| |
@@ -1,434 +0,0 @@
|
| |
- diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4
|
| |
- --- a/make/autoconf/jdk-options.m4
|
| |
- +++ b/make/autoconf/jdk-options.m4
|
| |
- @@ -267,9 +267,10 @@
|
| |
- #
|
| |
- AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC],
|
| |
- [
|
| |
- + AC_REQUIRE([LIB_SETUP_MISC_LIBS])
|
| |
- AC_MSG_CHECKING([if elliptic curve crypto implementation is present])
|
| |
-
|
| |
- - if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
|
| |
- + if test "x${system_nss}" = "xyes" -o -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
|
| |
- ENABLE_INTREE_EC=true
|
| |
- AC_MSG_RESULT([yes])
|
| |
- else
|
| |
- diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
|
| |
- --- a/make/autoconf/libraries.m4
|
| |
- +++ b/make/autoconf/libraries.m4
|
| |
- @@ -178,6 +178,48 @@
|
| |
- AC_SUBST(LIBDL)
|
| |
- LIBS="$save_LIBS"
|
| |
-
|
| |
- + ###############################################################################
|
| |
- + #
|
| |
- + # Check for the NSS libraries
|
| |
- + #
|
| |
- +
|
| |
- + AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries])
|
| |
- +
|
| |
- + # default is bundled
|
| |
- + DEFAULT_SYSTEM_NSS=no
|
| |
- +
|
| |
- + AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss],
|
| |
- + [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])],
|
| |
- + [
|
| |
- + case "${enableval}" in
|
| |
- + yes)
|
| |
- + system_nss=yes
|
| |
- + ;;
|
| |
- + *)
|
| |
- + system_nss=no
|
| |
- + ;;
|
| |
- + esac
|
| |
- + ],
|
| |
- + [
|
| |
- + system_nss=${DEFAULT_SYSTEM_NSS}
|
| |
- + ])
|
| |
- + AC_MSG_RESULT([$system_nss])
|
| |
- +
|
| |
- + if test "x${system_nss}" = "xyes"; then
|
| |
- + PKG_CHECK_MODULES(NSS_SOFTTKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no])
|
| |
- + PKG_CHECK_MODULES(NSS, nss >= 3.16.1, [NSS_FOUND=yes], [NSS_FOUND=no])
|
| |
- + if test "x${NSS_SOFTOKN_FOUND}" = "xyes" -a "x${NSS_FOUND}" = "xyes"; then
|
| |
- + NSS_LIBS="$NSS_SOFTOKN_LIBS $NSS_LIBS -lfreebl";
|
| |
- + USE_EXTERNAL_NSS=true
|
| |
- + else
|
| |
- + AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.])
|
| |
- + fi
|
| |
- + else
|
| |
- + USE_EXTERNAL_NSS=false
|
| |
- + fi
|
| |
- + AC_SUBST(USE_EXTERNAL_NSS)
|
| |
- +
|
| |
- +
|
| |
- # Deprecated libraries, keep the flags for backwards compatibility
|
| |
- if test "x$OPENJDK_TARGET_OS" = "xwindows"; then
|
| |
- BASIC_DEPRECATED_ARG_WITH([dxsdk])
|
| |
- diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
|
| |
- --- a/make/autoconf/spec.gmk.in
|
| |
- +++ b/make/autoconf/spec.gmk.in
|
| |
- @@ -795,6 +795,10 @@
|
| |
- # Libraries
|
| |
- #
|
| |
-
|
| |
