From b66e592e094111997f2abd7b609f3dbcdaf446a8 Mon Sep 17 00:00:00 2001
From: Andrew Hughes
Date: Thu, 15 Aug 2019 22:01:36 +0100
Subject: [PATCH] Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it.
---
 java-1.8.0-openjdk-remove-intree-libraries.sh | 7 -
 java-1.8.0-openjdk.spec | 34 +-
 ..._of_nss_with_the_sunec_provider_jdk8.patch | 699 ------------------
 ...of_nss_with_the_sunec_provider_root8.patch | 89 ---
 ...e_of_nss_memory_management_functions.patch | 178 -----
 ...n_sunec_provider_with_system_nss_fix.patch | 189 -----
 ..._as_they_dont_fully_process_the_seed.patch | 24 -
 ...er_generator_and_feed_the_seed_to_it.patch | 91 ---
 ...es_leading_to_premature_nss_shutdown.patch | 67 --
 9 files changed, 4 insertions(+), 1374 deletions(-)
 delete mode 100644 pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk8.patch
 delete mode 100644 pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_root8.patch
 delete mode 100644 pr2127-sunec_provider_crashes_when_built_using_system_nss_thus_use_of_nss_memory_management_functions.patch
 delete mode 100644 pr2815-race_condition_in_sunec_provider_with_system_nss_fix.patch
 delete mode 100644 pr2899-dont_use_withseed_versions_of_nss_functions_as_they_dont_fully_process_the_seed.patch
 delete mode 100644 pr2934-sunec_provider_throwing_keyexception_withine.separator_current_nss_thus_initialise_the_random_number_generator_and_feed_the_seed_to_it.patch
 delete mode 100644 pr3479-rh1486025-sunec_provider_can_have_multiple_instances_leading_to_premature_nss_shutdown.patch
diff --git a/java-1.8.0-openjdk-remove-intree-libraries.sh b/java-1.8.0-openjdk-remove-intree-libraries.sh
index b52d016..201a220 100644
--- a/java-1.8.0-openjdk-remove-intree-libraries.sh
+++ b/java-1.8.0-openjdk-remove-intree-libraries.sh
@@ -129,10 +129,3 @@ rm -vf ${LCMS_SRC}/lcms2.h
 rm -vf ${LCMS_SRC}/lcms2_internal.h
 rm -vf ${LCMS_SRC}/lcms2_plugin.h
 fi
-
-# Get rid of in-tree SunEC until RH1656676 is implemented
-echo "Removing SunEC native code"
-mv -v openjdk/jdk/src/share/native/sun/security/ec/impl/ecc_impl.h .
-rm -vrf openjdk/jdk/src/share/native/sun/security/ec/impl
-mkdir openjdk/jdk/src/share/native/sun/security/ec/impl
-mv -v ecc_impl.h openjdk/jdk/src/share/native/sun/security/ec/impl
diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec
index 10542c8..cd2b92d 100644
--- a/java-1.8.0-openjdk.spec
+++ b/java-1.8.0-openjdk.spec
@@ -234,7 +234,7 @@
 %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease 2
+%global rpmrelease 3
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -897,9 +897,6 @@ Requires: javapackages-filesystem
 Requires: tzdata-java >= 2015d
 # libsctp.so.1 is being `dlopen`ed on demand
 Requires: lksctp-tools%{?_isa}
-# there is a need to depend on the exact version of NSS
-Requires: nss%{?_isa} %{NSS_BUILDTIME_VERSION}
-Requires: nss-softokn%{?_isa} %{NSSSOFTOKN_BUILDTIME_VERSION}
 # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
 # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
 # considered as regression
@@ -1115,20 +1112,6 @@ Patch529: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
 Patch531: rh1566890-CVE_2018_3639-speculative_store_bypass_toggle.patch
 # PR3601: Fix additional -Wreturn-type issues introduced by 8061651
 Patch530: pr3601-fix_additional_Wreturn_type_issues_introduced_by_8061651_for_prims_jvm_cpp.patch
-# Support for building the SunEC provider with the system NSS installation
-# PR1983: Support using the system installation of NSS with the SunEC provider
-# PR2127: SunEC provider crashes when built using system NSS
-# PR2815: Race condition in SunEC provider with system NSS
-# PR2899: Don't use WithSeed versions of NSS functions as they don't fully process the seed
-# PR2934: SunEC provider throwing KeyException with current NSS
-# PR3479, RH1486025: ECC and NSS JVM crash
-Patch513: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk8.patch
-Patch514: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_root8.patch
-Patch515: pr2127-sunec_provider_crashes_when_built_using_system_nss_thus_use_of_nss_memory_management_functions.patch
-Patch516: pr2815-race_condition_in_sunec_provider_with_system_nss_fix.patch
-Patch517: pr2899-dont_use_withseed_versions_of_nss_functions_as_they_dont_fully_process_the_seed.patch
-Patch518: pr2934-sunec_provider_throwing_keyexception_withine.separator_current_nss_thus_initialise_the_random_number_generator_and_feed_the_seed_to_it.patch
-Patch519: pr3479-rh1486025-sunec_provider_can_have_multiple_instances_leading_to_premature_nss_shutdown.patch
 # PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
 # PR3575, RH1567204: System cacerts database handling should not affect jssecacerts
 Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
@@ -1285,8 +1268,6 @@ BuildRequires: libffi-devel
 BuildRequires: tzdata-java >= 2015d
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
-# Build requirements for SunEC system NSS support
-BuildRequires: nss-softokn-freebl-devel >= 3.16.1
 %if %{with_systemtap}
 BuildRequires: systemtap-sdt-devel
@@ -1557,13 +1538,6 @@ sh %{SOURCE12}
 %patch502
 %patch504
 %patch512
-%patch513
-%patch514
-%patch515
-%patch516
-%patch517
-%patch518
-%patch519
 %patch400
 %patch523
 %patch528
@@ -1688,8 +1662,6 @@ top_dir_abs_path=$(pwd)/%{top_level_dir_name}
 mkdir -p %{buildoutputdir -- $suffix}
 pushd %{buildoutputdir -- $suffix}
-NSS_LIBS="%{NSS_LIBS} -lfreebl" \
-NSS_CFLAGS="%{NSS_CFLAGS}" \
 bash ../../configure \
 %ifnarch %{jit_arches}
 --with-jvm-variants=zero \
@@ -1701,7 +1673,6 @@ bash ../../configure \
 --with-boot-jdk=/usr/lib/jvm/java-openjdk \
 --with-debug-level=$debugbuild \
 --enable-unlimited-crypto \
- --enable-system-nss \
 --with-zlib=system \
 --with-libjpeg=system \
 --with-giflib=system \
@@ -2225,6 +2196,9 @@ require "copy_jdk_configs.lua"
 %endif
 %changelog
+* Thu Aug 15 2019 Andrew Hughes - 1:1.8.0.222.b10-3
+- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it.
