# HG changeset patch # User Andrew John Hughes # Date 1453343958 0 # Node ID 680136982d3cff78884eb7f58cf5020ad932848c # Parent 8554f062d23d3806b894c64ea703bfd93eefa225 Update to build against the b38 tarball & January 2016 security fixes. Upstream changes: - OPENJDK6-69: Windows build broken after b37 changes - OPENJDK6-70: Allow versions of ALSA >= 1.1.0 - S4898461: Support for ECB and CBC/PKCS5Padding - S6720721: CRL check with circular depency support needed - S6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected [Tests only] - S6867345: Turkish regional options cause NPE in sun.security.x509.AlgorithmId.algOID - S7166570: JSSE certificate validation has started to fail for certificate chains - S7167988: PKIX CertPathBuilder in reverse mode doesn't work if more than one trust anchor is specified - S7171223: Building ExtensionSubtables.cpp should use -fno-strict-aliasing - S8059054: Better URL processing - S8068761: [TEST_BUG] java/nio/channels/ServerSocketChannel/AdaptServerSocket.java failed with SocketTimeoutException - S8074068: Cleanup in src/share/classes/sun/security/x509/ - S8075773: jps running as root fails after the fix of JDK-8050807 - S8081297: SSL Problem with Tomcat - S8130710: Better attributes processing - S8133962: More general limits - S8134605: Partial rework of the fix for 8081297 - S8135307: CompletionFailure thrown when calling FieldDoc.type, if the field's type is missing - S8137060: JMX memory management improvements - S8138716: (tz) Support tzdata2015g - S8139012: Better font substitutions - S8139017: More stable image decoding - S8140543: Arrange font actions - S8141213: [Parfait]Potentially blocking function GetArrayLength called in JNI critical region at line 239 of jdk/src/share/native/sun/awt/image/jpeg/jpegdecoder.c in function GET_ARRAYS - S8141287: Add MD5 to jdk.certpath.disabledAlgorithms - Take 2 - S8142928: [TEST_BUG] sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java 8u71 failure - S8143185: Cleanup for handling proxies - S8143941: Update splashscreen displays - S8144955: Wrong changes were pushed with 8143942 - S8145551: Test failed with Crash for Improved font lookups - S8147466: Add -fno-strict-overflow to IndicRearrangementProcessor{,2}.cpp 2016-01-20 Andrew John Hughes * Makefile.am: (OPENJDK_DATE): Bump to b38 creation date; 20th of January, 2016. (OPENJDK_SHA256SUM): Update for b38 tarball. 2016-01-19 Andrew John Hughes * patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch, * patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch: Removed; added upstream in OpenJDK 6 b38. * Makefile.am: (ICEDTEA_PATCHES): Remove above patches. * NEWS: Updated. * patches/openjdk/6799141-split_out_versions.patch: Regenerated following OPENJDK6-70. 2015-11-26 Andrew John Hughes * Makefile.am: (OPENJDK_VERSION): Bump to next release, b38. diff -r 8554f062d23d -r 680136982d3c ChangeLog --- a/ChangeLog Thu Jan 21 01:22:57 2016 +0000 +++ b/ChangeLog Thu Jan 21 02:39:18 2016 +0000 @@ -1,3 +1,26 @@ +2016-01-20 Andrew John Hughes + + * Makefile.am: + (OPENJDK_DATE): Bump to b38 creation date; + 20th of January, 2016. + (OPENJDK_SHA256SUM): Update for b38 tarball. + +2016-01-19 Andrew John Hughes + + * patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch, + * patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch: + Removed; added upstream in OpenJDK 6 b38. + * Makefile.am: + (ICEDTEA_PATCHES): Remove above patches. + * NEWS: Updated. + * patches/openjdk/6799141-split_out_versions.patch: + Fixed to apply against OPENJDK6-70. + +2015-11-26 Andrew John Hughes + + * Makefile.am: + (OPENJDK_VERSION): Bump to next release, b38. + 2016-01-19 Andrew John Hughes * Makefile.am: diff -r 8554f062d23d -r 680136982d3c Makefile.am --- a/Makefile.am Thu Jan 21 01:22:57 2016 +0000 +++ b/Makefile.am Thu Jan 21 02:39:18 2016 +0000 @@ -1,8 +1,8 @@ # Dependencies -OPENJDK_DATE = 11_nov_2015 -OPENJDK_SHA256SUM = 462ac2c28f6dbfb4a18eb46efca232b907d6027f7618715cbc4de5dd73b89e8d -OPENJDK_VERSION = b37 +OPENJDK_DATE = 20_jan_2016 +OPENJDK_SHA256SUM = ff88dbcbda6c3c7d80b7cbd28065a455cdb009de9874fcf9ff9ca8205d38a257 +OPENJDK_VERSION = b38 OPENJDK_URL = https://java.net/downloads/openjdk6/ CACAO_VERSION = 68fe50ac34ec @@ -463,11 +463,9 @@ patches/remove-gcm-test.patch \ patches/skip_wrap_mode.patch \ patches/remove_multicatch_in_testrsa.patch \ - patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch \ patches/openjdk/p11cipher-6682411-fix_indexoutofboundsexception.patch \ patches/openjdk/p11cipher-6682417-fix_decrypted_data_not_multiple_of_blocks.patch \ patches/openjdk/p11cipher-6812738-native_cleanup.patch \ - patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch \ patches/openjdk/p11cipher-6687725-throw_illegalblocksizeexception.patch \ patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch \ patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch \ diff -r 8554f062d23d -r 680136982d3c NEWS --- a/NEWS Thu Jan 21 01:22:57 2016 +0000 +++ b/NEWS Thu Jan 21 02:39:18 2016 +0000 @@ -14,6 +14,37 @@ New in release 1.13.10 (2016-01-XX): +* Security fixes + - S8059054, CVE-2016-0402: Better URL processing + - S8130710, CVE-2016-0448: Better attributes processing + - S8133962, CVE-2016-0466: More general limits + - S8137060: JMX memory management improvements + - S8139012: Better font substitutions + - S8139017, CVE-2016-0483: More stable image decoding + - S8140543, CVE-2016-0494: Arrange font actions + - S8143185: Cleanup for handling proxies + - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays +* Import of OpenJDK6 b38 + - OJ69: Windows build broken after b37 changes + - OJ70: Allow versions of ALSA >= 1.1.0 + - S6720721: CRL check with circular depency support needed + - S6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected [Tests only] + - S7166570: JSSE certificate validation has started to fail for certificate chains + - S7167988: PKIX CertPathBuilder in reverse mode doesn't work if more than one trust anchor is specified + - S7171223: Building ExtensionSubtables.cpp should use -fno-strict-aliasing + - S8068761: [TEST_BUG] java/nio/channels/ServerSocketChannel/AdaptServerSocket.java failed with SocketTimeoutException + - S8074068: Cleanup in src/share/classes/sun/security/x509/ + - S8075773: jps running as root fails after the fix of JDK-8050807 + - S8081297: SSL Problem with Tomcat + - S8134605: Partial rework of the fix for 8081297 + - S8135307: CompletionFailure thrown when calling FieldDoc.type, if the field's type is missing + - S8138716: (tz) Support tzdata2015g + - S8141213: [Parfait]Potentially blocking function GetArrayLength called in JNI critical region at line 239 of