Skip to content

Commit

Permalink
Merge pull request #623 from ibmruntimes/openj9
Browse files Browse the repository at this point in the history 
Merge jdk-11.0.19+3, +4 and OpenSSL Version granularity update to 0.38
  • Loading branch information
@JasonFengJ9
JasonFengJ9 committed Mar 13, 2023
2 parents ab70f2b + 8292b21 commit 23d2c3b
Show file tree
Hide file tree
Showing 146 changed files with 3,784 additions and 1,336 deletions.
26 changes: 20 additions & 6 deletions closed/autoconf/custom-spec.gmk.in
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# ===========================================================================
# (c) Copyright IBM Corp. 2017, 2022 All Rights Reserved
# (c) Copyright IBM Corp. 2017, 2023 All Rights Reserved
# ===========================================================================
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
Expand Down Expand Up @@ -118,12 +118,26 @@ endif
# Usage: $(call CodesignFile, files ...)
ifeq (,$(CODESIGN))
CodesignFile =
else ifeq (debug, $(MACOSX_CODESIGN_MODE))
define CodesignFile
$(CODESIGN) --remove-signature $1
$(CODESIGN) --sign - \
--entitlements $(TOPDIR)/make/data/macosxsigning/default-debug.plist \
--force \
$1
endef
else ifeq (hardened, $(MACOSX_CODESIGN_MODE))
define CodesignFile
$(CODESIGN) --remove-signature $1
$(CODESIGN) --sign "$(MACOSX_CODESIGN_IDENTITY)" \
--entitlements $(TOPDIR)/make/data/macosxsigning/default.plist \
--force \
--options runtime \
--timestamp \
$1
endef
else
CodesignFile = $(CODESIGN) --sign "$(MACOSX_CODESIGN_IDENTITY)" \
--entitlements $(TOPDIR)/make/data/macosxsigning/default.plist \
--options runtime \
--timestamp \
$1
CodesignFile =
endif

# Archive from which to import Health Center content.
Expand Down
2 changes: 1 addition & 1 deletion closed/openjdk-tag.gmk
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
OPENJDK_TAG := jdk-11.0.19+2
OPENJDK_TAG := jdk-11.0.19+4
25 changes: 16 additions & 9 deletions closed/src/java.base/share/classes/jdk/crypto/jniprovider/NativeCrypto.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,10 @@ public class NativeCrypto {
public static final int SHA5_384 = 3;
public static final int SHA5_512 = 4;

public static final long OPENSSL_VERSION_1_0_0 = 0x1_00_00_000L;
public static final long OPENSSL_VERSION_1_1_0 = 0x1_01_00_000L;
public static final long OPENSSL_VERSION_3_0_0 = 0x3_00_00_000L;

private static final Cleaner ECKeyCleaner = CleanerFactory.cleaner();

private static final boolean useNativeCrypto = Boolean.parseBoolean(
Expand All @@ -60,14 +64,13 @@ private static final class InstanceHolder {
private static final NativeCrypto instance = new NativeCrypto();
}

//ossl_vers:
//ossl_vers will be either:
// -1 : library load failed
// 0 : openssl 1.0.x
// 1 : openssl 1.1.x or newer
private final int ossl_ver;
// or one of the OPENSSL_VERSION_x_x_x constants
private final long ossl_ver;

private static int loadCryptoLibraries() {
int osslVersion;
private static long loadCryptoLibraries() {
long osslVersion;

try {
// load jncrypto JNI library
Expand All @@ -91,7 +94,7 @@ private static int loadCryptoLibraries() {

@SuppressWarnings("removal")
private NativeCrypto() {
ossl_ver = AccessController.doPrivileged((PrivilegedAction<Integer>) () -> loadCryptoLibraries()).intValue();
ossl_ver = AccessController.doPrivileged((PrivilegedAction<Long>) () -> loadCryptoLibraries()).longValue();
}

/**
Expand All @@ -112,7 +115,7 @@ public static final boolean isAllowedAndLoaded() {
*
* @return the OpenSSL library version if it is available
*/
public static final int getVersionIfAvailable() {
public static final long getVersionIfAvailable() {
/*[IF CRIU_SUPPORT]*/
if (InternalCRIUSupport.isCheckpointAllowed()) {
return -1;
Expand Down Expand Up @@ -185,7 +188,8 @@ public void run() {
}