+
 * Thu Aug 08 2019 Andrew Hughes - 1:1.8.0.222.b10-2
 - Drop unnecessary build requirement on gtk2-devel, as OpenJDK searches for Gtk+ at runtime.
 - Add missing build requirements for libXext-devel and libXrender-devel, previously masked by Gtk2+ dependency.
diff --git a/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk8.patch b/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk8.patch
deleted file mode 100644
index 31c285b..0000000
--- a/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk8.patch
+++ /dev/null
@@ -1,699 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1453863246 0 -# Wed Jan 27 02:54:06 2016 +0000 -# Node ID 48c15869ecd568263249af4b9a4e98d4e57f9a8f -# Parent afd392dfaed501ac674a7cc3e37353ce300969c7 -PR1983: Support using the system installation of NSS with the SunEC provider -Summary: Apply code changes from PR1699 & PR1742 & forward-port Makefile changes to the new build. -Updated 2017/07/04 to accomodate 8175110 - -diff -r 984a4af2ed4e make/lib/SecurityLibraries.gmk ---- openjdk/jdk/make/lib/SecurityLibraries.gmk -+++ openjdk/jdk/make/lib/SecurityLibraries.gmk -@@ -218,8 +218,17 @@ - - ifeq ($(ENABLE_INTREE_EC), yes) - -- BUILD_LIBSUNEC_FLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/security/ec \ -+ BUILD_LIBSUNEC_FLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/security/ec -+ -+ ifeq ($(USE_EXTERNAL_NSS), true) -+ BUILD_LIBSUNEC_IMPL_DIR := -+ BUILD_LIBSUNEC_FLAGS += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC -+ else -+ BUILD_LIBSUNEC_IMPL_DIR := \ -+ $(JDK_TOPDIR)/src/share/native/sun/security/ec/impl -+ BUILD_LIBSUNEC_FLAGS += \ - -I$(JDK_TOPDIR)/src/share/native/sun/security/ec/impl -+ endif - - # - # On sol-sparc...all libraries are compiled with -xregs=no%appl -@@ -235,8 +244,8 @@ - $(eval $(call SetupNativeCompilation,BUILD_LIBSUNEC, \ - LIBRARY := sunec, \ - OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \ -- SRC := $(JDK_TOPDIR)/src/share/native/sun/security/ec \ -- $(JDK_TOPDIR)/src/share/native/sun/security/ec/impl, \ -+ SRC := $(JDK_TOPDIR)/src/share/native/sun/security/ec/ECC_JNI.cpp \ -+ $(BUILD_LIBSUNEC_IMPL_DIR), \ - LANG := C++, \ - OPTIMIZATION := LOW, \ - CFLAGS := $(filter-out $(ECC_JNI_SOLSPARC_FILTER), $(CFLAGS_JDKLIB)) \ -@@ -245,11 +254,12 @@ - CXXFLAGS := $(filter-out $(ECC_JNI_SOLSPARC_FILTER), $(CXXFLAGS_JDKLIB)) \ - $(BUILD_LIBSUNEC_FLAGS), \ - MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsunec/mapfile-vers, \ -- LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \ -+ LDFLAGS := $(subst -Xlinker --as-needed,, \ -+ $(subst 
-Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) $(LDFLAGS_CXX_JDK), \ - LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \ - LDFLAGS_SUFFIX := $(LIBCXX), \ -- LDFLAGS_SUFFIX_linux := -lc, \ -- LDFLAGS_SUFFIX_solaris := -lc, \ -+ LDFLAGS_SUFFIX_linux := -lc $(NSS_LIBS), \ -+ LDFLAGS_SUFFIX_solaris := -lc $(NSS_LIBS), \ - VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \ - RC_FLAGS := $(RC_FLAGS) \ - -D "JDK_FNAME=sunec.dll" \ -diff -r 984a4af2ed4e src/share/native/sun/security/ec/ECC_JNI.cpp ---- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp -+++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp -@@ -24,7 +24,7 @@ - */ - - #include --#include "impl/ecc_impl.h" -+#include "ecc_impl.h" - - #define ILLEGAL_STATE_EXCEPTION "java/lang/IllegalStateException" - #define INVALID_ALGORITHM_PARAMETER_EXCEPTION \ -@@ -89,7 +89,7 @@ - */ - JNIEXPORT jobjectArray - JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair -- (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed) -+ (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed) - { - ECPrivateKey *privKey = NULL; // contains both public and private values - ECParams *ecparams = NULL; -@@ -190,7 +190,7 @@ - */ - JNIEXPORT jbyteArray - JNICALL Java_sun_security_ec_ECDSASignature_signDigest -- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) - { - jbyte* pDigestBuffer = NULL; - jint jDigestLength = env->GetArrayLength(digest); -@@ -299,7 +299,7 @@ - */ - JNIEXPORT jboolean - JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest -- (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) -+ (JNIEnv *env, jclass 
UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) - { - jboolean isValid = false; - -@@ -384,7 +384,7 @@ - */ - JNIEXPORT jbyteArray - JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey -- (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) - { - jbyteArray jSecret = NULL; - ECParams *ecparams = NULL; -diff -r 984a4af2ed4e src/share/native/sun/security/ec/ecc_impl.h ---- /dev/null -+++ openjdk/jdk/src/share/native/sun/security/ec/ecc_impl.h -@@ -0,0 +1,298 @@ -+/* -+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. -+ * Use is subject to license terms. -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this library; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/* ********************************************************************* -+ * -+ * The Original Code is the Netscape security libraries. -+ * -+ * The Initial Developer of the Original Code is -+ * Netscape Communications Corporation. 