jdk/src/share/native/sun/awt/image/jpeg/jpegdecoder.c in function GET_ARRAYS + - S8141287: Add MD5 to jdk.certpath.disabledAlgorithms - Take 2 + - S8142928: [TEST_BUG] sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java 8u71 failure + - S8144955: Wrong changes were pushed with 8143942 + - S8145551: Test failed with Crash for Improved font lookups + - S8147466: Add -fno-strict-overflow to IndicRearrangementProcessor{,2}.cpp * Backports - S7169111, PR2757: Unreadable menu bar with Ambiance theme in GTK L&F - S8140620, PR2711: Find and load default.sf2 as the default soundbank on Linux diff -r 8554f062d23d -r 680136982d3c patches/openjdk/6799141-split_out_versions.patch --- a/patches/openjdk/6799141-split_out_versions.patch Thu Jan 21 01:22:57 2016 +0000 +++ b/patches/openjdk/6799141-split_out_versions.patch Thu Jan 21 02:39:18 2016 +0000 @@ -447,7 +447,7 @@ - endif - ifneq ($(ARCH), ia64) - # ALSA 0.9.1 and above -- REQUIRED_ALSA_VERSION = ^((0[.]9[.][1-9])|(1[.]0[.][0-9]))[0-9]* +- REQUIRED_ALSA_VERSION = ^((0[.]9[.][1-9])|(1[.][0-9][.][0-9]))[0-9]* - endif # How much RAM does this machine have: MB_OF_MEMORY := $(shell free -m | fgrep Mem: | sed -e 's@\ \ *@ @g' | cut -d' ' -f2) diff -r 8554f062d23d -r 680136982d3c patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch --- a/patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch Thu Jan 21 01:22:57 2016 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,1169 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2012-10-23 18:00:58.332289584 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2012-10-23 18:10:13.013034333 +0100 -@@ -22,10 +22,10 @@ - * or visit www.oracle.com if you need additional information or have any - * questions. - */ -- - package sun.security.pkcs11; - - import java.nio.ByteBuffer; -+import java.util.Arrays; - - import java.security.*; - import java.security.spec.*; -@@ -34,7 +34,6 @@ - import javax.crypto.spec.*; - - import sun.nio.ch.DirectBuffer; -- - import sun.security.pkcs11.wrapper.*; - import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -@@ -43,8 +42,8 @@ - * DES, DESede, AES, ARCFOUR, and Blowfish. - * - * This class is designed to support ECB and CBC with NoPadding and -- * PKCS5Padding for both. However, currently only CBC/NoPadding (and -- * ECB/NoPadding for stream ciphers) is functional. -+ * PKCS5Padding for both. It will use its own padding impl if the -+ * native mechanism does not support padding. - * - * Note that PKCS#11 current only supports ECB and CBC. There are no - * provisions for other modes such as CFB, OFB, PCBC, or CTR mode. -@@ -62,10 +61,56 @@ - private final static int MODE_CBC = 4; - - // padding constant for NoPadding -- private final static int PAD_NONE = 5; -+ private final static int PAD_NONE = 5; - // padding constant for PKCS5Padding - private final static int PAD_PKCS5 = 6; - -+ private static interface Padding { -+ // ENC: format the specified buffer with padding bytes and return the -+ // actual padding length -+ int setPaddingBytes(byte[] paddingBuffer, int padLen); -+ -+ // DEC: return the length of trailing padding bytes given the specified -+ // padded data -+ int unpad(byte[] paddedData, int ofs, int len) -+ throws BadPaddingException; -+ } -+ -+ private static class PKCS5Padding implements Padding { -+ -+ private final int blockSize; -+ -+ PKCS5Padding(int blockSize) -+ throws NoSuchPaddingException { -+ if (blockSize == 0) { -+ throw new NoSuchPaddingException -+ ("PKCS#5 padding not supported with stream ciphers"); -+ } -+ this.blockSize = blockSize; -+ } -+ -+ public int setPaddingBytes(byte[] paddingBuffer, int padLen) { -+ Arrays.fill(paddingBuffer, 0, padLen, (byte) (padLen & 0x007f)); -+ return padLen; -+ } -+ -+ public int unpad(byte[] paddedData, int ofs, int len) -+ throws BadPaddingException { -+ byte padValue = paddedData[ofs + len - 1]; -+ if (padValue < 1 || padValue > blockSize) { -+ throw new BadPaddingException("Invalid pad value!"); -+ } -+ // sanity check padding bytes -+ int padStartIndex = ofs + len - padValue; -+ for (int i = padStartIndex; i < len; i++) { -+ if (paddedData[i] != padValue) { -+ throw new BadPaddingException("Invalid pad bytes!"); -+ } -+ } -+ return padValue; -+ } -+ } -+ - // token instance - private final Token token; - -@@ -99,64 +144,92 @@ - // padding type, on of PAD_* above (PAD_NONE for stream ciphers) - private int paddingType; - -+ // when the padding is requested but unsupported by the native mechanism, -+ // we use the following to do padding and necessary data buffering. -+ // padding object which generate padding and unpad the decrypted data -+ private Padding paddingObj; -+ // buffer for holding back the block which contains padding bytes -+ private byte[] padBuffer; -+ private int padBufferLen; -+ - // original IV, if in MODE_CBC - private byte[] iv; - -- // total number of bytes processed -- private int bytesProcessed; -+ // number of bytes buffered internally by the native mechanism and padBuffer -+ // if we do the padding -+ private int bytesBuffered; - - P11Cipher(Token token, String algorithm, long mechanism) -- throws PKCS11Exception { -+ throws PKCS11Exception, NoSuchAlgorithmException { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; -- keyAlgorithm = algorithm.split("/")[0]; -+ -+ String algoParts[] = algorithm.split("/"); -+ keyAlgorithm = algoParts[0]; -+ - if (keyAlgorithm.equals("AES")) { - blockSize = 16; -- blockMode = MODE_CBC; -- // XXX change default to PKCS5Padding -- paddingType = PAD_NONE; -- } else if (keyAlgorithm.equals("RC4") || keyAlgorithm.equals("ARCFOUR")) { -+ } else if (keyAlgorithm.equals("RC4") || -+ keyAlgorithm.equals("ARCFOUR")) { - blockSize = 0; -- blockMode = MODE_ECB; -- paddingType = PAD_NONE; - } else { // DES, DESede, Blowfish - blockSize = 8; -- blockMode = MODE_CBC; -- // XXX change default to PKCS5Padding -- paddingType = PAD_NONE; -+ } -+ this.blockMode = -+ (algoParts.length > 1 ? parseMode(algoParts[1]) : MODE_ECB); -+ -+ String defPadding = (blockSize == 0 ? "NoPadding" : "PKCS5Padding"); -+ String paddingStr = -+ (algoParts.length > 2 ? algoParts[2] : defPadding); -+ try { -+ engineSetPadding(paddingStr); -+ } catch (NoSuchPaddingException nspe) { -+ // should not happen -+ throw new ProviderException(nspe); - } - } - - protected void engineSetMode(String mode) throws NoSuchAlgorithmException { -+ // Disallow change of mode for now since currently it's explicitly -+ // defined in transformation strings -+ throw new NoSuchAlgorithmException("Unsupported mode " + mode); -+ } -+ -+ private int parseMode(String mode) throws NoSuchAlgorithmException { - mode = mode.toUpperCase(); -+ int result; - if (mode.equals("ECB")) { -- this.blockMode = MODE_ECB; -+ result = MODE_ECB; - } else if (mode.equals("CBC")) { - if (blockSize == 0) { - throw new NoSuchAlgorithmException - ("CBC mode not supported with stream ciphers"); - } -- this.blockMode = MODE_CBC; -+ result = MODE_CBC; - } else { - throw new NoSuchAlgorithmException("Unsupported mode " + mode); - } -+ return result; - } - - // see JCE spec - protected void engineSetPadding(String padding) - throws NoSuchPaddingException { -- if (padding.equalsIgnoreCase("NoPadding")) { -+ paddingObj = null; -+ padBuffer = null; -+ padding = padding.toUpperCase(); -+ if (padding.equals("NOPADDING")) { - paddingType = PAD_NONE; -- } else if (padding.equalsIgnoreCase("PKCS5Padding")) { -- if (blockSize == 0) { -- throw new NoSuchPaddingException -- ("PKCS#5 padding not supported with stream ciphers"); -- } -+ } else if (padding.equals("PKCS5PADDING")) { - paddingType = PAD_PKCS5; -- // XXX PKCS#5 not yet implemented -- throw new NoSuchPaddingException("pkcs5"); -+ if (mechanism != CKM_DES_CBC_PAD && mechanism != CKM_DES3_CBC_PAD && -+ mechanism != CKM_AES_CBC_PAD) { -+ // no native padding support; use our own padding impl -+ paddingObj = new PKCS5Padding(blockSize); -+ padBuffer = new byte[blockSize]; -+ } - } else { - throw new NoSuchPaddingException("Unsupported padding " + padding); - } -@@ -174,7 +247,7 @@ - - // see JCE spec - protected byte[] engineGetIV() { -- return (iv == null) ? null : (byte[])iv.clone(); -+ return (iv == null) ? null : (byte[]) iv.clone(); - } - - // see JCE spec -@@ -184,8 +257,9 @@ - } - IvParameterSpec ivSpec = new IvParameterSpec(iv); - try { -- AlgorithmParameters params = AlgorithmParameters.getInstance -- (keyAlgorithm, P11Util.getSunJceProvider()); -+ AlgorithmParameters params = -+ AlgorithmParameters.getInstance(keyAlgorithm, -+ P11Util.getSunJceProvider()); - params.init(ivSpec); - return params; - } catch (GeneralSecurityException e) { -@@ -209,38 +283,38 @@ - protected void engineInit(int opmode, Key key, - AlgorithmParameterSpec params, SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- byte[] iv; -+ byte[] ivValue; - if (params != null) { - if (params instanceof IvParameterSpec == false) { - throw new InvalidAlgorithmParameterException - ("Only IvParameterSpec supported"); - } -- IvParameterSpec ivSpec = (IvParameterSpec)params; -- iv = ivSpec.getIV(); -+ IvParameterSpec ivSpec = (IvParameterSpec) params; -+ ivValue = ivSpec.getIV(); - } else { -- iv = null; -+ ivValue = null; - } -- implInit(opmode, key, iv, random); -+ implInit(opmode, key, ivValue, random); - } - - // see JCE spec - protected void engineInit(int opmode, Key key, AlgorithmParameters params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- byte[] iv; -+ byte[] ivValue; - if (params != null) { - try { - IvParameterSpec ivSpec = (IvParameterSpec) - params.getParameterSpec(IvParameterSpec.class); -- iv = ivSpec.getIV(); -+ ivValue = ivSpec.getIV(); - } catch (InvalidParameterSpecException e) { - throw new InvalidAlgorithmParameterException - ("Could not decode IV", e); - } - } else { -- iv = null; -+ ivValue = null; - } -- implInit(opmode, key, iv, random); -+ implInit(opmode, key, ivValue, random); - } - - // actual init() implementation -@@ -249,31 +323,31 @@ - throws InvalidKeyException, InvalidAlgorithmParameterException { - cancelOperation(); - switch (opmode) { -- case Cipher.ENCRYPT_MODE: -- encrypt = true; -- break; -- case Cipher.DECRYPT_MODE: -- encrypt = false; -- break; -- default: -- throw new InvalidAlgorithmParameterException -- ("Unsupported mode: " + opmode); -+ case Cipher.ENCRYPT_MODE: -+ encrypt = true; -+ break; -+ case Cipher.DECRYPT_MODE: -+ encrypt = false; -+ break; -+ default: -+ throw new InvalidAlgorithmParameterException -+ ("Unsupported mode: " + opmode); - } - if (blockMode == MODE_ECB) { // ECB or stream cipher - if (iv != null) { - if (blockSize == 0) { - throw new InvalidAlgorithmParameterException -- ("IV not used with stream ciphers"); -+ ("IV not used with stream ciphers"); - } else { - throw new InvalidAlgorithmParameterException -- ("IV not used in ECB mode"); -+ ("IV not used in ECB mode"); - } - } - } else { // MODE_CBC - if (iv == null) { - if (encrypt == false) { - throw new InvalidAlgorithmParameterException -- ("IV must be specified for decryption in CBC mode"); -+ ("IV must be specified for decryption in CBC mode"); - } - // generate random IV - if (random == null) { -@@ -284,7 +358,7 @@ - } else { - if (iv.length != blockSize) { - throw new InvalidAlgorithmParameterException -- ("IV length must match block size"); -+ ("IV length must match block size"); - } - } - } -@@ -330,63 +404,43 @@ - session = token.getOpSession(); - } - if (encrypt) { -- token.p11.C_EncryptInit -- (session.id(), new CK_MECHANISM(mechanism, iv), p11Key.keyID); -+ token.p11.C_EncryptInit(session.id(), -+ new CK_MECHANISM(mechanism, iv), p11Key.keyID); - } else { -- token.p11.C_DecryptInit -- (session.id(), new CK_MECHANISM(mechanism, iv), p11Key.keyID); -+ token.p11.C_DecryptInit(session.id(), -+ new CK_MECHANISM(mechanism, iv), p11Key.keyID); - } -- bytesProcessed = 0; -+ bytesBuffered = 0; -+ padBufferLen = 0; - initialized = true; - } - -- // XXX the calculations below assume the PKCS#11 implementation is smart. -- // conceivably, not all implementations are and we may need to estimate -- // more conservatively -- -- private int bytesBuffered(int totalLen) { -- if (paddingType == PAD_NONE) { -- // with NoPadding, buffer only the current unfinished block -- return totalLen & (blockSize - 1); -- } else { // PKCS5 -- // with PKCS5Padding in decrypt mode, the buffer must never -- // be empty. Buffer a full block instead of nothing. -- int buffered = totalLen & (blockSize - 1); -- if ((buffered == 0) && (encrypt == false)) { -- buffered = blockSize; -- } -- return buffered; -- } -- } -- - // if update(inLen) is called, how big does the output buffer have to be? - private int updateLength(int inLen) { - if (inLen <= 0) { - return 0; - } -- if (blockSize == 0) { -- return inLen; -- } else { -- // bytes that need to be buffered now -- int buffered = bytesBuffered(bytesProcessed); -- // bytes that need to be buffered after this update -- int newBuffered = bytesBuffered(bytesProcessed + inLen); -- return inLen + buffered - newBuffered; -+ -+ int result = inLen + bytesBuffered; -+ if (blockSize != 0) { -+ // minus the number of bytes in the last incomplete block. -+ result -= (result & (blockSize - 1)); - } -+ return result; - } - - // if doFinal(inLen) is called, how big does the output buffer have to be? - private int doFinalLength(int inLen) { -- if (paddingType == PAD_NONE) { -- return updateLength(inLen); -- } - if (inLen < 0) { - return 