From e74e6c1a19ba89fb5ca59def7025ea00596e5700 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 09 2021 10:36:42 +0000 Subject: import java-1.8.0-openjdk-1.8.0.302.b08-3.module+el8.5.0+12446+59af0ebd --- diff --git a/.gitignore b/.gitignore index 28181b7..022af8b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u282-b08-4curve.tar.xz +SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b08-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 9832ba2..35ed263 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -de58a4f646ca65cafbd2166d7d08eb330adaf4e6 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u282-b08-4curve.tar.xz +72250f55a8932ac5b53e4d2dba0d7c5644201ef0 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b08-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index ee1e724..1cb973a 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,543 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u302 (2021-07-20): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk8u302 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u302.txt + +* Security fixes + - JDK-8256157: Improve bytecode assembly + - JDK-8256491: Better HTTP transport + - JDK-8258432, CVE-2021-2341: Improve file transfers + - JDK-8260453: Improve Font Bounding + - JDK-8260960: Signs of jarsigner signing + - JDK-8260967, CVE-2021-2369: Better jar file validation + - JDK-8262380: Enhance XML processing passes + - JDK-8262403: Enhanced data transfer + - JDK-8262410: Enhanced rules for zones + - JDK-8262477: Enhance String Conclusions + - JDK-8262967: Improve Zip file support + - JDK-8264066, CVE-2021-2388: Enhance compiler validation + - JDK-8264079: Improve abstractions + - JDK-8264460: Improve NTLM support +* Other changes + - JDK-6878250: (so) IllegalBlockingModeException thrown when reading from a closed SocketChannel's InputStream + - JDK-6990210: [TEST_BUG] EventDispatchThread/HandleExceptionOnEDT/HandleExceptionOnEDT.java fails on gnome + - JDK-7059970: Test case: javax/imageio/plugins/png/ITXtTest.java is not closing a file + - JDK-7106851: Test should not use System.exit + - JDK-8019470: Changes needed to compile JDK 8 on MacOS with clang compiler + - JDK-8028618: [TEST BUG] javax/swing/JScrollBar/bug4202954/bug4202954.java fails + - JDK-8030123: java/beans/Introspector/Test8027648.java fails + - JDK-8032050: Clean up for java/rmi/activation/Activatable/shutdownGracefully/ShutdownGracefully.java + - JDK-8033289: clang: clean up unused function warning + - JDK-8034856: gcc warnings compiling src/solaris/native/sun/security/pkcs11 + - JDK-8034857: gcc warnings compiling src/solaris/native/sun/management + - JDK-8035000: clean up ActivationLibrary.DestroyThread + - JDK-8035054: JarFacade.c should not include ctype.h + - JDK-8035287: gcc warnings compiling various libraries files + - JDK-8036095: RMI tests using testlibrary.RMID and testlibrary.JavaVM do not pass through vmoptions + - JDK-8037825: Fix warnings and enable "warnings as errors" in serviceability native libraries + - JDK-8042891: Format issues embedded in macros for two g1 source files + - JDK-8043264: hsdis library not picked up correctly on expected paths + - JDK-8043646: libosxapp.dylib fails to build on Mac OS 10.9 with clang + - JDK-8047939: [TESTBUG] Rewrite test/runtime/8001071/Test8001071.sh + - JDK-8055754: filemap.cpp does not compile with clang + - JDK-8064909: FragmentMetaspace.java got OutOfMemoryError + - JDK-8066508: JTReg tests timeout on slow devices when run using JPRT + - JDK-8066807: langtools/test/Makefile should use -agentvm not -samevm + - JDK-8071374: -XX:+PrintAssembly -XX:+PrintSignatureHandlers crash fastdebug VM with assert(limit == __null || limit <= nm->code_end()) in RelocIterator::initialize + - JDK-8073446: TimeZone getOffset API does not return a dst offset between years 2038-2137 + - JDK-8074835: Resolve disabled warnings for libj2gss + - JDK-8074836: Resolve disabled warnings for libosxkrb5 + - JDK-8075071: [TEST_BUG] TimSortStackSize2.java: OOME: Java heap space: MaxHeap shrinked by MaxRAMFraction + - JDK-8077364: "if( !this )" construct prevents build on Xcode 6.3 + - JDK-8078855: [TEST_BUG] javax/swing/JComboBox/8032878/bug8032878.java fails in WindowsClassicLookAndFeel + - JDK-8081764: [TEST_BUG] Test javax/swing/plaf/aqua/CustomComboBoxFocusTest.java fails on Windows, Solaris Sparcv9 and Linux but passes on MacOSX + - JDK-8129511: PlatformMidi.c:83 uses malloc without malloc header + - JDK-8130308: Too low memory usage in TestPromotionFromSurvivorToTenuredAfterMinorGC.java + - JDK-8130430: [TEST_BUG] remove unnecessary internal calls from javax/swing/JRadioButton/8075609/bug8075609.java + - JDK-8132148: G1 hs_err region dump legend out of sync with region values + - JDK-8132709: [TESTBUG] gc/g1/TestHumongousShrinkHeap.java might fail on embedded + - JDK-8134672: [TEST_BUG] Some tests should check isDisplayChangeSupported + - JDK-8134883: C1 hard crash in range check elimination in Nashorn test262parallel + - JDK-8136592: [TEST_BUG] Fix 2 platform-specific closed regtests for jigsaw + - JDK-8138820: JDK Hotspot build fails with Xcode 7.0.1 + - JDK-8151786: [TESTBUG] java/beans/XMLEncoder/Test4625418.java timed out intermittently + - JDK-8159898: Negative array size in java/beans/Introspector/Test8027905.java + - JDK-8166046: [TESTBUG] compiler/stringopts/TestStringObjectInitialization.java fails with OOME + - JDK-8166724: gc/g1/TestHumongousShrinkHeap.java fails with OOME + - JDK-8172188: JDI tests fail due to "permission denied" when creating temp file + - JDK-8177809: File.lastModified() is losing milliseconds (always ends in 000) + - JDK-8178403: DirectAudio in JavaSound may hang and leak + - JDK-8180478: tools/launcher/MultipleJRE.sh fails on Windows because of extra-'' + - JDK-8183910: gc/arguments/TestAggressiveHeap.java fails intermittently + - JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large + - JDK-8190679: java/util/Arrays/TimSortStackSize2.java fails with "Initial heap size set to a larger value than the maximum heap size" + - JDK-8191955: AArch64: incorrect prefetch distance causes an internal error + - JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails + - JDK-8199265: java/util/Arrays/TimSortStackSize2.java fails with OOM + - JDK-8200550: Xcode 9.3 produce warning -Wexpansion-to-defined + - JDK-8202299: Java Keystore fails to load PKCS12/PFX certificates created in WindowsServer2016 + - JDK-8203196: C1 emits incorrect code due to integer overflow in _tableswitch keys + - JDK-8205014: com/sun/jndi/ldap/DeadSSLLdapTimeoutTest.java failed with "Read timed out" + - JDK-8206243: java -XshowSettings fails if memory.limit_in_bytes overflows LONG.max + - JDK-8206925: Support the certificate_authorities extension + - JDK-8209996: [PPC64] Fix JFR profiling + - JDK-8214345: infinite recursion while checking super class + - JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types() + - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking + - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021 + - JDK-8225116: Test OwnedWindowsLeak.java intermittently fails + - JDK-8228757: Fail fast if the handshake type is unknown + - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp + - JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE + - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns + - JDK-8231949: [PPC64, s390]: Make async profiling more reliable + - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() + - JDK-8239053: [8u] clean up undefined-var-template warnings + - JDK-8239400: [8u] clean up undefined-var-template warnings + - JDK-8241649: Optimize Character.toString + - JDK-8241829: Cleanup the code for PrinterJob on windows + - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled + - JDK-8243559: Remove root certificates with 1024-bit keys + - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node + - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable + - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList + - JDK-8250876: Fix issues with cross-compile on macos + - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows + - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209) + - JDK-8254631: Better support ALPN byte wire values in SunJSSE + - JDK-8255086: Update the root locale display names + - JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too + - JDK-8256818: SSLSocket that is never bound or connected leaks socket resources + - JDK-8257039: [8u] GenericTaskQueue destructor is incorrect + - JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks + - JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test + - JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 + - JDK-8257999: Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region + - JDK-8258419: RSA cipher buffer cleanup + - JDK-8258669: fastdebug jvm crashes when do event based tracing for monitor inflation + - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues + - JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" + - JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect + - JDK-8259886: Improve SSL session cache performance and scalability + - JDK-8260029: aarch64: fix typo