From 140246c631db8199699600cd37da66e86eb6a997 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 14 2020 01:27:40 +0000 Subject: import java-11-openjdk-11.0.8.6-0.1.ea.el8 --- diff --git a/.gitignore b/.gitignore index 5cfc0ab..34497c3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.8+1-4curve.tar.xz +SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.8+6-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index df6c284..bf680fc 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -e79f444ab44a84f8d51d5a5782c42a6fc558ebef SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.8+1-4curve.tar.xz +675c2ab8b8793ab87d0cf9b77b2196b71f4afbca SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.8+6-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch index 1c67c83..8bf1ced 100644 --- a/SOURCES/rh1655466-global_crypto_and_fips.patch +++ b/SOURCES/rh1655466-global_crypto_and_fips.patch @@ -1,6 +1,6 @@ diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java ---- openjdk.orig///src/java.base/share/classes/java/security/Security.java -+++ openjdk///src/java.base/share/classes/java/security/Security.java +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java @@ -196,26 +196,8 @@ if (disableSystemProps == null && "true".equalsIgnoreCase(props.getProperty @@ -32,7 +32,7 @@ diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.jav 
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 --- /dev/null -+++ openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java @@ -0,0 +1,151 @@ +/* + * Copyright (c) 2019, Red Hat, Inc. @@ -174,7 +174,7 @@ new file mode 100644 + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { -+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false")); ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (fipsEnabled) { + String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); + if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } @@ -186,8 +186,8 @@ new file mode 100644 + } +} diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security ---- openjdk.orig///src/java.base/share/conf/security/java.security -+++ openjdk///src/java.base/share/conf/security/java.security +--- openjdk.orig/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security @@ -87,6 +87,14 @@ #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg diff --git a/SOURCES/rh1818909-fips_default_keystore_type.patch b/SOURCES/rh1818909-fips_default_keystore_type.patch new file mode 100644 index 0000000..ff34f3e --- /dev/null +++ b/SOURCES/rh1818909-fips_default_keystore_type.patch 
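Review bot: With the default flipped to `"true"` in enableFips(), the opt-out parsing is fail-open: `Boolean.valueOf` yields false for every string other than "true", so a mistyped value (constructed examples: `-Dcom.redhat.fips=ture` or `=yes`) silently turns FIPS alignment off instead of leaving it on. If only an explicit opt-out should disable it, the line could read `boolean fipsEnabled = !"false".equalsIgnoreCase(System.getProperty("com.redhat.fips", "true"));`. The Javadoc line above it ("and the com.redhat.fips property is true") should also state the new default and that the switch is an ordinary JVM system property, so anything able to add launcher arguments can drop the FIPS configuration. enableFips() starts above this hunk, and how its caller handles a failure to read CRYPTO_POLICIES_CONFIG, which is now attempted whenever the property is unset, is not visible here.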
@@ -0,0 +1,52 @@
+diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
+@@ -123,6 +123,33 @@
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
+--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
+@@ -299,6 +299,11 @@
+ keystore.type=pkcs12
+
+ #
++# Default keystore type used when global crypto-policies are set to FIPS.
++# ++fips.keystore.type=PKCS11 ++ ++# + # Controls compatibility mode for JKS and PKCS12 keystore types. + # + # When set to 'true', both JKS and PKCS12 keystore types support loading diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index 8194598..4d1c0d0 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -21,6 +21,9 @@ # Enable release builds by default on relevant arches. %bcond_without release +# Workaround for stripping of debug symbols from static libraries +%define __brp_strip_static_archive %{nil} + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -121,12 +124,12 @@ %endif %if %{bootstrap_build} -%global release_targets bootcycle-images docs-zip +%global release_targets bootcycle-images static-libs-image docs-zip %else -%global release_targets images docs-zip +%global release_targets images docs-zip static-libs-image %endif # No docs nor bootcycle for debug builds -%global debug_targets images +%global debug_targets images static-libs-image # Filter out flags from the optflags macro that cause problems with the OpenJDK build @@ -237,7 +240,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global minorver 0 -%global buildver 1 +%global buildver 6 %global rpmrelease 1 #%%global tagsuffix %%{nil} # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit 
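Review bot: `System.setProperty("javax.net.ssl.trustStoreType", nonFipsKeystoreType)` in the added SystemConfigurator block throws NullPointerException when `keystore.type` is absent from props, because `props.getProperty("keystore.type")` then returns null; the guard could be `if (nonFipsKeystoreType != null && System.getProperty("javax.net.ssl.trustStoreType") == null) {`. The exception would reach the `catch (Exception e)` shown at the end of the hunk after `keystore.type` has already been overwritten but before `loadedProps = true`, leaving the FIPS setup half-applied; what that handler does is outside the hunk. Separately, `javax.net.ssl.keyStore` is forced to "NONE" without the is-it-already-set check used for trustStoreType, so a keystore path supplied on the command line is silently replaced; if that is intended, the comment above it should say so.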
@@ -271,8 +274,9 @@ # parametrized macros are order-sensitive %global compatiblename java-%{majorver}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} -# images stub -%global jdkimage jdk +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs # output dir stub %define buildoutputdir() %{expand:openjdk/build%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch @@ -820,6 +824,25 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip } +%define files_static_libs() %{expand: +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfdlibm.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.a +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.a +} + %define files_javadoc() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal @@ -875,7 +898,9 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -Requires: tzdata-java >= 2015d +# 2020a required as of JDK-8243541 in 11.0.8+4 +Requires: tzdata-java >= 2020a +# for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, 
@@ -937,6 +962,11 @@ Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release} %endif } +%define java_static_libs_rpo() %{expand: +Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +} + %define java_jmods_rpo() %{expand: # Requires devel package # as jmods are bytecode, they should be OK without any _isa @@ -1073,6 +1103,8 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider Patch1001: rh1655466-global_crypto_and_fips.patch +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +Patch1002: rh1818909-fips_default_keystore_type.patch ############################################# # @@ -1143,7 +1175,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel %ifnarch %{jit_arches} BuildRequires: libffi-devel %endif -BuildRequires: tzdata-java >= 2015d +# 2020a required as of JDK-8243541 in 11.0.8+4 +BuildRequires: tzdata-java >= 2020a # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1216,6 +1249,27 @@ The %{origin_nice} development tools %{majorver}. %endif %if %{include_normal_build} +%package static-libs +Summary: %{origin_nice} libraries for static linking %{majorver} + +%{java_static_libs_rpo %{nil}} + +%description static-libs +The %{origin_nice} libraries for static linking %{majorver}. +%endif + +%if %{include_debug_build} +%package static-libs-slowdebug +Summary: %{origin_nice} libraries for static linking %{majorver} %{debug_on} + +%{java_static_libs_rpo -- %{debug_suffix_unquoted}} + +%description static-libs-slowdebug +The %{origin_nice} libraries for static linking %{majorver}. +%{debug_warning} +%endif + +%if %{include_normal_build} %package jmods Summary: JMods for %{origin_nice} %{majorver} Group: Development/Tools 
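Review bot: The `%description static-libs` text carries no maintenance caveat, although the archives listed in `files_static_libs` include crypto and security code such as `libsunec.a` and `libj2pkcs11.a`. Anything linked against them embeds its own copy, which later JDK package updates do not replace. A line in both the static-libs and static-libs-slowdebug descriptions, such as `Programs linked against these libraries must be relinked after each JDK security update.`, would make that explicit to consumers.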
@@ -1360,6 +1414,7 @@ popd # openjdk %patch1000 %patch1001 +%patch1002 # Extract systemtap tapsets %if %{with_systemtap} @@ -1547,6 +1602,11 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image} +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c + # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib do @@ -1680,6 +1740,9 @@ pushd %{buildoutputdir $suffix}/images/%{jdkimage} rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man popd +# Install static libs artefacts +cp -a %{buildoutputdir -- $suffix}/images/%{static_libs_image}/lib/*.a \ + $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib if ! echo $suffix | grep -q "debug" ; then @@ -1863,6 +1926,9 @@ require "copy_jdk_configs.lua" %files devel %{files_devel %{nil}} +%files static-libs +%{files_static_libs %{nil}} + %files jmods %{files_jmods %{nil}} @@ -1893,6 +1959,9 @@ require "copy_jdk_configs.lua" %files devel-slowdebug %{files_devel -- %{debug_suffix_unquoted}} +%files static-libs-slowdebug +%{files_static_libs -- %{debug_suffix_unquoted}} + %files jmods-slowdebug %{files_jmods -- %{debug_suffix_unquoted}} 
@@ -1905,6 +1974,45 @@ require "copy_jdk_configs.lua" %endif %changelog +* Thu Jun 18 2020 Andrew Hughes - 1:11.0.8.6-0.1.ea +- Update to shenandoah-jdk-11.0.8+6 (EA) +- Resolves: rhbz#1838811 + +* Tue Jun 09 2020 Severin Gehwolf - 1:11.0.8.5-0.2.ea +- Disable stripping of debug symbols for static libraries part of + the -static-libs sub-package. +- Resolves: rhbz#1839084 + +* Sun Jun 07 2020 Andrew Hughes - 1:11.0.8.5-0.1.ea +- Update to shenandoah-jdk-11.0.8+5 (EA) +- Resolves: rhbz#1838811 + +* Tue Jun 02 2020 Andrew John Hughes - 1:11.0.8.4-0.3.ea +- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). +- Resolves: rhbz#1725961 + +* Mon Jun 01 2020 Andrew John Hughes - 1:11.0.8.4-0.2.ea +- Use appropriate keystore types when in FIPS mode. +- Resolves: rhbz#1818909 + +* Mon May 25 2020 Andrew Hughes - 1:11.0.8.4-0.1.ea +- Update to shenandoah-jdk-11.0.8+4 (EA) +- Require tzdata 2020a due to resource changes in JDK-8243541 +- Resolves: rhbz#1838811 + +* Mon May 25 2020 Andrew Hughes - 1:11.0.8.3-0.1.ea +- Update to shenandoah-jdk-11.0.8+3 (EA) +- Resolves: rhbz#1838811 + +* Mon May 25 2020 Severin Gehwolf - 1:11.0.8.2-0.2.ea +- Build static-libs-image and add resulting files via -static-libs + sub-package. +- Resolves: rhbz#1839084 + +* Mon May 18 2020 Andrew Hughes - 1:11.0.8.2-0.1.ea +- Update to shenandoah-jdk-11.0.8+2 (EA) +- Resolves: rhbz#1838811 + * Sun May 10 2020 Andrew Hughes - 1:11.0.8.1-0.1.ea - Update to shenandoah-jdk-11.0.8+1 (EA) - Switch to EA mode for 11.0.8 pre-release builds.