From a421a46438d333a3784056f52020395aaa04b745 Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Fri, 20 Apr 2018 19:39:49 +0200 Subject: [PATCH] Sync with rawhide --- .gitignore | 1 + README.md | 11 + java-openjdk.spec | 67 +-- removeSunEcProvider-RH1154143.patch | 19 - sources | 2 +- system-nss-ec-rh1565658.patch | 654 ++++++++++++++++++++++++++++ update_package.sh | 6 +- 7 files changed, 707 insertions(+), 53 deletions(-) create mode 100644 README.md delete mode 100644 removeSunEcProvider-RH1154143.patch create mode 100644 system-nss-ec-rh1565658.patch diff --git a/.gitignore b/.gitignore index ee1bc2b..0801e98 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ *.rpm /systemtap-tapset-3.6.0pre02.tar.xz /jdk-jdk10-jdk-10+46.tar.xz +/jdk-updates-jdk10u-jdk-10.0.1+10.tar.xz diff --git a/README.md b/README.md new file mode 100644 index 0000000..e3ebf0c --- /dev/null +++ b/README.md @@ -0,0 +1,11 @@ +Rolling release of (usually) STSs OpenJDK +OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. This package is designed to harbore them. Currently it is build on openJDK 10. LTSs (next is 11) will go as separate packages. + +JDK10 is next major release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/10/ and is landing to your Fedora. Where it will be maintained for f27 and newer. Unluckily, it is STS (short term support) version. Between individual LTS will be always several STS. Again, please See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html and See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf . So this is rolling release of all STSs to come. Its fate during the release of fresh LTS is yet to be decided. You will always be allowed to install Used LTS in fedora build root, alongside with latest STS via alternatives. + + +See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html +See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf + +https://bugzilla.redhat.com/show_bug.cgi?id=1557371#c0 +https://fedoraproject.org/wiki/Changes/java-openjdk-10 diff --git a/java-openjdk.spec b/java-openjdk.spec index 2795023..db412b5 100644 --- a/java-openjdk.spec +++ b/java-openjdk.spec @@ -143,14 +143,14 @@ # New Version-String scheme-style defines %global majorver 10 -%global securityver 0 +%global securityver 1 # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global minorver 0 -%global buildver 46 +%global buildver 10 # priority must be 7 digits in total # setting to 1, so debug ones can have 0 %global priority 00000%{minorver}1 @@ -524,6 +524,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so @@ -696,16 +697,13 @@ OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release Provides: java-%{javaver}-%{origin} = %{epoch}:%{version}-%{release} # Standard JPackage base provides -Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre = %{javaver}%{?1} Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release} -Provides: jre = %{javaver}%{?1} Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: java%{?1} = %{epoch}:%{javaver} -# Standard JPackage extensions provides -Provides: java-fonts%{?1} = %{epoch}:%{version} - } %define java_headless_rpo() %{expand: @@ -735,24 +733,14 @@ Requires(postun): %{_sbindir}/alternatives Requires(postun): chkconfig >= 1.7 # Standard JPackage base provides +Provides: jre-headless%{?1} = %{epoch}:%{javaver} Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} -Provides: jre-headless%{?1} = %{epoch}:%{javaver} Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} Provides: java-headless%{?1} = %{epoch}:%{javaver} -# Standard JPackage extensions provides -Provides: jndi%{?1} = %{epoch}:%{version} -Provides: jndi-ldap%{?1} = %{epoch}:%{version} -Provides: jndi-cos%{?1} = %{epoch}:%{version} -Provides: jndi-rmi%{?1} = %{epoch}:%{version} -Provides: jndi-dns%{?1} = %{epoch}:%{version} -Provides: jaas%{?1} = %{epoch}:%{version} -Provides: jsse%{?1} = %{epoch}:%{version} -Provides: jce%{?1} = %{epoch}:%{version} -Provides: jdbc-stdext%{?1} = 4.1 -Provides: java-sasl%{?1} = %{epoch}:%{version} # https://bugzilla.redhat.com/show_bug.cgi?id=1312019 