in verify_oop_array + - JDK-8260236: better init AnnotationCollector _contended_group + - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized + - JDK-8260484: CheckExamples.java / NoJavaLangTest.java fail with jtreg 4.2 + - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end + - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding + - JDK-8261867: Backport relevant test changes & additions from JDK-8130125 + - JDK-8262110: DST starts from incorrect time in 2038 + - JDK-8262446: DragAndDrop hangs on Windows + - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack + - JDK-8262730: Enable jdk8u MacOS external debug symbols + - JDK-8262864: No debug symbols in image for Windows --with-native-debug-symbols=external + - JDK-8263061: copy wrong unpack200 debuginfo to bin directory after 8252395 + - JDK-8263504: Some OutputMachOpcodes fields are uninitialized + - JDK-8263600: change rmidRunning to a simple lookup + - JDK-8264509: jdk8u MacOS zipped debug symbols won't build + - JDK-8264562: assert(verify_field_bit(1)) failed: Attempting to write an uninitialized event field: type + - JDK-8264640: CMS ParScanClosure misses a barrier + - JDK-8264816: Weak handles leak causes GC to take longer + - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod + - JDK-8265666: Enable AIX build platform to make external debug symbols + - JDK-8265832: runtime/StackGap/testme.sh fails to compile in 8u + - JDK-8265988: Fix sun/text/IntHashtable/Bug4170614 for JDK 8u + - JDK-8266191: Missing aarch64 parts of JDK-8181872 (C1: possible overflow when strength reducing integer multiply by constant) + - JDK-8266723: JFR periodic events are causing extra allocations + - JDK-8266929: Unable to use algorithms from 3p providers + - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash + - JDK-8267426: MonitorVmStartTerminate test timed out on Embedded VM + - JDK-8267545: [8u] Enable Xcode 12 builds on macOS + - JDK-8267689: [aarch64] Crash due to bad shift in indirect addressing mode + - JDK-8268444: keytool -v -list print is incorrect after backport JDK-8141457 + - JDK-8269388: Default build of OpenJDK 8 fails on newer GCCs with warnings as errors on format-overflow + - JDK-8269468: JDK-8269388 breaks the build on older GCCs + - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS +* Shenandoah + - [backport] JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState + - [backport] JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp + - [backport] JDK-8261251: Shenandoah: Use object size for full GC humongous + - [backport] JDK-8261413: Shenandoah: Disable class-unloading in I-U mode + - [backport] JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1 + - [backport] JDK-8266802: Shenandoah: Round up region size to page size unconditionally + - [backport] JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC + - [backport] JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size + - [backport] JDK-8268699: Shenandoah: Add test for JDK-8268127 + - Shenandoah: Process weak roots during class unloading cycle + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8256902: Removed Root Certificates with 1024-bit Keys +========================================================= +The following root certificates with weak 1024-bit RSA public keys +have been removed from the `cacerts` keystore: + +Alias Name: thawtepremiumserverca [jdk] +Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA + +Alias Name: verisignclass2g2ca [jdk] +Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + +Alias Name: verisignclass3ca [jdk] +Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US + +Alias Name: verisignclass3g2ca [jdk] +Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + +Alias Name: verisigntsaca [jdk] +Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA + +JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate +================================================================= + +The following root certificate have been removed from the cacerts truststore: + +Alias Name: soneraclass2ca +Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI + +security-libs/javax.net.ssl: + +JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values +========================================================================================= +Certain TLS ALPN values couldn't be properly read or written by the +SunJSSE provider. This is due to the choice of Strings as the API +interface and the undocumented internal use of the UTF-8 Character Set +which converts characters larger than U+00007F (7-bit ASCII) into +multi-byte arrays that may not be expected by a peer. + +ALPN values are now represented using the network byte representation +expected by the peer, which should require no modification for +standard 7-bit ASCII-based character Strings. However, SunJSSE now +encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 +characters. This means applications that used characters above +U+000007F that were previously encoded using UTF-8 may need to either +be modified to perform the UTF-8 conversion, or set the Java security +property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior. + +See the updated guide at +https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html +for more information. + +JDK-8244460: Support for certificate_authorities Extension +========================================================== +The "certificate_authorities" extension is an optional extension +introduced in TLS 1.3. It is used to indicate the certificate +authorities (CAs) that an endpoint supports and should be used by the +receiving endpoint to guide certificate selection. + +With this JDK release, the "certificate_authorities" extension is +supported for TLS 1.3 in both the client and the server sides. This +extension is always present for client certificate selection, while it +is optional for server certificate selection. + +Applications can enable this extension for server certificate +selection by setting the `jdk.tls.client.enableCAExtension` system +property to `true`. The default value of the property is `false`. + +Note that if the client trusts more CAs than the size limit of the +extension (less than 2^16 bytes), the extension is not enabled. Also, +some server implementations do not allow handshake messages to exceed +2^14 bytes. Consequently, there may be interoperability issues when +`jdk.tls.client.enableCAExtension` is set to `true` and the client +trusts more CAs than the server implementation limit. + +New in release OpenJDK 8u292 (2021-04-20): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk8u292 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u292.txt + +* Security fixes + - JDK-8227467: Better class method invocations + - JDK-8244473: Contextualize registration for JNDI + - JDK-8244543: Enhanced handling of abstract classes + - JDK-8249906, CVE-2021-2163: Enhance opening JARs + - JDK-8250568, CVE-2021-2161: Less ambiguous processing + - JDK-8253799: Make lists of normal filenames +* Other changes + - JDK-6345095: regression test EmptyClipRenderingTest fails + - JDK-6896810: TEST_BUG: java/lang/ref/SoftReference/Pin.java fails with OOME during System.out.println + - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop + - JDK-7107012: sun.jvm.hotspot.code.CompressedReadStream readDouble() conversion to long mishandled + - JDK-7112454: TEST_BUG: java/awt/Choice/PopdownGeneratesMouseEvents/PopdownGeneratesMouseEvents.html failed + - JDK-7131835: [TEST_BUG] Test does not consider that the rounded edges of the window in Mac OS 10.7 + - JDK-7185221: [macosx] Regtest should not throw exception if a suitable display mode found + - JDK-8031126: java/lang/management/ThreadMXBean/ThreadUserTime.java fails intermittently + - JDK-8035166: Remove dependency on EC classes from pkcs11 provider + - JDK-8035186: j2se_jdk/jdk/test/java/lang/invoke/lambda/LogGeneratedClassesTest.java - assertion error + - JDK-8038723: Openup some PrinterJob tests + - JDK-8041464: [TEST_BUG] CustomClassLoaderTransferTest does not support OS X + - JDK-8041561: Inconsistent opacity behaviour between JCheckBox and JRadioButton + - JDK-8061777: (zipfs) IllegalArgumentException in ZipCoder.toString when using Shitft_JIS + - JDK-8078024: javac, several incorporation steps are silently failing when an error should be reported + - JDK-8078450: Implement consistent process for quarantine of tests + - JDK-8078614: WindowsClassicLookAndFeel MetalComboBoxUI.getbaseLine fails with IllegalArgumentException + - JDK-8080953: [TEST_BUG]Test java/awt/FontClass/DebugFonts.java fails due to wrongly typed bugid + - JDK-8081547: Prepare client libs regression tests for running in a concurrent, headless jtreg environment + - JDK-8129626: G1: set_in_progress() and clear_started() needs a barrier on non-TSO platforms + - JDK-8141457: keytool default cert fingerprint algorithm should be SHA-256 + - JDK-8145051: Wrong parameter name in synthetic lambda method leads to verifier error + - JDK-8150204: (fs) Enhance java/nio/file/Files/probeContentType/Basic.java debugging output + - JDK-8158525: Update a few java/net tests to use the loopback address instead of the host address + - JDK-8160217: JavaSound should clean up resources better + - JDK-8167281: IIOMetadataNode bugs in getElementsByTagName and NodeList.item methods + - JDK-8168996: C2 crash at postaloc.cpp:140 : assert(false) failed: unexpected yanked node + - JDK-8171410: aarch64: long multiplyExact shifts by 31 instead of 63 + - JDK-8172404: Tools should warn if weak algorithms are used before restricting them + - JDK-8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key" + - JDK-8191915: JCK tests produce incorrect results with C2 + - JDK-8198334: java/awt/FileDialog/8003399/bug8003399.java fails in headless mode + - JDK-8202343: Disable TLS 1.0 and 1.1 + - JDK-8209333: Socket reset issue for TLS 1.3 socket close + - JDK-8211301: [macos] support full window content options + - JDK-8211339: NPE during SSL handshake caused by HostnameChecker + - JDK-8216987: ciMethodData::load_data() unpacks MDOs with non-atomic copy + - JDK-8217338: [Containers] Improve systemd slice memory limit support + - JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl + - JDK-8221408: Windows 32bit build build errors/warnings in hotspot + - JDK-8223186: HotSpot compile warnings from GCC 9 + - JDK-8225435: Upgrade IANA Language Subtag Registry to the latest for JDK14 + - JDK-8225805: Java Access Bridge does not close the logger + - JDK-8226899: Problemlist compiler/rtm tests + - JDK-8227642: [TESTBUG] Make docker tests podman compatible + - JDK-8228434: jdk/net/Sockets/Test.java fails after JDK-8227642 + - JDK-8229284: jdk/internal/platform/cgroup/TestCgroupMetrics.java fails for - memory:getMemoryUsage + - JDK-8230388: Problemlist additional compiler/rtm tests + - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR + - JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3 + - JDK-8234728: Some security tests should support TLSv1.3 + - JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions + - JDK-8235311: Tag mismatch may alert bad_record_mac + - JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property. + - JDK-8236500: Windows ucrt.dll should be looked up in versioned WINSDK subdirectory + - JDK-8238579: HttpsURLConnection drops the timeout and hangs forever in read + - JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code. + - JDK-8240353: AArch64: missing support for -XX:+ExtendedDTraceProbes in C1 + - JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE" + - JDK-8242141: New System Properties to configure the TLS signature schemes + - JDK-8244621: [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11 + - JDK-8248336: AArch64: C2: offset overflow in BoxLockNode::emit + - JDK-8249183: JVM crash in "AwtFrame::WmSize" method + - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel + - JDK-8249588: libwindowsaccessbridge issues on 64bit Windows + - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets + - JDK-8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities + - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray + - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows + - JDK-8253368: TLS connection always receives close_notify exception + - JDK-8253476: TestUseContainerSupport.java fails on some Linux kernels w/o swap limit capabilities + - JDK-8253932: SSL debug log prints incorrect caller info + - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations + - JDK-8255880: UI of Swing components is not redrawn after their internal state changed + - JDK-8255908: ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem + - JDK-8255937: Better cleanup for test/jdk/javax/imageio/stream/StreamFlush.java + - JDK-8256421: Add 2 HARICA roots to cacerts truststore + - JDK-8256642: [TEST_BUG] jdk/test/javax/sound/midi/MidiSystem/DefaultProperties.java failed + - JDK-8258079: Eliminate ParNew's use of klass_or_null() + - JDK-8256682: JDK-8202343 is incomplete + - JDK-8257746: Regression introduced with JDK-8250984 - memory might be null in some machines + - JDK-8258241: [8u] Missing doPrivileged() hunks from JDK-8226575 + - JDK-8258247: Couple of issues in fix for JDK-8249906 + - JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk() + - JDK-8258430: 8u backport of JDK-8063107 missing test/javax/swing/JRadioButton/8041561/bug8041561.java changes + - JDK-8258833: Cancel multi-part cipher operations in SunPKCS11 after failures + - JDK-8258933: G1 needs klass_or_null_acquire + - JDK-8259048: (tz) Upgrade time-zone data to tzdata2020f + - JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert will + - JDK-8259384: CUP version wrong in THIRD_PARTY_README after JDK-8233548 + - JDK-8259428: AlgorithmId.getEncodedParams() should return copy + - JDK-8259568: PPC64 builds broken after JDK-8221408 8u backport + - JDK-8260349: Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS + - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a + - JDK-8260930: AARCH64: Invalid value passed to critical JNI function + - JDK-8261183: Follow on to Make lists of normal filenames + - JDK-8261231: Windows IME was disabled after DnD operation + - JDK-8261766: [8u] hotspot needs to recognise cl.exe 19.16 to build with VS2017 + - JDK-8262073: assert(allocates2(pc)) failed: not in CodeBuffer memory + - JDK-8262075: sun/security/krb5/auto/UseCacheAndStoreKey.java timed out intermittently + - JDK-8263008: AARCH64: Add debug info for libsaproc.so + - JDK-8264171: Missing aarch64 parts of JDK-8236179 (C1 register allocation failure with T_ADDRESS) +* Shenandoah + - Normalise whitespace in AArch64 sources prior to merge of upstreamed version in 8u292-b01. + - Revert differences against upstream 8u + - [backport] 8202976: Add C1 lea patching support for x86 + - [backport] 8221507: Implement JFR Events for Shenandoah + - [backport] 8224573: Fix windows build after JDK-8221507 + - [backport] 8228369: Shenandoah: Refactor LRB C1 stubs + - [backport] 8229474: Shenandoah: Cleanup CM::update_roots() + - [backport] 8229709: x86_32 build and test failures after JDK-8228369 (Shenandoah: Refactor LRB C1 stubs) + - [backport] 8231087: Shenandoah: Self-fixing load reference barriers for C1/C2 + - [backport] 8232747: Shenandoah: Concurrent GC should deactivate SATB before processing weak roots + - [backport] 8232992: Shenandoah: Implement self-fixing interpreter LRB + - [backport] 8233021: Shenandoah: SBSC2::is_shenandoah_lrb_call should match all LRB shapes + - [backport] 8233165: Shenandoah:SBSA::gen_load_reference_barrier_stub() should use pointer register for address on aarch64 + - [backport] 8233574: Shenandoah: build is broken without jfr + - [backport] 8237837: Shenandoah: assert(mem == __null) failed: only one safepoint + - [backport] 8238153: CTW: C2 (Shenandoah) compilation fails with "Unknown node in get_load_addr: CreateEx" + - [backport] 8238851: Shenandoah: C1: Resolve into registers of correct type + - [backport] 8240315: Shenandoah: Rename ShLBN::get_barrier_strength() + - [backport] 8240751: Shenandoah: fold ShenandoahTracer definition + - [backport] 8241765: Shenandoah: AARCH64 need to save/restore call clobbered registers before calling keepalive barrier + - [backport] 8244510: Shenandoah: invert SHC2Support::is_in_cset condition + - [backport] 8244663: Shenandoah: C2 assertion fails in Matcher::collect_null_checks + - [backport] 8244721: CTW: C2 (Shenandoah) compilation fails with "unexpected infinite loop graph shape" + - [backport] 8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U + - [backport] 8252660: Shenandoah: support manageable SoftMaxHeapSize option + - [backport] 8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues() + - [backport] 8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads + - [backport] 8255457: Shenandoah: cleanup ShenandoahMarkTask + - [backport] 8255760: Shenandoah: match constants style in ShenandoahMarkTask fallback + - [backport] 8256806: Shenandoah: optimize shenandoah/jni/TestPinnedGarbage.java test + - [backport] 8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false + - Fix register allocation for thread register is 32bit LRB + - Fix Shenandoah bindings in ADLC formssel + - Shenandoah: Backed out weak roots cleaning during full gc + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8260597: Added 2 HARICA Root CA Certificates +================================================ + +The following root certificates have been added to the cacerts truststore: + +Alias Name: haricarootca2015 +Distinguished Name: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR + +Alias Name: haricaeccrootca2015 +Distinguished Name: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR + +JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default +=================================================================================== +Weak named curves are disabled by default by adding them to the +following `disabledAlgorithms` security properties: + +* jdk.tls.disabledAlgorithms +* jdk.certpath.disabledAlgorithms +* jdk.jar.disabledAlgorithms + +Red Hat has always disabled many of the curves provided by upstream, +so the only addition in this release is: + +* secp256k1 + +The curves that remain enabled are: + +* secp256r1 +* secp384r1 +* secp521r1 +* X25519 +* X448 + +When large numbers of weak named