diff --git a/.gitignore b/.gitignore index c6d9c14..1019c09 100644 --- a/.gitignore +++ b/.gitignore @@ -51,3 +51,4 @@ /aarch64-port-jdk8u60-aarch64-jdk8u65-b17.tar.xz /aarch64-jdk8u71-b15.tar.xz /aarch64-port-jdk8u-aarch64-jdk8u72-b15.tar.xz +/aarch64-port-jdk8u-aarch64-jdk8u72-b15-ec.tar.xz diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index 8ed2b21..c6be068 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -2,7 +2,7 @@ # Generates the 'source tarball' for JDK 8 projects. # # Example: -# When used from local repo set REPO_ROOT pointing to file:// wth your repo +# When used from local repo set REPO_ROOT pointing to file:// with your repo # if your local repo follows upstream forests conventions, you may be enough by setting OPENJDK_URL # if you wont to use local copy of patch PR2126 set path to it to PR2126 variable # @@ -29,7 +29,7 @@ if [ "x$1" = "xhelp" ] ; then echo "VERSION - the version of the specified OpenJDK project" echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)" echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)" - echo "OPENJDK_URL - the URL to retrive code from (optional; defaults to ${OPENJDK_URL_DEFAULT})" + echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})" echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})" echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)" @@ -98,7 +98,11 @@ done echo "Removing EC source code we don't build" + +mv -v jdk/src/share/native/sun/security/ec/impl/ecc_impl.h . rm -vrf jdk/src/share/native/sun/security/ec/impl +mkdir jdk/src/share/native/sun/security/ec/impl +mv -v ecc_impl.h jdk/src/share/native/sun/security/ec/impl echo "Syncing EC list with NSS" if [ "x$PR2126" = "x" ] ; then @@ -113,7 +117,7 @@ else fi; popd -echo "Compresing remaining forest" +echo "Compressing remaining forest" if [ "X$COMPRESSION" = "Xxz" ] ; then tar --exclude-vcs -cJf ${FILE_NAME_ROOT}.tar.${COMPRESSION} openjdk else @@ -122,6 +126,6 @@ fi mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} .. popd -echo "Done, you may wont to remove freshly cloned repo..." +echo "Done. You may want to remove the uncompressed version." diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 6c2e345..131894c 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -82,6 +82,8 @@ #looks liekopenjdk RPM specific bug # Always set this so the nss.cfg file is not broken %global NSS_LIBDIR %(pkg-config --variable=libdir nss) +%global NSS_LIBS %(pkg-config --libs nss) +%global NSS_CFLAGS %(pkg-config --cflags nss-softokn) # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 %global _privatelibs libmawt[.]so.* @@ -735,7 +737,7 @@ Obsoletes: java-1.7.0-openjdk-accessibility%1 Name: java-%{javaver}-%{origin} Version: %{javaver}.%{updatever} -Release: 10.%{buildver}%{?dist} +Release: 11.%{buildver}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons, # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -755,9 +757,9 @@ URL: http://openjdk.java.net/ # aarch64-port now contains integration forest of both aarch64 and normal jdk # Source from upstream OpenJDK8 project. To regenerate, use -# VERSION=aarch64-jdk8u71-b15 FILE_NAME_ROOT=${VERSION} +# VERSION=aarch64-jdk8u72-b15 FILE_NAME_ROOT=aarch64-port-jdk8u-${VERSION}-ec # REPO_ROOT= generate_source_tarball.sh -Source0: %{project}-%{repo}-%{revision}.tar.xz +Source0: %{project}-%{repo}-%{revision}-ec.tar.xz # Custom README for -src subpackage Source2: README.src @@ -800,10 +802,18 @@ Patch3: java-atk-wrapper-security.patch Patch5: multiple-pkcs11-library-init.patch # PR2095, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure (sync with IcedTea 2.x) Patch504: rh1163501.patch -# S4890063, PR2304, RH1214835: HPROF: default text truncated when using doe=n option (upstreaming post-CPU 2015/07) +# S4890063, PR2304, RH1214835: HPROF: default text truncated when using doe=n option Patch511: rh1214835.patch # Turn off strict overflow on IndicRearrangementProcessor{,2}.cpp following 8140543: Arrange font actions Patch512: no_strict_overflow.patch +# Support for building the SunEC provider with the system NSS installation +# PR1983: Support using the system installation of NSS with the SunEC provider +# PR2127: SunEC provider crashes when built using system NSS +# PR2815: Race condition in SunEC provider with system NSS +Patch513: pr1983-jdk.patch +Patch514: pr1983-root.patch +Patch515: pr2127.patch +Patch516: pr2815.patch # Arch-specific upstreamable patches # PR2415: JVM -Xmx requirement is too high on s390 @@ -818,6 +828,8 @@ Patch103: s390-size_t_format_flags.patch Patch104: remove_aarch64_jvm.cfg_divergence.patch # RH1300630, 8147805: aarch64: C1 segmentation fault due to inline Unsafe.getAndSetObject Patch105: rh1300630.patch +# Remove template in AArch64 port which causes issues with GCC 6 +Patch106: remove_aarch64_template_for_gcc6.patch # Patches which need backporting to 8u # S8073139, RH1191652; fix name of ppc64le architecture @@ -852,8 +864,6 @@ Patch505: 8143855.patch Patch201: system-libjpeg.patch # Local fixes -# Turns off ECC support as we don't ship the SunEC provider currently -Patch12: removeSunEcProvider-RH1154143.patch # Non-OpenJDK fixes Patch300: jstack-pr1845.patch @@ -892,6 +902,9 @@ BuildRequires: libffi-devel BuildRequires: tzdata-java >= 2015d # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 +# Build requirements for SunEC system NSS support +BuildRequires: nss-softokn-freebl-devel >= 3.16.1 + # cacerts build requirement. BuildRequires: openssl %if %{with_systemtap} @@ -1109,7 +1122,6 @@ sh %{SOURCE12} %patch3 %patch5 %patch7 -%patch12 # s390 build fixes %patch100 @@ -1119,6 +1131,7 @@ sh %{SOURCE12} # aarch64 build fixes %patch104 %patch105 +%patch106 # Zero PPC fixes. %patch403 @@ -1136,6 +1149,10 @@ sh %{SOURCE12} %patch507 %patch511 %patch512 +%patch513 +%patch514 +%patch515 +%patch516 # Extract systemtap tapsets %if %{with_systemtap} @@ -1218,6 +1235,8 @@ fi mkdir -p %{buildoutputdir $suffix} pushd %{buildoutputdir $suffix} +NSS_LIBS="%{NSS_LIBS} -lfreebl" \ +NSS_CFLAGS="%{NSS_CFLAGS}" \ bash ../../configure \ %ifnarch %{jit_arches} --with-jvm-variants=zero \ @@ -1229,6 +1248,7 @@ bash ../../configure \ --with-boot-jdk=/usr/lib/jvm/java-openjdk \ --with-debug-level=$debugbuild \ --enable-unlimited-crypto \ + --enable-system-nss \ --with-zlib=system \ --with-libjpeg=system \ --with-giflib=system \ @@ -1696,6 +1716,16 @@ require "copy_jdk_configs.lua" %endif %changelog +* Wed Feb 24 2016 Andrew Hughes - 1:1.8.0.72-11.b15 +- Add patches to allow the SunEC provider to be built with the system NSS install. +- Re-generate source tarball so it includes ecc_impl.h. +- Adjust tarball generation script to allow ecc_impl.h to be included. +- Bring over NSS changes from java-1.7.0-openjdk spec file (NSS_CFLAGS/NSS_LIBS) +- Remove patch which disables the SunEC provider as it is now usable. +- Correct spelling mistakes in tarball generation script. +- Move completely unrelated AArch64 gcc 6 patch into separate file. +- Resolves: rhbz#1019554 (fedora bug) + * Tue Feb 23 2016 jvanek - 1:1.8.0.72-10.b15 - returning accidentlay removed hunk from renamed and so wrongly merged remove_aarch64_jvm.cfg_divergence.patch diff --git a/pr1983-jdk.patch b/pr1983-jdk.patch new file mode 100644 index 0000000..a0b4e1a --- /dev/null +++ b/pr1983-jdk.patch @@ -0,0 +1,693 @@ +# HG changeset patch +# User andrew +# Date 1453863246 0 +# Wed Jan 27 02:54:06 2016 +0000 +# Node ID 48c15869ecd568263249af4b9a4e98d4e57f9a8f +# Parent afd392dfaed501ac674a7cc3e37353ce300969c7 +PR1983: Support using the system installation of NSS with the SunEC provider +Summary: Apply code changes from PR1699 & PR1742 & forward-port Makefile changes to the new build. + +diff -r afd392dfaed5 -r 48c15869ecd5 make/lib/SecurityLibraries.gmk +--- openjdk/jdk/make/lib/SecurityLibraries.gmk Tue Jan 26 22:26:26 2016 +0000 ++++ openjdk/jdk/make/lib/SecurityLibraries.gmk Wed Jan 27 02:54:06 2016 +0000 +@@ -218,8 +218,17 @@ + + ifeq ($(ENABLE_INTREE_EC), yes) + +- BUILD_LIBSUNEC_FLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/security/ec \ ++ BUILD_LIBSUNEC_FLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/security/ec ++ ++ ifeq ($(USE_EXTERNAL_NSS), true) ++ BUILD_LIBSUNEC_IMPL_DIR := ++ BUILD_LIBSUNEC_FLAGS += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC ++ else ++ BUILD_LIBSUNEC_IMPL_DIR := \ ++ $(JDK_TOPDIR)/src/share/native/sun/security/ec/impl ++ BUILD_LIBSUNEC_FLAGS += \ + -I$(JDK_TOPDIR)/src/share/native/sun/security/ec/impl ++ endif + + # + # On sol-sparc...all libraries are compiled with -xregs=no%appl +@@ -235,8 +244,8 @@ + $(eval $(call SetupNativeCompilation,BUILD_LIBSUNEC, \ + LIBRARY := sunec, \ + OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \ +- SRC := $(JDK_TOPDIR)/src/share/native/sun/security/ec \ +- $(JDK_TOPDIR)/src/share/native/sun/security/ec/impl, \ ++ SRC := $(JDK_TOPDIR)/src/share/native/sun/security/ec/ECC_JNI.cpp \ ++ $(BUILD_LIBSUNEC_IMPL_DIR), \ + LANG := C++, \ + OPTIMIZATION := LOW, \ + CFLAGS := $(filter-out $(ECC_JNI_SOLSPARC_FILTER), $(CFLAGS_JDKLIB)) \ +@@ -248,8 +257,8 @@ + LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \ + LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \ + LDFLAGS_SUFFIX := $(LIBCXX), \ +- LDFLAGS_SUFFIX_linux := -lc, \ +- LDFLAGS_SUFFIX_solaris := -lc, \ ++ LDFLAGS_SUFFIX_linux := -lc $(NSS_LIBS), \ ++ LDFLAGS_SUFFIX_solaris := -lc $(NSS_LIBS), \ + VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \ + RC_FLAGS := $(RC_FLAGS) \ + -D "JDK_FNAME=sunec.dll" \ +diff -r afd392dfaed5 -r 48c15869ecd5 src/share/native/sun/security/ec/ECC_JNI.cpp +--- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Tue Jan 26 22:26:26 2016 +0000 ++++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Wed Jan 27 02:54:06 2016 +0000 +@@ -24,7 +24,7 @@ + */ + + #include +-#include "impl/ecc_impl.h" ++#include "ecc_impl.h" + + #define ILLEGAL_STATE_EXCEPTION "java/lang/IllegalStateException" + #define INVALID_ALGORITHM_PARAMETER_EXCEPTION \ +@@ -89,7 +89,7 @@ + */ + JNIEXPORT jobjectArray + JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair +- (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed) ++ (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed) + { + ECPrivateKey *privKey = NULL; // contains both public and private values + ECParams *ecparams = NULL; +@@ -190,7 +190,7 @@ + */ + JNIEXPORT jbyteArray + JNICALL Java_sun_security_ec_ECDSASignature_signDigest +- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed) ++ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed) + { + jbyte* pDigestBuffer = NULL; + jint jDigestLength = env->GetArrayLength(digest); +@@ -299,7 +299,7 @@ + */ + JNIEXPORT jboolean + JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest +- (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) ++ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) + { + jboolean isValid = false; + +@@ -384,7 +384,7 @@ + */ + JNIEXPORT jbyteArray + JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey +- (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) ++ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) + { + jbyteArray jSecret = NULL; + ECParams *ecparams = NULL; +diff -r afd392dfaed5 -r 48c15869ecd5 src/share/native/sun/security/ec/ecc_impl.h +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/jdk/src/share/native/sun/security/ec/ecc_impl.h Wed Jan 27 02:54:06 2016 +0000 +@@ -0,0 +1,298 @@ ++/* ++ * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved. ++ * Use is subject to license terms. