diff --git a/.gitignore b/.gitignore
index cf98633..0492ba8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u272-b10-4curve.tar.xz
+SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u275-b01-4curve.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index d554ae2..0ebcc7c 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-6fdff31687c0ac7a4dd7f49619748c7209602cb1 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u272-b10-4curve.tar.xz
+757112cab68326cd4b4329ea6c8833ae696d837c SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u275-b01-4curve.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index 1c1d679..0a93663 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,18 @@ Key:
 JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 8u275 (2020-11-05):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk8u275
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u275.txt
+
+* Regression fixes
+ - JDK-8214440: ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate"
+ - JDK-8223940: Private key not supported by chosen signature algorithm
+ - JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
+ - JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
+
 New in release OpenJDK 8u272 (2020-10-20):
 ===========================================
 Live versions of these release notes can be found at:
diff --git a/SOURCES/jdk8236512-rh1889414-pkcs11_incorrrect_session_closure.patch b/SOURCES/jdk8236512-rh1889414-pkcs11_incorrrect_session_closure.patch
deleted file mode 100644
index f99fb13..0000000
--- a/SOURCES/jdk8236512-rh1889414-pkcs11_incorrrect_session_closure.patch
+++ /dev/null
@@ -1,467 +0,0 @@
-# HG changeset patch
-# User valeriep
-# Date 1581468987 0
-# Wed Feb 12 00:56:27 2020 +0000
-# Node ID e47d22d82b0464720ccb7641e290080972b6ce88
-# Parent 5c41dc4c48f85e5a1e1ce6e3836b54674f273367
-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
-Summary: Removed killSession() calls in certain impl classes when cancelling operations
-Reviewed-by: xuelei
-
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11AEADCipher.java 2020-10-08 06:03:20.018533399 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11AEADCipher.java 2020-10-08 06:03:19.908532219 +0100
-@@ -1,4 +1,5 @@
--/* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
-+/*
-+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
-@@ -331,25 +332,25 @@
- }
-
- private void cancelOperation() {
-+ // cancel operation by finishing it; avoid killSession as some
-+ // hardware vendors may require re-login
-+ int bufLen = doFinalLength(0);
-+ byte[] buffer = new byte[bufLen];
-+ byte[] in = dataBuffer.toByteArray();
-+ int inLen = in.length;
- try {
-- if (session.hasObjects() == false) {
-- session = token.killSession(session);
-- return;
-+ if (encrypt) {
-+ token.p11.C_Encrypt(session.id(), 0, in, 0, inLen,
-+ 0, buffer, 0, bufLen);
- } else {
-- // cancel operation by finishing it
-- int bufLen = doFinalLength(0);
-- byte[] buffer = new byte[bufLen];
--
-- if (encrypt) {
-- token.p11.C_Encrypt(session.id(), 0, buffer, 0, bufLen,
-- 0, buffer, 0, bufLen);
-- } else {
-- token.p11.C_Decrypt(session.id(), 0, buffer, 0, bufLen,
-- 0, buffer, 0, bufLen);
-- }
-+ token.p11.C_Decrypt(session.id(), 0, in, 0, inLen,
-+ 0, buffer, 0, bufLen);
- }
- } catch (PKCS11Exception e) {
-- throw new ProviderException("Cancel failed", e);
-+ if (encrypt) {
-+ throw new ProviderException("Cancel failed", e);
-+ }
-+ // ignore failure for decryption
- }
- }
-
-@@ -432,18 +433,21 @@
- if (!initialized) {
- return;
- }
-+ initialized = false;
-+
- try {
- if (session == null) {
- return;
- }
-+
- if (doCancel && token.explicitCancel) {
- cancelOperation();
- }
- } finally {
- p11Key.releaseKeyID();
- session = token.releaseSession(session);
-+ dataBuffer.reset();
- }
-- initialized = false;
- }
-
- // see JCE spec
