diff --git a/.gitignore b/.gitignore
index 3d565ae..d4c4324 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u222-b10.tar.xz
+SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u232-b09.tar.xz
 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index c741be4..03bd636 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-8afea3219e33f6fa067152aee13da2f4096e60cc SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u222-b10.tar.xz
+ca59ed55769893ca7a5bcff04612141f696ea2e9 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u232-b09.tar.xz
 cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/SOURCES/8223219-fstack-protector-hotspot.patch b/SOURCES/8223219-fstack-protector-hotspot.patch
deleted file mode 100644
index ec69944..0000000
--- a/SOURCES/8223219-fstack-protector-hotspot.patch
+++ /dev/null
@@ -1,35 +0,0 @@ -diff --git openjdk.orig/hotspot/make/bsd/makefiles/gcc.make openjdk/hotspot/make/bsd/makefiles/gcc.make ---- openjdk.orig/hotspot/make/bsd/makefiles/gcc.make -+++ openjdk/hotspot/make/bsd/makefiles/gcc.make -@@ -190,7 +190,7 @@ - CFLAGS += -fno-exceptions - ifeq ($(USE_CLANG),) - CFLAGS += -pthread -- CFLAGS += -fcheck-new -fstack-protector -+ CFLAGS += -fcheck-new - # version 4 and above support fvisibility=hidden (matches jni_x86.h file) - # except 4.1.2 gives pointless warnings that can't be disabled (afaik) - ifneq "$(shell expr \( $(CC_VER_MAJOR) \> 4 \) \| \( \( $(CC_VER_MAJOR) = 4 \) \& \( $(CC_VER_MINOR) \>= 3 \) \))" "0" -diff --git openjdk.orig/hotspot/make/linux/makefiles/gcc.make openjdk/hotspot/make/linux/makefiles/gcc.make ---- openjdk.orig/hotspot/make/linux/makefiles/gcc.make -+++ openjdk/hotspot/make/linux/makefiles/gcc.make -@@ -150,7 +150,7 @@ - CFLAGS += -fno-exceptions - CFLAGS += -D_REENTRANT - ifeq ($(USE_CLANG),) -- CFLAGS += -fcheck-new -fstack-protector -+ CFLAGS += -fcheck-new - # version 4 and above support fvisibility=hidden (matches jni_x86.h file) - # except 4.1.2 gives pointless warnings that can't be disabled (afaik) - ifneq "$(shell expr \( $(CC_VER_MAJOR) \> 4 \) \| \( \( $(CC_VER_MAJOR) = 4 \) \& \( $(CC_VER_MINOR) \>= 3 \) \))" "0" -diff --git openjdk.orig/hotspot/make/solaris/makefiles/gcc.make openjdk/hotspot/make/solaris/makefiles/gcc.make ---- openjdk.orig/hotspot/make/solaris/makefiles/gcc.make -+++ openjdk/hotspot/make/solaris/makefiles/gcc.make -@@ -75,7 +75,6 @@ - CFLAGS += -fno-exceptions - CFLAGS += -D_REENTRANT - CFLAGS += -fcheck-new --CFLAGS += -fstack-protector - - ARCHFLAG = $(ARCHFLAG/$(BUILDARCH)) - diff --git a/SOURCES/8223219-fstack-protector-root.patch b/SOURCES/8223219-fstack-protector-root.patch deleted file mode 100644 index a73761c..0000000 --- a/SOURCES/8223219-fstack-protector-root.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -diff --git a/common/autoconf/flags.m4 b/common/autoconf/flags.m4 ---- openjdk.orig/common/autoconf/flags.m4 -+++ openjdk/common/autoconf/flags.m4 -@@ -388,16 +388,8 @@ - CFLAGS_JDK="${CFLAGS_JDK} -qchars=signed -q64 -qfullpath -qsaveopt" - CXXFLAGS_JDK="${CXXFLAGS_JDK} -qchars=signed -q64 -qfullpath -qsaveopt" - elif test "x$TOOLCHAIN_TYPE" = xgcc; then -- case $OPENJDK_TARGET_CPU_ARCH in -- x86 ) -- LEGACY_EXTRA_CFLAGS="$LEGACY_EXTRA_CFLAGS -fstack-protector" -- LEGACY_EXTRA_CXXFLAGS="$LEGACY_EXTRA_CXXFLAGS -fstack-protector" -- ;; -- x86_64 ) -- LEGACY_EXTRA_CFLAGS="$LEGACY_EXTRA_CFLAGS -fstack-protector" -- LEGACY_EXTRA_CXXFLAGS="$LEGACY_EXTRA_CXXFLAGS -fstack-protector" -- ;; -- esac -+ LEGACY_EXTRA_CFLAGS="$LEGACY_EXTRA_CFLAGS -fstack-protector" -+ LEGACY_EXTRA_CXXFLAGS="$LEGACY_EXTRA_CXXFLAGS -fstack-protector" - if test "x$OPENJDK_TARGET_OS" != xmacosx; then - LDFLAGS_JDK="$LDFLAGS_JDK -Wl,-z,relro" - LEGACY_EXTRA_LDFLAGS="$LEGACY_EXTRA_LDFLAGS -Wl,-z,relro" -@@ -464,10 +456,6 @@ - ppc ) - # on ppc we don't prevent gcc to omit frame pointer nor strict-aliasing - ;; -- x86 ) -- CCXXFLAGS_JDK="$CCXXFLAGS_JDK -fno-omit-frame-pointer -fstack-protector" -- CFLAGS_JDK="${CFLAGS_JDK} -fno-strict-aliasing -fstack-protector" -- ;; - * ) - CCXXFLAGS_JDK="$CCXXFLAGS_JDK -fno-omit-frame-pointer" - CFLAGS_JDK="${CFLAGS_JDK} -fno-strict-aliasing" diff --git a/SOURCES/jdk8141570-pr3548-fix_zero_interpreter_build_for_disable_precompiled_headers.patch b/SOURCES/jdk8141570-pr3548-fix_zero_interpreter_build_for_disable_precompiled_headers.patch deleted file mode 100644 index c9ef36b..0000000 --- a/SOURCES/jdk8141570-pr3548-fix_zero_interpreter_build_for_disable_precompiled_headers.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -# HG changeset patch -# User coleenp -# Date 1525713256 -3600 -# Mon May 07 18:14:16 2018 +0100 -# Node ID bcbc64dfb629c5f188bbf59b8f986ad95963ed60 -# Parent 07a1135a327362f157955d470fad5df07cc35164 -8141570, PR3548: Fix Zero interpreter build for --disable-precompiled-headers -Summary: change to include atomic.inline.hpp and allocation.inline.hpp only in .cpp files and some build fixes from Kim to build on ubuntu without devkits -Reviewed-by: kbarrett, sgehwolf, erikj - -diff --git openjdk.orig/hotspot/make/linux/makefiles/zeroshark.make openjdk/hotspot/make/linux/makefiles/zeroshark.make ---- openjdk.orig/hotspot/make/linux/makefiles/zeroshark.make -+++ openjdk/hotspot/make/linux/makefiles/zeroshark.make -@@ -1,5 +1,5 @@ - # --# Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. -+# Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. - # Copyright 2007, 2008 Red Hat, Inc. - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - # -@@ -25,8 +25,15 @@ - - # Setup common to Zero (non-Shark) and Shark versions of VM - --# override this from the main file because some version of llvm do not like -Wundef --WARNING_FLAGS = -Wpointer-arith -Wsign-compare -Wunused-function -Wunused-value -+# Some versions of llvm do not like -Wundef -+ifeq ($(USE_CLANG), true) -+ WARNING_FLAGS += -Wno-undef -+endif -+# Suppress some warning flags that are normally turned on for hotspot, -+# because some of the zero code has not been updated accordingly. 
-+WARNING_FLAGS += -Wno-return-type \ -+ -Wno-format-nonliteral -Wno-format-security \ -+ -Wno-maybe-uninitialized - - # If FDLIBM_CFLAGS is non-empty it holds CFLAGS needed to be passed to - # the compiler so as to be able to produce optimized objects -@@ -48,5 +55,3 @@ - ifeq ($(ARCH_DATA_MODEL), 64) - CFLAGS += -D_LP64=1 - endif -- --OPT_CFLAGS/compactingPermGenGen.o = -O1 -diff --git openjdk.orig/hotspot/src/share/vm/runtime/java.cpp openjdk/hotspot/src/share/vm/runtime/java.cpp ---- openjdk.orig/hotspot/src/share/vm/runtime/java.cpp -+++ openjdk/hotspot/src/share/vm/runtime/java.cpp -@@ -45,6 +45,7 @@ - #include "runtime/arguments.hpp" - #include "runtime/biasedLocking.hpp" - #include "runtime/compilationPolicy.hpp" -+#include "runtime/deoptimization.hpp" - #include "runtime/fprofiler.hpp" - #include "runtime/init.hpp" - #include "runtime/interfaceSupport.hpp" diff --git a/SOURCES/jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch b/SOURCES/jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch index 792b04a..298bbd3 100644 --- a/SOURCES/jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch +++ b/SOURCES/jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch @@ -8,7 +8,6 @@ Reviewed-by: dholmes, coleenp diff --git openjdk.orig/hotspot/make/linux/makefiles/zeroshark.make openjdk/hotspot/make/linux/makefiles/zeroshark.make -diff --git openjdk.orig/hotspot/make/linux/makefiles/zeroshark.make openjdk/hotspot/make/linux/makefiles/zeroshark.make --- openjdk.orig/hotspot/make/linux/makefiles/zeroshark.make +++ openjdk/hotspot/make/linux/makefiles/zeroshark.make @@ -1,5 +1,5 @@ @@ -18,8 +17,8 @@ 
diff --git openjdk.orig/hotspot/make/linux/makefiles/zeroshark.make openjdk/hots # Copyright 2007, 2008 Red Hat, Inc. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # -@@ -29,11 +29,6 @@ - ifeq ($(USE_CLANG), true) +@@ -29,12 +29,7 @@ + ifeq ($(JVM_VARIANT_ZEROSHARK), true) WARNING_FLAGS += -Wno-undef endif -# Suppress some warning flags that are normally turned on for hotspot, @@ -27,6 +26,8 @@ diff --git openjdk.orig/hotspot/make/linux/makefiles/zeroshark.make openjdk/hots -WARNING_FLAGS += -Wno-return-type \ - -Wno-format-nonliteral -Wno-format-security \ - -Wno-maybe-uninitialized +- ++ # If FDLIBM_CFLAGS is non-empty it holds CFLAGS needed to be passed to # the compiler so as to be able to produce optimized objects diff --git a/SOURCES/jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch b/SOURCES/jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch deleted file mode 100644 index be2650b..0000000 --- a/SOURCES/jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -# HG changeset patch -# User sgehwolf -# Date 1537541916 -7200 -# Fri Sep 21 16:58:36 2018 +0200 -# Node ID 4010c90156d1bfeaf988dbfeb01520f2e3a66ea8 -# Parent 54afe70c50b6a6685763d00883e5173c0ba3a19d -8210761: libjsig is being compiled without optimization -Reviewed-by: erikj, ihse - -diff --git openjdk.orig/hotspot/make/linux/makefiles/jsig.make openjdk/hotspot/make/linux/makefiles/jsig.make ---- openjdk.orig/hotspot/make/linux/makefiles/jsig.make -+++ openjdk/hotspot/make/linux/makefiles/jsig.make -@@ -51,10 +51,15 @@ - JSIG_DEBUG_CFLAGS = -g - endif - -+# Optimize jsig lib at level -O3 unless it's a slowdebug build -+ifneq ($(DEBUG_LEVEL), slowdebug) -+ JSIG_OPT_FLAGS = $(OPT_CFLAGS) -+endif -+ - $(LIBJSIG): $(JSIGSRCDIR)/jsig.c $(LIBJSIG_MAPFILE) - @echo Making signal interposition lib... - $(QUIETLY) $(CC) $(SYMFLAG) $(ARCHFLAG) $(SHARED_FLAG) $(PICFLAG) \ -- $(LFLAGS_JSIG) $(JSIG_DEBUG_CFLAGS) $(EXTRA_CFLAGS) -o $@ $< -ldl -+ $(LFLAGS_JSIG) $(JSIG_DEBUG_CFLAGS) $(JSIG_OPT_FLAGS) $(EXTRA_CFLAGS) -o $@ $< -ldl - ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1) - ifneq ($(STRIP_POLICY),no_strip) - $(QUIETLY) $(OBJCOPY) --only-keep-debug $@ $(LIBJSIG_DEBUGINFO) diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in new file mode 100644 index 0000000..ead27be --- /dev/null +++ b/SOURCES/nss.fips.cfg.in @@ -0,0 +1,6 @@ +name = NSS-FIPS +nssLibraryDirectory = @NSS_LIBDIR@ +nssSecmodDirectory = @NSS_SECMOD@ +nssDbMode = readOnly +nssModule = fips + diff --git a/SOURCES/pr1834-rh1022017-reduce_ellipticcurvesextension_to_provide_only_three_nss_supported_nist_curves_23_24_25.patch b/SOURCES/pr1834-rh1022017-reduce_ellipticcurvesextension_to_provide_only_three_nss_supported_nist_curves_23_24_25.patch deleted file mode 100644 index 8165340..0000000 --- a/SOURCES/pr1834-rh1022017-reduce_ellipticcurvesextension_to_provide_only_three_nss_supported_nist_curves_23_24_25.patch +++ /dev/null 
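Review bot: `name = NSS-FIPS` in the new `nss.fips.cfg.in` is load-bearing but undocumented: the `java.security-linux` hunk in this commit names the provider `SunPKCS11-NSS-FIPS` in `fips.provider.4`, and the changelog states that the runtime name is "SunPKCS11-" plus this value. A rename here would leave that reference dangling, so I would add a comment above the line such as `# Provider name becomes SunPKCS11-NSS-FIPS; keep in sync with fips.provider.4 in java.security`. A second comment saying that `@NSS_LIBDIR@` and `@NSS_SECMOD@` are filled in by the spec's `sed` calls would help anyone reading the installed file.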
@@ -1,28 +0,0 @@ -diff --git a/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java b/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java ---- openjdk/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java -+++ openjdk/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java -@@ -168,20 +168,10 @@ - "contains no supported elliptic curves"); - } - } else { // default curves -- int[] ids; -- if (requireFips) { -- ids = new int[] { -- // only NIST curves in FIPS mode -- 23, 24, 25, 9, 10, 11, 12, 13, 14, -- }; -- } else { -- ids = new int[] { -- // NIST curves first -- 23, 24, 25, 9, 10, 11, 12, 13, 14, -- // non-NIST curves -- 22, -- }; -- } -+ int[] ids = new int[] { -+ // NSS currently only supports these three NIST curves -+ 23, 24, 25 -+ }; - - idList = new ArrayList<>(ids.length); - for (int curveId : ids) { diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch new file mode 100644 index 0000000..7987abb --- /dev/null +++ b/SOURCES/rh1655466-global_crypto_and_fips.patch 
@@ -0,0 +1,208 @@ +diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java +--- openjdk.orig/jdk/src/share/classes/java/security/Security.java ++++ openjdk/jdk/src/share/classes/java/security/Security.java +@@ -191,27 +191,7 @@ + if (disableSystemProps == null && + "true".equalsIgnoreCase(props.getProperty + ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); +- loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } +- } ++ loadedProps = loadedProps && SystemConfigurator.configure(props); + } + + if (!loadedProps) { +diff --git a/src/share/classes/javopenjdk.orig/jdk/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,153 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.nio.file.Files; ++import java.nio.file.FileSystems; ++import java.nio.file.Path; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++import java.util.function.Consumer; ++import java.util.regex.Matcher; ++import java.util.regex.Pattern; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. 
++ * ++ */ ++ ++class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static final String CRYPTO_POLICIES_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/config"; ++ ++ private static final class SecurityProviderInfo { ++ int number; ++ String key; ++ String value; ++ SecurityProviderInfo(int number, String key, String value) { ++ this.number = number; ++ this.key = key; ++ this.value = value; ++ } ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configure(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ loadedProps = false; ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) 
props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ loadedProps = true; ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /* ++ * FIPS is enabled only if crypto-policies are set to "FIPS" ++ * and the com.redhat.fips property is true. ++ */ ++ private static boolean enableFips() throws Exception { ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false")); ++ if (fipsEnabled) { ++ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG); ++ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath)); ++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } ++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); ++ return pattern.matcher(cryptoPoliciesConfig).find(); ++ } else { ++ return false; ++ } ++ } ++} +diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux +--- openjdk.orig/jdk/src/share/lib/security/java.security-linux ++++ openjdk/jdk/src/share/lib/security/java.security-linux +@@ -77,6 +77,14 @@ + #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg ++fips.provider.2=sun.security.provider.Sun ++fips.provider.3=sun.security.ec.SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ ++# + # Sun Provider SecureRandom seed source. + # + # Select the primary source of seed data for the "SHA1PRNG" and 
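Review bot: The FIPS branch of `SystemConfigurator.configure` fails open: once `com.redhat.fips` is true, any exception from `enableFips()` (for example an unreadable `/etc/crypto-policies/config`) or from the provider rewrite is swallowed by `catch (Exception e)` and reported only when the `properties` debug channel is enabled, so the JVM carries on as if FIPS had not been requested. The removal loop also runs before anything confirms that `fips.provider.1` exists, and `loadedProps = false` is set first, so a failure part-way returns false with the provider list partly rewritten. In `Security.java`, `loadedProps = loadedProps && SystemConfigurator.configure(props);` clears a previously true `loadedProps` whenever `java.config` cannot be read, whereas the removed code only ever set it to true; the `if (!loadedProps)` block that consumes it lies outside the hunk, so the effect needs confirming, but `if (SystemConfigurator.configure(props)) { loadedProps = true; }` would keep the old semantics. For the FIPS case I would collect the `fips.provider.N` values before touching `props` and surface a failure unconditionally, as sketched below; whether start-up should abort or only log loudly is a policy decision for the maintainers.

```java
// … unchanged: loading of CRYPTO_POLICIES_JAVA_CONFIG into props …
try {
    if (enableFips()) {
        if (sdebug != null) { sdebug.println("FIPS mode detected"); }
        // Gather the replacement providers first, so that a missing
        // fips.provider.1 cannot leave props without any provider.
        List<String> fipsProviders = new ArrayList<>();
        String fipsProviderValue;
        for (int n = 1;
             (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
            fipsProviders.add(fipsProviderValue);
        }
        if (fipsProviders.isEmpty()) {
            throw new IllegalStateException("no fips.provider.N entries found");
        }
        props.keySet().removeIf(k -> ((String) k).startsWith("security.provider"));
        for (int n = 0; n < fipsProviders.size(); n++) {
            props.put("security.provider." + (n + 1), fipsProviders.get(n));
        }
        loadedProps = true;
    }
} catch (Exception e) {
    // … unchanged: sdebug output …
    // FIPS was explicitly requested; do not continue with the default providers.
    throw new InternalError("unable to load FIPS configuration", e);
}
```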
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 8820724..29cd1bc 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -198,7 +198,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project aarch64-port %global shenandoah_repo jdk8u-shenandoah -%global shenandoah_revision aarch64-shenandoah-jdk8u222-b10 +%global shenandoah_revision aarch64-shenandoah-jdk8u232-b09 # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} %global repo %{shenandoah_repo} @@ -212,7 +212,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 1 +%global rpmrelease 2 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -388,7 +388,9 @@ alternatives \\ --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/appletviewer appletviewer %{sdkbindir -- %{?1}}/appletviewer \\ + --slave %{_bindir}/clhsdb clhsdb %{sdkbindir -- %{?1}}/clhsdb \\ --slave %{_bindir}/extcheck extcheck %{sdkbindir -- %{?1}}/extcheck \\ + --slave %{_bindir}/hsdb hsdb %{sdkbindir -- %{?1}}/hsdb \\ --slave %{_bindir}/idlj idlj %{sdkbindir -- %{?1}}/idlj \\ --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ 
@@ -567,8 +569,6 @@ exit 0 %dir %{_jvmdir}/%{jredir -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/bin %dir %{_jvmdir}/%{jredir -- %{?1}}/lib -%{_jvmdir}/%{jredir -- %{?1}}/bin/clhsdb -%{_jvmdir}/%{jredir -- %{?1}}/bin/hsdb %{_jvmdir}/%{jredir -- %{?1}}/bin/java %{_jvmdir}/%{jredir -- %{?1}}/bin/jjs %{_jvmdir}/%{jredir -- %{?1}}/bin/keytool @@ -612,7 +612,9 @@ exit 0 %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/policytool-%{uniquesuffix -- %{?1}}.1* %{_jvmdir}/%{jredir -- %{?1}}/lib/security/nss.cfg +%{_jvmdir}/%{jredir -- %{?1}}/lib/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/nss.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/nss.fips.cfg %ifarch %{jit_arches} %ifnarch %{power64} %attr(444, root, root) %ghost %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/server/classes.jsa @@ -1049,6 +1051,9 @@ Source13: TestCryptoLevel.java # Ensure ECDSA is working Source14: TestECDSA.java +# nss fips configuration file +Source15: nss.fips.cfg.in + Source20: repackReproduciblePolycies.sh # New versions of config files with aarch64 support. This is not upstream yet. 
@@ -1069,12 +1074,12 @@ Source101: config.sub Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch # Restrict access to java-atk-wrapper classes Patch3: rh1648644-java_access_bridge_privileged_security.patch -# PR1834, RH1022017: Reduce curves reported by SSL to those in NSS -# Not currently suitable to go upstream as it disables curves -# for all providers unconditionally -Patch525: pr1834-rh1022017-reduce_ellipticcurvesextension_to_provide_only_three_nss_supported_nist_curves_23_24_25.patch # Turn on AssumeMP by default on RHEL systems Patch534: rh1648246-always_instruct_vm_to_assume_multiple_processors_are_available.patch +# RH1648249: Add PKCS11 provider to java.security +Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +Patch1001: rh1655466-global_crypto_and_fips.patch ############################################# # @@ -1143,8 +1148,6 @@ Patch502: pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binar Patch400: jdk8154313-generated_javadoc_scattered_all_over_the_place.patch # PR3591: Fix for bug 3533 doesn't add -mstackrealign to JDK code Patch571: jdk8199936-pr3591-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x_jdk.patch -# 8141570, PR3548: Fix Zero interpreter build for --disable-precompiled-headers -Patch573: jdk8141570-pr3548-fix_zero_interpreter_build_for_disable_precompiled_headers.patch # 8143245, PR3548: Zero build requires disabled warnings Patch574: jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch # 8197981, PR3548: Missing return statement in __sync_val_compare_and_swap_8 
@@ -1157,12 +1160,6 @@ Patch102: jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch Patch202: jdk8035341-allow_using_system_installed_libpng.patch # 8042159: Allow using a system-installed lcms2 Patch203: jdk8042159-allow_using_system_installed_lcms2.patch -# 8210761: libjsig is being compiled without optimization -Patch620: jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch -# JDK-8223219: Backport of JDK-8199552 to OpenJDK 8 leads to duplicate -fstack-protector flags, -# overriding --with-extra-cflags -Patch626: 8223219-fstack-protector-root.patch -Patch627: 8223219-fstack-protector-hotspot.patch ############################################# # @@ -1201,7 +1198,6 @@ Patch201: jdk8043805-allow_using_system_installed_libjpeg.patch # This section includes patches to code other # that from OpenJDK. ############################################# -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch ############################################# # @@ -1504,18 +1500,14 @@ sh %{SOURCE12} %patch531 %patch530 %patch571 -%patch573 %patch574 %patch575 %patch577 -%patch620 -%patch626 -%patch627 # RPM-only fixes -%patch525 %patch539 %patch1000 +%patch1001 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1568,6 +1560,9 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg +# Setup nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg +sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? 
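Review bot: The NSS database path is a string literal inside the new `sed -i` line of the `# Setup nss.fips.cfg` block, while the library directory beside it comes from `%{NSS_LIBDIR}`, so anyone auditing which database the FIPS provider opens has to find `/etc/pki/nssdb` in a scriptlet. Both substitutions can also run in one pass without the in-place edit: `sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" %{SOURCE15} > nss.fips.cfg`. If the path stays literal, a comment such as `# System NSS database opened read-only by the SunPKCS11 FIPS provider` above it would record the intent.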
@@ -1675,6 +1670,9 @@ export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/jre/lib/security/ +# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) +install -m 644 nss.fips.cfg $JAVA_HOME/jre/lib/security/ + # Use system-wide tzdata rm $JAVA_HOME/jre/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/jre/lib/tzdb.dat @@ -1914,7 +1912,7 @@ touch -t 201401010000 $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix}/lib/securi # moving config files to /etc mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib/security/policy/unlimited/ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib/security/policy/limited/ -for file in lib/security/cacerts lib/security/policy/unlimited/US_export_policy.jar lib/security/policy/unlimited/local_policy.jar lib/security/policy/limited/US_export_policy.jar lib/security/policy/limited/local_policy.jar lib/security/java.policy lib/security/java.security lib/security/blacklisted.certs lib/logging.properties lib/calendars.properties lib/security/nss.cfg ; do +for file in lib/security/cacerts lib/security/policy/unlimited/US_export_policy.jar lib/security/policy/unlimited/local_policy.jar lib/security/policy/limited/US_export_policy.jar lib/security/policy/limited/local_policy.jar lib/security/java.policy lib/security/java.security lib/security/blacklisted.certs lib/logging.properties lib/calendars.properties lib/security/nss.cfg lib/security/nss.fips.cfg ; do mv $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix}/$file $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/$file ln -sf %{etcjavadir -- $suffix}/$file $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix}/$file done 
@@ -2096,6 +2094,56 @@ require "copy_jdk_configs.lua" %endif %changelog +* Fri Oct 25 2019 Andrew John Hughes - 1:1.8.0.232.b09-2 +- Disable FIPS mode support unless com.redhat.fips is set to "true". +- Resolves: rhbz#1655466 + +* Fri Oct 11 2019 Andrew Hughes - 1:1.8.0.232.b09-1 +- Update to aarch64-shenandoah-jdk8u232-b09. +- Switch to GA mode for final release. +- Remove PR1834/RH1022017 which is now handled by JDK-8228825 upstream. +- Resolves: rhbz#1753423 + +* Fri Oct 11 2019 Andrew Hughes - 1:1.8.0.232.b08-0.1.ea +- Update to aarch64-shenandoah-jdk8u232-b08. +- Resolves: rhbz#1753423 + +* Fri Oct 11 2019 Andrew Hughes - 1:1.8.0.232.b05-0.2.ea +- Update to aarch64-shenandoah-jdk8u232-b05-shenandoah-merge-2019-09-09. +- Resolves: rhbz#1753423 + +* Thu Oct 10 2019 Andrew Hughes - 1:1.8.0.232.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u232-b05. +- Drop upstreamed patch JDK-8141570/PR3548. +- Adjust context of JDK-8143245/PR3548 to apply against upstream JDK-8141570. +- Resolves: rhbz#1753423 + +* Mon Oct 07 2019 Andrew Hughes - 1:1.8.0.232.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u232-b01. +- Switch to EA mode. +- Drop JDK-8210761/RH1632174 as now upstream. +- Drop JDK-8223219 as now upstream. +- JDK-8226870 removed clhsdb and hdsdb from the JRE bin directory, so we should do likewise. +- Add alternatives support for these two new SDK binaries. +- Resolves: rhbz#1753423 + +* Fri Sep 27 2019 Andrew Hughes - 1:1.8.0.222.b10-3 +- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. +- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. +- Resolves: rhbz#1750752 + +* Wed Aug 21 2019 Andrew Hughes - 1:1.8.0.222.b10-2 +- nss.fips.cfg needs to be moved to %%{etcjavadir} and symlinked into the JDK, like nss.cfg +- Resolves: rhbz#1655466 + +* Thu Aug 15 2019 Andrew Hughes - 1:1.8.0.222.b10-2 +- Backport FIPS mode patch to java-1.8.0-openjdk, simplifying provider removal. 
+- Resolves: rhbz#1655466 + +* Thu Aug 15 2019 Martin Balao - 1:1.8.0.222.b10-2 +- Support the FIPS mode crypto policy on RHEL 8. +- Resolves: rhbz#1655466 + * Thu Jul 11 2019 Andrew Hughes - 1:1.8.0.222.b10-1 - Update to aarch64-shenandoah-jdk8u222-b10. - Resolves: rhbz#1724452