Add patches to allow the SunEC provider to be built with the system NSS install.

Re-generate source tarball so it includes ecc_impl.h.
Adjust tarball generation script to allow ecc_impl.h to be included.
Bring over NSS changes from java-1.7.0-openjdk spec file (NSS_CFLAGS/NSS_LIBS)
Remove patch which disables the SunEC provider as it is now usable.
Correct spelling mistakes in tarball generation script.
Resolves: rhbz#1019554

.gitignore

@@ -51,3 +51,4 @@
 /aarch64-port-jdk8u60-aarch64-jdk8u65-b17.tar.xz
 /aarch64-jdk8u71-b15.tar.xz
 /aarch64-port-jdk8u-aarch64-jdk8u72-b15.tar.xz
+/aarch64-port-jdk8u-aarch64-jdk8u72-b15-ec.tar.xz

generate_source_tarball.sh

@@ -2,7 +2,7 @@
 # Generates the 'source tarball' for JDK 8 projects.
 #
 # Example:
-# When used from local repo set REPO_ROOT pointing to file:// wth your repo
+# When used from local repo set REPO_ROOT pointing to file:// with your repo
 # if your local repo follows upstream forests conventions, you may be enough by setting OPENJDK_URL
 # if you wont to use local copy of patch PR2126 set path to it to PR2126 variable
 #
@@ -29,7 +29,7 @@ if [ "x$1" = "xhelp" ] ; then
     echo "VERSION - the version of the specified OpenJDK project"
     echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)"
     echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)"
-    echo "OPENJDK_URL - the URL to retrive code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
+    echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
     echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})"
     echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
     echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)"
@@ -98,7 +98,11 @@ done
 
 
 echo "Removing EC source code we don't build"
+
+mv -v jdk/src/share/native/sun/security/ec/impl/ecc_impl.h .
 rm -vrf jdk/src/share/native/sun/security/ec/impl
+mkdir jdk/src/share/native/sun/security/ec/impl
+mv -v ecc_impl.h jdk/src/share/native/sun/security/ec/impl
 
 echo "Syncing EC list with NSS"
 if [ "x$PR2126" = "x" ] ; then
@@ -113,7 +117,7 @@ else
 fi;
 
 popd
-echo "Compresing remaining forest"
+echo "Compressing remaining forest"
 if [ "X$COMPRESSION" = "Xxz" ] ; then
     tar --exclude-vcs -cJf ${FILE_NAME_ROOT}.tar.${COMPRESSION} openjdk
 else
@@ -122,6 +126,6 @@ fi
 
 mv ${FILE_NAME_ROOT}.tar.${COMPRESSION}  ..
 popd
-echo "Done, you may wont to remove freshly cloned repo..."
+echo "Done. You may want to remove the uncompressed version."
 
 

java-1.8.0-openjdk.spec

@@ -82,6 +82,8 @@
 #looks liekopenjdk RPM specific bug
 # Always set this so the nss.cfg file is not broken
 %global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+%global NSS_LIBS %(pkg-config --libs nss)
+%global NSS_CFLAGS %(pkg-config --cflags nss-softokn)
 
 # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
 %global _privatelibs libmawt[.]so.*
@@ -735,7 +737,7 @@ Obsoletes: java-1.7.0-openjdk-accessibility%1
 
 Name:    java-%{javaver}-%{origin}
 Version: %{javaver}.%{updatever}
-Release: 10.%{buildver}%{?dist}
+Release: 11.%{buildver}%{?dist}
 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons,
 # and this change was brought into RHEL-4.  java-1.5.0-ibm packages
 # also included the epoch in their virtual provides.  This created a
@@ -755,9 +757,9 @@ URL:      http://openjdk.java.net/
 
 # aarch64-port now contains integration forest of both aarch64 and normal jdk
 # Source from upstream OpenJDK8 project. To regenerate, use
-# VERSION=aarch64-jdk8u71-b15 FILE_NAME_ROOT=${VERSION}
+# VERSION=aarch64-jdk8u72-b15 FILE_NAME_ROOT=aarch64-port-jdk8u-${VERSION}-ec
 # REPO_ROOT=<path to checked-out repository> generate_source_tarball.sh
-Source0: %{project}-%{repo}-%{revision}.tar.xz
+Source0: %{project}-%{repo}-%{revision}-ec.tar.xz
 
 # Custom README for -src subpackage
 Source2:  README.src
@@ -800,10 +802,18 @@ Patch3: java-atk-wrapper-security.patch
 Patch5: multiple-pkcs11-library-init.patch
 # PR2095, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure (sync with IcedTea 2.x)
 Patch504: rh1163501.patch
-# S4890063, PR2304, RH1214835: HPROF: default text truncated when using doe=n option (upstreaming post-CPU 2015/07)
+# S4890063, PR2304, RH1214835: HPROF: default text truncated when using doe=n option
 Patch511: rh1214835.patch
 # Turn off strict overflow on IndicRearrangementProcessor{,2}.cpp following 8140543: Arrange font actions
 Patch512: no_strict_overflow.patch
+# Support for building the SunEC provider with the system NSS installation
+# PR1983: Support using the system installation of NSS with the SunEC provider
+# PR2127: SunEC provider crashes when built using system NSS
+# PR2815: Race condition in SunEC provider with system NSS
+Patch513: pr1983-jdk.patch
+Patch514: pr1983-root.patch
+Patch515: pr2127.patch
+Patch516: pr2815.patch
 
 # Arch-specific upstreamable patches
 # PR2415: JVM -Xmx requirement is too high on s390
@@ -818,6 +828,8 @@ Patch103: s390-size_t_format_flags.patch
 Patch104: remove_aarch64_jvm.cfg_divergence.patch
 # RH1300630, 8147805: aarch64: C1 segmentation fault due to inline Unsafe.getAndSetObject
 Patch105: rh1300630.patch
+# Remove template in AArch64 port which causes issues with GCC 6
+Patch106: remove_aarch64_template_for_gcc6.patch
 
 # Patches which need backporting to 8u
 # S8073139, RH1191652; fix name of ppc64le architecture
@@ -852,8 +864,6 @@ Patch505: 8143855.patch
 Patch201: system-libjpeg.patch
 
 # Local fixes
-# Turns off ECC support as we don't ship the SunEC provider currently
-Patch12: removeSunEcProvider-RH1154143.patch
 
 # Non-OpenJDK fixes
 Patch300: jstack-pr1845.patch
@@ -892,6 +902,9 @@ BuildRequires: libffi-devel
 BuildRequires: tzdata-java >= 2015d
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
+# Build requirements for SunEC system NSS support
+BuildRequires: nss-softokn-freebl-devel >= 3.16.1
+
 # cacerts build requirement.
 BuildRequires: openssl
 %if %{with_systemtap}
@@ -1109,7 +1122,6 @@ sh %{SOURCE12}
 %patch3
 %patch5
 %patch7
-%patch12
 