/* Native digest interfaces */
private static final native int loadCrypto(boolean traceEnabled);

private static final native long loadCrypto(boolean trace);

public final native long DigestCreateContext(long nativeBuffer,
int algoIndex);
Expand All @@ -208,6 +212,7 @@ public final native int DigestComputeAndReset(long context,
public final native void DigestReset(long context);

/* Native interfaces shared by CBC and ChaCha20 */

public final native long CreateContext();

public final native int DestroyContext(long context);
Expand Down Expand Up @@ -236,6 +241,7 @@ public final native int CBCFinalEncrypt(long context,
int outputOffset);

/* Native GCM interfaces */

public final native int GCMEncrypt(byte[] key,
int keylen,
byte[] iv,
Expand Down Expand Up @@ -263,6 +269,7 @@ public final native int GCMDecrypt(byte[] key,
int tagLen);

/* Native RSA interfaces */

public final native long createRSAPublicKey(byte[] n,
int nLen,
byte[] e,
Expand Down
80 changes: 56 additions & 24 deletions closed/src/java.base/share/native/libjncrypto/NativeCrypto.c
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
/*
* ===========================================================================
* (c) Copyright IBM Corp. 2018, 2022 All Rights Reserved
* (c) Copyright IBM Corp. 2018, 2023 All Rights Reserved
* ===========================================================================
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -29,6 +29,7 @@
#include <openssl/ecdh.h>
#include <openssl/pkcs12.h>

#include <ctype.h>
#include <jni.h>
#include <stdio.h>
#include <stdint.h>
Expand All @@ -38,10 +39,15 @@
#include "jdk_crypto_jniprovider_NativeCrypto.h"
#include "NativeCrypto_md.h"

#define OPENSSL_VERSION_1_0 "OpenSSL 1.0."
#define OPENSSL_VERSION_1_1 "OpenSSL 1.1."
#define OPENSSL_VERSION_CODE(major, minor, fix, patch) \
((((jlong)(major)) << 28) | ((minor) << 20) | ((fix) << 12) | (patch))

#define OPENSSL_VERSION_1_0_0 OPENSSL_VERSION_CODE(1, 0, 0, 0)
#define OPENSSL_VERSION_1_1_0 OPENSSL_VERSION_CODE(1, 1, 0, 0)
#define OPENSSL_VERSION_2_0_0 OPENSSL_VERSION_CODE(2, 0, 0, 0)
/* Per new OpenSSL naming convention starting from OpenSSL 3, all major versions are ABI and API compatible. */
#define OPENSSL_VERSION_3_X "OpenSSL 3."
#define OPENSSL_VERSION_3_0_0 OPENSSL_VERSION_CODE(3, 0, 0, 0)
#define OPENSSL_VERSION_4_0_0 OPENSSL_VERSION_CODE(4, 0, 0, 0)

/* needed for OpenSSL 1.0.2 Thread handling routines */
# define CRYPTO_LOCK 1
Expand Down Expand Up @@ -261,13 +267,39 @@ static void printErrors(void) {
fflush(stderr);
}

/*
* We use a 8 digit map (ABBCCDDD) to represent the version of openssl.
* A is the major version,
* BB is the minor version,
* CC is the fix,
* DDD is the patch that could be present in any version.
* For example, if an openssl version is in this scheme 1.2.3.d
* where major is 1, minor is 2, fix is 3 and patch is d -> 4.
* So the result would be 0x10203004, where A is 1, BB is 02, CC is 03, DDD is 004.
*/
static jlong extractVersionToJlong(const char *astring)
{
long major = 0;
long minor = 0;
long fix = 0;
long patch = 0;
char patch_char = 0;
if (sscanf(astring, "OpenSSL %ld.%ld.%ld%c", &major, &minor, &fix, &patch_char) < 3) {
return -1;
}
if (isalpha(patch_char)) {
patch = tolower(patch_char) - 'a' + 1;
}
return (jlong)OPENSSL_VERSION_CODE(major, minor, fix, patch);
}

static void *crypto_library = NULL;
/*
* Class: jdk_crypto_jniprovider_NativeCrypto
* Method: loadCrypto
* Signature: (Z)V
* Signature: (Z)J
*/
JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
JNIEXPORT jlong JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
(JNIEnv *env, jclass thisObj, jboolean traceEnabled)
{

Expand All @@ -277,7 +309,7 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
/* Determine the version of OpenSSL. */
OSSL_version_t* OSSL_version;
const char * openssl_version;
int ossl_ver;
jlong ossl_ver = 0;