0; - } -- int buffered = bytesBuffered(bytesProcessed); -- int newProcessed = bytesProcessed + inLen; -- int paddedProcessed = (newProcessed + blockSize) & ~(blockSize - 1); -- return paddedProcessed - bytesProcessed + buffered; -+ -+ int result = inLen + bytesBuffered; -+ if (blockSize != 0 && encrypt && paddingType != PAD_NONE) { -+ // add the number of bytes to make the last block complete. -+ result += (blockSize - (result & (blockSize - 1))); -+ } -+ return result; - } - - // see JCE spec -@@ -396,6 +450,7 @@ - int n = engineUpdate(in, inOfs, inLen, out, 0); - return P11Util.convert(out, 0, n); - } catch (ShortBufferException e) { -+ // convert since the output length is calculated by updateLength() - throw new ProviderException(e); - } - } -@@ -408,6 +463,7 @@ - } - - // see JCE spec -+ @Override - protected int engineUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer) - throws ShortBufferException { - return implUpdate(inBuffer, outBuffer); -@@ -421,14 +477,15 @@ - int n = engineDoFinal(in, inOfs, inLen, out, 0); - return P11Util.convert(out, 0, n); - } catch (ShortBufferException e) { -+ // convert since the output length is calculated by doFinalLength() - throw new ProviderException(e); - } - } - - // see JCE spec - protected int engineDoFinal(byte[] in, int inOfs, int inLen, byte[] out, -- int outOfs) throws ShortBufferException, IllegalBlockSizeException { -- // BadPaddingException { -+ int outOfs) throws ShortBufferException, IllegalBlockSizeException, -+ BadPaddingException { - int n = 0; - if ((inLen != 0) && (in != null)) { - n = engineUpdate(in, inOfs, inLen, out, outOfs); -@@ -439,8 +496,10 @@ - } - - // see JCE spec -+ @Override - protected int engineDoFinal(ByteBuffer inBuffer, ByteBuffer outBuffer) -- throws ShortBufferException, IllegalBlockSizeException, BadPaddingException { -+ throws ShortBufferException, IllegalBlockSizeException, -+ BadPaddingException { - int n = engineUpdate(inBuffer, outBuffer); - n += implDoFinal(outBuffer); - return n; -@@ -453,18 +512,55 @@ - } - try { - ensureInitialized(); -- int k; -+ int k = 0; - if (encrypt) { -- k = token.p11.C_EncryptUpdate -- (session.id(), 0, in, inOfs, inLen, 0, out, outOfs, outLen); -+ k = token.p11.C_EncryptUpdate(session.id(), 0, in, inOfs, inLen, -+ 0, out, outOfs, outLen); - } else { -- k = token.p11.C_DecryptUpdate -- (session.id(), 0, in, inOfs, inLen, 0, out, outOfs, outLen); -+ int newPadBufferLen = 0; -+ if (paddingObj != null) { -+ if (padBufferLen != 0) { -+ // NSS throws up when called with data not in multiple -+ // of blocks. Try to work around this by holding the -+ // extra data in padBuffer. -+ if (padBufferLen != padBuffer.length) { -+ int bufCapacity = padBuffer.length - padBufferLen; -+ if (inLen > bufCapacity) { -+ bufferInputBytes(in, inOfs, bufCapacity); -+ inOfs += bufCapacity; -+ inLen -= bufCapacity; -+ } else { -+ bufferInputBytes(in, inOfs, inLen); -+ return 0; -+ } -+ } -+ k = token.p11.C_DecryptUpdate(session.id(), -+ 0, padBuffer, 0, padBufferLen, -+ 0, out, outOfs, outLen); -+ padBufferLen = 0; -+ } -+ newPadBufferLen = inLen & (blockSize - 1); -+ if (newPadBufferLen == 0) { -+ newPadBufferLen = padBuffer.length; -+ } -+ inLen -= newPadBufferLen; -+ } -+ if (inLen > 0) { -+ k += token.p11.C_DecryptUpdate(session.id(), 0, in, inOfs, -+ inLen, 0, out, (outOfs + k), (outLen - k)); -+ } -+ // update 'padBuffer' if using our own padding impl. -+ if (paddingObj != null) { -+ bufferInputBytes(in, inOfs + inLen, newPadBufferLen); -+ } - } -- bytesProcessed += inLen; -+ bytesBuffered += (inLen - k); - return k; - } catch (PKCS11Exception e) { -- // XXX throw correct exception -+ if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { -+ throw (ShortBufferException) -+ (new ShortBufferException().initCause(e)); -+ } - throw new ProviderException("update() failed", e); - } - } -@@ -480,101 +576,167 @@ - if (outLen < updateLength(inLen)) { - throw new ShortBufferException(); - } -- boolean inPosChanged = false; -+ int origPos = inBuffer.position(); - try { - ensureInitialized(); - - long inAddr = 0; -- int inOfs = inBuffer.position(); -+ int inOfs = 0; - byte[] inArray = null; -+ - if (inBuffer instanceof DirectBuffer) { -- inAddr = ((DirectBuffer)inBuffer).address(); -- } else { -- if (inBuffer.hasArray()) { -- inArray = inBuffer.array(); -- inOfs += inBuffer.arrayOffset(); -- } else { -- inArray = new byte[inLen]; -- inBuffer.get(inArray); -- inOfs = 0; -- inPosChanged = true; -- } -+ inAddr = ((DirectBuffer) inBuffer).address(); -+ inOfs = origPos; -+ } else if (inBuffer.hasArray()) { -+ inArray = inBuffer.array(); -+ inOfs = (origPos + inBuffer.arrayOffset()); - } - - long outAddr = 0; -- int outOfs = outBuffer.position(); -+ int outOfs = 0; - byte[] outArray = null; - if (outBuffer instanceof DirectBuffer) { -- outAddr = ((DirectBuffer)outBuffer).address(); -+ outAddr = ((DirectBuffer) outBuffer).address(); -+ outOfs = outBuffer.position(); - } else { - if (outBuffer.hasArray()) { - outArray = outBuffer.array(); -- outOfs += outBuffer.arrayOffset(); -+ outOfs = (outBuffer.position() + outBuffer.arrayOffset()); - } else { - outArray = new byte[outLen]; -- outOfs = 0; - } - } - -- int k; -+ int k = 0; - if (encrypt) { -- k = token.p11.C_EncryptUpdate -- (session.id(), inAddr, inArray, inOfs, inLen, -- outAddr, outArray, outOfs, outLen); -- } else { -- k = token.p11.C_DecryptUpdate -- (session.id(), inAddr, inArray, inOfs, inLen, -- outAddr, outArray, outOfs, outLen); -- } -- bytesProcessed += inLen; -- if (!inPosChanged) { -- inBuffer.position(inBuffer.position() + inLen); -+ if (inAddr == 0 && inArray == null) { -+ inArray = new byte[inLen]; -+ inBuffer.get(inArray); -+ } else { -+ inBuffer.position(origPos + inLen); -+ } -+ k = token.p11.C_EncryptUpdate(session.id(), -+ inAddr, inArray, inOfs, inLen, -+ outAddr, outArray, outOfs, outLen); -+ } else { -+ int newPadBufferLen = 0; -+ if (paddingObj != null) { -+ if (padBufferLen != 0) { -+ // NSS throws up when called with data not in multiple -+ // of blocks. Try to work around this by holding the -+ // extra data in padBuffer. -+ if (padBufferLen != padBuffer.length) { -+ int bufCapacity = padBuffer.length - padBufferLen; -+ if (inLen > bufCapacity) { -+ bufferInputBytes(inBuffer, bufCapacity); -+ inOfs += bufCapacity; -+ inLen -= bufCapacity; -+ } else { -+ bufferInputBytes(inBuffer, inLen); -+ return 0; -+ } -+ } -+ k = token.p11.C_DecryptUpdate(session.id(), 0, -+ padBuffer, 0, padBufferLen, outAddr, outArray, -+ outOfs, outLen); -+ padBufferLen = 0; -+ } -+ newPadBufferLen = inLen & (blockSize - 1); -+ if (newPadBufferLen == 0) { -+ newPadBufferLen = padBuffer.length; -+ } -+ inLen -= newPadBufferLen; -+ } -+ if (inLen > 0) { -+ if (inAddr == 0 && inArray == null) { -+ inArray = new byte[inLen]; -+ inBuffer.get(inArray); -+ } else { -+ inBuffer.position(inBuffer.position() + inLen); -+ } -+ k += token.p11.C_DecryptUpdate(session.id(), inAddr, -+ inArray, inOfs, inLen, outAddr, outArray, -+ (outOfs + k), (outLen - k)); -+ } -+ // update 'padBuffer' if using our own padding impl. -+ if (paddingObj != null && newPadBufferLen != 0) { -+ bufferInputBytes(inBuffer, newPadBufferLen); -+ } - } -+ bytesBuffered += (inLen - k); - if (!