Provides: /usr/bin/jjs @@ -778,6 +766,7 @@ Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version} #Provides: java-sdk-%%{origin}%%{?1} = %%{epoch}:%%{version} #Provides: java-sdk%%{?1} = %%{epoch}:%%{javaver} Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version} +Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version} #Provides: java-devel-%%{origin}%%{?1} = %%{epoch}:%%{version} #Provides: java-devel%%{?1} = %%{epoch}:%%{javaver} @@ -789,7 +778,9 @@ Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version} Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-jmods = %{epoch}:%{version}-%{release} +Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release} } @@ -797,7 +788,9 @@ Provides: java-%{javaver}-%{origin}-jmods = %{epoch}:%{version}-%{release} Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-demo = %{epoch}:%{version}-%{release} +Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} } @@ -832,7 +825,7 @@ Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} Name: java-%{origin} Version: %{newjavaver}.%{buildver} -Release: 10%{?dist} +Release: 1%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -850,7 +843,7 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and GPL+ and GPLv2 and GPLv2 with exceptions and GPL+ and LGPLv2 and MPLv1.0 and MPLv1.1 and Public Domain and W3C URL: http://openjdk.java.net/ -Source0: jdk-jdk%{majorver}-jdk-%{majorver}+%{buildver}.tar.xz +Source0: jdk-updates-jdk%{majorver}u-jdk-%{newjavaver}+%{buildver}.tar.xz # Use 'generate_tarballs.sh' to generate the following tarballs # They are based on code contained in the IcedTea7 project @@ -885,7 +878,7 @@ Patch3: java-atk-wrapper-security.patch Patch4: PStack-808293.patch # Allow multiple initialization of PKCS11 libraries Patch5: multiple-pkcs11-library-init.patch -Patch12: removeSunEcProvider-RH1154143.patch +Patch12: system-nss-ec-rh1565658.patch Patch13: libjpeg-turbo-1.4-compat.patch # follow system wide crypto policy RHBZ#1249083 Patch14: systemCryptoPolicyPR3183.patch @@ -934,7 +927,7 @@ BuildRequires: nss-devel BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip -BuildRequires: java-9-openjdk-devel +BuildRequires: java-openjdk-devel # Zero-assembler build requirement %ifnarch %{jit_arches} BuildRequires: libffi-devel @@ -1284,10 +1277,11 @@ bash ../configure \ --with-version-build=%{buildver} \ --with-version-pre="" \ --with-version-opt="" \ - --with-boot-jdk=/usr/lib/jvm/java-9-openjdk \ + --with-boot-jdk=/usr/lib/jvm/java-%{majorver}-openjdk \ --with-debug-level=$debugbuild \ --with-native-debug-symbols=internal \ --enable-unlimited-crypto \ + --enable-system-nss \ --with-zlib=system \ --with-libjpeg=system \ --with-giflib=system \ @@ -1351,8 +1345,7 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev # Check ECC is working $JAVA_HOME/bin/javac -d . %{SOURCE14} -# FIXME make it run after system NSS support? -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") || true +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib @@ -1495,7 +1488,7 @@ popd # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} cp -a %{buildoutputdir -- $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} -cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{majorver}+%{buildver}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip +cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{newjavaver}+%{buildver}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip # Install icons and menu entries for s in 16 24 32 48 ; do @@ -1735,8 +1728,22 @@ require "copy_jdk_configs.lua" %changelog +* Fri Apr 20 2018 Jiri Vanek - 1:10.0.1.10-1 +- updated to security update 1 +- jexec unlinked from path +- used java-openjdk as boot jdk +- aligned provides/requires +- renamed zip javadoc + +* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-12 +- Enable basic EC ciphers test in %check. + +* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-11 +- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10. +- Resolves RHBZ#1565658 + * Mon Apr 09 2018 Jiri Vanek - 1:10.0.0.46-10 -- fixed stap instal for i686(i386) and arm(armv7hl) +- jexec linked to path * Fri Apr 06 2018 Jiri Vanek - 1:10.0.0.46-9 - subpackage(s) replaced by sub-package(s) and other cosmetic changes diff --git a/removeSunEcProvider-RH1154143.patch b/removeSunEcProvider-RH1154143.patch deleted file mode 100644 index e128232..0000000 --- a/removeSunEcProvider-RH1154143.