diff --git a/.gitignore b/.gitignore index 831c2a7..06c16b8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b05-4curve.tar.xz +SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b02-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 30fcc73..b9c2a06 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -4f9408282a6fea81415d1aaf84e1f80fe30e83b0 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b05-4curve.tar.xz +873cb707016be925eecfe741b891f1f01de48dea SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b02-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 734417e..3cf6136 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,53 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u312 (2021-10-19): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk8u312 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u312.txt + +* Other changes + - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection + - JDK-8004148: NPE in sun.awt.SunToolkit.getWindowDeactivationTime + - JDK-8027154: [TESTBUG] Test java/awt/Mouse/GetMousePositionTest/GetMousePositionWithPopup.java fails + - JDK-8035001: TEST_BUG: the retry logic in RMID.start() should check that the subprocess hasn't terminated + - JDK-8035424: (reflect) Performance problem in sun.reflect.generics.parser.SignatureParser + - JDK-8042557: compiler/uncommontrap/TestSpecTrapClassUnloading.java fails with: GC triggered before VM initialization completed + - JDK-8054118: java/net/ipv6tests/UdpTest.java failed intermittently + - JDK-8065215: Print warning summary at end of configure + - JDK-8072767: DefaultCellEditor for comboBox creates ActionEvent with wrong source object + - JDK-8079891: Store configure log in $BUILD/configure.log + - JDK-8080082: configure fails if you create an empty directory and then run configure from it + - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing + - JDK-8134989: java/net/MulticastSocket/TestInterfaces.java failed due to unexpected IP address + - JDK-8156584: Initialization race in sun.security.x509.AlgorithmId.get + - JDK-8166673: The new implementation of Robot.waitForIdle() may hang + - JDK-8170467: (reflect) Optimize SignatureParser's use of StringBuilders + - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails + - JDK-8202837: PBES2 AlgorithmId encoding error in PKCS12 KeyStore + - JDK-8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error + - JDK-8214418: half-closed SSLEngine status may cause application dead loop + - JDK-8214513: A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11 + - JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr + - JDK-8229243: SunPKCS11-Solaris provider tests failing on Solaris 11.4 + - JDK-8231222: fix pkcs11 P11_DEBUG guarded native traces + - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers + - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print + - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) + - JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available + - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken. + - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test + - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space" + - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames() + - JDK-8263311: Watch registry changes for remote printers update instead of polling + - JDK-8265238: [8u] [macos] build failure in OpenJDK8u after JDK-8211301 in older xcode + - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container + - JDK-8265978: make test should look for more locations when searching for exit code + - JDK-8269810: [8u] Update generated_configure.sh after JDK-8250876 backport + - JDK-8269953: config.log is not in build directory after 8u backport of JDK-8079891 + - JDK-8271466: StackGap test fails on aarch64 due to "-m64" + New in release OpenJDK 8u302 (2021-07-20): =========================================== Live versions of these release notes can be found at: @@ -10,6 +57,20 @@ Live versions of these release notes can be found at: * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u302.txt * Security fixes + - JDK-8256157: Improve bytecode assembly + - JDK-8256491: Better HTTP transport + - JDK-8258432, CVE-2021-2341: Improve file transfers + - JDK-8260453: Improve Font Bounding + - JDK-8260960: Signs of jarsigner signing + - JDK-8260967, CVE-2021-2369: Better jar file validation + - JDK-8262380: Enhance XML processing passes + - JDK-8262403: Enhanced data transfer + - JDK-8262410: Enhanced rules for zones + - JDK-8262477: Enhance String Conclusions + - JDK-8262967: Improve Zip file support + - JDK-8264066, CVE-2021-2388: Enhance compiler validation + - JDK-8264079: Improve abstractions + - JDK-8264460: Improve NTLM support * Other changes - JDK-6878250: (so) IllegalBlockingModeException thrown when reading from a closed SocketChannel's InputStream - JDK-6990210: [TEST_BUG] EventDispatchThread/HandleExceptionOnEDT/HandleExceptionOnEDT.java fails on gnome @@ -139,7 +200,12 @@ Live versions of these release notes can be found at: - JDK-8266929: Unable to use algorithms from 3p providers - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash - JDK-8267426: MonitorVmStartTerminate test timed out on Embedded VM + - JDK-8267545: [8u] Enable Xcode 12 builds on macOS - JDK-8267689: [aarch64] Crash due to bad shift in indirect addressing mode + - JDK-8268444: keytool -v -list print is incorrect after backport JDK-8141457 + - JDK-8269388: Default build of OpenJDK 8 fails on newer GCCs with warnings as errors on format-overflow + - JDK-8269468: JDK-8269388 breaks the build on older GCCs + - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS * Shenandoah - [backport] JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState - [backport] JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp @@ -171,7 +237,7 @@ Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For Alias Name: verisignclass3ca [jdk] Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US -Alias Name: verisignclass3g2caÂ[jdk] +Alias Name: verisignclass3g2ca [jdk] Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US Alias Name: verisigntsaca [jdk] @@ -204,6 +270,10 @@ U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior. +See the updated guide at +https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html +for more information. + JDK-8244460: Support for certificate_authorities Extension ========================================================== The "certificate_authorities" extension is an optional extension diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch new file mode 100644 index 0000000..1461be8 --- /dev/null +++ b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch @@ -0,0 +1,344 @@ +diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk +--- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk ++++ openjdk/jdk/make/lib/SecurityLibraries.gmk +@@ -289,3 +289,34 @@ + + endif + endif ++ ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \ ++ LIBRARY := systemconf, \ ++ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \ ++ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \ ++ LANG := C, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \ ++ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \ ++ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES))) ++ ++ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF) ++endif ++ +diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers +@@ -0,0 +1,35 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++# Define public interface. ++ ++SUNWprivate_1.1 { ++ global: ++ DEF_JNI_OnLoad; ++ DEF_JNI_OnUnLoad; ++ Java_java_security_SystemConfigurator_getSystemFIPSEnabled; ++ local: ++ *; ++}; +diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java ++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, 2020, Red Hat, Inc. ++ * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * +@@ -30,14 +30,9 @@ + import java.io.FileInputStream; + import java.io.IOException; + +-import java.nio.file.Files; +-import java.nio.file.FileSystems; +-import java.nio.file.Path; +- + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.regex.Pattern; + + import sun.security.util.Debug; + +@@ -59,10 +54,21 @@ + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + +- private static final String CRYPTO_POLICIES_CONFIG = +- CRYPTO_POLICIES_BASE_DIR + "/config"; ++ private static boolean systemFipsEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; + +- private static boolean systemFipsEnabled = false; ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } + + /* + * Invoked when java.security.Security class is initialized, if +@@ -171,17 +177,34 @@ + } + + /* +- * FIPS is enabled only if crypto-policies are set to "FIPS" +- * and the com.redhat.fips property is true. ++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. + */ +- private static boolean enableFips() throws Exception { ++ private static boolean enableFips() throws IOException { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (shouldEnable) { +- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG); +- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath)); +- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } +- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +- return