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2020-10-08 06:03:20.450538032 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2020-10-08 06:03:20.330536745 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
-@@ -409,10 +409,12 @@
- return;
- }
- initialized = false;
-+
- try {
- if (session == null) {
- return;
- }
-+
- if (doCancel && token.explicitCancel) {
- cancelOperation();
- }
-@@ -426,22 +428,21 @@
-
- private void cancelOperation() {
- token.ensureValid();
-- if (session.hasObjects() == false) {
-- session = token.killSession(session);
-- return;
-- } else {
-- try {
-- // cancel operation by finishing it
-- int bufLen = doFinalLength(0);
-- byte[] buffer = new byte[bufLen];
-- if (encrypt) {
-- token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
-- } else {
-- token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
-- }
-- } catch (PKCS11Exception e) {
-+ // cancel operation by finishing it; avoid killSession as some
-+ // hardware vendors may require re-login
-+ try {
-+ int bufLen = doFinalLength(0);
-+ byte[] buffer = new byte[bufLen];
-+ if (encrypt) {
-+ token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
-+ } else {
-+ token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
-+ }
-+ } catch (PKCS11Exception e) {
-+ if (encrypt) {
- throw new ProviderException("Cancel failed", e);
- }
-+ // ignore failure for decryption
- }
- }
-
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java 2020-10-08 06:03:20.893542782 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java 2020-10-08 06:03:20.780541571 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
-@@ -122,10 +122,12 @@
- return;
- }
- initialized = false;
-+
- try {
- if (session == null) {
- return;
- }
-+
- if (doCancel && token.explicitCancel) {
- cancelOperation();
- }
-@@ -137,15 +139,12 @@
-
- private void cancelOperation() {
- token.ensureValid();
-- if (session.hasObjects() == false) {
-- session = token.killSession(session);
-- return;
-- } else {
-- try {
-- token.p11.C_SignFinal(session.id(), 0);
-- } catch (PKCS11Exception e) {
-- throw new ProviderException("Cancel failed", e);
-- }
-+ // cancel operation by finishing it; avoid killSession as some
-+ // hardware vendors may require re-login
-+ try {
-+ token.p11.C_SignFinal(session.id(), 0);
-+ } catch (PKCS11Exception e) {
-+ throw new ProviderException("Cancel failed", e);
- }
- }
-
-@@ -207,7 +206,6 @@
- ensureInitialized();
- return token.p11.C_SignFinal(session.id(), 0);
- } catch (PKCS11Exception e) {
-- reset(true);
- throw new ProviderException("doFinal() failed", e);
- } finally {
- reset(false);
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11PSSSignature.java 2020-10-08 06:03:21.314547298 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11PSSSignature.java 2020-10-08 06:03:21.202546096 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
-@@ -223,10 +223,12 @@
- return;
- }
- initialized = false;
-+
- try {
- if (session == null) {
- return;
- }
-+
- if (doCancel && token.explicitCancel) {
- cancelOperation();
- }
-@@ -242,14 +244,10 @@
- token.ensureValid();
- if (DEBUG) System.out.print("Cancelling operation");
-
-- if (session.hasObjects() == false) {
-- if (DEBUG) System.out.println(" by killing session");
-- session = token.killSession(session);
-- return;
-- }
-- // "cancel" operation by finishing it
-- if (mode == M_SIGN) {
-- try {
-+ // cancel operation by finishing it; avoid killSession as some
-+ // hardware vendors may require re-login
-+ try {
-+ if (mode == M_SIGN) {
- if (type == T_UPDATE) {
- if (DEBUG) System.out.println(" by C_SignFinal");
- token.p11.C_SignFinal(session.id(), 0);
-@@ -259,11 +257,7 @@
- if (DEBUG) System.out.println(" by C_Sign");
- token.p11.C_Sign(session.id(), digest);
- }
-- } catch (PKCS11Exception e) {
-- throw new ProviderException("cancel failed", e);
-- }
-- } else { // M_VERIFY
-- try {
-+ } else { // M_VERIFY