- +USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@
|
| |
- +NSS_LIBS:=@NSS_LIBS@
|
| |
- +NSS_CFLAGS:=@NSS_CFLAGS@
|
| |
- +
|
| |
- USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
|
| |
- LCMS_CFLAGS:=@LCMS_CFLAGS@
|
| |
- LCMS_LIBS:=@LCMS_LIBS@
|
| |
- diff --git a/make/lib/Lib-jdk.crypto.ec.gmk b/make/lib/Lib-jdk.crypto.ec.gmk
|
| |
- --- a/make/lib/Lib-jdk.crypto.ec.gmk
|
| |
- +++ b/make/lib/Lib-jdk.crypto.ec.gmk
|
| |
- @@ -38,6 +38,11 @@
|
| |
- BUILD_LIBSUNEC_CXXFLAGS_JDKLIB := $(CXXFLAGS_JDKLIB)
|
| |
- endif
|
| |
-
|
| |
- + ifeq ($(USE_EXTERNAL_NSS), true)
|
| |
- + BUILD_LIBSUNEC_CFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
|
| |
- + BUILD_LIBSUNEC_CXXFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
|
| |
- + endif
|
| |
- +
|
| |
- $(eval $(call SetupJdkLibrary, BUILD_LIBSUNEC, \
|
| |
- NAME := sunec, \
|
| |
- TOOLCHAIN := TOOLCHAIN_LINK_CXX, \
|
| |
- @@ -47,9 +52,11 @@
|
| |
- CXXFLAGS := $(BUILD_LIBSUNEC_CXXFLAGS_JDKLIB), \
|
| |
- DISABLED_WARNINGS_gcc := sign-compare implicit-fallthrough, \
|
| |
- DISABLED_WARNINGS_microsoft := 4101 4244 4146 4018, \
|
| |
- - LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \
|
| |
- + LDFLAGS := $(subst -Xlinker --as-needed,, \
|
| |
- + $(subst -Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) $(LDFLAGS_CXX_JDK), \
|
| |
- LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \
|
| |
- LIBS := $(LIBCXX), \
|
| |
- + LIBS_linux := -lc $(NSS_LIBS), \
|
| |
- ))
|
| |
-
|
| |
- TARGETS += $(BUILD_LIBSUNEC)
|
| |
- diff --git a/src/java.base/unix/native/include/jni_md.h b/src/java.base/unix/native/include/jni_md.h
|
| |
- --- a/src/java.base/unix/native/include/jni_md.h
|
| |
- +++ b/src/java.base/unix/native/include/jni_md.h
|
| |
- @@ -41,6 +41,11 @@
|
| |
- #define JNIEXPORT
|
| |
- #define JNIIMPORT
|
| |
- #endif
|
| |
- +#if (defined(__GNUC__)) || __has_attribute(unused)
|
| |
- + #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__))
|
| |
- +#else
|
| |
- + #define UNUSED(x) UNUSED_ ## x
|
| |
- +#endif
|
| |
-
|
| |
- #define JNICALL
|
| |
-
|
| |
- diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
|
| |
- --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
|
| |
- +++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
|
| |
- @@ -61,6 +61,7 @@
|
| |
- AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
| |
- public Void run() {
|
| |
- System.loadLibrary("sunec"); // check for native library
|
| |
- + initialize();
|
| |
- return null;
|
| |
- }
|
| |
- });
|
| |
- @@ -293,6 +294,11 @@
|
| |
- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
|
| |
- }
|
| |
-
|
| |
- + /**
|
| |
- + * Initialize the native code.
