diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index c93ac0f..5062dbf 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -143,14 +143,6 @@ # looks like openjdk RPM specific bug # Always set this so the nss.cfg file is not broken %global NSS_LIBDIR %(pkg-config --variable=libdir nss) -%global NSS_LIBS %(pkg-config --libs nss) -%global NSS_CFLAGS %(pkg-config --cflags nss-softokn) -# see https://bugzilla.redhat.com/show_bug.cgi?id=1332456 -%global NSSSOFTOKN_BUILDTIME_NUMBER %(pkg-config --modversion nss-softokn || : ) -%global NSS_BUILDTIME_NUMBER %(pkg-config --modversion nss || : ) -# this is workaround for processing of requires during srpm creation -%global NSSSOFTOKN_BUILDTIME_VERSION %(if [ "x%{NSSSOFTOKN_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSSSOFTOKN_BUILDTIME_NUMBER}" ;fi) -%global NSS_BUILDTIME_VERSION %(if [ "x%{NSS_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSS_BUILDTIME_NUMBER}" ;fi) # In some cases, the arch used by the JDK does # not match _arch. @@ -227,7 +219,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 33 -%global rpmrelease 4 +%global rpmrelease 5 # priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk %global priority %( printf '%02d%02d%02d%02d' %{majorver} %{minorver} %{securityver} %{buildver} ) @@ -867,9 +859,6 @@ Requires: ca-certificates Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package Requires: tzdata-java >= 2015d -# there is a need to depend on the exact version of NSS -Requires: nss%{?_isa} %{NSS_BUILDTIME_VERSION} -Requires: nss-softokn%{?_isa} %{NSSSOFTOKN_BUILDTIME_VERSION} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression @@ -1049,8 +1038,6 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # Follow system wide crypto policy RHBZ#1249083 Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch -# System NSS via SunEC Provider -Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk12.patch # Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch @@ -1092,8 +1079,6 @@ BuildRequires: libffi-devel BuildRequires: tzdata-java >= 2015d # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 -# Build requirements for SunEC system NSS support -BuildRequires: nss-softokn-freebl-devel >= 3.16.1 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel @@ -1280,7 +1265,6 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 %patch6 -p1 popd # openjdk @@ -1388,7 +1372,6 @@ bash ../configure \ --with-debug-level=$debugbuild \ --with-native-debug-symbols=internal \ --enable-unlimited-crypto \ - --enable-system-nss \ --with-zlib=system \ --with-libjpeg=system \ --with-giflib=system \ @@ -1819,6 +1802,9 @@ require "copy_jdk_configs.lua" %changelog +* Wed Oct 02 2019 Andrew Hughes - 1:13.0.0.33-5.rolling +- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it. + * Wed Oct 02 2019 Andrew John Hughes - 1:13.0.0.33-4.rolling - Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime. - Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency diff --git a/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk12.patch b/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk12.patch deleted file mode 100644 index edd3480..0000000 --- a/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk12.patch +++ /dev/null @@ -1,649 +0,0 @@ -diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4 ---- a/make/autoconf/jdk-options.m4 -+++ b/make/autoconf/jdk-options.m4 -@@ -267,9 +267,10 @@ - # - AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC], - [ -+ AC_REQUIRE([LIB_SETUP_MISC_LIBS]) - AC_MSG_CHECKING([if elliptic curve crypto implementation is present]) - -- if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then -+ if test "x${system_nss}" = "xyes" -o -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then - ENABLE_INTREE_EC=true - AC_MSG_RESULT([yes]) - else -diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 ---- a/make/autoconf/libraries.m4 -+++ b/make/autoconf/libraries.m4 -@@ -178,6 +178,48 @@ - AC_SUBST(LIBDL) - LIBS="$save_LIBS" - -+ ############################################################################### -+ # -+ # Check for the NSS libraries -+ # -+ -+ AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries]) -+ -+ # default is bundled -+ DEFAULT_SYSTEM_NSS=no -+ -+ AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss], -+ [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ system_nss=yes -+ ;; -+ *) -+ system_nss=no -+ ;; -+ esac -+ ], -+ [ -+ system_nss=${DEFAULT_SYSTEM_NSS} -+ ]) -+ AC_MSG_RESULT([$system_nss]) -+ -+ if test "x${system_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS_SOFTTKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no]) -+ PKG_CHECK_MODULES(NSS, nss >= 3.16.1, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_SOFTOKN_FOUND}" = "xyes" -a "x${NSS_FOUND}" = "xyes"; then -+ NSS_LIBS="$NSS_SOFTOKN_LIBS $NSS_LIBS -lfreebl"; -+ USE_EXTERNAL_NSS=true -+ else -+ AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.]) -+ fi -+ else -+ USE_EXTERNAL_NSS=false -+ fi -+ AC_SUBST(USE_EXTERNAL_NSS) -+ -+ - # Control if libzip can use mmap. Available for purposes of overriding. - LIBZIP_CAN_USE_MMAP=true - AC_SUBST(LIBZIP_CAN_USE_MMAP) -diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in ---- a/make/autoconf/spec.gmk.in -+++ b/make/autoconf/spec.gmk.in -@@ -795,6 +795,10 @@ - # Libraries - # - -+USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+ - USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ - LCMS_CFLAGS:=@LCMS_CFLAGS@ - LCMS_LIBS:=@LCMS_LIBS@ -diff --git a/make/lib/Lib-jdk.crypto.ec.gmk b/make/lib/Lib-jdk.crypto.ec.gmk ---- a/make/lib/Lib-jdk.crypto.ec.gmk -+++ b/make/lib/Lib-jdk.crypto.ec.gmk -@@ -28,19 +28,26 @@ - ################################################################################ - - ifeq ($(ENABLE_INTREE_EC), true) -+ ifeq ($(USE_EXTERNAL_NSS), true) -+ BUILD_LIBSUNEC_CFLAGS_JDKLIB := $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC -+ BUILD_LIBSUNEC_CXXFLAGS_JDKLIB := $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC -+ endif -+ - $(eval $(call SetupJdkLibrary, BUILD_LIBSUNEC, \ - NAME := sunec, \ - TOOLCHAIN := TOOLCHAIN_LINK_CXX, \ - OPTIMIZATION := LOW, \ -- CFLAGS := $(CFLAGS_JDKLIB) \ -+ CFLAGS := $(BUILD_LIBSUNEC_CFLAGS_JDKLIB) $(CFLAGS_JDKLIB) \ - -DMP_API_COMPATIBLE -DNSS_ECC_MORE_THAN_SUITE_B, \ -- CXXFLAGS := $(CXXFLAGS_JDKLIB), \ -+ CXXFLAGS := $(BUILD_LIBSUNEC_CXXFLAGS_JDKLIB) $(CXXFLAGS_JDKLIB), \ - DISABLED_WARNINGS_gcc := sign-compare implicit-fallthrough unused-value, \ - DISABLED_WARNINGS_clang := sign-compare, \ - DISABLED_WARNINGS_microsoft := 4101 4244 4146 4018, \ -- LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \ -+ LDFLAGS := $(subst -Xlinker --as-needed,, \ -+ $(subst -Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) $(LDFLAGS_CXX_JDK), \ - LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \ - LIBS := $(LIBCXX), \ -+ LIBS_linux := -lc $(NSS_LIBS), \ - )) - - TARGETS += $(BUILD_LIBSUNEC) -diff --git a/src/java.base/unix/native/include/jni_md.h b/src/java.base/unix/native/include/jni_md.h ---- a/src/java.base/unix/native/include/jni_md.h -+++ b/src/java.base/unix/native/include/jni_md.h -@@ -41,6 +41,11 @@ - #define JNIEXPORT - #define JNIIMPORT - #endif -+#if (defined(__GNUC__)) || __has_attribute(unused) -+ #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__)) -+#else -+ #define UNUSED(x) UNUSED_ ## x -+#endif - - #define JNICALL - -diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -61,6 +61,7 @@ - AccessController.doPrivileged(new PrivilegedAction() { - public Void run() { - System.loadLibrary("sunec"); // check for native library -+ initialize(); - return null; - } - }); -@@ -293,6 +294,11 @@ - "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); - } - -+ /** -+ * Initialize the native code. -+ */ -+ private static native void initialize(); -+ - private void putXDHEntries() { - - HashMap ATTRS = new HashMap<>(1); -diff --git a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp ---- a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp -+++ b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp -@@ -25,7 +25,11 @@ - - #include - #include "jni_util.h" -+#ifdef SYSTEM_NSS -+#include "ecc_impl.h" -+#else - #include "impl/ecc_impl.h" -+#endif - #include "sun_security_ec_ECDHKeyAgreement.h" - #include "sun_security_ec_ECKeyPairGenerator.h" - #include "sun_security_ec_ECDSASignature.h" -@@ -33,6 +37,13 @@ - #define INVALID_PARAMETER_EXCEPTION \ - "java/security/InvalidParameterException" - #define KEY_EXCEPTION "java/security/KeyException" -+#define INTERNAL_ERROR "java/lang/InternalError" -+ -+#ifdef SYSTEM_NSS -+#define SYSTEM_UNUSED(x) UNUSED(x) -+#else -+#define SYSTEM_UNUSED(x) x -+#endif - - extern "C" { - -@@ -55,8 +66,13 @@ - /* - * Deep free of the ECParams struct - */ --void FreeECParams(ECParams *ecparams, jboolean freeStruct) -+void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct)) - { -+#ifdef SYSTEM_NSS -+ // Needs to be freed using the matching method to the one -+ // that allocated it. PR_TRUE means the memory is zeroed. -+ PORT_FreeArena(ecparams->arena, PR_TRUE); -+#else - // Use B_FALSE to free the SECItem->data element, but not the SECItem itself - // Use B_TRUE to free both - -@@ -70,6 +86,7 @@ - SECITEM_FreeItem(&ecparams->curveOID, B_FALSE); - if (freeStruct) - free(ecparams); -+#endif - } - - jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem) -@@ -139,7 +156,7 @@ - */ - JNIEXPORT jobjectArray - JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair -- (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed) -+ (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed) - { - ECPrivateKey *privKey = NULL; // contains both public and private values - ECParams *ecparams = NULL; -@@ -171,8 +188,17 @@ - env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer); - - // Generate the new keypair (using the supplied seed) -+#ifdef SYSTEM_NSS -+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength) -+ != SECSuccess) { -+ ThrowException(env, KEY_EXCEPTION); -+ goto cleanup; -+ } -+ if (EC_NewKey(ecparams, &privKey) != SECSuccess) { -+#else - if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer, - jSeedLength, 0) != SECSuccess) { -+#endif - ThrowException(env, KEY_EXCEPTION); - goto cleanup; - } -@@ -219,10 +245,15 @@ - } - if (privKey) { - FreeECParams(&privKey->ecParams, false); -+#ifndef SYSTEM_NSS -+ // The entire ECPrivateKey is allocated in the arena -+ // when using system NSS, so only the in-tree version -+ // needs to clear these manually. - SECITEM_FreeItem(&privKey->version, B_FALSE); - SECITEM_FreeItem(&privKey->privateValue, B_FALSE); - SECITEM_FreeItem(&privKey->publicValue, B_FALSE); - free(privKey); -+#endif - } - - if (pSeedBuffer) { -@@ -240,7 +271,7 @@ - */ - JNIEXPORT jbyteArray - JNICALL Java_sun_security_ec_ECDSASignature_signDigest -- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) - { - jbyte* pDigestBuffer = NULL; - jint jDigestLength = env->GetArrayLength(digest); -@@ -299,8 +330,18 @@ - env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer); - - // Sign the digest (using the supplied seed) -+#ifdef SYSTEM_NSS -+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength) -+ != SECSuccess) { -+ ThrowException(env, KEY_EXCEPTION); -+ goto cleanup; -+ } -+ if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item) -+ != SECSuccess) { -+#else - if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item, - (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) { -+#endif - ThrowException(env, KEY_EXCEPTION); - goto cleanup; - } -@@ -349,7 +390,7 @@ - */ - JNIEXPORT jboolean - JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest -- (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) - { - jboolean isValid = false; - -@@ -406,9 +447,10 @@ - - cleanup: - { -- if (params_item.data) -+ if (params_item.data) { - env->ReleaseByteArrayElements(encodedParams, - (jbyte *) params_item.data, JNI_ABORT); -+ } - - if (pubKey.publicValue.data) - env->ReleaseByteArrayElements(publicKey, -@@ -434,7 +476,7 @@ - */ - JNIEXPORT jbyteArray - JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey -- (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) - { - jbyteArray jSecret = NULL; - ECParams *ecparams = NULL; -@@ -510,9 +552,10 @@ - env->ReleaseByteArrayElements(publicKey, - (jbyte *) publicValue_item.data, JNI_ABORT); - -- if (params_item.data) -+ if (params_item.data) { - env->ReleaseByteArrayElements(encodedParams, - (jbyte *) params_item.data, JNI_ABORT); -+ } - - if (ecparams) - FreeECParams(ecparams, true); -@@ -521,4 +564,28 @@ - return jSecret; - } - -+JNIEXPORT void -+JNICALL Java_sun_security_ec_SunEC_initialize -+ (JNIEnv *env, jclass UNUSED(clazz)) -+{ -+#ifdef SYSTEM_NSS -+ if (SECOID_Init() != SECSuccess) { -+ ThrowException(env, INTERNAL_ERROR); -+ } -+ if (RNG_RNGInit() != SECSuccess) { -+ ThrowException(env, INTERNAL_ERROR); -+ } -+#endif -+} -+ -+JNIEXPORT void -+JNICALL JNI_OnUnload -+ (JavaVM *vm, void *reserved) -+{ -+#ifdef SYSTEM_NSS -+ RNG_RNGShutdown(); -+ SECOID_Shutdown(); -+#endif -+} -+ - } /* extern "C" */ -diff --git a/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h -new file mode 100644 ---- /dev/null -+++ b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h -@@ -0,0 +1,298 @@ -+/* -+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. -+ * Use is subject to license terms. -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this library; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/* ********************************************************************* -+ * -+ * The Original Code is the Netscape security libraries. -+ * -+ * The Initial Developer of the Original Code is -+ * Netscape Communications Corporation. -+ * Portions created by the Initial Developer are Copyright (C) 1994-2000 -+ * the Initial Developer. All Rights Reserved. -+ * -+ * Contributor(s): -+ * Dr Vipul Gupta and -+ * Douglas Stebila , Sun Microsystems Laboratories -+ * -+ * Last Modified Date from the Original Code: May 2017 -+ *********************************************************************** */ -+ -+#ifndef _ECC_IMPL_H -+#define _ECC_IMPL_H -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+#include -+ -+#ifdef SYSTEM_NSS -+#include -+#include -+#include -+#ifdef LEGACY_NSS -+#include -+#else -+#include -+#endif -+#else -+#include "ecl-exp.h" -+#endif -+ -+/* -+ * Multi-platform definitions -+ */ -+#ifdef __linux__ -+#define B_FALSE FALSE -+#define B_TRUE TRUE -+typedef unsigned char uint8_t; -+typedef unsigned long ulong_t; -+typedef enum { B_FALSE, B_TRUE } boolean_t; -+#endif /* __linux__ */ -+ -+#ifdef _ALLBSD_SOURCE -+#include -+#define B_FALSE FALSE -+#define B_TRUE TRUE -+typedef unsigned long ulong_t; -+typedef enum boolean { B_FALSE, B_TRUE } boolean_t; -+#endif /* _ALLBSD_SOURCE */ -+ -+#ifdef AIX -+#define B_FALSE FALSE -+#define B_TRUE TRUE -+typedef unsigned char uint8_t; -+typedef unsigned long ulong_t; -+#endif /* AIX */ -+ -+#ifdef _WIN32 -+typedef unsigned char uint8_t; -+typedef unsigned long ulong_t; -+typedef enum boolean { B_FALSE, B_TRUE } boolean_t; -+#define strdup _strdup /* Replace POSIX name with ISO C++ name */ -+#endif /* _WIN32 */ -+ -+#ifndef _KERNEL -+#include -+#endif /* _KERNEL */ -+ -+#define EC_MAX_DIGEST_LEN 1024 /* max digest that can be signed */ -+#define EC_MAX_POINT_LEN 145 /* max len of DER encoded Q */ -+#define EC_MAX_VALUE_LEN 72 /* max len of ANSI X9.62 private value d */ -+#define EC_MAX_SIG_LEN 144 /* max signature len for supported curves */ -+#define EC_MIN_KEY_LEN 112 /* min key length in bits */ -+#define EC_MAX_KEY_LEN 571 /* max key length in bits */ -+#define EC_MAX_OID_LEN 10 /* max length of OID buffer */ -+ -+/* -+ * Various structures and definitions from NSS are here. -+ */ -+ -+#ifndef SYSTEM_NSS -+#ifdef _KERNEL -+#define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f)) -+#define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f)) -+#define PORT_ArenaGrow(a, b, c, d) NULL -+#define PORT_ZAlloc(n, f) kmem_zalloc((n), (f)) -+#define PORT_Alloc(n, f) kmem_alloc((n), (f)) -+#else -+#define PORT_ArenaAlloc(a, n, f) malloc((n)) -+#define PORT_ArenaZAlloc(a, n, f) calloc(1, (n)) -+#define PORT_ArenaGrow(a, b, c, d) NULL -+#define PORT_ZAlloc(n, f) calloc(1, (n)) -+#define PORT_Alloc(n, f) malloc((n)) -+#endif -+ -+#define PORT_NewArena(b) (char *)12345 -+#define PORT_ArenaMark(a) NULL -+#define PORT_ArenaUnmark(a, b) -+#define PORT_ArenaRelease(a, m) -+#define PORT_FreeArena(a, b) -+#define PORT_Strlen(s) strlen((s)) -+#define PORT_SetError(e) -+ -+#define PRBool boolean_t -+#define PR_TRUE B_TRUE -+#define PR_FALSE B_FALSE -+ -+#ifdef _KERNEL -+#define PORT_Assert ASSERT -+#define PORT_Memcpy(t, f, l) bcopy((f), (t), (l)) -+#else -+#define PORT_Assert assert -+#define PORT_Memcpy(t, f, l) memcpy((t), (f), (l)) -+#endif -+ -+#endif -+ -+#define CHECK_OK(func) if (func == NULL) goto cleanup -+#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup -+ -+#ifndef SYSTEM_NSS -+typedef enum { -+ siBuffer = 0, -+ siClearDataBuffer = 1, -+ siCipherDataBuffer = 2, -+ siDERCertBuffer = 3, -+ siEncodedCertBuffer = 4, -+ siDERNameBuffer = 5, -+ siEncodedNameBuffer = 6, -+ siAsciiNameString = 7, -+ siAsciiString = 8, -+ siDEROID = 9, -+ siUnsignedInteger = 10, -+ siUTCTime = 11, -+ siGeneralizedTime = 12 -+} SECItemType; -+ -+typedef struct SECItemStr SECItem; -+ -+struct SECItemStr { -+ SECItemType type; -+ unsigned char *data; -+ unsigned int len; -+}; -+ -+typedef SECItem SECKEYECParams; -+ -+typedef enum { ec_params_explicit, -+ ec_params_named -+} ECParamsType; -+ -+typedef enum { ec_field_GFp = 1, -+ ec_field_GF2m -+} ECFieldType; -+ -+struct ECFieldIDStr { -+ int size; /* field size in bits */ -+ ECFieldType type; -+ union { -+ SECItem prime; /* prime p for (GFp) */ -+ SECItem poly; /* irreducible binary polynomial for (GF2m) */ -+ } u; -+ int k1; /* first coefficient of pentanomial or -+ * the only coefficient of trinomial -+ */ -+ int k2; /* two remaining coefficients of pentanomial */ -+ int k3; -+}; -+typedef struct ECFieldIDStr ECFieldID; -+ -+struct ECCurveStr { -+ SECItem a; /* contains octet stream encoding of -+ * field element (X9.62 section 4.3.3) -+ */ -+ SECItem b; -+ SECItem seed; -+}; -+typedef struct ECCurveStr ECCurve; -+ -+typedef void PRArenaPool; -+ -+struct ECParamsStr { -+ PRArenaPool * arena; -+ ECParamsType type; -+ ECFieldID fieldID; -+ ECCurve curve; -+ SECItem base; -+ SECItem order; -+ int cofactor; -+ SECItem DEREncoding; -+ ECCurveName name; -+ SECItem curveOID; -+}; -+typedef struct ECParamsStr ECParams; -+ -+struct ECPublicKeyStr { -+ ECParams ecParams; -+ SECItem publicValue; /* elliptic curve point encoded as -+ * octet stream. -+ */ -+}; -+typedef struct ECPublicKeyStr ECPublicKey; -+ -+struct ECPrivateKeyStr { -+ ECParams ecParams; -+ SECItem publicValue; /* encoded ec point */ -+ SECItem privateValue; /* private big integer */ -+ SECItem version; /* As per SEC 1, Appendix C, Section C.4 */ -+}; -+typedef struct ECPrivateKeyStr ECPrivateKey; -+ -+typedef enum _SECStatus { -+ SECBufferTooSmall = -3, -+ SECWouldBlock = -2, -+ SECFailure = -1, -+ SECSuccess = 0 -+} SECStatus; -+#endif -+ -+#ifdef _KERNEL -+#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l)) -+#else -+/* -+ This function is no longer required because the random bytes are now -+ supplied by the caller. Force a failure. -+*/ -+#ifndef SYSTEM_NSS -+#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure -+#endif -+#endif -+#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup -+#define MP_TO_SEC_ERROR(err) -+ -+#define SECITEM_TO_MPINT(it, mp) \ -+ CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len)) -+ -+extern int ecc_knzero_random_generator(uint8_t *, size_t); -+extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t); -+ -+#ifdef SYSTEM_NSS -+#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b) -+#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c) -+#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e) -+#else -+extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int); -+ -+extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int); -+extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *, -+ int); -+extern void SECITEM_FreeItem(SECItem *, boolean_t); -+ -+/* This function has been modified to accept an array of random bytes */ -+extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey, -+ const unsigned char* random, int randomlen, int); -+/* This function has been modified to accept an array of random bytes */ -+extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *, -+ const unsigned char* random, int randomlen, int, int timing); -+extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *, -+ const SECItem *, int); -+extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t, -+ SECItem *, int); -+#endif -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* _ECC_IMPL_H */