diff --git a/.gitignore b/.gitignore index 7ba5754..fc72544 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ SOURCES/class-rewriter.tar.gz -SOURCES/openjdk-icedtea-2.6.8.tar.xz +SOURCES/openjdk-icedtea-2.6.9.tar.xz SOURCES/pulseaudio.tar.gz SOURCES/systemtap-tapset-2016-07-20.tar.xz diff --git a/.java-1.7.0-openjdk.metadata b/.java-1.7.0-openjdk.metadata index dff9f27..6db2a35 100644 --- a/.java-1.7.0-openjdk.metadata +++ b/.java-1.7.0-openjdk.metadata @@ -1,4 +1,4 @@ fcc167de17354efb6e52cb387eb3e7dbb0316b53 SOURCES/class-rewriter.tar.gz -4679bc029f4c62f3f6fcef82b5418429f215048c SOURCES/openjdk-icedtea-2.6.8.tar.xz +ab167e7666de62316bdbee393b3628479b35206b SOURCES/openjdk-icedtea-2.6.9.tar.xz fb72b6b1f4735ad9b5799d0b5058b0b1dec67b17 SOURCES/pulseaudio.tar.gz 99b0cc8fa222bc6339374cfb8f8560d911613502 SOURCES/systemtap-tapset-2016-07-20.tar.xz diff --git a/SOURCES/fsg.sh b/SOURCES/fsg.sh index b5513eb..7325163 100644 --- a/SOURCES/fsg.sh +++ b/SOURCES/fsg.sh @@ -130,3 +130,5 @@ else echo "Applying ${PR2124}" patch -Np0 < $PR2124 fi; +echo "Cleaning up after patch application" +find . -name '*.orig' | xargs rm -vf diff --git a/SOURCES/pr2809.patch b/SOURCES/pr2809.patch index 32f1c39..5163bd6 100644 --- a/SOURCES/pr2809.patch +++ b/SOURCES/pr2809.patch @@ -1,63 +1,55 @@ -# HG changeset patch -# User xuelei -# Date 1453868482 0 -# Wed Jan 27 04:21:22 2016 +0000 -# Node ID 8d589911411743fa38badf69c10aa067eaa996b7 -# Parent ceb95f0d38d7ab09762dd7ff33bb855f3088a6b5 -8076221, PR2809: Disable RC4 cipher suites -Reviewed-by: wetmore - -diff -r 88b089373a3c src/share/lib/security/java.security-linux ---- openjdk/jdk/src/share/lib/security/java.security-linux Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/src/share/lib/security/java.security-linux Mon Apr 18 07:48:12 2016 +0100 -@@ -437,7 +437,7 @@ +diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux +--- openjdk/jdk/src/share/lib/security/java.security-linux ++++ openjdk/jdk/src/share/lib/security/java.security-linux +@@ -501,7 +501,7 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 --jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768 -+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768 +-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \ ++jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \ + EC keySize < 224 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) - # processing in JSSE implementation. -diff -r 88b089373a3c src/share/lib/security/java.security-macosx ---- openjdk/jdk/src/share/lib/security/java.security-macosx Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/src/share/lib/security/java.security-macosx Mon Apr 18 07:48:12 2016 +0100 -@@ -442,7 +442,7 @@ +diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx +--- openjdk/jdk/src/share/lib/security/java.security-macosx ++++ openjdk/jdk/src/share/lib/security/java.security-macosx +@@ -506,7 +506,7 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 --jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768 -+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768 +-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \ ++jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \ + EC keySize < 224 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) - # processing in JSSE implementation. -diff -r 88b089373a3c src/share/lib/security/java.security-solaris ---- openjdk/jdk/src/share/lib/security/java.security-solaris Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/src/share/lib/security/java.security-solaris Mon Apr 18 07:48:12 2016 +0100 -@@ -441,7 +441,7 @@ +diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris +--- openjdk/jdk/src/share/lib/security/java.security-solaris ++++ openjdk/jdk/src/share/lib/security/java.security-solaris +@@ -505,7 +505,7 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 --jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768 -+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768 +-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \ ++jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \ + EC keySize < 224 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) - # processing in JSSE implementation. -diff -r 88b089373a3c src/share/lib/security/java.security-windows ---- openjdk/jdk/src/share/lib/security/java.security-windows Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/src/share/lib/security/java.security-windows Mon Apr 18 07:48:12 2016 +0100 -@@ -442,7 +442,7 @@ +diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows +--- openjdk/jdk/src/share/lib/security/java.security-windows ++++ openjdk/jdk/src/share/lib/security/java.security-windows +@@ -506,7 +506,7 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 --jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768 -+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768 +-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \ ++jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \ + EC keySize < 224 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) - # processing in JSSE implementation. -diff -r 88b089373a3c test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java Mon Apr 18 07:48:12 2016 +0100 +diff --git a/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java b/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java @@ -0,0 +1,362 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. @@ -421,9 +413,9 @@ diff -r 88b089373a3c test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java + + +} -diff -r 88b089373a3c test/sun/security/krb5/auto/SSL.java ---- openjdk/jdk/test/sun/security/krb5/auto/SSL.java Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/test/sun/security/krb5/auto/SSL.java Mon Apr 18 07:48:12 2016 +0100 +diff --git a/test/sun/security/krb5/auto/SSL.java b/test/sun/security/krb5/auto/SSL.java +--- openjdk/jdk/test/sun/security/krb5/auto/SSL.java ++++ openjdk/jdk/test/sun/security/krb5/auto/SSL.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved. @@ -449,9 +441,9 @@ diff -r 88b089373a3c test/sun/security/krb5/auto/SSL.java krb5Cipher = args[0]; -diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java ---- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java Mon Apr 18 07:48:12 2016 +0100 +diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java +--- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java ++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved. @@ -479,11 +471,11 @@ diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHa String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; -diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java ---- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java Mon Apr 18 07:48:12 2016 +0100 -@@ -102,10 +102,10 @@ - import java.nio.*; +diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java +--- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java ++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java +@@ -103,10 +103,10 @@ + import java.security.Security; import java.security.KeyStore; import java.security.KeyFactory; +import java.security.Security; @@ -492,11 +484,11 @@ diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExc import java.security.spec.PKCS8EncodedKeySpec; -import java.security.spec.*; import java.security.interfaces.*; - import java.util.Base64; + import sun.misc.BASE64Decoder; -diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java ---- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java Mon Apr 18 07:48:12 2016 +0100 +diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java +--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java ++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. @@ -514,9 +506,9 @@ diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Check CheckStatus cs; -diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java ---- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java Mon Apr 18 07:48:12 2016 +0100 +diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java +--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java ++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java @@ -33,6 +33,8 @@ * The code could certainly be tightened up a lot. * @@ -537,9 +529,9 @@ diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Conne ConnectionTest ct = new ConnectionTest(); ct.test(); } -diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java ---- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java Mon Apr 18 07:48:12 2016 +0100 +diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java +--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java ++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java @@ -180,6 +180,9 @@ } @@ -550,9 +542,9 @@ diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Large LargeBufs test; -diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java ---- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java Mon Apr 18 06:49:52 2016 +0100 -+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java Mon Apr 18 07:48:12 2016 +0100 +diff --git a/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java b/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java +--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java ++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java @@ -37,7 +37,7 @@ */ diff --git a/SOURCES/rh1022017.patch b/SOURCES/rh1022017.patch index 3468779..3585029 100644 --- a/SOURCES/rh1022017.patch +++ b/SOURCES/rh1022017.patch @@ -1,44 +1,28 @@ -diff -r cdfd161703ed src/share/classes/sun/security/ssl/HelloExtensions.java ---- openjdk/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java Wed Oct 23 05:22:55 2013 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java Thu Nov 07 12:41:45 2013 +0000 -@@ -435,25 +435,11 @@ - // the extension value to send in the ClientHello message - static final SupportedEllipticCurvesExtension DEFAULT; - -- private static final boolean fips; -- - static { -- int[] ids; -- fips = SunJSSE.isFIPS(); -- if (fips == false) { -- ids = new int[] { -- // NIST curves first -- // prefer NIST P-256, rest in order of increasing key length -- 23, 1, 3, 19, 21, 6, 7, 9, 10, 24, 11, 12, 25, 13, 14, -- // non-NIST curves -- 15, 16, 17, 2, 18, 4, 5, 20, 8, 22, -- }; -- } else { -- ids = new int[] { -- // same as above, but allow only NIST curves in FIPS mode -- 23, 1, 3, 19, 21, 6, 7, 9, 10, 24, 11, 12, 25, 13, 14, -- }; -- } -+ int[] ids = new int[] { -+ // NSS currently only supports these three NIST curves -+ 23, 24, 25 -+ }; - DEFAULT = new SupportedEllipticCurvesExtension(ids); - } - -@@ -545,10 +531,6 @@ - if ((index <= 0) || (index >= NAMED_CURVE_OID_TABLE.length)) { - return false; - } -- if (fips == false) { -- // in non-FIPS mode, we support all valid indices -- return true; -- } - return DEFAULT.contains(index); - } +diff --git a/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java b/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java +--- openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java ++++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java +@@ -160,20 +160,10 @@ + } + } + } else { // default curves +- int[] ids; +- if (requireFips) { +- ids = new int[] { +- // only NIST curves in FIPS mode +- 23, 24, 25, 9, 10, 11, 12, 13, 14, +- }; +- } else { +- ids = new int[] { +- // NIST curves first +- 23, 24, 25, 9, 10, 11, 12, 13, 14, +- // non-NIST curves +- 22, +- }; +- } ++ int[] ids = new int[] { ++ // NSS currently only supports these three NIST curves ++ 23, 24, 25 ++ }; + idList = new ArrayList<>(ids.length); + for (int curveId : ids) { diff --git a/SPECS/java-1.7.0-openjdk.spec b/SPECS/java-1.7.0-openjdk.spec index 6d8679d..61d2c68 100644 --- a/SPECS/java-1.7.0-openjdk.spec +++ b/SPECS/java-1.7.0-openjdk.spec @@ -5,7 +5,7 @@ # conflicting) files in the -debuginfo package %undefine _missing_build_ids_terminate_build -%global icedtea_version 2.6.8 +%global icedtea_version 2.6.9 %global hg_tag icedtea-{icedtea_version} %global aarch64 aarch64 arm64 armv8 @@ -138,7 +138,7 @@ # Standard JPackage naming and versioning defines. %global origin openjdk -%global updatever 121 +%global updatever 131 %global buildver 00 # Keep priority on 7digits in case updatever>9 %global priority 1700%{updatever} @@ -1118,7 +1118,8 @@ if [ "$1" -gt 1 ]; then "${sum}" = '9b517554fffe801f6894dfa0e8169cb1' -o \ "${sum}" = '795b59e52fe426f59d76d43defafabab' -o \ "${sum}" = 'ec53f8629ce93fd2d8cdb1a143cbefdf' -o \ - "${sum}" = '7969a8d2dbc8db1ee232097cd0375d65' ]; then + "${sum}" = '7969a8d2dbc8db1ee232097cd0375d65' -o \ + "${sum}" = '8576d747a8d0811c3df016b421c38d32' ]; then if [ -f "${javasecurity}.rpmnew" ]; then mv -f "${javasecurity}.rpmnew" "${javasecurity}" fi @@ -1372,6 +1373,7 @@ exit 0 %config(noreplace) %{_jvmdir}/%{jredir}/lib/security/local_policy.jar %config(noreplace) %{_jvmdir}/%{jredir}/lib/security/java.policy %config(noreplace) %{_jvmdir}/%{jredir}/lib/security/java.security +%config(noreplace) %{_jvmdir}/%{jredir}/lib/security/blacklisted.certs %config(noreplace) %{_jvmdir}/%{jredir}/lib/logging.properties %{_mandir}/man1/java-%{uniquesuffix}.1* %{_mandir}/man1/keytool-%{uniquesuffix}.1* @@ -1470,6 +1472,17 @@ exit 0 %{_jvmdir}/%{jredir}/lib/accessibility.properties %changelog +* Tue Feb 07 2017 Andrew Hughes - 1:1.7.0.131-2.6.9.0 +- Add blacklisted.certs to installation file list. +- Resolves: rhbz#1410612 + +* Tue Feb 07 2017 Andrew Hughes - 1:1.7.0.131-2.6.9.0 +- Bump to 2.6.9 and u131b00. +- Remove patch application debris in fsg.sh. +- Re-generate PR2809 and RH1022017 against 2.6.9. +- Update md5sum list with checksum for the new java.security file. +- Resolves: rhbz#1410612 + * Mon Oct 31 2016 Andrew Hughes - 1:1.7.0.121-2.6.8.0 - Turn off HotSpot bootstrap to see if it resolves build issues. - Resolves: rhbz#1381990