Mercurial > hg > icedtea10
changeset 2558:04327567ef0a
PR1834, RH1022017: Report elliptic curves supported by NSS, not the SunEC library
2014-06-10 Andrew John Hughes <gnu.andrew@member.fsf.org>
PR1834, RH1022017: Report elliptic curves
supported by NSS, not the SunEC library
* Makefile.am:
(ICEDTEA_PATCHES): Add new patch so
that the NSS set of curves are announced
via SSL.
* NEWS: Updated.
* patches/rh1022017.patch:
Reduce number of curves announced over SSL
to just those supported by NSS.
author | Andrew John Hughes <gnu_andrew@member.fsf.org> |
---|---|
date | Thu, 14 May 2015 04:03:46 +0100 |
parents | 82ddf394f5d9 |
children | d7956e879a00 |
files | ChangeLog Makefile.am NEWS patches/rh1022017.patch |
diffstat | 4 files changed, 60 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Thu May 14 03:43:26 2015 +0100 +++ b/ChangeLog Thu May 14 04:03:46 2015 +0100 @@ -1,3 +1,16 @@ +2014-06-10 Andrew John Hughes <gnu.andrew@member.fsf.org> + + PR1834, RH1022017: Report elliptic curves + supported by NSS, not the SunEC library + * Makefile.am: + (ICEDTEA_PATCHES): Add new patch so + that the NSS set of curves are announced + via SSL. + * NEWS: Updated. + * patches/rh1022017.patch: + Reduce number of curves announced over SSL + to just those supported by NSS. + 2015-05-13 Andrew John Hughes <gnu_andrew@member.fsf.org> PR2355: CACAO build fails to use JRE layout
--- a/Makefile.am Thu May 14 03:43:26 2015 +0100 +++ b/Makefile.am Thu May 14 04:03:46 2015 +0100 @@ -214,7 +214,8 @@ ICEDTEA_PATCHES = \ patches/memory-limits.patch \ - patches/override-redirect-metacity.patch + patches/override-redirect-metacity.patch \ + patches/rh1022017.patch # Conditional patches
--- a/NEWS Thu May 14 03:43:26 2015 +0100 +++ b/NEWS Thu May 14 04:03:46 2015 +0100 @@ -46,6 +46,7 @@ - PR1806: Support Debian/Ubuntu 7 & 8 OpenJDK Installs as Boot JDK - PR1812: Unable to locate HotSpot checksum when downloading - PR1813: HotSpot URL should be used with --enable-hg + - PR1834, RH1022017: Report elliptic curves supported by NSS, not the SunEC library - PR1845: jstack.stp in OpenJDK8 is broken - PR1935: HotSpot extraction needs to depend on the tarball being downloaded - PR1938: Zero broken by enforced use of -Werror
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/rh1022017.patch Thu May 14 04:03:46 2015 +0100 @@ -0,0 +1,44 @@ +diff -r a5c3d9643077 src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java +--- openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java Tue Feb 10 16:24:28 2015 +0000 ++++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java Thu May 14 04:01:02 2015 +0100 +@@ -37,25 +37,11 @@ + // the extension value to send in the ClientHello message + static final SupportedEllipticCurvesExtension DEFAULT; + +- private static final boolean fips; +- + static { +- int[] ids; +- fips = SunJSSE.isFIPS(); +- if (fips == false) { +- ids = new int[] { +- // NIST curves first +- // prefer NIST P-256, rest in order of increasing key length +- 23, 1, 3, 19, 21, 6, 7, 9, 10, 24, 11, 12, 25, 13, 14, +- // non-NIST curves +- 15, 16, 17, 2, 18, 4, 5, 20, 8, 22, +- }; +- } else { +- ids = new int[] { +- // same as above, but allow only NIST curves in FIPS mode +- 23, 1, 3, 19, 21, 6, 7, 9, 10, 24, 11, 12, 25, 13, 14, +- }; +- } ++ int[] ids = new int[] { ++ // NSS currently only supports these three NIST curves ++ 23, 24, 25 ++ }; + DEFAULT = new SupportedEllipticCurvesExtension(ids); + } + +@@ -150,10 +136,6 @@ + if ((index <= 0) || (index >= NAMED_CURVE_OID_TABLE.length)) { + return false; + } +- if (fips == false) { +- // in non-FIPS mode, we support all valid indices +- return true; +- } + return DEFAULT.contains(index); + } +