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this library; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++/* ********************************************************************* ++ * ++ * The Original Code is the Netscape security libraries. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1994-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * Dr Vipul Gupta and ++ * Douglas Stebila , Sun Microsystems Laboratories ++ * ++ * Last Modified Date from the Original Code: November 2013 ++ *********************************************************************** */ ++ ++#ifndef _ECC_IMPL_H ++#define _ECC_IMPL_H ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++#include ++ ++#ifdef SYSTEM_NSS ++#include ++#include ++#include ++#ifdef LEGACY_NSS ++#include ++#else ++#include ++#endif ++#else ++#include "ecl-exp.h" ++#endif ++ ++/* ++ * Multi-platform definitions ++ */ ++#ifdef __linux__ ++#define B_FALSE FALSE ++#define B_TRUE TRUE ++typedef unsigned char uint8_t; ++typedef unsigned long ulong_t; ++typedef enum { B_FALSE, B_TRUE } boolean_t; ++#endif /* __linux__ */ ++ ++#ifdef _ALLBSD_SOURCE ++#include ++#define B_FALSE FALSE ++#define B_TRUE TRUE ++typedef unsigned long ulong_t; ++typedef enum boolean { B_FALSE, B_TRUE } boolean_t; ++#endif /* _ALLBSD_SOURCE */ ++ ++#ifdef AIX ++#define B_FALSE FALSE ++#define B_TRUE TRUE ++typedef unsigned char uint8_t; ++typedef unsigned long ulong_t; ++#endif /* AIX */ ++ ++#ifdef _WIN32 ++typedef unsigned char uint8_t; ++typedef unsigned long ulong_t; ++typedef enum boolean { B_FALSE, B_TRUE } boolean_t; ++#define strdup _strdup /* Replace POSIX name with ISO C++ name */ ++#endif /* _WIN32 */ ++ ++#ifndef _KERNEL ++#include ++#endif /* _KERNEL */ ++ ++#define EC_MAX_DIGEST_LEN 1024 /* max digest that can be signed */ ++#define EC_MAX_POINT_LEN 145 /* max len of DER encoded Q */ ++#define EC_MAX_VALUE_LEN 72 /* max len of ANSI X9.62 private value d */ ++#define EC_MAX_SIG_LEN 144 /* max signature len for supported curves */ ++#define EC_MIN_KEY_LEN 112 /* min key length in bits */ ++#define EC_MAX_KEY_LEN 571 /* max key length in bits */ ++#define EC_MAX_OID_LEN 10 /* max length of OID buffer */ ++ ++/* ++ * Various structures and definitions from NSS are here. ++ */ ++ ++#ifndef SYSTEM_NSS ++#ifdef _KERNEL ++#define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f)) ++#define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f)) ++#define PORT_ArenaGrow(a, b, c, d) NULL ++#define PORT_ZAlloc(n, f) kmem_zalloc((n), (f)) ++#define PORT_Alloc(n, f) kmem_alloc((n), (f)) ++#else ++#define PORT_ArenaAlloc(a, n, f) malloc((n)) ++#define PORT_ArenaZAlloc(a, n, f) calloc(1, (n)) ++#define PORT_ArenaGrow(a, b, c, d) NULL ++#define PORT_ZAlloc(n, f) calloc(1, (n)) ++#define PORT_Alloc(n, f) malloc((n)) ++#endif ++ ++#define PORT_NewArena(b) (char *)12345 ++#define PORT_ArenaMark(a) NULL ++#define PORT_ArenaUnmark(a, b) ++#define PORT_ArenaRelease(a, m) ++#define PORT_FreeArena(a, b) ++#define PORT_Strlen(s) strlen((s)) ++#define PORT_SetError(e) ++ ++#define PRBool boolean_t ++#define PR_TRUE B_TRUE ++#define PR_FALSE B_FALSE ++ ++#ifdef _KERNEL ++#define PORT_Assert ASSERT ++#define PORT_Memcpy(t, f, l) bcopy((f), (t), (l)) ++#else ++#define PORT_Assert assert ++#define PORT_Memcpy(t, f, l) memcpy((t), (f), (l)) ++#endif ++ ++#endif ++ ++#define CHECK_OK(func) if (func == NULL) goto cleanup ++#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup ++ ++#ifndef SYSTEM_NSS ++typedef enum { ++ siBuffer = 0, ++ siClearDataBuffer = 1, ++ siCipherDataBuffer = 2, ++ siDERCertBuffer = 3, ++ siEncodedCertBuffer = 4, ++ siDERNameBuffer = 5, ++ siEncodedNameBuffer = 6, ++ siAsciiNameString = 7, ++ siAsciiString = 8, ++ siDEROID = 9, ++ siUnsignedInteger = 10, ++ siUTCTime = 11, ++ siGeneralizedTime = 12 ++} SECItemType; ++ ++typedef struct SECItemStr SECItem; ++ ++struct SECItemStr { ++ SECItemType type; ++ unsigned char *data; ++ unsigned int len; ++}; ++ ++typedef SECItem SECKEYECParams; ++ ++typedef enum { ec_params_explicit, ++ ec_params_named ++} ECParamsType; ++ ++typedef enum { ec_field_GFp = 1, ++ ec_field_GF2m ++} ECFieldType; ++ ++struct ECFieldIDStr { ++ int size; /* field size in bits */ ++ ECFieldType type; ++ union { ++ SECItem prime; /* prime p for (GFp) */ ++ SECItem poly; /* irreducible binary polynomial for (GF2m) */ ++ } u; ++ int k1; /* first coefficient of pentanomial or ++ * the only coefficient of trinomial ++ */ ++ int k2; /* two remaining coefficients of pentanomial */ ++ int k3; ++}; ++typedef struct ECFieldIDStr ECFieldID; ++ ++struct ECCurveStr { ++ SECItem a; /* contains octet stream encoding of ++ * field element (X9.62 section 4.3.3) ++ */ ++ SECItem b; ++ SECItem seed; ++}; ++typedef struct ECCurveStr ECCurve; ++ ++typedef void PRArenaPool; ++ ++struct ECParamsStr { ++ PRArenaPool * arena; ++ ECParamsType type; ++ ECFieldID fieldID; ++ ECCurve curve; ++ SECItem base; ++ SECItem order; ++ int cofactor; ++ SECItem DEREncoding; ++ ECCurveName name; ++ SECItem curveOID; ++}; ++typedef struct ECParamsStr ECParams; ++ ++struct ECPublicKeyStr { ++ ECParams ecParams; ++ SECItem publicValue; /* elliptic curve point encoded as ++ * octet stream. ++ */ ++}; ++typedef struct ECPublicKeyStr ECPublicKey; ++ ++struct ECPrivateKeyStr { ++ ECParams ecParams; ++ SECItem publicValue; /* encoded ec point */ ++ SECItem privateValue; /* private big integer */ ++ SECItem version; /* As per SEC 1, Appendix C, Section C.4 */ ++}; ++typedef struct ECPrivateKeyStr ECPrivateKey; ++ ++typedef enum _SECStatus { ++ SECBufferTooSmall = -3, ++ SECWouldBlock = -2, ++ SECFailure = -1, ++ SECSuccess = 0 ++} SECStatus; ++#endif ++ ++#ifdef _KERNEL ++#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l)) ++#else ++/* ++ This function is no longer required because the random bytes are now ++ supplied by the caller. Force a failure. ++*/ ++#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure ++#endif ++#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup ++#define MP_TO_SEC_ERROR(err) ++ ++#define SECITEM_TO_MPINT(it, mp) \ ++ CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len)) ++ ++extern int ecc_knzero_random_generator(uint8_t *, size_t); ++extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t); ++ ++#ifdef SYSTEM_NSS ++#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b) ++#define EC_NewKey(a,b,c,d,e) EC_NewKeyFromSeed(a,b,c,d) ++#define ECDSA_SignDigest(a,b,c,d,e,f) ECDSA_SignDigestWithSeed(a,b,c,d,e) ++#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c) ++#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e) ++#else ++extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int); ++ ++extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int); ++extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *, ++ int); ++extern void SECITEM_FreeItem(SECItem *, boolean_t); ++ ++/* This function has been modified to accept an array of random bytes */ ++extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey, ++ const unsigned char* random, int randomlen, int); ++/* This function has been modified to accept an array of random bytes */ ++extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *, ++ const unsigned char* random, int randomlen, int); ++extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *, ++ const SECItem *, int); ++extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t, ++ SECItem *, int); ++#endif ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* _ECC_IMPL_H */ +diff -r afd392dfaed5 -r 48c15869ecd5 src/share/native/sun/security/ec/impl/ecc_impl.h +--- openjdk/jdk/src/share/native/sun/security/ec/impl/ecc_impl.h Tue Jan 26 22:26:26 2016 +0000 ++++ /dev/null Thu Jan 01 00:00:00 1970 +0000 +@@ -1,271 +0,0 @@ +-/* +- * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved. +- * Use is subject to license terms. +- * +- * This library is free software; you can redistribute it and/or +- * modify it under the terms of the GNU Lesser General Public +- * License as published by the Free Software Foundation; either +- * version 2.1 of the License, or (at your option) any later version. +- * +- * This library is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +- * Lesser General Public License for more details. +- * +- * You should have received a copy of the GNU Lesser General Public License +- * along with this library; if not, write to the Free Software Foundation, +- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +- * +- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +- * or visit www.oracle.com if you need additional information or have any +- * questions. +- */ +- +-/* ********************************************************************* +- * +- * The Original Code is the Netscape security libraries. +- * +- * The Initial Developer of the Original Code is +- * Netscape Communications Corporation. +- * Portions created by the Initial Developer are Copyright (C) 1994-2000 +- * the Initial Developer. All Rights Reserved. +- * +- * Contributor(s): +- * Dr Vipul Gupta and +- * Douglas Stebila , Sun Microsystems Laboratories +- * +- * Last Modified Date from the Original Code: November 2013 +- *********************************************************************** */ +- +-#ifndef _ECC_IMPL_H +-#define _ECC_IMPL_H +- +-#ifdef __cplusplus +-extern "C" { +-#endif +- +-#include +-#include "ecl-exp.h" +- +-/* +- * Multi-platform definitions +- */ +-#ifdef __linux__ +-#define B_FALSE FALSE +-#define B_TRUE TRUE +-typedef unsigned char uint8_t; +-typedef unsigned long ulong_t; +-typedef enum { B_FALSE, B_TRUE } boolean_t; +-#endif /* __linux__ */ +- +-#ifdef _ALLBSD_SOURCE +-#include +-#define B_FALSE FALSE +-#define B_TRUE TRUE +-typedef unsigned long ulong_t; +-typedef enum boolean { B_FALSE, B_TRUE } boolean_t; +-#endif /* _ALLBSD_SOURCE */ +- +-#ifdef AIX +-#define B_FALSE FALSE +-#define B_TRUE TRUE +-typedef unsigned char uint8_t; +-typedef unsigned long ulong_t; +-#endif /* AIX */ +- +-#ifdef _WIN32 +-typedef unsigned char uint8_t; +-typedef unsigned long ulong_t; +-typedef enum boolean { B_FALSE, B_TRUE } boolean_t; +-#define strdup _strdup /* Replace POSIX name with ISO C++ name */ +-#endif /* _WIN32 */ +- +-#ifndef _KERNEL +-#include +-#endif /* _KERNEL */ +- +-#define EC_MAX_DIGEST_LEN 1024 /* max digest that can be signed */ +-#define EC_MAX_POINT_LEN 145 /* max len of DER encoded Q */ +-#define EC_MAX_VALUE_LEN 72 /* max len of ANSI X9.62 private value d */ +-#define EC_MAX_SIG_LEN 144 /* max signature len for