|
| |
- + */
|
| |
- + private static native void initialize();
|
| |
- +
|
| |
- private void putXDHEntries() {
|
| |
-
|
| |
- HashMap<String, String> ATTRS = new HashMap<>(1);
|
| |
- diff --git a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
|
| |
- --- a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
|
| |
- +++ b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
|
| |
- @@ -25,7 +25,11 @@
|
| |
-
|
| |
- #include <jni.h>
|
| |
- #include "jni_util.h"
|
| |
- +#ifdef SYSTEM_NSS
|
| |
- +#include "ecc_impl.h"
|
| |
- +#else
|
| |
- #include "impl/ecc_impl.h"
|
| |
- +#endif
|
| |
- #include "sun_security_ec_ECDHKeyAgreement.h"
|
| |
- #include "sun_security_ec_ECKeyPairGenerator.h"
|
| |
- #include "sun_security_ec_ECDSASignature.h"
|
| |
- @@ -33,6 +37,13 @@
|
| |
- #define INVALID_PARAMETER_EXCEPTION \
|
| |
- "java/security/InvalidParameterException"
|
| |
- #define KEY_EXCEPTION "java/security/KeyException"
|
| |
- +#define INTERNAL_ERROR "java/lang/InternalError"
|
| |
- +
|
| |
- +#ifdef SYSTEM_NSS
|
| |
- +#define SYSTEM_UNUSED(x) UNUSED(x)
|
| |
- +#else
|
| |
- +#define SYSTEM_UNUSED(x) x
|
| |
- +#endif
|
| |
-
|
| |
- extern "C" {
|
| |
-
|
| |
- @@ -55,8 +66,13 @@
|
| |
- /*
|
| |
- * Deep free of the ECParams struct
|
| |
- */
|
| |
- -void FreeECParams(ECParams *ecparams, jboolean freeStruct)
|
| |
- +void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct))
|
| |
- {
|
| |
- +#ifdef SYSTEM_NSS
|
| |
- + // Needs to be freed using the matching method to the one
|
| |
- + // that allocated it. PR_TRUE means the memory is zeroed.
|
| |
- + PORT_FreeArena(ecparams->arena, PR_TRUE);
|
| |
- +#else
|
| |
- // Use B_FALSE to free the SECItem->data element, but not the SECItem itself
|
| |
- // Use B_TRUE to free both
|
| |
-
|
| |
- @@ -70,6 +86,7 @@
|
| |
- SECITEM_FreeItem(&ecparams->curveOID, B_FALSE);
|
| |
- if (freeStruct)
|
| |
- free(ecparams);
|
| |
- +#endif
|
| |
- }
|
| |
-
|
| |
- jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem)
|
| |
- @@ -139,7 +156,7 @@
|
| |
- */
|
| |
- JNIEXPORT jobjectArray
|
| |
- JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair
|
| |
- - (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed)
|
| |
- + (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed)
|
| |
- {
|
| |
- ECPrivateKey *privKey = NULL; // contains both public and private values
|
| |
- ECParams *ecparams = NULL;
|
| |
- @@ -171,8 +188,17 @@
|
| |
- env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
|
| |
-
|
| |
- // Generate the new keypair (using the supplied seed)
|
| |
- +#ifdef SYSTEM_NSS
|
| |
- + if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
|
| |
- + != SECSuccess) {
|
| |
- + ThrowException(env, KEY_EXCEPTION);
|
| |
- + goto cleanup;
|
| |
- + }
|
| |
- + if (EC_NewKey(ecparams, &privKey) != SECSuccess) {
|
| |
- +#else
|
| |
- if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer,
|
| |
- jSeedLength, 0) != SECSuccess) {
|
| |
- +#endif
|
| |
- ThrowException(env, KEY_EXCEPTION);
|
| |
- goto cleanup;
|
| |
- }
|
| |
- @@ -219,10 +245,15 @@
|
| |
- }
|
| |
- if (privKey) {
|
| |
- FreeECParams(&privKey->ecParams, false);
|
| |
- +#ifndef SYSTEM_NSS
|
| |
- + // The entire ECPrivateKey is allocated in the arena
|
| |
- + // when using system NSS, so only the in-tree version
|
| |
- + // needs to clear these manually.