curves need to be disabled, adding +individual named curves to each `disabledAlgorithms` property would be +overwhelming. To relieve this, a new security property, +`jdk.disabled.namedCurves`, is implemented that can list the named +curves common to all of the `disabledAlgorithms` properties. To use +the new property in the `disabledAlgorithms` properties, precede the +full property name with the keyword `include`. Users can still add +individual named curves to `disabledAlgorithms` properties separate +from this new property. No other properties can be included in the +`disabledAlgorithms` properties. + +To restore the named curves, remove the `include +jdk.disabled.namedCurves` either from specific or from all +`disabledAlgorithms` security properties. To restore one or more +curves, remove the specific named curve(s) from the +`jdk.disabled.namedCurves` property. + +JDK-8244286: Tools Warn If Weak Algorithms Are Used +=================================================== +The `keytool` and `jarsigner` tools have been updated to warn users +when weak cryptographic algorithms are used in keys, certificates, and +signed JARs before they are disabled. The weak algorithms are set in +the `jdk.security.legacyAlgorithms` security property in the +`java.security` configuration file. In this release, the tools issue +warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys. + +security-libs/javax.net.ssl: + +JDK-8256490: Disable TLS 1.0 and 1.1 +==================================== +TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer +considered secure and have been superseded by more secure and modern +versions (TLS 1.2 and 1.3). + +These versions have now been disabled by default. If you encounter +issues, you can, at your own risk, re-enable the versions by removing +"TLSv1" and/or "TLSv1.1" from the `jdk.tls.disabledAlgorithms` +security property in the `java.security` configuration file. + +JDK-8242147: New System Properties to Configure the TLS Signature Schemes +========================================================================= +Two new system properties have been added to customize the TLS +signature schemes in JDK. `jdk.tls.client.SignatureSchemes` has been +added for the TLS client side, and `jdk.tls.server.SignatureSchemes` +has been added for the server side. + +Each system property contains a comma-separated list of supported +signature scheme names specifying the signature schemes that could be +used for the TLS connections. + +The names are described in the "Signature Schemes" section of the +*Java Security Standard Algorithm Names Specification*. + +tools/javac: + +JDK-8177368: Several incorporation steps are silently failing when an error should be reported +============================================================================================== +Reporting previously silent errors found during incorporation, JLS +8§18.3, was supposed to be a clean-up with performance only +implications. But consider the test case: + +import java.util.Arrays; +import java.util.List; + +class Klass { + public static List> foo(List... lists) { + return foo(Arrays.asList(lists)); + } + + public static List> foo(List> lists) { + return null; + } +} + +This code was not accepted before the patch for [1], but after this +patch the compiler is accepting it. Accepting this code is the right +behavior as not reporting incorporation errors was a bug in the +compiler. While determining the applicability of method: +List> foo(List> lists) for which +we have the constraints: b <: Object t <: List t<:Object +List <: t first, inference variable b is selected for +instantiation: b = CAP1 of ? extends A so this implies that: t <: +List t<: Object List <: t + +Now all the bounds are checked for consistency. While checking if +List is a subtype of List +a bound error is reported. Before the compiler was just swallowing +it. As now the error is reported while inference variable b is being +instantiated, the bound set is rolled back to it's initial state, 'b' +is instantiated to Object, and with this instantiation the constraint +set is solvable, the method is applicable, it's the only applicable +one and the code is accepted as correct. The compiler behavior in this +case is defined at JLS 8 §18.4 + +This fix has source compatibility impact, right now code that wasn't +being accepted is now being accepted by the javac compiler. Currently +there are no reports of any other kind of incompatibility. + +[1] https://bugs.openjdk.java.net/browse/JDK-8078024 + New in release OpenJDK 8u282 (2021-01-19): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java new file mode 100644 index 0000000..06a0b07 --- /dev/null +++ b/SOURCES/TestSecurityProperties.java @@ -0,0 +1,43 @@ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + public static void main(String[] args) { + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println("Debug: Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(new File(propsFile))) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } +} diff --git a/SOURCES/jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch b/SOURCES/jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch index 53bceec..4098bdc 100644 --- a/SOURCES/jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch +++ b/SOURCES/jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch @@ -1,7 +1,7 @@ -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp -@@ -2659,7 +2659,7 @@ +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp Tue Sep 08 22:20:44 2020 -0400 +@@ -2689,7 +2689,7 @@ if (ResizeOldPLAB && CMSOldPLABResizeQuicker) { size_t multiple = _num_blocks[word_sz]/(CMSOldPLABToleranceFactor*CMSOldPLABNumRefills*n_blks); n_blks += CMSOldPLABReactivityFactor*multiple*n_blks; @@ -10,10 +10,10 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSwe } assert(n_blks > 0, "Error"); _cfls->par_get_chunk_of_blocks(word_sz, n_blks, fl); -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp -@@ -957,7 +957,7 @@ +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp Tue Sep 08 22:20:44 2020 -0400 +@@ -961,7 +961,7 @@ if (free_percentage < desired_free_percentage) { size_t desired_capacity = (size_t)(used() / ((double) 1 - desired_free_percentage)); assert(desired_capacity >= capacity(), "invalid expansion size"); @@ -22,7 +22,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSwe if (PrintGCDetails && Verbose) { size_t desired_capacity = (size_t)(used() / ((double) 1 - desired_free_percentage)); gclog_or_tty->print_cr("\nFrom compute_new_size: "); -@@ -6577,7 +6577,7 @@ +@@ -6591,7 +6591,7 @@ HeapWord* curAddr = _markBitMap.startWord(); while (curAddr < _markBitMap.endWord()) { size_t remaining = pointer_delta(_markBitMap.endWord(), curAddr); @@ -31,7 +31,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSwe _markBitMap.clear_large_range(chunk); if (ConcurrentMarkSweepThread::should_yield() && !foregroundGCIsActive() && -@@ -6875,7 +6875,7 @@ +@@ -6889,7 +6889,7 @@ return; } // Double capacity if possible @@ -40,30 +40,34 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSwe // Do not give up existing stack until we have managed to // get the double capacity that we desired. ReservedSpace rs(ReservedSpace::allocation_align_size_up( -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp -@@ -3902,7 +3902,7 @@ +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/concurrentMark.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp Tue Sep 08 22:20:44 2020 -0400 +@@ -3916,7 +3916,7 @@ // of things to do) or totally (at the very end). size_t target_size; if (partially) { - target_size = MIN2((size_t)_task_queue->max_elems()/3, GCDrainStackTargetSize); -+ target_size = MIN2((size_t)(_task_queue->max_elems()/3), (size_t) GCDrainStackTargetSize); ++ target_size = MIN2((size_t)_task_queue->max_elems()/3, (size_t)GCDrainStackTargetSize); } else { target_size = 0; } -@@ -4706,7 +4706,7 @@ - // The > 0 check is to deal with the prev and next live bytes which - // could be 0. - if (*hum_bytes > 0) { -- bytes = MIN2(HeapRegion::GrainBytes, *hum_bytes); -+ bytes = MIN2(HeapRegion::GrainBytes, (size_t)*hum_bytes); - *hum_bytes -= bytes; +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1BiasedArray.hpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp Tue Sep 08 22:20:44 2020 -0400 +@@ -78,7 +78,8 @@ + size_t num_target_elems = pointer_delta(end, bottom, mapping_granularity_in_bytes); + idx_t bias = (uintptr_t)bottom / mapping_granularity_in_bytes; + address base = create_new_base_array(num_target_elems, target_elem_size_in_bytes); +- initialize_base(base, num_target_elems, bias, target_elem_size_in_bytes, log2_intptr(mapping_granularity_in_bytes)); ++ initialize_base(base, num_target_elems, bias, target_elem_size_in_bytes, ++ log2_intptr((uintptr_t)mapping_granularity_in_bytes)); } - return bytes; -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp + + size_t bias() const { return _bias; } +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp Tue Sep 08 22:20:44 2020 -0400 @@ -1729,7 +1729,7 @@ verify_region_sets_optional(); @@ -73,21 +77,33 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHea ergo_verbose1(ErgoHeapSizing, "attempt