 # s390 build fixes
 %patch100
@@ -1119,6 +1131,7 @@ sh %{SOURCE12}
 # aarch64 build fixes
 %patch104
 %patch105
+%patch106
 
 # Zero PPC fixes.
 %patch403
@@ -1136,6 +1149,10 @@ sh %{SOURCE12}
 %patch507
 %patch511
 %patch512
+%patch513
+%patch514
+%patch515
+%patch516
 
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -1218,6 +1235,8 @@ fi
 mkdir -p %{buildoutputdir $suffix}
 pushd %{buildoutputdir $suffix}
 
+NSS_LIBS="%{NSS_LIBS} -lfreebl" \
+NSS_CFLAGS="%{NSS_CFLAGS}" \
 bash ../../configure \
 %ifnarch %{jit_arches}
     --with-jvm-variants=zero \
@@ -1229,6 +1248,7 @@ bash ../../configure \
     --with-boot-jdk=/usr/lib/jvm/java-openjdk \
     --with-debug-level=$debugbuild \
     --enable-unlimited-crypto \
+    --enable-system-nss \
     --with-zlib=system \
     --with-libjpeg=system \
     --with-giflib=system \
@@ -1696,6 +1716,16 @@ require "copy_jdk_configs.lua"
 %endif
 
 %changelog
+* Wed Feb 24 2016 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.72-11.b15
+- Add patches to allow the SunEC provider to be built with the system NSS install.
+- Re-generate source tarball so it includes ecc_impl.h.
+- Adjust tarball generation script to allow ecc_impl.h to be included.
+- Bring over NSS changes from java-1.7.0-openjdk spec file (NSS_CFLAGS/NSS_LIBS)
+- Remove patch which disables the SunEC provider as it is now usable.
+- Correct spelling mistakes in tarball generation script.
+- Move completely unrelated AArch64 gcc 6 patch into separate file.
+- Resolves: rhbz#1019554 (fedora bug)
+
 * Tue Feb 23 2016 jvanek <jvanek@redhat.com> - 1:1.8.0.72-10.b15
 - returning accidentlay removed hunk from renamed and so wrongly merged remove_aarch64_jvm.cfg_divergence.patch
 

