Posted to dev@harmony.apache.org by Stefano Mazzocchi <st...@apache.org> on 2006/11/09 21:15:46 UTC

[crypto] SHA-1 not implemented?

from Robin's latest runs
 http://cs.anu.edu.au/people/Robin.Garner/dacapo/regression/results-20061110/DRLVM/eclipse.small.log

there are a bunch of log messages that indicate that harmony doesn't
implement SHA-1.

Is that true?

-- 
Stefano.


Re: [crypto] SHA-1 not implemented?

Posted by Alexey Petrenko <al...@gmail.com>.
2006/11/13, Yuri Dolgov <do...@gmail.com>:
> Sure, see https://issues.apache.org/jira/browse/HARMONY-2163
Unit test is also welcome ;)

> On 11/10/06, Tim Ellison <t....@gmail.com> wrote:
> >
> > Good catch Yuri -- please log it into JIRA.
> >
> > Regards,
> > Tim
> >
> > Yuri Dolgov wrote:
> > > Hello,
> > >
> > > I've made an investigation and found out the root of the problem.
> > >
> > > It seems that "eclipse" test in DaCapo benchmarks changes value of
> > > *java.home* system property to ".\scratch\dummyjre". It affects
> > > initialization of Security class in java.security module which loads
> > > java.security file from *java.home*/lib/security directory.
> > >
> > > This is a potential security gap since a person could change *java.home*
> > > value before Security class initialization and load malicious
> > > java.security file.
> > >
> > > The following test demonstrates the described behavior:
> > >
> > >
> > > import java.security.MessageDigest;
> > > public class Test {
> > >    public static void main (String[] args) {
> > >        try {
> > >            System.setProperty("java.home", "foo/path");
> > >            MessageDigest md = MessageDigest.getInstance ("SHA-1");
> > >        } catch (Exception e) {
> > >            e.printStackTrace();
> > >        }
> > >    }
> > > }
> > >
> > > Yuri Dolgov
> > >
> > >
> > > On 11/10/06, Tim Ellison <t....@gmail.com> wrote:
> > >>
> > >> Robin Garner wrote:
> > >> > Stefano Mazzocchi wrote:
> > >> >> from Robin's latest runs
> > >> >>  http://cs.anu.edu.au/people/Robin.Garner/dacapo/regression/results-20061110/DRLVM/eclipse.small.log
> > >> >>
> > >> >>
> > >> >> there are a bunch of log messages that indicate that harmony doesn't
> > >> >> implement SHA-1.
> > >> >>
> > >> >> Is that true?
> > >> >>
> > >> >
> > >> > It can't be true, because _all_ the DaCapo benchmarks rely on SHA-1 for
> > >> > validation.  I raised JIRA Harmony-2135 on this issue.  Looks like after
> > >> > eclipse has run, drlvm forgets how to access the SHA-1 algorithm :(
> > >>
> > >> Yep, the SHA-1 code is still there [1].
> > >>
> > >> [1]
> > >>
> > >> http://svn.apache.org/viewvc/incubator/harmony/enhanced/classlib/trunk/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1Impl.java?view=markup
> > >>
> > >> Regards,
> > >> Tim
> > >>
> > >> --
> > >>
> > >> Tim Ellison (t.p.ellison@gmail.com)
> > >> IBM Java technology centre, UK.
> > >>
> > >
> >
> > --
> >
> > Tim Ellison (t.p.ellison@gmail.com)
> > IBM Java technology centre, UK.
> >
>
>

Re: [crypto] SHA-1 not implemented?

Posted by Yuri Dolgov <do...@gmail.com>.
Sure, see https://issues.apache.org/jira/browse/HARMONY-2163

Thanks,
Yuri.


On 11/10/06, Tim Ellison <t....@gmail.com> wrote:
>
> Good catch Yuri -- please log it into JIRA.
>
> Regards,
> Tim
>
> Yuri Dolgov wrote:
> > Hello,
> >
> > I've made an investigation and found out the root of the problem.
> >
> > It seems that "eclipse" test in DaCapo benchmarks changes value of
> > *java.home* system property to ".\scratch\dummyjre". It affects
> > initialization of Security class in java.security module which loads
> > java.security file from *java.home*/lib/security directory.
> >
> > This is a potential security gap since a person could change *java.home*
> > value before Security class initialization and load malicious
> > java.security file.
> >
> > The following test demonstrates the described behavior:
> >
> >
> > import java.security.MessageDigest;
> > public class Test {
> >    public static void main (String[] args) {
> >        try {
> >            System.setProperty("java.home", "foo/path");
> >            MessageDigest md = MessageDigest.getInstance ("SHA-1");
> >        } catch (Exception e) {
> >            e.printStackTrace();
> >        }
> >    }
> > }
> >
> > Yuri Dolgov
> >
> >
> > On 11/10/06, Tim Ellison <t....@gmail.com> wrote:
> >>
> >> Robin Garner wrote:
> >> > Stefano Mazzocchi wrote:
> >> >> from Robin's latest runs
> >> >>  http://cs.anu.edu.au/people/Robin.Garner/dacapo/regression/results-20061110/DRLVM/eclipse.small.log
> >> >>
> >> >>
> >> >> there are a bunch of log messages that indicate that harmony doesn't
> >> >> implement SHA-1.
> >> >>
> >> >> Is that true?
> >> >>
> >> >
> >> > It can't be true, because _all_ the DaCapo benchmarks rely on SHA-1 for
> >> > validation.  I raised JIRA Harmony-2135 on this issue.  Looks like after
> >> > eclipse has run, drlvm forgets how to access the SHA-1 algorithm :(
> >>
> >> Yep, the SHA-1 code is still there [1].
> >>
> >> [1]
> >>
> >> http://svn.apache.org/viewvc/incubator/harmony/enhanced/classlib/trunk/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1Impl.java?view=markup
> >>
> >> Regards,
> >> Tim
> >>
> >> --
> >>
> >> Tim Ellison (t.p.ellison@gmail.com)
> >> IBM Java technology centre, UK.
> >>
> >
>
> --
>
> Tim Ellison (t.p.ellison@gmail.com)
> IBM Java technology centre, UK.
>

Re: [crypto] SHA-1 not implemented?

Posted by Tim Ellison <t....@gmail.com>.
Good catch Yuri -- please log it into JIRA.

Regards,
Tim

Yuri Dolgov wrote:
> Hello,
> 
> I've made an investigation and found out the root of the problem.
>
> It seems that "eclipse" test in DaCapo benchmarks changes value of
> *java.home* system property to ".\scratch\dummyjre". It affects
> initialization of Security class in java.security module which loads
> java.security file from *java.home*/lib/security directory.
>
> This is a potential security gap since a person could change *java.home*
> value before Security class initialization and load malicious
> java.security file.
> 
> The following test demonstrates the described behavior:
> 
> 
> import java.security.MessageDigest;
> public class Test {
>    public static void main (String[] args) {
>        try {
>            System.setProperty("java.home", "foo/path");
>            MessageDigest md = MessageDigest.getInstance ("SHA-1");
>        } catch (Exception e) {
>            e.printStackTrace();
>        }
>    }
> }
> 
> Yuri Dolgov
> 
> 
> On 11/10/06, Tim Ellison <t....@gmail.com> wrote:
>>
>> Robin Garner wrote:
>> > Stefano Mazzocchi wrote:
>> >> from Robin's latest runs
>> >>  http://cs.anu.edu.au/people/Robin.Garner/dacapo/regression/results-20061110/DRLVM/eclipse.small.log
>> >>
>> >>
>> >> there are a bunch of log messages that indicate that harmony doesn't
>> >> implement SHA-1.
>> >>
>> >> Is that true?
>> >>
>> >
>> > It can't be true, because _all_ the DaCapo benchmarks rely on SHA-1 for
>> > validation.  I raised JIRA Harmony-2135 on this issue.  Looks like after
>> > eclipse has run, drlvm forgets how to access the SHA-1 algorithm :(
>>
>> Yep, the SHA-1 code is still there [1].
>>
>> [1]
>>
>> http://svn.apache.org/viewvc/incubator/harmony/enhanced/classlib/trunk/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1Impl.java?view=markup
>>
>>
>> Regards,
>> Tim
>>
>> -- 
>>
>> Tim Ellison (t.p.ellison@gmail.com)
>> IBM Java technology centre, UK.
>>
> 

-- 

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.

Re: [crypto] SHA-1 not implemented?

Posted by Yuri Dolgov <do...@gmail.com>.
Hello,

I've made an investigation and found out the root of the problem.

It seems that "eclipse" test in DaCapo benchmarks changes value of
*java.home* system property to ".\scratch\dummyjre". It affects
initialization of Security class in java.security module which loads
java.security file from *java.home*/lib/security directory.

This is a potential security gap since a person could change *java.home* value
before Security class initialization and load malicious java.security file.

The following test demonstrates the described behavior:


import java.security.MessageDigest;
public class Test {
    public static void main (String[] args) {
        try {
            System.setProperty("java.home", "foo/path");
            MessageDigest md = MessageDigest.getInstance ("SHA-1");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Yuri Dolgov


On 11/10/06, Tim Ellison <t....@gmail.com> wrote:
>
> Robin Garner wrote:
> > Stefano Mazzocchi wrote:
> >> from Robin's latest runs
> >>  http://cs.anu.edu.au/people/Robin.Garner/dacapo/regression/results-20061110/DRLVM/eclipse.small.log
> >>
> >>
> >> there are a bunch of log messages that indicate that harmony doesn't
> >> implement SHA-1.
> >>
> >> Is that true?
> >>
> >
> > It can't be true, because _all_ the DaCapo benchmarks rely on SHA-1 for
> > validation.  I raised JIRA Harmony-2135 on this issue.  Looks like after
> > eclipse has run, drlvm forgets how to access the SHA-1 algorithm :(
>
> Yep, the SHA-1 code is still there [1].
>
> [1]
>
> http://svn.apache.org/viewvc/incubator/harmony/enhanced/classlib/trunk/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1Impl.java?view=markup
>
> Regards,
> Tim
>
> --
>
> Tim Ellison (t.p.ellison@gmail.com)
> IBM Java technology centre, UK.
>
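
Added example, not part of the original thread or Harmony's code: a startup guard for the behaviour described in the message above, assuming the Security class reads java.security once, during its class initialization. The class and method names are hypothetical; the guard forces that initialization before any workload can repoint java.home, then reports whether the property was changed and whether SHA-1 still resolves.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Security;

public class SecurityInitGuard {
    // java.home as set by the launcher, captured before any workload code runs.
    private static final String TRUSTED_JAVA_HOME = System.getProperty("java.home");

    // Touching Security here triggers its one-time initialization while
    // java.home still has the launcher's value (assumption stated in the lead-in).
    static int pinProviders() {
        return Security.getProviders().length;
    }

    // True if some code has repointed java.home since startup.
    static boolean javaHomeTampered() {
        return !TRUSTED_JAVA_HOME.equals(System.getProperty("java.home"));
    }

    // True if a java.security file exists under the given home directory.
    // lib/security is the location named in the thread; conf/security is
    // where JDK 9 and later keep the file.
    static boolean hasSecurityFile(String home) {
        Path lib = Paths.get(home, "lib", "security", "java.security");
        Path conf = Paths.get(home, "conf", "security", "java.security");
        return Files.isRegularFile(lib) || Files.isRegularFile(conf);
    }

    // True if a registered provider still supplies SHA-1.
    static boolean sha1Available() {
        try {
            MessageDigest.getInstance("SHA-1");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("providers pinned: " + pinProviders());
        // Stand-in for a workload that repoints java.home, as in the test above.
        System.setProperty("java.home", "foo/path");
        System.out.println("java.home tampered: " + javaHomeTampered());
        System.out.println("java.security under current java.home: "
                + hasSecurityFile(System.getProperty("java.home")));
        System.out.println("SHA-1 available: " + sha1Available());
        System.setProperty("java.home", TRUSTED_JAVA_HOME); // restore for later code
    }
}
```

Removing the `pinProviders()` call reproduces the ordering from the thread, where java.home is changed before the Security class is first used.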

Re: [crypto] SHA-1 not implemented?

Posted by Tim Ellison <t....@gmail.com>.
Robin Garner wrote:
> Stefano Mazzocchi wrote:
>> from Robin's latest runs
>>  http://cs.anu.edu.au/people/Robin.Garner/dacapo/regression/results-20061110/DRLVM/eclipse.small.log
>>
>>
>> there are a bunch of log messages that indicate that harmony doesn't
>> implement SHA-1.
>>
>> Is that true?
>>
> 
> It can't be true, because _all_ the DaCapo benchmarks rely on SHA-1 for
> validation.  I raised JIRA Harmony-2135 on this issue.  Looks like after
> eclipse has run, drlvm forgets how to access the SHA-1 algorithm :(

Yep, the SHA-1 code is still there [1].

[1]
http://svn.apache.org/viewvc/incubator/harmony/enhanced/classlib/trunk/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1Impl.java?view=markup

Regards,
Tim

-- 

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.

Re: [crypto] SHA-1 not implemented?

Posted by Robin Garner <ro...@anu.edu.au>.
Stefano Mazzocchi wrote:
> from Robin's latest runs
>  http://cs.anu.edu.au/people/Robin.Garner/dacapo/regression/results-20061110/DRLVM/eclipse.small.log
> 
> there are a bunch of log messages that indicate that harmony doesn't
> implement SHA-1.
> 
> Is that true?
> 

It can't be true, because _all_ the DaCapo benchmarks rely on SHA-1 for 
validation.  I raised JIRA Harmony-2135 on this issue.  Looks like after 
eclipse has run, drlvm forgets how to access the SHA-1 algorithm :(

-- 
Robin Garner
Dept. of Computer Science
Australian National University
http://cs.anu.edu.au/people/Robin.Garner/