supported curves */ +-#define EC_MIN_KEY_LEN 112 /* min key length in bits */ +-#define EC_MAX_KEY_LEN 571 /* max key length in bits */ +-#define EC_MAX_OID_LEN 10 /* max length of OID buffer */ +- +-/* +- * Various structures and definitions from NSS are here. +- */ +- +-#ifdef _KERNEL +-#define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f)) +-#define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f)) +-#define PORT_ArenaGrow(a, b, c, d) NULL +-#define PORT_ZAlloc(n, f) kmem_zalloc((n), (f)) +-#define PORT_Alloc(n, f) kmem_alloc((n), (f)) +-#else +-#define PORT_ArenaAlloc(a, n, f) malloc((n)) +-#define PORT_ArenaZAlloc(a, n, f) calloc(1, (n)) +-#define PORT_ArenaGrow(a, b, c, d) NULL +-#define PORT_ZAlloc(n, f) calloc(1, (n)) +-#define PORT_Alloc(n, f) malloc((n)) +-#endif +- +-#define PORT_NewArena(b) (char *)12345 +-#define PORT_ArenaMark(a) NULL +-#define PORT_ArenaUnmark(a, b) +-#define PORT_ArenaRelease(a, m) +-#define PORT_FreeArena(a, b) +-#define PORT_Strlen(s) strlen((s)) +-#define PORT_SetError(e) +- +-#define PRBool boolean_t +-#define PR_TRUE B_TRUE +-#define PR_FALSE B_FALSE +- +-#ifdef _KERNEL +-#define PORT_Assert ASSERT +-#define PORT_Memcpy(t, f, l) bcopy((f), (t), (l)) +-#else +-#define PORT_Assert assert +-#define PORT_Memcpy(t, f, l) memcpy((t), (f), (l)) +-#endif +- +-#define CHECK_OK(func) if (func == NULL) goto cleanup +-#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup +- +-typedef enum { +- siBuffer = 0, +- siClearDataBuffer = 1, +- siCipherDataBuffer = 2, +- siDERCertBuffer = 3, +- siEncodedCertBuffer = 4, +- siDERNameBuffer = 5, +- siEncodedNameBuffer = 6, +- siAsciiNameString = 7, +- siAsciiString = 8, +- siDEROID = 9, +- siUnsignedInteger = 10, +- siUTCTime = 11, +- siGeneralizedTime = 12 +-} SECItemType; +- +-typedef struct SECItemStr SECItem; +- +-struct SECItemStr { +- SECItemType type; +- unsigned char *data; +- unsigned int len; +-}; +- +-typedef SECItem SECKEYECParams; +- +-typedef enum { ec_params_explicit, +- ec_params_named +-} ECParamsType; +- +-typedef enum { ec_field_GFp = 1, +- ec_field_GF2m +-} ECFieldType; +- +-struct ECFieldIDStr { +- int size; /* field size in bits */ +- ECFieldType type; +- union { +- SECItem prime; /* prime p for (GFp) */ +- SECItem poly; /* irreducible binary polynomial for (GF2m) */ +- } u; +- int k1; /* first coefficient of pentanomial or +- * the only coefficient of trinomial +- */ +- int k2; /* two remaining coefficients of pentanomial */ +- int k3; +-}; +-typedef struct ECFieldIDStr ECFieldID; +- +-struct ECCurveStr { +- SECItem a; /* contains octet stream encoding of +- * field element (X9.62 section 4.3.3) +- */ +- SECItem b; +- SECItem seed; +-}; +-typedef struct ECCurveStr ECCurve; +- +-typedef void PRArenaPool; +- +-struct ECParamsStr { +- PRArenaPool * arena; +- ECParamsType type; +- ECFieldID fieldID; +- ECCurve curve; +- SECItem base; +- SECItem order; +- int cofactor; +- SECItem DEREncoding; +- ECCurveName name; +- SECItem curveOID; +-}; +-typedef struct ECParamsStr ECParams; +- +-struct ECPublicKeyStr { +- ECParams ecParams; +- SECItem publicValue; /* elliptic curve point encoded as +- * octet stream. +- */ +-}; +-typedef struct ECPublicKeyStr ECPublicKey; +- +-struct ECPrivateKeyStr { +- ECParams ecParams; +- SECItem publicValue; /* encoded ec point */ +- SECItem privateValue; /* private big integer */ +- SECItem version; /* As per SEC 1, Appendix C, Section C.4 */ +-}; +-typedef struct ECPrivateKeyStr ECPrivateKey; +- +-typedef enum _SECStatus { +- SECBufferTooSmall = -3, +- SECWouldBlock = -2, +- SECFailure = -1, +- SECSuccess = 0 +-} SECStatus; +- +-#ifdef _KERNEL +-#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l)) +-#else +-/* +- This function is no longer required because the random bytes are now +- supplied by the caller. Force a failure. +-*/ +-#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure +-#endif +-#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup +-#define MP_TO_SEC_ERROR(err) +- +-#define SECITEM_TO_MPINT(it, mp) \ +- CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len)) +- +-extern int ecc_knzero_random_generator(uint8_t *, size_t); +-extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t); +- +-extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int); +-extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int); +-extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *, +- int); +-extern void SECITEM_FreeItem(SECItem *, boolean_t); +-/* This function has been modified to accept an array of random bytes */ +-extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey, +- const unsigned char* random, int randomlen, int); +-/* This function has been modified to accept an array of random bytes */ +-extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *, +- const unsigned char* random, int randomlen, int); +-extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *, +- const SECItem *, int); +-extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t, +- SECItem *, int); +- +-#ifdef __cplusplus +-} +-#endif +- +-#endif /* _ECC_IMPL_H */ +diff -r afd392dfaed5 -r 48c15869ecd5 src/solaris/javavm/export/jni_md.h +--- openjdk/jdk/src/solaris/javavm/export/jni_md.h Tue Jan 26 22:26:26 2016 +0000 ++++ openjdk/jdk/src/solaris/javavm/export/jni_md.h Wed Jan 27 02:54:06 2016 +0000 +@@ -36,6 +36,11 @@ + #define JNIEXPORT + #define JNIIMPORT + #endif ++#if (defined(__GNUC__)) || __has_attribute(unused) ++ #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__)) ++#else ++ #define UNUSED(x) UNUSED_ ## x ++#endif + + #define JNICALL + diff --git a/pr1983-root.patch b/pr1983-root.patch new file mode 100644 index 0000000..100472b --- /dev/null +++ b/pr1983-root.patch @@ -0,0 +1,89 @@ +# HG changeset patch +# User andrew +# Date 1453863007 0 +# Wed Jan 27 02:50:07 2016 +0000 +# Node ID f0635543beb309c4da1bb88c906a76ee4b75e16d +# Parent 4a5a0d4e1ae0feec2f47d17be380d6fcd5eff126 +PR1983: Support using the system installation of NSS with the SunEC provider +Summary: Add new configure option --enable-system-nss + +diff -r 92af9369869f common/autoconf/jdk-options.m4 +--- openjdk/common/autoconf/jdk-options.m4 Thu Jan 21 22:17:02 2016 +0000 ++++ openjdk/common/autoconf/jdk-options.m4 Wed Jan 27 05:32:12 2016 +0000 +@@ -414,9 +414,10 @@ + # + AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC], + [ +- AC_MSG_CHECKING([if elliptic curve crypto implementation is present]) ++ AC_REQUIRE([LIB_SETUP_MISC_LIBS]) ++ AC_MSG_CHECKING([if the elliptic curve crypto implementation is present]) + +- if test -d "${SRC_ROOT}/jdk/src/share/native/sun/security/ec/impl"; then ++ if test "x${system_nss}" = "xyes" -o -d "${SRC_ROOT}/jdk/src/share/native/sun/security/ec/impl"; then + ENABLE_INTREE_EC=yes + AC_MSG_RESULT([yes]) + else +diff -r 92af9369869f common/autoconf/libraries.m4 +--- openjdk/common/autoconf/libraries.m4 Thu Jan 21 22:17:02 2016 +0000 ++++ openjdk/common/autoconf/libraries.m4 Wed Jan 27 05:32:12 2016 +0000 +@@ -731,6 +731,47 @@ + LIBDL="$LIBS" + AC_SUBST(LIBDL) + LIBS="$save_LIBS" ++ ++ ############################################################################### ++ # ++ # Check for the NSS libraries ++ # ++ ++ AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries]) ++ ++ # default is bundled ++ DEFAULT_SYSTEM_NSS=no ++ ++ AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss], ++ [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ system_nss=yes ++ ;; ++ *) ++ system_nss=no ++ ;; ++ esac ++ ], ++ [ ++ system_nss=${DEFAULT_SYSTEM_NSS} ++ ]) ++ AC_MSG_RESULT([$system_nss]) ++ ++ if test "x${system_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no]) ++ if test "x${NSS_SOFTOKN_FOUND}" = "xyes"; then ++ NSS_LIBS="$NSS_LIBS -lfreebl"; ++ USE_EXTERNAL_NSS=true ++ else ++ AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.]) ++ fi ++ else ++ USE_EXTERNAL_NSS=false ++ fi ++ AC_SUBST(USE_EXTERNAL_NSS) ++ + ]) + + AC_DEFUN_ONCE([LIB_SETUP_STATIC_LINK_LIBSTDCPP], +diff -r 92af9369869f common/autoconf/spec.gmk.in +--- openjdk/common/autoconf/spec.gmk.in Thu Jan 21 22:17:02 2016 +0000 ++++ openjdk/common/autoconf/spec.gmk.in Wed Jan 27 05:32:12 2016 +0000 +@@ -647,6 +647,9 @@ + # Read-only single-machine data + INSTALL_SYSCONFDIR=@sysconfdir@ + ++USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ + + #################################################### + # diff --git a/pr2127.patch b/pr2127.patch new file mode 100644 index 0000000..b08822a --- /dev/null +++ b/pr2127.patch @@ -0,0 +1,178 @@ +# HG changeset patch +# User andrew +# Date 1453866306 0 +# Wed Jan 27 03:45:06 2016 +0000 +# Node ID 0ff7720931e8dbf7de25720bdc93b18527ab89e8 +# Parent 48c15869ecd568263249af4b9a4e98d4e57f9a8f +PR2127: SunEC provider crashes when built using system NSS +Summary: Use NSS memory management functions + +diff -r 48c15869ecd5 -r 0ff7720931e8 src/share/native/sun/security/ec/ECC_JNI.cpp +--- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Wed Jan 27 02:54:06 2016 +0000 ++++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Wed Jan 27 03:45:06 2016 +0000 +@@ -32,6 +32,13 @@ + #define INVALID_PARAMETER_EXCEPTION \ + "java/security/InvalidParameterException" + #define KEY_EXCEPTION "java/security/KeyException" ++#define INTERNAL_ERROR "java/lang/InternalError" ++ ++#ifdef SYSTEM_NSS ++#define SYSTEM_UNUSED(x) UNUSED(x) ++#else ++#define SYSTEM_UNUSED(x) x ++#endif + + extern "C" { + +@@ -49,8 +56,13 @@ + /* + * Deep free of the ECParams struct + */ +-void FreeECParams(ECParams *ecparams, jboolean freeStruct) ++void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct)) + { ++#ifdef SYSTEM_NSS ++ // Needs to be freed using the matching method to the one ++ // that allocated it. PR_TRUE means the memory is zeroed. ++ PORT_FreeArena(ecparams->arena, PR_TRUE); ++#else + // Use B_FALSE to free the SECItem->data element, but not the SECItem itself + // Use B_TRUE to free both + +@@ -64,6 +76,7 @@ + SECITEM_FreeItem(&ecparams->curveOID, B_FALSE); + if (freeStruct) + free(ecparams); ++#endif + } + + jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem) +@@ -108,6 +121,13 @@ + goto cleanup; + } + ++#ifdef SYSTEM_NSS ++ if (SECOID_Init() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ goto cleanup; ++ } ++#endif ++ + // Fill a new ECParams using the supplied OID + if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) { + /* bad curve OID */ +@@ -163,16 +183,26 @@ + if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); ++#ifdef SYSTEM_NSS ++ if (SECOID_Shutdown() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ } ++#endif + } + if (ecparams) { + FreeECParams(ecparams, true); + } + if (privKey) { + FreeECParams(&privKey->ecParams, false); ++#ifndef SYSTEM_NSS ++ // The entire ECPrivateKey is allocated in the arena ++ // when using system NSS, so only the in-tree version ++ // needs to clear these manually. + SECITEM_FreeItem(&privKey->version, B_FALSE); + SECITEM_FreeItem(&privKey->privateValue, B_FALSE); + SECITEM_FreeItem(&privKey->publicValue, B_FALSE); + free(privKey); ++#endif + } + + if (pSeedBuffer) { +@@ -223,6 +253,13 @@ + goto cleanup; + } + ++#ifdef SYSTEM_NSS ++ if (SECOID_Init() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ goto cleanup; ++ } ++#endif ++ + // Fill a new ECParams using the supplied OID + if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) { + /* bad curve OID */ +@@ -270,6 +307,11 @@ + if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); ++#ifdef SYSTEM_NSS ++ if (SECOID_Shutdown() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ } ++#endif + } + if (privKey.privateValue.data) { + env->ReleaseByteArrayElements(privateKey, +@@ -336,6 +378,13 @@ + goto cleanup; + } + ++#ifdef SYSTEM_NSS ++ if (SECOID_Init() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ goto cleanup; ++ } ++#endif ++ + // Fill a new ECParams using the supplied OID + if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) { + /* bad curve OID */ +@@ -356,9 +405,15 @@ + + cleanup: + { +- if (params_item.data) ++ if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); ++#ifdef SYSTEM_NSS ++ if (SECOID_Shutdown() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ } ++#endif ++ } + + if (pubKey.publicValue.data) + env->ReleaseByteArrayElements(publicKey, +@@ -419,6 +474,13 @@ + goto cleanup; + } + ++#ifdef SYSTEM_NSS ++ if (SECOID_Init() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ goto cleanup; ++ } ++#endif ++ + // Fill a new ECParams using the supplied OID + if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) { + /* bad curve OID */ +@@ -460,9 +522,15 @@ + env->ReleaseByteArrayElements(publicKey, + (jbyte *) publicValue_item.data, JNI_ABORT); + +- if (params_item.data) ++ if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); ++#ifdef SYSTEM_NSS ++ if (SECOID_Shutdown() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ } ++#endif ++ } + + if (ecparams) + FreeECParams(ecparams, true); diff --git a/pr2815.patch b/pr2815.patch new file mode 100644 index 0000000..db14f10 --- /dev/null +++ b/pr2815.patch @@ -0,0 +1,189 @@ +# HG changeset patch +# User andrew +# Date 1453867347 0 +# Wed Jan 27 04:02:27 2016 +0000 +# Node ID 26e2e029ee256e9815fdc324831a03d8582255e1 +# Parent 0ff7720931e8dbf7de25720bdc93b18527ab89e8 +PR2815: Race condition in SunEC provider with system NSS +Summary: Perform initialisation and shutdown only when library is loaded or SunEC is finalized respectively + +diff -r 0ff7720931e8 -r 26e2e029ee25 make/mapfiles/libsunec/mapfile-vers +--- openjdk/jdk/make/mapfiles/libsunec/mapfile-vers Wed Jan 27 03:45:06 2016 +0000 ++++ openjdk/jdk/make/mapfiles/libsunec/mapfile-vers Wed Jan 27 04:02:27 2016 +0000 +@@ -31,6 +31,8 @@ + Java_sun_security_ec_ECDSASignature_signDigest; + Java_sun_security_ec_ECDSASignature_verifySignedDigest; + Java_sun_security_ec_ECDHKeyAgreement_deriveKey; ++ Java_sun_security_ec_SunEC_initialize; ++ Java_sun_security_ec_SunEC_cleanup; + local: + *; + }; +diff -r 0ff7720931e8 -r 26e2e029ee25 src/share/classes/sun/security/ec/SunEC.java +--- openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java Wed Jan 27 03:45:06 2016 +0000 ++++ openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java Wed Jan 27 04:02:27 2016 +0000 +@@ -58,6 +58,7 @@ + AccessController.doPrivileged(new PrivilegedAction() { + public Void run() { + System.loadLibrary("sunec"); // check for native library ++ initialize(); + return null; + } + }); +@@ -81,4 +82,22 @@ + } + } + ++ /** ++ * Cleanup native resources during finalisation. ++ */ ++ @Override ++ protected void finalize() { ++ cleanup(); ++ } ++ ++ /** ++ * Initialize the native code. ++ */ ++ private static native void initialize(); ++ ++ /** ++ * Cleanup in the native layer. ++ */ ++ private static native void cleanup(); ++ + } +diff -r 0ff7720931e8 -r 26e2e029ee25 src/share/native/sun/security/ec/ECC_JNI.cpp +--- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Wed Jan 27 03:45:06 2016 +0000 ++++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Wed Jan 27 04:02:27 2016 +0000 +@@ -121,13 +121,6 @@ + goto cleanup; + } + +-#ifdef SYSTEM_NSS +- if (SECOID_Init() != SECSuccess) { +- ThrowException(env, INTERNAL_ERROR); +- goto cleanup; +- } +-#endif +- + // Fill a new ECParams using the supplied OID + if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) { + /* bad curve OID */ +@@ -183,11 +176,6 @@ + if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); +-#ifdef SYSTEM_NSS +- if (SECOID_Shutdown() != SECSuccess) { +- ThrowException(env, INTERNAL_ERROR); +- } +-#endif + } + if (ecparams) { + FreeECParams(ecparams, true); +@@ -253,13 +241,6 @@ + goto cleanup; + } + +-#ifdef SYSTEM_NSS +- if (SECOID_Init() != SECSuccess) { +- ThrowException(env, INTERNAL_ERROR); +- goto cleanup; +- } +-#endif +- + // Fill a new ECParams using the supplied OID + if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) { + /* bad curve OID */ +@@ -307,11 +288,6 @@ + if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); +-#ifdef SYSTEM_NSS +- if (SECOID_Shutdown() != SECSuccess) { +- ThrowException(env, INTERNAL_ERROR); +- } +-#endif + } + if (privKey.privateValue.data) { + env->ReleaseByteArrayElements(privateKey, +@@ -378,13 +354,6 @@ + goto cleanup; + } + +-#ifdef SYSTEM_NSS +- if (SECOID_Init() != SECSuccess) { +- ThrowException(env, INTERNAL_ERROR); +- goto cleanup; +- } +-#endif +- + // Fill a new ECParams using the supplied OID + if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) { + /* bad curve OID */ +@@ -408,11 +377,6 @@ + if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); +-#ifdef SYSTEM_NSS +- if (SECOID_Shutdown() != SECSuccess) { +- ThrowException(env, INTERNAL_ERROR); +- } +-#endif + } + + if (pubKey.publicValue.data) +@@ -474,13 +438,6 @@ + goto cleanup; + } + +-#ifdef SYSTEM_NSS +- if (SECOID_Init() != SECSuccess) { +- ThrowException(env, INTERNAL_ERROR); +- goto cleanup; +- } +-#endif +- + // Fill a new ECParams using the supplied OID + if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) { + /* bad curve OID */ +@@ -525,11 +482,6 @@ + if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); +-#ifdef SYSTEM_NSS +- if (SECOID_Shutdown() != SECSuccess) { +- ThrowException(env, INTERNAL_ERROR); +- } +-#endif + } + + if (ecparams) +@@ -539,4 +491,26 @@ + return jSecret; + } + ++JNIEXPORT void ++JNICALL Java_sun_security_ec_SunEC_initialize ++ (JNIEnv *env, jclass UNUSED(clazz)) ++{ ++#ifdef SYSTEM_NSS ++ if (SECOID_Init() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ } ++#endif ++} ++ ++JNIEXPORT void ++JNICALL Java_sun_security_ec_SunEC_cleanup ++ (JNIEnv *env, jclass UNUSED(clazz)) ++{ ++#ifdef SYSTEM_NSS ++ if (SECOID_Shutdown() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ } ++#endif ++} ++ + } /* extern "C" */ diff --git a/removeSunEcProvider-RH1154143.patch b/removeSunEcProvider-RH1154143.patch deleted file mode 100644 index 02955a2..0000000 --- a/removeSunEcProvider-RH1154143.patch +++ /dev/null @@ -1,33 +0,0 @@ -diff -r 1fe56343ecc8 src/share/lib/security/java.security-linux ---- openjdk/jdk/src/share/lib/security/java.security-linux Tue Jan 12 21:01:12 2016 +0000 -+++ openjdk/jdk/src/share/lib/security/java.security-linux Tue Jan 12 23:59:19 2016 +0000 -@@ -67,13 +67,13 @@ - # - security.provider.1=sun.security.provider.Sun - security.provider.2=sun.security.rsa.SunRsaSign --security.provider.3=sun.security.ec.SunEC --security.provider.4=com.sun.net.ssl.internal.ssl.Provider --security.provider.5=com.sun.crypto.provider.SunJCE --security.provider.6=sun.security.jgss.SunProvider --security.provider.7=com.sun.security.sasl.Provider --security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI --security.provider.9=sun.security.smartcardio.SunPCSC -+security.provider.3=com.sun.net.ssl.internal.ssl.Provider -+security.provider.4=com.sun.crypto.provider.SunJCE -+security.provider.5=sun.security.jgss.SunProvider -+security.provider.6=com.sun.security.sasl.Provider -+security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI -+security.provider.8=sun.security.smartcardio.SunPCSC -+ - - # - # Sun Provider SecureRandom seed source. -@@ -509,7 +509,7 @@ - # - # Example: - # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 --jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768 -+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC, ECDHE, ECDH - - # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) - # processing in JSSE implementation. diff --git a/remove_aarch64_jvm.cfg_divergence.patch b/remove_aarch64_jvm.cfg_divergence.patch index 586e6f2..64aeb57 100644 --- a/remove_aarch64_jvm.cfg_divergence.patch +++ b/remove_aarch64_jvm.cfg_divergence.patch @@ -1,18 +1,3 @@ -diff --git openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp b/java-1.8.0-openjdk-1.8.0.72-5.b15.fc24.x86_64/openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp -index ef50802..9d604d5 100644 ---- openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp -+++ openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp -@@ -194,10 +194,6 @@ static int reg2offset_out(VMReg r) { - return (r->reg2stack() + SharedRuntime::out_preserve_stack_slots()) * VMRegImpl::stack_slot_size; - } - --template static const T& min (const T& a, const T& b) { -- return (a > b) ? b : a; --} -- - // --------------------------------------------------------------------------- - // Read the array of BasicTypes from a signature, and compute where the - // arguments should go. Values in the VMRegPair regs array refer to 4-byte diff -r 57824090cf28 src/share/bin/java.c --- openjdk/jdk/src/share/bin/java.c Fri Feb 05 17:41:45 2016 +0000 +++ openjdk/jdk/src/share/bin/java.c Thu Feb 18 03:43:51 2016 +0000 diff --git a/remove_aarch64_template_for_gcc6.patch b/remove_aarch64_template_for_gcc6.patch new file mode 100644 index 0000000..298badd --- /dev/null +++ b/remove_aarch64_template_for_gcc6.patch @@ -0,0 +1,15 @@ +diff --git openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp b/java-1.8.0-openjdk-1.8.0.72-5.b15.fc24.x86_64/openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp +index ef50802..9d604d5 100644 +--- openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp ++++ openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp +@@ -194,10 +194,6 @@ static int reg2offset_out(VMReg r) { + return (r->reg2stack() + SharedRuntime::out_preserve_stack_slots()) * VMRegImpl::stack_slot_size; + } + +-template static const T& min (const T& a, const T& b) { +- return (a > b) ? b : a; +-} +- + // --------------------------------------------------------------------------- + // Read the array of BasicTypes from a signature, and compute where the + // arguments should go. Values in the VMRegPair regs array refer to 4-byte diff --git a/sources b/sources index 8131325..1f2907c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 94ca5a45c3cb3b85c4577d0891166007 systemtap-tapset.tar.gz -a21f6b0591cd79ab10192c69cf85cd3f aarch64-port-jdk8u-aarch64-jdk8u72-b15.tar.xz +29b804c787abbbf2e2dc4189c83c982c aarch64-port-jdk8u-aarch64-jdk8u72-b15-ec.tar.xz