-+ * Portions created by the Initial Developer are Copyright (C) 1994-2000 -+ * the Initial Developer. All Rights Reserved. -+ * -+ * Contributor(s): -+ * Dr Vipul Gupta and -+ * Douglas Stebila , Sun Microsystems Laboratories -+ * -+ * Last Modified Date from the Original Code: May 2017 -+ *********************************************************************** */ -+ -+#ifndef _ECC_IMPL_H -+#define _ECC_IMPL_H -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+#include -+ -+#ifdef SYSTEM_NSS -+#include -+#include -+#include -+#ifdef LEGACY_NSS -+#include -+#else -+#include -+#endif -+#else -+#include "ecl-exp.h" -+#endif -+ -+/* -+ * Multi-platform definitions -+ */ -+#ifdef __linux__ -+#define B_FALSE FALSE -+#define B_TRUE TRUE -+typedef unsigned char uint8_t; -+typedef unsigned long ulong_t; -+typedef enum { B_FALSE, B_TRUE } boolean_t; -+#endif /* __linux__ */ -+ -+#ifdef _ALLBSD_SOURCE -+#include -+#define B_FALSE FALSE -+#define B_TRUE TRUE -+typedef unsigned long ulong_t; -+typedef enum boolean { B_FALSE, B_TRUE } boolean_t; -+#endif /* _ALLBSD_SOURCE */ -+ -+#ifdef AIX -+#define B_FALSE FALSE -+#define B_TRUE TRUE -+typedef unsigned char uint8_t; -+typedef unsigned long ulong_t; -+#endif /* AIX */ -+ -+#ifdef _WIN32 -+typedef unsigned char uint8_t; -+typedef unsigned long ulong_t; -+typedef enum boolean { B_FALSE, B_TRUE } boolean_t; -+#define strdup _strdup /* Replace POSIX name with ISO C++ name */ -+#endif /* _WIN32 */ -+ -+#ifndef _KERNEL -+#include -+#endif /* _KERNEL */ -+ -+#define EC_MAX_DIGEST_LEN 1024 /* max digest that can be signed */ -+#define EC_MAX_POINT_LEN 145 /* max len of DER encoded Q */ -+#define EC_MAX_VALUE_LEN 72 /* max len of ANSI X9.62 private value d */ -+#define EC_MAX_SIG_LEN 144 /* max signature len for supported curves */ -+#define EC_MIN_KEY_LEN 112 /* min key length in bits */ -+#define EC_MAX_KEY_LEN 571 /* max key length in bits */ -+#define EC_MAX_OID_LEN 10 /* max length of OID buffer */ -+ -+/* -+ * Various structures 
and definitions from NSS are here. -+ */ -+ -+#ifndef SYSTEM_NSS -+#ifdef _KERNEL -+#define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f)) -+#define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f)) -+#define PORT_ArenaGrow(a, b, c, d) NULL -+#define PORT_ZAlloc(n, f) kmem_zalloc((n), (f)) -+#define PORT_Alloc(n, f) kmem_alloc((n), (f)) -+#else -+#define PORT_ArenaAlloc(a, n, f) malloc((n)) -+#define PORT_ArenaZAlloc(a, n, f) calloc(1, (n)) -+#define PORT_ArenaGrow(a, b, c, d) NULL -+#define PORT_ZAlloc(n, f) calloc(1, (n)) -+#define PORT_Alloc(n, f) malloc((n)) -+#endif -+ -+#define PORT_NewArena(b) (char *)12345 -+#define PORT_ArenaMark(a) NULL -+#define PORT_ArenaUnmark(a, b) -+#define PORT_ArenaRelease(a, m) -+#define PORT_FreeArena(a, b) -+#define PORT_Strlen(s) strlen((s)) -+#define PORT_SetError(e) -+ -+#define PRBool boolean_t -+#define PR_TRUE B_TRUE -+#define PR_FALSE B_FALSE -+ -+#ifdef _KERNEL -+#define PORT_Assert ASSERT -+#define PORT_Memcpy(t, f, l) bcopy((f), (t), (l)) -+#else -+#define PORT_Assert assert -+#define PORT_Memcpy(t, f, l) memcpy((t), (f), (l)) -+#endif -+ -+#endif -+ -+#define CHECK_OK(func) if (func == NULL) goto cleanup -+#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup -+ -+#ifndef SYSTEM_NSS -+typedef enum { -+ siBuffer = 0, -+ siClearDataBuffer = 1, -+ siCipherDataBuffer = 2, -+ siDERCertBuffer = 3, -+ siEncodedCertBuffer = 4, -+ siDERNameBuffer = 5, -+ siEncodedNameBuffer = 6, -+ siAsciiNameString = 7, -+ siAsciiString = 8, -+ siDEROID = 9, -+ siUnsignedInteger = 10, -+ siUTCTime = 11, -+ siGeneralizedTime = 12 -+} SECItemType; -+ -+typedef struct SECItemStr SECItem; -+ -+struct SECItemStr { -+ SECItemType type; -+ unsigned char *data; -+ unsigned int len; -+}; -+ -+typedef SECItem SECKEYECParams; -+ -+typedef enum { ec_params_explicit, -+ ec_params_named -+} ECParamsType; -+ -+typedef enum { ec_field_GFp = 1, -+ ec_field_GF2m -+} ECFieldType; -+ -+struct ECFieldIDStr { -+ int size; /* field size in bits */ -+ 
ECFieldType type; -+ union { -+ SECItem prime; /* prime p for (GFp) */ -+ SECItem poly; /* irreducible binary polynomial for (GF2m) */ -+ } u; -+ int k1; /* first coefficient of pentanomial or -+ * the only coefficient of trinomial -+ */ -+ int k2; /* two remaining coefficients of pentanomial */ -+ int k3; -+}; -+typedef struct ECFieldIDStr ECFieldID; -+ -+struct ECCurveStr { -+ SECItem a; /* contains octet stream encoding of -+ * field element (X9.62 section 4.3.3) -+ */ -+ SECItem b; -+ SECItem seed; -+}; -+typedef struct ECCurveStr ECCurve; -+ -+typedef void PRArenaPool; -+ -+struct ECParamsStr { -+ PRArenaPool * arena; -+ ECParamsType type; -+ ECFieldID fieldID; -+ ECCurve curve; -+ SECItem base; -+ SECItem order; -+ int cofactor; -+ SECItem DEREncoding; -+ ECCurveName name; -+ SECItem curveOID; -+}; -+typedef struct ECParamsStr ECParams; -+ -+struct ECPublicKeyStr { -+ ECParams ecParams; -+ SECItem publicValue; /* elliptic curve point encoded as -+ * octet stream. -+ */ -+}; -+typedef struct ECPublicKeyStr ECPublicKey; -+ -+struct ECPrivateKeyStr { -+ ECParams ecParams; -+ SECItem publicValue; /* encoded ec point */ -+ SECItem privateValue; /* private big integer */ -+ SECItem version; /* As per SEC 1, Appendix C, Section C.4 */ -+}; -+typedef struct ECPrivateKeyStr ECPrivateKey; -+ -+typedef enum _SECStatus { -+ SECBufferTooSmall = -3, -+ SECWouldBlock = -2, -+ SECFailure = -1, -+ SECSuccess = 0 -+} SECStatus; -+#endif -+ -+#ifdef _KERNEL -+#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l)) -+#else -+/* -+ This function is no longer required because the random bytes are now -+ supplied by the caller. Force a failure. 
