!592 Extending-the-IV-Length-Supported-by-KAEProvider-AES/GCM

From: @kuenking111 
Reviewed-by: @alexanderbill 
Signed-off-by: @alexanderbill

8137165-Tests-fail-in-SR_Handler-because-thread-is-n.patch

@@ -0,0 +1,72 @@
+From 11116ea71b22635302759817b43c555ded53f882 Mon Sep 17 00:00:00 2001
+Subject: 8137165: Tests fail in SR_Handler because thread is not VMThread or JavaThread
+
+---
+ hotspot/src/os/linux/vm/os_linux.cpp | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/hotspot/src/os/linux/vm/os_linux.cpp b/hotspot/src/os/linux/vm/os_linux.cpp
+index 6ee49eedc..773c746af 100644
+--- a/hotspot/src/os/linux/vm/os_linux.cpp
++++ b/hotspot/src/os/linux/vm/os_linux.cpp
+@@ -1070,6 +1070,13 @@ void os::free_thread(OSThread* osthread) {
+   assert(osthread != NULL, "osthread not set");
+
+   if (Thread::current()->osthread() == osthread) {
++#ifdef ASSERT
++    sigset_t current;
++    sigemptyset(&current);
++    pthread_sigmask(SIG_SETMASK, NULL, &current);
++    assert(!sigismember(&current, SR_signum), "SR signal should not be blocked!");
++#endif
++
+     // Restore caller's signal mask
+     sigset_t sigmask = osthread->caller_sigmask();
+     pthread_sigmask(SIG_SETMASK, &sigmask, NULL);
+@@ -4723,7 +4730,8 @@ static void SR_handler(int sig, siginfo_t* siginfo, ucontext_t* context) {
+   // after sigsuspend.
+   int old_errno = errno;
+
+-  Thread* thread = Thread::current();
++  Thread* thread = Thread::current_or_null();
++  assert(thread != NULL, "Missing current thread in SR_handler");
+   OSThread* osthread = thread->osthread();
+   assert(thread->is_VM_thread() || thread->is_Java_thread(), "Must be VMThread or JavaThread");
+
+@@ -4735,7 +4743,7 @@ static void SR_handler(int sig, siginfo_t* siginfo, ucontext_t* context) {
+     os::SuspendResume::State state = osthread->sr.suspended();
+     if (state == os::SuspendResume::SR_SUSPENDED) {
+       sigset_t suspend_set;  // signals for sigsuspend()
+-
++      sigemptyset(&suspend_set);
+       // get current set of blocked signals and unblock resume signal
+       pthread_sigmask(SIG_BLOCK, NULL, &suspend_set);
+       sigdelset(&suspend_set, SR_signum);
+@@ -5025,6 +5033,7 @@ static bool call_chained_handler(struct sigaction *actp, int sig,
+
+     // try to honor the signal mask
+     sigset_t oset;
++    sigemptyset(&oset);
+     pthread_sigmask(SIG_SETMASK, &(actp->sa_mask), &oset);
+
+     // call into the chained handler
+@@ -5035,7 +5044,7 @@ static bool call_chained_handler(struct sigaction *actp, int sig,
+     }
+
+     // restore the signal mask
+-    pthread_sigmask(SIG_SETMASK, &oset, 0);
++    pthread_sigmask(SIG_SETMASK, &oset, NULL);
+   }
+   // Tell jvm's signal handler the signal is taken care of.
+   return true;
+@@ -6699,6 +6708,7 @@ void Parker::park(bool isAbsolute, jlong time) {
+   // Don't catch signals while blocked; let the running threads have the signals.
+   // (This allows a debugger to break into the running thread.)
+   sigset_t oldsigs;
++  sigemptyset(&oldsigs);
+   sigset_t* allowdebug_blocked = os::Linux::allowdebug_blocked_signals();
+   pthread_sigmask(SIG_BLOCK, allowdebug_blocked, &oldsigs);
+ #endif
+-- 
+2.19.1
+