(outBuffer instanceof DirectBuffer) && -- !outBuffer.hasArray()) { -+ !outBuffer.hasArray()) { - outBuffer.put(outArray, outOfs, k); - } else { - outBuffer.position(outBuffer.position() + k); - } - return k; - } catch (PKCS11Exception e) { -- // Un-read the bytes back to input buffer -- if (inPosChanged) { -- inBuffer.position(inBuffer.position() - inLen); -+ // Reset input buffer to its original position for -+ inBuffer.position(origPos); -+ if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { -+ throw (ShortBufferException) -+ (new ShortBufferException().initCause(e)); - } -- // XXX throw correct exception - throw new ProviderException("update() failed", e); - } - } - - private int implDoFinal(byte[] out, int outOfs, int outLen) -- throws ShortBufferException, IllegalBlockSizeException { -- if (outLen < doFinalLength(0)) { -+ throws ShortBufferException, IllegalBlockSizeException, -+ BadPaddingException { -+ int requiredOutLen = doFinalLength(0); -+ if (outLen < requiredOutLen) { - throw new ShortBufferException(); - } - try { - ensureInitialized(); -+ int k = 0; - if (encrypt) { -- return token.p11.C_EncryptFinal -- (session.id(), 0, out, outOfs, outLen); -+ if (paddingObj != null) { -+ int actualPadLen = paddingObj.setPaddingBytes(padBuffer, -+ requiredOutLen - bytesBuffered); -+ k = token.p11.C_EncryptUpdate(session.id(), -+ 0, padBuffer, 0, actualPadLen, -+ 0, out, outOfs, outLen); -+ } -+ k += token.p11.C_EncryptFinal(session.id(), -+ 0, out, (outOfs + k), (outLen - k)); - } else { -- return token.p11.C_DecryptFinal -- (session.id(), 0, out, outOfs, outLen); -+ if (paddingObj != null) { -+ if (padBufferLen != 0) { -+ k = token.p11.C_DecryptUpdate(session.id(), 0, -+ padBuffer, 0, padBufferLen, 0, padBuffer, 0, -+ padBuffer.length); -+ } -+ k += token.p11.C_DecryptFinal(session.id(), 0, padBuffer, k, -+ padBuffer.length - k); -+ int actualPadLen = paddingObj.unpad(padBuffer, 0, k); -+ k -= actualPadLen; -+ System.arraycopy(padBuffer, 0, out, outOfs, k); -+ } else { -+ k = token.p11.C_DecryptFinal(session.id(), 0, out, outOfs, -+ outLen); -+ } - } -+ return k; - } catch (PKCS11Exception e) { - handleException(e); - throw new ProviderException("doFinal() failed", e); - } finally { - initialized = false; -- bytesProcessed = 0; -+ bytesBuffered = 0; -+ padBufferLen = 0; - session = token.releaseSession(session); - } - } - - private int implDoFinal(ByteBuffer outBuffer) -- throws ShortBufferException, IllegalBlockSizeException { -+ throws ShortBufferException, IllegalBlockSizeException, -+ BadPaddingException { - int outLen = outBuffer.remaining(); -- if (outLen < doFinalLength(0)) { -+ int requiredOutLen = doFinalLength(0); -+ if (outLen < requiredOutLen) { - throw new ShortBufferException(); - } - -@@ -582,30 +744,54 @@ - ensureInitialized(); - - long outAddr = 0; -- int outOfs = outBuffer.position(); - byte[] outArray = null; -+ int outOfs = 0; - if (outBuffer instanceof DirectBuffer) { -- outAddr = ((DirectBuffer)outBuffer).address(); -+ outAddr = ((DirectBuffer) outBuffer).address(); -+ outOfs = outBuffer.position(); - } else { - if (outBuffer.hasArray()) { - outArray = outBuffer.array(); -- outOfs += outBuffer.arrayOffset(); -+ outOfs = outBuffer.position() + outBuffer.arrayOffset(); - } else { - outArray = new byte[outLen]; -- outOfs = 0; - } - } - -- int k; -+ int k = 0; -+ - if (encrypt) { -- k = token.p11.C_EncryptFinal -- (session.id(), outAddr, outArray, outOfs, outLen); -+ if (paddingObj != null) { -+ int actualPadLen = paddingObj.setPaddingBytes(padBuffer, -+ requiredOutLen - bytesBuffered); -+ k = token.p11.C_EncryptUpdate(session.id(), -+ 0, padBuffer, 0, actualPadLen, -+ outAddr, outArray, outOfs, outLen); -+ } -+ k += token.p11.C_EncryptFinal(session.id(), -+ outAddr, outArray, (outOfs + k), (outLen - k)); - } else { -- k = token.p11.C_DecryptFinal -- (session.id(), outAddr, outArray, outOfs, outLen); -+ if (paddingObj != null) { -+ if (padBufferLen != 0) { -+ k = token.p11.C_DecryptUpdate(session.id(), -+ 0, padBuffer, 0, padBufferLen, -+ 0, padBuffer, 0, padBuffer.length); -+ padBufferLen = 0; -+ } -+ k += token.p11.C_DecryptFinal(session.id(), -+ 0, padBuffer, k, padBuffer.length - k); -+ int actualPadLen = paddingObj.unpad(padBuffer, 0, k); -+ k -= actualPadLen; -+ outArray = padBuffer; -+ outOfs = 0; -+ } else { -+ k = token.p11.C_DecryptFinal(session.id(), -+ outAddr, outArray, outOfs, outLen); -+ } - } -- if (!(outBuffer instanceof DirectBuffer) && -- !outBuffer.hasArray()) { -+ if ((!encrypt && paddingObj != null) || -+ (!(outBuffer instanceof DirectBuffer) && -+ !outBuffer.hasArray())) { - outBuffer.put(outArray, outOfs, k); - } else { - outBuffer.position(outBuffer.position() + k); -@@ -616,20 +802,21 @@ - throw new ProviderException("doFinal() failed", e); - } finally { - initialized = false; -- bytesProcessed = 0; -+ bytesBuffered = 0; - session = token.releaseSession(session); - } - } - - private void handleException(PKCS11Exception e) -- throws IllegalBlockSizeException { -+ throws ShortBufferException, IllegalBlockSizeException { - long errorCode = e.getErrorCode(); -- // XXX better check -- if (errorCode == CKR_DATA_LEN_RANGE) { -- throw (IllegalBlockSizeException)new -- IllegalBlockSizeException(e.toString()).initCause(e); -+ if (errorCode == CKR_BUFFER_TOO_SMALL) { -+ throw (ShortBufferException) -+ (new ShortBufferException().initCause(e)); -+ } else if (errorCode == CKR_DATA_LEN_RANGE) { -+ throw (IllegalBlockSizeException) -+ (new IllegalBlockSizeException(e.toString()).initCause(e)); - } -- - } - - // see JCE spec -@@ -648,9 +835,22 @@ - } - - // see JCE spec -+ @Override - protected int engineGetKeySize(Key key) throws InvalidKeyException { - int n = P11SecretKeyFactory.convertKey - (token, key, keyAlgorithm).length(); - return n; - } -+ -+ private final void bufferInputBytes(byte[] in, int inOfs, int len) { -+ System.arraycopy(in, inOfs, padBuffer, padBufferLen, len); -+ padBufferLen += len; -+ bytesBuffered += len; -+ } -+ -+ private final void bufferInputBytes(ByteBuffer inBuffer, int len) { -+ inBuffer.get(padBuffer, padBufferLen, len); -+ padBufferLen += len; -+ bytesBuffered += len; -+ } - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2012-09-21 20:03:48.