From b0d8aee10952569ea40cf2d0381514fb0fc4cf7f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 10 2022 07:33:20 +0000 Subject: import java-1.8.0-openjdk-1.8.0.312.b02-0.1.ea.module+el8.6.0+14068+401a9a93 --- diff --git a/.gitignore b/.gitignore index 5f70416..06c16b8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz +SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b02-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index dd9d11c..b9c2a06 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -c54dd40b6deb5defa8d4d7132d650080d0e300f4 SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz +873cb707016be925eecfe741b891f1f01de48dea SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b02-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index e911b13..3cf6136 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,171 +3,15 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 8u322 (2022-01-18): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk8u322 - * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt - -* Security fixes - - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization - - JDK-8268488: More valuable DerValues - - JDK-8268494: Better inlining of inlined interfaces - - JDK-8268512: More content for ContentInfo - - JDK-8268795: Enhance digests of Jar files - - JDK-8268801: Improve PKCS attribute handling - - JDK-8268813, CVE-2022-21283: Better String matching - - JDK-8269151: Better construction of EncryptedPrivateKeyInfo - - JDK-8269944: Better HTTP transport redux - - JDK-8270392, CVE-2022-21293: Improve String constructions - - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps - - JDK-8270492, CVE-2022-21282: Better resolution of URIs - - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management - - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities - - JDK-8271962: Better TrueType font loading - - JDK-8271968: Better canonical naming - - JDK-8271987: Manifest improved manifest entries - - JDK-8272014, CVE-2022-21305: Better array indexing - - JDK-8272026, CVE-2022-21340: Verify Jar Verification - - JDK-8272236, CVE-2022-21341: Improve serial forms for transport - - JDK-8272272: Enhance jcmd communication - - JDK-8272462: Enhance image handling - - JDK-8273290: Enhance sound handling - - JDK-8273748, CVE-2022-21349: Improve Solaris font rendering - - JDK-8273756, CVE-2022-21360: Enhance BMP image support - - JDK-8273838, CVE-2022-21365: Enhanced BMP processing -* Other changes - - JDK-6801613: Cross-platform pageDialog and printDialog top margin entry broken - - JDK-8011541: [TEST_BUG] closed/javax/swing/plaf/metal/MetalUtils/bug6190373.java fails NPE since 7u25b03 - - JDK-8025430: [TEST_BUG] javax/swing/JEditorPane/5076514/bug5076514.java failed since jdk8b108 - - JDK-8041928: MouseEvent.getModifiersEx gives wrong result - - JDK-8042199: The build of J2DBench via makefile is broken after the JDK-8005402 - - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) - - JDK-8048021: Remove @version tag in jaxp repo - - JDK-8049348: compiler/intrinsics/bmi/verifycode tests on lzcnt and tzcnt use incorrect assumption about REXB prefix usage - - JDK-8060027: Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java - - JDK-8066588: javax/management/remote/mandatory/connection/RMIConnector_NPETest.java fails to compile - - JDK-8066652: Default TimeZone is GMT not local if user.timezone is invalid on Mac OS - - JDK-8069034: gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure - - JDK-8077590: windows_i586_6.2-product-c2-runThese8_Xcomp_vm failing after win compiler upgrade - - JDK-8080287: The image of BufferedImage.TYPE_INT_ARGB and BufferedImage.TYPE_INT_ARGB_PRE is blank - - JDK-8140329: [TEST_BUG] test FullScreenAfterSplash.java failed because image was not generated - - JDK-8140472: java/net/ipv6tests/TcpTest.java failed intermittently with java.net.BindException: Address already in use: NET_Bind - - JDK-8147051: StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator - - JDK-8148915: Intermittent failures of bug6400879.java - - JDK-8176837: SunPKCS11 provider needs to check more details on PKCS11 Mechanism - - JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black - - JDK-8177536: Avoid Apple Peer-to-Peer interfaces in networking tests - - JDK-8182036: Load from initializing arraycopy uses wrong memory state - - JDK-8183369: RFC unconformity of HttpURLConnection with proxy - - JDK-8183543: Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check" - - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll - - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar - - JDK-8190482: InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride - - JDK-8190793: Httpserver does not detect truncated request body - - JDK-8196572: Tests ColConvCCMTest.java and MTColConvTest.java fail - - JDK-8202788: Explicitly reclaim cached thread-local direct buffers at thread exit - - JDK-8210058: Algorithmic Italic font leans opposite angle in Printing - - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs - - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 - - JDK-8225083: Remove Google certificate that is expiring in December 2021 - - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread - - JDK-8231254: (fs) Add test for macOS Catalina changes to protect system software - - JDK-8231438: [macOS] Dark mode for the desktop is not supported - - JDK-8232178: MacVolumesTest failed after upgrade to MacOS Catalina - - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail - - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails - - JDK-8236897: Fix the copyright header for pkcs11gcm2.h - - JDK-8237499: JFR: Include stack trace in the ThreadStart event - - JDK-8239886: Minimal VM build fails after JDK-8237499 - - JDK-8261397: Try Catch Method Failing to Work When Dividing An Integer By 0 - - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" - - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions - - JDK-8273308: PatternMatchTest.java fails on CI - - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 - - JDK-8273826: Correct Manifest file name and NPE checks - - JDK-8273968: JCK javax_xml tests fail in CI - - JDK-8274407: (tz) Update Timezone Data to 2021c - - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b - - JDK-8274468: TimeZoneTest.java fails with tzdata2021b - - JDK-8274595: DisableRMIOverHTTPTest failed: connection refused - - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST - - JDK-8275766: (tz) Update Timezone Data to 2021e - - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e - - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8271434: Removed IdenTrust Root Certificate -=============================================== -The following root certificate from IdenTrust has been removed from -the `cacerts` keystore: - -Alias Name: identrustdstx3 [jdk] -Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. - -JDK-8272535: Removed Google's GlobalSign Root Certificate -========================================================= -The following root certificate from Google has been removed from the -`cacerts` keystore: - -Alias Name: globalsignr2ca [jdk] -Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 - -core-libs/java.time: - -JDK-8274857: Update Timezone Data to 2021c -=========================================== -IANA Time Zone Database, on which JDK's Date/Time libraries are based, -has been updated to version 2021c -(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note -that with this update, some of the time zone rules prior to the year -1970 have been modified according to the changes which were introduced -with 2021b. For more detail, refer to the announcement of 2021b -(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) - New in release OpenJDK 8u312 (2021-10-19): =========================================== Live versions of these release notes can be found at: * https://bitly.com/openjdk8u312 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u312.txt -* Security fixes - - JDK-8130183, CVE-2021-35588: InnerClasses: VM permits wrong Throw ClassFormatError if InnerClasses attribute's inner_class_info_index is 0 - - JDK-8161016: Strange behavior of URLConnection with proxy - - JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference - - JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close - - JDK-8263314: Enhance XML Dsig modes - - JDK-8265167, CVE-2021-35556: Richer Text Editors - - JDK-8265574: Improve handling of sheets - - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit - - JDK-8265776: Improve Stream handling for SSL - - JDK-8266097, CVE-2021-35561: Better hashing support - - JDK-8266103: Better specified spec values - - JDK-8266109: More Resilient Classloading - - JDK-8266115: More Manifest Jar Loading - - JDK-8266137, CVE-2021-35564: Improve Keystore integrity - - JDK-8266689, CVE-2021-35567: More Constrained Delegation - - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic - - JDK-8267712: Better LDAP reference processing - - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking - - JDK-8267735, CVE-2021-35586: Better BMP support - - JDK-8268193: Improve requests of certificates - - JDK-8268199: Correct certificate requests - - JDK-8268506: More Manifest Digests - - JDK-8269618, CVE-2021-35603: Better session identification - - JDK-8269624: Enhance method selection support - - JDK-8270398: Enhance canonicalization - - JDK-8270404: Better canonicalization * Other changes - - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection - - JDK-7188942: Remove support of pbuffers in OGL Java2d pipeline - JDK-8004148: NPE in sun.awt.SunToolkit.getWindowDeactivationTime - - JDK-8022323: [JavaSecurityScanner] review package com.sun.management.