# HG changeset patch # User Andrew John Hughes # Date 1437158977 -3600 # Node ID de1a34f4a1a01d1b9f3a4b01a48daa0b8f379f23 # Parent 95e61307e07ca65eb3401e2b8eba3a3b2aa3d7dd PR2390: Make elliptic curve removal optional 2015-07-13 Andrew John Hughes PR2390: Make elliptic curve removal optional * INSTALL: Document --enable-non-nss-curves. * Makefile.am: (ICEDTEA_PATCHES): Only apply the RH1022017 patch when non-NSS curves are not enabled. * NEWS: Updated. * acinclude.m4: (IT_ENABLE_NON_NSS_CURVES): New macro to allow non-NSS curves to be turned on. * configure.ac: Invoke IT_ENABLE_NON_NSS_CURVES. * fsg.sh.in: Don't alter the curve list when non-NSS curves are enabled. diff -r 95e61307e07c -r de1a34f4a1a0 ChangeLog --- a/ChangeLog Thu Jul 16 00:38:16 2015 +0100 +++ b/ChangeLog Fri Jul 17 19:49:37 2015 +0100 @@ -1,3 +1,24 @@ +2015-07-13 Andrew John Hughes + + PR2390: Make elliptic curve removal + optional + * INSTALL: + Document --enable-non-nss-curves. + * Makefile.am: + (ICEDTEA_PATCHES): Only apply + the RH1022017 patch when non-NSS + curves are not enabled. + * NEWS: Updated. + * acinclude.m4: + (IT_ENABLE_NON_NSS_CURVES): New + macro to allow non-NSS curves to + be turned on. + * configure.ac: + Invoke IT_ENABLE_NON_NSS_CURVES. + * fsg.sh.in: + Don't alter the curve list when + non-NSS curves are enabled. + 2015-07-13 Andrew John Hughes * AUTHORS: Add James. diff -r 95e61307e07c -r de1a34f4a1a0 INSTALL --- a/INSTALL Thu Jul 16 00:38:16 2015 +0100 +++ b/INSTALL Fri Jul 17 19:49:37 2015 +0100 @@ -194,6 +194,7 @@ * --enable-native-debuginfo: Include debuginfo in native binaries. * --enable-java-debuginfo: Include debuginfo in Java class files. * --enable-infinality: Use fontconfig for better font rendering +* --enable-non-nss-curves: Define curves beyond the three specified by NSS (NIST P-{256,384,521}) Testing ======= diff -r 95e61307e07c -r de1a34f4a1a0 Makefile.am --- a/Makefile.am Thu Jul 16 00:38:16 2015 +0100 +++ b/Makefile.am Fri Jul 17 19:49:37 2015 +0100 @@ -285,15 +285,12 @@ endif if ENABLE_NSS -ICEDTEA_PATCHES += patches/nss-config.patch \ - patches/rh1022017.patch +ICEDTEA_PATCHES += patches/nss-config.patch endif -if ENABLE_SUNEC -if !ENABLE_NSS +if !USE_NON_NSS_CURVES ICEDTEA_PATCHES += patches/rh1022017.patch endif -endif ICEDTEA_PATCHES += $(DISTRIBUTION_PATCHES) diff -r 95e61307e07c -r de1a34f4a1a0 NEWS --- a/NEWS Thu Jul 16 00:38:16 2015 +0100 +++ b/NEWS Fri Jul 17 19:49:37 2015 +0100 @@ -29,6 +29,7 @@ - PR2328: GCJ uses ppc64el named libarch directory on ppc64le - PR2341: Update README & INSTALL files - PR2367: 7 no longer builds with 6 - Util is not public in sun.management + - PR2390: Make elliptic curve removal optional - PR2395: Path to jvm.cfg is wrong in add-systemtap-boot * CACAO - PR2380: Raise javadoc and JAVAC_FLAGS memory limits for CACAO diff -r 95e61307e07c -r de1a34f4a1a0 acinclude.m4 --- a/acinclude.m4 Thu Jul 16 00:38:16 2015 +0100 +++ b/acinclude.m4 Fri Jul 17 19:49:37 2015 +0100 @@ -2957,3 +2957,19 @@ AM_CONDITIONAL([JAVAC_LACKS_UNDERSCORED_LITERALS], test x"${it_cv_underscore}" = "xyes") AC_PROVIDE([$0])dnl ]) + +AC_DEFUN_ONCE([IT_ENABLE_NON_NSS_CURVES], +[ + AC_MSG_CHECKING([whether to enable elliptic curves beyond those supported by NSS]) + AC_ARG_ENABLE([non-nss-curves], + [AS_HELP_STRING(--enable-non-nss-curves,register curves beyond the 3 NSS defines [[default=no]])], + [ + ENABLE_NON_NSS_CURVES="${enableval}" + ], + [ + ENABLE_NON_NSS_CURVES="no" + ]) + AC_MSG_RESULT(${ENABLE_NON_NSS_CURVES}) + AM_CONDITIONAL(USE_NON_NSS_CURVES, test x"${ENABLE_NON_NSS_CURVES}" = "xyes") + AC_SUBST(ENABLE_NON_NSS_CURVES) +]) diff -r 95e61307e07c -r de1a34f4a1a0 configure.ac --- a/configure.ac Thu Jul 16 00:38:16 2015 +0100 +++ b/configure.ac Fri Jul 17 19:49:37 2015 +0100 @@ -185,6 +185,7 @@ IT_ENABLE_JAR_COMPRESSION IT_CHECK_ADDITIONAL_VMS IT_ENABLE_ARM32JIT +IT_ENABLE_NON_NSS_CURVES IT_WITH_VERSION_SUFFIX IT_ENABLE_HG diff -r 95e61307e07c -r de1a34f4a1a0 fsg.sh.in --- a/fsg.sh.in Thu Jul 16 00:38:16 2015 +0100 +++ b/fsg.sh.in Fri Jul 17 19:49:37 2015 +0100 @@ -108,6 +108,7 @@ echo "Removing EC source code we don't build" rm -rvf openjdk/jdk/src/share/native/sun/security/ec/impl -echo "Syncing EC list with NSS" -patch -Np0 < @abs_top_srcdir@/patches/pr2124.patch - +if test "x@ENABLE_NON_NSS_CURVES@" = "xno"; then + echo "Syncing EC list with NSS" + patch -Np0 < @abs_top_srcdir@/patches/pr2124.patch +fi