pr1983-jdk.patch

@@ -0,0 +1,693 @@
+# HG changeset patch
+# User andrew
+# Date 1453863246 0
+#      Wed Jan 27 02:54:06 2016 +0000
+# Node ID 48c15869ecd568263249af4b9a4e98d4e57f9a8f
+# Parent  afd392dfaed501ac674a7cc3e37353ce300969c7
+PR1983: Support using the system installation of NSS with the SunEC provider
+Summary: Apply code changes from PR1699 & PR1742 & forward-port Makefile changes to the new build.
+
+diff -r afd392dfaed5 -r 48c15869ecd5 make/lib/SecurityLibraries.gmk
+--- openjdk/jdk/make/lib/SecurityLibraries.gmk	Tue Jan 26 22:26:26 2016 +0000
++++ openjdk/jdk/make/lib/SecurityLibraries.gmk	Wed Jan 27 02:54:06 2016 +0000
+@@ -218,8 +218,17 @@
+ 
+ ifeq ($(ENABLE_INTREE_EC), yes)
+ 
+-  BUILD_LIBSUNEC_FLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/security/ec \
++  BUILD_LIBSUNEC_FLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/security/ec
++
++  ifeq ($(USE_EXTERNAL_NSS), true)
++    BUILD_LIBSUNEC_IMPL_DIR :=
++    BUILD_LIBSUNEC_FLAGS += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
++  else
++    BUILD_LIBSUNEC_IMPL_DIR := \
++      $(JDK_TOPDIR)/src/share/native/sun/security/ec/impl
++    BUILD_LIBSUNEC_FLAGS += \
+       -I$(JDK_TOPDIR)/src/share/native/sun/security/ec/impl
++  endif
+ 
+   #
+   # On sol-sparc...all libraries are compiled with -xregs=no%appl
+@@ -235,8 +244,8 @@
+   $(eval $(call SetupNativeCompilation,BUILD_LIBSUNEC, \
+       LIBRARY := sunec, \
+       OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
+-      SRC := $(JDK_TOPDIR)/src/share/native/sun/security/ec \
+-          $(JDK_TOPDIR)/src/share/native/sun/security/ec/impl, \
++      SRC := $(JDK_TOPDIR)/src/share/native/sun/security/ec/ECC_JNI.cpp \
++          $(BUILD_LIBSUNEC_IMPL_DIR), \
+       LANG := C++, \
+       OPTIMIZATION := LOW, \
+       CFLAGS := $(filter-out $(ECC_JNI_SOLSPARC_FILTER), $(CFLAGS_JDKLIB)) \
+@@ -248,8 +257,8 @@
+       LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \
+       LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \
+       LDFLAGS_SUFFIX := $(LIBCXX), \
+-      LDFLAGS_SUFFIX_linux := -lc, \
+-      LDFLAGS_SUFFIX_solaris := -lc, \
++      LDFLAGS_SUFFIX_linux := -lc $(NSS_LIBS), \
++      LDFLAGS_SUFFIX_solaris := -lc $(NSS_LIBS), \
+       VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \
+       RC_FLAGS := $(RC_FLAGS) \
+           -D "JDK_FNAME=sunec.dll" \
+diff -r afd392dfaed5 -r 48c15869ecd5 src/share/native/sun/security/ec/ECC_JNI.cpp
+--- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp	Tue Jan 26 22:26:26 2016 +0000
++++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp	Wed Jan 27 02:54:06 2016 +0000
+@@ -24,7 +24,7 @@
+  */
+ 
+ #include <jni.h>
+-#include "impl/ecc_impl.h"
++#include "ecc_impl.h"
+ 
+ #define ILLEGAL_STATE_EXCEPTION "java/lang/IllegalStateException"
+ #define INVALID_ALGORITHM_PARAMETER_EXCEPTION \
+@@ -89,7 +89,7 @@
+  */
+ JNIEXPORT jobjectArray
+ JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair
+-  (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed)
++  (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed)
+ {
+     ECPrivateKey *privKey = NULL; // contains both public and private values
+     ECParams *ecparams = NULL;
+@@ -190,7 +190,7 @@
+  */
+ JNIEXPORT jbyteArray
+ JNICALL Java_sun_security_ec_ECDSASignature_signDigest
+-  (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed)
++  (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed)
+ {
+     jbyte* pDigestBuffer = NULL;
+     jint jDigestLength = env->GetArrayLength(digest);
+@@ -299,7 +299,7 @@
+  */
+ JNIEXPORT jboolean
+ JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest
+-  (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
++  (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
+ {
+     jboolean isValid = false;
+ 
+@@ -384,7 +384,7 @@
+  */
+ JNIEXPORT jbyteArray
+ JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey
+-  (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
++  (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
+ {
+     jbyteArray jSecret = NULL;
+     ECParams *ecparams = NULL;
+diff -r afd392dfaed5 -r 48c15869ecd5 src/share/native/sun/security/ec/ecc_impl.h
+--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/jdk/src/share/native/sun/security/ec/ecc_impl.h	Wed Jan 27 02:54:06 2016 +0000
+@@ -0,0 +1,298 @@
++/*
++ * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
++ * Use is subject to license terms.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this library; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/* *********************************************************************
++ *
++ * The Original Code is the Netscape security libraries.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1994-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
++ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
++ *
++ * Last Modified Date from the Original Code: November 2013
++ *********************************************************************** */
++
++#ifndef _ECC_IMPL_H
++#define _ECC_IMPL_H
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++#include <sys/types.h>
++
++#ifdef SYSTEM_NSS
++#include <secitem.h>
++#include <secerr.h>
++#include <keythi.h>
++#ifdef LEGACY_NSS
++#include <softoken.h>
++#else
++#include <blapi.h>
++#endif
++#else
++#include "ecl-exp.h"
++#endif
++
++/*
++ * Multi-platform definitions
++ */
++#ifdef __linux__
++#define B_FALSE FALSE
++#define B_TRUE TRUE
++typedef unsigned char uint8_t;
++typedef unsigned long ulong_t;
++typedef enum { B_FALSE, B_TRUE } boolean_t;
++#endif /* __linux__ */
++
++#ifdef _ALLBSD_SOURCE
++#include <stdint.h>
++#define B_FALSE FALSE
++#define B_TRUE TRUE
++typedef unsigned long ulong_t;
++typedef enum boolean { B_FALSE, B_TRUE } boolean_t;
++#endif /* _ALLBSD_SOURCE */
++
++#ifdef AIX
++#define B_FALSE FALSE
++#define B_TRUE TRUE
++typedef unsigned char uint8_t;
++typedef unsigned long ulong_t;
++#endif /* AIX */
++
++#ifdef _WIN32
++typedef unsigned char uint8_t;
++typedef unsigned long ulong_t;
++typedef enum boolean { B_FALSE, B_TRUE } boolean_t;
++#define strdup _strdup          /* Replace POSIX name with ISO C++ name */
++#endif /* _WIN32 */
++
++#ifndef _KERNEL
++#include <stdlib.h>
++#endif  /* _KERNEL */
++
++#define EC_MAX_DIGEST_LEN 1024  /* max digest that can be signed */
++#define EC_MAX_POINT_LEN 145    /* max len of DER encoded Q */
++#define EC_MAX_VALUE_LEN 72     /* max len of ANSI X9.62 private value d */
++#define EC_MAX_SIG_LEN 144      /* max signature len for supported curves */
++#define EC_MIN_KEY_LEN  112     /* min key length in bits */
++#define EC_MAX_KEY_LEN  571     /* max key length in bits */
++#define EC_MAX_OID_LEN 10       /* max length of OID buffer */
++
++/*
++ * Various structures and definitions from NSS are here.
++ */
++
++#ifndef SYSTEM_NSS
++#ifdef _KERNEL
++#define PORT_ArenaAlloc(a, n, f)        kmem_alloc((n), (f))
++#define PORT_ArenaZAlloc(a, n, f)       kmem_zalloc((n), (f))
++#define PORT_ArenaGrow(a, b, c, d)      NULL
++#define PORT_ZAlloc(n, f)               kmem_zalloc((n), (f))
++#define PORT_Alloc(n, f)                kmem_alloc((n), (f))
++#else
++#define PORT_ArenaAlloc(a, n, f)        malloc((n))
++#define PORT_ArenaZAlloc(a, n, f)       calloc(1, (n))
++#define PORT_ArenaGrow(a, b, c, d)      NULL
++#define PORT_ZAlloc(n, f)               calloc(1, (n))