* Native methods should be private - JDK-8027154: [TESTBUG] Test java/awt/Mouse/GetMousePositionTest/GetMousePositionWithPopup.java fails - JDK-8035001: TEST_BUG: the retry logic in RMID.start() should check that the subprocess hasn't terminated - JDK-8035424: (reflect) Performance problem in sun.reflect.generics.parser.SignatureParser @@ -178,82 +22,33 @@ Live versions of these release notes can be found at: - JDK-8079891: Store configure log in $BUILD/configure.log - JDK-8080082: configure fails if you create an empty directory and then run configure from it - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing - - JDK-8131062: aarch64: add support for GHASH acceleration - - JDK-8134869: AARCH64: GHASH intrinsic is not optimal - JDK-8134989: java/net/MulticastSocket/TestInterfaces.java failed due to unexpected IP address - JDK-8156584: Initialization race in sun.security.x509.AlgorithmId.get - - JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream - JDK-8166673: The new implementation of Robot.waitForIdle() may hang - JDK-8170467: (reflect) Optimize SignatureParser's use of StringBuilders - - JDK-8194246: JVM crashes when calling getStackTrace if stack contains a method that is a member of a very large class - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails - JDK-8202837: PBES2 AlgorithmId encoding error in PKCS12 KeyStore - JDK-8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error - JDK-8214418: half-closed SSLEngine status may cause application dead loop - JDK-8214513: A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11 - JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr - - JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail - JDK-8229243: SunPKCS11-Solaris provider tests failing on Solaris 11.4 - JDK-8231222: fix pkcs11 P11_DEBUG guarded native traces - - JDK-8237495: Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7 - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) - - JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files - JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken. - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space" - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames() - JDK-8263311: Watch registry changes for remote printers update instead of polling - - JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers" - - JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M - JDK-8265238: [8u] [macos] build failure in OpenJDK8u after JDK-8211301 in older xcode - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container - JDK-8265978: make test should look for more locations when searching for exit code - - JDK-8266206: Build failure after JDK-8264752 with older GCCs - - JDK-8268103: JNI functions incorrectly return a double after JDK-8265836 - - JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server - - JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark - - JDK-8269763: The JEditorPane is blank after JDK-8265167 - JDK-8269810: [8u] Update generated_configure.sh after JDK-8250876 backport - - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - - JDK-8269859: BacktraceBuilder._cprefs needs to be accessed as unsigned short - - JDK-8269882: stack-use-after-scope in NewObjectA - JDK-8269953: config.log is not in build directory after 8u backport of JDK-8079891 - - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup - JDK-8271466: StackGap test fails on aarch64 due to "-m64" - - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - - JDK-8272214: [8u] Build failure after backport of JDK-8248901 - - JDK-8272714: [8u] Build failure after backport of JDK-8248901 with MSVC 2013 -* Shenandoah - - [backport] JDK-8269661: JNI_GetStringCritical does not lock char array - - Re-cast JNI critical strings patch to be Shenandoah-specific - -Notes on individual issues: -=========================== - -core-libs/java.net: - -JDK-8164200: Modified HttpURLConnection behavior when no suitable proxy is found -================================================================================ -The behavior of HttpURLConnection when using a ProxySelector has been -modified with this JDK release. HttpURLConnection used to fall back to -a DIRECT connection attempt if the configured proxy(s) failed to make -a connection. This release introduces a change whereby no DIRECT -connection will be attempted in such a scenario. Instead, the -HttpURLConnection.connect() method will fail and throw an IOException -which occurred from the last proxy tested. - -security-libs/javax.net.ssl: - -JDK-8219551: Updated the Default Enabled Cipher Suites Preference -================================================================= -The preference of the default enabled cipher suites has been -changed. The compatibility impact should be minimal. If needed, -applications can customize the enabled cipher suites and the -preference. For more details, refer to the SunJSSE provider -documentation and the JSSE Reference Guide documentation. New in release OpenJDK 8u302 (2021-07-20): =========================================== diff --git a/SOURCES/jdk8279077-missing_crash_protector_ppc.patch b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch deleted file mode 100644 index 0ab462e..0000000 --- a/SOURCES/jdk8279077-missing_crash_protector_ppc.patch +++ /dev/null @@ -1,23 +0,0 @@ -# HG changeset patch -# User zgu -# Date 1641313782 0 -# Tue Jan 04 16:29:42 2022 +0000 -# Node ID b694a28adaa2a602fedbc4aeba69b9c2350e7409 -# Parent 3177fc2314df6deb4d4771148f27934a597dd1d7 -8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler -Reviewed-by: phh - -diff --git openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp ---- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp -+++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp -@@ -176,6 +176,10 @@ - - Thread* t = ThreadLocalStorage::get_thread_slow(); - -+ // Must do this before SignalHandlerMark, if crash protection installed we will longjmp away -+ // (no destructors can be run) -+ os::ThreadCrashProtection::check_crash_protection(sig, t); -+ - SignalHandlerMark shm(t); - - // Note: it's not uncommon that JNI code uses signal/sigset to install diff --git a/SOURCES/rh1991003-enable_fips_keys_import.patch b/SOURCES/rh1991003-enable_fips_keys_import.patch deleted file mode 100644 index 028769d..0000000 --- a/SOURCES/rh1991003-enable_fips_keys_import.patch +++ /dev/null @@ -1,583 +0,0 @@ -diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java ---- openjdk.orig/jdk/src/share/classes/java/security/Security.java -+++ openjdk/jdk/src/share/classes/java/security/Security.java -@@ -78,6 +78,10 @@ - public boolean isSystemFipsEnabled() { - return SystemConfigurator.isSystemFipsEnabled(); - } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } - }); - - // doPrivileged here because there are multiple -diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java ---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java -+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java -@@ -55,6 +55,7 @@ - CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; - - private static boolean systemFipsEnabled = false; -+ private static boolean plainKeySupportEnabled = false; - - private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; - -@@ -149,6 +150,16 @@ - } - loadedProps = true; - systemFipsEnabled = true; -+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", -+ "true"); -+ plainKeySupportEnabled = !"false".equals(plainKeySupport); -+ if (sdebug != null) { -+ if (plainKeySupportEnabled) { -+ sdebug.println("FIPS support enabled with plain key support"); -+ } else { -+ sdebug.println("FIPS support enabled without plain key support"); -+ } -+ } - } - } catch (Exception e) { - if (sdebug != null) { -@@ -176,6 +187,19 @@ - return systemFipsEnabled; - } - -+ /** -+ * Returns {@code true} if system FIPS alignment is enabled -+ * and plain key support is allowed. Plain key support is -+ * enabled by default but can be disabled with -+ * {@code -Dcom.redhat.fips.plainKeySupport=false}. -+ * -+ * @return a boolean indicating whether plain key support -+ * should be enabled. -+ */ -+ static boolean isPlainKeySupportEnabled() { -+ return plainKeySupportEnabled; -+ } -+ - /* - * OpenJDK FIPS mode will be enabled only if the com.redhat.fips - * system property is true (default) and the system is in FIPS mode. -diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java ---- openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java -+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java -@@ -27,4 +27,5 @@ - - public interface JavaSecuritySystemConfiguratorAccess { - boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); - } -diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -new file mode 100644 ---- /dev/null -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,290 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.pkcs11; -+ -+import java.math.BigInteger; -+import java.security.KeyFactory; -+import java.security.Provider; -+import java.security.Security; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.concurrent.locks.ReentrantLock; -+ -+import javax.crypto.Cipher; -+import javax.crypto.spec.DHPrivateKeySpec; -+import javax.crypto.spec.IvParameterSpec; -+ -+import sun.security.jca.JCAUtil; -+import sun.security.pkcs11.TemplateManager; -+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; -+import sun.security.pkcs11.wrapper.CK_MECHANISM; -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+import sun.security.pkcs11.wrapper.PKCS11Exception; -+import sun.security.rsa.RSAUtil.KeyType; -+import sun.security.util.Debug; -+import sun.security.util.ECUtil; -+ -+final class FIPSKeyImporter { -+ -+ private static final Debug debug = -+ Debug.getInstance("sunpkcs11"); -+ -+ private static P11Key importerKey = null; -+ private static final ReentrantLock importerKeyLock = new ReentrantLock(); -+ private static CK_MECHANISM importerKeyMechanism = null; -+ private static Cipher importerCipher = null; -+ -+ private static Provider sunECProvider = null; -+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); -+ -+ private static KeyFactory DHKF = null; -+ private static final ReentrantLock DHKFLock = new ReentrantLock(); -+ -+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) -+ throws PKCS11Exception { -+ long keyID = -1; -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be imported in" + -+ " system FIPS mode."); -+ } -+ if (importerKey == null) { -+ importerKeyLock.lock(); -+ try { -+ if (importerKey == null) { -+ if (importerKeyMechanism == null) { -+ // Importer Key creation has not been tried yet. Try it. -+ createImporterKey(token); -+ } -+ if (importerKey == null || importerCipher == null) { -+ if (debug != null) { -+ debug.println("Importer Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ if (debug != null) { -+ debug.println("Importer Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ } -+ long importerKeyID = importerKey.getKeyID(); -+ try { -+ byte[] keyBytes = null; -+ byte[] encKeyBytes = null; -+ long keyClass = 0L; -+ long keyType = 0L; -+ Map attrsMap = new HashMap<>(); -+ for (CK_ATTRIBUTE attr : attributes) { -+ if (attr.type == CKA_CLASS) { -+ keyClass = attr.getLong(); -+ } else if (attr.type == CKA_KEY_TYPE) { -+ keyType = attr.getLong(); -+ } -+ attrsMap.put(attr.type, attr); -+ } -+ BigInteger v = null; -+ if (keyClass == CKO_PRIVATE_KEY) { -+ if (keyType == CKK_RSA) { -+ if (debug != null) { -+ debug.println("Importing an RSA private key..."); -+ } -+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( -+ KeyType.RSA, -+ null, -+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ } else if (keyType == CKK_DSA) { -+ if (debug != null) { -+ debug.println("Importing a DSA private key..."); -+ } -+ keyBytes = new sun.security.provider.DSAPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_EC) { -+ if (debug != null) { -+ debug.println("Importing an EC private key..."); -+ } -+ if (sunECProvider == null) { -+ sunECProviderLock.lock(); -+ try { -+ if (sunECProvider == null) { -+ sunECProvider = Security.getProvider("SunEC"); -+ } -+ } finally { -+ sunECProviderLock.unlock(); -+ } -+ } -+ keyBytes = P11ECUtil.generateECPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ECUtil.getECParameterSpec(sunECProvider, -+ attrsMap.get(CKA_EC_PARAMS).getByteArray())) -+ .getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else { -+ if (debug != null) { -+ debug.println("Unrecognized private key type."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } else if (keyClass == CKO_SECRET_KEY) { -+ if (debug != null) { -+ debug.println("Importing a secret key..."); -+ } -+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); -+ } -+ if (keyBytes == null || keyBytes.length == 0) { -+ if (debug != null) { -+ debug.println("Private or secret key plain bytes could" + -+ " not be obtained. Import failed."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), -+ null); -+ attributes = new CK_ATTRIBUTE[attrsMap.size()]; -+ attrsMap.values().toArray(attributes); -+ encKeyBytes = importerCipher.doFinal(keyBytes); -+ attributes = token.getAttributes(TemplateManager.O_IMPORT, -+ keyClass, keyType, attributes); -+ keyID = token.p11.C_UnwrapKey(hSession, -+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); -+ if (debug != null) { -+ debug.println("Imported key ID: " + keyID); -+ } -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } finally { -+ importerKey.releaseKeyID(); -+ } -+ return Long.valueOf(keyID); -+ } -+ -+ private static void createImporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Importer Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ try { -+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, -+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { -+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), -+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); -+ Session s = null; -+ try { -+ s = token.getObjSession(); -+ long keyID = token.p11.C_GenerateKey( -+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), -+ attributes); -+ if (debug != null) { -+ debug.println("Importer Key ID: " + keyID); -+ } -+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", -+ 256 >> 3, null); -+ } catch (PKCS11Exception e) { -+ // best effort -+ } finally { -+ token.releaseSession(s); -+ } -+ if (importerKey != null) { -+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ } -+ } catch (Throwable t) { -+ // best effort -+ importerKey = null; -+ importerCipher = null; -+ // importerKeyMechanism value is kept initialized to indicate that -+ // Importer Key creation has been tried and failed. -+ } -+ } -+} -diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -26,6 +26,9 @@ - package sun.security.pkcs11; - - import java.io.*; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.*; -@@ -63,6 +66,26 @@ - private static final boolean systemFipsEnabled = SharedSecrets - .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ -+ private static final MethodHandle fipsImportKey; -+ static { -+ MethodHandle fipsImportKeyTmp = null; -+ if (plainKeySupportEnabled) { -+ try { -+ fipsImportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "importKey", -+ MethodType.methodType(Long.class, SunPKCS11.class, -+ long.class, CK_ATTRIBUTE[].class)); -+ } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer initialization" + -+ " failed", t); -+ } -+ } -+ fipsImportKey = fipsImportKeyTmp; -+ } -+ - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -314,10 +337,15 @@ - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; -+ MethodHandle fipsKeyImporter = null; -+ if (plainKeySupportEnabled) { -+ fipsKeyImporter = MethodHandles.insertArguments( -+ fipsImportKey, 0, this); -+ } - try { - tmpPKCS11 = PKCS11.getInstance( - library, functionList, initArgs, -- config.getOmitInitialize()); -+ config.getOmitInitialize(), fipsKeyImporter); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); -@@ -333,7 +361,7 @@ - initArgs.flags = 0; - } - tmpPKCS11 = PKCS11.getInstance(library, -- functionList, initArgs, config.getOmitInitialize()); -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); - } - p11 = tmpPKCS11; - -diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,7 @@ - - import java.io.File; - import java.io.IOException; -+import java.lang.invoke.MethodHandle; - import java.util.