/* Load OpenSSL Crypto library */
crypto_library = load_crypto_library(traceEnabled);
Expand Down Expand Up @@ -311,7 +343,8 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
} else {
openssl_version = (*OSSL_version)(0); /* get OPENSSL_VERSION */
/* Ensure the OpenSSL version is "OpenSSL 1.0.x" */
if (0 != strncmp(openssl_version, OPENSSL_VERSION_1_0, strlen(OPENSSL_VERSION_1_0))) {
ossl_ver = extractVersionToJlong(openssl_version);
if (!((OPENSSL_VERSION_1_0_0 <= ossl_ver) && (ossl_ver < OPENSSL_VERSION_1_1_0))) {
if (traceEnabled) {
fprintf(stderr, "Unsupported OpenSSL version: %s\n", openssl_version);
fflush(stderr);
Expand All @@ -320,13 +353,13 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
crypto_library = NULL;
return -1;
}
ossl_ver = 0;
}
} else {
openssl_version = (*OSSL_version)(0); /* get OPENSSL_VERSION */
/* Ensure the OpenSSL version is "OpenSSL 1.1.x" or "OpenSSL 3.x.x". */
if ((0 != strncmp(openssl_version, OPENSSL_VERSION_1_1, strlen(OPENSSL_VERSION_1_1)))
&& (0 != strncmp(openssl_version, OPENSSL_VERSION_3_X, strlen(OPENSSL_VERSION_3_X)))
ossl_ver = extractVersionToJlong(openssl_version);
if (!((OPENSSL_VERSION_1_1_0 <= ossl_ver) && (ossl_ver < OPENSSL_VERSION_2_0_0))
&& !((OPENSSL_VERSION_3_0_0 <= ossl_ver) && (ossl_ver < OPENSSL_VERSION_4_0_0))
) {
if (traceEnabled) {
fprintf(stderr, "Unsupported OpenSSL version: %s\n", openssl_version);
Expand All @@ -336,7 +369,6 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
crypto_library = NULL;
return -1;
}
ossl_ver = 1;
}

if (traceEnabled) {
Expand All @@ -350,7 +382,7 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
OSSL_get_error = (OSSL_get_error_t*)find_crypto_symbol(crypto_library, "ERR_get_error");

/* Load Threading routines for OpenSSL 1.0.2 */
if (0 == ossl_ver) {
if(ossl_ver < OPENSSL_VERSION_1_1_0) {
OSSL_CRYPTO_num_locks = (OSSL_CRYPTO_num_locks_t*)find_crypto_symbol(crypto_library, "CRYPTO_num_locks");
OSSL_CRYPTO_THREADID_set_numeric = (OSSL_CRYPTO_THREADID_set_numeric_t*)find_crypto_symbol(crypto_library, "CRYPTO_THREADID_set_numeric");
OSSL_OPENSSL_malloc = (OSSL_OPENSSL_malloc_t*)find_crypto_symbol(crypto_library, "CRYPTO_malloc");
Expand All @@ -366,7 +398,7 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
OSSL_sha384 = (OSSL_sha_t*)find_crypto_symbol(crypto_library, "EVP_sha384");
OSSL_sha512 = (OSSL_sha_t*)find_crypto_symbol(crypto_library, "EVP_sha512");

if (1 == ossl_ver) {
if(ossl_ver >= OPENSSL_VERSION_1_1_0) {
OSSL_MD_CTX_new = (OSSL_MD_CTX_new_t*)find_crypto_symbol(crypto_library, "EVP_MD_CTX_new");
OSSL_MD_CTX_reset = (OSSL_MD_CTX_reset_t*)find_crypto_symbol(crypto_library, "EVP_MD_CTX_reset");
OSSL_MD_CTX_free = (OSSL_MD_CTX_free_t*)find_crypto_symbol(crypto_library, "EVP_MD_CTX_free");
Expand Down Expand Up @@ -400,7 +432,7 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
OSSL_DecryptFinal = (OSSL_DecryptFinal_t*)find_crypto_symbol(crypto_library, "EVP_DecryptFinal");

