diff --git a/.gitignore b/.gitignore
index 831c2a7..06c16b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b05-4curve.tar.xz
+SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b02-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index 30fcc73..b9c2a06 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-4f9408282a6fea81415d1aaf84e1f80fe30e83b0 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b05-4curve.tar.xz
+873cb707016be925eecfe741b891f1f01de48dea SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b02-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index 734417e..3cf6136 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,53 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 8u312 (2021-10-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk8u312
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u312.txt
+
+* Other changes
+ - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection
+ - JDK-8004148: NPE in sun.awt.SunToolkit.getWindowDeactivationTime
+ - JDK-8027154: [TESTBUG] Test java/awt/Mouse/GetMousePositionTest/GetMousePositionWithPopup.java fails
+ - JDK-8035001: TEST_BUG: the retry logic in RMID.start() should check that the subprocess hasn't terminated
+ - JDK-8035424: (reflect) Performance problem in sun.reflect.generics.parser.SignatureParser
+ - JDK-8042557: compiler/uncommontrap/TestSpecTrapClassUnloading.java fails with: GC triggered before VM initialization completed
+ - JDK-8054118: java/net/ipv6tests/UdpTest.java failed intermittently
+ - JDK-8065215: Print warning summary at end of configure
+ - JDK-8072767: DefaultCellEditor for comboBox creates ActionEvent with wrong source object
+ - JDK-8079891: Store configure log in $BUILD/configure.log
+ - JDK-8080082: configure fails if you create an empty directory and then run configure from it
+ - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing
+ - JDK-8134989: java/net/MulticastSocket/TestInterfaces.java failed due to unexpected IP address
+ - JDK-8156584: Initialization race in sun.security.x509.AlgorithmId.get
+ - JDK-8166673: The new implementation of Robot.waitForIdle() may hang
+ - JDK-8170467: (reflect) Optimize SignatureParser's use of StringBuilders
+ - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
+ - JDK-8202837: PBES2 AlgorithmId encoding error in PKCS12 KeyStore
+ - JDK-8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error
+ - JDK-8214418: half-closed SSLEngine status may cause application dead loop
+ - JDK-8214513: A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11
+ - JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr
+ - JDK-8229243: SunPKCS11-Solaris provider tests failing on Solaris 11.4
+ - JDK-8231222: fix pkcs11 P11_DEBUG guarded native traces
+ - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
+ - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print
+ - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
+ - JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
+ - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken.
+ - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test
+ - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
+ - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()
+ - JDK-8263311: Watch registry changes for remote printers update instead of polling
+ - JDK-8265238: [8u] [macos] build failure in OpenJDK8u after JDK-8211301 in older xcode
+ - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
+ - JDK-8265978: make test should look for more locations when searching for exit code
+ - JDK-8269810: [8u] Update generated_configure.sh after JDK-8250876 backport
+ - JDK-8269953: config.log is not in build directory after 8u backport of JDK-8079891
+ - JDK-8271466: StackGap test fails on aarch64 due to "-m64"
+
New in release OpenJDK 8u302 (2021-07-20):
===========================================
Live versions of these release notes can be found at:
@@ -10,6 +57,20 @@ Live versions of these release notes can be found at:
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u302.txt
* Security fixes
+ - JDK-8256157: Improve bytecode assembly
+ - JDK-8256491: Better HTTP transport
+ - JDK-8258432, CVE-2021-2341: Improve file transfers
+ - JDK-8260453: Improve Font Bounding
+ - JDK-8260960: Signs of jarsigner signing
+ - JDK-8260967, CVE-2021-2369: Better jar file validation
+ - JDK-8262380: Enhance XML processing passes
+ - JDK-8262403: Enhanced data transfer
+ - JDK-8262410: Enhanced rules for zones
+ - JDK-8262477: Enhance String Conclusions
+ - JDK-8262967: Improve Zip file support
+ - JDK-8264066, CVE-2021-2388: Enhance compiler validation
+ - JDK-8264079: Improve abstractions
+ - JDK-8264460: Improve NTLM support
* Other changes
- JDK-6878250: (so) IllegalBlockingModeException thrown when reading from a closed SocketChannel's InputStream
- JDK-6990210: [TEST_BUG] EventDispatchThread/HandleExceptionOnEDT/HandleExceptionOnEDT.java fails on gnome
@@ -139,7 +200,12 @@ Live versions of these release notes can be found at:
- JDK-8266929: Unable to use algorithms from 3p providers
- JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
- JDK-8267426: MonitorVmStartTerminate test timed out on Embedded VM
+ - JDK-8267545: [8u] Enable Xcode 12 builds on macOS
- JDK-8267689: [aarch64] Crash due to bad shift in indirect addressing mode
+ - JDK-8268444: keytool -v -list print is incorrect after backport JDK-8141457
+ - JDK-8269388: Default build of OpenJDK 8 fails on newer GCCs with warnings as errors on format-overflow
+ - JDK-8269468: JDK-8269388 breaks the build on older GCCs
+ - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
* Shenandoah
- [backport] JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState
- [backport] JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp
@@ -171,7 +237,7 @@ Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
Alias Name: verisignclass3ca [jdk]
Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
-Alias Name: verisignclass3g2caÂ[jdk]
+Alias Name: verisignclass3g2ca [jdk]
Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Alias Name: verisigntsaca [jdk]
@@ -204,6 +270,10 @@ U+000007F that were previously encoded using UTF-8 may need to either
be modified to perform the UTF-8 conversion, or set the Java security
property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.