Extending-the-IV-Length-Supported-by-KAEProvider-AES.patch

@@ -0,0 +1,135 @@
+From f4b0357c01f51e813642c3ac5c8ff33c1576eb72 Mon Sep 17 00:00:00 2001
+Subject: Extending the IV Length Supported by KAEProvider AES/Gcm
+---
+ .../security/openssl/kae_symmetric_cipher.c   | 23 ++++++--
+ .../security/openssl/KAEGcmIvLenTest.java     | 52 +++++++++++++++++++
+ 2 files changed, 72 insertions(+), 3 deletions(-)
+ create mode 100644 jdk/test/org/openeuler/security/openssl/KAEGcmIvLenTest.java
+
+diff --git a/jdk/src/solaris/native/org/openeuler/security/openssl/kae_symmetric_cipher.c b/jdk/src/solaris/native/org/openeuler/security/openssl/kae_symmetric_cipher.c
+index ec8894f1a..7618d6e16 100644
+--- a/jdk/src/solaris/native/org/openeuler/security/openssl/kae_symmetric_cipher.c
++++ b/jdk/src/solaris/native/org/openeuler/security/openssl/kae_symmetric_cipher.c
+@@ -146,6 +146,7 @@ Java_org_openeuler_security_openssl_KAESymmetricCipherBase_nativeInit(JNIEnv* en
+     const EVP_CIPHER* cipher = NULL;
+     ENGINE* kaeEngine = NULL;
+     int keyLength = (*env)->GetArrayLength(env, key);
++    int ivLength = 0;
+ 
+     const char* algo = (*env)->GetStringUTFChars(env, cipherType, 0);
+     if (StartsWith("aes", algo)) {
+@@ -158,7 +159,6 @@ Java_org_openeuler_security_openssl_KAESymmetricCipherBase_nativeInit(JNIEnv* en
+ 
+     KAE_TRACE("KAESymmetricCipherBase_nativeInit: kaeEngine => %p", kaeEngine);
+ 
+-    (*env)->ReleaseStringUTFChars(env, cipherType, algo);
+     if (cipher == NULL) {
+         KAE_ThrowOOMException(env, "create EVP_CIPHER fail");
+         goto cleanup;
+@@ -170,19 +170,35 @@ Java_org_openeuler_security_openssl_KAESymmetricCipherBase_nativeInit(JNIEnv* en
+ 
+     if (iv != NULL) {
+         ivBytes = (*env)->GetByteArrayElements(env, iv, NULL);
++        ivLength = (*env)->GetArrayLength(env, iv);
+     }
+     if (key != NULL) {
+         keyBytes = (*env)->GetByteArrayElements(env, key, NULL);
+     }
+ 
+-    if (!EVP_CipherInit_ex(ctx, cipher, kaeEngine, (const unsigned char*)keyBytes,
+-            (const unsigned char*)ivBytes, encrypt ? 1 : 0)) {
++    if (!EVP_CipherInit_ex(ctx, cipher, kaeEngine, NULL,
++            NULL, encrypt ? 1 : 0)) {
+         KAE_ThrowFromOpenssl(env, "EVP_CipherInit_ex failed", KAE_ThrowRuntimeException);
+         goto cleanup;
+     }
+ 
++    if (strcasecmp(algo + 8, "gcm") == 0) {
++        /* Set IV length if default 12 bytes (96 bits) is not appropriate */
++        if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, ivLength, NULL)) {
++            KAE_ThrowFromOpenssl(env, "EVP_CIPHER_CTX_ctrl failed", KAE_ThrowRuntimeException);
++            goto cleanup;
++        }
++    }
++
++    if (!EVP_CipherInit_ex(ctx, NULL, kaeEngine, (const unsigned char*)keyBytes,
++            (const unsigned char*)ivBytes, encrypt ? 1 : 0)) {
++        KAE_ThrowFromOpenssl(env, "EVP_CipherInit_ex int key & iv failed", KAE_ThrowRuntimeException);
++        goto cleanup;
++    }
++
+     EVP_CIPHER_CTX_set_padding(ctx, padding ? 1 : 0);
+ 
++    (*env)->ReleaseStringUTFChars(env, cipherType, algo);
+     FreeMemoryFromInit(env, iv, ivBytes, key, keyBytes, keyLength);
+     return (jlong)ctx;
+ 
+@@ -190,6 +206,7 @@ cleanup:
+     if (ctx != NULL) {
+         EVP_CIPHER_CTX_free(ctx);
+     }
++    (*env)->ReleaseStringUTFChars(env, cipherType, algo);
+     FreeMemoryFromInit(env, iv, ivBytes, key, keyBytes, keyLength);
+     return 0;
+ }
+diff --git a/jdk/test/org/openeuler/security/openssl/KAEGcmIvLenTest.java b/jdk/test/org/openeuler/security/openssl/KAEGcmIvLenTest.java
+new file mode 100644
+index 000000000..c9e2257aa
+--- /dev/null
++++ b/jdk/test/org/openeuler/security/openssl/KAEGcmIvLenTest.java
+@@ -0,0 +1,52 @@
++import org.openeuler.security.openssl.KAEProvider;
++
++import javax.crypto.Cipher;
++import javax.crypto.spec.GCMParameterSpec;
++import javax.crypto.spec.SecretKeySpec;
++import java.nio.charset.StandardCharsets;
++import java.security.Security;
++import java.util.Arrays;
++
++/**
++ * @test
++ * @summary Basic test for AES/GCM Iv
++ * @requires os.arch=="aarch64"
++ * @run main KAEGcmIvLenTest
++ */
++public class KAEGcmIvLenTest {
++    private static String plainText = "helloworldhellow";  // 16bytes for NoPadding
++    private static String shortPlainText = "helloworld"; // 5 bytes for padding
++    private static SecretKeySpec ks = new SecretKeySpec("AESEncryptionKey".getBytes(StandardCharsets.UTF_8), "AES");  // key has 16 bytes
++    private static int[] ivLens = {12, 16};
++    public static void main(String[] args) throws Exception {
++        Security.addProvider(new KAEProvider());
++        for (int ivLen : ivLens) {
++            testGcm(plainText,"AES/GCM/NoPadding", "KAEProvider", "SunJCE", ivLen);
++            testGcm(plainText,"AES/GCM/NoPadding", "SunJCE", "KAEProvider", ivLen);
++            testGcm(shortPlainText,"AES/GCM/PKCS5Padding", "KAEProvider", "SunJCE", ivLen);
++            testGcm(shortPlainText,"AES/GCM/PKCS5Padding", "SunJCE", "KAEProvider", ivLen);
++        }
++
++    }
++
++    private static void testGcm(String plainText, String algo, String encryptProvider, String decryptProvider, int ivLen) throws Exception {
++        Cipher enCipher = Cipher.getInstance(algo, encryptProvider);
++        enCipher.init(Cipher.ENCRYPT_MODE, ks, getIv(ivLen));
++        byte[] cipherText = enCipher.doFinal(plainText.getBytes());
++
++        Cipher deCipher = Cipher.getInstance(algo, decryptProvider);
++        deCipher.init(Cipher.DECRYPT_MODE, ks, getIv(ivLen));
++        byte[] origin = deCipher.doFinal(cipherText);
++
++        if (!Arrays.equals(plainText.getBytes(), origin)) {
++            throw new RuntimeException("gcm decryption failed, algo = " + algo);
++        }
++    }
++
++    private static GCMParameterSpec getIv(int ivLen) {
++        if (ivLen == 16) {
++            return new GCMParameterSpec(128, "abcdefghabcdefgh".getBytes(StandardCharsets.UTF_8));
++        }
++        return new GCMParameterSpec(96, "abcdefghabcd".getBytes(StandardCharsets.UTF_8));
++    }
++}
+-- 
+2.19.1
+