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security.orig 2018-01-18 12:22:46.148339081 +0100 -+++ openjdk/src/java.base/share/conf/security/java.security 2018-01-18 12:25:12.225469321 +0100 -@@ -66,7 +66,6 @@ - #endif - security.provider.tbd=SUN - security.provider.tbd=SunRsaSign --security.provider.tbd=SunEC - security.provider.tbd=SunJSSE - security.provider.tbd=SunJCE - security.provider.tbd=SunJGSS -@@ -681,7 +680,7 @@ - # Example: - # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 - jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ -- EC keySize < 224, DES40_CBC, RC4_40 -+ EC, ECDHE, ECDH, DES40_CBC, RC4_40 - - # - # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/sources b/sources index e5f4ee4..31d2e7a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (systemtap-tapset-3.6.0pre02.tar.xz) = 848f42ef7ca751e723fd50e3a6da14c0965ad4da37ea3331568658e27497b7a7e4b9aad3dedd264ad0bb5566c37a92302b905f10258a4e2c89dc4ba609e55481 -SHA512 (jdk-jdk10-jdk-10+46.tar.xz) = 6412a0cf2cfcce0a6df35f9250964d2b1f9edc110534e905a9add4a036ba6884506f5f5990d1e1d1e2db406180dae8e20097c5cf44a15c7b7b60558b95049359 +SHA512 (jdk-updates-jdk10u-jdk-10.0.1+10.tar.xz) = e57810a4208bb12a6b37f5e8313e30c489e6611ec6be8e7a8fb3c0ae9f1842803a3775bc7cc1f597064444fb4fabae5798a4447712fbf547f7021dd0da384613 diff --git a/system-nss-ec-rh1565658.patch b/system-nss-ec-rh1565658.patch new file mode 100644 index 0000000..7b1d4aa --- /dev/null +++ b/system-nss-ec-rh1565658.patch @@ -0,0 +1,654 @@ +diff --git openjdk/make/autoconf/jdk-options.m4 openjdk/make/autoconf/jdk-options.m4 +--- openjdk/make/autoconf/jdk-options.m4 ++++ openjdk/make/autoconf/jdk-options.m4 +@@ -264,9 +264,10 @@ + # + AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC], + [ ++ AC_REQUIRE([LIB_SETUP_MISC_LIBS]) + AC_MSG_CHECKING([if elliptic curve crypto implementation is present]) + +- if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then ++ if test "x${system_nss}" = "xyes" -o -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then + ENABLE_INTREE_EC=true + AC_MSG_RESULT([yes]) + else +diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4 +--- openjdk/make/autoconf/libraries.m4 ++++ openjdk/make/autoconf/libraries.m4 +@@ -175,6 +175,48 @@ + AC_SUBST(LIBDL) + LIBS="$save_LIBS" + ++ ############################################################################### ++ # ++ # Check for the NSS libraries ++ # ++ ++ AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries]) ++ ++ # default is bundled ++ DEFAULT_SYSTEM_NSS=no ++ ++ AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss], ++ [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ system_nss=yes ++ ;; ++ *) ++ system_nss=no ++ ;; ++ esac ++ ], ++ [ ++ system_nss=${DEFAULT_SYSTEM_NSS} ++ ]) ++ AC_MSG_RESULT([$system_nss]) ++ ++ if test "x${system_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS_SOFTTKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no]) ++ PKG_CHECK_MODULES(NSS, nss >= 3.16.1, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_SOFTOKN_FOUND}" = "xyes" -a "x${NSS_FOUND}" = "xyes"; then ++ NSS_LIBS="$NSS_SOFTOKN_LIBS $NSS_LIBS -lfreebl"; ++ USE_EXTERNAL_NSS=true ++ else ++ AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.]) ++ fi ++ else ++ USE_EXTERNAL_NSS=false ++ fi ++ AC_SUBST(USE_EXTERNAL_NSS) ++ ++ + # Deprecated libraries, keep the flags for backwards compatibility + if test "x$OPENJDK_TARGET_OS" = "xwindows"; then + BASIC_DEPRECATED_ARG_WITH([dxsdk]) +diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in +--- openjdk/make/autoconf/spec.gmk.in ++++ openjdk/make/autoconf/spec.gmk.in +@@ -764,6 +764,10 @@ + # Libraries + # + ++USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git openjdk/make/lib/Lib-jdk.crypto.ec.gmk openjdk/make/lib/Lib-jdk.crypto.ec.gmk +--- openjdk/make/lib/Lib-jdk.crypto.ec.gmk ++++ openjdk/make/lib/Lib-jdk.crypto.ec.gmk +@@ -29,9 +29,15 @@ + + ifeq ($(ENABLE_INTREE_EC), true) + +- LIBSUNEC_SRC := $(TOPDIR)/src/jdk.crypto.ec/share/native/libsunec + BUILD_LIBSUNEC_FLAGS := $(addprefix -I, $(SUNEC_SRC)) + ++ ifeq ($(USE_EXTERNAL_NSS), true) ++ LIBSUNEC_SRC := $(TOPDIR)/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp ++ BUILD_LIBSUNEC_FLAGS += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC ++ else ++ LIBSUNEC_SRC := $(TOPDIR)/src/jdk.crypto.ec/share/native/libsunec ++ endif ++ + # + # On sol-sparc...all libraries are compiled with -xregs=no%appl + # (set in CFLAGS_REQUIRED_sparc) +@@ -60,7 +66,7 @@ + LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \ + LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \ + LIBS := $(LIBCXX), \ +- LIBS_linux := -lc, \ ++ LIBS_linux := -lc $(NSS_LIBS), \ + LIBS_solaris := -lc, \ + VERSIONINFO_RESOURCE := $(GLOBAL_VERSION_INFO_RESOURCE), \ + RC_FLAGS := $(RC_FLAGS) \ +diff --git openjdk/make/mapfiles/libsunec/mapfile-vers openjdk/make/mapfiles/libsunec/mapfile-vers +--- openjdk/make/mapfiles/libsunec/mapfile-vers ++++ openjdk/make/mapfiles/libsunec/mapfile-vers +@@ -31,6 +31,7 @@ + Java_sun_security_ec_ECDSASignature_signDigest; + Java_sun_security_ec_ECDSASignature_verifySignedDigest; + Java_sun_security_ec_ECDHKeyAgreement_deriveKey; ++ Java_sun_security_ec_SunEC_initialize; + local: + *; + }; +diff --git openjdk/src/java.base/unix/native/include/jni_md.h openjdk/src/java.base/unix/native/include/jni_md.h +--- openjdk/src/java.base/unix/native/include/jni_md.h ++++ openjdk/src/java.base/unix/native/include/jni_md.h +@@ -36,6 +36,11 @@ + #define JNIEXPORT + #define JNIIMPORT + #endif ++#if (defined(__GNUC__)) || __has_attribute(unused) ++ #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__)) ++#else ++ #define UNUSED(x) UNUSED_ ## x ++#endif + + #define JNICALL + +diff --git openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +--- openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ++++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +@@ -61,6 +61,7 @@ + AccessController.doPrivileged(new PrivilegedAction() { + public Void run() { + System.loadLibrary("sunec"); // check for native library ++ initialize(); + return null; + } + }); +@@ -272,4 +273,9 @@ + putService(new ProviderService(this, "KeyAgreement", + "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); + } ++ ++ /** ++ * Initialize the native code. ++ */ ++ private static native void initialize(); + } +diff --git openjdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp openjdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp +--- openjdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp ++++ openjdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp +@@ -25,7 +25,11 @@ + + #include + #include "jni_util.h" ++#ifdef SYSTEM_NSS ++#include "ecc_impl.h" ++#else + #include "impl/ecc_impl.h" ++#endif + + #define ILLEGAL_STATE_EXCEPTION "java/lang/IllegalStateException" + #define INVALID_ALGORITHM_PARAMETER_EXCEPTION \ +@@ -33,6 +37,13 @@ + #define INVALID_PARAMETER_EXCEPTION \ + "java/security/InvalidParameterException" + #define KEY_EXCEPTION "java/security/KeyException" ++#define INTERNAL_ERROR "java/lang/InternalError" ++ ++#ifdef SYSTEM_NSS ++#define SYSTEM_UNUSED(x) UNUSED(x) ++#else ++#define SYSTEM_UNUSED(x) x ++#endif + + extern "C" { + +@@ -55,8 +66,13 @@ + /* + * Deep free of the ECParams struct + */ +-void FreeECParams(ECParams *ecparams, jboolean freeStruct) ++void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct)) + { ++#ifdef SYSTEM_NSS ++ // Needs to be freed using the matching method to the one ++ // that allocated it. PR_TRUE means the memory is zeroed. ++ PORT_FreeArena(ecparams->arena, PR_TRUE); ++#else + // Use B_FALSE to free the SECItem->data element, but not the SECItem itself + // Use B_TRUE to free both + +@@ -70,6 +86,7 @@ + SECITEM_FreeItem(&ecparams->curveOID, B_FALSE); + if (freeStruct) + free(ecparams); ++#endif + } + + jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem) +@@ -95,7 +112,7 @@ + */ + JNIEXPORT jobjectArray + JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair +- (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed) ++ (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed) + { + ECPrivateKey *privKey = NULL; // contains both public and private values + ECParams *ecparams = NULL; +@@ -127,8 +144,17 @@ + env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer); + + // Generate the new keypair (using the supplied seed) ++#ifdef SYSTEM_NSS ++ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength) ++ != SECSuccess) { ++ ThrowException(env, KEY_EXCEPTION); ++ goto cleanup; ++ } ++ if (EC_NewKey(ecparams, &privKey) != SECSuccess) { ++#else + if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer, + jSeedLength, 0) != SECSuccess) { ++#endif + ThrowException(env, KEY_EXCEPTION); + goto cleanup; + } +@@ -175,10 +201,15 @@ + } + if (privKey) { + FreeECParams(&privKey->ecParams, false); ++#ifndef SYSTEM_NSS ++ // The entire ECPrivateKey is allocated in the arena ++ // when using system NSS, so only the in-tree version ++ // needs to clear these manually. + SECITEM_FreeItem(&privKey->version, B_FALSE); + SECITEM_FreeItem(&privKey->privateValue, B_FALSE); + SECITEM_FreeItem(&privKey->publicValue, B_FALSE); + free(privKey); ++#endif + } + + if (pSeedBuffer) { +@@ -196,7 +227,7 @@ + */ + JNIEXPORT jbyteArray + JNICALL Java_sun_security_ec_ECDSASignature_signDigest +- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) ++ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) + { + jbyte* pDigestBuffer = NULL; + jint jDigestLength = env->GetArrayLength(digest); +@@ -255,8 +286,18 @@ + env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer); + + // Sign the digest (using the supplied seed) ++#ifdef SYSTEM_NSS ++ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength) ++ != SECSuccess) { ++ ThrowException(env, KEY_EXCEPTION); ++ goto cleanup; ++ } ++ if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item) ++ != SECSuccess) { ++#else + if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item, + (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) { ++#endif + ThrowException(env, KEY_EXCEPTION); + goto cleanup; + } +@@ -305,7 +346,7 @@ + */ + JNIEXPORT jboolean + JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest +- (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) ++ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) + { + jboolean isValid = false; + +@@ -362,9 +403,10 @@ + + cleanup: + { +- if (params_item.data) ++ if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); ++ } + + if (pubKey.publicValue.data) + env->ReleaseByteArrayElements(publicKey, +@@ -390,7 +432,7 @@ + */ + JNIEXPORT jbyteArray + JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey +- (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) ++ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) + { + jbyteArray jSecret = NULL; + ECParams *ecparams = NULL; +@@ -466,9 +508,10 @@ + env->ReleaseByteArrayElements(publicKey, + (jbyte *) publicValue_item.data, JNI_ABORT); + +- if (params_item.data) ++ if (params_item.data) { + env->ReleaseByteArrayElements(encodedParams, + (jbyte *) params_item.data, JNI_ABORT); ++ } + + if (ecparams) + FreeECParams(ecparams, true); +@@ -477,4 +520,28 @@ + return jSecret; + } + ++JNIEXPORT void ++JNICALL Java_sun_security_ec_SunEC_initialize ++ (JNIEnv *env, jclass UNUSED(clazz)) ++{ ++#ifdef SYSTEM_NSS ++ if (SECOID_Init() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ } ++ if (RNG_RNGInit() != SECSuccess) { ++ ThrowException(env, INTERNAL_ERROR); ++ } ++#endif ++} ++ ++JNIEXPORT void ++JNICALL JNI_OnUnload ++ (JavaVM *vm, void *reserved) ++{ ++#ifdef SYSTEM_NSS ++ RNG_RNGShutdown(); ++ SECOID_Shutdown(); ++#endif ++} ++ + } /* extern "C" */ +diff --git openjdk/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h openjdk/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h +new file mode 100644 +--- /dev/null ++++ openjdk/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h +@@ -0,0 +1,298 @@ ++/* ++ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. ++ * Use is subject to license terms. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this library; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++/* ********************************************************************* ++ * ++ * The Original Code is the Netscape security libraries. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1994-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * Dr Vipul Gupta and ++ * Douglas Stebila , Sun Microsystems Laboratories ++ * ++ * Last Modified Date from the Original Code: May 2017 ++ *********************************************************************** */ ++ ++#ifndef _ECC_IMPL_H ++#define _ECC_IMPL_H ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++#include ++ ++#ifdef SYSTEM_NSS ++#include ++#include ++#include ++#ifdef LEGACY_NSS ++#include ++#else ++#include ++#endif ++#else ++#include "ecl-exp.h" ++#endif ++ ++/* ++ * Multi-platform definitions ++ */ ++#ifdef __linux__ ++#define B_FALSE FALSE ++#define B_TRUE TRUE ++typedef unsigned char uint8_t; ++typedef unsigned long ulong_t; ++typedef enum { B_FALSE, B_TRUE } boolean_t; ++#endif /* __linux__ */ ++ ++#ifdef _ALLBSD_SOURCE ++#include ++#define B_FALSE FALSE ++#define B_TRUE TRUE ++typedef unsigned long ulong_t; ++typedef enum boolean { B_FALSE, B_TRUE } boolean_t; ++#endif /* _ALLBSD_SOURCE */ ++ ++#ifdef AIX ++#define B_FALSE FALSE ++#define B_TRUE TRUE ++typedef unsigned char uint8_t; ++typedef unsigned long ulong_t; ++#endif /* AIX */ ++ ++#ifdef _WIN32 ++typedef unsigned char uint8_t; ++typedef unsigned long ulong_t; ++typedef enum boolean { B_FALSE, B_TRUE } boolean_t; ++#define strdup _strdup /* Replace POSIX name with ISO C++ name */ ++#endif /* _WIN32 */ ++ ++#ifndef _KERNEL ++#include ++#endif /* _KERNEL */ ++ ++#define EC_MAX_DIGEST_LEN 1024 /* max digest that can be signed */ ++#define EC_MAX_POINT_LEN 145 /* max len of DER encoded Q */ ++#define EC_MAX_VALUE_LEN 72 /* max len of ANSI X9.62 private value d */ ++#define EC_MAX_SIG_LEN 144 /* max signature len for supported curves */ ++#define EC_MIN_KEY_LEN 112 /* min key length in bits */ ++#define EC_MAX_KEY_LEN 571 /* max key length in bits */ ++#define EC_MAX_OID_LEN 10 /* max length of OID buffer */ ++ ++/* ++ * Various structures and definitions from NSS are here. ++ */ ++ ++#ifndef SYSTEM_NSS ++#ifdef _KERNEL ++#define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f)) ++#define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f)) ++#define PORT_ArenaGrow(a, b, c, d) NULL ++#define PORT_ZAlloc(n, f) kmem_zalloc((n), (f)) ++#define PORT_Alloc(n, f) kmem_alloc((n), (f)) ++#else ++#define PORT_ArenaAlloc(a, n, f) malloc((n)) ++#define PORT_ArenaZAlloc(a, n, f) calloc(1, (n)) ++#define PORT_ArenaGrow(a, b, c, d) NULL ++#define PORT_ZAlloc(n, f) calloc(1, (n)) ++#define PORT_Alloc(n, f) malloc((n)) ++#endif ++ ++#define PORT_NewArena(b) (char *)12345 ++#define PORT_ArenaMark(a) NULL ++#define PORT_ArenaUnmark(a, b) ++#define PORT_ArenaRelease(a, m) ++#define PORT_FreeArena(a, b) ++#define PORT_Strlen(s) strlen((s)) ++#define PORT_SetError(e) ++ ++#define PRBool boolean_t ++#define PR_TRUE B_TRUE ++#define PR_FALSE B_FALSE ++ ++#ifdef _KERNEL ++#define PORT_Assert ASSERT ++#define PORT_Memcpy(t, f, l) bcopy((f), (t), (l)) ++#else ++#define PORT_Assert assert ++#define PORT_Memcpy(t, f, l) memcpy((t), (f), (l)) ++#endif ++ ++#endif ++ ++#define CHECK_OK(func) if (func == NULL) goto cleanup ++#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup ++ ++#ifndef SYSTEM_NSS ++typedef enum { ++ siBuffer = 0, ++ siClearDataBuffer = 1, ++ siCipherDataBuffer = 2, ++ siDERCertBuffer = 3, ++ siEncodedCertBuffer = 4, ++ siDERNameBuffer = 5, ++ siEncodedNameBuffer = 6, ++ siAsciiNameString = 7, ++ siAsciiString = 8, ++ siDEROID = 9, ++ siUnsignedInteger = 10, ++ siUTCTime = 11, ++ siGeneralizedTime = 12 ++} SECItemType; ++ ++typedef struct SECItemStr SECItem; ++ ++struct SECItemStr { ++ SECItemType type; ++ unsigned char *data; ++ unsigned int len; ++}; ++ ++typedef SECItem SECKEYECParams; ++ ++typedef enum { ec_params_explicit, ++ ec_params_named ++} ECParamsType; ++ ++typedef enum { ec_field_GFp = 1, ++ ec_field_GF2m ++} ECFieldType; ++ ++struct ECFieldIDStr { ++ int size; /* field size in bits */ ++ ECFieldType type; ++ union { ++ SECItem prime; /* prime p for (GFp) */ ++ SECItem poly; /* irreducible binary polynomial for (GF2m) */ ++ } u; ++ int k1; /* first coefficient of pentanomial or ++ * the only coefficient of trinomial ++ */ ++ int k2; /* two remaining coefficients of pentanomial */ ++ int k3; ++}; ++typedef struct ECFieldIDStr ECFieldID; ++ ++struct ECCurveStr { ++ SECItem a; /* contains octet stream encoding of ++ * field element (X9.62 section 4.3.3) ++ */ ++ SECItem b; ++ SECItem seed; ++}; ++typedef struct ECCurveStr ECCurve; ++ ++typedef void PRArenaPool; ++ ++struct ECParamsStr { ++ PRArenaPool * arena; ++ ECParamsType type; ++ ECFieldID fieldID; ++ ECCurve curve; ++ SECItem base; ++ SECItem order; ++ int cofactor; ++ SECItem DEREncoding; ++ ECCurveName name; ++ SECItem curveOID; ++}; ++typedef struct ECParamsStr ECParams; ++ ++struct ECPublicKeyStr { ++ ECParams ecParams; ++ SECItem publicValue; /* elliptic curve point encoded as ++ * octet stream. ++ */ ++}; ++typedef struct ECPublicKeyStr ECPublicKey; ++ ++struct ECPrivateKeyStr { ++ ECParams ecParams; ++ SECItem publicValue; /* encoded ec point */ ++ SECItem privateValue; /* private big integer */ ++ SECItem version; /* As per SEC 1, Appendix C, Section C.4 */ ++}; ++typedef struct ECPrivateKeyStr ECPrivateKey; ++ ++typedef enum _SECStatus { ++ SECBufferTooSmall = -3, ++ SECWouldBlock = -2, ++ SECFailure = -1, ++ SECSuccess = 0 ++} SECStatus; ++#endif ++ ++#ifdef _KERNEL ++#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l)) ++#else ++/* ++ This function is no longer required because the random bytes are now ++ supplied by the caller. Force a failure. ++*/ ++#ifndef SYSTEM_NSS ++#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure ++#endif ++#endif ++#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup ++#define MP_TO_SEC_ERROR(err) ++ ++#define SECITEM_TO_MPINT(it, mp) \ ++ CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len)) ++ ++extern int ecc_knzero_random_generator(uint8_t *, size_t); ++extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t); ++ ++#ifdef SYSTEM_NSS ++#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b) ++#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c) ++#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e) ++#else ++extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int); ++ ++extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int); ++extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *, ++ int); ++extern void SECITEM_FreeItem(SECItem *, boolean_t); ++ ++/* This function has been modified to accept an array of random bytes */ ++extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey, ++ const unsigned char* random, int randomlen, int); ++/* This function has been modified to accept an array of random bytes */ ++extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *, ++ const unsigned char* random, int randomlen, int, int timing); ++extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *, ++ const SECItem *, int); ++extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t, ++ SECItem *, int); ++#endif ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* _ECC_IMPL_H */ diff --git a/update_package.sh b/update_package.sh index 3d513b9..5d0f330 100644 --- a/update_package.sh +++ b/update_package.sh @@ -25,13 +25,13 @@ fi set -e if [ "x$PROJECT_NAME" = "x" ] ; then - PROJECT_NAME="jdk" + PROJECT_NAME="jdk-updates" fi if [ "x$REPO_NAME" = "x" ] ; then - REPO_NAME="jdk10" + REPO_NAME="jdk10u" fi if [ "x$VERSION" = "x" ] ; then - VERSION="jdk-10+46" + VERSION="jdk-10.0.1+10" fi if [ "x$COMPRESSION" = "x" ] ; then