-+*/ -+#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure -+#endif -+#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup -+#define MP_TO_SEC_ERROR(err) -+ -+#define SECITEM_TO_MPINT(it, mp) \ -+ CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len)) -+ -+extern int ecc_knzero_random_generator(uint8_t *, size_t); -+extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t); -+ -+#ifdef SYSTEM_NSS -+#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b) -+#define EC_NewKey(a,b,c,d,e) EC_NewKeyFromSeed(a,b,c,d) -+#define ECDSA_SignDigest(a,b,c,d,e,f,g) ECDSA_SignDigestWithSeed(a,b,c,d,e) -+#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c) -+#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e) -+#else -+extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int); -+ -+extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int); -+extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *, -+ int); -+extern void SECITEM_FreeItem(SECItem *, boolean_t); -+ -+/* This function has been modified to accept an array of random bytes */ -+extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey, -+ const unsigned char* random, int randomlen, int); -+/* This function has been modified to accept an array of random bytes */ -+extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *, -+ const unsigned char* random, int randomlen, int, int timing); -+extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *, -+ const SECItem *, int); -+extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t, -+ SECItem *, int); -+#endif -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* _ECC_IMPL_H */ -diff -r 984a4af2ed4e src/share/native/sun/security/ec/impl/ecc_impl.h ---- openjdk/jdk/src/share/native/sun/security/ec/impl/ecc_impl.h -+++ /dev/null -@@ -1,271 +0,0 @@ --/* -- * Copyright (c) 2007, 2017, Oracle and/or its affiliates. 
All rights reserved. -- * Use is subject to license terms. -- * -- * This library is free software; you can redistribute it and/or -- * modify it under the terms of the GNU Lesser General Public -- * License as published by the Free Software Foundation; either -- * version 2.1 of the License, or (at your option) any later version. -- * -- * This library is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -- * Lesser General Public License for more details. -- * -- * You should have received a copy of the GNU Lesser General Public License -- * along with this library; if not, write to the Free Software Foundation, -- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -- * -- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -- * or visit www.oracle.com if you need additional information or have any -- * questions. -- */ -- --/* ********************************************************************* -- * -- * The Original Code is the Netscape security libraries. -- * -- * The Initial Developer of the Original Code is -- * Netscape Communications Corporation. -- * Portions created by the Initial Developer are Copyright (C) 1994-2000 -- * the Initial Developer. All Rights Reserved. 
-- * -- * Contributor(s): -- * Dr Vipul Gupta and -- * Douglas Stebila , Sun Microsystems Laboratories -- * -- * Last Modified Date from the Original Code: May 2017 -- *********************************************************************** */ -- --#ifndef _ECC_IMPL_H --#define _ECC_IMPL_H -- --#ifdef __cplusplus --extern "C" { --#endif -- --#include --#include "ecl-exp.h" -- --/* -- * Multi-platform definitions -- */ --#ifdef __linux__ --#define B_FALSE FALSE --#define B_TRUE TRUE --typedef unsigned char uint8_t; --typedef unsigned long ulong_t; --typedef enum { B_FALSE, B_TRUE } boolean_t; --#endif /* __linux__ */ -- --#ifdef _ALLBSD_SOURCE --#include --#define B_FALSE FALSE --#define B_TRUE TRUE --typedef unsigned long ulong_t; --typedef enum boolean { B_FALSE, B_TRUE } boolean_t; --#endif /* _ALLBSD_SOURCE */ -- --#ifdef AIX --#define B_FALSE FALSE --#define B_TRUE TRUE --typedef unsigned char uint8_t; --typedef unsigned long ulong_t; --#endif /* AIX */ -- --#ifdef _WIN32 --typedef unsigned char uint8_t; --typedef unsigned long ulong_t; --typedef enum boolean { B_FALSE, B_TRUE } boolean_t; --#define strdup _strdup /* Replace POSIX name with ISO C++ name */ --#endif /* _WIN32 */ -- --#ifndef _KERNEL --#include --#endif /* _KERNEL */ -- --#define EC_MAX_DIGEST_LEN 1024 /* max digest that can be signed */ --#define EC_MAX_POINT_LEN 145 /* max len of DER encoded Q */ --#define EC_MAX_VALUE_LEN 72 /* max len of ANSI X9.62 private value d */ --#define EC_MAX_SIG_LEN 144 /* max signature len for supported curves */ --#define EC_MIN_KEY_LEN 112 /* min key length in bits */ --#define EC_MAX_KEY_LEN 571 /* max key length in bits */ --#define EC_MAX_OID_LEN 10 /* max length of OID buffer */ -- --/* -- * Various structures and definitions from NSS are here. 