pattern.matcher(cryptoPoliciesConfig).find(); ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } + } else { + return false; + } +diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c +@@ -0,0 +1,168 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++#define MSG_MAX_SIZE 96 ++ ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void throwIOException(JNIEnv *env, const char *msg); ++static void dbgPrint(JNIEnv *env, const char* msg); ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++#ifdef SYSCONF_NSS ++ ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = SECMOD_GetSystemFIPSEnabled(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " SECMOD_GetSystemFIPSEnabled return value"); ++ } ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ ++#else // SYSCONF_NSS ++ ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " read character"); ++ } ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ ++#endif // SYSCONF_NSS ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch new file mode 100644 index 0000000..64d8ac0 --- /dev/null +++ b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch @@ -0,0 +1,152 @@ +diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac +--- openjdk.orig/common/autoconf/configure.ac ++++ openjdk/common/autoconf/configure.ac +@@ -212,6 +212,7 @@ + LIB_SETUP_ALSA + LIB_SETUP_FONTCONFIG + LIB_SETUP_MISC_LIBS ++LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_STATIC_LINK_LIBSTDCPP + LIB_SETUP_ON_WINDOWS + +diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4 +--- openjdk.orig/common/autoconf/libraries.m4 ++++ openjdk/common/autoconf/libraries.m4 +@@ -1067,3 +1067,63 @@ + BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) + fi + ]) ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in +--- openjdk.orig/common/autoconf/spec.gmk.in ++++ openjdk/common/autoconf/spec.gmk.in +@@ -312,6 +312,10 @@ + ALSA_LIBS:=@ALSA_LIBS@ + ALSA_CFLAGS:=@ALSA_CFLAGS@ + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + PACKAGE_PATH=@PACKAGE_PATH@ + + # Source file for cacerts +diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl +--- openjdk.orig/common/bin/compare_exceptions.sh.incl ++++ openjdk/common/bin/compare_exceptions.sh.incl +@@ -280,6 +280,7 @@ + ./jre/lib/i386/libsplashscreen.so + ./jre/lib/i386/libsunec.so + ./jre/lib/i386/libsunwjdga.so ++./jre/lib/i386/libsystemconf.so + ./jre/lib/i386/libt2k.so + ./jre/lib/i386/libunpack.so + ./jre/lib/i386/libverify.so +@@ -433,6 +434,7 @@ + ./jre/lib/amd64/libsplashscreen.so + ./jre/lib/amd64/libsunec.so + ./jre/lib/amd64/libsunwjdga.so ++//jre/lib/amd64/libsystemconf.so + ./jre/lib/amd64/libt2k.so + ./jre/lib/amd64/libunpack.so + ./jre/lib/amd64/libverify.so +@@ -587,6 +589,7 @@ + ./jre/lib/sparc/libsplashscreen.so + ./jre/lib/sparc/libsunec.so + ./jre/lib/sparc/libsunwjdga.so ++./jre/lib/sparc/libsystemconf.so + ./jre/lib/sparc/libt2k.so + ./jre/lib/sparc/libunpack.so + ./jre/lib/sparc/libverify.so +@@ -741,6 +744,7 @@ + ./jre/lib/sparcv9/libsplashscreen.so + ./jre/lib/sparcv9/libsunec.so + ./jre/lib/sparcv9/libsunwjdga.so ++./jre/lib/sparcv9/libsystemconf.so + ./jre/lib/sparcv9/libt2k.so + ./jre/lib/sparcv9/libunpack.so + ./jre/lib/sparcv9/libverify.so +diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml +--- openjdk.orig/common/nb_native/nbproject/configurations.xml ++++ openjdk/common/nb_native/nbproject/configurations.xml +@@ -53,6 +53,9 @@ + jvmtiEnterTrace.cpp + + ++ ++ systemconf.c ++ + + + +@@ -12772,6 +12775,11 @@ + tool="0" + flavor2="0"> + ++ ++ + b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 0 +%global rpmrelease 1 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -745,6 +743,7 @@ exit 0 %endif %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsctp.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsunec.so +%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsystemconf.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libunpack.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libverify.