++#define PORT_Alloc(n, f)                malloc((n))
++#endif
++
++#define PORT_NewArena(b)                (char *)12345
++#define PORT_ArenaMark(a)               NULL
++#define PORT_ArenaUnmark(a, b)
++#define PORT_ArenaRelease(a, m)
++#define PORT_FreeArena(a, b)
++#define PORT_Strlen(s)                  strlen((s))
++#define PORT_SetError(e)
++
++#define PRBool                          boolean_t
++#define PR_TRUE                         B_TRUE
++#define PR_FALSE                        B_FALSE
++
++#ifdef _KERNEL
++#define PORT_Assert                     ASSERT
++#define PORT_Memcpy(t, f, l)            bcopy((f), (t), (l))
++#else
++#define PORT_Assert                     assert
++#define PORT_Memcpy(t, f, l)            memcpy((t), (f), (l))
++#endif
++
++#endif
++
++#define CHECK_OK(func) if (func == NULL) goto cleanup
++#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
++
++#ifndef SYSTEM_NSS
++typedef enum {
++        siBuffer = 0,
++        siClearDataBuffer = 1,
++        siCipherDataBuffer = 2,
++        siDERCertBuffer = 3,
++        siEncodedCertBuffer = 4,
++        siDERNameBuffer = 5,
++        siEncodedNameBuffer = 6,
++        siAsciiNameString = 7,
++        siAsciiString = 8,
++        siDEROID = 9,
++        siUnsignedInteger = 10,
++        siUTCTime = 11,
++        siGeneralizedTime = 12
++} SECItemType;
++
++typedef struct SECItemStr SECItem;
++
++struct SECItemStr {
++        SECItemType type;
++        unsigned char *data;
++        unsigned int len;
++};
++
++typedef SECItem SECKEYECParams;
++
++typedef enum { ec_params_explicit,
++               ec_params_named
++} ECParamsType;
++
++typedef enum { ec_field_GFp = 1,
++               ec_field_GF2m
++} ECFieldType;
++
++struct ECFieldIDStr {
++    int         size;   /* field size in bits */
++    ECFieldType type;
++    union {
++        SECItem  prime; /* prime p for (GFp) */
++        SECItem  poly;  /* irreducible binary polynomial for (GF2m) */
++    } u;
++    int         k1;     /* first coefficient of pentanomial or
++                         * the only coefficient of trinomial
++                         */
++    int         k2;     /* two remaining coefficients of pentanomial */
++    int         k3;
++};
++typedef struct ECFieldIDStr ECFieldID;
++
++struct ECCurveStr {
++        SECItem a;      /* contains octet stream encoding of
++                         * field element (X9.62 section 4.3.3)
++                         */
++        SECItem b;
++        SECItem seed;
++};
++typedef struct ECCurveStr ECCurve;
++
++typedef void PRArenaPool;
++
++struct ECParamsStr {
++    PRArenaPool * arena;
++    ECParamsType  type;
++    ECFieldID     fieldID;
++    ECCurve       curve;
++    SECItem       base;
++    SECItem       order;
++    int           cofactor;
++    SECItem       DEREncoding;
++    ECCurveName   name;
++    SECItem       curveOID;
++};
++typedef struct ECParamsStr ECParams;
++
++struct ECPublicKeyStr {
++    ECParams ecParams;
++    SECItem publicValue;   /* elliptic curve point encoded as
++                            * octet stream.
++                            */
++};
++typedef struct ECPublicKeyStr ECPublicKey;
++
++struct ECPrivateKeyStr {
++    ECParams ecParams;
++    SECItem publicValue;   /* encoded ec point */
++    SECItem privateValue;  /* private big integer */
++    SECItem version;       /* As per SEC 1, Appendix C, Section C.4 */
++};
++typedef struct ECPrivateKeyStr ECPrivateKey;
++
++typedef enum _SECStatus {
++        SECBufferTooSmall = -3,
++        SECWouldBlock = -2,
++        SECFailure = -1,
++        SECSuccess = 0
++} SECStatus;
++#endif
++
++#ifdef _KERNEL
++#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l))
++#else
++/*
++ This function is no longer required because the random bytes are now
++ supplied by the caller. Force a failure.
++*/
++#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure
++#endif
++#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
++#define MP_TO_SEC_ERROR(err)
++
++#define SECITEM_TO_MPINT(it, mp)                                        \
++        CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len))
++
++extern int ecc_knzero_random_generator(uint8_t *, size_t);
++extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t);
++
++#ifdef SYSTEM_NSS
++#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b)
++#define EC_NewKey(a,b,c,d,e) EC_NewKeyFromSeed(a,b,c,d)
++#define ECDSA_SignDigest(a,b,c,d,e,f) ECDSA_SignDigestWithSeed(a,b,c,d,e)
++#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c)
++#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e)
++#else
++extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int);
++
++extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int);
++extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *,
++    int);
++extern void SECITEM_FreeItem(SECItem *, boolean_t);
++
++/* This function has been modified to accept an array of random bytes */
++extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
++    const unsigned char* random, int randomlen, int);
++/* This function has been modified to accept an array of random bytes */
++extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *,
++    const unsigned char* random, int randomlen, int);
++extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *,
++    const SECItem *, int);
++extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
++    SECItem *, int);
++#endif
++
++#ifdef  __cplusplus
++}
++#endif
++
++#endif /* _ECC_IMPL_H */
+diff -r afd392dfaed5 -r 48c15869ecd5 src/share/native/sun/security/ec/impl/ecc_impl.h
+--- openjdk/jdk/src/share/native/sun/security/ec/impl/ecc_impl.h	Tue Jan 26 22:26:26 2016 +0000
++++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
+@@ -1,271 +0,0 @@
+-/*
+- * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
+- * Use is subject to license terms.
+- *
+- * This library is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU Lesser General Public
+- * License as published by the Free Software Foundation; either
+- * version 2.1 of the License, or (at your option) any later version.
+- *
+- * This library is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+- * Lesser General Public License for more details.
+- *
+- * You should have received a copy of the GNU Lesser General Public License
+- * along with this library; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-
+-/* *********************************************************************
+- *
+- * The Original Code is the Netscape security libraries.
+- *
+- * The Initial Developer of the Original Code is
+- * Netscape Communications Corporation.
+- * Portions created by the Initial Developer are Copyright (C) 1994-2000
+- * the Initial Developer. All Rights Reserved.
+- *
+- * Contributor(s):
+- *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+- *
+- * Last Modified Date from the Original Code: November 2013
+- *********************************************************************** */
+-
+-#ifndef _ECC_IMPL_H
+-#define _ECC_IMPL_H
+-
+-#ifdef __cplusplus
+-extern "C" {
+-#endif
+-
+-#include <sys/types.h>
+-#include "ecl-exp.h"
+-
+-/*
+- * Multi-platform definitions
+- */
+-#ifdef __linux__
+-#define B_FALSE FALSE
+-#define B_TRUE TRUE
+-typedef unsigned char uint8_t;
+-typedef unsigned long ulong_t;
+-typedef enum { B_FALSE, B_TRUE } boolean_t;
+-#endif /* __linux__ */