-- */ -- --#ifdef _KERNEL --#define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f)) --#define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f)) --#define PORT_ArenaGrow(a, b, c, d) NULL --#define PORT_ZAlloc(n, f) kmem_zalloc((n), (f)) --#define PORT_Alloc(n, f) kmem_alloc((n), (f)) --#else --#define PORT_ArenaAlloc(a, n, f) malloc((n)) --#define PORT_ArenaZAlloc(a, n, f) calloc(1, (n)) --#define PORT_ArenaGrow(a, b, c, d) NULL --#define PORT_ZAlloc(n, f) calloc(1, (n)) --#define PORT_Alloc(n, f) malloc((n)) --#endif -- --#define PORT_NewArena(b) (char *)12345 --#define PORT_ArenaMark(a) NULL --#define PORT_ArenaUnmark(a, b) --#define PORT_ArenaRelease(a, m) --#define PORT_FreeArena(a, b) --#define PORT_Strlen(s) strlen((s)) --#define PORT_SetError(e) -- --#define PRBool boolean_t --#define PR_TRUE B_TRUE --#define PR_FALSE B_FALSE -- --#ifdef _KERNEL --#define PORT_Assert ASSERT --#define PORT_Memcpy(t, f, l) bcopy((f), (t), (l)) --#else --#define PORT_Assert assert --#define PORT_Memcpy(t, f, l) memcpy((t), (f), (l)) --#endif -- --#define CHECK_OK(func) if (func == NULL) goto cleanup --#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup -- --typedef enum { -- siBuffer = 0, -- siClearDataBuffer = 1, -- siCipherDataBuffer = 2, -- siDERCertBuffer = 3, -- siEncodedCertBuffer = 4, -- siDERNameBuffer = 5, -- siEncodedNameBuffer = 6, -- siAsciiNameString = 7, -- siAsciiString = 8, -- siDEROID = 9, -- siUnsignedInteger = 10, -- siUTCTime = 11, -- siGeneralizedTime = 12 --} SECItemType; -- --typedef struct SECItemStr SECItem; -- --struct SECItemStr { -- SECItemType type; -- unsigned char *data; -- unsigned int len; --}; -- --typedef SECItem SECKEYECParams; -- --typedef enum { ec_params_explicit, -- ec_params_named --} ECParamsType; -- --typedef enum { ec_field_GFp = 1, -- ec_field_GF2m --} ECFieldType; -- --struct ECFieldIDStr { -- int size; /* field size in bits */ -- ECFieldType type; -- union { -- SECItem prime; /* prime p for (GFp) */ -- SECItem poly; 
/* irreducible binary polynomial for (GF2m) */ -- } u; -- int k1; /* first coefficient of pentanomial or -- * the only coefficient of trinomial -- */ -- int k2; /* two remaining coefficients of pentanomial */ -- int k3; --}; --typedef struct ECFieldIDStr ECFieldID; -- --struct ECCurveStr { -- SECItem a; /* contains octet stream encoding of -- * field element (X9.62 section 4.3.3) -- */ -- SECItem b; -- SECItem seed; --}; --typedef struct ECCurveStr ECCurve; -- --typedef void PRArenaPool; -- --struct ECParamsStr { -- PRArenaPool * arena; -- ECParamsType type; -- ECFieldID fieldID; -- ECCurve curve; -- SECItem base; -- SECItem order; -- int cofactor; -- SECItem DEREncoding; -- ECCurveName name; -- SECItem curveOID; --}; --typedef struct ECParamsStr ECParams; -- --struct ECPublicKeyStr { -- ECParams ecParams; -- SECItem publicValue; /* elliptic curve point encoded as -- * octet stream. -- */ --}; --typedef struct ECPublicKeyStr ECPublicKey; -- --struct ECPrivateKeyStr { -- ECParams ecParams; -- SECItem publicValue; /* encoded ec point */ -- SECItem privateValue; /* private big integer */ -- SECItem version; /* As per SEC 1, Appendix C, Section C.4 */ --}; --typedef struct ECPrivateKeyStr ECPrivateKey; -- --typedef enum _SECStatus { -- SECBufferTooSmall = -3, -- SECWouldBlock = -2, -- SECFailure = -1, -- SECSuccess = 0 --} SECStatus; -- --#ifdef _KERNEL --#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l)) --#else --/* -- This function is no longer required because the random bytes are now -- supplied by the caller. Force a failure. 
--*/ --#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure --#endif --#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup --#define MP_TO_SEC_ERROR(err) -- --#define SECITEM_TO_MPINT(it, mp) \ -- CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len)) -- --extern int ecc_knzero_random_generator(uint8_t *, size_t); --extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t); -- --extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int); --extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int); --extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *, -- int); --extern void SECITEM_FreeItem(SECItem *, boolean_t); --/* This function has been modified to accept an array of random bytes */ --extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey, -- const unsigned char* random, int randomlen, int); --/* This function has been modified to accept an array of random bytes */ --extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *, -- const unsigned char* random, int randomlen, int, int timing); --extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *, -- const SECItem *, int); --extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t, -- SECItem *, int); -- --#ifdef __cplusplus --} --#endif -- --#endif /* _ECC_IMPL_H */ -diff -r 984a4af2ed4e src/solaris/javavm/export/jni_md.h ---- openjdk/jdk/src/solaris/javavm/export/jni_md.h -+++ openjdk/jdk/src/solaris/javavm/export/jni_md.h -@@ -36,6 +36,11 @@ - #define JNIEXPORT - #define JNIIMPORT - #endif -+#if (defined(__GNUC__)) || __has_attribute(unused) -+ #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__)) -+#else -+ #define UNUSED(x) UNUSED_ ## x -+#endif - - #define JNICALL - 
diff --git a/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_root8.patch b/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_root8.patch
deleted file mode 100644
index 100472b..0000000
--- a/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_root8.patch
+++ /dev/null
@@ -1,89 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1453863007 0 -# Wed Jan 27 02:50:07 2016 +0000 -# Node ID f0635543beb309c4da1bb88c906a76ee4b75e16d -# Parent 4a5a0d4e1ae0feec2f47d17be380d6fcd5eff126 -PR1983: Support using the system installation of NSS with the SunEC provider -Summary: Add new configure option --enable-system-nss - -diff -r 92af9369869f common/autoconf/jdk-options.m4 ---- openjdk/common/autoconf/jdk-options.m4 Thu Jan 21 22:17:02 2016 +0000 -+++ openjdk/common/autoconf/jdk-options.m4 Wed Jan 27 05:32:12 2016 +0000 -@@ -414,9 +414,10 @@ - # - AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC], - [ -- AC_MSG_CHECKING([if elliptic curve crypto implementation is present]) -+ AC_REQUIRE([LIB_SETUP_MISC_LIBS]) -+ AC_MSG_CHECKING([if the elliptic curve crypto implementation is present]) - -- if test -d "${SRC_ROOT}/jdk/src/share/native/sun/security/ec/impl"; then -+ if test "x${system_nss}" = "xyes" -o -d "${SRC_ROOT}/jdk/src/share/native/sun/security/ec/impl"; then - ENABLE_INTREE_EC=yes - AC_MSG_RESULT([yes]) - else -diff -r 92af9369869f common/autoconf/libraries.m4 ---- openjdk/common/autoconf/libraries.m4 Thu Jan 21 22:17:02 2016 +0000 -+++ openjdk/common/autoconf/libraries.m4 Wed Jan 27 05:32:12 2016 +0000 -@@ -731,6 +731,47 @@ - LIBDL="$LIBS" - AC_SUBST(LIBDL) - LIBS="$save_LIBS" -+ -+ ############################################################################### -+ # -+ # Check for the NSS libraries -+ # -+ -+ AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries]) -+ -+ # default is bundled -+ DEFAULT_SYSTEM_NSS=no -+ -+ AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss], -+ [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ system_nss=yes -+ ;; -+ *) -+ system_nss=no -+ ;; -+ esac -+ ], -+ [ -+ system_nss=${DEFAULT_SYSTEM_NSS} -+ ]) -+ AC_MSG_RESULT([$system_nss]) -+ -+ if test "x${system_nss}" = "xyes"; then -+ 