+See the updated guide at
+https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html
+for more information.
+
JDK-8244460: Support for certificate_authorities Extension
==========================================================
The "certificate_authorities" extension is an optional extension
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
new file mode 100644
index 0000000..1461be8
--- /dev/null
+++ b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
@@ -0,0 +1,344 @@
+diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk
+--- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk
++++ openjdk/jdk/make/lib/SecurityLibraries.gmk
+@@ -289,3 +289,34 @@
+
+ endif
+ endif
++
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
++ LIBRARY := systemconf, \
++ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
++ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
++ LANG := C, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
++ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
++ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
++
++ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
++endif
++
+diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
+new file mode 100644
+--- /dev/null
++++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
+@@ -0,0 +1,35 @@
++#
++# Copyright (c) 2021, Red Hat, Inc.
++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++#
++# This code is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License version 2 only, as
++# published by the Free Software Foundation. Oracle designates this
++# particular file as subject to the "Classpath" exception as provided
++# by Oracle in the LICENSE file that accompanied this code.
++#
++# This code is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# version 2 for more details (a copy is included in the LICENSE file that
++# accompanied this code).
++#
++# You should have received a copy of the GNU General Public License version
++# 2 along with this work; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++# or visit www.oracle.com if you need additional information or have any
++# questions.
++#
++
++# Define public interface.
++
++SUNWprivate_1.1 {
++ global:
++ DEF_JNI_OnLoad;
++ DEF_JNI_OnUnLoad;
++ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
++ local:
++ *;
++};
+diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2019, 2020, Red Hat, Inc.
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+@@ -30,14 +30,9 @@
+ import java.io.FileInputStream;
+ import java.io.IOException;
+
+-import java.nio.file.Files;
+-import java.nio.file.FileSystems;
+-import java.nio.file.Path;
+-
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.regex.Pattern;
+
+ import sun.security.util.Debug;
+
+@@ -59,10 +54,21 @@
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+- private static final String CRYPTO_POLICIES_CONFIG =
+- CRYPTO_POLICIES_BASE_DIR + "/config";
++ private static boolean systemFipsEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
+
+- private static boolean systemFipsEnabled = false;
++ static {
++ AccessController.doPrivileged(new PrivilegedAction<Void>() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+@@ -171,17 +177,34 @@
+ }
+
+ /*
+- * FIPS is enabled only if crypto-policies are set to "FIPS"
+- * and the com.redhat.fips property is true.
++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
++ * system property is true (default) and the system is in FIPS mode.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
+ */
+- private static boolean enableFips() throws Exception {
++ private static boolean enableFips() throws IOException {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
+- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
+- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
+- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+- return pattern.matcher(cryptoPoliciesConfig).find();
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ shouldEnable = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + shouldEnable);
++ }
++ return shouldEnable;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
+ } else {
+ return false;
+ }
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+new file mode 100644
+--- /dev/null
++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -0,0 +1,168 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <dlfcn.h>
++#include <jni.h>
++#include <jni_util.h>
++#include <stdio.h>
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++#define MSG_MAX_SIZE 96
++
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void throwIOException(JNIEnv *env, const char *msg);
++static void dbgPrint(JNIEnv *env, const char* msg);
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++#ifdef SYSCONF_NSS
++
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = SECMOD_GetSystemFIPSEnabled();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " SECMOD_GetSystemFIPSEnabled return value");
++ }
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++
++#else // SYSCONF_NSS
++
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " read character");
++ }
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++