+-
+-#ifdef _ALLBSD_SOURCE
+-#include <stdint.h>
+-#define B_FALSE FALSE
+-#define B_TRUE TRUE
+-typedef unsigned long ulong_t;
+-typedef enum boolean { B_FALSE, B_TRUE } boolean_t;
+-#endif /* _ALLBSD_SOURCE */
+-
+-#ifdef AIX
+-#define B_FALSE FALSE
+-#define B_TRUE TRUE
+-typedef unsigned char uint8_t;
+-typedef unsigned long ulong_t;
+-#endif /* AIX */
+-
+-#ifdef _WIN32
+-typedef unsigned char uint8_t;
+-typedef unsigned long ulong_t;
+-typedef enum boolean { B_FALSE, B_TRUE } boolean_t;
+-#define strdup _strdup          /* Replace POSIX name with ISO C++ name */
+-#endif /* _WIN32 */
+-
+-#ifndef _KERNEL
+-#include <stdlib.h>
+-#endif  /* _KERNEL */
+-
+-#define EC_MAX_DIGEST_LEN 1024  /* max digest that can be signed */
+-#define EC_MAX_POINT_LEN 145    /* max len of DER encoded Q */
+-#define EC_MAX_VALUE_LEN 72     /* max len of ANSI X9.62 private value d */
+-#define EC_MAX_SIG_LEN 144      /* max signature len for supported curves */
+-#define EC_MIN_KEY_LEN  112     /* min key length in bits */
+-#define EC_MAX_KEY_LEN  571     /* max key length in bits */
+-#define EC_MAX_OID_LEN 10       /* max length of OID buffer */
+-
+-/*
+- * Various structures and definitions from NSS are here.
+- */
+-
+-#ifdef _KERNEL
+-#define PORT_ArenaAlloc(a, n, f)        kmem_alloc((n), (f))
+-#define PORT_ArenaZAlloc(a, n, f)       kmem_zalloc((n), (f))
+-#define PORT_ArenaGrow(a, b, c, d)      NULL
+-#define PORT_ZAlloc(n, f)               kmem_zalloc((n), (f))
+-#define PORT_Alloc(n, f)                kmem_alloc((n), (f))
+-#else
+-#define PORT_ArenaAlloc(a, n, f)        malloc((n))
+-#define PORT_ArenaZAlloc(a, n, f)       calloc(1, (n))
+-#define PORT_ArenaGrow(a, b, c, d)      NULL
+-#define PORT_ZAlloc(n, f)               calloc(1, (n))
+-#define PORT_Alloc(n, f)                malloc((n))
+-#endif
+-
+-#define PORT_NewArena(b)                (char *)12345
+-#define PORT_ArenaMark(a)               NULL
+-#define PORT_ArenaUnmark(a, b)
+-#define PORT_ArenaRelease(a, m)
+-#define PORT_FreeArena(a, b)
+-#define PORT_Strlen(s)                  strlen((s))
+-#define PORT_SetError(e)
+-
+-#define PRBool                          boolean_t
+-#define PR_TRUE                         B_TRUE
+-#define PR_FALSE                        B_FALSE
+-
+-#ifdef _KERNEL
+-#define PORT_Assert                     ASSERT
+-#define PORT_Memcpy(t, f, l)            bcopy((f), (t), (l))
+-#else
+-#define PORT_Assert                     assert
+-#define PORT_Memcpy(t, f, l)            memcpy((t), (f), (l))
+-#endif
+-
+-#define CHECK_OK(func) if (func == NULL) goto cleanup
+-#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
+-
+-typedef enum {
+-        siBuffer = 0,
+-        siClearDataBuffer = 1,
+-        siCipherDataBuffer = 2,
+-        siDERCertBuffer = 3,
+-        siEncodedCertBuffer = 4,
+-        siDERNameBuffer = 5,
+-        siEncodedNameBuffer = 6,
+-        siAsciiNameString = 7,
+-        siAsciiString = 8,
+-        siDEROID = 9,
+-        siUnsignedInteger = 10,
+-        siUTCTime = 11,
+-        siGeneralizedTime = 12
+-} SECItemType;
+-
+-typedef struct SECItemStr SECItem;
+-
+-struct SECItemStr {
+-        SECItemType type;
+-        unsigned char *data;
+-        unsigned int len;
+-};
+-
+-typedef SECItem SECKEYECParams;
+-
+-typedef enum { ec_params_explicit,
+-               ec_params_named
+-} ECParamsType;
+-
+-typedef enum { ec_field_GFp = 1,
+-               ec_field_GF2m
+-} ECFieldType;
+-
+-struct ECFieldIDStr {
+-    int         size;   /* field size in bits */
+-    ECFieldType type;
+-    union {
+-        SECItem  prime; /* prime p for (GFp) */
+-        SECItem  poly;  /* irreducible binary polynomial for (GF2m) */
+-    } u;
+-    int         k1;     /* first coefficient of pentanomial or
+-                         * the only coefficient of trinomial
+-                         */
+-    int         k2;     /* two remaining coefficients of pentanomial */
+-    int         k3;
+-};
+-typedef struct ECFieldIDStr ECFieldID;
+-
+-struct ECCurveStr {
+-        SECItem a;      /* contains octet stream encoding of
+-                         * field element (X9.62 section 4.3.3)
+-                         */
+-        SECItem b;
+-        SECItem seed;
+-};
+-typedef struct ECCurveStr ECCurve;
+-
+-typedef void PRArenaPool;
+-
+-struct ECParamsStr {
+-    PRArenaPool * arena;
+-    ECParamsType  type;
+-    ECFieldID     fieldID;
+-    ECCurve       curve;
+-    SECItem       base;
+-    SECItem       order;
+-    int           cofactor;
+-    SECItem       DEREncoding;
+-    ECCurveName   name;
+-    SECItem       curveOID;
+-};
+-typedef struct ECParamsStr ECParams;
+-
+-struct ECPublicKeyStr {
+-    ECParams ecParams;
+-    SECItem publicValue;   /* elliptic curve point encoded as
+-                            * octet stream.
+-                            */
+-};
+-typedef struct ECPublicKeyStr ECPublicKey;
+-
+-struct ECPrivateKeyStr {
+-    ECParams ecParams;
+-    SECItem publicValue;   /* encoded ec point */
+-    SECItem privateValue;  /* private big integer */
+-    SECItem version;       /* As per SEC 1, Appendix C, Section C.4 */
+-};
+-typedef struct ECPrivateKeyStr ECPrivateKey;
+-
+-typedef enum _SECStatus {
+-        SECBufferTooSmall = -3,
+-        SECWouldBlock = -2,
+-        SECFailure = -1,
+-        SECSuccess = 0
+-} SECStatus;
+-
+-#ifdef _KERNEL
+-#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l))
+-#else
+-/*
+- This function is no longer required because the random bytes are now
+- supplied by the caller. Force a failure.
+-*/
+-#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure
+-#endif
+-#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
+-#define MP_TO_SEC_ERROR(err)
+-
+-#define SECITEM_TO_MPINT(it, mp)                                        \
+-        CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len))
+-
+-extern int ecc_knzero_random_generator(uint8_t *, size_t);
+-extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t);
+-
+-extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int);
+-extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int);
+-extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *,
+-    int);
+-extern void SECITEM_FreeItem(SECItem *, boolean_t);
+-/* This function has been modified to accept an array of random bytes */
+-extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
+-    const unsigned char* random, int randomlen, int);
+-/* This function has been modified to accept an array of random bytes */
+-extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *,
+-    const unsigned char* random, int randomlen, int);
+-extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *,
+-    const SECItem *, int);
+-extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
+-    SECItem *, int);
+-
+-#ifdef  __cplusplus
+-}
+-#endif
+-
+-#endif /* _ECC_IMPL_H */
+diff -r afd392dfaed5 -r 48c15869ecd5 src/solaris/javavm/export/jni_md.h
+--- openjdk/jdk/src/solaris/javavm/export/jni_md.h	Tue Jan 26 22:26:26 2016 +0000
++++ openjdk/jdk/src/solaris/javavm/export/jni_md.h	Wed Jan 27 02:54:06 2016 +0000
+@@ -36,6 +36,11 @@
+   #define JNIEXPORT
+   #define JNIIMPORT
+ #endif
++#if (defined(__GNUC__)) || __has_attribute(unused)
++  #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__))
++#else
++  #define UNUSED(x) UNUSED_ ## x
++#endif
+ 
+ #define JNICALL
+ 

