matchBytes;
+ System.out.printf("Creating TestSocketFactory()%n");
+ }
+
+ public void setMatchReplaceBytes(byte[] matchBytes, byte[] replaceBytes) {
+ this.matchBytes = Objects.requireNonNull(matchBytes, "matchBytes");
+ this.replaceBytes = Objects.requireNonNull(replaceBytes, "replaceBytes");
+ sockets.forEach( s -> s.setMatchReplaceBytes(matchBytes, replaceBytes));
+ serverSockets.forEach( s -> s.setMatchReplaceBytes(matchBytes, replaceBytes));
+
+ }
+
+ @Override
+ public Socket createSocket(String host, int port) throws IOException {
+ Socket socket = RMISocketFactory.getDefaultSocketFactory()
+ .createSocket(host, port);
+ InterposeSocket s = new InterposeSocket(socket, matchBytes, replaceBytes);
+ sockets.add(s);
+ return s;
+ }
+
+ /**
+ * Return the current list of sockets.
+ * @return Return a snapshot of the current list of sockets
+ */
+ public List<InterposeSocket> getSockets() {
+ List<InterposeSocket> snap = new ArrayList<>(sockets);
+ return snap;
+ }
+
+ @Override
+ public ServerSocket createServerSocket(int port) throws IOException {
+
+ ServerSocket serverSocket = RMISocketFactory.getDefaultSocketFactory()
+ .createServerSocket(port);
+ InterposeServerSocket ss = new InterposeServerSocket(serverSocket, matchBytes, replaceBytes);
+ serverSockets.add(ss);
+ return ss;
+ }
+
+ /**
+ * Return the current list of server sockets.
+ * @return Return a snapshot of the current list of server sockets
+ */
+ public List<InterposeServerSocket> getServerSockets() {
+ List<InterposeServerSocket> snap = new ArrayList<>(serverSockets);
+ return snap;
+ }
+
+ /**
+ * An InterposeSocket wraps a socket that produces InputStreams
+ * and OutputStreams that log the traffic.
+ * The OutputStreams it produces match an array of bytes and replace them.
+ * Useful for injecting protocol and content errors.
+ */
+ public static class InterposeSocket extends Socket {
+ private final Socket socket;
+ private InputStream in;
+ private MatchReplaceOutputStream out;
+ private volatile byte[] matchBytes;
+ private volatile byte[] replaceBytes;
+ private final ByteArrayOutputStream inLogStream;
+ private final ByteArrayOutputStream outLogStream;
+ private final String name;
+ private static volatile int num = 0; // index for created InterposeSockets
+
+ public InterposeSocket(Socket socket, byte[] matchBytes, byte[] replaceBytes) {
+ this.socket = socket;
+ this.matchBytes = Objects.requireNonNull(matchBytes, "matchBytes");
+ this.replaceBytes = Objects.requireNonNull(replaceBytes, "replaceBytes");
+ this.inLogStream = new ByteArrayOutputStream();
+ this.outLogStream = new ByteArrayOutputStream();
+ this.name = "IS" + ++num + "::"
+ + Thread.currentThread().getName() + ": "
+ + socket.getLocalPort() + " < " + socket.getPort();
+ }
+
+ public void setMatchReplaceBytes(byte[] matchBytes, byte[] replaceBytes) {
+ this.matchBytes = matchBytes;
+ this.replaceBytes = replaceBytes;
+ out.setMatchReplaceBytes(matchBytes, replaceBytes);
+ }
+
+ @Override
+ public void connect(SocketAddress endpoint) throws IOException {
+ socket.connect(endpoint);
+ }
+
+ @Override
+ public void connect(SocketAddress endpoint, int timeout) throws IOException {
+ socket.connect(endpoint, timeout);
+ }
+
+ @Override
+ public void bind(SocketAddress bindpoint) throws IOException {
+ socket.bind(bindpoint);
+ }
+
+ @Override
+ public InetAddress getInetAddress() {
+ return socket.getInetAddress();
+ }
+
+ @Override
+ public InetAddress getLocalAddress() {
+ return socket.getLocalAddress();