/* Load the functions symbols for OpenSSL ChaCha20 algorithms. (Need OpenSSL 1.1.x or above) */
if (1 == ossl_ver) {
if(ossl_ver >= OPENSSL_VERSION_1_1_0) {
OSSL_chacha20 = (OSSL_cipher_t*)find_crypto_symbol(crypto_library, "EVP_chacha20");
OSSL_chacha20_poly1305 = (OSSL_cipher_t*)find_crypto_symbol(crypto_library, "EVP_chacha20_poly1305");
} else {
Expand All @@ -411,7 +443,7 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
/* Load the functions symbols for OpenSSL RSA algorithm. */
OSSL_RSA_new = (OSSL_RSA_new_t*)find_crypto_symbol(crypto_library, "RSA_new");

if (1 == ossl_ver) {
if(ossl_ver >= OPENSSL_VERSION_1_1_0) {
OSSL_RSA_set0_key = (OSSL_RSA_set0_key_t*)find_crypto_symbol(crypto_library, "RSA_set0_key");
OSSL_RSA_set0_factors = (OSSL_RSA_set0_factors_t*)find_crypto_symbol(crypto_library, "RSA_set0_factors");
OSSL_RSA_set0_crt_params = (OSSL_RSA_set0_key_t*)find_crypto_symbol(crypto_library, "RSA_set0_crt_params");
Expand Down Expand Up @@ -530,21 +562,21 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto
(NULL == OSSL_EC_KEY_check_key) ||
(NULL == OSSL_PKCS12_key_gen) ||
/* Check symbols that are only available in OpenSSL 1.1.x and above */
((1 == ossl_ver) && ((NULL == OSSL_chacha20) || (NULL == OSSL_chacha20_poly1305))) ||
((ossl_ver >= OPENSSL_VERSION_1_1_0) && ((NULL == OSSL_chacha20) || (NULL == OSSL_chacha20_poly1305))) ||
/* Check symbols that are only available in OpenSSL 1.0.x and above */
((NULL == OSSL_CRYPTO_num_locks) && (0 == ossl_ver)) ||
((NULL == OSSL_CRYPTO_THREADID_set_numeric) && (0 == ossl_ver)) ||
((NULL == OSSL_OPENSSL_malloc) && (0 == ossl_ver)) ||
((NULL == OSSL_OPENSSL_free) && (0 == ossl_ver)) ||
((NULL == OSSL_CRYPTO_THREADID_set_callback) && (0 == ossl_ver)) ||
((NULL == OSSL_CRYPTO_set_locking_callback) && (0 == ossl_ver))) {
((NULL == OSSL_CRYPTO_num_locks) && (ossl_ver < OPENSSL_VERSION_1_1_0)) ||
((NULL == OSSL_CRYPTO_THREADID_set_numeric) && (ossl_ver < OPENSSL_VERSION_1_1_0)) ||
((NULL == OSSL_OPENSSL_malloc) && (ossl_ver < OPENSSL_VERSION_1_1_0)) ||
((NULL == OSSL_OPENSSL_free) && (ossl_ver < OPENSSL_VERSION_1_1_0)) ||
((NULL == OSSL_CRYPTO_THREADID_set_callback) && (ossl_ver < OPENSSL_VERSION_1_1_0)) ||
((NULL == OSSL_CRYPTO_set_locking_callback) && (ossl_ver < OPENSSL_VERSION_1_1_0))) {
/* fprintf(stderr, "One or more of the required symbols are missing in the crypto library\n"); */
/* fflush(stderr); */
unload_crypto_library(crypto_library);
crypto_library = NULL;
return -1;
} else {
if (0 == ossl_ver) {
if(ossl_ver < OPENSSL_VERSION_1_1_0) {
if (0 != thread_setup()) {
unload_crypto_library(crypto_library);
crypto_library = NULL;
Expand Down
9 changes: 9 additions & 0 deletions doc/building.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,9 @@ <h1 class="title">Building the JDK</h1>
<li><a href="#make-control-variables">Make Control Variables</a></li>
</ul></li>
<li><a href="#running-tests">Running Tests</a></li>
<li><a href="#signing">Signing</a><ul>
<li><a href="#macos-1">macOS</a></li>
</ul></li>
<li><a href="#cross-compiling">Cross-compiling</a><ul>
<li><a href="#cross-compiling-the-easy-way-with-openjdk-devkits">Cross compiling the easy way with OpenJDK devkits</a></li>
<li><a href="#boot-jdk-and-build-jdk">Boot JDK and Build JDK</a></li>
Expand Down Expand Up @@ -583,6 +586,12 @@ <h2 id="running-tests">Running Tests</h2>
<p>To execute the most basic tests (tier 1), use:</p>
<pre><code>make run-test-tier1</code></pre>
<p>For more details on how to run tests, please see <strong>Testing the JDK</strong> (<a href="testing.html">html</a>, <a href="testing.md">markdown</a>).</p>
<h2 id="signing">Signing</h2>
<h3 id="macos-1">macOS</h3>
<p>Modern versions of macOS require applications to be signed and notarizied before distribution. See Apple's documentation for more background on what this means and how it works. To help support this, the JDK build can be configured to automatically sign all native binaries, and the JDK bundle, with all the options needed for successful notarization, as well as all the entitlements required by the JDK. To enable <code>hardened</code> signing, use configure parameter <code>--with-macosx-codesign=hardened</code> and configure the signing identity you wish to use with <code>--with-macosx-codesign-identity=&lt;identity&gt;</code>. The identity refers to a signing identity from Apple that needs to be preinstalled on the build host.</p>
<p>When not signing for distribution with the hardened option, the JDK build will still attempt to perform <code>adhoc</code> signing to add the special entitlement <code>com.apple.security.get-task-allow</code> to each binary. This entitlement is required to be able to dump core files from a process. Note that adding this entitlement makes the build invalid for notarization, so it is only added when signing in <code>debug</code> mode. To explicitly enable this kind of adhoc signing, use configure parameter <code>--with-macosx-codesign=debug</code>. It will be enabled by default in most cases.</p>
<p>It's also possible to completely disable any explicit codesign operations done by the JDK build using the configure parameter <code>--without-macosx-codesign</code>. The exact behavior then depends on the architecture. For macOS on x64, it (at least at the time of this writing) results in completely unsigned binaries that should still work fine for development and debugging purposes. On aarch64, the Xcode linker will apply a default &quot;adhoc&quot; signing, without any entitlements. Such a build does not allow dumping core files.</p>
<p>The default mode &quot;auto&quot; will try for <code>hardened</code> signing if the debug level is <code>release</code> and either the default identity or the specified identity is valid. If hardened isn't possible, then <code>debug</code> signing is chosen if it works. If nothing works, the codesign build step is disabled.</p>
<h2 id="cross-compiling">Cross-compiling</h2>
<p>Cross-compiling means using one platform (the <em>build</em> platform) to generate output that can ran on another platform (the <em>target</em> platform).</p>
<p>The typical reason for cross-compiling is that the build is performed on a more powerful desktop computer, but the resulting binaries will be able to run on a different, typically low-performing system. Most of the complications that arise when building for embedded is due to this separation of <em>build</em> and <em>target</em> systems.</p>
Expand Down
36 changes: 36 additions & 0 deletions doc/building.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -876,6 +876,42 @@ make run-test-tier1
For more details on how to run tests, please see **Testing the JDK**
([html](testing.html), [markdown](testing.md)).