pr1983-root.patch

@@ -0,0 +1,89 @@
+# HG changeset patch
+# User andrew
+# Date 1453863007 0
+#      Wed Jan 27 02:50:07 2016 +0000
+# Node ID f0635543beb309c4da1bb88c906a76ee4b75e16d
+# Parent  4a5a0d4e1ae0feec2f47d17be380d6fcd5eff126
+PR1983: Support using the system installation of NSS with the SunEC provider
+Summary: Add new configure option --enable-system-nss
+
+diff -r 92af9369869f common/autoconf/jdk-options.m4
+--- openjdk/common/autoconf/jdk-options.m4	Thu Jan 21 22:17:02 2016 +0000
++++ openjdk/common/autoconf/jdk-options.m4	Wed Jan 27 05:32:12 2016 +0000
+@@ -414,9 +414,10 @@
+   #
+   AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC],
+   [
+-    AC_MSG_CHECKING([if elliptic curve crypto implementation is present])
++    AC_REQUIRE([LIB_SETUP_MISC_LIBS])
++    AC_MSG_CHECKING([if the elliptic curve crypto implementation is present])
+ 
+-    if test -d "${SRC_ROOT}/jdk/src/share/native/sun/security/ec/impl"; then
++    if test "x${system_nss}" = "xyes" -o -d "${SRC_ROOT}/jdk/src/share/native/sun/security/ec/impl"; then
+       ENABLE_INTREE_EC=yes
+       AC_MSG_RESULT([yes])
+     else
+diff -r 92af9369869f common/autoconf/libraries.m4
+--- openjdk/common/autoconf/libraries.m4	Thu Jan 21 22:17:02 2016 +0000
++++ openjdk/common/autoconf/libraries.m4	Wed Jan 27 05:32:12 2016 +0000
+@@ -731,6 +731,47 @@
+   LIBDL="$LIBS"
+   AC_SUBST(LIBDL)
+   LIBS="$save_LIBS"
++
++  ###############################################################################
++  #
++  # Check for the NSS libraries
++  #
++
++  AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries])
++
++  # default is bundled
++  DEFAULT_SYSTEM_NSS=no
++
++  AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss],
++     [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])],
++  [
++    case "${enableval}" in
++      yes)
++        system_nss=yes
++        ;;
++      *)
++        system_nss=no
++        ;;
++    esac
++  ],
++  [
++    system_nss=${DEFAULT_SYSTEM_NSS}
++  ])
++  AC_MSG_RESULT([$system_nss])
++
++  if test "x${system_nss}" = "xyes"; then
++      PKG_CHECK_MODULES(NSS, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no])
++      if test "x${NSS_SOFTOKN_FOUND}" = "xyes"; then
++          NSS_LIBS="$NSS_LIBS -lfreebl";
++	  USE_EXTERNAL_NSS=true
++      else
++	  AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.])
++      fi
++  else
++      USE_EXTERNAL_NSS=false
++  fi
++  AC_SUBST(USE_EXTERNAL_NSS)
++
+ ])
+ 
+ AC_DEFUN_ONCE([LIB_SETUP_STATIC_LINK_LIBSTDCPP],
+diff -r 92af9369869f common/autoconf/spec.gmk.in
+--- openjdk/common/autoconf/spec.gmk.in	Thu Jan 21 22:17:02 2016 +0000
++++ openjdk/common/autoconf/spec.gmk.in	Wed Jan 27 05:32:12 2016 +0000
+@@ -647,6 +647,9 @@
+ # Read-only single-machine data
+ INSTALL_SYSCONFDIR=@sysconfdir@
+ 
++USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
+ 
+ ####################################################
+ #

pr2127.patch

@@ -0,0 +1,178 @@
+# HG changeset patch
+# User andrew
+# Date 1453866306 0
+#      Wed Jan 27 03:45:06 2016 +0000
+# Node ID 0ff7720931e8dbf7de25720bdc93b18527ab89e8
+# Parent  48c15869ecd568263249af4b9a4e98d4e57f9a8f
+PR2127: SunEC provider crashes when built using system NSS
+Summary: Use NSS memory management functions
+
+diff -r 48c15869ecd5 -r 0ff7720931e8 src/share/native/sun/security/ec/ECC_JNI.cpp
+--- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp	Wed Jan 27 02:54:06 2016 +0000
++++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp	Wed Jan 27 03:45:06 2016 +0000
+@@ -32,6 +32,13 @@
+ #define INVALID_PARAMETER_EXCEPTION \
+         "java/security/InvalidParameterException"
+ #define KEY_EXCEPTION   "java/security/KeyException"
++#define INTERNAL_ERROR "java/lang/InternalError"
++
++#ifdef SYSTEM_NSS
++#define SYSTEM_UNUSED(x) UNUSED(x)
++#else
++#define SYSTEM_UNUSED(x) x
++#endif
+ 
+ extern "C" {
+ 
+@@ -49,8 +56,13 @@
+ /*
+  * Deep free of the ECParams struct
+  */
+-void FreeECParams(ECParams *ecparams, jboolean freeStruct)
++void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct))
+ {
++#ifdef SYSTEM_NSS
++    // Needs to be freed using the matching method to the one
++    // that allocated it. PR_TRUE means the memory is zeroed.
++    PORT_FreeArena(ecparams->arena, PR_TRUE);
++#else
+     // Use B_FALSE to free the SECItem->data element, but not the SECItem itself
+     // Use B_TRUE to free both
+ 
+@@ -64,6 +76,7 @@
+     SECITEM_FreeItem(&ecparams->curveOID, B_FALSE);
+     if (freeStruct)
+         free(ecparams);
++#endif
+ }
+ 
+ jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem)
+@@ -108,6 +121,13 @@
+         goto cleanup;
+     }
+ 
++#ifdef SYSTEM_NSS
++    if (SECOID_Init() != SECSuccess) {
++	ThrowException(env, INTERNAL_ERROR);
++	goto cleanup;
++    }
++#endif
++
+     // Fill a new ECParams using the supplied OID
+     if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+         /* bad curve OID */
+@@ -163,16 +183,26 @@
+         if (params_item.data) {
+             env->ReleaseByteArrayElements(encodedParams,
+                 (jbyte *) params_item.data, JNI_ABORT);
++#ifdef SYSTEM_NSS
++	    if (SECOID_Shutdown() != SECSuccess) {
++		ThrowException(env, INTERNAL_ERROR);
++	    }
++#endif
+         }
+         if (ecparams) {
+             FreeECParams(ecparams, true);
+         }
+         if (privKey) {
+             FreeECParams(&privKey->ecParams, false);
++#ifndef SYSTEM_NSS
++	    // The entire ECPrivateKey is allocated in the arena
++	    // when using system NSS, so only the in-tree version
++	    // needs to clear these manually.
+             SECITEM_FreeItem(&privKey->version, B_FALSE);
+             SECITEM_FreeItem(&privKey->privateValue, B_FALSE);
+             SECITEM_FreeItem(&privKey->publicValue, B_FALSE);
+             free(privKey);
++#endif
+         }
+ 
+         if (pSeedBuffer) {
+@@ -223,6 +253,13 @@
+         goto cleanup;
+     }
+ 
++#ifdef SYSTEM_NSS
++    if (SECOID_Init() != SECSuccess) {
++	ThrowException(env, INTERNAL_ERROR);
++	goto cleanup;
++    }
++#endif
++
+     // Fill a new ECParams using the supplied OID
+     if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+         /* bad curve OID */
+@@ -270,6 +307,11 @@
+         if (params_item.data) {
+             env->ReleaseByteArrayElements(encodedParams,
+                 (jbyte *) params_item.data, JNI_ABORT);
++#ifdef SYSTEM_NSS
++	    if (SECOID_Shutdown() != SECSuccess) {
++		ThrowException(env, INTERNAL_ERROR);
++	    }
++#endif
+         }
+         if (privKey.privateValue.data) {
+             env->ReleaseByteArrayElements(privateKey,
+@@ -336,6 +378,13 @@
+         goto cleanup;
+     }
+ 
++#ifdef SYSTEM_NSS
++    if (SECOID_Init() != SECSuccess) {
++	ThrowException(env, INTERNAL_ERROR);
++	goto cleanup;
++    }
++#endif
++
+     // Fill a new ECParams using the supplied OID
+     if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+         /* bad curve OID */
+@@ -356,9 +405,15 @@
+ 
+ cleanup:
+     {
+-        if (params_item.data)
++        if (params_item.data) {
+             env->ReleaseByteArrayElements(encodedParams,
+                 (jbyte *) params_item.data, JNI_ABORT);
++#ifdef SYSTEM_NSS
++	    if (SECOID_Shutdown() != SECSuccess) {
++		ThrowException(env, INTERNAL_ERROR);
++	    }
++#endif
++	}
+ 
+         if (pubKey.publicValue.data)
+             env->ReleaseByteArrayElements(publicKey,
+@@ -419,6 +474,13 @@
+         goto cleanup;
+     }
+ 
++#ifdef SYSTEM_NSS
++    if (SECOID_Init() != SECSuccess) {
++	ThrowException(env, INTERNAL_ERROR);
++	goto cleanup;
++    }
++#endif
++
+     // Fill a new ECParams using the supplied OID
+     if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+         /* bad curve OID */
+@@ -460,9 +522,15 @@
+             env->ReleaseByteArrayElements(publicKey,
+                 (jbyte *) publicValue_item.data, JNI_ABORT);
+ 
+-        if (params_item.data)
++        if (params_item.data) {
+             env->ReleaseByteArrayElements(encodedParams,
+                 (jbyte *) params_item.data, JNI_ABORT);
++#ifdef SYSTEM_NSS
++	    if (SECOID_Shutdown() != SECSuccess) {
++		ThrowException(env, INTERNAL_ERROR);
++	    }
++#endif
++	}
+ 
+         if (ecparams)
+             FreeECParams(ecparams, true);

