Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8328785: IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0 #18588

Closed
wants to merge 4 commits into from

Conversation

valeriepeng
Copy link

@valeriepeng valeriepeng commented Apr 3, 2024

This PR fixes a problem regarding the usage of dlerror() where an earlier error message causes a premature error out. Added extra code to clear out earlier error message and made minor code refactoring.

No regression test as this can't be reproduced using the NSS library from artifactory and thus the noreg-hard label.

Thanks!


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8328785: IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0 (Bug - P3)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/18588/head:pull/18588
$ git checkout pull/18588

Update a local copy of the PR:
$ git checkout pull/18588
$ git pull https://git.openjdk.org/jdk.git pull/18588/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 18588

View PR using the GUI difftool:
$ git pr show -t 18588

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/18588.diff

Webrev

Link to Webrev Comment

@bridgekeeper
Copy link

bridgekeeper bot commented Apr 3, 2024

👋 Welcome back valeriep! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk
Copy link

openjdk bot commented Apr 3, 2024

@valeriepeng This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8328785: IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0

Reviewed-by: djelinski, weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 137 new commits pushed to the master branch:

  • fbc1e66: 8328181: C2: assert(MaxVectorSize >= 32) failed: vector length should be >= 32
  • a887fd2: 8316991: Reduce nullable allocation merges
  • e702646: 8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails
  • 7e5ef79: 8323116: [REDO] Computational test more than 2x slower when AVX instructions are used
  • 9467720: 8329875: Serial: Move preservedMarks.inline.hpp to serialFullGC.cpp
  • a4dd2e9: 8329766: Serial: Refactor SerialBlockOffsetTable API
  • 212a253: 8329623: NegativeArraySizeException encoding large String to UTF-8
  • dd930c5: 8329787: Fix typo in CLDRConverter
  • 115f419: 8329659: Serial: Extract allowed_dead_ratio from ContiguousSpace
  • 9ac3b77: 8329775: Serial: Remove unused declarations in serialFullGC.hpp
  • ... and 127 more: https://git.openjdk.org/jdk/compare/892b8bb6d1725119e4c9ada8f2617c15f8af674e...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the rfr Pull request is ready for review label Apr 3, 2024
@openjdk
Copy link

openjdk bot commented Apr 3, 2024

@valeriepeng The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Apr 3, 2024
@mlbridge
Copy link

mlbridge bot commented Apr 3, 2024

Webrevs

C_GetInterface = (CK_C_GetInterface) dlsym(hModule, "C_GetInterface");
if ((C_GetInterface != NULL) && (dlerror() == NULL)) {
if (C_GetInterface != NULL) {
TRACE0("Connect: Found C_GetInterface func\n");
rv = (C_GetInterface)(NULL, NULL, &interface, 0L);
if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
goto setModuleData;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need an else goto cleanup here?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really, the intention is to continue with the C_GetFunctionList (or the method named by "getFunctionListStr").

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if that's the intention, then you shouldn't be using ckAssertReturnValueOK, which throws an exception if rv is anything other than CK_ASSERT_OK

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I will change it.

@@ -91,7 +91,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_connect
jobject globalPKCS11ImplementationReference;
char *systemErrorMessage;
char *exceptionMessage;
const char *getFunctionListStr = NULL;
const char *getFunctionListStr = "C_GetFunctionList";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this value ever gets used by ReleaseStringUTFChars, the failure will be spectacular 🍿

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do have checks for jGetFunctionList != NULL before calling ReleaseStringUTFChars() with it. So, this shouldn't be an issue?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will be an issue if jGetFunctionList != NULL and dlopen fails, resulting in goto cleanup before getFunctionListStr is reassigned.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, ok, I will change it. Thanks~

Copy link
Member

@djelinski djelinski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. One nit, feel free to ignore.

dlerror(); // clear any old error message not fetched
C_GetFunctionList = (CK_C_GetFunctionList) dlsym(hModule,
getFunctionListStr);
if ((systemErrorMessage = dlerror()) != NULL){
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to move this check under if (C_GetFunctionList == NULL)? If C_GetFunctionList is non-null, do we care about the value of dlerror?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, makes sense, I'll change it.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Apr 4, 2024
@valeriepeng
Copy link
Author

@djelinski Thanks much for the review!
I'll integrate once I got one more reviewer from my team.

TRACE0("Connect: Found C_GetFunctionList func\n");
TRACE1("Connect: No %s func\n", getFunctionListStr);
p11ThrowIOException(env, "ERROR: C_GetFunctionList == NULL");
goto cleanup;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a small comment. The dlerror is only for debugging purpose but the code above looks like it is used to determine whether to goto cleanup.

How about this:

    if (C_GetFunctionList == NULL) {
        if ((systemErrorMessage = dlerror()) != NULL){
            p11ThrowIOException(env, systemErrorMessage);
        } else {
            TRACE1("Connect: No %s func\n", getFunctionListStr);
            p11ThrowIOException(env, "ERROR: C_GetFunctionList == NULL");
        }
        goto cleanup;
    }

Also, why is TRACE1 not called when dlerror is not NULL?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, thanks for the suggestion. I'll change and re-run the tests.

@valeriepeng
Copy link
Author

/integrate

@openjdk
Copy link

openjdk bot commented Apr 9, 2024

Going to push as commit 6276789.
Since your change was applied there have been 163 commits pushed to the master branch:

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Apr 9, 2024
@openjdk openjdk bot closed this Apr 9, 2024
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Apr 9, 2024
@openjdk
Copy link

openjdk bot commented Apr 9, 2024

@valeriepeng Pushed as commit 6276789.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@valeriepeng valeriepeng deleted the JDK-8328785 branch April 9, 2024 21:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integrated Pull request has been integrated security security-dev@openjdk.org
3 participants