## Signing

### macOS

Modern versions of macOS require applications to be signed and notarizied before
distribution. See Apple's documentation for more background on what this means
and how it works. To help support this, the JDK build can be configured to
automatically sign all native binaries, and the JDK bundle, with all the options
needed for successful notarization, as well as all the entitlements required by
the JDK. To enable `hardened` signing, use configure parameter
`--with-macosx-codesign=hardened` and configure the signing identity you wish to
use with `--with-macosx-codesign-identity=<identity>`. The identity refers to a
signing identity from Apple that needs to be preinstalled on the build host.

When not signing for distribution with the hardened option, the JDK build will
still attempt to perform `adhoc` signing to add the special entitlement
`com.apple.security.get-task-allow` to each binary. This entitlement is required
to be able to dump core files from a process. Note that adding this entitlement
makes the build invalid for notarization, so it is only added when signing in
`debug` mode. To explicitly enable this kind of adhoc signing, use configure
parameter `--with-macosx-codesign=debug`. It will be enabled by default in most
cases.

It's also possible to completely disable any explicit codesign operations done
by the JDK build using the configure parameter `--without-macosx-codesign`.
The exact behavior then depends on the architecture. For macOS on x64, it (at
least at the time of this writing) results in completely unsigned binaries that
should still work fine for development and debugging purposes. On aarch64, the
Xcode linker will apply a default "adhoc" signing, without any entitlements.
Such a build does not allow dumping core files.

The default mode "auto" will try for `hardened` signing if the debug level is
`release` and either the default identity or the specified identity is valid.
If hardened isn't possible, then `debug` signing is chosen if it works. If
nothing works, the codesign build step is disabled.

## Cross-compiling

Cross-compiling means using one platform (the *build* platform) to generate
Expand Down
Loading

0 comments on commit 23d2c3b

Please sign in to comment.