++#endif // SYSCONF_NSS
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
new file mode 100644
index 0000000..64d8ac0
--- /dev/null
+++ b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
@@ -0,0 +1,152 @@
+diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac
+--- openjdk.orig/common/autoconf/configure.ac
++++ openjdk/common/autoconf/configure.ac
+@@ -212,6 +212,7 @@
+ LIB_SETUP_ALSA
+ LIB_SETUP_FONTCONFIG
+ LIB_SETUP_MISC_LIBS
++LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_STATIC_LINK_LIBSTDCPP
+ LIB_SETUP_ON_WINDOWS
+
+diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
+--- openjdk.orig/common/autoconf/libraries.m4
++++ openjdk/common/autoconf/libraries.m4
+@@ -1067,3 +1067,63 @@
+ BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
+ fi
+ ])
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in
+--- openjdk.orig/common/autoconf/spec.gmk.in
++++ openjdk/common/autoconf/spec.gmk.in
+@@ -312,6 +312,10 @@
+ ALSA_LIBS:=@ALSA_LIBS@
+ ALSA_CFLAGS:=@ALSA_CFLAGS@
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ PACKAGE_PATH=@PACKAGE_PATH@
+
+ # Source file for cacerts
+diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl
+--- openjdk.orig/common/bin/compare_exceptions.sh.incl
++++ openjdk/common/bin/compare_exceptions.sh.incl
+@@ -280,6 +280,7 @@
+ ./jre/lib/i386/libsplashscreen.so
+ ./jre/lib/i386/libsunec.so
+ ./jre/lib/i386/libsunwjdga.so
++./jre/lib/i386/libsystemconf.so
+ ./jre/lib/i386/libt2k.so
+ ./jre/lib/i386/libunpack.so
+ ./jre/lib/i386/libverify.so
+@@ -433,6 +434,7 @@
+ ./jre/lib/amd64/libsplashscreen.so
+ ./jre/lib/amd64/libsunec.so
+ ./jre/lib/amd64/libsunwjdga.so
++//jre/lib/amd64/libsystemconf.so
+ ./jre/lib/amd64/libt2k.so
+ ./jre/lib/amd64/libunpack.so
+ ./jre/lib/amd64/libverify.so
+@@ -587,6 +589,7 @@
+ ./jre/lib/sparc/libsplashscreen.so
+ ./jre/lib/sparc/libsunec.so
+ ./jre/lib/sparc/libsunwjdga.so
++./jre/lib/sparc/libsystemconf.so
+ ./jre/lib/sparc/libt2k.so
+ ./jre/lib/sparc/libunpack.so
+ ./jre/lib/sparc/libverify.so
+@@ -741,6 +744,7 @@
+ ./jre/lib/sparcv9/libsplashscreen.so
+ ./jre/lib/sparcv9/libsunec.so
+ ./jre/lib/sparcv9/libsunwjdga.so
++./jre/lib/sparcv9/libsystemconf.so
+ ./jre/lib/sparcv9/libt2k.so
+ ./jre/lib/sparcv9/libunpack.so
+ ./jre/lib/sparcv9/libverify.so
+diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml
+--- openjdk.orig/common/nb_native/nbproject/configurations.xml
++++ openjdk/common/nb_native/nbproject/configurations.xml
+@@ -53,6 +53,9 @@
+ <in>jvmtiEnterTrace.cpp</in>
+ </df>
+ </df>
++ <df name="libsystemconf">
++ <in>systemconf.c</in>
++ </df>
+ </df>
+ </df>
+ <df name="jdk">
+@@ -12772,6 +12775,11 @@
+ tool="0"
+ flavor2="0">
+ </item>
++ <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
++ ex="false"
++ tool="0"
++ flavor2="0">
++ </item>
+ <item path="../../jdk/src/share/native/java/util/TimeZone.c"
+ ex="false"
+ tool="0"
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..341e092
--- /dev/null
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
@@ -0,0 +1,55 @@
+# HG changeset patch
+# User mbalao
+# Date 1630103180 -3600
+# Fri Aug 27 23:26:20 2021 +0100
+# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
+# Parent c90394a76ee02a689f95199559d5724824b4b25e
+RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+
++import sun.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+
+@@ -58,6 +60,9 @@
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -368,6 +373,24 @@
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 3db5b1f..f7040ce 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -118,10 +118,8 @@
%endif
# If you disable both builds, then the build fails
-# Note that the debug build requires the normal build for docs
-%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build}
-# Test slowdebug first as it provides the best diagnostics
-%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
%ifarch %{bootstrap_arches}
%global bootstrap_build 1
@@ -163,7 +161,7 @@
# as to why some libraries *cannot* be excluded. In particular,
# these are:
# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so
-%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
+%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
%global __provides_exclude ^(%{_privatelibs})$
%global __requires_exclude ^(%{_privatelibs})$
@@ -265,7 +263,7 @@
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
%global shenandoah_project aarch64-port
%global shenandoah_repo jdk8u-shenandoah
-%global shenandoah_revision aarch64-shenandoah-jdk8u302-b05
+%global shenandoah_revision aarch64-shenandoah-jdk8u312-b02
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
%global repo %{shenandoah_repo}
@@ -281,7 +279,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease 0
+%global rpmrelease 1
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -745,6 +743,7 @@ exit 0
%endif
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsctp.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsunec.so
+%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsystemconf.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libunpack.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libverify.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libzip.so