+ }
+
+ @Override
+ public int getPort() {
+ return socket.getPort();
+ }
+
+ @Override
+ public int getLocalPort() {
+ return socket.getLocalPort();
+ }
+
+ @Override
+ public SocketAddress getRemoteSocketAddress() {
+ return socket.getRemoteSocketAddress();
+ }
+
+ @Override
+ public SocketAddress getLocalSocketAddress() {
+ return socket.getLocalSocketAddress();
+ }
+
+ @Override
+ public SocketChannel getChannel() {
+ return socket.getChannel();
+ }
+
+ @Override
+ public synchronized void close() throws IOException {
+ socket.close();
+ }
+
+ @Override
+ public String toString() {
+ return "InterposeSocket " + name + ": " + socket.toString();
+ }
+
+ @Override
+ public boolean isConnected() {
+ return socket.isConnected();
+ }
+
+ @Override
+ public boolean isBound() {
+ return socket.isBound();
+ }
+
+ @Override
+ public boolean isClosed() {
+ return socket.isClosed();
+ }
+
+ @Override
+ public <T> Socket setOption(SocketOption<T> name, T value) throws IOException {
+ return socket.setOption(name, value);
+ }
+
+ @Override
+ public <T> T getOption(SocketOption<T> name) throws IOException {
+ return socket.getOption(name);
+ }
+
+ @Override
+ public Set<SocketOption<?>> supportedOptions() {
+ return socket.supportedOptions();
+ }
+
+ @Override
+ public synchronized InputStream getInputStream() throws IOException {
+ if (in == null) {
+ in = socket.getInputStream();
+ String name = Thread.currentThread().getName() + ": "
+ + socket.getLocalPort() + " < " + socket.getPort();
+ in = new LoggingInputStream(in, name, inLogStream);
+ DEBUG("Created new InterposeInputStream: %s%n", name);
+ }
+ return in;
+ }
+
+ @Override
+ public synchronized OutputStream getOutputStream() throws IOException {
+ if (out == null) {
+ OutputStream o = socket.getOutputStream();
+ String name = Thread.currentThread().getName() + ": "
+ + socket.getLocalPort() + " > " + socket.getPort();
+ out = new MatchReplaceOutputStream(o, name, outLogStream, matchBytes, replaceBytes);
+ DEBUG("Created new MatchReplaceOutputStream: %s%n", name);
+ }
+ return out;
+ }
+
+ /**
+ * Return the bytes logged from the input stream.
+ * @return Return the bytes logged from the input stream.
+ */
+ public byte[] getInLogBytes() {
+ return inLogStream.toByteArray();
+ }
+
+ /**
+ * Return the bytes logged from the output stream.
+ * @return Return the bytes logged from the output stream.
+ */
+ public byte[] getOutLogBytes() {
+ return outLogStream.toByteArray();
+ }
+
+ }
+
+ /**
+ * InterposeServerSocket is a ServerSocket that wraps each Socket it accepts
+ * with an InterposeSocket so that its input and output streams can be monitored.
+ */
+ public static class InterposeServerSocket extends ServerSocket {
+ private final ServerSocket socket;
+ private volatile byte[] matchBytes;
+ private volatile byte[] replaceBytes;
+ private final List<InterposeSocket> sockets = new ArrayList<>();
+
+ public InterposeServerSocket(ServerSocket socket, byte[] matchBytes, byte[] replaceBytes) throws IOException {
+ this.socket = socket;
+ this.matchBytes = Objects.requireNonNull(matchBytes, "matchBytes");
+ this.replaceBytes = Objects.requireNonNull(replaceBytes, "replaceBytes");
+ }
+
+ public void setMatchReplaceBytes(byte[] matchBytes, byte[] replaceBytes) {
+ this.matchBytes = matchBytes;
+ this.replaceBytes = replaceBytes;
+ sockets.forEach(s -> s.setMatchReplaceBytes(matchBytes, replaceBytes));
+ }
+ /**
+ * Return a snapshot of the current list of sockets created from this server socket.
