From 9d60fafc399b70fb2fc382bc83529a4ae4edb0e3 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 21 2020 22:29:35 +0000
Subject: import java-11-openjdk-11.0.5.10-3.el8
---
diff --git a/.gitignore b/.gitignore
index 313df63..f3e363a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.3+7.tar.xz
+SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index 3aeb008..f6d771b 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-f1e75a992a0dc64caf418414a93fed8f99fb4e18 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.3+7.tar.xz
+1e1a7b4b1df7be1b70de37f84ccb0ded61c7e9ea SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
 cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/SOURCES/jdk8230923-fips_mode_initialisation_failure.patch b/SOURCES/jdk8230923-fips_mode_initialisation_failure.patch
new file mode 100644
index 0000000..8a9040e
--- /dev/null
+++ b/SOURCES/jdk8230923-fips_mode_initialisation_failure.patch
@@ -0,0 +1,208 @@ +# HG changeset patch +# User mbalao +# Date 1568305840 10800 +# Thu Sep 12 13:30:40 2019 -0300 +# Node ID b0436c181872b567c5b8906051fc8836c860541c +# Parent 6d947fcb3ea40ca9d40804db2c8c384f4679e10e +8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file +Reviewed-by: andrew + +diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java +--- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java ++++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java +@@ -179,7 +179,11 @@ + } else if (provName.equals("SunJCE") || provName.equals("com.sun.crypto.provider.SunJCE")) { + p = new com.sun.crypto.provider.SunJCE(); + } else if (provName.equals("SunJSSE") || provName.equals("com.sun.net.ssl.internal.ssl.Provider")) { +- p = new com.sun.net.ssl.internal.ssl.Provider(); ++ if (hasArgument()) { ++ p = new com.sun.net.ssl.internal.ssl.Provider(argument); ++ } else { ++ p = new com.sun.net.ssl.internal.ssl.Provider(); ++ } + } else if (provName.equals("Apple") || provName.equals("apple.security.AppleProvider")) { + // need to use reflection since this class only exists on MacOsx + p = AccessController.doPrivileged(new PrivilegedAction() { +diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java +new file mode 100644 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java +@@ -0,0 +1,131 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. 
++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++/* ++ * @test ++ * @bug 8230923 ++ * @requires (jdk.version.major == 11) & (os.family == "linux") & (os.arch == "amd64" | os.arch == "x86_64") ++ * @modules java.base/com.sun.net.ssl.internal.ssl ++ * @library /test/lib ++ * @run main/othervm/timeout=30 SunJSSEFIPSInit ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++import java.io.File; ++import java.io.FileOutputStream; ++import java.io.IOException; ++import java.nio.file.FileVisitResult; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.nio.file.SimpleFileVisitor; ++import java.nio.file.attribute.BasicFileAttributes; ++import java.security.Security; ++import java.util.ArrayList; ++import java.util.List; ++ ++import jdk.test.lib.process.OutputAnalyzer; ++import jdk.test.lib.process.ProcessTools; ++ ++public class SunJSSEFIPSInit { ++ private static String lineSep = System.lineSeparator(); ++ private static String javaBinPath = System.getProperty("java.home", ".") + ++ File.separator + "bin" + File.separator + "java"; ++ private static String nssConfigFileName = "nss.cfg"; ++ private static String javaSecConfigFileName = "java.security"; ++ private static Path tmpDirPath; ++ public static void main(String[] args) throws Throwable { ++ tmpDirPath = 
Files.createTempDirectory("tmpdir"); ++ try { ++ deployConfigFiles(); ++ List cmds = new ArrayList<>(); ++ cmds.add(javaBinPath); ++ cmds.add("-cp"); ++ cmds.add(System.getProperty("test.classes", ".")); ++ cmds.add("-Djava.security.properties=" + tmpDirPath + ++ File.separator + javaSecConfigFileName); ++ cmds.add(SunJSSEFIPSInitClient.class.getName()); ++ OutputAnalyzer out = ProcessTools.executeCommand( ++ cmds.toArray(new String[cmds.size()])); ++ out.stdoutShouldContain("SunJSSE.isFIPS(): true"); ++ System.out.println("TEST PASS - OK"); ++ } finally { ++ deleteDir(tmpDirPath); ++ } ++ } ++ ++ private static void deployConfigFiles() throws IOException { ++ deployJavaSecurityFile(); ++ deployNssConfigFile(); ++ } ++ ++ private static void deployJavaSecurityFile() throws IOException { ++ int numberOfProviders = Security.getProviders().length; ++ StringBuilder sb = new StringBuilder(); ++ sb.append("security.provider.1=SunPKCS11 " + tmpDirPath + ++ File.separator + nssConfigFileName + lineSep); ++ sb.append("security.provider.2=com.sun.net.ssl.internal.ssl.Provider" + ++ " SunPKCS11-NSS" + lineSep); ++ for (int i = 3; i <= numberOfProviders; i++) { ++ sb.append("security.provider." 
+ i + "=\"\"" + lineSep); ++ } ++ writeFile(javaSecConfigFileName, sb.toString()); ++ } ++ ++ private static void deployNssConfigFile() throws IOException { ++ StringBuilder sb = new StringBuilder(); ++ sb.append("name = NSS" + lineSep); ++ sb.append("nssLibraryDirectory = /usr/lib64" + lineSep); ++ sb.append("nssDbMode = noDb" + lineSep); ++ sb.append("nssModule = crypto" + lineSep); ++ writeFile(nssConfigFileName, sb.toString()); ++ } ++ ++ private static void writeFile(String fileName, String fileContent) ++ throws IOException { ++ try (FileOutputStream fos = new FileOutputStream(new File(tmpDirPath + ++ File.separator + fileName))) { ++ fos.write(fileContent.getBytes()); ++ } ++ } ++ ++ private static void deleteDir(Path directory) throws IOException { ++ Files.walkFileTree(directory, new SimpleFileVisitor() { ++ ++ @Override ++ public FileVisitResult visitFile(Path file, ++ BasicFileAttributes attrs) throws IOException { ++ Files.delete(file); ++ return FileVisitResult.CONTINUE; ++ } ++ ++ @Override ++ public FileVisitResult postVisitDirectory(Path dir, IOException exc) ++ throws IOException { ++ Files.delete(dir); ++ return FileVisitResult.CONTINUE; ++ } ++ }); ++ } ++} ++ +diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java +new file mode 100644 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java +@@ -0,0 +1,42 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.security.Provider; ++import java.security.Security; ++ ++public class SunJSSEFIPSInitClient { ++ public static void main(String[] args) throws Exception { ++ boolean isSunJSSEFIPS = false; ++ Provider[] provs = Security.getProviders(); ++ for (Provider p : provs) { ++ if (p.getName().equals("SunJSSE") && ++ p instanceof com.sun.net.ssl.internal.ssl.Provider) { ++ isSunJSSEFIPS = ((com.sun.net.ssl.internal.ssl.Provider)p).isFIPS(); ++ break; ++ } ++ } ++ System.out.println("SunJSSE.isFIPS(): " + isSunJSSEFIPS); ++ } ++} ++ diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in new file mode 100644 index 0000000..ead27be --- /dev/null +++ b/SOURCES/nss.fips.cfg.in @@ -0,0 +1,6 @@ +name = NSS-FIPS +nssLibraryDirectory = @NSS_LIBDIR@ +nssSecmodDirectory = @NSS_SECMOD@ +nssDbMode = readOnly +nssModule = fips + diff --git a/SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch b/SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch deleted file mode 100644 index 999d74e..0000000 --- a/SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch +++ /dev/null 
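Review bot: `writeFile` in the new `SunJSSEFIPSInit` test builds its target path by string concatenation and writes `fileContent.getBytes()` in the platform default charset, although the class already imports `Files` and `Path`; on the JDK 11 it targets (`@requires jdk.version.major == 11`), `Files.writeString(tmpDirPath.resolve(fileName), fileContent)` replaces the whole try-with-resources body with a fixed UTF-8 encoding. The same `tmpDirPath + File.separator + name` pattern recurs in `main` and `deployJavaSecurityFile`, where `tmpDirPath.resolve(...)` would read more clearly. The `ProviderConfig` change itself is the fix the patch is for, passing `argument` through only when `hasArgument()` is true; the surrounding `if`/`else if` chain starts and ends outside that inner hunk.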
@@ -1,434 +0,0 @@ -diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4 ---- a/make/autoconf/jdk-options.m4 -+++ b/make/autoconf/jdk-options.m4 -@@ -267,9 +267,10 @@ - # - AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC], - [ -+ AC_REQUIRE([LIB_SETUP_MISC_LIBS]) - AC_MSG_CHECKING([if elliptic curve crypto implementation is present]) - -- if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then -+ if test "x${system_nss}" = "xyes" -o -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then - ENABLE_INTREE_EC=true - AC_MSG_RESULT([yes]) - else -diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 ---- a/make/autoconf/libraries.m4 -+++ b/make/autoconf/libraries.m4 -@@ -178,6 +178,48 @@ - AC_SUBST(LIBDL) - LIBS="$save_LIBS" - -+ ############################################################################### -+ # -+ # Check for the NSS libraries -+ # -+ -+ AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries]) -+ -+ # default is bundled -+ DEFAULT_SYSTEM_NSS=no -+ -+ AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss], -+ [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ system_nss=yes -+ ;; -+ *) -+ system_nss=no -+ ;; -+ esac -+ ], -+ [ -+ system_nss=${DEFAULT_SYSTEM_NSS} -+ ]) -+ AC_MSG_RESULT([$system_nss]) -+ -+ if test "x${system_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS_SOFTTKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no]) -+ PKG_CHECK_MODULES(NSS, nss >= 3.16.1, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_SOFTOKN_FOUND}" = "xyes" -a "x${NSS_FOUND}" = "xyes"; then -+ NSS_LIBS="$NSS_SOFTOKN_LIBS $NSS_LIBS -lfreebl"; -+ USE_EXTERNAL_NSS=true -+ else -+ AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.]) -+ fi -+ else -+ USE_EXTERNAL_NSS=false -+ fi -+ AC_SUBST(USE_EXTERNAL_NSS) -+ -+ - # Deprecated libraries, keep the flags for backwards 
compatibility - if test "x$OPENJDK_TARGET_OS" = "xwindows"; then - BASIC_DEPRECATED_ARG_WITH([dxsdk]) -diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in ---- a/make/autoconf/spec.gmk.in -+++ b/make/autoconf/spec.gmk.in -@@ -795,6 +795,10 @@ - # Libraries - # - -+USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+ - USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ - LCMS_CFLAGS:=@LCMS_CFLAGS@ - LCMS_LIBS:=@LCMS_LIBS@ -diff --git a/make/lib/Lib-jdk.crypto.ec.gmk b/make/lib/Lib-jdk.crypto.ec.gmk ---- a/make/lib/Lib-jdk.crypto.ec.gmk -+++ b/make/lib/Lib-jdk.crypto.ec.gmk -@@ -38,6 +38,11 @@ - BUILD_LIBSUNEC_CXXFLAGS_JDKLIB := $(CXXFLAGS_JDKLIB) - endif - -+ ifeq ($(USE_EXTERNAL_NSS), true) -+ BUILD_LIBSUNEC_CFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC -+ BUILD_LIBSUNEC_CXXFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC -+ endif -+ - $(eval $(call SetupJdkLibrary, BUILD_LIBSUNEC, \ - NAME := sunec, \ - TOOLCHAIN := TOOLCHAIN_LINK_CXX, \ -@@ -47,9 +52,11 @@ - CXXFLAGS := $(BUILD_LIBSUNEC_CXXFLAGS_JDKLIB), \ - DISABLED_WARNINGS_gcc := sign-compare implicit-fallthrough, \ - DISABLED_WARNINGS_microsoft := 4101 4244 4146 4018, \ -- LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \ -+ LDFLAGS := $(subst -Xlinker --as-needed,, \ -+ $(subst -Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) $(LDFLAGS_CXX_JDK), \ - LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \ - LIBS := $(LIBCXX), \ -+ LIBS_linux := -lc $(NSS_LIBS), \ - )) - - TARGETS += $(BUILD_LIBSUNEC) -diff --git a/src/java.base/unix/native/include/jni_md.h b/src/java.base/unix/native/include/jni_md.h ---- a/src/java.base/unix/native/include/jni_md.h -+++ b/src/java.base/unix/native/include/jni_md.h -@@ -41,6 +41,11 @@ - #define JNIEXPORT - #define JNIIMPORT - #endif -+#if (defined(__GNUC__)) || __has_attribute(unused) -+ #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__)) -+#else -+ #define UNUSED(x) UNUSED_ ## x -+#endif - - #define JNICALL 
- -diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -61,6 +61,7 @@ - AccessController.doPrivileged(new PrivilegedAction() { - public Void run() { - System.loadLibrary("sunec"); // check for native library -+ initialize(); - return null; - } - }); -@@ -293,6 +294,11 @@ - "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); - } - -+ /** -+ * Initialize the native code. -+ */ -+ private static native void initialize(); -+ - private void putXDHEntries() { - - HashMap ATTRS = new HashMap<>(1); -diff --git a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp ---- a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp -+++ b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp -@@ -25,7 +25,11 @@ - - #include - #include "jni_util.h" -+#ifdef SYSTEM_NSS -+#include "ecc_impl.h" -+#else - #include "impl/ecc_impl.h" -+#endif - #include "sun_security_ec_ECDHKeyAgreement.h" - #include "sun_security_ec_ECKeyPairGenerator.h" - #include "sun_security_ec_ECDSASignature.h" -@@ -33,6 +37,13 @@ - #define INVALID_PARAMETER_EXCEPTION \ - "java/security/InvalidParameterException" - #define KEY_EXCEPTION "java/security/KeyException" -+#define INTERNAL_ERROR "java/lang/InternalError" -+ -+#ifdef SYSTEM_NSS -+#define SYSTEM_UNUSED(x) UNUSED(x) -+#else -+#define SYSTEM_UNUSED(x) x -+#endif - - extern "C" { - -@@ -55,8 +66,13 @@ - /* - * Deep free of the ECParams struct - */ --void FreeECParams(ECParams *ecparams, jboolean freeStruct) -+void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct)) - { -+#ifdef SYSTEM_NSS -+ // Needs to be freed using the matching method to the one -+ // that allocated it. PR_TRUE means the memory is zeroed. 
-+ PORT_FreeArena(ecparams->arena, PR_TRUE); -+#else - // Use B_FALSE to free the SECItem->data element, but not the SECItem itself - // Use B_TRUE to free both - -@@ -70,6 +86,7 @@ - SECITEM_FreeItem(&ecparams->curveOID, B_FALSE); - if (freeStruct) - free(ecparams); -+#endif - } - - jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem) -@@ -139,7 +156,7 @@ - */ - JNIEXPORT jobjectArray - JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair -- (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed) -+ (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed) - { - ECPrivateKey *privKey = NULL; // contains both public and private values - ECParams *ecparams = NULL; -@@ -171,8 +188,17 @@ - env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer); - - // Generate the new keypair (using the supplied seed) -+#ifdef SYSTEM_NSS -+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength) -+ != SECSuccess) { -+ ThrowException(env, KEY_EXCEPTION); -+ goto cleanup; -+ } -+ if (EC_NewKey(ecparams, &privKey) != SECSuccess) { -+#else - if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer, - jSeedLength, 0) != SECSuccess) { -+#endif - ThrowException(env, KEY_EXCEPTION); - goto cleanup; - } -@@ -219,10 +245,15 @@ - } - if (privKey) { - FreeECParams(&privKey->ecParams, false); -+#ifndef SYSTEM_NSS -+ // The entire ECPrivateKey is allocated in the arena -+ // when using system NSS, so only the in-tree version -+ // needs to clear these manually. 
- SECITEM_FreeItem(&privKey->version, B_FALSE); - SECITEM_FreeItem(&privKey->privateValue, B_FALSE); - SECITEM_FreeItem(&privKey->publicValue, B_FALSE); - free(privKey); -+#endif - } - - if (pSeedBuffer) { -@@ -240,7 +271,7 @@ - */ - JNIEXPORT jbyteArray - JNICALL Java_sun_security_ec_ECDSASignature_signDigest -- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) - { - jbyte* pDigestBuffer = NULL; - jint jDigestLength = env->GetArrayLength(digest); -@@ -299,8 +330,18 @@ - env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer); - - // Sign the digest (using the supplied seed) -+#ifdef SYSTEM_NSS -+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength) -+ != SECSuccess) { -+ ThrowException(env, KEY_EXCEPTION); -+ goto cleanup; -+ } -+ if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item) -+ != SECSuccess) { -+#else - if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item, - (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) { -+#endif - ThrowException(env, KEY_EXCEPTION); - goto cleanup; - } -@@ -349,7 +390,7 @@ - */ - JNIEXPORT jboolean - JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest -- (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams) - { - jboolean isValid = false; - -@@ -406,9 +447,10 @@ - - cleanup: - { -- if (params_item.data) -+ if (params_item.data) { - env->ReleaseByteArrayElements(encodedParams, - (jbyte *) params_item.data, JNI_ABORT); -+ } - - if (pubKey.publicValue.data) - env->ReleaseByteArrayElements(publicKey, -@@ -434,7 +476,7 @@ - */ - JNIEXPORT jbyteArray - JNICALL 
Java_sun_security_ec_ECDHKeyAgreement_deriveKey -- (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) -+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams) - { - jbyteArray jSecret = NULL; - ECParams *ecparams = NULL; -@@ -510,9 +552,10 @@ - env->ReleaseByteArrayElements(publicKey, - (jbyte *) publicValue_item.data, JNI_ABORT); - -- if (params_item.data) -+ if (params_item.data) { - env->ReleaseByteArrayElements(encodedParams, - (jbyte *) params_item.data, JNI_ABORT); -+ } - - if (ecparams) - FreeECParams(ecparams, true); -@@ -521,4 +564,28 @@ - return jSecret; - } - -+JNIEXPORT void -+JNICALL Java_sun_security_ec_SunEC_initialize -+ (JNIEnv *env, jclass UNUSED(clazz)) -+{ -+#ifdef SYSTEM_NSS -+ if (SECOID_Init() != SECSuccess) { -+ ThrowException(env, INTERNAL_ERROR); -+ } -+ if (RNG_RNGInit() != SECSuccess) { -+ ThrowException(env, INTERNAL_ERROR); -+ } -+#endif -+} -+ -+JNIEXPORT void -+JNICALL JNI_OnUnload -+ (JavaVM *vm, void *reserved) -+{ -+#ifdef SYSTEM_NSS -+ RNG_RNGShutdown(); -+ SECOID_Shutdown(); -+#endif -+} -+ - } /* extern "C" */ ---- a/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-11 00:01:25.000000000 -0500 -+++ b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-14 03:52:54.145695946 -0500 -@@ -45,7 +45,19 @@ - #endif - - #include -+ -+#ifdef SYSTEM_NSS -+#include -+#include -+#include -+#ifdef LEGACY_NSS -+#include -+#else -+#include -+#endif -+#else - #include "ecl-exp.h" -+#endif - - /* - * Multi-platform definitions -@@ -96,6 +108,7 @@ - * Various structures and definitions from NSS are here. 
- */ - -+#ifndef SYSTEM_NSS - #ifdef _KERNEL - #define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f)) - #define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f)) -@@ -130,9 +143,12 @@ - #define PORT_Memcpy(t, f, l) memcpy((t), (f), (l)) - #endif - -+#endif -+ - #define CHECK_OK(func) if (func == NULL) goto cleanup - #define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup - -+#ifndef SYSTEM_NSS - typedef enum { - siBuffer = 0, - siClearDataBuffer = 1, -@@ -229,6 +245,7 @@ - SECFailure = -1, - SECSuccess = 0 - } SECStatus; -+#endif - - #ifdef _KERNEL - #define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l)) -@@ -237,8 +254,10 @@ - This function is no longer required because the random bytes are now - supplied by the caller. Force a failure. - */ -+#ifndef SYSTEM_NSS - #define RNG_GenerateGlobalRandomBytes(p,l) SECFailure - #endif -+#endif - #define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup - #define MP_TO_SEC_ERROR(err) - -@@ -248,11 +267,18 @@ - extern int ecc_knzero_random_generator(uint8_t *, size_t); - extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t); - -+#ifdef SYSTEM_NSS -+#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b) -+#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c) -+#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e) -+#else - extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int); -+ - extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int); - extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *, - int); - extern void SECITEM_FreeItem(SECItem *, boolean_t); -+ - /* This function has been modified to accept an array of random bytes */ - extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey, - const unsigned char* random, int randomlen, int); -@@ -263,9 +289,10 @@ - const SECItem *, int); - extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t, - SECItem *, int); -+#endif - 
- #ifdef __cplusplus - } - #endif - --#endif /* _ECC_IMPL_H */ -+#endif /* _ECC_IMPL_H */ diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh index 4ec68b7..f3be341 100644 --- a/SOURCES/remove-intree-libraries.sh +++ b/SOURCES/remove-intree-libraries.sh @@ -128,10 +128,4 @@ rm -vf ${LCMS_SRC}/lcms2.h rm -vf ${LCMS_SRC}/lcms2_internal.h rm -vf ${LCMS_SRC}/lcms2_plugin.h -# Get rid of in-tree SunEC until RH1656676 is implemented -echo "Removing SunEC native code" -mv -v src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h . -rm -vrf src/jdk.crypto.ec/share/native/libsunec/impl -mv -v ecc_impl.h src/jdk.crypto.ec/share/native/libsunec - diff --git a/SOURCES/rh1022017-reduce_ssl_curves.patch b/SOURCES/rh1022017-reduce_ssl_curves.patch deleted file mode 100644 index 6dab416..0000000 --- a/SOURCES/rh1022017-reduce_ssl_curves.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -diff --git openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java ---- openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java -+++ openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java -@@ -515,50 +515,19 @@ - } - } else { // default groups - NamedGroup[] groups; -- if (requireFips) { -- groups = new NamedGroup[] { -- // only NIST curves in FIPS mode -- NamedGroup.SECP256_R1, -- NamedGroup.SECP384_R1, -- NamedGroup.SECP521_R1, -- NamedGroup.SECT283_K1, -- NamedGroup.SECT283_R1, -- NamedGroup.SECT409_K1, -- NamedGroup.SECT409_R1, -- NamedGroup.SECT571_K1, -- NamedGroup.SECT571_R1, -+ groups = new NamedGroup[] { -+ // only NIST curves in FIPS mode -+ NamedGroup.SECP256_R1, -+ NamedGroup.SECP384_R1, -+ NamedGroup.SECP521_R1, - -- // FFDHE 2048 -- NamedGroup.FFDHE_2048, -- NamedGroup.FFDHE_3072, -- NamedGroup.FFDHE_4096, -- NamedGroup.FFDHE_6144, -- NamedGroup.FFDHE_8192, -- }; -- } else { -- groups = new NamedGroup[] { -- // NIST curves first -- NamedGroup.SECP256_R1, -- NamedGroup.SECP384_R1, -- NamedGroup.SECP521_R1, -- NamedGroup.SECT283_K1, -- NamedGroup.SECT283_R1, -- NamedGroup.SECT409_K1, -- NamedGroup.SECT409_R1, -- NamedGroup.SECT571_K1, -- NamedGroup.SECT571_R1, -- -- // non-NIST curves -- NamedGroup.SECP256_K1, -- -- // FFDHE 2048 -- NamedGroup.FFDHE_2048, -- NamedGroup.FFDHE_3072, -- NamedGroup.FFDHE_4096, -- NamedGroup.FFDHE_6144, -- NamedGroup.FFDHE_8192, -- }; -- } -+ // FFDHE 2048 -+ NamedGroup.FFDHE_2048, -+ NamedGroup.FFDHE_3072, -+ NamedGroup.FFDHE_4096, -+ NamedGroup.FFDHE_6144, -+ NamedGroup.FFDHE_8192, -+ }; - - groupList = new ArrayList<>(groups.length); - for (NamedGroup group : groups) { diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch new file mode 100644 index 0000000..1c67c83 
--- /dev/null
+++ b/SOURCES/rh1655466-global_crypto_and_fips.patch
@@ -0,0 +1,205 @@ +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java +--- openjdk.orig///src/java.base/share/classes/java/security/Security.java ++++ openjdk///src/java.base/share/classes/java/security/Security.java +@@ -196,26 +196,8 @@ + if (disableSystemProps == null && + "true".equalsIgnoreCase(props.getProperty + ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); ++ if (SystemConfigurator.configure(props)) { + loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } + } + } + +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +--- /dev/null ++++ openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,151 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.nio.file.Files; ++import java.nio.file.Path; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++import java.util.function.Consumer; ++import java.util.regex.Matcher; ++import java.util.regex.Pattern; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. 
++ * ++ */ ++ ++class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static final String CRYPTO_POLICIES_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/config"; ++ ++ private static final class SecurityProviderInfo { ++ int number; ++ String key; ++ String value; ++ SecurityProviderInfo(int number, String key, String value) { ++ this.number = number; ++ this.key = key; ++ this.value = value; ++ } ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configure(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ loadedProps = false; ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) 
props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ loadedProps = true; ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /* ++ * FIPS is enabled only if crypto-policies are set to "FIPS" ++ * and the com.redhat.fips property is true. ++ */ ++ private static boolean enableFips() throws Exception { ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false")); ++ if (fipsEnabled) { ++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); ++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } ++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); ++ return pattern.matcher(cryptoPoliciesConfig).find(); ++ } else { ++ return false; ++ } ++ } ++} +diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security +--- openjdk.orig///src/java.base/share/conf/security/java.security ++++ openjdk///src/java.base/share/conf/security/java.security +@@ -87,6 +87,14 @@ + #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ ++# + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. + # Entries containing errors (parsing, etc) will be ignored. Use the 
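Review bot: In `SystemConfigurator.configure`, the `catch (Exception e)` around the FIPS block only prints when `sdebug` is non-null, so if `com.redhat.fips` is true but reading `/etc/crypto-policies/config` fails, or an error occurs after the `security.provider.*` entries have already been removed from `props`, the JVM continues with a silently downgraded or partially emptied provider list and `loadedProps` is left false. For a FIPS switch that is fail-open; if fail-closed is the intent, rethrow instead of logging, e.g. `throw new SecurityException("unable to apply FIPS configuration", e);`, and otherwise document the fallback above `configure` with `/* On any failure the caller's default provider list is used; FIPS is best-effort. */` — assuming that is what the caller in `Security` does with a false return, which is outside this hunk. Separately, `enableFips` decodes the policy file with `new String(Files.readAllBytes(...))`, i.e. in the platform charset; since the file already uses `Path.of` (Java 11), `Files.readString(Path.of(CRYPTO_POLICIES_CONFIG))` is the direct equivalent with fixed UTF-8 decoding. The `^FIPS$` pattern would also not match a policy line carrying any suffix, should the config format allow one; if that is intentional, a comment on the pattern would say so.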
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index d01b03e..0ef5043 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -121,10 +121,12 @@ %endif %if %{bootstrap_build} -%global targets bootcycle-images all docs +%global release_targets bootcycle-images docs-zip %else -%global targets all docs +%global release_targets images docs-zip %endif +# No docs nor bootcycle for debug builds +%global debug_targets images # Filter out flags from the optflags macro that cause problems with the OpenJDK build @@ -141,14 +143,6 @@ # looks like openjdk RPM specific bug # Always set this so the nss.cfg file is not broken %global NSS_LIBDIR %(pkg-config --variable=libdir nss) -%global NSS_LIBS %(pkg-config --libs nss) -%global NSS_CFLAGS %(pkg-config --cflags nss-softokn) -# see https://bugzilla.redhat.com/show_bug.cgi?id=1332456 -%global NSSSOFTOKN_BUILDTIME_NUMBER %(pkg-config --modversion nss-softokn || : ) -%global NSS_BUILDTIME_NUMBER %(pkg-config --modversion nss || : ) -# this is workaround for processing of requires during srpm creation -%global NSSSOFTOKN_BUILDTIME_VERSION %(if [ "x%{NSSSOFTOKN_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSSSOFTOKN_BUILDTIME_NUMBER}" ;fi) -%global NSS_BUILDTIME_VERSION %(if [ "x%{NSS_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSS_BUILDTIME_NUMBER}" ;fi) # In some cases, the arch used by the JDK does # not match _arch. @@ -206,7 +200,7 @@ # New Version-String scheme-style defines %global majorver 11 -%global securityver 3 +%global securityver 5 # buildjdkver is usually same as %%{majorver}, # but in time of bootstrap of next jdk, it is majorver-1, # and this it is better to change it here, on single place 
@@ -228,7 +222,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global minorver 0 -%global buildver 7 +%global buildver 10 +%global rpmrelease 3 #%%global tagsuffix "" # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -241,6 +236,23 @@ %global javaver %{majorver} +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global ea_designator "" +%global ea_designator_zip "" +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + # parametrized macros are order-sensitive %global compatiblename java-%{majorver}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} @@ -563,6 +575,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist %endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar %{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja @@ -648,6 +661,7 @@ exit 0 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security %config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access # this is conifg template, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template 
@@ -819,7 +833,9 @@ Requires: libXcomposite%{?_isa} Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # for java-X-openjdk package's desktop binding +%if 0%{?rhel} >= 8 Recommends: gtk3%{?_isa} +%endif Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} @@ -844,9 +860,6 @@ Requires: javapackages-filesystem Requires: tzdata-java >= 2015d # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} -# there is a need to depend on the exact version of NSS -Requires: nss%{?_isa} %{NSS_BUILDTIME_VERSION} -Requires: nss-softokn%{?_isa} %{NSSSOFTOKN_BUILDTIME_VERSION} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression @@ -863,7 +876,9 @@ Requires(postun): %{_sbindir}/alternatives # in version 1.7 and higher for --family switch Requires(postun): chkconfig >= 1.7 # for optional support of kernel stream control, card reader and printing bindings +%if 0%{?rhel} >= 8 Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa} +%endif # Standard JPackage base provides Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} @@ -963,7 +978,7 @@ Provides: java-src%{?1} = %{epoch}:%{version}-%{release} Name: java-%{javaver}-%{origin} Version: %{newjavaver}.%{buildver} -Release: 3%{?dist} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a 
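Review bot: Dropping the versioned `Requires: nss` and `Requires: nss-softokn` leaves nothing in the headless package that guarantees the NSS libraries are installed, yet nss.cfg and the new nss.fips.cfg shipped by this import still point SunPKCS11 at `%{NSS_LIBDIR}`, and in FIPS mode the provider at position 1 is loaded from there; a system without NSS will now fail at provider initialisation (how gracefully depends on the provider-loading code, which is not in this chunk) instead of at install time. The hunk itself keeps `Requires: lksctp-tools%{?_isa}` for a library that is only dlopen'ed, so the established precedent is to express runtime loads as dependencies; consider unversioned `Requires: nss%{?_isa}` and `Requires: nss-softokn%{?_isa}` (exact-version pinning was the stated problem, not the dependency itself), or at least `Recommends:` inside the same `%if 0%{?rhel} >= 8` guard used for gtk3. If the dependency is intentionally left to the crypto-policies/FIPS tooling, replace the removed comment with one saying so.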
@@ -1016,29 +1031,23 @@ Source13: TestCryptoLevel.java
 # Ensure ECDSA is working
 Source14: TestECDSA.java
+# nss fips configuration file
+Source15: nss.fips.cfg.in
+
 ############################################
 #
 # RPM/distribution specific patches
 #
 ############################################
-# NSS via SunPKCS11 Provider (disabled comment
-# due to memory leak).
-Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
-
 # Ignore AWTError when assistive technologies are loaded
 Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
 # Restrict access to java-atk-wrapper classes
 Patch2: rh1648644-java_access_bridge_privileged_security.patch
-# PR1834, RH1022017: Reduce curves reported by SSL to those in NSS
-# Not currently suitable to go upstream as it disables curves
-# for all providers unconditionally
-Patch525: rh1022017-reduce_ssl_curves.patch
-Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
-Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# System NSS via SunEC Provider
-Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+# NSS via SunPKCS11 Provider (disabled due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+Patch1001: rh1655466-global_crypto_and_fips.patch
 #############################################
 #
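Review bot: The header for Patch1000 says the SunPKCS11/NSS provider is kept commented out because of a memory leak, and the very next line adds Patch1001, which enables that same SunPKCS11/NSS provider (as `fips.provider.1`) whenever the FIPS crypto-policy is active; the patch list should state whether the leak affects the FIPS path as well. Suggest expanding the Patch1001 comment along the lines of `# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider (same NSS/SunPKCS11 code path as Patch1000 — leak status tracked in the RH bug)`, so the next maintainer does not read Patch1000's caveat as a reason the FIPS path was never exercised. Placing Patch1000 and Patch1001 next to each other is otherwise a readability improvement over the old layout.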
@@ -1050,10 +1059,16 @@ Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_s ############################################# # -# OpenJDK specific patches +# Upstreamable patches # +# This section includes patches which need to +# be reviewed & pushed to the current development +# tree of OpenJDK. ############################################# +Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch +# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy +Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch # RH1566890: CVE-2018-3639 Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch # PR3695: Allow use of system crypto policy to be disabled by the user @@ -1063,6 +1078,18 @@ Patch8: s390-8214206_fix.patch ############################################# # +# Patches appearing in 11.0.6 +# +# This section includes patches which are present +# in the listed OpenJDK 8u release and should be +# able to be removed once that release is out +# and used by this RPM. +############################################# +# JDK-8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file +Patch11: jdk8230923-fips_mode_initialisation_failure.patch + +############################################# +# # JDK 9+ only patches # ############################################# @@ -1075,12 +1102,11 @@ BuildRequires: cups-devel BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel -BuildRequires: fontconfig +BuildRequires: fontconfig-devel BuildRequires: freetype-devel BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: gtk3-devel BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel 
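Review bot: The new section header reads `# Patches appearing in 11.0.6` but the explanatory text two lines below says `# in the listed OpenJDK 8u release and should be`, which looks like a leftover from an 8u spec this block was copied from; change it to `# in the listed OpenJDK 11u release and should be`. The `Upstreamable patches` description added in the first hunk is a good pattern — the `JDK 9+ only patches` section right after it would benefit from the same one-line statement of what belongs there.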
@@ -1088,6 +1114,8 @@ BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXi-devel BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel # Requirements for setting up the nss.cfg @@ -1105,8 +1133,6 @@ BuildRequires: libffi-devel BuildRequires: tzdata-java >= 2015d # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 -# Build requirements for SunEC system NSS support -BuildRequires: nss-softokn-freebl-devel >= 3.16.1 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel @@ -1251,6 +1277,7 @@ The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice Summary: %{origin_nice} %{majorver} API documentation Group: Documentation Requires: javapackages-filesystem +Obsoletes: javadoc-debug %{java_javadoc_rpo %{nil}} @@ -1263,6 +1290,7 @@ The %{origin_nice} %{majorver} API documentation. Summary: %{origin_nice} %{majorver} API documentation compressed in single archive Group: Documentation Requires: javapackages-filesystem +Obsoletes: javadoc-zip-debug %{java_javadoc_rpo %{nil}} 
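Review bot: `Obsoletes: javadoc-debug` and `Obsoletes: javadoc-zip-debug` are bare and unversioned: unless a package literally named `javadoc-debug` ever shipped, they match nothing, whereas the sub-packages this same import deletes are `%{name}-javadoc-slowdebug` and `%{name}-javadoc-zip-slowdebug`. An unversioned Obsoletes also keeps obsoleting any future package of that name indefinitely, which rpmlint flags. Suggest `Obsoletes: %{name}-javadoc-slowdebug < %{epoch}:%{version}-%{release}` on the javadoc package and the matching `-zip-` form on javadoc-zip, or, if the old name really was `javadoc-debug`, a comment saying which release used it.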
@@ -1270,31 +1298,6 @@ Requires: javapackages-filesystem
 The %{origin_nice} %{majorver} API documentation compressed in single archive.
 %endif
-%if %{include_debug_build}
-%package javadoc-slowdebug
-Summary: %{origin_nice} %{majorver} API documentation %{for_debug}
-Group: Documentation
-Requires: javapackages-filesystem
-
-%{java_javadoc_rpo -- %{debug_suffix_unquoted}}
-
-%description javadoc-slowdebug
-The %{origin_nice} %{majorver} API documentation %{for_debug}.
-%endif
-
-%if %{include_debug_build}
-%package javadoc-zip-slowdebug
-Summary: %{origin_nice} %{majorver} API documentation compressed in single archive %{for_debug}
-Group: Documentation
-Requires: javapackages-filesystem
-
-%{java_javadoc_rpo -- %{debug_suffix_unquoted}}
-
-%description javadoc-zip-slowdebug
-The %{origin_nice} %{majorver} API documentation compressed in single archive %{for_debug}.
-%endif
-
-
 %prep
 if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
 echo "include_normal_build is %{include_normal_build}"
@@ -1329,14 +1332,14 @@ pushd %{top_level_dir_name}
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-%patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
-%patch525 -p1
+%patch11 -p1
 popd # openjdk
 %patch1000
+%patch1001
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -1382,6 +1385,9 @@ done
 # Setup nss.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg
+sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
 %build
 # How many CPU's do we have?
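Review bot: `/etc/pki/nssdb` is hard-coded into the `sed -i` that fills in `@NSS_SECMOD@`, while every other path in this spec goes through RPM macros; use `%{_sysconfdir}/pki/nssdb` and add a comment that this is the directory SunPKCS11 will use for the NSS secmod/certificate database in FIPS mode, since whoever later moves that database needs to know a JDK config depends on it. The template itself (Source15) is not visible here, so I am assuming it carries both the `@NSS_LIBDIR@` and `@NSS_SECMOD@` tokens. The two sed passes over the same file could also be a single `sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" -e "s:@NSS_SECMOD@:%{_sysconfdir}/pki/nssdb:g" %{SOURCE15} > nss.fips.cfg`, matching how nss.cfg is generated one line above.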
@@ -1433,14 +1439,13 @@ bash ../configure \ --with-jobs=1 \ %endif --with-version-build=%{buildver} \ - --with-version-pre="" \ + --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ --with-vendor-version-string="%{vendor_version_string}" \ --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ --with-debug-level=$debugbuild \ --with-native-debug-symbols=internal \ --enable-unlimited-crypto \ - --enable-system-nss \ --with-zlib=system \ --with-libjpeg=system \ --with-giflib=system \ @@ -1457,14 +1462,18 @@ bash ../configure \ %endif --disable-warnings-as-errors +# Debug builds don't need same targets as release for +# build speed-up +maketargets="%{release_targets}" +if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" +fi make \ JAVAC_FLAGS=-g \ LOG=trace \ WARNINGS_ARE_ERRORS="-Wno-error" \ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - %{targets} || ( pwd; find $top_dir_abs_path -name "hs_err_pid*.log" | xargs cat && false ) - -make docs-zip + $maketargets || ( pwd; find $top_dir_abs_path -name "hs_err_pid*.log" | xargs cat && false ) # the build (erroneously) removes read permissions from some jars # this is a regression in OpenJDK 7 (our compiler): @@ -1484,6 +1493,9 @@ export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/conf/security/ +# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) +install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ + # Use system-wide tzdata rm $JAVA_HOME/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat @@ -1498,7 +1510,7 @@ for suffix in %{rev_build_loop} ; do export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} -#check sheandoah is enabled +#check Shenandoah is enabled %if %{use_shenandoah_hotspot} $JAVA_HOME//bin/java -XX:+UseShenandoahGC -version %endif 
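Review bot: Removing `--enable-system-nss` (together with dropping the "System NSS via SunEC Provider" patch earlier in this import) means the SunEC provider in this build is presumably the JDK's bundled EC implementation rather than one backed by the system NSS library, yet the java.security change in the same import registers `fips.provider.3=SunEC` in the FIPS profile; if that is intended, EC operations served by SunEC no longer come from the FIPS-validated softokn module, and anyone relying on the FIPS provider list for compliance should be told. Add a comment next to the removed flag, or better on the fips.provider.3 line, stating whether SunEC stays in the FIPS list only for ancillary use (key parsing, algorithm lookup) or should be dropped so EC goes through SunPKCS11. The `bash ../configure` invocation begins and ends outside this hunk.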
@@ -1646,10 +1658,12 @@ pushd %{buildoutputdir $suffix}/images/%{jdkimage} popd -# Install Javadoc documentation -install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} -cp -a %{buildoutputdir -- $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} -cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{newjavaver}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip +if ! echo $suffix | grep -q "debug" ; then + # Install Javadoc documentation + install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} + cp -a %{buildoutputdir $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix} + cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip +fi # Install icons and menu entries for s in 16 24 32 48 ; do @@ -1799,17 +1813,6 @@ require "copy_jdk_configs.lua" %posttrans devel-slowdebug %{posttrans_devel -- %{debug_suffix_unquoted}} -%post javadoc-slowdebug -%{post_javadoc -- %{debug_suffix_unquoted}} - -%postun javadoc-slowdebug -%{postun_javadoc -- %{debug_suffix_unquoted}} - -%post javadoc-zip-slowdebug -%{post_javadoc_zip -- %{debug_suffix_unquoted}} - -%postun javadoc-zip-slowdebug -%{postun_javadoc_zip -- %{debug_suffix_unquoted}} %endif %if %{include_normal_build} 
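Review bot: The first line of the new javadoc-install block uses `%{buildoutputdir $suffix}` and `%{uniquejavadocdir $suffix}` while the second line and the lines being replaced use `%{buildoutputdir -- $suffix}` / `%{uniquejavadocdir -- $suffix}`; the `--` is what stops an argument beginning with `-` from being parsed as a macro option, so the copy line should read `cp -a %{buildoutputdir -- $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}`. Today only the empty-suffix build reaches this block (the `grep -q "debug"` guard skips the others), so it expands correctly, but the inconsistency will surface as soon as the guard is relaxed. The surrounding `for suffix in …` loop begins outside this hunk.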
@@ -1870,15 +1873,129 @@ require "copy_jdk_configs.lua" %files src-slowdebug %{files_src -- %{debug_suffix_unquoted}} -%files javadoc-slowdebug -%{files_javadoc -- %{debug_suffix_unquoted}} - -%files javadoc-zip-slowdebug -%{files_javadoc_zip -- %{debug_suffix_unquoted}} %endif - %changelog +* Wed Nov 06 2019 Andrew John Hughes - 1:11.0.5.10-3 +- Bump release number for RHEL 8.2.0. +- Resolves: rhbz#1753423 + +* Fri Oct 25 2019 Andrew John Hughes - 1:11.0.5.10-2 +- Disable FIPS mode support unless com.redhat.fips is set to "true". +- Resolves: rhbz#1751845 + +* Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.10-1 +- Update to shenandoah-jdk-11.0.5+10 (GA) +- Switch to GA mode for final release. +- Remove PR1834/RH1022017 which is now handled by JDK-8228825 upstream. +- Resolves: rhbz#1753423 + +* Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.9-0.0.ea +- Update to shenandoah-jdk-11.0.5+9 (EA) +- Resolves: rhbz#1753423 + +* Mon Oct 07 2019 Andrew Hughes - 1:11.0.5.1-0.1.ea +- Update to shenandoah-jdk-11.0.5+1 (EA) +- Switch to EA mode for 11.0.5 pre-release builds. +- Drop JDK-8223482 which is included upstream in 11.0.5+1. +- Resolves: rhbz#1753423 + +* Mon Sep 30 2019 Andrew John Hughes - 1:11.0.4.11-4 +- Backport JDK-8230923 so arguments are passed to security providers. +- Update RH1655466 patch with changes in OpenJDK 8 version. +- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. +- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. +- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. +- Resolves: rhbz#1751845 + +* Tue Aug 13 2019 Martin Balao - 1:11.0.4.11-3 +- Support the FIPS mode crypto policy on RHEL 8. +- Resolves: rhbz#1725961 + +* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-2 +- Drop NSS runtime dependencies and patches to link against it. 
+- Resolves: rhbz#1678554 + +* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-1 +- Update to shenandoah-jdk-11.0.4+11 (GA) +- Switch to GA mode for final release. +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.10-0.1.ea +- Update to shenandoah-jdk-11.0.4+10 (EA) +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.9-0.1.ea +- Update to shenandoah-jdk-11.0.4+9 (EA) +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.8-0.1.ea +- Update to shenandoah-jdk-11.0.4+8 (EA) +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Make use of Recommends and Suggests dependent on RHEL 8+ environment. +- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime. +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew Hughes - 1:11.0.4.7-0.1.ea +- Update to shenandoah-jdk-11.0.4+7 (EA) +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.1.ea +- Obsolete javadoc-debug and javadoc-debug-zip packages via javadoc and javadoc-zip respectively. 
+- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.1.ea +- Update to shenandoah-jdk-11.0.4+6 (EA) +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.5-0.1.ea +- Update to shenandoah-jdk-11.0.4+5 (EA) +- Resolves: rhbz#1724452 + +* Tue Jul 02 2019 Andrew Hughes - 1:11.0.4.4-0.1.ea +- Update to shenandoah-jdk-11.0.4+4 (EA) +- Resolves: rhbz#1724452 + +* Mon Jul 01 2019 Andrew Hughes - 1:11.0.4.3-0.1.ea +- Update to shenandoah-jdk-11.0.4+3 (EA) +- Resolves: rhbz#1724452 + +* Sun Jun 30 2019 Andrew John Hughes - 1:11.0.4.2-0.1.ea +- Update to shenandoah-jdk-11.0.4+2 (EA) +- Resolves: rhbz#1724452 + +* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.4.2-0.1.ea +- Package jspawnhelper (see JDK-8220360). +- Resolves: rhbz#1724452 + +* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.3.7-5 +- Include 'ea' designator in Release when appropriate. +- Resolves: rhbz#1724452 + +* Wed May 22 2019 Andrew Hughes - 1:11.0.3.7-5 +- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately. +- Resolves: rhbz#1724452 + +* Thu Apr 25 2019 Severin Gehwolf - 1:11.0.3.7-4 +- Don't build the test images needlessly. +- Don't produce javadoc/javadoc-zip sub packages for the debug variant build. +- Don't perform a bootcycle build for the debug variant build. +- Resolves: rhbz#1724452 + * Wed Apr 24 2019 Severin Gehwolf - 1:11.0.3.7-3 - Do not generate lib-style requires for -slowdebug subpackages. - Resolves: rhbz#1693468