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libzip.so @@ -979,8 +978,6 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs -# for FIPS PKCS11 provider -Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # in version 1.7 and higher for --family switch @@ -1197,6 +1194,11 @@ Patch1002: rh1760838-fips_default_keystore_type.patch Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch # RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess Patch1005: rh1906862-always_initialise_configurator_access.patch +# RH1929465: Improve system FIPS detection +Patch1006: rh1929465-improve_system_FIPS_detection-root.patch +Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1008: rh1996182-login_to_nss_software_token.patch ############################################# # @@ -1337,8 +1339,8 @@ BuildRequires: libXinerama-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg -BuildRequires: nss-devel +# Requirements for setting up the nss.cfg and FIPS support +BuildRequires: nss-devel >= 3.53 BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1539,7 +1541,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n Summary: %{origin_nice} %{majorver} API documentation Group: Documentation Requires: javapackages-filesystem -Obsoletes: javadoc-debug +Obsoletes: javadoc-slowdebug < 1:1.8.0.212.b04-4 BuildArch: noarch %{java_javadoc_rpo %{nil}} @@ -1551,7 +1553,7 @@ The %{origin_nice} %{majorver} API documentation. Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive Group: Documentation Requires: javapackages-filesystem -Obsoletes: javadoc-zip-debug +Obsoletes: javadoc-zip-slowdebug < 1:1.8.0.212.b04-4 BuildArch: noarch %{java_javadoc_rpo %{nil}} @@ -1626,10 +1628,6 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ echo "You have disabled all builds (normal,fastdebug,debug). That is a no go." exit 14 fi -if [ %{include_normal_build} -eq 0 ] ; then - echo "You have disabled the normal build, but this is required to provide docs for the debug build." - exit 15 -fi echo "Update version: %{updatever}" echo "Build number: %{buildver}" @@ -1701,6 +1699,9 @@ sh %{SOURCE12} %patch1003 %patch1004 %patch1005 +%patch1006 +%patch1007 +%patch1008 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1835,6 +1836,7 @@ function buildjdk() { --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ + --enable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=system \ @@ -1927,7 +1929,7 @@ done %check # We test debug first as it will give better diagnostics on a crash -for suffix in %{rev_build_loop} ; do +for suffix in %{build_loop} ; do export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} @@ -2422,6 +2424,66 @@ cjc.mainProgram(args) %endif %changelog +* Sun Sep 19 2021 Andrew Hughes - 1:1.8.0.312.b02-0.1.ea +- Update to aarch64-shenandoah-jdk8u312-b02 (EA) +- Update release notes for 8u312-b02. +- Related: rhbz#1999937 + +* Mon Sep 13 2021 Andrew Hughes - 1:1.8.0.312.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u312-b01 (EA) +- Update release notes for 8u312-b01. +- Switch to EA mode. +- Remove "-clean" suffix as no 8u312 builds are unclean. +- Related: rhbz#1999937 + +* Fri Sep 10 2021 Andrew Hughes - 1:1.8.0.302.b08-4 +- Remove non-Free test and demo files from source tarball. +- Related: rhbz#1999937 + +* Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-3 +- Add patch to login to the NSS software token when in FIPS mode. +- Resolves: rhbz#1997358 + +* Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-2 +- Fix path to libsystemconf.so on 8u. +- Resolves: rhbz#1971679 + +* Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-2 +- Port FIPS system detection support to OpenJDK 8u +- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. +- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. +- Resolves: rhbz#1971679 + +* Fri Aug 27 2021 Martin Balao - 1:1.8.0.302.b08-2 +- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. +- Resolves: rhbz#1971679 + +* Fri Jul 16 2021 Andrew Hughes - 1:1.8.0.302.b08-1 +- Update to aarch64-shenandoah-jdk8u302-b08 (EA) +- Update release notes for 8u302-b08. +- Switch to GA mode for final release. +- This tarball is embargoed until 2021-07-20 @ 1pm PT. +- Resolves: rhbz#1972395 + +* Thu Jul 08 2021 Andrew Hughes - 1:1.8.0.302.b07-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b07 (EA) +- Update release notes for 8u302-b07. +- Resolves: rhbz#1967812 + +* Tue Jul 06 2021 Andrew Hughes - 1:1.8.0.302.b06-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b06 (EA) +- Update release notes for 8u302-b06. +- Resolves: rhbz#1967812 + +* Tue Jul 06 2021 Andrew Hughes - 1:1.8.0.302.b05-0.2.ea +- Remove restriction on disabling product build, as debug packages no longer have javadoc packages. +- Fix name of javadoc debug packages in Obsoletes declarations and add version where it was removed. +- Resolves: rhbz#1966233 + +* Mon Jul 05 2021 Andrew Hughes - 1:1.8.0.302.b05-0.1.ea +- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. +- Resolves: rhbz#1966233 + * Fri Jul 02 2021 Andrew Hughes - 1:1.8.0.302.b05-0.0.ea - Update to aarch64-shenandoah-jdk8u302-b05 (EA) - Update release notes for 8u302-b05.