pr2815.patch

@@ -0,0 +1,189 @@
+# HG changeset patch
+# User andrew
+# Date 1453867347 0
+#      Wed Jan 27 04:02:27 2016 +0000
+# Node ID 26e2e029ee256e9815fdc324831a03d8582255e1
+# Parent  0ff7720931e8dbf7de25720bdc93b18527ab89e8
+PR2815: Race condition in SunEC provider with system NSS
+Summary: Perform initialisation and shutdown only when library is loaded or SunEC is finalized respectively
+
+diff -r 0ff7720931e8 -r 26e2e029ee25 make/mapfiles/libsunec/mapfile-vers
+--- openjdk/jdk/make/mapfiles/libsunec/mapfile-vers	Wed Jan 27 03:45:06 2016 +0000
++++ openjdk/jdk/make/mapfiles/libsunec/mapfile-vers	Wed Jan 27 04:02:27 2016 +0000
+@@ -31,6 +31,8 @@
+                 Java_sun_security_ec_ECDSASignature_signDigest;
+                 Java_sun_security_ec_ECDSASignature_verifySignedDigest;
+                 Java_sun_security_ec_ECDHKeyAgreement_deriveKey;
++		Java_sun_security_ec_SunEC_initialize;
++		Java_sun_security_ec_SunEC_cleanup;
+         local:
+                 *;
+ };
+diff -r 0ff7720931e8 -r 26e2e029ee25 src/share/classes/sun/security/ec/SunEC.java
+--- openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java	Wed Jan 27 03:45:06 2016 +0000
++++ openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java	Wed Jan 27 04:02:27 2016 +0000
+@@ -58,6 +58,7 @@
+             AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                 public Void run() {
+                     System.loadLibrary("sunec"); // check for native library
++                    initialize();
+                     return null;
+                 }
+             });
+@@ -81,4 +82,22 @@
+         }
+     }
+ 
++    /**
++     * Cleanup native resources during finalisation.
++     */
++    @Override
++    protected void finalize() {
++        cleanup();
++    }
++
++    /**
++     * Initialize the native code.
++     */
++    private static native void initialize();
++
++    /**
++     * Cleanup in the native layer.
++     */
++    private static native void cleanup();
++
+ }
+diff -r 0ff7720931e8 -r 26e2e029ee25 src/share/native/sun/security/ec/ECC_JNI.cpp
+--- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp	Wed Jan 27 03:45:06 2016 +0000
++++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp	Wed Jan 27 04:02:27 2016 +0000
+@@ -121,13 +121,6 @@
+         goto cleanup;
+     }
+ 
+-#ifdef SYSTEM_NSS
+-    if (SECOID_Init() != SECSuccess) {
+-	ThrowException(env, INTERNAL_ERROR);
+-	goto cleanup;
+-    }
+-#endif
+-
+     // Fill a new ECParams using the supplied OID
+     if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+         /* bad curve OID */
+@@ -183,11 +176,6 @@
+         if (params_item.data) {
+             env->ReleaseByteArrayElements(encodedParams,
+                 (jbyte *) params_item.data, JNI_ABORT);
+-#ifdef SYSTEM_NSS
+-	    if (SECOID_Shutdown() != SECSuccess) {
+-		ThrowException(env, INTERNAL_ERROR);
+-	    }
+-#endif
+         }
+         if (ecparams) {
+             FreeECParams(ecparams, true);
+@@ -253,13 +241,6 @@
+         goto cleanup;
+     }
+ 
+-#ifdef SYSTEM_NSS
+-    if (SECOID_Init() != SECSuccess) {
+-	ThrowException(env, INTERNAL_ERROR);
+-	goto cleanup;
+-    }
+-#endif
+-
+     // Fill a new ECParams using the supplied OID
+     if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+         /* bad curve OID */
+@@ -307,11 +288,6 @@
+         if (params_item.data) {
+             env->ReleaseByteArrayElements(encodedParams,
+                 (jbyte *) params_item.data, JNI_ABORT);
+-#ifdef SYSTEM_NSS
+-	    if (SECOID_Shutdown() != SECSuccess) {
+-		ThrowException(env, INTERNAL_ERROR);
+-	    }
+-#endif
+         }
+         if (privKey.privateValue.data) {
+             env->ReleaseByteArrayElements(privateKey,
+@@ -378,13 +354,6 @@
+         goto cleanup;
+     }
+ 
+-#ifdef SYSTEM_NSS
+-    if (SECOID_Init() != SECSuccess) {
+-	ThrowException(env, INTERNAL_ERROR);
+-	goto cleanup;
+-    }
+-#endif
+-
+     // Fill a new ECParams using the supplied OID
+     if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+         /* bad curve OID */
+@@ -408,11 +377,6 @@
+         if (params_item.data) {
+             env->ReleaseByteArrayElements(encodedParams,
+                 (jbyte *) params_item.data, JNI_ABORT);
+-#ifdef SYSTEM_NSS
+-	    if (SECOID_Shutdown() != SECSuccess) {
+-		ThrowException(env, INTERNAL_ERROR);
+-	    }
+-#endif
+ 	}
+ 
+         if (pubKey.publicValue.data)
+@@ -474,13 +438,6 @@
+         goto cleanup;
+     }
+ 
+-#ifdef SYSTEM_NSS
+-    if (SECOID_Init() != SECSuccess) {
+-	ThrowException(env, INTERNAL_ERROR);
+-	goto cleanup;
+-    }
+-#endif
+-
+     // Fill a new ECParams using the supplied OID
+     if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+         /* bad curve OID */
+@@ -525,11 +482,6 @@
+         if (params_item.data) {
+             env->ReleaseByteArrayElements(encodedParams,
+                 (jbyte *) params_item.data, JNI_ABORT);
+-#ifdef SYSTEM_NSS
+-	    if (SECOID_Shutdown() != SECSuccess) {
+-		ThrowException(env, INTERNAL_ERROR);
+-	    }
+-#endif
+ 	}
+ 
+         if (ecparams)
+@@ -539,4 +491,26 @@
+     return jSecret;
+ }
+ 
++JNIEXPORT void
++JNICALL Java_sun_security_ec_SunEC_initialize
++  (JNIEnv *env, jclass UNUSED(clazz))
++{
++#ifdef SYSTEM_NSS
++    if (SECOID_Init() != SECSuccess) {
++	ThrowException(env, INTERNAL_ERROR);
++    }
++#endif
++}
++
++JNIEXPORT void
++JNICALL Java_sun_security_ec_SunEC_cleanup
++  (JNIEnv *env, jclass UNUSED(clazz))
++{
++#ifdef SYSTEM_NSS
++    if (SECOID_Shutdown() != SECSuccess) {
++	ThrowException(env, INTERNAL_ERROR);
++    }
++#endif
++}
++
+ } /* extern "C" */

