Merge develop

CHANGELOG.md

@@ -2,6 +2,42 @@
 
 The following sections describe the changes for each release of Amazon Corretto 8.
 
+## Corretto version: 8.392.08.1
+Release Date: October 17, 2023
+
+**Target Platforms <sup>1</sup>**
+
++ RPM-based Linux using glibc 2.12 or later, x86_64
++ Debian-based Linux using glibc 2.12 or later, x86_64
++ RPM-based Linux using glibc 2.17 or later, aarch64
++ Debian-based Linux using glibc 2.17 or later, aarch64
++ Alpine-based Linux, x86_64
++ Alpine-based Linux, aarch64
++ Windows 10 or later, x86, x86_64
++ macOS 11.0 and later, x86_64
++ macOS 11.0 and later, aarch64
+
+**1.** This is the platform targeted by the build. See [Using Amazon Corretto](https://aws.amazon.com/corretto/faqs/#Using_Amazon_Corretto)
+in the Amazon Corretto FAQ for supported platforms
+
+The following issues are addressed in 8.392.08.1:
+
+| Issue Name                                        | Platform | Description                                                                | Link                                                                       |
+|---------------------------------------------------|----------|----------------------------------------------------------------------------|----------------------------------------------------------------------------|
+| Import jdk8u392-b08                               | All                | Updates Corretto baseline to OpenJDK 8u392-b08                             | [jdk8u392-b08](https://github.com/openjdk/jdk8u/releases/tag/jdk8u392-b08) |
+| Backport of JDK-8139348                     | All                | Deprecate 3DES and RC4 in Kerberos                             | [JDK-8139348](https://bugs.openjdk.org/browse/JDK-8139348) |
+
+
+
+The following CVEs are addressed in 8.392.08.1:
+
+| CVE            | CVSS | Component                   |
+|----------------|------|-----------------------------|
+| CVE-2023-22067 | 5.3  | other-libs/corba            |
+| CVE-2023-22081 | 5.3  | security-libs/javax.net.ssl |
+
+
+
 ## Corretto version: 8.382.05.1
 Release Date: July 18, 2023
 

corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java

@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2023, Azul Systems, Inc. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package com.sun.corba.se.impl.orbutil;
+
+import java.io.InvalidObjectException;
+import java.security.AccessController;
+import java.util.*;
+
+import sun.security.action.GetPropertyAction;
+
+public final class IORCheckImpl {
+
+    private static final Set<String> stubsToCheck;
+
+    static {
+        boolean checkLocalStubs =
+            !getBooleanProperty(ORBConstants.DISABLE_IOR_CHECK_FOR_LOCAL_STUBS,
+                getBooleanProperty(ORBConstants.ALLOW_DESERIALIZE_OBJECT, false));
+
+        boolean checkRemoteStubs =
+            getBooleanProperty(ORBConstants.ENABLE_IOR_CHECK_FOR_REMOTE_STUBS, false);
+
+        stubsToCheck = getStubsToCheck(checkLocalStubs, checkRemoteStubs);
+    }
+
+    private static Set<String> getStubsToCheck(boolean checkLocalStubs, boolean checkRemoteStubs) {
+        if (!checkLocalStubs && !checkRemoteStubs) {
+            return Collections.emptySet();
+        }
+        List<String> stubs = new ArrayList<>();
+        if (checkLocalStubs) {
+            stubs.addAll(getLocalStubs());
+        }
+        if (checkRemoteStubs) {
+            stubs.addAll(getRemoteStubs());
+        }
+        return Collections.unmodifiableSet(new HashSet<>(stubs));
+    }
+
+    private static List<String> getLocalStubs() {
+        String[] localStubs = {
+            "org.omg.DynamicAny._DynAnyFactoryStub",
+            "org.omg.DynamicAny._DynAnyStub",
+            "org.omg.DynamicAny._DynArrayStub",
+            "org.omg.DynamicAny._DynEnumStub",
+            "org.omg.DynamicAny._DynFixedStub",
+            "org.omg.DynamicAny._DynSequenceStub",
+            "org.omg.DynamicAny._DynStructStub",
+            "org.omg.DynamicAny._DynUnionStub",
+            "org.omg.DynamicAny._DynValueStub"
+        };
+        return Arrays.asList(localStubs);
+    }
+
+    private static List<String> getRemoteStubs() {
+        String[] remoteStubs = {
+            "com.sun.corba.se.spi.activation._ActivatorStub",
+            "com.sun.corba.se.spi.activation._InitialNameServiceStub",
+            "com.sun.corba.se.spi.activation._LocatorStub",
+            "com.sun.corba.se.spi.activation._RepositoryStub",
+            "com.sun.corba.se.spi.activation._ServerManagerStub",
+            "com.sun.corba.se.spi.activation._ServerStub",
+            "org.omg.CosNaming._BindingIteratorStub",
+            "org.omg.CosNaming._NamingContextExtStub",
+            "org.omg.CosNaming._NamingContextStub",
+            "org.omg.PortableServer._ServantActivatorStub",
+            "org.omg.PortableServer._ServantLocatorStub"
+        };
+        return Arrays.asList(remoteStubs);
+    }
+
+    /*
+     * The str parameter is expected to start with "IOR:".
+     * Otherwise, the method throws the InvalidObjectException exception.
+     */
+    public static void check(String str, String stubClassName) throws InvalidObjectException {
+        if (stubsToCheck.contains(stubClassName) && !str.startsWith(ORBConstants.STRINGIFY_PREFIX)) {
+            throw new InvalidObjectException("IOR: expected");
+        }
+    }
+
+    private static boolean getBooleanProperty(String property, boolean defaultValue) {
+        String value = AccessController.doPrivileged(
+            new GetPropertyAction(property, String.valueOf(defaultValue)));
+        return "true".equalsIgnoreCase(value);
+    }
+}

corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java

@@ -317,8 +317,14 @@ public static int makePersistent( int scid )
     public static final String DYNAMIC_STUB_FACTORY_FACTORY_CLASS =
         SUN_PREFIX + "ORBDynamicStubFactoryFactoryClass" ;
 
+    // This property is provided for backward compatibility reasons
     public static final String ALLOW_DESERIALIZE_OBJECT = SUN_PREFIX + "ORBAllowDeserializeObject" ;
 
+    // Disables the IOR check for the ORB constrained stubs
+    public static final String DISABLE_IOR_CHECK_FOR_LOCAL_STUBS = ORG_OMG_PREFIX + "DynamicAny.disableIORCheck" ;
+    // Enables the IOR check for the Remote CORBA services stubs
+    public static final String ENABLE_IOR_CHECK_FOR_REMOTE_STUBS = ORG_OMG_CORBA_PREFIX + "IDL.Stubs.enableIORCheck";
+
     // Constants for NameService properties ************************************
 
     public static final int DEFAULT_INITIAL_PORT                 = 900;

corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java

@@ -101,6 +101,7 @@ protected void openStream ()
       Util.mkdir (pkg);
       name = pkg + '/' + name;
     }
+    stubClassName = name.replace('/', '.');
     stream = Util.getStream (name.replace ('/', File.separatorChar) + ".java", i);
   } // openStream
 
@@ -342,11 +343,7 @@ protected void writeSerializationMethods ()
     stream.println ("  private void readObject (java.io.ObjectInputStream s) throws java.io.IOException");
     stream.println ("  {");
     stream.println ("     String str = s.readUTF ();");
-    if ("DynAnyFactory".equals (i.name ())) {
-      stream.println ("     if (!str.startsWith(com.sun.corba.se.impl.orbutil.ORBConstants.STRINGIFY_PREFIX) &&");
-      stream.println ("         !Boolean.getBoolean(com.sun.corba.se.impl.orbutil.ORBConstants.ALLOW_DESERIALIZE_OBJECT))");
-      stream.println ("       throw new java.io.InvalidObjectException(\"IOR: expected\");");
-    }
+    stream.println ("     com.sun.corba.se.impl.orbutil.IORCheckImpl.check(str, \"" + stubClassName + "\");");
     stream.println ("     String[] args = null;");
     stream.println ("     java.util.Properties props = null;");
     stream.println ("     org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init (args, props);");
@@ -382,4 +379,5 @@ protected void writeSerializationMethods ()
   protected String         classSuffix = "";
   protected boolean        localStub = false;
   private   boolean        isAbstract = false;
+  private   String         stubClassName = null;
 } // class Stub

jdk/src/share/classes/com/sun/crypto/provider/DESKey.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
 
 package com.sun.crypto.provider;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
 import java.security.MessageDigest;
 import java.security.KeyRep;
 import java.security.InvalidKeyException;
@@ -40,7 +42,7 @@
 
 final class DESKey implements SecretKey {
 
-    static final long serialVersionUID = 7724971015953279128L;
+    private static final long serialVersionUID = 7724971015953279128L;
 
     private byte[] key;
 