+ * @return Return a snapshot of the current list of sockets
+ */
+ public List<InterposeSocket> getSockets() {
+ List<InterposeSocket> snap = new ArrayList<>(sockets);
+ return snap;
+ }
+
+ @Override
+ public void bind(SocketAddress endpoint) throws IOException {
+ socket.bind(endpoint);
+ }
+
+ @Override
+ public void bind(SocketAddress endpoint, int backlog) throws IOException {
+ socket.bind(endpoint, backlog);
+ }
+
+ @Override
+ public InetAddress getInetAddress() {
+ return socket.getInetAddress();
+ }
+
+ @Override
+ public int getLocalPort() {
+ return socket.getLocalPort();
+ }
+
+ @Override
+ public SocketAddress getLocalSocketAddress() {
+ return socket.getLocalSocketAddress();
+ }
+
+ @Override
+ public Socket accept() throws IOException {
+ Socket s = socket.accept();
+ InterposeSocket socket = new InterposeSocket(s, matchBytes, replaceBytes);
+ sockets.add(socket);
+ return socket;
+ }
+
+ @Override
+ public void close() throws IOException {
+ socket.close();
+ }
+
+ @Override
+ public ServerSocketChannel getChannel() {
+ return socket.getChannel();
+ }
+
+ @Override
+ public boolean isClosed() {
+ return socket.isClosed();
+ }
+
+ @Override
+ public String toString() {
+ return socket.toString();
+ }
+
+ @Override
+ public <T> ServerSocket setOption(SocketOption<T> name, T value) throws IOException {
+ return socket.setOption(name, value);
+ }
+
+ @Override
+ public <T> T getOption(SocketOption<T> name) throws IOException {
+ return socket.getOption(name);
+ }
+
+ @Override
+ public Set<SocketOption<?>> supportedOptions() {
+ return socket.supportedOptions();
+ }
+
+ @Override
+ public synchronized void setSoTimeout(int timeout) throws SocketException {
+ socket.setSoTimeout(timeout);
+ }
+
+ @Override
+ public synchronized int getSoTimeout() throws IOException {
+ return socket.getSoTimeout();
+ }
+ }
+
+ /**
+ * LoggingInputStream is a stream and logs all bytes read to it.
+ * For identification it is given a name.
+ */
+ public static class LoggingInputStream extends FilterInputStream {
+ private int bytesIn = 0;
+ private final String name;
+ private final OutputStream log;
+
+ public LoggingInputStream(InputStream in, String name, OutputStream log) {
+ super(in);
+ this.name = name;
+ this.log = log;
+ }
+
+ @Override
+ public int read() throws IOException {
+ int b = super.read();
+ if (b >= 0) {
+ log.write(b);
+ bytesIn++;
+ }
+ return b;
+ }
+
+ @Override
+ public int read(byte[] b, int off, int len) throws IOException {
+ int bytes = super.read(b, off, len);
+ if (bytes > 0) {
+ log.write(b, off, bytes);
+ bytesIn += bytes;
+ }
+ return bytes;
+ }
+
+ @Override
+ public int read(byte[] b) throws IOException {
+ return read(b, 0, b.length);
+ }
+
+ @Override
+ public void close() throws IOException {
+ super.close();
+ }
+
+ @Override
+ public String toString() {
+ return String.format("%s: In: (%d)", name, bytesIn);
+ }
+ }
+
+ /**
+ * An OutputStream that replaces one string of bytes with another.
+ * If any range matches, the match starts after the partial match.
+ */
+ static class MatchReplaceOutputStream extends OutputStream {
+ private final OutputStream out;
+ private final String name;
+ private volatile byte[] matchBytes;
+ private volatile byte[] replaceBytes;
+ int matchIndex;
+ private int bytesOut = 0;
+ private final OutputStream log;
+
+ MatchReplaceOutputStream(OutputStream out, String name, OutputStream log,
+ byte[] matchBytes, byte[] replaceBytes) {
+ this.out = out;
+ this.name = name;
+ this.matchBytes = Objects.requireNonNull(matchBytes, "matchBytes");
+ this.replaceBytes = Objects.requireNonNull(replaceBytes, "replaceBytes");
+ matchIndex = 0;
+ this.log = log;
+ }
+
+ public void setMatchReplaceBytes(byte[] matchBytes, byte[] replaceBytes) {
+ this.matchBytes = matchBytes;
+ this.replaceBytes = replaceBytes;
+ matchIndex = 0;
+ }
+
+
+ public void write(int b) throws IOException {
+ b = b & 0xff;
+ if (matchBytes.length == 0) {
+ out.write(b);
+ log.write(b);
+ bytesOut++;
+ return;
+ }
+ if (b == (matchBytes[matchIndex] & 0xff)) {
+ if (++matchIndex >= matchBytes.length) {
+ matchIndex = 0;
+ DEBUG( "TestSocketFactory MatchReplace %s replaced %d bytes at offset: %d (x%04x)%n",
+ name, replaceBytes.length, bytesOut, bytesOut);
+ out.write(replaceBytes);
+ log.write(replaceBytes);
+ bytesOut += replaceBytes.length;
+ }
+ } else {
+ if (matchIndex > 0) {
+ // mismatch, write out any that matched already
+ if (matchIndex > 0) // Only non-trivial matches
+ DEBUG( "Partial match %s matched %d bytes at offset: %d (0x%04x), expected: x%02x, actual: x%02x%n",
+ name, matchIndex, bytesOut, bytesOut, matchBytes[matchIndex], b);
+ out.write(matchBytes, 0, matchIndex);
+ log.write(matchBytes, 0, matchIndex);
+ bytesOut += matchIndex;
+ matchIndex = 0;
+ }
+ if (b == (matchBytes[matchIndex] & 0xff)) {
+ matchIndex++;
+ } else {
+ out.write(b);
+ log.write(b);
+ bytesOut++;
+ }
+ }
+ }
+
+ @Override
+ public String toString() {
+ return String.format("%s: Out: (%d)", name, bytesOut);
+ }
+ }
+
+ private static byte[] orig = new byte[]{
+ (byte) 0x80, 0x05,
+ 0x73, 0x72, 0x00, 0x12, // TC_OBJECT, TC_CLASSDESC, length = 18
+ 0x6A, 0x61, 0x76, 0x61, 0x2E, 0x72, 0x6D, 0x69, 0x2E, // "java.rmi."