PKG_CHECK_MODULES(NSS, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no]) -+ if test "x${NSS_SOFTOKN_FOUND}" = "xyes"; then -+ NSS_LIBS="$NSS_LIBS -lfreebl"; -+ USE_EXTERNAL_NSS=true -+ else -+ AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.]) -+ fi -+ else -+ USE_EXTERNAL_NSS=false -+ fi -+ AC_SUBST(USE_EXTERNAL_NSS) -+ - ]) - - AC_DEFUN_ONCE([LIB_SETUP_STATIC_LINK_LIBSTDCPP], -diff -r 92af9369869f common/autoconf/spec.gmk.in ---- openjdk/common/autoconf/spec.gmk.in Thu Jan 21 22:17:02 2016 +0000 -+++ openjdk/common/autoconf/spec.gmk.in Wed Jan 27 05:32:12 2016 +0000 -@@ -647,6 +647,9 @@ - # Read-only single-machine data - INSTALL_SYSCONFDIR=@sysconfdir@ - -+USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ - - #################################################### - # diff --git a/pr2127-sunec_provider_crashes_when_built_using_system_nss_thus_use_of_nss_memory_management_functions.patch b/pr2127-sunec_provider_crashes_when_built_using_system_nss_thus_use_of_nss_memory_management_functions.patch deleted file mode 100644 index b08822a..0000000 --- a/pr2127-sunec_provider_crashes_when_built_using_system_nss_thus_use_of_nss_memory_management_functions.patch +++ /dev/null 
@@ -1,178 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1453866306 0
-# Wed Jan 27 03:45:06 2016 +0000
-# Node ID 0ff7720931e8dbf7de25720bdc93b18527ab89e8
-# Parent 48c15869ecd568263249af4b9a4e98d4e57f9a8f
-PR2127: SunEC provider crashes when built using system NSS
-Summary: Use NSS memory management functions
-
-diff -r 48c15869ecd5 -r 0ff7720931e8 src/share/native/sun/security/ec/ECC_JNI.cpp
---- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Wed Jan 27 02:54:06 2016 +0000
-+++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Wed Jan 27 03:45:06 2016 +0000
-@@ -32,6 +32,13 @@
- #define INVALID_PARAMETER_EXCEPTION \
- "java/security/InvalidParameterException"
- #define KEY_EXCEPTION "java/security/KeyException"
-+#define INTERNAL_ERROR "java/lang/InternalError"
-+
-+#ifdef SYSTEM_NSS
-+#define SYSTEM_UNUSED(x) UNUSED(x)
-+#else
-+#define SYSTEM_UNUSED(x) x
-+#endif
-
- extern "C" {
-
-@@ -49,8 +56,13 @@
- /*
- * Deep free of the ECParams struct
- */
--void FreeECParams(ECParams *ecparams, jboolean freeStruct)
-+void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct))
- {
-+#ifdef SYSTEM_NSS
-+ // Needs to be freed using the matching method to the one
-+ // that allocated it. PR_TRUE means the memory is zeroed.
-+ PORT_FreeArena(ecparams->arena, PR_TRUE);
-+#else
- // Use B_FALSE to free the SECItem->data element, but not the SECItem itself
- // Use B_TRUE to free both
-
-@@ -64,6 +76,7 @@
- SECITEM_FreeItem(&ecparams->curveOID, B_FALSE);
- if (freeStruct)
- free(ecparams);
-+#endif
- }
-
- jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem)
-@@ -108,6 +121,13 @@
- goto cleanup;
- }
-
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Init() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ goto cleanup;
-+ }
-+#endif
-+
- // Fill a new ECParams using the supplied OID
- if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) {
- /* bad curve OID */
-@@ -163,16 +183,26 @@
- if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Shutdown() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ }
-+#endif
- }
- if (ecparams) {
- FreeECParams(ecparams, true);
- }
- if (privKey) {
- FreeECParams(&privKey->ecParams, false);
-+#ifndef SYSTEM_NSS
-+ // The entire ECPrivateKey is allocated in the arena
-+ // when using system NSS, so only the in-tree version
-+ // needs to clear these manually.
- SECITEM_FreeItem(&privKey->version, B_FALSE);
- SECITEM_FreeItem(&privKey->privateValue, B_FALSE);
- SECITEM_FreeItem(&privKey->publicValue, B_FALSE);
- free(privKey);
-+#endif
- }
-
- if (pSeedBuffer) {
-@@ -223,6 +253,13 @@
- goto cleanup;
- }
-
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Init() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ goto cleanup;
-+ }
-+#endif
-+
- // Fill a new ECParams using the supplied OID
- if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) {
- /* bad curve OID */
-@@ -270,6 +307,11 @@
- if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Shutdown() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ }
-+#endif
- }
- if (privKey.privateValue.data) {
- env->ReleaseByteArrayElements(privateKey,
-@@ -336,6 +378,13 @@
- goto cleanup;
- }
-
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Init() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ goto cleanup;
-+ }
-+#endif
-+
- // Fill a new ECParams using the supplied OID
- if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) {
- /* bad curve OID */
-@@ -356,9 +405,15 @@
-
- cleanup:
- {
-- if (params_item.data)
-+ if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Shutdown() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ }
-+#endif
-+ }
-
- if (pubKey.publicValue.data)
- env->ReleaseByteArrayElements(publicKey,
-@@ -419,6 +474,13 @@
- goto cleanup;
- }
-
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Init() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ goto cleanup;
-+ }
-+#endif
-+
- // Fill a new ECParams using the supplied OID
- if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) {
- /* bad curve OID */
-@@ -460,9 +522,15 @@
- env->ReleaseByteArrayElements(publicKey,
- (jbyte *) publicValue_item.data, JNI_ABORT);
-
-- if (params_item.data)
-+ if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Shutdown() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ }
-+#endif
-+ }
-
- if (ecparams)
- FreeECParams(ecparams, true);
diff --git a/pr2815-race_condition_in_sunec_provider_with_system_nss_fix.patch b/pr2815-race_condition_in_sunec_provider_with_system_nss_fix.patch
deleted file mode 100644
index db14f10..0000000
--- a/pr2815-race_condition_in_sunec_provider_with_system_nss_fix.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1453867347 0
-# Wed Jan 27 04:02:27 2016 +0000
-# Node ID 26e2e029ee256e9815fdc324831a03d8582255e1
-# Parent 0ff7720931e8dbf7de25720bdc93b18527ab89e8
-PR2815: Race condition in SunEC provider with system NSS
-Summary: Perform initialisation and shutdown only when library is loaded or SunEC is finalized respectively
-
-diff -r 0ff7720931e8 -r 26e2e029ee25 make/mapfiles/libsunec/mapfile-vers
---- openjdk/jdk/make/mapfiles/libsunec/mapfile-vers Wed Jan 27 03:45:06 2016 +0000
-+++ openjdk/jdk/make/mapfiles/libsunec/mapfile-vers Wed Jan 27 04:02:27 2016 +0000
-@@ -31,6 +31,8 @@
- Java_sun_security_ec_ECDSASignature_signDigest;
- Java_sun_security_ec_ECDSASignature_verifySignedDigest;
- Java_sun_security_ec_ECDHKeyAgreement_deriveKey;
-+ Java_sun_security_ec_SunEC_initialize;
-+ Java_sun_security_ec_SunEC_cleanup;
- local:
- *;
- };
-diff -r 0ff7720931e8 -r 26e2e029ee25 src/share/classes/sun/security/ec/SunEC.java
---- openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java Wed Jan 27 03:45:06 2016 +0000
-+++ openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java Wed Jan 27 04:02:27 2016 +0000
-@@ -58,6 +58,7 @@
- AccessController.doPrivileged(new PrivilegedAction() {
- public Void run() {
- System.loadLibrary("sunec"); // check for native library
-+ initialize();
- return null;
- }
- });
-@@ -81,4 +82,22 @@
- }
- }
-
-+ /**
-+ * Cleanup native resources during finalisation.