*; - - import java.security.AccessController; -@@ -147,16 +148,28 @@ - - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -- boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter) -+ throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null; - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { -- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter); -+ } else { -+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ } - } else { -- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter); -+ } else { -+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ } - } - if (omitInitialize == false) { - try { -@@ -1905,4 +1918,69 @@ - super.C_GenerateRandom(hSession, randomData); - } - } -+ -+// PKCS11 subclass that allows using plain private or secret keys in -+// FIPS-configured NSS Software Tokens. Only used when System FIPS -+// is enabled. -+static class FIPSPKCS11 extends PKCS11 { -+ private MethodHandle fipsKeyImporter; -+ FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // Creating sensitive key objects from plain key material in a -+ // FIPS-configured NSS Software Token is not allowed. We apply -+ // a key-unwrapping scheme to achieve so. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } - } -+ -+// FIPSPKCS11 synchronized counterpart. -+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { -+ private MethodHandle fipsKeyImporter; -+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // See FIPSPKCS11::C_CreateObject. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+private static class FIPSPKCS11Helper { -+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ if (attr.type == CKA_CLASS && -+ (attr.getLong() == CKO_PRIVATE_KEY || -+ attr.getLong() == CKO_SECRET_KEY)) { -+ return true; -+ } -+ } -+ return false; -+ } -+} -+} -diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -+++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -@@ -33,8 +33,13 @@ - - import javax.net.ssl.*; - -+import sun.misc.SharedSecrets; -+ - abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ - X509ExtendedKeyManager keyManager; - boolean isInitialized; - -@@ -62,7 +67,8 @@ - KeyStoreException, NoSuchAlgorithmException, - UnrecoverableKeyException { - if ((ks != null) && SunJSSE.isFIPS()) { -- if (ks.getProvider() != SunJSSE.cryptoProvider) { -+ if (ks.getProvider() != SunJSSE.cryptoProvider && -+ !plainKeySupportEnabled) { - throw new KeyStoreException("FIPS mode: KeyStore must be " - + "from provider " + SunJSSE.cryptoProvider.getName()); - } -@@ -91,8 +97,8 @@ - keyManager = new X509KeyManagerImpl( - Collections.emptyList()); - } else { -- if (SunJSSE.isFIPS() && -- (ks.getProvider() != SunJSSE.cryptoProvider)) { -+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) -+ && !plainKeySupportEnabled) { - throw new KeyStoreException( - "FIPS mode: KeyStore must be " + - "from provider " + SunJSSE.cryptoProvider.getName()); diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch deleted file mode 100644 index 5aa9ec7..0000000 --- a/SOURCES/rh2021263-fips_ensure_security_initialised.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 06c2decab204fcce5aca2d285953fcac1820b1ae -Author: Andrew John Hughes -Date: Mon Jan 24 01:23:28 2022 +0000 - - RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance - -diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java -index 40ca609e02..0dafe6f59c 100644 ---- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java -+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java -@@ -31,6 +31,7 @@ import java.io.Console; - import java.io.FileDescriptor; - import java.io.ObjectInputStream; - import java.security.ProtectionDomain; -+import java.security.Security; - import java.security.Signature; - - import java.security.AccessController; -@@ -255,6 +256,9 @@ public class SharedSecrets { - } - - public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ if (javaSecuritySystemConfiguratorAccess == null) { -+ unsafe.ensureClassInitialized(Security.class); -+ } - return javaSecuritySystemConfiguratorAccess; - } - } diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch deleted file mode 100644 index 90cc44e..0000000 --- a/SOURCES/rh2021263-fips_missing_native_returns.patch +++ /dev/null @@ -1,24 +0,0 @@ -commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073 -Author: Fridrich Strba -Date: Mon Jan 24 01:10:57 2022 +0000 - - RH2021263: Return in C code after having generated Java exception - -diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c -index 6f4656bfcb..34d0ff0ce9 100644 ---- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c -+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c -@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn - dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); - if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { - throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; - } - fips_enabled = fgetc(fe); - fclose(fe); - if (fips_enabled == EOF) { - throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; - } - msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ - " read character is '%c'", fips_enabled); diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 40fb8c9..f7040ce 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -19,8 +19,6 @@ %bcond_without slowdebug # Enable release builds by default on relevant arches. %bcond_without release -# Remove build artifacts by default -%bcond_with artifacts # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. @@ -70,10 +68,8 @@ %global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler %global jit_arches %{debug_arches} -# Set of architectures which use the Zero assembler port (!jit_arches) -%global zero_arches %{arm} ppc s390 s390x # Set of architectures which run a full bootstrap cycle -%global bootstrap_arches %{jit_arches} %{zero_arches} +%global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures which support the serviceability agent @@ -126,9 +122,9 @@ %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %ifarch %{bootstrap_arches} -%global bootstrap_build true +%global bootstrap_build 1 %else -%global bootstrap_build false +%global bootstrap_build 1 %endif %global bootstrap_targets images @@ -265,9 +261,9 @@ %endif # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. -%global shenandoah_project openjdk -%global shenandoah_repo shenandoah-jdk8u -%global shenandoah_revision aarch64-shenandoah-jdk8u322-b06 +%global shenandoah_project aarch64-port +%global shenandoah_repo jdk8u-shenandoah +%global shenandoah_revision aarch64-shenandoah-jdk8u312-b02 # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} %global repo %{shenandoah_repo} @@ -283,12 +279,12 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 1 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -312,7 +308,6 @@ %global jdkimage j2sdk-image # output dir stub %define buildoutputdir() %{expand:build/jdk8.build%{?1}} -%define installoutputdir() %{expand:install/jdk8.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}%{?1}} # main id and dir of this jdk @@ -910,7 +905,7 @@ exit 0 %define files_demo() %{expand: %defattr(-,root,root,-) -%license %{installoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE +%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE } %define files_src() %{expand: @@ -922,13 +917,13 @@ exit 0 %define files_javadoc() %{expand: %defattr(-,root,root,-) %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} -%license %{installoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE +%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE } %define files_javadoc_zip() %{expand: %defattr(-,root,root,-) %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip -%license %{installoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE +%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE } %define files_accessibility() %{expand: @@ -970,8 +965,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ Requires: javapackages-filesystem # Require zoneinfo data provided by tzdata-java subpackage. -# 2021e required as of JDK-8275766 in January 2022 CPU -Requires: tzdata-java >= 2021e +# 2021a required as of JDK-8260356 in April CPU +Requires: tzdata-java >= 2021a # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} %if ! 0%{?flatpak} @@ -1204,11 +1199,6 @@ Patch1006: rh1929465-improve_system_FIPS_detection-root.patch Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch # RH1996182: Login to the NSS software token in FIPS mode Patch1008: rh1996182-login_to_nss_software_token.patch -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -Patch1011: rh1991003-enable_fips_keys_import.patch -# RH2021263: Resolve outstanding FIPS issues -Patch1014: rh2021263-fips_ensure_security_initialised.patch -Patch1015: rh2021263-fips_missing_native_returns.patch ############################################# # @@ -1284,14 +1274,13 @@ Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch ############################################# # -# Patches appearing in 8u332 +# Patches appearing in 8u282 # # This section includes patches which are present # in the listed OpenJDK 8u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# -Patch700: jdk8279077-missing_crash_protector_ppc.patch ############################################# # @@ -1368,8 +1357,8 @@ BuildRequires: java-1.8.0-openjdk-devel %ifnarch %{jit_arches} BuildRequires: libffi-devel %endif -# 2021e required as of JDK-8275766 in January 2022 CPU -BuildRequires: tzdata-java >= 2021e +# 2021a required as of JDK-8260356 in April CPU +BuildRequires: tzdata-java >= 2021a # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1702,9 +1691,6 @@ sh %{SOURCE12} %patch580 %patch539 -# Upstreamed fixes -%patch700 - # RPM-only fixes %patch600 %patch1000 @@ -1716,9 +1702,6 @@ sh %{SOURCE12} %patch1006 %patch1007 %patch1008 -%patch1011 -%patch1014 -%patch1015 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1816,10 +1799,9 @@ export EXTRA_CFLAGS EXTRA_ASFLAGS function buildjdk() { local outputdir=${1} - local installdir=${2} - local buildjdk=${3} - local maketargets=${4} - local debuglevel=${5} + local buildjdk=${2} + local maketargets=${3} + local debuglevel=${4} local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name} # Variable used in hs_err hook on build failures @@ -1832,7 +1814,7 @@ function buildjdk() { echo "Using debuglevel: ${debuglevel}" echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}" - mkdir -p ${outputdir} ${installdir} + mkdir -p ${outputdir} pushd ${outputdir} bash ${top_srcdir_abs_path}/configure \ @@ -1893,23 +1875,6 @@ function buildjdk() { find images/%{jdkimage}/bin/ -exec chmod +x {} \; popd >& /dev/null - - echo "Installing build from ${outputdir} to ${installdir}..." - echo "Installing images..." - mv ${outputdir}/images ${installdir} - if [ -d ${outputdir}/bundles ] ; then - echo "Installing bundles..."; - mv ${outputdir}/bundles ${installdir} ; - fi - if [ -d ${outputdir}/docs ] ; then - echo "Installing docs..."; - mv ${outputdir}/docs ${installdir} ; - fi - -%if !