+ 0x64, 0x67, 0x63, 0x2E, 0x4C, 0x65, 0x61, 0x73, 0x65 // "dgc.Lease"
+ };
+ private static byte[] repl = new byte[]{
+ (byte) 0x80, 0x05,
+ 0x73, 0x72, 0x00, 0x12, // TC_OBJECT, TC_CLASSDESC, length = 18
+ 0x6A, 0x61, 0x76, 0x61, 0x2E, (byte) 'l', (byte) 'a', (byte) 'n', (byte) 'g',
+ 0x2E, (byte) 'R', (byte) 'u', (byte) 'n', (byte) 'n', (byte) 'a', (byte) 'b', (byte) 'l',
+ (byte) 'e'
+ };
+
+ @DataProvider(name = "MatchReplaceData")
+ static Object[][] matchReplaceData() {
+ byte[] empty = new byte[0];
+ byte[] byte1 = new byte[]{1, 2, 3, 4, 5, 6};
+ byte[] bytes2 = new byte[]{1, 2, 4, 3, 5, 6};
+ byte[] bytes3 = new byte[]{6, 5, 4, 3, 2, 1};
+ byte[] bytes4 = new byte[]{1, 2, 0x10, 0x20, 0x30, 0x40, 5, 6};
+ byte[] bytes4a = new byte[]{1, 2, 0x10, 0x20, 0x30, 0x40, 5, 7}; // mostly matches bytes4
+ byte[] bytes5 = new byte[]{0x30, 0x40, 5, 6};
+ byte[] bytes6 = new byte[]{1, 2, 0x10, 0x20, 0x30};
+
+ return new Object[][]{
+ {new byte[]{}, new byte[]{}, empty, empty},
+ {new byte[]{}, new byte[]{}, byte1, byte1},
+ {new byte[]{3, 4}, new byte[]{4, 3}, byte1, bytes2}, //swap bytes
+ {new byte[]{3, 4}, new byte[]{0x10, 0x20, 0x30, 0x40}, byte1, bytes4}, // insert
+ {new byte[]{1, 2, 0x10, 0x20}, new byte[]{}, bytes4, bytes5}, // delete head
+ {new byte[]{0x40, 5, 6}, new byte[]{}, bytes4, bytes6}, // delete tail
+ {new byte[]{0x40, 0x50}, new byte[]{0x60, 0x50}, bytes4, bytes4}, // partial match, replace nothing
+ {bytes4a, bytes3, bytes4, bytes4}, // long partial match, not replaced
+ {orig, repl, orig, repl},
+ };
+ }
+
+ @Test(enabled = true, dataProvider = "MatchReplaceData")
+ static void test3(byte[] match, byte[] replace,
+ byte[] input, byte[] expected) {
+ System.out.printf("match: %s, replace: %s%n", Arrays.toString(match), Arrays.toString(replace));
+ try (ByteArrayOutputStream output = new ByteArrayOutputStream();
+ ByteArrayOutputStream log = new ByteArrayOutputStream();
+ OutputStream out = new MatchReplaceOutputStream(output, "test3",
+ log, match, replace)) {
+ out.write(input);
+ byte[] actual = output.toByteArray();
+ long index = Arrays.mismatch(actual, expected);
+
+ if (index >= 0) {
+ System.out.printf("array mismatch, offset: %d%n", index);
+ System.out.printf("actual: %s%n", Arrays.toString(actual));
+ System.out.printf("expected: %s%n", Arrays.toString(expected));
+ }
+ Assert.assertEquals(actual, expected, "match/replace fail");
+ } catch (IOException ioe) {
+ Assert.fail("unexpected exception", ioe);
+ }
+ }
+
+
+
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java Thu Jul 13 21:34:07 2017 -0700
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.rmi.AccessException;
+import java.rmi.NotBoundException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Set;
+
+/* @test
+ * @bug 8174770
+ * @summary Verify that JMX Registry rejects non-local access for bind, unbind, rebind.