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2012-10-23 18:09:25.964291180 +0100 -@@ -601,14 +601,26 @@ - // XXX attributes for Ciphers (supported modes, padding) - d(CIP, "ARCFOUR", P11Cipher, s("RC4"), - m(CKM_RC4)); -- // XXX only CBC/NoPadding for block ciphers - d(CIP, "DES/CBC/NoPadding", P11Cipher, - m(CKM_DES_CBC)); -+ d(CIP, "DES/CBC/PKCS5Padding", P11Cipher, -+ m(CKM_DES_CBC_PAD, CKM_DES_CBC)); -+ d(CIP, "DES/ECB", P11Cipher, s("DES"), -+ m(CKM_DES_ECB)); -+ - d(CIP, "DESede/CBC/NoPadding", P11Cipher, - m(CKM_DES3_CBC)); -+ d(CIP, "DESede/CBC/PKCS5Padding", P11Cipher, -+ m(CKM_DES3_CBC_PAD, CKM_DES3_CBC)); -+ d(CIP, "DESede/ECB", P11Cipher, s("DESede"), -+ m(CKM_DES3_ECB)); - d(CIP, "AES/CBC/NoPadding", P11Cipher, - m(CKM_AES_CBC)); -- d(CIP, "Blowfish/CBC/NoPadding", P11Cipher, -+ d(CIP, "AES/CBC/PKCS5Padding", P11Cipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC)); -+ d(CIP, "AES/ECB", P11Cipher, s("AES"), -+ m(CKM_AES_ECB)); -+ d(CIP, "Blowfish/CBC", P11Cipher, - m(CKM_BLOWFISH_CBC)); - - // XXX RSA_X_509, RSA_OAEP not yet supported -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 2012-10-23 18:09:25.976291370 +0100 -@@ -0,0 +1,282 @@ -+/* -+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modi -+fy it -+ * under the terms of the GNU General Public License version 2 onl -+y, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, bu -+t WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABIL -+ITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public L -+icense -+ * version 2 for more details (a copy is included in the LICENSE f -+ile that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public Licen -+se version -+ * 2 along with this work; if not, write to the Free Software Foun -+dation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, San -+ta Clara, -+ * CA 95054 USA or visit www.sun.com if you need additional inform -+ation or -+ * have any questions. -+ */ -+ -+/** -+ * @test %I% %E% -+ * @bug 4898461 -+ * @summary basic test for symmetric ciphers with padding -+ * @author Valerie Peng -+ * @library .. -+ */ -+import java.io.*; -+import java.nio.*; -+import java.util.*; -+ -+import java.security.*; -+import java.security.spec.AlgorithmParameterSpec; -+ -+import javax.crypto.*; -+import javax.crypto.spec.IvParameterSpec; -+ -+public class TestSymmCiphers extends PKCS11Test { -+ -+ private static class CI { // class for holding Cipher Information -+ -+ String transformation; -+ String keyAlgo; -+ int dataSize; -+ -+ CI(String transformation, String keyAlgo, int dataSize) { -+ this.transformation = transformation; -+ this.keyAlgo = keyAlgo; -+ this.dataSize = dataSize; -+ } -+ } -+ private static final CI[] TEST_LIST = { -+ new CI("ARCFOUR", "ARCFOUR", 400), -+ new CI("RC4", "RC4", 401), -+ new CI("DES/CBC/NoPadding", "DES", 400), -+ new CI("DESede/CBC/NoPadding", "DESede", 160), -+ new CI("AES/CBC/NoPadding", "AES", 4800), -+ new CI("Blowfish/CBC/NoPadding", "Blowfish", 24), -+ new CI("DES/cbc/PKCS5Padding", "DES", 6401), -+ new CI("DESede/CBC/PKCS5Padding", "DESede", 402), -+ new CI("AES/CBC/PKCS5Padding", "AES", 30), -+ new CI("Blowfish/CBC/PKCS5Padding", "Blowfish", 19), -+ new CI("DES/ECB/NoPadding", "DES", 400), -+ new CI("DESede/ECB/NoPadding", "DESede", 160), -+ new CI("AES/ECB/NoPadding", "AES", 4800), -+ new CI("DES/ECB/PKCS5Padding", "DES", 32), -+ new CI("DES/ECB/PKCS5Padding", "DES", 6400), -+ new CI("DESede/ECB/PKCS5Padding", "DESede", 400), -+ new CI("AES/ECB/PKCS5Padding", "AES", 64), -+ new CI("DES", "DES", 6400), -+ new CI("DESede", "DESede", 408), -+ new CI("AES", "AES", 128) -+ }; -+ private static StringBuffer debugBuf = new StringBuffer(); -+ -+ public void main(Provider p) throws Exception { -+ // NSS reports CKR_DEVICE_ERROR when the data passed to -+ // its EncryptUpdate/DecryptUpdate is not multiple of blocks -+ int firstBlkSize = 16; -+ boolean status = true; -+ Random random = new Random(); -+ try { -+ for (int i = 0; i < TEST_LIST.length; i++) { -+ CI currTest = TEST_LIST[i]; -+ System.out.println("===" + currTest.transformation + "==="); -+ try { -+ KeyGenerator kg = -+ KeyGenerator.getInstance(currTest.keyAlgo, p); -+ SecretKey key = kg.generateKey(); -+ Cipher c1 = Cipher.getInstance(currTest.transformation, p); -+ Cipher c2 = Cipher.getInstance(currTest.transformation, -+ "SunJCE"); -+ -+ byte[] plainTxt = new byte[currTest.dataSize]; -+ random.nextBytes(plainTxt); -+ System.out.println("Testing inLen = " + plainTxt.length); -+ -+ c2.init(Cipher.ENCRYPT_MODE, key); -+ AlgorithmParameters params = c2.getParameters(); -+ byte[] answer = c2.doFinal(plainTxt); -+ System.out.println("Encryption tests: START"); -+ test(c1, Cipher.ENCRYPT_MODE, key, params, firstBlkSize, -+ plainTxt, answer); -+ System.out.println("Encryption tests: DONE"); -+ c2.init(Cipher.DECRYPT_MODE, key, params); -+ byte[] answer2 = c2.doFinal(answer); -+ System.out.println("Decryption tests: START"); -+ test(c1, Cipher.DECRYPT_MODE, key, params, firstBlkSize, -+ answer, answer2); -+ System.out.println("Decryption tests: DONE"); -+ } catch (NoSuchAlgorithmException nsae) { -+ System.out.println("Skipping unsupported algorithm: " + -+ nsae); -+ } -+ } -+ } catch (Exception ex) { -+ // print out debug info when exception is encountered -+ if (debugBuf != null) { -+ System.out.println(debugBuf.toString()); -+ debugBuf = new StringBuffer(); -+ } -+ throw ex; -+ } -+ } -+ -+ private static void test(Cipher cipher, int mode, SecretKey key, -+ AlgorithmParameters params, int firstBlkSize, -+ byte[] in, byte[] answer) throws Exception { -+ // test setup -+ long startTime, endTime; -+ cipher.init(mode, key, params); -+ int outLen = cipher.getOutputSize(in.length); -+ //debugOut("Estimated output size = " + outLen + "\n"); -+ -+ // test data preparation -+ ByteBuffer inBuf = ByteBuffer.allocate(in.length); -+ inBuf.put(in); -+ inBuf.position(0); -+ ByteBuffer inDirectBuf = ByteBuffer.allocateDirect(in.length); -+ inDirectBuf.put(in); -+ inDirectBuf.position(0); -+ ByteBuffer outBuf = ByteBuffer.allocate(outLen); -+ ByteBuffer outDirectBuf = ByteBuffer.allocateDirect(outLen); -+ -+ // test#1: byte[] in + byte[] out -+ //debugOut("Test#1:\n"); -+ -+ ByteArrayOutputStream baos = new ByteArrayOutputStream(); -+ -+ startTime = System.nanoTime(); -+ byte[] temp = cipher.update(in, 0, firstBlkSize); -+ if (temp != null && temp.length > 0) { -+ baos.write(temp, 0, temp.length); -+ } -+ temp = cipher.doFinal(in, firstBlkSize, in.length - firstBlkSize); -+ if (temp != null && temp.length > 0) { -+ baos.write(temp, 0, temp.length); -+ } -+ byte[] testOut1 = baos.toByteArray(); -+ endTime = System.nanoTime(); -+ perfOut("stream InBuf + stream OutBuf: " + -+ (endTime - startTime)); -+ match(testOut1, answer); -+ -+ // test#2: Non-direct Buffer in + non-direct Buffer out -+ //debugOut("Test#2:\n"); -+ //debugOut("inputBuf: " + inBuf + "\n"); -+ //debugOut("outputBuf: " + outBuf + "\n"); -+ -+ startTime = System.nanoTime(); -+ cipher.update(inBuf, outBuf); -+ cipher.doFinal(inBuf, outBuf); -+ endTime = System.nanoTime(); -+ perfOut("non-direct InBuf + non-direct OutBuf: " + -+ (endTime - startTime)); -+ match(outBuf, answer); -+ -+ // test#3: Direct Buffer in + direc Buffer out -+ //debugOut("Test#3:\n"); -+ //debugOut("(pre) inputBuf: " + inDirectBuf + "\n"); -+ //debugOut("(pre) outputBuf: " + outDirectBuf + "\n"); -+ -+ startTime = System.nanoTime(); -+ cipher.update(inDirectBuf, outDirectBuf); -+ cipher.doFinal(inDirectBuf, outDirectBuf); -+ endTime = System.nanoTime(); -+ perfOut("direct InBuf + direct OutBuf: " + -+ (endTime - startTime)); -+ -+ //debugOut("(post) inputBuf: " + inDirectBuf + "\n"); -+ //debugOut("(post) outputBuf: " + outDirectBuf + "\n"); -+ match(outDirectBuf, answer); -+ -+ // test#4: Direct Buffer in + non-direct Buffer out -+ //debugOut("Test#4:\n"); -+ inDirectBuf.position(0); -+ outBuf.position(0); -+ //debugOut("inputBuf: " + inDirectBuf + "\n"); -+ //debugOut("outputBuf: " + outBuf + "\n"); -+ -+ startTime = System.nanoTime(); -+ cipher.update(inDirectBuf, outBuf); -+ cipher.doFinal(inDirectBuf, outBuf); -+ endTime = System.nanoTime(); -+ perfOut("direct InBuf + non-direct OutBuf: " + -+ (endTime - startTime)); -+ match(outBuf, answer); -+ -+ // test#5: Non-direct Buffer in + direct Buffer out -+ //debugOut("Test#5:\n"); -+ inBuf.position(0); -+ outDirectBuf.position(0); -+ -+ //debugOut("(pre) inputBuf: " + inBuf + "\n"); -+ //debugOut("(pre) outputBuf: " + outDirectBuf + "\n"); -+ -+ startTime = System.nanoTime(); -+ cipher.update(inBuf, outDirectBuf); -+ cipher.doFinal(inBuf, outDirectBuf); -+ endTime = System.nanoTime(); -+ perfOut("non-direct InBuf + direct OutBuf: " + -+ (endTime - startTime)); -+ -+ //debugOut("(post) inputBuf: " + inBuf + "\n"); -+ //debugOut("(post) outputBuf: " + outDirectBuf + "\n"); -+ match(outDirectBuf, answer); -+ -+ debugBuf = null; -+ } -+ -+ private static void perfOut(String msg) { -+ if (debugBuf != null) { -+ debugBuf.append("PERF>" + msg); -+ } -+ } -+ -+ private static void debugOut(String msg) { -+ if (debugBuf != null) { -+ debugBuf.append(msg); -+ } -+ } -+ -+ private static void match(byte[] b1, byte[] b2) throws Exception { -+ if (b1.length != b2.length) { -+ debugOut("got len : " + b1.length + "\n"); -+ debugOut("expect len: " + b2.length + "\n"); -+ throw new Exception("mismatch - different length! got: " + b1.length + ", expect: " + b2.length + "\n"); -+ } else { -+ for (int i = 0; i < b1.length; i++) { -+ if (b1[i] != b2[i]) { -+ debugOut("got : " + toString(b1) + "\n"); -+ debugOut("expect: " + toString(b2) + "\n"); -+ throw new Exception("mismatch"); -+ } -+ } -+ } -+ } -+ -+ private static void match(ByteBuffer bb, byte[] answer) throws Exception { -+ byte[] bbTemp = new byte[bb.position()]; -+ bb.position(0); -+ bb.get(bbTemp, 0, bbTemp.length); -+ match(bbTemp, answer); -+ } -+ -+ public static void main(String[] args) throws Exception { -+ main(new TestSymmCiphers()); -+ } -+} diff -r 8554f062d23d -r 680136982d3c patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch --- a/patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch Thu Jan 21 01:22:57 2016 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,328 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/krb5/Credentials.java openjdk/jdk/src/share/classes/sun/security/krb5/Credentials.java ---- openjdk.orig/jdk/src/share/classes/sun/security/krb5/Credentials.java 2015-10-26 18:40:10.645524086 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/krb5/Credentials.java 2015-10-27 01:13:22.017703153 +0000 -@@ -35,6 +35,7 @@ - import sun.security.krb5.internal.crypto.EType; - import java.io.IOException; - import java.util.Date; -+import java.util.Locale; - import java.net.InetAddress; - - /** -@@ -268,7 +269,7 @@ - // The default ticket cache on Windows is not a file. - String os = java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("os.name")); -- if (os.toUpperCase().startsWith("WINDOWS")) { -+ if (os.toUpperCase(Locale.ENGLISH).startsWith("WINDOWS")) { - Credentials creds = acquireDefaultCreds(); - if (creds == null) { - if (DEBUG) { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java openjdk/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java 2015-10-26 18:40:10.741522482 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java 2015-10-27 01:13:09.697910241 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -28,6 +28,7 @@ - import java.io.IOException; - import java.io.OutputStream; - import java.security.cert.CertificateException; -+import java.util.Locale; - import java.util.Date; - import java.util.Hashtable; - import sun.security.x509.CertificateExtensions; -@@ -742,7 +743,7 @@ - * the name. - */ - public static ObjectIdentifier getOID(String name) { -- return NAME_OID_TABLE.get(name.toLowerCase()); -+ return NAME_OID_TABLE.get(name.toLowerCase(Locale.ENGLISH)); - } - - /** -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2015-10-27 00:25:34.802092132 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2015-10-27 01:13:09.701910173 +0000 -@@ -26,6 +26,7 @@ - - import java.nio.ByteBuffer; - import java.util.Arrays; -+import java.util.Locale; - - import java.security.*; - import java.security.spec.*; -@@ -201,7 +202,7 @@ - } - - private int parseMode(String mode) throws NoSuchAlgorithmException { -- mode = mode.toUpperCase(); -+ mode = mode.toUpperCase(Locale.ENGLISH); - int result; - if (mode.equals("ECB")) { - result = MODE_ECB; -@@ -222,7 +223,7 @@ - throws NoSuchPaddingException { - paddingObj = null; - padBuffer = null; -- padding = padding.toUpperCase(); -+ padding = padding.toUpperCase(Locale.ENGLISH); - if (padding.equals("NOPADDING")) { - paddingType = PAD_NONE; - } else if (padding.equals("PKCS5PADDING")) { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2015-10-27 00:25:35.530079682 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2015-10-27 01:13:09.701910173 +0000 -@@ -29,6 +29,8 @@ - import java.security.spec.AlgorithmParameterSpec; - import java.security.spec.*; - -+import java.util.Locale; -+ - import javax.crypto.*; - import javax.crypto.spec.