%{with artifacts} - echo "Removing output directory..."; - rm -rf ${outputdir} -%endif } for suffix in %{build_loop} ; do @@ -1923,30 +1888,24 @@ fi systemjdk=/usr/lib/jvm/java-openjdk builddir=%{buildoutputdir -- $suffix} bootbuilddir=boot${builddir} -installdir=%{installoutputdir -- $suffix} -bootinstalldir=boot${installdir} # Debug builds don't need same targets as release for -# build speed-up. We also avoid bootstrapping these -# slower builds. +# build speed-up +maketargets="%{release_targets}" if echo $debugbuild | grep -q "debug" ; then maketargets="%{debug_targets}" - run_bootstrap=false -else - maketargets="%{release_targets}" - run_bootstrap=%{bootstrap_build} fi -if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} - buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} - %{!?with_artifacts:rm -rf ${bootinstalldir}} -else - buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} -fi +%if %{bootstrap_build} +buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} +buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} +rm -rf ${bootbuilddir} +%else +buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} +%endif # Install nss.cfg right away as we will be using the JRE above -export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage} +export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/jre/lib/security/ @@ -1972,7 +1931,7 @@ done # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do -export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage} +export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} # Check unlimited policy has been used $JAVA_HOME/bin/javac -d . %{SOURCE13} @@ -2086,7 +2045,7 @@ STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do # Install the jdk -pushd %{installoutputdir -- $suffix}/images/%{jdkimage} +pushd %{buildoutputdir -- $suffix}/images/%{jdkimage} # Install jsa directories so we can owe them mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/server/ @@ -2153,9 +2112,9 @@ popd if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} - cp -a %{installoutputdir -- $suffix}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + cp -a %{buildoutputdir -- $suffix}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip - cp -a %{installoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip + cp -a %{buildoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip fi # Install release notes @@ -2465,52 +2424,21 @@ cjc.mainProgram(args) %endif %changelog -* Mon Jan 24 2022 Andrew Hughes - 1:1.8.0.322.b06-2 -- Fix FIPS issues in native code and with initialisation of java.security.Security -- Related: rhbz#2039366 - -* Fri Jan 21 2022 Andrew Hughes - 1:1.8.0.322.b06-1 -- Update to aarch64-shenandoah-jdk8u322-b06 (EA) -- Update release notes for 8u322-b06. -- Switch to GA mode for final release. -- Require tzdata 2021e as of JDK-8275766. -- Update tarball generation script to use git following shenandoah-jdk8u's move to github -- Resolves: rhbz#2039366 - -* Tue Jan 18 2022 Andrew Hughes - 1:1.8.0.322.b04-0.2.ea -- Add backport of JDK-8279077 to fix crash on ppc64 -- Resolves: rhbz#2030399 - -* Mon Jan 10 2022 Andrew Hughes - 1:1.8.0.322.b04-0.1.ea -- Update to aarch64-shenandoah-jdk8u322-b04 (EA) -- Update release notes for 8u322-b04. -- Require tzdata 2021c as of JDK-8274407. +* Sun Sep 19 2021 Andrew Hughes - 1:1.8.0.312.b02-0.1.ea +- Update to aarch64-shenandoah-jdk8u312-b02 (EA) +- Update release notes for 8u312-b02. +- Related: rhbz#1999937 + +* Mon Sep 13 2021 Andrew Hughes - 1:1.8.0.312.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u312-b01 (EA) +- Update release notes for 8u312-b01. - Switch to EA mode. -- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. -- Related: rhbz#2039366 +- Remove "-clean" suffix as no 8u312 builds are unclean. +- Related: rhbz#1999937 -* Fri Oct 15 2021 Andrew Hughes - 1:1.8.0.312.b07-2 -- Update to aarch64-shenandoah-jdk8u312-b07 (EA) -- Update release notes for 8u312-b07. -- Switch to GA mode for final release. -- This tarball is embargoed until 2021-10-19 @ 1pm PT. -- Resolves: rhbz#2011826 - -* Thu Oct 14 2021 Andrew Hughes - 1:1.8.0.312.b05-0.2.ea -- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false -- Resolves: rhbz#2014194 - -* Thu Oct 14 2021 Martin Balao - 1:1.8.0.312.b05-0.2.ea -- Add patch to allow plain key import. -- Resolves: rhbz#2014194 - -* Tue Oct 12 2021 Andrew Hughes - 1:1.8.0.312.b05-0.1.ea -- Update to aarch64-shenandoah-jdk8u312-b05-shenandoah-merge-2021-10-07 -- Update release notes for 8u312-b05-shenandoah-merge-2021-10-07. -- Reduce disk footprint by removing build artifacts by default. -- Switch to EA mode. +* Fri Sep 10 2021 Andrew Hughes - 1:1.8.0.302.b08-4 - Remove non-Free test and demo files from source tarball. -- Related: rhbz#2011826 +- Related: rhbz#1999937 * Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-3 - Add patch to login to the NSS software token when in FIPS mode.