removeSunEcProvider-RH1154143.patch

@@ -1,33 +0,0 @@
-diff -r 1fe56343ecc8 src/share/lib/security/java.security-linux
---- openjdk/jdk/src/share/lib/security/java.security-linux	Tue Jan 12 21:01:12 2016 +0000
-+++ openjdk/jdk/src/share/lib/security/java.security-linux	Tue Jan 12 23:59:19 2016 +0000
-@@ -67,13 +67,13 @@
- #
- security.provider.1=sun.security.provider.Sun
- security.provider.2=sun.security.rsa.SunRsaSign
--security.provider.3=sun.security.ec.SunEC
--security.provider.4=com.sun.net.ssl.internal.ssl.Provider
--security.provider.5=com.sun.crypto.provider.SunJCE
--security.provider.6=sun.security.jgss.SunProvider
--security.provider.7=com.sun.security.sasl.Provider
--security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
--security.provider.9=sun.security.smartcardio.SunPCSC
-+security.provider.3=com.sun.net.ssl.internal.ssl.Provider
-+security.provider.4=com.sun.crypto.provider.SunJCE
-+security.provider.5=sun.security.jgss.SunProvider
-+security.provider.6=com.sun.security.sasl.Provider
-+security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
-+security.provider.8=sun.security.smartcardio.SunPCSC
-+
- 
- #
- # Sun Provider SecureRandom seed source.
-@@ -509,7 +509,7 @@
- #
- # Example:
- #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
--jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
-+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC, ECDHE, ECDH
- 
- # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
- # processing in JSSE implementation.

remove_aarch64_jvm.cfg_divergence.patch

@@ -1,18 +1,3 @@
-diff --git openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp b/java-1.8.0-openjdk-1.8.0.72-5.b15.fc24.x86_64/openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp
-index ef50802..9d604d5 100644
---- openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp
-+++ openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp
-@@ -194,10 +194,6 @@ static int reg2offset_out(VMReg r) {
-   return (r->reg2stack() + SharedRuntime::out_preserve_stack_slots()) * VMRegImpl::stack_slot_size;
- }
- 
--template <class T> static const T& min (const T& a, const T& b) {
--  return (a > b) ? b : a;
--}
--
- // ---------------------------------------------------------------------------
- // Read the array of BasicTypes from a signature, and compute where the
- // arguments should go.  Values in the VMRegPair regs array refer to 4-byte
 diff -r 57824090cf28 src/share/bin/java.c
 --- openjdk/jdk/src/share/bin/java.c	Fri Feb 05 17:41:45 2016 +0000
 +++ openjdk/jdk/src/share/bin/java.c	Thu Feb 18 03:43:51 2016 +0000

remove_aarch64_template_for_gcc6.patch

@@ -0,0 +1,15 @@
+diff --git openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp b/java-1.8.0-openjdk-1.8.0.72-5.b15.fc24.x86_64/openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp
+index ef50802..9d604d5 100644
+--- openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp
++++ openjdk/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp
+@@ -194,10 +194,6 @@ static int reg2offset_out(VMReg r) {
+   return (r->reg2stack() + SharedRuntime::out_preserve_stack_slots()) * VMRegImpl::stack_slot_size;
+ }
+ 
+-template <class T> static const T& min (const T& a, const T& b) {
+-  return (a > b) ? b : a;
+-}
+-
+ // ---------------------------------------------------------------------------
+ // Read the array of BasicTypes from a signature, and compute where the
+ // arguments should go.  Values in the VMRegPair regs array refer to 4-byte

sources

@@ -1,2 +1,2 @@
 94ca5a45c3cb3b85c4577d0891166007  systemtap-tapset.tar.gz
-a21f6b0591cd79ab10192c69cf85cd3f  aarch64-port-jdk8u-aarch64-jdk8u72-b15.tar.xz
+29b804c787abbbf2e2dc4189c83c982c  aarch64-port-jdk8u-aarch64-jdk8u72-b15-ec.tar.xz