*; - -@@ -118,7 +120,7 @@ - - protected void engineSetPadding(String padding) - throws NoSuchPaddingException { -- String lowerPadding = padding.toLowerCase(); -+ String lowerPadding = padding.toLowerCase(Locale.ENGLISH); - if (lowerPadding.equals("pkcs1Padding")) { - // empty - } else { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java openjdk/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java 2015-10-26 18:40:10.833520945 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2006, 2010 Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -50,6 +50,7 @@ - import java.util.Collection; - import java.util.Collections; - import java.util.List; -+import java.util.Locale; - import sun.security.x509.AccessDescription; - import sun.security.x509.GeneralNameInterface; - import sun.security.x509.URIName; -@@ -134,7 +135,7 @@ - } - this.uri = ((URICertStoreParameters) params).uri; - // if ldap URI, use an LDAPCertStore to fetch certs and CRLs -- if (uri.getScheme().toLowerCase().equals("ldap")) { -+ if (uri.getScheme().toLowerCase(Locale.ENGLISH).equals("ldap")) { - ldap = true; - ldapCertStore = - LDAPCertStore.getInstance(LDAPCertStore.getParameters(uri)); -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/util/Debug.java openjdk/jdk/src/share/classes/sun/security/util/Debug.java ---- openjdk.orig/jdk/src/share/classes/sun/security/util/Debug.java 2015-10-26 18:40:10.933519274 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/util/Debug.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1998, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -28,6 +28,7 @@ - import java.math.BigInteger; - import java.util.regex.Pattern; - import java.util.regex.Matcher; -+import java.util.Locale; - - /** - * A utility class for debuging. -@@ -262,7 +263,7 @@ - source = left; - - // convert the rest to lower-case characters -- target.append(source.toString().toLowerCase()); -+ target.append(source.toString().toLowerCase(Locale.ENGLISH)); - - return target.toString(); - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2015-10-26 18:40:10.973518606 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -541,9 +541,10 @@ - for (Enumeration enum_ = provs[i].keys(); - enum_.hasMoreElements(); ) { - String alias = (String)enum_.nextElement(); -+ String upperCaseAlias = alias.toUpperCase(Locale.ENGLISH); - int index; -- if (alias.toUpperCase().startsWith("ALG.ALIAS") && -- (index=alias.toUpperCase().indexOf("OID.", 0)) != -1) { -+ if (upperCaseAlias.startsWith("ALG.ALIAS") && -+ (index=upperCaseAlias.indexOf("OID.", 0)) != -1) { - index += "OID.".length(); - if (index == alias.length()) { - // invalid alias entry -@@ -553,19 +554,26 @@ - oidTable = new HashMap(); - } - oidString = alias.substring(index); -- String stdAlgName -- = provs[i].getProperty(alias).toUpperCase(); -- if (oidTable.get(stdAlgName) == null) { -+ String stdAlgName = provs[i].getProperty(alias); -+ if (stdAlgName != null) { -+ stdAlgName = stdAlgName.toUpperCase(Locale.ENGLISH); -+ } -+ if (stdAlgName != null && -+ oidTable.get(stdAlgName) == null) { - oidTable.put(stdAlgName, - new ObjectIdentifier(oidString)); - } - } - } - } -+ -+ if (oidTable == null) { -+ oidTable = new HashMap(1); -+ } - initOidTable = true; - } - -- return oidTable.get(name.toUpperCase()); -+ return oidTable.get(name.toUpperCase(Locale.ENGLISH)); - } - - private static ObjectIdentifier oid(int ... values) { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/AVA.java openjdk/jdk/src/share/classes/sun/security/x509/AVA.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/AVA.java 2015-10-26 18:40:10.973518606 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/x509/AVA.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -1222,7 +1222,7 @@ - (String keyword, int standard, Map extraKeywordMap) - throws IOException { - -- keyword = keyword.toUpperCase(); -+ keyword = keyword.toUpperCase(Locale.ENGLISH); - if (standard == AVA.RFC2253) { - if (keyword.startsWith(" ") || keyword.endsWith(" ")) { - throw new IOException("Invalid leading or trailing space " + -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/DNSName.java openjdk/jdk/src/share/classes/sun/security/x509/DNSName.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/DNSName.java 2015-10-26 18:40:10.985518405 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/x509/DNSName.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2000, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -26,6 +26,7 @@ - package sun.security.x509; - - import java.io.IOException; -+import java.util.Locale; - - import sun.security.util.*; - -@@ -198,8 +199,9 @@ - else if (inputName.getType() != NAME_DNS) - constraintType = NAME_DIFF_TYPE; - else { -- String inName = (((DNSName)inputName).getName()).toLowerCase(); -- String thisName = name.toLowerCase(); -+ String inName = -+ (((DNSName)inputName).getName()).toLowerCase(Locale.ENGLISH); -+ String thisName = name.toLowerCase(Locale.ENGLISH); - if (inName.equals(thisName)) - constraintType = NAME_MATCH; - else if (thisName.endsWith(inName)) { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/RFC822Name.java openjdk/jdk/src/share/classes/sun/security/x509/RFC822Name.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/RFC822Name.java 2015-10-26 18:40:11.001518138 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/x509/RFC822Name.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2000, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -26,6 +26,7 @@ - package sun.security.x509; - - import java.io.IOException; -+import java.util.Locale; - - import sun.security.util.*; - -@@ -187,8 +188,9 @@ - constraintType = NAME_DIFF_TYPE; - } else { - //RFC2459 specifies that case is not significant in RFC822Names -- String inName = (((RFC822Name)inputName).getName()).toLowerCase(); -- String thisName = name.toLowerCase(); -+ String inName = -+ (((RFC822Name)inputName).getName()).toLowerCase(Locale.ENGLISH); -+ String thisName = name.toLowerCase(Locale.ENGLISH); - if (inName.equals(thisName)) { - constraintType = NAME_MATCH; - } else if (thisName.endsWith(inName)) { -diff -Nru openjdk.orig/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java openjdk/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java ---- openjdk.orig/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java 2015-10-27 01:13:09.701910173 +0000 -@@ -0,0 +1,40 @@ -+/* -+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/* -+ * @test -+ * @bug 6867345 -+ * @summary Turkish regional options cause NPE in -+ * sun.security.x509.AlgorithmId.algOID -+ * @run main/othervm -Duser.language=tr -Duser.region=TR TurkishRegion -+ * @author Xuelei Fan -+ */ -+ -+import sun.security.x509.*; -+ -+public class TurkishRegion { -+ -+ public static void main(String[] args) throws Exception { -+ AlgorithmId algId = AlgorithmId.get("PBEWITHMD5ANDDES"); -+ } -+}