|
| |
- SECITEM_FreeItem(&privKey->version, B_FALSE);
|
| |
- SECITEM_FreeItem(&privKey->privateValue, B_FALSE);
|
| |
- SECITEM_FreeItem(&privKey->publicValue, B_FALSE);
|
| |
- free(privKey);
|
| |
- +#endif
|
| |
- }
|
| |
-
|
| |
- if (pSeedBuffer) {
|
| |
- @@ -240,7 +271,7 @@
|
| |
- */
|
| |
- JNIEXPORT jbyteArray
|
| |
- JNICALL Java_sun_security_ec_ECDSASignature_signDigest
|
| |
- - (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
|
| |
- + (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
|
| |
- {
|
| |
- jbyte* pDigestBuffer = NULL;
|
| |
- jint jDigestLength = env->GetArrayLength(digest);
|
| |
- @@ -299,8 +330,18 @@
|
| |
- env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
|
| |
-
|
| |
- // Sign the digest (using the supplied seed)
|
| |
- +#ifdef SYSTEM_NSS
|
| |
- + if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
|
| |
- + != SECSuccess) {
|
| |
- + ThrowException(env, KEY_EXCEPTION);
|
| |
- + goto cleanup;
|
| |
- + }
|
| |
- + if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item)
|
| |
- + != SECSuccess) {
|
| |
- +#else
|
| |
- if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
|
| |
- (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) {
|
| |
- +#endif
|
| |
- ThrowException(env, KEY_EXCEPTION);
|
| |
- goto cleanup;
|
| |
- }
|
| |
- @@ -349,7 +390,7 @@
|
| |
- */
|
| |
- JNIEXPORT jboolean
|
| |
- JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest
|
| |
- - (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
|
| |
- + (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
|
| |
- {
|
| |
- jboolean isValid = false;
|
| |
-
|
| |
- @@ -406,9 +447,10 @@
|
| |
-
|
| |
- cleanup:
|
| |
- {
|
| |
- - if (params_item.data)
|
| |
- + if (params_item.data) {
|
| |
- env->ReleaseByteArrayElements(encodedParams,
|
| |
- (jbyte *) params_item.data, JNI_ABORT);
|
| |
- + }
|
| |
-
|
| |
- if (pubKey.publicValue.data)
|
| |
- env->ReleaseByteArrayElements(publicKey,
|
| |
- @@ -434,7 +476,7 @@
|
| |
- */
|
| |
- JNIEXPORT jbyteArray
|
| |
- JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey
|
| |
- - (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
|
| |
- + (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
|
| |
- {
|
| |
- jbyteArray jSecret = NULL;
|
| |
- ECParams *ecparams = NULL;
|
| |
- @@ -510,9 +552,10 @@
|
| |
- env->ReleaseByteArrayElements(publicKey,
|
| |
- (jbyte *) publicValue_item.data, JNI_ABORT);
|
| |
-
|
| |
- - if (params_item.data)
|
| |
- + if (params_item.data) {
|
| |
- env->ReleaseByteArrayElements(encodedParams,
|
| |
- (jbyte *) params_item.data, JNI_ABORT);
|
| |
- + }
|
| |
-
|
| |
- if (ecparams)
|
| |
- FreeECParams(ecparams, true);
|
| |
- @@ -521,4 +564,28 @@
|
| |
- return jSecret;
|
| |
- }
|
| |
-
|
| |
- +JNIEXPORT void
|
| |
- +JNICALL Java_sun_security_ec_SunEC_initialize
|
| |
- + (JNIEnv *env, jclass UNUSED(clazz))
|
| |
- +{
|
| |
- +#ifdef SYSTEM_NSS
|
| |
- + if (SECOID_Init() != SECSuccess) {
|
| |
- + ThrowException(env, INTERNAL_ERROR);
|
| |
- + }
|
| |
- + if (RNG_RNGInit() != SECSuccess) {
|
| |
- + ThrowException(env, INTERNAL_ERROR);
|
| |
- + }
|
| |
- +#endif
|
| |
- +}
|
| |
- +
|
| |
- +JNIEXPORT void
|
| |
- +JNICALL JNI_OnUnload
|
| |
- + (JavaVM *vm, void *reserved)
|
| |
- +{
|
| |
- +#ifdef SYSTEM_NSS
|
| |
- + RNG_RNGShutdown();
|
| |
- + SECOID_Shutdown();
|
| |
- +#endif
|
| |
- +}
|
| |
- +
|
| |
- } /* extern "C" */
|
| |
- --- a/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-11 00:01:25.000000000 -0500
|
| |
- +++ b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-14 03:52:54.145695946 -0500
|
| |
- @@ -45,7 +45,19 @@
|
| |
- #endif
|
| |
-
|
| |
- #include <sys/types.h>
|
| |
- +
|
| |
- +#ifdef SYSTEM_NSS
|
| |
- +#include <secitem.h>
|
| |
- +#include <secerr.h>
|
| |
- +#include <keythi.h>
|
| |
- +#ifdef LEGACY_NSS
|
| |
- +#include <softoken.h>
|
| |
- +#else
|
| |
- +#include <blapi.h>
|
| |
- +#endif
|
| |
- +#else
|
| |
- #include "ecl-exp.h"
|
| |
- +#endif
|
| |
-
|
| |
- /*
|
| |
- * Multi-platform definitions
|
| |
- @@ -96,6 +108,7 @@
|
| |
- * Various structures and definitions from NSS are here.
