changeset 2609:a84cfe9142fd

PR1983: Support using the system installation of NSS with the SunEC provider

2016-01-29 Andrew John Hughes <gnu.andrew@member.fsf.org>

PR1983: Support using the system installation of NSS with the SunEC provider
* INSTALL: Fix header from 'IcedTea7' to 'IcedTea'.
* Makefile.am:
(ICEDTEA_PATCHES): Make disable-intree-ec patch conditional on whether or not the SunEC provider is enabled. Add new variants of the NSS/PKCS11 configuration patch for cases where it is not applied.
(ICEDTEA_CONFIGURE): Pass --enable-system-nss or --disable-system-nss, depending on whether or not the SunEC provider is enabled.
(ICEDTEA_ENV): Remove DISABLE_INTREE_EC which is not applicable in OpenJDK 8.
* README: Fix header from 'IcedTea7' to 'IcedTea'.
* patches/nss-config-with-sunec.patch,
* patches/nss-not-enabled-config-with-sunec.patch: New variants of nss-config.patch and nss-not-enabled-config.patch which apply when the SunEC provider is also enabled.

2015-07-06 Andrew John Hughes <gnu.andrew@member.fsf.org>

* INSTALL: Document the SunEC provider.

2014-05-09 Andrew John Hughes <gnu.andrew@member.fsf.org>

PR1762: Undefined references when building with NSS 3.16.1
* acinclude.m4:
(IT_ENABLE_SUNEC): For NSS >= 3.16.1, add -lfreebl to SUNEC_LIBS, not SUNEC_CFLAGS, and use NSS_LIBS as the base, not NSS_SOFTOKN_LIBS.

2014-04-23 Andrew John Hughes <gnu.andrew@member.fsf.org>

PR1742: Allow SunEC provider to be built with changes in NSS >= 3.16.1
* Makefile.am:
(ICEDTEA_ENV): Use SUNEC_LIBS and SUNEC_CFLAGS instead of NSS_LIBS and NSS_CFLAGS respectively.
* acinclude.m4:
(IT_ENABLE_SUNEC): Use SUNEC_CFLAGS and SUNEC_LIBS for clarity as NSS_CFLAGS and NSS_LIBS are also set by the NSS detection.

2014-04-18 Andrew John Hughes <gnu.andrew@member.fsf.org>

PR1699: Support building the SunEC provider with system NSS
* Makefile.am:
(ICEDTEA_ENV): Set NSS_LIBS and NSS_CFLAGS when ENABLE_SUNEC is set.
* acinclude.m4:
(IT_LOCATE_NSS): Fix wording to make it clear that this is the PKCS11 provider, using NSS as the implementation.
(IT_ENABLE_SUNEC): Allow the Sun elliptic curve crypto provider to be enabled.
* configure.ac: Replace IT_LOCATE_NSS with IT_ENABLE_SUNEC (which depends on the former).
* fsg.sh.in: Only delete the SunEC implementation code at this level. This is the part that is legally dubious, due to the use of many more elliptic curves than those provided by the NSS version.
* remove-intree-libraries.sh.in: Include the remaining SunEC deletion from fsg.sh here and make it optional.
author Andrew John Hughes <gnu_andrew@member.fsf.org>
date Fri, 29 Jan 2016 17:41:08 +0000
parents 241cf3509015
children 969d84a2df36
files ChangeLog INSTALL Makefile.am README acinclude.m4 configure.ac fsg.sh.in patches/nss-config-with-sunec.patch patches/nss-not-enabled-config-with-sunec.patch remove-intree-libraries.sh.in
diffstat 10 files changed, 186 insertions(+), 17 deletions(-)
--- a/ChangeLog	Fri Jan 29 14:24:16 2016 +0000
+++ b/ChangeLog	Fri Jan 29 17:41:08 2016 +0000
@@ -1,3 +1,73 @@
+2016-01-29  Andrew John Hughes  <gnu.andrew@member.fsf.org>
+
+	PR1983: Support using the system installation
+	of NSS with the SunEC provider
+	* INSTALL: Fix header from 'IcedTea7' to 'IcedTea'.
+	* Makefile.am:
+	(ICEDTEA_PATCHES): Make disable-intree-ec patch
+	conditional on whether or not the SunEC provider
+	is enabled. Add new variants of the NSS/PKCS11
+	configuration patch for cases where it is not applied.
+	(ICEDTEA_CONFIGURE): Pass --enable-system-nss or
+	--disable-system-nss, depending on whether or
+	not the SunEC provider is enabled.
+	(ICEDTEA_ENV): Remove DISABLE_INTREE_EC which
+	is not applicable in OpenJDK 8.
+	* README: Fix header from 'IcedTea7' to 'IcedTea'.
+	* patches/nss-config-with-sunec.patch,
+	* patches/nss-not-enabled-config-with-sunec.patch:
+	New variants of nss-config.patch and nss-not-enabled-config.patch
+	which apply when the SunEC provider is also enabled.
+
+2015-07-06  Andrew John Hughes  <gnu.andrew@member.fsf.org>
+
+	* INSTALL: Document the SunEC provider.
+
+2014-05-09  Andrew John Hughes  <gnu.andrew@member.fsf.org>
+
+	PR1762: Undefined references when building with NSS 3.16.1
+	* acinclude.m4:
+	(IT_ENABLE_SUNEC): For NSS >= 3.16.1, add -lfreebl
+	to SUNEC_LIBS, not SUNEC_CFLAGS, and use NSS_LIBS as
+	the base, not NSS_SOFTOKN_LIBS.
+
+2014-04-23  Andrew John Hughes  <gnu.andrew@member.fsf.org>
+
+	PR1742: Allow SunEC provider to be built with changes
+	in NSS >= 3.16.1
+	* Makefile.am:
+	(ICEDTEA_ENV): Use SUNEC_LIBS and SUNEC_CFLAGS
+	instead of NSS_LIBS and NSS_CFLAGS respectively.
+	* acinclude.m4:
+	(IT_ENABLE_SUNEC): Use SUNEC_CFLAGS and SUNEC_LIBS
+	for clarity as NSS_CFLAGS and NSS_LIBS are also set
+	by the NSS detection.
+
+2014-04-18  Andrew John Hughes  <gnu.andrew@member.fsf.org>
+
+	PR1699: Support building the SunEC provider
+	with system NSS
+	* Makefile.am:
+	(ICEDTEA_ENV): Set NSS_LIBS and NSS_CFLAGS
+	when ENABLE_SUNEC is set.
+	* acinclude.m4:
+	(IT_LOCATE_NSS): Fix wording to make it clear that
+	this is the PKCS11 provider, using NSS as the
+	implementation.
+	(IT_ENABLE_SUNEC): Allow the Sun elliptic curve
+	crypto provider to be enabled.
+	* configure.ac:
+	Replace IT_LOCATE_NSS with IT_ENABLE_SUNEC (which
+	depends on the former).
+	* fsg.sh.in:
+	Only delete the SunEC implementation code at this
+	level. This is the part that is legally dubious,
+	due to the use of many more elliptic curves than
+	those provided by the NSS version.
+	* remove-intree-libraries.sh.in:
+	Include the remaining SunEC deletion from fsg.sh
+	here and make it optional.
+
 2016-01-29  Andrew John Hughes  <gnu.andrew@member.fsf.org>
 
 	PR2768: Move SystemTap GCC 4.5 patch to OpenJDK
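Review bot: The 2014-04-18 entry for remove-intree-libraries.sh.in says the script takes over "the remaining SunEC deletion from fsg.sh", but the script hunk in this changeset also deletes SunEC.java and SunECEntries.java, which fsg.sh never removed, and the make/sun/security/ec removal is dropped rather than moved. The entry should say so. The 2014 and 2015 entries also land above an existing 2016-01-29 entry; if they are carried over from another branch, a one-line remark to that effect would explain the out-of-order dates.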
--- a/INSTALL	Fri Jan 29 14:24:16 2016 +0000
+++ b/INSTALL	Fri Jan 29 17:41:08 2016 +0000
@@ -1,5 +1,5 @@
-Building IcedTea7
-=================
+Building IcedTea
+================
 
 For convenience we've provided make targets that automatically
 download, extract and patch the source code from the IcedTea forest
@@ -159,6 +159,7 @@
 * --with-hotspot-build: The HotSpot to use, defaulting to 'original' i.e. hs14 as bundled with OpenJDK.
 * --with-additional-vms=vm-list: Additional VMs to build using the system described
   below.
+* --enable-sunec: Build the SunEC crypto provider against system NSS.
 
 Testing
 =======
@@ -205,8 +206,8 @@
 /usr/lib/jvm/java-1.6.0-openjdk, then you should specify
 --with-abs-install-dir=/usr/lib/jvm/java-1.6.0-openjdk.
 
-NSS Security Provider
-=====================
+The NSS PKCS11 Security Provider and Elliptic Curve Cryptography
+================================================================
 
 OpenJDK includes an NSS-based security provider in the form of
 sun.security.pkcs11.SunPKCS11.  However, as this needs to know the
@@ -217,6 +218,14 @@
 this configuration will be turned on in lib/security/java.security.
 This can also be done manually at a later date.
 
+The PKCS11 option was originally added as it was the only way that
+elliptic curve cryptography support could be provided. From OpenJDK 7
+onwards, there is another provider, SunEC. This also utilises NSS, but
+directly via its ECC functions rather than the PKCS11 interface.
+Specifying --enable-sunec will build this provider, linked against
+NSS. Version 3.16.1 or later of NSS is required so that the
+appropriate softokn ABI is available to the provider.
+
 CACAO
 =====
 
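Review bot: "Version 3.16.1 or later of NSS is required" in the added paragraph does not match IT_ENABLE_SUNEC in acinclude.m4, which falls back to the nss-java module with -DLEGACY_NSS when nss-softokn >= 3.16.1 is not found and only errors out when both are missing. Either document the fallback here or drop it from the macro. The new --enable-sunec bullet earlier in this file could also state that the option defaults to no.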
--- a/Makefile.am	Fri Jan 29 14:24:16 2016 +0000
+++ b/Makefile.am	Fri Jan 29 17:41:08 2016 +0000
@@ -229,8 +229,7 @@
 ICEDTEA_PATCHES = \
 	patches/memory-limits.patch \
 	patches/override-redirect-metacity.patch \
-	patches/rh1022017.patch \
-	patches/disable-intree-ec.patch
+	patches/rh1022017.patch
 
 # Conditional patches
 
@@ -260,11 +259,24 @@
 	patches/jamvm/find_class_from_caller.patch
 endif
 
+if !ENABLE_SUNEC
+ICEDTEA_PATCHES += \
+	patches/disable-intree-ec.patch
+endif
+
 if ENABLE_NSS
+if ENABLE_SUNEC
+ICEDTEA_PATCHES += patches/nss-config-with-sunec.patch
+else
 ICEDTEA_PATCHES += patches/nss-config.patch
+endif
+else
+if ENABLE_SUNEC
+ICEDTEA_PATCHES += patches/nss-not-enabled-config-with-sunec.patch
 else
 ICEDTEA_PATCHES += patches/nss-not-enabled-config.patch
 endif
+endif
 
 ICEDTEA_PATCHES += $(DISTRIBUTION_PATCHES)
 
@@ -345,6 +357,14 @@
 	--with-giflib=bundled
 endif
 
+if ENABLE_SUNEC
+ICEDTEA_CONFIGURE += \
+	--enable-system-nss
+else
+ICEDTEA_CONFIGURE += \
+	--disable-system-nss
+endif
+
 if ZERO_BUILD
 ICEDTEA_CONFIGURE += \
 	--with-jvm-variants=zero
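Review bot: --enable-system-nss is keyed on ENABLE_SUNEC here, so a build configured with --enable-nss but without --enable-sunec passes --disable-system-nss to the OpenJDK configure even though INSTALL describes the PKCS11 provider as NSS-based. If that is intended because the flag only concerns SunEC, add a comment above the "if ENABLE_SUNEC" block saying so; otherwise the condition needs to take ENABLE_NSS into account.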
@@ -390,7 +410,6 @@
 	DERIVATIVE_ID="$(ICEDTEA_NAME) $(PACKAGE_VERSION)$(ICEDTEA_REV)" \
 	DEBUG_CLASSFILES="true" \
 	DEBUG_BINARIES="true" \
-	DISABLE_INTREE_EC="true" \
 	LOG="debug" SCTP_WERROR= \
 	POST_STRIP_CMD= STRIP_POLICY="no_strip" \
 	JOBS="$(PARALLEL_JOBS)"
@@ -459,6 +478,12 @@
 	GIF_CFLAGS="${GIF_CFLAGS}"
 endif
 
+if ENABLE_SUNEC
+ICEDTEA_ENV += \
+	NSS_LIBS="${SUNEC_LIBS}" \
+	NSS_CFLAGS="${SUNEC_CFLAGS}"
+endif
+
 # OpenJDK boot build environment.
 ICEDTEA_CONFIGURE_BOOT = $(ICEDTEA_CONFIGURE)
 ICEDTEA_ENV_BOOT = $(ICEDTEA_ENV) \
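Review bot: NSS_LIBS and NSS_CFLAGS exported in this block reuse the names of the variables that the NSS detection sets, a clash the 2014-04-23 ChangeLog entry itself points out. A comment above the block stating that these are the names passed in the build environment and that they deliberately carry the SunEC values would stop a later cleanup from changing the right-hand side back to ${NSS_LIBS}.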
--- a/README	Fri Jan 29 14:24:16 2016 +0000
+++ b/README	Fri Jan 29 17:41:08 2016 +0000
@@ -1,5 +1,5 @@
-IcedTea7
-========
+IcedTea
+=======
 
 The IcedTea project provides a harness to build the source code from
 openjdk.java.net using Free Software tools and dependencies.
--- a/acinclude.m4	Fri Jan 29 14:24:16 2016 +0000
+++ b/acinclude.m4	Fri Jan 29 17:41:08 2016 +0000
@@ -1396,10 +1396,10 @@
 AC_DEFUN_ONCE([IT_LOCATE_NSS],
 [
 AC_REQUIRE([IT_OBTAIN_DEFAULT_LIBDIR])
-AC_MSG_CHECKING([whether to enable the NSS-based security provider])
+AC_MSG_CHECKING([whether to enable the PKCS11 crypto provider using NSS])
 AC_ARG_ENABLE([nss],
 	      [AS_HELP_STRING([--enable-nss],
-	      		      [Enable inclusion of NSS security provider])],
+	      		      [Enable inclusion of PKCS11 crypto provider using NSS])],
 	      [ENABLE_NSS="${enableval}"], [ENABLE_NSS='no'])
 AM_CONDITIONAL([ENABLE_NSS], [test x$ENABLE_NSS = xyes])
 if test "x${ENABLE_NSS}" = "xyes"
@@ -1943,3 +1943,40 @@
   AC_MSG_RESULT([$has_native_hotspot_port])
 ])
 
+AC_DEFUN_ONCE([IT_ENABLE_SUNEC],
+[
+  AC_REQUIRE([IT_LOCATE_NSS])
+  AC_MSG_CHECKING([whether to enable the Sun elliptic curve crypto provider])
+  AC_ARG_ENABLE([sunec],
+                [AS_HELP_STRING(--enable-sunec,build the Sun elliptic curve crypto provider [[default=no]])],
+  [
+    case "${enableval}" in
+      yes)
+        enable_sunec=yes
+        ;;
+      *)
+        enable_sunec=no
+        ;;
+    esac
+  ],
+  [
+    enable_sunec=no
+  ])
+  AC_MSG_RESULT([$enable_sunec])
+  AM_CONDITIONAL([ENABLE_SUNEC], test x"${enable_sunec}" = "xyes")
+  if test x"${enable_sunec}" = "xyes"; then
+    PKG_CHECK_MODULES(NSS_SOFTOKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no])
+    PKG_CHECK_MODULES(NSS_JAVA, nss-java, [NSS_JAVA_FOUND=yes], [NSS_JAVA_FOUND=no])
+    if test "x${NSS_SOFTOKN_FOUND}" = "xyes"; then
+      SUNEC_CFLAGS=$NSS_SOFTOKN_CFLAGS;
+      SUNEC_LIBS="$NSS_LIBS -lfreebl";
+   elif test "x${NSS_JAVA_FOUND}" = "xyes"; then
+      SUNEC_CFLAGS="$NSS_JAVA_CFLAGS -DLEGACY_NSS";
+      SUNEC_LIBS=$NSS_JAVA_LIBS;
+    else
+      AC_MSG_ERROR([Could not find a suitable NSS installation to use for the SunEC provider.])
+    fi
+    AC_SUBST(SUNEC_CFLAGS)
+    AC_SUBST(SUNEC_LIBS)
+  fi
+])
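Review bot: SUNEC_LIBS="$NSS_LIBS -lfreebl" in the nss-softokn branch depends on NSS_LIBS, which this macro never sets; PKG_CHECK_MODULES(NSS_SOFTOKN, ...) only yields NSS_SOFTOKN_CFLAGS and NSS_SOFTOKN_LIBS. Please confirm that IT_LOCATE_NSS populates NSS_LIBS even when --enable-nss is not given, otherwise --enable-sunec on its own ends up linking with -lfreebl and nothing else; if it does not, run the nss pkg-config check inside this macro. Smaller points: the arguments to AS_HELP_STRING and the second argument of AM_CONDITIONAL are unquoted, unlike in IT_LOCATE_NSS, the elif line is indented one column short, and any --enable-sunec value other than "yes" is silently treated as "no".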
--- a/configure.ac	Fri Jan 29 14:24:16 2016 +0000
+++ b/configure.ac	Fri Jan 29 17:41:08 2016 +0000
@@ -58,6 +58,7 @@
 IT_DISABLE_HOTSPOT_TESTS
 IT_DISABLE_LANGTOOLS_TESTS
 IT_DISABLE_JDK_TESTS
+IT_ENABLE_SUNEC
 
 # Use xvfb-run if found to run gui tests (check-jdk).
 AC_CHECK_PROG(XVFB_RUN_CMD, xvfb-run, [xvfb-run -a -e xvfb-errors], [])
@@ -79,7 +80,6 @@
 AM_CONDITIONAL([ENABLE_DOCS], [test x$ENABLE_DOCS = xyes])
 AC_MSG_RESULT(${ENABLE_DOCS})
 
-IT_LOCATE_NSS
 IT_GET_PKGVERSION
 IT_GET_LSB_DATA
 
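Review bot: With the explicit IT_LOCATE_NSS call removed, the --enable-nss check now runs only because IT_ENABLE_SUNEC has AC_REQUIRE([IT_LOCATE_NSS]), and it moves up to the IT_ENABLE_SUNEC position next to the test-disabling macros. A comment beside IT_ENABLE_SUNEC noting that it also pulls in the PKCS11/NSS detection would keep that dependency from being lost if the macro is later moved or made conditional.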
--- a/fsg.sh.in	Fri Jan 29 14:24:16 2016 +0000
+++ b/fsg.sh.in	Fri Jan 29 17:41:08 2016 +0000
@@ -11,11 +11,7 @@
 rm -rvf openjdk/jdk/test/com/sun/jmx/snmp
 
 echo "Removing EC source code we don't build"
-rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECDHKeyAgreement.java
-rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECDSASignature.java
-rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECKeyPairGenerator.java
-rm -rvf openjdk/jdk/src/share/native/sun/security/ec
-rm -rvf openjdk/jdk/make/sun/security/ec
+rm -rvf openjdk/jdk/src/share/native/sun/security/ec/impl
 
 echo "Syncing EC list with NSS"
 patch -Np0 < @abs_top_srcdir@/patches/pr2126.patch
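Review bot: The message "Removing EC source code we don't build" no longer describes the one remaining rm, which deletes ec/impl unconditionally, including when --enable-sunec is building the provider. The ChangeLog gives the actual reason (the in-tree implementation uses many more curves than the NSS version and is legally dubious); put that in the echo text or a comment so the line is not mistaken for leftover cleanup.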
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/nss-config-with-sunec.patch	Fri Jan 29 17:41:08 2016 +0000
@@ -0,0 +1,11 @@
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
+--- openjdk.orig/jdk/src/share/lib/security/java.security-linux	2015-10-27 19:19:15.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-linux	2016-01-29 15:41:59.434852299 +0000
+@@ -74,6 +74,7 @@
+ security.provider.7=com.sun.security.sasl.Provider
+ security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.9=sun.security.smartcardio.SunPCSC
++security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
+ 
+ #
+ # Sun Provider SecureRandom seed source.
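Review bot: The patch carries no header comment saying how it differs from nss-config.patch, and the added security.provider.10 line registers SunPKCS11 at the end of the list. Since this variant exists for builds where SunEC is also present, state in the patch which provider is meant to be preferred for EC algorithms; the visible context (providers 7 to 9) does not show where SunEC is registered, so a reader cannot tell from this file.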
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/nss-not-enabled-config-with-sunec.patch	Fri Jan 29 17:41:08 2016 +0000
@@ -0,0 +1,13 @@
+--- openjdk.orig/jdk/src/share/lib/security/java.security-linux	2009-08-25 11:43:59.000000000 +0100
++++ openjdk/jdk/src/share/lib/security/java.security-linux		2009-08-27 14:23:54.000000000 +0100
+@@ -51,6 +51,10 @@
+ security.provider.7=com.sun.security.sasl.Provider
+ security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.9=sun.security.smartcardio.SunPCSC
++# the NSS security provider was not enabled for this build; it can be enabled
++# if NSS (libnss3) is available on the machine. The nss.cfg file may need
++# editing to reflect the location of the NSS installation.
++#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
+ 
+ #
+ # Sun Provider SecureRandom seed source.
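Review bot: The inner hunk header is @@ -51,6 +51,10 @@ with 2009 timestamps, while nss-config-with-sunec.patch places the same three context lines at line 74 of the same java.security-linux file. This variant will therefore only apply with an offset; regenerate it against the current file so it applies cleanly and fails visibly if the provider list changes. It also lacks the "diff -Nru" line that the sibling patch has.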
--- a/remove-intree-libraries.sh.in	Fri Jan 29 14:24:16 2016 +0000
+++ b/remove-intree-libraries.sh.in	Fri Jan 29 17:41:08 2016 +0000
@@ -114,3 +114,11 @@
   rm -vf ${LCMS_SRC}/lcms2_plugin.h
 fi
 
+if test "x@ENABLE_SUNEC@" = "xno"; then
+  rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECDHKeyAgreement.java
+  rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECDSASignature.java
+  rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECKeyPairGenerator.java
+  rm -vf openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java
+  rm -vf openjdk/jdk/src/share/classes/sun/security/ec/SunECEntries.java
+  rm -rvf openjdk/jdk/src/share/native/sun/security/ec
+fi
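Review bot: The test on "x@ENABLE_SUNEC@" needs configure to substitute ENABLE_SUNEC, but the IT_ENABLE_SUNEC macro added in this changeset only sets the shell variable enable_sunec, registers an AM_CONDITIONAL, and calls AC_SUBST for SUNEC_CFLAGS and SUNEC_LIBS. Unless ENABLE_SUNEC is substituted somewhere outside the visible hunks, the placeholder stays literal, the comparison with "xno" is never true, and the EC sources are left in place for a build that has SunEC disabled. Setting ENABLE_SUNEC from enable_sunec and adding AC_SUBST(ENABLE_SUNEC) in the macro would fix it. The list also removes SunEC.java and SunECEntries.java, which the old fsg.sh block did not; mention that in the ChangeLog.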