# HG changeset patch # User Andrew John Hughes # Date 1406074964 -3600 # Node ID 2278e3fd95848b59b6cdfeb5c1d8747c5d8f1d1d # Parent cacc6f6b51c0fa2016cef50861cf82d54e56922b PR1833, RH1022017: Report elliptic curves supported by NSS, not the SunEC library 2014-06-10 Andrew John Hughes PR1833, RH1022017: Report elliptic curves supported by NSS, not the SunEC library * Makefile.am: (ICEDTEA_PATCHES): Add new patch when PKCS11+NSS is enabled, so that the NSS set of curves are announced via SSL. * NEWS: Updated. * patches/rh1022017.patch: Reduce number of curves announced over SSL to just those supported by NSS. diff -r cacc6f6b51c0 -r 2278e3fd9584 ChangeLog --- a/ChangeLog Tue Jul 22 20:53:01 2014 +0100 +++ b/ChangeLog Wed Jul 23 01:22:44 2014 +0100 @@ -1,3 +1,16 @@ +2014-06-10 Andrew John Hughes + + PR1833, RH1022017: Report elliptic curves + supported by NSS, not the SunEC library + * Makefile.am: + (ICEDTEA_PATCHES): Add new patch when + PKCS11+NSS is enabled, so that the NSS set + of curves are announced via SSL. + * NEWS: Updated. + * patches/rh1022017.patch: + Reduce number of curves announced over SSL + to just those supported by NSS. + 2014-07-22 Andrew John Hughes * Makefile.am: diff -r cacc6f6b51c0 -r 2278e3fd9584 Makefile.am --- a/Makefile.am Tue Jul 22 20:53:01 2014 +0100 +++ b/Makefile.am Wed Jul 23 01:22:44 2014 +0100 @@ -294,7 +294,8 @@ endif if ENABLE_NSS -ICEDTEA_PATCHES += patches/nss-config.patch +ICEDTEA_PATCHES += patches/nss-config.patch \ + patches/rh1022017.patch endif if WITH_ALT_HSBUILD diff -r cacc6f6b51c0 -r 2278e3fd9584 NEWS --- a/NEWS Tue Jul 22 20:53:01 2014 +0100 +++ b/NEWS Wed Jul 23 01:22:44 2014 +0100 
@@ -94,6 +94,7 @@ * Bug fixes - Fix accidental reversion of PR1188 for armel - PR1781: NSS PKCS11 provider fails to handle multipart AES encryption + - PR1833, RH1022017: Report elliptic curves supported by NSS, not the SunEC library - RH905128: [CRASH] OpenJDK-1.7.0 while using NSS security provider and kerberos New in release 2.4.7 (2014-04-15): diff -r cacc6f6b51c0 -r 2278e3fd9584 patches/rh1022017.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/rh1022017.patch Wed Jul 23 01:22:44 2014 +0100 @@ -0,0 +1,44 @@ +diff -r cdfd161703ed src/share/classes/sun/security/ssl/HelloExtensions.java +--- openjdk/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java Wed Oct 23 05:22:55 2013 +0100 ++++ openjdk/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java Thu Nov 07 12:41:45 2013 +0000 +@@ -435,25 +435,11 @@ + // the extension value to send in the ClientHello message + static final SupportedEllipticCurvesExtension DEFAULT; + +- private static final boolean fips; +- + static { +- int[] ids; +- fips = SunJSSE.isFIPS(); +- if (fips == false) { +- ids = new int[] { +- // NIST curves first +- // prefer NIST P-256, rest in order of increasing key length +- 23, 1, 3, 19, 21, 6, 7, 9, 10, 24, 11, 12, 25, 13, 14, +- // non-NIST curves +- 15, 16, 17, 2, 18, 4, 5, 20, 8, 22, +- }; +- } else { +- ids = new int[] { +- // same as above, but allow only NIST curves in FIPS mode +- 23, 1, 3, 19, 21, 6, 7, 9, 10, 24, 11, 12, 25, 13, 14, +- }; +- } ++ int[] ids = new int[] { ++ // NSS currently only supports these three NIST curves ++ 23, 24, 25 ++ }; + DEFAULT = new SupportedEllipticCurvesExtension(ids); + } + +@@ -545,10 +531,6 @@ + if ((index <= 0) || (index >= NAMED_CURVE_OID_TABLE.length)) { + return false; + } +- if (fips == false) { +- // in non-FIPS mode, we support all valid indices +- return true; +- } + return DEFAULT.contains(index); + } +
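Review bot: In the ChangeLog hunk, the new entry is dated 2014-06-10 but sits above the 2014-07-22 entry, while the changeset's own headers give Wed Jul 23 2014. Use the commit date for the entry, or place it in date order, so the log stays reverse-chronological.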
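Review bot: In the Makefile.am hunk, patches/rh1022017.patch is added under the build-time "if ENABLE_NSS" conditional, so the reduced curve list is compiled into every build configured with NSS rather than selected by a runtime check. The ChangeLog wording "when PKCS11+NSS is enabled" should say that this is a build option, so packagers know which builds advertise fewer curves.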
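Review bot: In the static initializer of the first HelloExtensions.java hunk (@@ -435,25 +435,11 @@), the ids 23, 24, 25 are hard-coded with only the comment "NSS currently only supports these three NIST curves", which names no curves and no NSS version. Name the curves in the comment (23, 24 and 25 are secp256r1, secp384r1 and secp521r1 in the TLS named-curve registry) and record which NSS release the claim was checked against, so the list can be revisited when NSS support changes. Removing the fips field is consistent with this list, since all three ids already appear in the removed FIPS-mode array.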
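Review bot: In the second HelloExtensions.java hunk (@@ -545,10 +531,6 @@), removing the "fips == false" early return makes every mode fall through to "return DEFAULT.contains(index)", so indices that non-FIPS mode previously accepted ("we support all valid indices") are now rejected unless they are 23, 24 or 25. That is a behaviour change for peers using any other curve. It should be stated in the NEWS entry, and a comment at this return should explain that support is now limited to the advertised list.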