|
| |
- */
|
| |
-
|
| |
- +#ifndef SYSTEM_NSS
|
| |
- #ifdef _KERNEL
|
| |
- #define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f))
|
| |
- #define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f))
|
| |
- @@ -130,9 +143,12 @@
|
| |
- #define PORT_Memcpy(t, f, l) memcpy((t), (f), (l))
|
| |
- #endif
|
| |
-
|
| |
- +#endif
|
| |
- +
|
| |
- #define CHECK_OK(func) if (func == NULL) goto cleanup
|
| |
- #define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
|
| |
-
|
| |
- +#ifndef SYSTEM_NSS
|
| |
- typedef enum {
|
| |
- siBuffer = 0,
|
| |
- siClearDataBuffer = 1,
|
| |
- @@ -229,6 +245,7 @@
|
| |
- SECFailure = -1,
|
| |
- SECSuccess = 0
|
| |
- } SECStatus;
|
| |
- +#endif
|
| |
-
|
| |
- #ifdef _KERNEL
|
| |
- #define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l))
|
| |
- @@ -237,8 +254,10 @@
|
| |
- This function is no longer required because the random bytes are now
|
| |
- supplied by the caller. Force a failure.
|
| |
- */
|
| |
- +#ifndef SYSTEM_NSS
|
| |
- #define RNG_GenerateGlobalRandomBytes(p,l) SECFailure
|
| |
- #endif
|
| |
- +#endif
|
| |
- #define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
|
| |
- #define MP_TO_SEC_ERROR(err)
|
| |
-
|
| |
- @@ -248,11 +267,18 @@
|
| |
- extern int ecc_knzero_random_generator(uint8_t *, size_t);
|
| |
- extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t);
|
| |
-
|
| |
- +#ifdef SYSTEM_NSS
|
| |
- +#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b)
|
| |
- +#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c)
|
| |
- +#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e)
|
| |
- +#else
|
| |
- extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int);
|
| |
- +
|
| |
- extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int);
|
| |
- extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *,
|
| |
- int);
|
| |
- extern void SECITEM_FreeItem(SECItem *, boolean_t);
|
| |
- +
|
| |
- /* This function has been modified to accept an array of random bytes */
|
| |
- extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
|
| |
- const unsigned char* random, int randomlen, int);
|
| |
- @@ -263,9 +289,10 @@
|
| |
- const SECItem *, int);
|
| |
- extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
|
| |
- SECItem *, int);
|
| |
- +#endif
|
| |
-
|
| |
- #ifdef __cplusplus
|
| |
- }
|
| |
- #endif
|
| |
-
|
| |
- -#endif /* _ECC_IMPL_H */
|
| |
- +#endif /* _ECC_IMPL_H */
|
| |
ahughes
commented 4 years ago
The SunEC provider is now built entirely from in-tree code, without runtime dependencies on the NSS libraries.
We still remove certain curves that aren't supported in Fedora.