-+ */
-+ @Override
-+ protected void finalize() {
-+ cleanup();
-+ }
-+
-+ /**
-+ * Initialize the native code.
-+ */
-+ private static native void initialize();
-+
-+ /**
-+ * Cleanup in the native layer.
-+ */
-+ private static native void cleanup();
-+
- }
-diff -r 0ff7720931e8 -r 26e2e029ee25 src/share/native/sun/security/ec/ECC_JNI.cpp
---- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Wed Jan 27 03:45:06 2016 +0000
-+++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp Wed Jan 27 04:02:27 2016 +0000
-@@ -121,13 +121,6 @@
- goto cleanup;
- }
-
--#ifdef SYSTEM_NSS
-- if (SECOID_Init() != SECSuccess) {
-- ThrowException(env, INTERNAL_ERROR);
-- goto cleanup;
-- }
--#endif
--
- // Fill a new ECParams using the supplied OID
- if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) {
- /* bad curve OID */
-@@ -183,11 +176,6 @@
- if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
--#ifdef SYSTEM_NSS
-- if (SECOID_Shutdown() != SECSuccess) {
-- ThrowException(env, INTERNAL_ERROR);
-- }
--#endif
- }
- if (ecparams) {
- FreeECParams(ecparams, true);
-@@ -253,13 +241,6 @@
- goto cleanup;
- }
-
--#ifdef SYSTEM_NSS
-- if (SECOID_Init() != SECSuccess) {
-- ThrowException(env, INTERNAL_ERROR);
-- goto cleanup;
-- }
--#endif
--
- // Fill a new ECParams using the supplied OID
- if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) {
- /* bad curve OID */
-@@ -307,11 +288,6 @@
- if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
--#ifdef SYSTEM_NSS
-- if (SECOID_Shutdown() != SECSuccess) {
-- ThrowException(env, INTERNAL_ERROR);
-- }
--#endif
- }
- if (privKey.privateValue.data) {
- env->ReleaseByteArrayElements(privateKey,
-@@ -378,13 +354,6 @@
- goto cleanup;
- }
-
--#ifdef SYSTEM_NSS
-- if (SECOID_Init() != SECSuccess) {
-- ThrowException(env, INTERNAL_ERROR);
-- goto cleanup;
-- }
--#endif
--
- // Fill a new ECParams using the supplied OID
- if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) {
- /* bad curve OID */
-@@ -408,11 +377,6 @@
- if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
--#ifdef SYSTEM_NSS
-- if (SECOID_Shutdown() != SECSuccess) {
-- ThrowException(env, INTERNAL_ERROR);
-- }
--#endif
- }
-
- if (pubKey.publicValue.data)
-@@ -474,13 +438,6 @@
- goto cleanup;
- }
-
--#ifdef SYSTEM_NSS
-- if (SECOID_Init() != SECSuccess) {
-- ThrowException(env, INTERNAL_ERROR);
-- goto cleanup;
-- }
--#endif
--
- // Fill a new ECParams using the supplied OID
- if (EC_DecodeParams(¶ms_item, &ecparams, 0) != SECSuccess) {
- /* bad curve OID */
-@@ -525,11 +482,6 @@
- if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
--#ifdef SYSTEM_NSS
-- if (SECOID_Shutdown() != SECSuccess) {
-- ThrowException(env, INTERNAL_ERROR);
-- }
--#endif
- }
-
- if (ecparams)
-@@ -539,4 +491,26 @@
- return jSecret;
- }
-
-+JNIEXPORT void
-+JNICALL Java_sun_security_ec_SunEC_initialize
-+ (JNIEnv *env, jclass UNUSED(clazz))
-+{
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Init() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ }
-+#endif
-+}
-+
-+JNIEXPORT void
-+JNICALL Java_sun_security_ec_SunEC_cleanup
-+ (JNIEnv *env, jclass UNUSED(clazz))
-+{
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Shutdown() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ }
-+#endif
-+}
-+
- } /* extern "C" */
diff --git a/pr2899-dont_use_withseed_versions_of_nss_functions_as_they_dont_fully_process_the_seed.patch b/pr2899-dont_use_withseed_versions_of_nss_functions_as_they_dont_fully_process_the_seed.patch
deleted file mode 100644
index ffdefb0..0000000
--- a/pr2899-dont_use_withseed_versions_of_nss_functions_as_they_dont_fully_process_the_seed.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1459313680 -3600
-# Wed Mar 30 05:54:40 2016 +0100
-# Node ID 9dc0eca5fa8926e6a952fa4f1931e78aa1f52443
-# Parent 8957aff589013e671f02d38023d5ff245ef27e87
-PR2899: Don't use WithSeed versions of NSS functions as they don't fully process the seed
-Contributed-by: Alex Kashchenko
-Updated 2017/07/04 to accomodate 8175110 by Andrew Hughes
-
-diff -r e5fdbb82bd49 src/share/native/sun/security/ec/ecc_impl.h
---- openjdk/jdk/src/share/native/sun/security/ec/ecc_impl.h
-+++ openjdk/jdk/src/share/native/sun/security/ec/ecc_impl.h
-@@ -267,8 +267,8 @@
-
- #ifdef SYSTEM_NSS
- #define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b)
--#define EC_NewKey(a,b,c,d,e) EC_NewKeyFromSeed(a,b,c,d)
--#define ECDSA_SignDigest(a,b,c,d,e,f,g) ECDSA_SignDigestWithSeed(a,b,c,d,e)
-+#define EC_NewKey(a,b,c,d,e) EC_NewKey(a,b)
-+#define ECDSA_SignDigest(a,b,c,d,e,f,g) ECDSA_SignDigest(a,b,c)
- #define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c)
- #define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e)
- #else
diff --git a/pr2934-sunec_provider_throwing_keyexception_withine.separator_current_nss_thus_initialise_the_random_number_generator_and_feed_the_seed_to_it.patch b/pr2934-sunec_provider_throwing_keyexception_withine.separator_current_nss_thus_initialise_the_random_number_generator_and_feed_the_seed_to_it.patch
deleted file mode 100644
index 83385da..0000000
--- a/pr2934-sunec_provider_throwing_keyexception_withine.separator_current_nss_thus_initialise_the_random_number_generator_and_feed_the_seed_to_it.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1461349033 -3600
-# Fri Apr 22 19:17:13 2016 +0100
-# Node ID dab76de2f91cf1791c03560a3f45aaa69f8351fd
-# Parent 3fa42705acab6d69b6141f47ebba4f85739a338c
-PR2934: SunEC provider throwing KeyException with current NSS
-Summary: Initialise the random number generator and feed the seed to it.