- byte[] signature =
- new byte[(p11Key.length() + 7) >> 3];
- if (type == T_UPDATE) {
-@@ -275,10 +269,12 @@
- if (DEBUG) System.out.println(" by C_Verify");
- token.p11.C_Verify(session.id(), digest, signature);
- }
-- } catch (PKCS11Exception e) {
-- // will fail since the signature is incorrect
-- // XXX check error code
- }
-+ } catch (PKCS11Exception e) {
-+ if (mode == M_SIGN) {
-+ throw new ProviderException("cancel failed", e);
-+ }
-+ // ignore failure for verification
- }
- }
-
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2020-10-08 06:03:21.749551962 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2020-10-08 06:03:21.633550718 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
-@@ -246,10 +246,12 @@
- return;
- }
- initialized = false;
-+
- try {
- if (session == null) {
- return;
- }
-+
- if (doCancel && token.explicitCancel) {
- cancelOperation();
- }
-@@ -263,36 +265,33 @@
- // state variables such as "initialized"
- private void cancelOperation() {
- token.ensureValid();
-- if (session.hasObjects() == false) {
-- session = token.killSession(session);
-- return;
-- } else {
-- try {
-- PKCS11 p11 = token.p11;
-- int inLen = maxInputSize;
-- int outLen = buffer.length;
-- long sessId = session.id();
-- switch (mode) {
-- case MODE_ENCRYPT:
-- p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
-- break;
-- case MODE_DECRYPT:
-- p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
-- break;
-- case MODE_SIGN:
-- byte[] tmpBuffer = new byte[maxInputSize];
-- p11.C_Sign(sessId, tmpBuffer);
-- break;
-- case MODE_VERIFY:
-- p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
-- 0, outLen);
-- break;
-- default:
-- throw new ProviderException("internal error");
-- }
-- } catch (PKCS11Exception e) {
-- // XXX ensure this always works, ignore error
-+ // cancel operation by finishing it; avoid killSession as some
-+ // hardware vendors may require re-login
-+ try {
-+ PKCS11 p11 = token.p11;
-+ int inLen = maxInputSize;
-+ int outLen = buffer.length;
-+ long sessId = session.id();
-+ switch (mode) {
-+ case MODE_ENCRYPT:
-+ p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
-+ break;
-+ case MODE_DECRYPT:
-+ p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
-+ break;
-+ case MODE_SIGN:
-+ byte[] tmpBuffer = new byte[maxInputSize];
-+ p11.C_Sign(sessId, tmpBuffer);
-+ break;
-+ case MODE_VERIFY:
-+ p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
-+ 0, outLen);
-+ break;
-+ default:
-+ throw new ProviderException("internal error");
- }
-+ } catch (PKCS11Exception e) {
-+ // XXX ensure this always works, ignore error
- }
- }
-
-@@ -361,6 +360,7 @@
- private int implDoFinal(byte[] out, int outOfs, int outLen)
- throws BadPaddingException, IllegalBlockSizeException {
- if (bufOfs > maxInputSize) {
-+ reset(true);
- throw new IllegalBlockSizeException("Data must not be longer "
- + "than " + maxInputSize + " bytes");
- }
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java 2020-10-08 06:03:22.163556402 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java 2020-10-08 06:03:22.050555191 +0100
-@@ -245,10 +245,12 @@
- return;
- }
- initialized = false;
-+
- try {
- if (session == null) {
- return;
- }
-+
- if (doCancel && token.explicitCancel) {
- cancelOperation();
- }
-@@ -259,59 +261,51 @@
- }
-
- private void cancelOperation() {
--
- token.ensureValid();
-- if (session.hasObjects() == false) {
-- session = token.killSession(session);
-- return;
-- } else {
-- // "cancel" operation by finishing it
-- // XXX make sure all this always works correctly
-+ // cancel operation by finishing it; avoid killSession as some
-+ // hardware vendors may require re-login
-+ try {
- if (mode == M_SIGN) {
-- try {
-- if (type == T_UPDATE) {
-- token.p11.C_SignFinal(session.id(), 0);
-- } else {
-- byte[] digest;
-- if (type == T_DIGEST) {
-- digest = md.digest();
-- } else { // T_RAW
