[CAUTION] [11u] RFR: 8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
Lindenmaier, Goetz
goetz.lindenmaier at sap.com
Fri Dec 13 08:11:45 UTC 2019
Hi Christoph,
I tested your proposeal, all test pass, as well as the one from
the bug description (after removing libsunec from the jdk).
http://cr.openjdk.java.net/~goetz/wr19/8233954-UnsatisfiedLink_in_EC-jdk11/02/
And you are right, in case of
NamedGroupType.NAMED_GROUP_ARBITRARY
the original change does not check the availability of the
algorithm.
So these non-elliptic encryptions are processed by other code
and not the libsunec?
Or is just the test not excercising this case?
Best regards,
Goetz.
> -----Original Message-----
> From: Langer, Christoph <christoph.langer at sap.com>
> Sent: Wednesday, December 11, 2019 8:29 PM
> To: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>; jdk-updates-
> dev at openjdk.java.net
> Subject: RE: [CAUTION] [11u] RFR: 8233954: UnsatisfiedLinkError or
> NoSuchAlgorithmException after removing sunec.dll
>
> Hi Goetz,
>
> Wow, that was a bit more than just apply/trivial resolve.
>
> I'm wondering whether in line 346 one should go with "this.isEcAvailable =
> true;" since this constructor is used for
> NamedGroupType.NAMED_GROUP_ARBITRARY. And JDK-8233954 does the
> mediator check only for NamedGroupSpec.NAMED_GROUP_ECDHE which is
> covered in line 306. So, this would probably match the behavior of JDK-
> 8233954 more precisely.
>
> Best regards
> Christoph
>
> > -----Original Message-----
> > From: jdk-updates-dev <jdk-updates-dev-bounces at openjdk.java.net> On
> > Behalf Of Lindenmaier, Goetz
> > Sent: Montag, 9. Dezember 2019 12:27
> > To: jdk-updates-dev at openjdk.java.net
> > Subject: [CAUTION] [11u] RFR: 8233954: UnsatisfiedLinkError or
> > NoSuchAlgorithmException after removing sunec.dll
> >
> > Hi,
> >
> > this change was just recently pushed to 11.0.6-oracle and I would
> > like to downport it to 11.0.6 (repo jdk11u).
> >
> > Unfortunately it does not apply well in 11u and I had to implement
> > parts anew.
> > webrev: http://cr.openjdk.java.net/~goetz/wr19/8233954-
> > UnsatisfiedLink_in_EC-jdk11/01/
> > bug: https://bugs.openjdk.java.net/browse/JDK-8233954
> > orig. change: https://hg.openjdk.java.net/jdk/jdk/rev/e7df7c86eda1
> >
> > The patch to file NamedGroup.java did not apply.
> > File NamedGroup.java was only introduced with
> > https://bugs.openjdk.java.net/browse/JDK-8171279: "8171279: Support
> > X25519 and X448 in TLS"
> > Before, the code lived in SupportedGroupsExtension.java.
> > 8171279 added a new constructor to NamedGroup.
> > After introducing NamedGroup.java,
> > https://bugs.openjdk.java.net/browse/JDK-8226374 "8226374: Restrict TLS
> > signature schemes and named groups"
> > changed the new constructor.
> > I had to implement this anew.
> > There are two constructors for "EC" NamedGroups.
> > In these, I check for JsseJce.isEcAvailable().
> > If this is not available, I mark the whole NamedGroup as
> > not available in new boolean isEcAvailable.
> >
> > The original patch sets 'mediator' which then is
> > assigned to NamedGroup.isAvailable. This field again
> > is checked in the two isAvailable(...) functions.
> >
> > Field NamedGroup.isAvailable is not implemented in 11.
> > Therefor I added a similar check for my field isEcAvailable in these
> > functions. I chose a different name to distinguish from 14's
> > isAvailable because that is used in other contexts, too.
> >
> > For SignatureScheme.java I had to do some adaptions to apply the change.
> >
> > signAlgParamSpec was renamed to signAlgParams in 14, see
> > https://bugs.openjdk.java.net/browse/JDK-8226374: "8226374: Restrict TLS
> > signature schemes and named groups"
> > I had to undo the renaming in the patch.
> >
> > JsseJce.getSignature() was renamed to Signature.getInstance in
> > https://bugs.openjdk.java.net/browse/JDK-8217835: "8217835: Remove
> the
> > experimental SunJSSE FIPS compliant mode"
> > I had to undo this in the patch, too.
> >
> > I ran the test that is patched into the bug description. It fails without my
> > adapted change, and passes with it.
> >
> > Please review.
> >
> > Best regards,
> > Goetz.
> >
> >
More information about the jdk-updates-dev
mailing list