openjdk-1.8.0.spec

@@ -943,7 +943,7 @@ Provides: java-%{javaver}-%{origin}-accessibility%{?1} = %{epoch}:%{version}-%{r
 
 Name:    java-%{javaver}-%{origin}
 Version: %{javaver}.%{updatever}.%{buildver}
-Release: 3
+Release: 4
 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
 # and this change was brought into RHEL-4. java-1.5.0-ibm packages
 # also included the epoch in their virtual provides. This created a
@@ -1339,9 +1339,13 @@ Patch438: Huawei-Add-Aggressive-CDS.patch
 Patch439: Backport-8151845-Comment-in-globals.hpp-for-MetaspaceSize-is-.patch
 Patch440: Backport-8210706-G1-may-deadlock-when-starting-a-concurrent-c.patch
 Patch441: Backport-8318889-Backport-Important-Fixed-Issues-in-Later-Ver.patch
+
+#422
 Patch442: Huawei-Keep-objects-when-remove-unshareable-info.patch
 Patch443: The-fast-serialization-function-of-sun.rmi.transport.patch
 Patch444: Fix-the-ActiveProcessorCount-function-of-the-spark-s.patch
+Patch445: Extending-the-IV-Length-Supported-by-KAEProvider-AES.patch
+Patch446: 8137165-Tests-fail-in-SR_Handler-because-thread-is-n.patch
 #############################################
 #
 # Upstreamable patches
@@ -1999,6 +2003,8 @@ pushd %{top_level_dir_name}
 %patch442 -p1
 %patch443 -p1
 %patch444 -p1
+%patch445 -p1
+%patch446 -p1
 %endif
 
 %ifarch loongarch64
@@ -2664,6 +2670,10 @@ cjc.mainProgram(args) -- the returns from copy_jdk_configs.lua should not affect
 %endif
 
 %changelog
+* Sat Aug 3 2024 kuenking111 <wangkun49@huawei.com> -1:1.8.0.422-b05.4
+- Add 8137165-Tests-fail-in-SR_Handler-because-thread-is-n.patch
+- Extending-the-IV-Length-Supported-by-KAEProvider-AES.patch
+
 * Tue Jul 30 2024 benshuai5D <zhangyunbo7@huawei.com> -1:1.8.0.422-b05.3
 - Fix-the-ActiveProcessorCount-function-of-the-spark-s.patch