@@ -979,8 +978,6 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
-# for FIPS PKCS11 provider
-Requires: nss
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# in version 1.7 and higher for --family switch
@@ -1197,6 +1194,11 @@ Patch1002: rh1760838-fips_default_keystore_type.patch
Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
Patch1005: rh1906862-always_initialise_configurator_access.patch
+# RH1929465: Improve system FIPS detection
+Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
+Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1008: rh1996182-login_to_nss_software_token.patch
#############################################
#
@@ -1337,8 +1339,8 @@ BuildRequires: libXinerama-devel
BuildRequires: libXrender-devel
BuildRequires: libXt-devel
BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg
-BuildRequires: nss-devel
+# Requirements for setting up the nss.cfg and FIPS support
+BuildRequires: nss-devel >= 3.53
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -1539,7 +1541,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n
Summary: %{origin_nice} %{majorver} API documentation
Group: Documentation
Requires: javapackages-filesystem
-Obsoletes: javadoc-debug
+Obsoletes: javadoc-slowdebug < 1:1.8.0.212.b04-4
BuildArch: noarch
%{java_javadoc_rpo %{nil}}
@@ -1551,7 +1553,7 @@ The %{origin_nice} %{majorver} API documentation.
Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive
Group: Documentation
Requires: javapackages-filesystem
-Obsoletes: javadoc-zip-debug
+Obsoletes: javadoc-zip-slowdebug < 1:1.8.0.212.b04-4
BuildArch: noarch
%{java_javadoc_rpo %{nil}}
@@ -1626,10 +1628,6 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ
echo "You have disabled all builds (normal,fastdebug,debug). That is a no go."
exit 14
fi
-if [ %{include_normal_build} -eq 0 ] ; then
- echo "You have disabled the normal build, but this is required to provide docs for the debug build."
- exit 15
-fi
echo "Update version: %{updatever}"
echo "Build number: %{buildver}"
@@ -1701,6 +1699,9 @@ sh %{SOURCE12}
%patch1003
%patch1004
%patch1005
+%patch1006
+%patch1007
+%patch1008
# RHEL-only patches
%if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -1835,6 +1836,7 @@ function buildjdk() {
--with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
+ --enable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-libjpeg=system \
@@ -1927,7 +1929,7 @@ done
%check
# We test debug first as it will give better diagnostics on a crash
-for suffix in %{rev_build_loop} ; do
+for suffix in %{build_loop} ; do
export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
@@ -2422,6 +2424,66 @@ cjc.mainProgram(args)
%endif
%changelog
+* Sun Sep 19 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b02-0.1.ea
+- Update to aarch64-shenandoah-jdk8u312-b02 (EA)
+- Update release notes for 8u312-b02.
+- Related: rhbz#1999937
+
+* Mon Sep 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b01-0.1.ea
+- Update to aarch64-shenandoah-jdk8u312-b01 (EA)
+- Update release notes for 8u312-b01.
+- Switch to EA mode.
+- Remove "-clean" suffix as no 8u312 builds are unclean.
+- Related: rhbz#1999937
+
+* Fri Sep 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-4
+- Remove non-Free test and demo files from source tarball.
+- Related: rhbz#1999937
+
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-3
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997358
+
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-2
+- Fix path to libsystemconf.so on 8u.
+- Resolves: rhbz#1971679
+
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-2
+- Port FIPS system detection support to OpenJDK 8u
+- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
+- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
+- Resolves: rhbz#1971679
+
+* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:1.8.0.302.b08-2
+- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
+- Resolves: rhbz#1971679
+
+* Fri Jul 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-1
+- Update to aarch64-shenandoah-jdk8u302-b08 (EA)
+- Update release notes for 8u302-b08.
+- Switch to GA mode for final release.
+- This tarball is embargoed until 2021-07-20 @ 1pm PT.
+- Resolves: rhbz#1972395
+
+* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b07-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b07 (EA)
+- Update release notes for 8u302-b07.
+- Resolves: rhbz#1967812
+
+* Tue Jul 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b06-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b06 (EA)
+- Update release notes for 8u302-b06.
+- Resolves: rhbz#1967812
+
+* Tue Jul 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.2.ea
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Fix name of javadoc debug packages in Obsoletes declarations and add version where it was removed.
+- Resolves: rhbz#1966233
+
+* Mon Jul 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.1.ea
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Resolves: rhbz#1966233
+
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.0.ea
- Update to aarch64-shenandoah-jdk8u302-b05 (EA)
- Update release notes for 8u302-b05.