-Updated 2017/07/04 to accomodate 8175110
-
-diff -r 8aed1e903a4c src/share/native/sun/security/ec/ECC_JNI.cpp
---- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp
-+++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp
-@@ -134,8 +134,17 @@
- env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
-
- // Generate the new keypair (using the supplied seed)
-+#ifdef SYSTEM_NSS
-+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
-+ != SECSuccess) {
-+ ThrowException(env, KEY_EXCEPTION);
-+ goto cleanup;
-+ }
-+ if (EC_NewKey(ecparams, &privKey) != SECSuccess) {
-+#else
- if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer,
- jSeedLength, 0) != SECSuccess) {
-+#endif
- ThrowException(env, KEY_EXCEPTION);
- goto cleanup;
- }
-@@ -267,8 +276,18 @@
- env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
-
- // Sign the digest (using the supplied seed)
-+#ifdef SYSTEM_NSS
-+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
-+ != SECSuccess) {
-+ ThrowException(env, KEY_EXCEPTION);
-+ goto cleanup;
-+ }
-+ if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item)
-+ != SECSuccess) {
-+#else
- if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
- (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) {
-+#endif
- ThrowException(env, KEY_EXCEPTION);
- goto cleanup;
- }
-@@ -499,6 +518,9 @@
- if (SECOID_Init() != SECSuccess) {
- ThrowException(env, INTERNAL_ERROR);
- }
-+ if (RNG_RNGInit() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ }
- #endif
- }
-
-@@ -507,6 +529,7 @@
- (JNIEnv *env, jclass UNUSED(clazz))
- {
- #ifdef SYSTEM_NSS
-+ RNG_RNGShutdown();
- if (SECOID_Shutdown() != SECSuccess) {
- ThrowException(env, INTERNAL_ERROR);
- }
-diff -r 8aed1e903a4c src/share/native/sun/security/ec/ecc_impl.h
---- openjdk/jdk/src/share/native/sun/security/ec/ecc_impl.h
-+++ openjdk/jdk/src/share/native/sun/security/ec/ecc_impl.h
-@@ -254,8 +254,10 @@
- This function is no longer required because the random bytes are now
- supplied by the caller. Force a failure.
- */
-+#ifndef SYSTEM_NSS
- #define RNG_GenerateGlobalRandomBytes(p,l) SECFailure
- #endif
-+#endif
- #define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
- #define MP_TO_SEC_ERROR(err)
-
-@@ -267,8 +269,6 @@
-
- #ifdef SYSTEM_NSS
- #define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b)
--#define EC_NewKey(a,b,c,d,e) EC_NewKey(a,b)
--#define ECDSA_SignDigest(a,b,c,d,e,f,g) ECDSA_SignDigest(a,b,c)
- #define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c)
- #define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e)
- #else
diff --git a/pr3479-rh1486025-sunec_provider_can_have_multiple_instances_leading_to_premature_nss_shutdown.patch b/pr3479-rh1486025-sunec_provider_can_have_multiple_instances_leading_to_premature_nss_shutdown.patch
deleted file mode 100644
index 14c693b..0000000
--- a/pr3479-rh1486025-sunec_provider_can_have_multiple_instances_leading_to_premature_nss_shutdown.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1508194072 -3600
-# Mon Oct 16 23:47:52 2017 +0100
-# Node ID 5dcb55da00c1531264934559c9f10c2e0ae46420
-# Parent bf62c56e3604fee0018b19f65fd56c76dc156630
-PR3479, RH1486025: ECC and NSS JVM crash
-Summary: SunEC provider can have multiple instances, leading to premature NSS shutdown
-Contributed-by: Martin Balao
-
-diff --git a/make/mapfiles/libsunec/mapfile-vers b/make/mapfiles/libsunec/mapfile-vers
---- openjdk/jdk/make/mapfiles/libsunec/mapfile-vers
-+++ openjdk/jdk/make/mapfiles/libsunec/mapfile-vers
-@@ -32,7 +32,6 @@
- Java_sun_security_ec_ECDSASignature_verifySignedDigest;
- Java_sun_security_ec_ECDHKeyAgreement_deriveKey;
- Java_sun_security_ec_SunEC_initialize;
-- Java_sun_security_ec_SunEC_cleanup;
- local:
- *;
- };
-diff --git a/src/share/classes/sun/security/ec/SunEC.java b/src/share/classes/sun/security/ec/SunEC.java
---- openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java
-+++ openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java
-@@ -83,21 +83,8 @@
- }
-
- /**
-- * Cleanup native resources during finalisation.
-- */
-- @Override
-- protected void finalize() {
-- cleanup();
-- }
--
-- /**
- * Initialize the native code.
- */
- private static native void initialize();
-
-- /**
-- * Cleanup in the native layer.
-- */
-- private static native void cleanup();
--
- }
-diff --git a/src/share/native/sun/security/ec/ECC_JNI.cpp b/src/share/native/sun/security/ec/ECC_JNI.cpp
---- openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp
-+++ openjdk/jdk/src/share/native/sun/security/ec/ECC_JNI.cpp
-@@ -525,14 +525,12 @@
- }
-
- JNIEXPORT void
--JNICALL Java_sun_security_ec_SunEC_cleanup
-- (JNIEnv *env, jclass UNUSED(clazz))
-+JNICALL JNI_OnUnload
-+ (JavaVM *vm, void *reserved)
- {
- #ifdef SYSTEM_NSS
- RNG_RNGShutdown();
-- if (SECOID_Shutdown() != SECSuccess) {
-- ThrowException(env, INTERNAL_ERROR);
-- }
-+ SECOID_Shutdown();
- #endif
- }
-