@@ -99,7 +101,7 @@ public int hashCode() {
         for (int i = 1; i < this.key.length; i++) {
             retval += this.key[i] * i;
         }
-        return(retval ^= "des".hashCode());
+        return(retval ^ "des".hashCode());
     }
 
     public boolean equals(Object obj) {
@@ -120,14 +122,23 @@ public boolean equals(Object obj) {
     }
 
     /**
-     * readObject is called to restore the state of this key from
-     * a stream.
+     * Restores the state of this object from the stream.
+     *
+     * @param  s the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
      */
     private void readObject(java.io.ObjectInputStream s)
-         throws java.io.IOException, ClassNotFoundException
+         throws IOException, ClassNotFoundException
     {
         s.defaultReadObject();
+        if ((key == null) || (key.length != DESKeySpec.DES_KEY_LEN)) {
+            throw new InvalidObjectException("Wrong key size");
+        }
         key = key.clone();
+
+        DESKeyGenerator.setParityBit(key, 0);
+
     }
 
     /**

jdk/src/share/classes/com/sun/crypto/provider/DESedeKey.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
 
 package com.sun.crypto.provider;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
 import java.security.MessageDigest;
 import java.security.KeyRep;
 import java.security.InvalidKeyException;
@@ -40,7 +42,7 @@
 
 final class DESedeKey implements SecretKey {
 
-    static final long serialVersionUID = 2463986565756745178L;
+    private static final long serialVersionUID = 2463986565756745178L;
 
     private byte[] key;
 
@@ -99,7 +101,7 @@ public int hashCode() {
         for (int i = 1; i < this.key.length; i++) {
             retval += this.key[i] * i;
         }
-        return(retval ^= "desede".hashCode());
+        return(retval ^ "desede".hashCode());
     }
 
     public boolean equals(Object obj) {
@@ -121,14 +123,24 @@ public boolean equals(Object obj) {
     }
 
     /**
-     * readObject is called to restore the state of this key from
-     * a stream.
+     * Restores the state of this object from the stream.
+     *
+     * @param  s the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
      */
     private void readObject(java.io.ObjectInputStream s)
-         throws java.io.IOException, ClassNotFoundException
+         throws IOException, ClassNotFoundException
     {
         s.defaultReadObject();
+        if ((key == null) || (key.length != DESedeKeySpec.DES_EDE_KEY_LEN)) {
+            throw new InvalidObjectException("Wrong key size");
+        }
         key = key.clone();
+
+        DESKeyGenerator.setParityBit(key, 0);
+        DESKeyGenerator.setParityBit(key, 8);
+        DESKeyGenerator.setParityBit(key, 16);
     }
 
     /**

jdk/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,15 +40,13 @@
  * algorithm.
  *
  * @author Jan Luehe
- *
- *
  * @see DHPublicKey
  * @see java.security.KeyAgreement
  */
 final class DHPrivateKey implements PrivateKey,
 javax.crypto.interfaces.DHPrivateKey, Serializable {
 
-    static final long serialVersionUID = 7565477590005668886L;
+    private static final long serialVersionUID = 7565477590005668886L;
 
     // only supported version of PKCS#8 PrivateKeyInfo
     private static final BigInteger PKCS8_VERSION = BigInteger.ZERO;
@@ -63,10 +61,10 @@ final class DHPrivateKey implements PrivateKey,
     private byte[] encodedKey;
 
     // the prime modulus
-    private BigInteger p;
+    private final BigInteger p;
 
     // the base generator
-    private BigInteger g;
+    private final BigInteger g;
 
     // the private-value length (optional)
     private int l;
@@ -319,4 +317,27 @@ private Object writeReplace() throws java.io.ObjectStreamException {
                         getFormat(),
                         getEncoded());
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * <p>
+     * JDK 1.5+ objects use <code>KeyRep</code>s instead.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        stream.defaultReadObject();
+        if ((key == null) || (key.length == 0)) {
+            throw new InvalidObjectException("key not deserializable");
+        }
+        this.key = key.clone();
+        if ((encodedKey == null) || (encodedKey.length == 0)) {
+            throw new InvalidObjectException(
+                    "encoded key not deserializable");
+        }
+        this.encodedKey = encodedKey.clone();
+    }
 }