-- digest = buffer;
-- }
-- token.p11.C_Sign(session.id(), digest);
-+ if (type == T_UPDATE) {
-+ token.p11.C_SignFinal(session.id(), 0);
-+ } else {
-+ byte[] digest;
-+ if (type == T_DIGEST) {
-+ digest = md.digest();
-+ } else { // T_RAW
-+ digest = buffer;
- }
-- } catch (PKCS11Exception e) {
-- throw new ProviderException("cancel failed", e);
-+ token.p11.C_Sign(session.id(), digest);
- }
- } else { // M_VERIFY
- byte[] signature;
-- try {
-- if (keyAlgorithm.equals("DSA")) {
-- signature = new byte[40];
-- } else {
-- signature = new byte[(p11Key.length() + 7) >> 3];
-- }
-- if (type == T_UPDATE) {
-- token.p11.C_VerifyFinal(session.id(), signature);
-- } else {
-- byte[] digest;
-- if (type == T_DIGEST) {
-- digest = md.digest();
-- } else { // T_RAW
-- digest = buffer;
-- }
-- token.p11.C_Verify(session.id(), digest, signature);
-- }
-- } catch (PKCS11Exception e) {
-- long errorCode = e.getErrorCode();
-- if ((errorCode == CKR_SIGNATURE_INVALID) ||
-- (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
-- // expected since signature is incorrect
-- return;
-+ if (keyAlgorithm.equals("DSA")) {
-+ signature = new byte[40];
-+ } else {
-+ signature = new byte[(p11Key.length() + 7) >> 3];
-+ }
-+ if (type == T_UPDATE) {
-+ token.p11.C_VerifyFinal(session.id(), signature);
-+ } else {
-+ byte[] digest;
-+ if (type == T_DIGEST) {
-+ digest = md.digest();
-+ } else { // T_RAW
-+ digest = buffer;
- }
-- throw new ProviderException("cancel failed", e);
-+ token.p11.C_Verify(session.id(), digest, signature);
-+ }
-+ }
-+ } catch (PKCS11Exception e) {
-+ if (mode == M_VERIFY) {
-+ long errorCode = e.getErrorCode();
-+ if ((errorCode == CKR_SIGNATURE_INVALID) ||
-+ (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
-+ // expected since signature is incorrect
-+ return;
- }
- }
-+ throw new ProviderException("cancel failed", e);
- }
- }
-
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index a3b9402..864fbf2 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -249,7 +249,7 @@
 # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
 %global shenandoah_project aarch64-port
 %global shenandoah_repo jdk8u-shenandoah
-%global shenandoah_revision aarch64-shenandoah-jdk8u272-b10
+%global shenandoah_revision aarch64-shenandoah-jdk8u275-b01
 # Define old aarch64/jdk8u tree variables for compatibility
 %global project %{shenandoah_project}
 %global repo %{shenandoah_repo}
@@ -265,7 +265,7 @@
 %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease 3
+%global rpmrelease 1
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -1266,8 +1266,6 @@ Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
 Patch13: jdk8254177-tzdata2020b.patch
 # JDK-8215727, RH1889532: Restore JFR thread sampler loop to old / previous behavior
 Patch14: jdk8215727-rh1889532-restore_jfr_thread_sampler_loop.patch
-# JDK-8236512, RH1889414: PKCS11 Connection closed after Cipher.doFinal and NoPadding
-Patch15: jdk8236512-rh1889414-pkcs11_incorrrect_session_closure.patch
 #############################################
 #
@@ -1691,7 +1689,6 @@ sh %{SOURCE12}
 %patch540
 %patch13
 %patch14
-%patch15
 # RPM-only fixes
 %patch1000
@@ -2401,6 +2398,17 @@ require "copy_jdk_configs.lua"
 %endif
 %changelog
+* Fri Nov 06 2020 Andrew Hughes - 1:1.8.0.275.b01-1
+- Update to aarch64-shenandoah-jdk8u275-b01 (GA)
+- Update release notes for 8u275.
+- Remove JDK-8223940/RH1892216 backport now included in upstream 8u275.
+- Remove JDK-8236512/RH1889414 backport now included in upstream 8u275.
+- Resolves: rhbz#1895060
+
+* Fri Oct 30 2020 Andrew Hughes - 1:1.8.0.272.b10-4
+- Add backport of JDK-8223940: "Private key not supported by chosen signature algorithm" to handle lack of provider RSAPSS support
+- Resolves: rhbz#1892216
+
 * Wed Oct 21 2020 Andrew Hughes - 1:1.8.0.272.b10-3
 - Add backport of JDK-8236512 to correct use of killSession
 - Resolves: rhbz#1889414