heap expansion", ergo_format_reason("allocation request failed") -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.cpp -@@ -117,7 +117,7 @@ - return reserved_size() - committed_size(); +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp Tue Sep 08 22:20:44 2020 -0400 +@@ -41,7 +41,7 @@ } --size_t G1PageBasedVirtualSpace::addr_to_page_index(char* addr) const { -+uintptr_t G1PageBasedVirtualSpace::addr_to_page_index(char* addr) const { - return (addr - _low_boundary) / _page_size; - } + size_t G1CMObjArrayProcessor::process_array_slice(objArrayOop obj, HeapWord* start_from, size_t remaining) { +- size_t words_to_scan = MIN2(remaining, ObjArrayMarkingStride); ++ size_t words_to_scan = MIN2(remaining, (size_t)ObjArrayMarkingStride); + + if (remaining > ObjArrayMarkingStride) { + push_array_slice(start_from + ObjArrayMarkingStride); +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.hpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.hpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.hpp Tue Sep 08 22:20:44 2020 -0400 +@@ -89,7 +89,7 @@ + void pretouch_internal(size_t start_page, size_t end_page); + + // Returns the index of the page which contains the given address. +- uintptr_t addr_to_page_index(char* addr) const; ++ size_t addr_to_page_index(char* addr) const; + // Returns the address of the given page index. + char* page_start(size_t index) const; -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp Tue Sep 08 22:20:44 2020 -0400 @@ -38,7 +38,7 @@ _cancel(false), _empty(true), @@ -97,9 +113,9 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQ _queues = NEW_C_HEAP_ARRAY(G1StringDedupWorkerQueue, _nqueues, mtGC); for (size_t i = 0; i < _nqueues; i++) { new (_queues + i) G1StringDedupWorkerQueue(G1StringDedupWorkerQueue::default_segment_size(), _max_cache_size, _max_size); -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp Tue Sep 08 22:20:44 2020 -0400 @@ -120,7 +120,7 @@ }; @@ -109,10 +125,10 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupT _max_list_length(0), _cached(PaddedArray::create_unfreeable((uint)_nlists)), _overflowed(PaddedArray::create_unfreeable((uint)_nlists)) { -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp -@@ -109,7 +109,7 @@ +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/heapRegion.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp Tue Sep 08 22:20:44 2020 -0400 +@@ -110,7 +110,7 @@ if (FLAG_IS_DEFAULT(G1HeapRegionSize)) { size_t average_heap_size = (initial_heap_size + max_heap_size) / 2; region_size = MAX2(average_heap_size / HeapRegionBounds::target_number(), @@ -121,9 +137,9 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp } int region_size_log = log2_long((jlong) region_size); -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp openjdk/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/parNew/parNewGeneration.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp Tue Sep 08 22:20:44 2020 -0400 @@ -194,7 +194,7 @@ const size_t num_overflow_elems = of_stack->size(); const size_t space_available = queue->max_elems() - queue->size(); @@ -133,29 +149,27 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/parNew/parNewGene num_overflow_elems); // Transfer the most recent num_take_elems from the overflow // stack to our work queue. -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp openjdk/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp -@@ -910,8 +910,8 @@ +diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp +--- openjdk.orig/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp Tue Sep 08 22:20:44 2020 -0400 +@@ -912,7 +912,7 @@ + void PSParallelCompact::initialize_dead_wood_limiter() { - const size_t max = 100; -- _dwl_mean = double(MIN2(ParallelOldDeadWoodLimiterMean, max)) / 100.0; -- _dwl_std_dev = double(MIN2(ParallelOldDeadWoodLimiterStdDev, max)) / 100.0; -+ _dwl_mean = double(MIN2((size_t)ParallelOldDeadWoodLimiterMean, max)) / 100.0; -+ _dwl_std_dev = double(MIN2((size_t)ParallelOldDeadWoodLimiterStdDev, max)) / 100.0; +- const size_t max = 100; ++ const uintx max = 100; + _dwl_mean = double(MIN2(ParallelOldDeadWoodLimiterMean, max)) / 100.0; + _dwl_std_dev = double(MIN2(ParallelOldDeadWoodLimiterStdDev, max)) / 100.0; _dwl_first_term = 1.0 / (sqrt(2.0 * M_PI) * _dwl_std_dev); - DEBUG_ONLY(_dwl_initialized = true;) - _dwl_adjustment = normal_distribution(1.0); -diff --git openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp openjdk/hotspot/src/share/vm/memory/collectorPolicy.cpp ---- openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp -+++ openjdk/hotspot/src/share/vm/memory/collectorPolicy.cpp +diff -r 4689eaf1a5c9 src/share/vm/memory/collectorPolicy.cpp +--- openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/memory/collectorPolicy.cpp Tue Sep 08 22:20:44 2020 -0400 @@ -385,7 +385,7 @@ uintx calculated_size = NewSize + OldSize; double shrink_factor = (double) MaxHeapSize / calculated_size; uintx smaller_new_size = align_size_down((uintx)(NewSize * shrink_factor), _gen_alignment); - FLAG_SET_ERGO(uintx, NewSize, MAX2(young_gen_size_lower_bound(), smaller_new_size)); -+ FLAG_SET_ERGO(uintx, NewSize, MAX2(young_gen_size_lower_bound(), (size_t)smaller_new_size)); ++ FLAG_SET_ERGO(uintx, NewSize, MAX2((uintx)young_gen_size_lower_bound(), smaller_new_size)); _initial_gen0_size = NewSize; // OldSize is already aligned because above we aligned MaxHeapSize to @@ -168,7 +182,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp openjdk/ } assert(max_new_size > 0, "All paths should set max_new_size"); -@@ -455,24 +455,23 @@ +@@ -455,23 +455,25 @@ // lower limit. _min_gen0_size = NewSize; desired_new_size = NewSize; @@ -190,15 +204,16 @@ diff --git openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp openjdk/ // NewRatio is overly large, the resulting sizes can be too // small. - _min_gen0_size = MAX2(scale_by_NewRatio_aligned(_min_heap_byte_size), NewSize); -+ _min_gen0_size = MAX2(scale_by_NewRatio_aligned(_min_heap_byte_size), (size_t)NewSize); ++ _min_gen0_size = MAX2(scale_by_NewRatio_aligned(_min_heap_byte_size), ++ (size_t)NewSize); desired_new_size = - MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size), NewSize); -- } -+ MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size), (size_t)NewSize); } ++ MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size), ++ (size_t)NewSize); + } assert(_min_gen0_size > 0, "Sanity check"); - _initial_gen0_size = desired_new_size; -@@ -573,7 +572,7 @@ +@@ -573,7 +575,7 @@ } else { // It's been explicitly set on the command line. Use the // OldSize and then determine the consequences. @@ -207,9 +222,9 @@ diff --git openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp openjdk/ _initial_gen1_size = OldSize; // If the user has explicitly set an OldSize that is inconsistent -diff --git openjdk.orig/hotspot/src/share/vm/memory/metaspace.cpp openjdk/hotspot/src/share/vm/memory/metaspace.cpp ---- openjdk.orig/hotspot/src/share/vm/memory/metaspace.cpp -+++ openjdk/hotspot/src/share/vm/memory/metaspace.cpp +diff -r 4689eaf1a5c9 src/share/vm/memory/metaspace.cpp +--- openjdk.orig/hotspot/src/share/vm/memory/metaspace.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/memory/metaspace.cpp Tue Sep 08 22:20:44 2020 -0400 @@ -1482,7 +1482,7 @@ void MetaspaceGC::post_initialize() { @@ -237,38 +252,18 @@ diff --git openjdk.orig/hotspot/src/share/vm/memory/metaspace.cpp openjdk/hotspo if (PrintGCDetails && Verbose) { gclog_or_tty->print_cr(" " " maximum_free_percentage: %6.2f" -@@ -3361,7 +3361,7 @@ +@@ -3320,7 +3320,7 @@ + // Make the first class chunk bigger than a medium chunk so it's not put // on the medium chunk list. The next chunk will be small and progress // from there. This size calculated by -version. - _first_class_chunk_word_size = MIN2((size_t)MediumChunk*6, -- (CompressedClassSpaceSize/BytesPerWord)*2); -+ (size_t)(CompressedClassSpaceSize/BytesPerWord)*2); +- _first_class_chunk_word_size = MIN2((size_t)MediumChunk*6, ++ _first_class_chunk_word_size = MIN2((uintx)MediumChunk*6, + (CompressedClassSpaceSize/BytesPerWord)*2); _first_class_chunk_word_size = align_word_size_up(_first_class_chunk_word_size); // Arbitrarily set the initial virtual space to a multiple - // of the boot class loader size. -diff --git openjdk.orig/hotspot/src/share/vm/memory/threadLocalAllocBuffer.cpp openjdk/hotspot/src/share/vm/memory/threadLocalAllocBuffer.cpp ---- openjdk.orig/hotspot/src/share/vm/memory/threadLocalAllocBuffer.cpp -+++ openjdk/hotspot/src/share/vm/memory/threadLocalAllocBuffer.cpp -@@ -250,13 +250,13 @@ - size_t init_sz = 0; - - if (TLABSize > 0) { -- init_sz = TLABSize / HeapWordSize; -+ init_sz = (size_t)(TLABSize / HeapWordSize); - } else if (global_stats() != NULL) { - // Initial size is a function of the average number of allocating threads. - unsigned nof_threads = global_stats()->allocating_threads_avg(); - -- init_sz = (Universe::heap()->tlab_capacity(myThread()) / HeapWordSize) / -- (nof_threads * target_refills()); -+ init_sz = (size_t)((Universe::heap()->tlab_capacity(myThread()) / HeapWordSize) / -+ (nof_threads * target_refills())); - init_sz = align_object_size(init_sz); - } - init_sz = MIN2(MAX2(init_sz, min_size()), max_size()); -diff --git openjdk.orig/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp openjdk/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp ---- openjdk.orig/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp -+++ openjdk/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp +diff -r 4689eaf1a5c9 src/share/vm/oops/objArrayKlass.inline.hpp +--- openjdk.orig/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp Tue Sep 08 22:20:44 2020 -0400 @@ -48,7 +48,7 @@ const size_t beg_index = size_t(index); assert(beg_index < len || len == 0, "index too large"); @@ -287,10 +282,10 @@ diff --git openjdk.orig/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp openj const size_t end_index = beg_index + stride; T* const base = (T*)a->base(); T* const beg = base + beg_index; -diff --git openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp openjdk/hotspot/src/share/vm/runtime/arguments.cpp ---- openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp -+++ openjdk/hotspot/src/share/vm/runtime/arguments.cpp -@@ -1289,7 +1289,7 @@ +diff -r 4689eaf1a5c9 src/share/vm/runtime/arguments.cpp +--- openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/runtime/arguments.cpp Tue Sep 08 22:20:44 2020 -0400 +@@ -1301,7 +1301,7 @@ // NewSize was set on the command line and it is larger than // preferred_max_new_size. if (!FLAG_IS_DEFAULT(NewSize)) { // NewSize explicitly set at command-line @@ -299,7 +294,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp openjdk/hotsp } else { FLAG_SET_ERGO(uintx, MaxNewSize, preferred_max_new_size); } -@@ -1314,8 +1314,8 @@ +@@ -1326,8 +1326,8 @@ // Unless explicitly requested otherwise, make young gen // at least min_new, and at most preferred_max_new_size. if (FLAG_IS_DEFAULT(NewSize)) { @@ -310,7 +305,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp openjdk/hotsp if (PrintGCDetails && Verbose) { // Too early to use gclog_or_tty tty->print_cr("CMS ergo set NewSize: " SIZE_FORMAT, NewSize); -@@ -1325,7 +1325,7 @@ +@@ -1337,7 +1337,7 @@ // so it's NewRatio x of NewSize. if (FLAG_IS_DEFAULT(OldSize)) { if (max_heap > NewSize) { @@ -319,25 +314,15 @@ diff --git openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp openjdk/hotsp if (PrintGCDetails && Verbose) { // Too early to use gclog_or_tty tty->print_cr("CMS ergo set OldSize: " SIZE_FORMAT, OldSize); -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp -@@ -41,7 +41,7 @@ +diff -r 4689eaf1a5c9 src/share/vm/runtime/os.cpp +--- openjdk.orig/hotspot/src/share/vm/runtime/os.cpp Mon Aug 31 07:09:56 2020 +0100 ++++ openjdk/hotspot/src/share/vm/runtime/os.cpp Tue Sep 08 22:20:44 2020 -0400 +@@ -1272,7 +1272,7 @@ } - size_t G1CMObjArrayProcessor::process_array_slice(objArrayOop obj, HeapWord* start_from, size_t remaining) { -- size_t words_to_scan = MIN2(remaining, ObjArrayMarkingStride); -+ size_t words_to_scan = MIN2(remaining, (size_t) ObjArrayMarkingStride); - - if (remaining > ObjArrayMarkingStride) { - push_array_slice(start_from + ObjArrayMarkingStride); -diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp ---- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp -+++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp -@@ -150,5 +150,5 @@ - return value; - } - -- return (size_t)1 << (log2_intptr(value) + 1); -+ return (size_t)1 << (log2_intptr((uintptr_t) value) + 1); - } + void os::set_memory_serialize_page(address page) { +- int count = log2_intptr(sizeof(class JavaThread)) - log2_int(64); ++ int count = log2_intptr((uintptr_t)sizeof(class JavaThread)) - log2_int(64); + _mem_serialize_page = (volatile int32_t *)page; + // We initialize the serialization page shift count here + // We assume a cache line size of 64 bytes diff --git a/SOURCES/pr3593-s390_use_z_format_specifier_for_size_t_arguments_as_size_t_not_equals_to_int.patch b/SOURCES/pr3593-s390_use_z_format_specifier_for_size_t_arguments_as_size_t_not_equals_to_int.patch index e1e7214..a980895 100644 --- a/SOURCES/pr3593-s390_use_z_format_specifier_for_size_t_arguments_as_size_t_not_equals_to_int.patch +++ b/SOURCES/pr3593-s390_use_z_format_specifier_for_size_t_arguments_as_size_t_not_equals_to_int.patch @@ -141,3 +141,26 @@ diff --git openjdk.orig/hotspot/src/share/vm/utilities/globalDefinitions.hpp ope #define INTX_FORMAT "%" PRIdPTR #define UINTX_FORMAT "%" PRIuPTR +diff --git openjdk.orig/hotspot/src/share/vm/runtime/memprofiler.cpp openjdk/hotspot/src/share/vm/runtime/memprofiler.cpp +--- openjdk.orig/hotspot/src/share/vm/runtime/memprofiler.cpp ++++ openjdk/hotspot/src/share/vm/runtime/memprofiler.cpp +@@ -117,16 +117,16 @@ + } + + // Print trace line in log +- fprintf(_log_fp, "%6.1f,%5d,%5d," UINTX_FORMAT_W(6) "," UINTX_FORMAT_W(6) ",", ++ fprintf(_log_fp, "%6.1f,%5d,%5d," SIZE_FORMAT_W(6) "," SIZE_FORMAT_W(6) ",", + os::elapsedTime(), + Threads::number_of_threads(), + SystemDictionary::number_of_classes(), + Universe::heap()->used() / K, + Universe::heap()->capacity() / K); + +- fprintf(_log_fp, UINTX_FORMAT_W(6) ",", CodeCache::capacity() / K); ++ fprintf(_log_fp, SIZE_FORMAT_W(6) ",", CodeCache::capacity() / K); + +- fprintf(_log_fp, UINTX_FORMAT_W(6) "," UINTX_FORMAT_W(6) "," UINTX_FORMAT_W(6) "\n", ++ fprintf(_log_fp, SIZE_FORMAT_W(6) "," SIZE_FORMAT_W(6) "," SIZE_FORMAT_W(6) "\n", + handles_memory_usage / K, + resource_memory_usage / K, + OopMapCache::memory_usage() / K); diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch index bdb67b3..4789f0b 100644 --- a/SOURCES/rh1750419-redhat_alt_java.patch +++ b/SOURCES/rh1750419-redhat_alt_java.patch @@ -1,12 +1,13 @@ diff --git openjdk.orig/jdk/make/CompileLaunchers.gmk openjdk/jdk/make/CompileLaunchers.gmk --- openjdk.orig/jdk/make/CompileLaunchers.gmk +++ openjdk/jdk/make/CompileLaunchers.gmk -@@ -255,6 +255,32 @@ +@@ -255,6 +255,33 @@ endif endif ++# -Wno-error=cpp is present to allow commented warning in ifdef part of main.c +$(eval $(call SetupLauncher,alt-java, \ -+ -DEXPAND_CLASSPATH_WILDCARDS -DREDHAT_ALT_JAVA,,,user32.lib comctl32.lib, \ ++ -DEXPAND_CLASSPATH_WILDCARDS -DREDHAT_ALT_JAVA -Wno-error=cpp,,,user32.lib comctl32.lib, \ + $(JDK_OUTPUTDIR)/objs/jli_static.lib, $(JAVA_RC_FLAGS), \ + $(JDK_TOPDIR)/src/windows/resource/java.rc, $(JDK_OUTPUTDIR)/objs/java_objs,true)) + @@ -115,12 +116,16 @@ new file mode 100644 diff --git openjdk.orig/jdk/src/share/bin/main.c openjdk/jdk/src/share/bin/main.c --- openjdk.orig/jdk/src/share/bin/main.c +++ openjdk/jdk/src/share/bin/main.c -@@ -32,6 +32,10 @@ +@@ -32,6 +32,14 @@ #include "defines.h" -+#if defined(linux) && defined(__x86_64) ++#ifdef REDHAT_ALT_JAVA ++#if defined(__linux__) && defined(__x86_64__) +#include "alt_main.h" ++#else ++#warning alt-java requested but SSB mitigation not available on this platform. ++#endif +#endif + #ifdef _MSC_VER diff --git a/SOURCES/rh1868759-pkcs11_cancel_on_failure.patch b/SOURCES/rh1868759-pkcs11_cancel_on_failure.patch deleted file mode 100644 index e578e00..0000000 --- a/SOURCES/rh1868759-pkcs11_cancel_on_failure.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 06:57:19 2020 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 15:56:48 2020 -0300 -@@ -627,7 +627,7 @@ - throw (ShortBufferException) - (new ShortBufferException().initCause(e)); - } -- reset(false); -+ reset(true); - throw new ProviderException("update() failed", e); - } - } -@@ -745,7 +745,7 @@ - throw (ShortBufferException) - (new ShortBufferException().initCause(e)); - } -- reset(false); -+ reset(true); - throw new ProviderException("update() failed", e); - } - } diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch new file mode 100644 index 0000000..1461be8 --- /dev/null +++ b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch @@ -0,0 +1,344 @@ +diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk +--- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk ++++ openjdk/jdk/make/lib/SecurityLibraries.gmk +@@ -289,3 +289,34 @@ + + endif + endif ++ ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \ ++ LIBRARY := systemconf, \ ++ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \ ++ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \ ++ LANG := C, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \ ++ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \ ++ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES))) ++ ++ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF) ++endif ++ +diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers +@@ -0,0 +1,35 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++# Define public interface. ++ ++SUNWprivate_1.1 { ++ global: ++ DEF_JNI_OnLoad; ++ DEF_JNI_OnUnLoad; ++ Java_java_security_SystemConfigurator_getSystemFIPSEnabled; ++ local: ++ *; ++}; +diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java ++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, 2020, Red Hat, Inc. ++ * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * +@@ -30,14 +30,9 @@ + import java.io.FileInputStream; + import java.io.IOException; + +-import java.nio.file.Files; +-import java.nio.file.FileSystems; +-import java.nio.file.Path; +- + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.regex.Pattern; + + import sun.security.util.Debug; + +@@ -59,10 +54,21 @@ + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + +- private static final String CRYPTO_POLICIES_CONFIG = +- CRYPTO_POLICIES_BASE_DIR + "/config"; ++ private static boolean systemFipsEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; + +- private static boolean systemFipsEnabled = false; ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } + + /* + * Invoked when java.security.Security class is initialized, if +@@ -171,17 +177,34 @@ + } + + /* +- * FIPS is enabled only if crypto-policies are set to "FIPS" +- * and the com.redhat.fips property is true. ++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. + */ +- private static boolean enableFips() throws Exception { ++ private static boolean enableFips() throws IOException { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (shouldEnable) { +- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG); +- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath)); +- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } +- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +- return pattern.matcher(cryptoPoliciesConfig).find(); ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } + } else { + return false; + } +diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c +@@ -0,0 +1,168 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++#define MSG_MAX_SIZE 96 ++ ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void throwIOException(JNIEnv *env, const char *msg); ++static void dbgPrint(JNIEnv *env, const char* msg); ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++#ifdef SYSCONF_NSS ++ ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = SECMOD_GetSystemFIPSEnabled(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " SECMOD_GetSystemFIPSEnabled return value"); ++ } ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ ++#else // SYSCONF_NSS ++ ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " read character"); ++ } ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ ++#endif // SYSCONF_NSS ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch new file mode 100644 index 0000000..64d8ac0 --- /dev/null +++ b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch @@ -0,0 +1,152 @@ +diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac +--- openjdk.orig/common/autoconf/configure.ac ++++ openjdk/common/autoconf/configure.ac +@@ -212,6 +212,7 @@ + LIB_SETUP_ALSA + LIB_SETUP_FONTCONFIG + LIB_SETUP_MISC_LIBS ++LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_STATIC_LINK_LIBSTDCPP + LIB_SETUP_ON_WINDOWS + +diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4 +--- openjdk.orig/common/autoconf/libraries.m4 ++++ openjdk/common/autoconf/libraries.m4 +@@ -1067,3 +1067,63 @@ + BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) + fi + ]) ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in +--- openjdk.orig/common/autoconf/spec.gmk.in ++++ openjdk/common/autoconf/spec.gmk.in +@@ -312,6 +312,10 @@ + ALSA_LIBS:=@ALSA_LIBS@ + ALSA_CFLAGS:=@ALSA_CFLAGS@ + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + PACKAGE_PATH=@PACKAGE_PATH@ + + # Source file for cacerts +diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl +--- openjdk.orig/common/bin/compare_exceptions.sh.incl ++++ openjdk/common/bin/compare_exceptions.sh.incl +@@ -280,6 +280,7 @@ + ./jre/lib/i386/libsplashscreen.so + ./jre/lib/i386/libsunec.so + ./jre/lib/i386/libsunwjdga.so ++./jre/lib/i386/libsystemconf.so + ./jre/lib/i386/libt2k.so + ./jre/lib/i386/libunpack.so + ./jre/lib/i386/libverify.so +@@ -433,6 +434,7 @@ + ./jre/lib/amd64/libsplashscreen.so + ./jre/lib/amd64/libsunec.so + ./jre/lib/amd64/libsunwjdga.so ++//jre/lib/amd64/libsystemconf.so + ./jre/lib/amd64/libt2k.so + ./jre/lib/amd64/libunpack.so + ./jre/lib/amd64/libverify.so +@@ -587,6 +589,7 @@ + ./jre/lib/sparc/libsplashscreen.so + ./jre/lib/sparc/libsunec.so + ./jre/lib/sparc/libsunwjdga.so ++./jre/lib/sparc/libsystemconf.so + ./jre/lib/sparc/libt2k.so + ./jre/lib/sparc/libunpack.so + ./jre/lib/sparc/libverify.so +@@ -741,6 +744,7 @@ + ./jre/lib/sparcv9/libsplashscreen.so + ./jre/lib/sparcv9/libsunec.so + ./jre/lib/sparcv9/libsunwjdga.so ++./jre/lib/sparcv9/libsystemconf.so + ./jre/lib/sparcv9/libt2k.so + ./jre/lib/sparcv9/libunpack.so + ./jre/lib/sparcv9/libverify.so +diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml +--- openjdk.orig/common/nb_native/nbproject/configurations.xml ++++ openjdk/common/nb_native/nbproject/configurations.xml +@@ -53,6 +53,9 @@ + jvmtiEnterTrace.cpp + + ++ ++ systemconf.c ++ + + + +@@ -12772,6 +12775,11 @@ + tool="0" + flavor2="0"> + ++ ++ + /dev/null 2>/dev/null %endif -%endif PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then @@ -687,12 +696,10 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/nss.cfg %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/nss.fips.cfg -%ifarch %{jit_arches} -%ifnarch %{power64} +%ifarch %{share_arches} %attr(444, root, root) %ghost %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/server/classes.jsa %attr(444, root, root) %ghost %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/client/classes.jsa %endif -%endif %dir %{etcjavasubdir} %dir %{etcjavadir -- %{?1}} %dir %{etcjavadir -- %{?1}}/lib @@ -736,6 +743,7 @@ exit 0 %endif %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsctp.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsunec.so +%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsystemconf.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libunpack.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libverify.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libzip.so @@ -957,19 +965,19 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ Requires: javapackages-filesystem # Require zoneinfo data provided by tzdata-java subpackage. -# 2020b required as of JDK-8254177 in October CPU -Requires: tzdata-java >= 2020b +# 2021a required as of JDK-8260356 in April CPU +Requires: tzdata-java >= 2021a # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} +%if ! 0%{?flatpak} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression -Requires: copy-jdk-configs >= 3.3 +Requires: copy-jdk-configs >= 4.0 OrderWithRequires: copy-jdk-configs +%endif # for printing support Requires: cups-libs -# for FIPS PKCS11 provider -Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # in version 1.7 and higher for --family switch @@ -1141,8 +1149,14 @@ Source13: TestCryptoLevel.java # Ensure ECDSA is working Source14: TestECDSA.java +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + # nss fips configuration file -Source15: nss.fips.cfg.in +Source17: nss.fips.cfg.in Source20: repackReproduciblePolycies.sh @@ -1150,9 +1164,6 @@ Source20: repackReproduciblePolycies.sh Source100: config.guess Source101: config.sub -# Ensure vendor settings are correct -Source16: CheckVendor.java - ############################################ # # RPM/distribution specific patches @@ -1183,6 +1194,11 @@ Patch1002: rh1760838-fips_default_keystore_type.patch Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch # RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess Patch1005: rh1906862-always_initialise_configurator_access.patch +# RH1929465: Improve system FIPS detection +Patch1006: rh1929465-improve_system_FIPS_detection-root.patch +Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1008: rh1996182-login_to_nss_software_token.patch ############################################# # @@ -1209,8 +1225,6 @@ Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_jav Patch400: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch # PR3655: Allow use of system crypto policy to be disabled by the user Patch401: pr3655-toggle_system_crypto_policy.patch -# RH1868759: FIPS: Ciphers remain in broken state (unusable), after being supplied with wrongly sized buffer -Patch540: rh1868759-pkcs11_cancel_on_failure.patch # enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch @@ -1325,8 +1339,8 @@ BuildRequires: libXinerama-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg -BuildRequires: nss-devel +# Requirements for setting up the nss.cfg and FIPS support +BuildRequires: nss-devel >= 3.53 BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1343,8 +1357,8 @@ BuildRequires: java-1.8.0-openjdk-devel %ifnarch %{jit_arches} BuildRequires: libffi-devel %endif -# 2020b required as of JDK-8254177 in October CPU -BuildRequires: tzdata-java >= 2020b +# 2021a required as of JDK-8260356 in April CPU +BuildRequires: tzdata-java >= 2021a # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1527,7 +1541,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n Summary: %{origin_nice} %{majorver} API documentation Group: Documentation Requires: javapackages-filesystem -Obsoletes: javadoc-debug +Obsoletes: javadoc-slowdebug < 1:1.8.0.212.b04-4 BuildArch: noarch %{java_javadoc_rpo %{nil}} @@ -1539,7 +1553,7 @@ The %{origin_nice} %{majorver} API documentation. Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive Group: Documentation Requires: javapackages-filesystem -Obsoletes: javadoc-zip-debug +Obsoletes: javadoc-zip-slowdebug < 1:1.8.0.212.b04-4 BuildArch: noarch %{java_javadoc_rpo %{nil}} @@ -1614,10 +1628,6 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ echo "You have disabled all builds (normal,fastdebug,debug). That is a no go." exit 14 fi -if [ %{include_normal_build} -eq 0 ] ; then - echo "You have disabled the normal build, but this is required to provide docs for the debug build." - exit 15 -fi echo "Update version: %{updatever}" echo "Build number: %{buildver}" @@ -1680,7 +1690,6 @@ sh %{SOURCE12} %patch574 %patch580 %patch539 -%patch540 # RPM-only fixes %patch600 @@ -1690,6 +1699,9 @@ sh %{SOURCE12} %patch1003 %patch1004 %patch1005 +%patch1006 +%patch1007 +%patch1008 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1749,7 +1761,7 @@ done sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build @@ -1824,6 +1836,7 @@ function buildjdk() { --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ + --enable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=system \ @@ -1916,7 +1929,7 @@ done %check # We test debug first as it will give better diagnostics on a crash -for suffix in %{rev_build_loop} ; do +for suffix in %{build_loop} ; do export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} @@ -1928,10 +1941,25 @@ $JAVA_HOME/bin/java TestCryptoLevel $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") +# Check system crypto (policy) can be disabled +$JAVA_HOME/bin/javac -d . %{SOURCE15} +$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") + # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url} +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + + # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib do @@ -2187,7 +2215,13 @@ done -- whether copy-jdk-configs is installed or not. If so, then configs are copied -- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all local posix = require "posix" -local debug = false + +if (os.getenv("debug") == "true") then + debug = true; + print("cjc: in spec debug is on") +else + debug = false; +end SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" @@ -2215,9 +2249,10 @@ else return end end --- run content of included file with fake args -arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} -require "copy_jdk_configs.lua" +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) %post %{post_script %{nil}} @@ -2389,6 +2424,176 @@ require "copy_jdk_configs.lua" %endif %changelog +* Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-3 +- Add patch to login to the NSS software token when in FIPS mode. +- Resolves: rhbz#1997358 + +* Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-2 +- Fix path to libsystemconf.so on 8u. +- Resolves: rhbz#1971679 + +* Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-2 +- Port FIPS system detection support to OpenJDK 8u +- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. +- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. +- Resolves: rhbz#1971679 + +* Fri Aug 27 2021 Martin Balao - 1:1.8.0.302.b08-2 +- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. +- Resolves: rhbz#1971679 + +* Fri Jul 16 2021 Andrew Hughes - 1:1.8.0.302.b08-1 +- Update to aarch64-shenandoah-jdk8u302-b08 (EA) +- Update release notes for 8u302-b08. +- Switch to GA mode for final release. +- This tarball is embargoed until 2021-07-20 @ 1pm PT. +- Resolves: rhbz#1972395 + +* Thu Jul 08 2021 Andrew Hughes - 1:1.8.0.302.b07-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b07 (EA) +- Update release notes for 8u302-b07. +- Resolves: rhbz#1967812 + +* Tue Jul 06 2021 Andrew Hughes - 1:1.8.0.302.b06-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b06 (EA) +- Update release notes for 8u302-b06. +- Resolves: rhbz#1967812 + +* Tue Jul 06 2021 Andrew Hughes - 1:1.8.0.302.b05-0.2.ea +- Remove restriction on disabling product build, as debug packages no longer have javadoc packages. +- Fix name of javadoc debug packages in Obsoletes declarations and add version where it was removed. +- Resolves: rhbz#1966233 + +* Mon Jul 05 2021 Andrew Hughes - 1:1.8.0.302.b05-0.1.ea +- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. +- Resolves: rhbz#1966233 + +* Fri Jul 02 2021 Andrew Hughes - 1:1.8.0.302.b05-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b05 (EA) +- Update release notes for 8u302-b05. +- Resolves: rhbz#1967812 + +* Wed Jun 30 2021 Andrew Hughes - 1:1.8.0.302.b04-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b04 (EA) +- Update release notes for 8u302-b04. +- Resolves: rhbz#1967812 + +* Tue Jun 29 2021 Andrew Hughes - 1:1.8.0.302.b03-0.3.ea +- Introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched +- Patch600, rh1750419-redhat_alt_java.patch, amended to die, if it is used wrongly +- Introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures +- Resolves: rhbz#1966233 + +* Mon Jun 28 2021 Andrew Hughes - 1:1.8.0.302.b03-0.2.ea +- Re-order source files to sync with Fedora. +- Resolves: rhbz#1966233 + +* Mon Jun 28 2021 Severin Gehwolf - 1:1.8.0.302.b03-0.2.ea +- Add a test verifying system crypto policies can be disabled +- Resolves: rhbz#1966233 + +* Mon Jun 28 2021 Andrew Hughes - 1:1.8.0.302.b03-0.1.ea +- Update to aarch64-shenandoah-jdk8u302-b03-shenandoah-merge-2021-06-23 (EA) +- Update release notes for 8u302-b03-shenandoah-merge-2021-06-23. +- Resolves: rhbz#1967812 + +* Sun Jun 27 2021 Andrew Hughes - 1:1.8.0.302.b03-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b03 (EA) +- Update release notes for 8u302-b03. +- Resolves: rhbz#1967812 + +* Sat Jun 26 2021 Andrew Hughes - 1:1.8.0.302.b02-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b02 (EA) +- Update release notes for 8u302-b02. +- Resolves: rhbz#1967812 + +* Mon Jun 21 2021 Andrew Hughes - 1:1.8.0.302.b01-0.3.ea +- Add ppc64le and aarch64 to fastdebug_arches +- Resolves: rhbz#1969254 + +* Fri Jun 18 2021 Andrew Hughes - 1:1.8.0.302.b01-0.2.ea +- Cleanup architecture handling in preparation for extending set of fastdebug architectures +- Fixed not-including fastdebug build in case of --without fastdebug +- Resolves: rhbz#1969254 + +* Wed Jun 16 2021 Jiri Vanek - 1:1.8.0.302.b01-0.1.ea +- adapted to newst cjc to fix issue with rpm 4.17 +- Disable copy-jdk-configs for Flatpak builds +- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction +- Resolves: rhbz#1953923 + +* Sat May 22 2021 Andrew Hughes - 1:1.8.0.302.b01-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b01 (EA) +- Update release notes for 8u302-b01. +- Switch to EA mode. +- Resolves: rhbz#1967812 + +* Tue Apr 13 2021 Andrew Hughes - 1:1.8.0.292.b10-2 +- Update to aarch64-shenandoah-jdk8u292-b10 (GA) +- Update release notes for 8u292-b10. +- This tarball is embargoed until 2021-04-20 @ 1pm PT. +- Resolves: rhbz#1938201 + +* Tue Apr 13 2021 Andrew Hughes - 1:1.8.0.292.b09-0.2.ea +- Update to aarch64-shenandoah-jdk8u292-b09 (EA) +- Update release notes for 8u292-b09. +- Resolves: rhbz#1942306 + +* Mon Apr 12 2021 Andrew Hughes - 1:1.8.0.292.b08-0.2.ea +- Update to aarch64-shenandoah-jdk8u292-b08 (EA) +- Update release notes for 8u292-b08. +- Require tzdata 2021a due to JDK-8260356 +- Resolves: rhbz#1942306 + +* Mon Apr 12 2021 Andrew Hughes - 1:1.8.0.292.b07-0.2.ea +- Update to aarch64-shenandoah-jdk8u292-b07 (EA) +- Update release notes for 8u292-b07. +- Resolves: rhbz#1942306 + +* Sun Apr 11 2021 Andrew Hughes - 1:1.8.0.292.b06-0.2.ea +- Update to aarch64-shenandoah-jdk8u292-b06 (EA) +- Update release notes for 8u292-b06. +- Require tzdata 2020f due to JDK-8259048 +- Resolves: rhbz#1942306 + +* Sat Apr 10 2021 Andrew Hughes - 1:1.8.0.292.b05-0.3.ea +- Update to aarch64-shenandoah-jdk8u292-b05-shenandoah-merge-2021-03-11 (EA) +- Update release notes for 8u292-b05-shenandoah-merge-2021-03-11. +- Re-organise S/390 patches for upstream submission, separating 8u upstream from Shenandoah fixes. +- Add new formatting case found in memprofiler.cpp on debug builds to PR3593 patch. +- Extend s390 patch to fix issue caused by JDK-8252660 backport and lack of JDK-8188813 in 8u. +- Revise JDK-8252660 s390 failure to make _soft_max_size a jlong so pointer types are accurate. +- Resolves: rhbz#1942306 + +* Fri Apr 09 2021 Andrew Hughes - 1:1.8.0.292.b05-0.2.ea +- Update to aarch64-shenandoah-jdk8u292-b05 (EA) +- Update release notes for 8u292-b05. +- Resolves: rhbz#1942306 + +* Fri Apr 09 2021 Andrew Hughes - 1:1.8.0.292.b04-0.2.ea +- Update to aarch64-shenandoah-jdk8u292-b04 (EA) +- Update release notes for 8u292-b04. +- Resolves: rhbz#1942306 + +* Fri Apr 09 2021 Andrew Hughes - 1:1.8.0.292.b03-0.2.ea +- Update to aarch64-shenandoah-jdk8u292-b03 (EA) +- Update release notes for 8u292-b03. +- Resolves: rhbz#1942306 + +* Sat Mar 27 2021 Andrew Hughes - 1:1.8.0.292.b02-0.2.ea +- Update to aarch64-shenandoah-jdk8u292-b02 (EA) +- Update release notes for 8u292-b02. +- Remove RH1868759 patch as this is now resolved upstream by JDK-8258833. +- Resolves: rhbz#1942306 + +* Thu Mar 25 2021 Andrew Hughes - 1:1.8.0.292.b01-0.2.ea +- Update to aarch64-shenandoah-jdk8u292-b01 (EA) +- Update release notes for 8u292-b01. +- Switch to EA mode. +- Update tarball generation script to use PR3822 which handles + JDK-8233228 & JDK-8035166 changes +- Resolves: rhbz#1942306 + * Wed Feb 17 2021 Stephan Bergmann - 1:1.8.0.282.b08-4 - Resolves: rhbz#1896014 Hardcode /usr/sbin/alternatives for Flatpak builds