+ * The test is manual because the (non-local) host and port running JMX must be supplied as properties.
+ * @run main/othervm/manual -Djmx-registry.host=jmx-registry-host -Djmx-registry.port=jmx-registry-port NonLocalJMXRemoteTest
+ */
+
+/**
+ * Verify that access checks for the Registry exported by JMX Registry.bind(),
+ * .rebind(), and .unbind() are prevented on remote access to the registry.
+ * The test verifies that the access check is performed *before* the object to be
+ * bound or rebound is deserialized.
+ * This tests the SingleEntryRegistry implemented by JMX.
+ * This test is a manual test and uses JMX running on a *different* host.
+ * JMX can be enabled in any Java runtime; for example:
+ * login or ssh to the different host and invoke rmiregistry with arguments below.
+ * It will not show any output.
+ * {@code $JDK_HOME/bin/rmiregistry \
+ * -J-Dcom.sun.management.jmxremote.port=8888 \
+ * -J-Dcom.sun.management.jmxremote.local.only=false \
+ * -J-Dcom.sun.management.jmxremote.ssl=false \
+ * -J-Dcom.sun.management.jmxremote.authenticate=false
+ * }
+ * On the first host modify the @run command above to replace "jmx-registry-host"
+ * with the hostname or IP address of the different host and run the test with jtreg.
+ */
+public class NonLocalJMXRemoteTest {
+
+ public static void main(String[] args) throws Exception {
+
+ String host = System.getProperty("jmx-registry.host");
+ if (host == null || host.isEmpty()) {
+ throw new RuntimeException("Specify host with system property: -Djmx-registry.host=<host>");
+ }
+ int port = Integer.getInteger("jmx-registry.port", -1);
+ if (port <= 0) {
+ throw new RuntimeException("Specify port with system property: -Djmx-registry.port=<port>");
+ }
+
+ // Check if running the test on a local system; it only applies to remote
+ String myHostName = InetAddress.getLocalHost().getHostName();
+ Set<InetAddress> myAddrs = Set.of(InetAddress.getAllByName(myHostName));
+ Set<InetAddress> hostAddrs = Set.of(InetAddress.getAllByName(host));
+ if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i))
+ || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) {
+ throw new RuntimeException("Error: property 'jmx-registry.host' must not be the local host%n");
+ }
+
+ Registry registry = LocateRegistry.getRegistry(host, port);
+ try {
+ // Verify it is a JMX Registry
+ registry.lookup("jmxrmi");
+ } catch (NotBoundException nf) {
+ throw new RuntimeException("Not a JMX registry, jmxrmi is not bound", nf);
+ }
+
+ try {
+ registry.bind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: bind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+
+ try {
+ registry.rebind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: rebind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+
+ try {
+ registry.unbind("foo");
+ throw new RuntimeException("Remote access should not succeed for method: unbind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+ }
+
+ /**
+ * Check the exception chain for the expected AccessException and message.
+ * @param ex the exception from the remote invocation.
+ */
+ private static void assertIsAccessException(Throwable ex) {
+ Throwable t = ex;
+ while (!(t instanceof AccessException) && t.getCause() != null) {
+ t = t.getCause();
+ }
+ if (t instanceof AccessException) {
+ String msg = t.getMessage();
+ int asIndex = msg.indexOf("Registry");
+ int disallowIndex = msg.indexOf("disallowed");
+ int nonLocalHostIndex = msg.indexOf("non-local host");
+ if (asIndex < 0 ||
+ disallowIndex < 0 ||
+ nonLocalHostIndex < 0 ) {
+ throw new RuntimeException("exception message is malformed", t);
+ }
+ System.out.printf("Found expected AccessException: %s%n%n", t);
+ } else {
+ throw new RuntimeException("AccessException did not occur when expected", ex);
+ }
+ }
+}