From a531bcdd9fcc291345553339f3c598bfa005f73e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 20 2021 19:53:33 +0000
Subject: import java-11-openjdk-11.0.12.0.7-4.el8
---
diff --git a/.gitignore b/.gitignore
index 426ee8b..09ab344 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/jdk-updates-jdk11u-jdk-11.0.12+2-4curve.tar.xz
+SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index c64618a..42cb995 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-73e3ecc340440bd249c7c0bd815544d63918aebb SOURCES/jdk-updates-jdk11u-jdk-11.0.12+2-4curve.tar.xz
+7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index 26f6fdb..26c3f66 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -9,6 +9,21 @@ Live versions of these release notes can be found at: * https://bitly.com/openjdk11012 * https://builds.shipilev.net/backports-monitor/release-notes-11.0.12.txt +* Security fixes + - JDK-8256157: Improve bytecode assembly + - JDK-8256491: Better HTTP transport + - JDK-8258432, CVE-2021-2341: Improve file transfers + - JDK-8260453: Improve Font Bounding + - JDK-8260960: Signs of jarsigner signing + - JDK-8260967, CVE-2021-2369: Better jar file validation + - JDK-8262380: Enhance XML processing passes + - JDK-8262403: Enhanced data transfer + - JDK-8262410: Enhanced rules for zones + - JDK-8262477: Enhance String Conclusions + - JDK-8262967: Improve Zip file support + - JDK-8264066, CVE-2021-2388: Enhance compiler validation + - JDK-8264079: Improve abstractions + - JDK-8264460: Improve NTLM support * Other changes - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit - JDK-7106851: Test should not use System.exit 
@@ -17,11 +32,14 @@ Live versions of these release notes can be found at: - JDK-8153005: Upgrade the default PKCS12 encryption/MAC algorithms - JDK-8171303: sun/java2d/pipe/InterpolationQualityTest.java fails on Windows & Linux - JDK-8177068: incomplete classpath causes NPE in Flow + - JDK-8185734: [Windows] Structured Exception Catcher missing around gtest execution - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll - JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit() - JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen + - JDK-8196100: javax/swing/text/JTextComponent/5074573/bug5074573.java fails - JDK-8199646: JShell tests: jdk/jshell/FailOverDirectExecutionControlTest.java failed with java.lang.UnsupportedOperationException - JDK-8206925: Support the certificate_authorities extension + - JDK-8207160: ClassReader::adjustMethodParams can potentially return null if the args list is empty - JDK-8207247: AARCH64: Enable Minimal and Client VM builds - JDK-8207404: MulticastSocket tests failing on AIX - JDK-8207779: Method::is_valid_method() compares 'this' with NULL @@ -38,6 +56,7 @@ Live versions of these release notes can be found at: - JDK-8214854: JDWP: Unforseen output truncation in logging - JDK-8214922: Add vectorization support for fmin/fmax - JDK-8215009: GCC 8 compilation error in libjli + - JDK-8216184: CDS/appCDS tests failed on Windows due to long path to a classlist file - JDK-8216259: AArch64: Vectorize Adler32 intrinsics - JDK-8216314: SIGILL in CodeHeapState::print_names() - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking 
@@ -47,6 +66,7 @@ Live versions of these release notes can be found at: - JDK-8218458: [TESTBUG] runtime/NMT/CheckForProperDetailStackTrace.java fails with Expected stack trace missing from output - JDK-8219142: Remove unused JIMAGE_ResourcePath - JDK-8219586: CodeHeap State Analytics processes dead nmethods + - JDK-8220074: Clean up GCC 8.3 errors in LittleCMS - JDK-8220407: compiler/intrinsics/math/TestFpMinMaxIntrinsics.java timedout - JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/TestUseSHAOptionOnUnsupportedCPU.java fails on any other CPU - JDK-8222412: AARCH64: multiple instructions encoding issues @@ -61,11 +81,14 @@ Live versions of these release notes can be found at: - JDK-8226374: Restrict TLS signature schemes and named groups - JDK-8226627: assert(t->singleton()) failed: must be a constant - JDK-8226721: Missing intrinsics for Math.ceil, floor, rint + - JDK-8227080: (fs) Files.newInputStream(...).skip(n) is slow - JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/Loops04.java failed XMM register should be 0-15 + - JDK-8227609: (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp - JDK-8231460: Performance issue (CodeHeap) with large free blocks - JDK-8231713: x86_32 build failures after JDK-8226721 (Missing intrinsics for Math.ceil, floor, rint) - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns + - JDK-8232084: HotSpot build failed with GCC 9.2.1 - JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl - JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread - JDK-8233787: Break cycle in vm_version* includes 
@@ -75,6 +98,7 @@ Live versions of these release notes can be found at: - JDK-8236859: WebSocket over authenticating proxy fails with NPE - JDK-8236992: AArch64: remove redundant load_klass in itable stub - JDK-8237743: test/langtools/jdk/jshell/FailOverExecutionControlTest.java fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: [] + - JDK-8237804: sun/security/mscapi tests fail with "Key pair not generated, alias already exists" - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers - JDK-8238812: assert(false) failed: bad AD file @@ -84,7 +108,9 @@ Live versions of these release notes can be found at: - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version + - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873 - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string + - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) - JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset - JDK-8241475: AArch64: Add missing support for PopCountVI node - JDK-8241829: Cleanup the code for PrinterJob on windows 
@@ -92,8 +118,10 @@ Live versions of these release notes can be found at: - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01 - JDK-8242429: Better implementation for sign extract - JDK-8242557: Add length limit for strings in PNGImageWriter + - JDK-8242919: Paste locks up jshell - JDK-8243155: AArch64: Add support for SqrtVF - JDK-8243240: AArch64: Add support for MulVB + - JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings - JDK-8243559: Remove root certificates with 1024-bit keys - JDK-8243597: AArch64: Add support for integer vector abs - JDK-8244031: HttpClient should have more tests for HEAD requests @@ -111,11 +139,15 @@ Live versions of these release notes can be found at: - JDK-8248568: compiler/c2/TestBit.java failed: test missing from stdout/stderr - JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable + - JDK-8249189: AARCH64: more L2I conversions can be skipped - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function + - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks - JDK-8250876: Fix issues with cross-compile on macos + - JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits - JDK-8251525: AARCH64: Faster Math.signum(fp) - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE + - JDK-8252311: AArch64: save two words in itable lookup stub - JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525 - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows - JDK-8253167: ARM32 builds fail after JDK-8247910 
@@ -123,9 +155,11 @@ Live versions of these release notes can be found at: - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops - JDK-8253948: Memory leak in ImageFileReader - JDK-8254631: Better support ALPN byte wire values in SunJSSE + - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards - JDK-8255086: Update the root locale display names - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement + - JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0 - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small - JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1 - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned 
@@ -138,19 +172,31 @@ Live versions of these release notes can be found at: - JDK-8257621: JFR StringPool misses cached items across consecutive recordings - JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32 - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check + - JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads + - JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code + - JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m + - JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m + - JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m - JDK-8258414: OldObjectSample events too expensive - JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check + - JDK-8259232: Bad JNI lookup during printing - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization + - JDK-8259343: [macOS] Update JNI error handling in Cocoa code. 
+ - JDK-8259585: Accessible actions do not work on mac os x + - JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl - JDK-8259710: Inlining trace leaks memory + - JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion - JDK-8259777: Incorrect predication condition generated by ADLC - JDK-8259786: initialize last parameter of getpwuid_r - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name + - JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs - JDK-8259886: Improve SSL session cache performance and scalability - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection + - JDK-8260030: Improve stringStream buffer handling - JDK-8260236: better init AnnotationCollector _contended_group - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized - JDK-8260284: C2: assert(_base == Int) failed: Not an Int @@ -158,6 +204,8 @@ Live versions of these release notes can be found at: - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory + - JDK-8260616: Removing remaining JNF dependencies in the java.desktop module + - JDK-8260653: Unreachable nodes keep speculative types alive - JDK-8260707: java/lang/instrument/PremainClass/InheritAgent0100.java times out - JDK-8260925: HttpsURLConnection does not work with other JSSE provider. - JDK-8260926: Trace resource exhausted events unconditionally 
@@ -165,11 +213,14 @@ Live versions of these release notes can be found at: - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code - JDK-8261167: print_process_memory_info add a close call after fopen - JDK-8261170: Upgrade to freetype 2.10.4 + - JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js - JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION + - JDK-8261354: SIGSEGV at MethodIteratorHost - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding - JDK-8261397: try catch Method failing to work when dividing an integer by 0 + - JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/Preconditions.java outOfBoundsMessage - JDK-8261447: MethodInvocationCounters frequently run into overflow - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer @@ -197,6 +248,7 @@ Live versions of these release notes can be found at: - JDK-8263260: [s390] Support latest hardware (z14 and z15) - JDK-8263311: Watch registry changes for remote printers update instead of polling - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors + - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address() - JDK-8263448: CTW: fatal error: meet not symmetric - JDK-8263504: Some OutputMachOpcodes fields are uninitialized 
@@ -204,6 +256,7 @@ Live versions of these release notes can be found at: - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address() - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test + - JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state @@ -216,7 +269,7 @@ Live versions of these release notes can be found at: - JDK-8264640: CMS ParScanClosure misses a barrier - JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched - JDK-8264821: DirectIOTest fails on a system with large block size - - JDK-8264846: [macos] libjvm.dylib linker warning due to macOS version mismatch + - JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo - JDK-8264958: C2 compilation fails with assert "n is later than its clone" - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE 
@@ -224,13 +277,27 @@ Live versions of these release notes can be found at: - JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1 - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build - JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement + - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport + - JDK-8265666: Enable AIX build platform to make external debug symbols - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier - JDK-8265690: Use the latest Ubuntu base image version in Docker testing - JDK-8265718: Build failure after JDK-8258414 11u backport - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414 - JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind + - JDK-8265938: C2's conditional move optimization does not handle top Phi + - JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified + - JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" - JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753 + - JDK-8266802: Shenandoah: Round up region size to page size unconditionally + - JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x + - JDK-8266929: Unable to use algorithms from 3p providers + - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash + - JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC + - JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u + - JDK-8267641: [11u] 8227609 backport typo + - JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64 + - JDK-8268678: 
LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
 Notes on individual issues:
 ===========================
diff --git a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
new file mode 100644
index 0000000..ddf686c
--- /dev/null
+++ b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
@@ -0,0 +1,32 @@
+From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
+From: Severin Gehwolf
+Date: Wed, 14 Jul 2021 12:06:39 +0200
+Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
+
+---
+ src/hotspot/os/linux/os_linux.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
+index e8baf704e3a..12b75b733b5 100644
+--- a/src/hotspot/os/linux/os_linux.cpp
++++ b/src/hotspot/os/linux/os_linux.cpp
+@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
+ // 7: The default directories, normally /lib and /usr/lib.
+ #if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
+ #define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
++#else
++#if defined(AARCH64)
++ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
++ // might not adhere to the FHS and it would be a change in behaviour if we used
++ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
++ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
+ #else
+ #define DEFAULT_LIBPATH "/lib:/usr/lib"
++#endif // AARCH64
+ #endif
+
+ // Base path of extensions installed on the system.
+--
+2.31.1
+
diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch
new file mode 100644
index 0000000..78552c3
--- /dev/null
+++ b/SOURCES/rh1996182-extend_security_policy.patch
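Review bot: The numbered comment `// 7: The default directories, normally /lib and /usr/lib.` above the new AARCH64 branch no longer describes what that branch sets, and the resulting search order is worth stating there. Assuming DEFAULT_LIBPATH feeds java.library.path, as the spec comment for Patch8 indicates, `"/lib:/usr/lib:/usr/lib64:/lib64"` means a native library present in both `/usr/lib` and `/usr/lib64` is resolved from `/usr/lib` on aarch64, the reverse of the other 64-bit targets in the `#if` above. I would extend the comment to something like `// 7: The default directories: /lib and /usr/lib, plus the lib64 variants on 64-bit targets (searched last on AARCH64).` The body of os::init_system_properties_values() continues outside the hunk.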
@@ -0,0 +1,18 @@
+commit 598fe421216b0a437fa36ee91a29966599867aa3
+Author: Andrew Hughes
+Date: Mon Aug 30 16:12:52 2021 +0100
+
+ RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index ab59a334cd..5db744ff17 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..d3a1dde
--- /dev/null
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
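Review bot: The added grant `permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";` carries no comment saying why `jrt:/jdk.crypto.cryptoki` needs it, and it opens the whole package rather than a single class. Judging from the companion login patch, the only consumer is the `SharedSecrets` lookup of the system FIPS flag in `SunPKCS11`, while jdk.internal.misc also holds more sensitive internals such as `Unsafe`, so under a security manager this widens what the PKCS#11 provider module may reach. I would put a line such as `// RH1996182: SunPKCS11 reads the system FIPS state through jdk.internal.misc.SharedSecrets` above the permission so the grant can be re-checked or dropped when that lookup changes. The grant block continues outside the hunk.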
@@ -0,0 +1,66 @@
+commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
+Author: Martin Balao
+Date: Fri Aug 27 19:42:07 2021 +0100
+
+ RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 0cf61732d7..2cd851587c 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -182,6 +182,7 @@ module java.base {
+ java.security.jgss,
+ java.sql,
+ java.xml,
++ jdk.crypto.cryptoki,
+ jdk.jartool,
+ jdk.attach,
+ jdk.charsets,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index b00b738b85..1eca1f8f0a 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+
++import jdk.internal.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index 89ada40..3f501e9 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -173,10 +173,8 @@
 %endif
 # If you disable both builds, then the build fails
-# Note that the debug build requires the normal build for docs
-%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build}
-# Test slowdebug first as it provides the best diagnostics
-%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
 %if %{include_staticlibs}
 %global staticlibs_loop %{staticlibs_suffix}
@@ -338,8 +336,8 @@
 %global origin_nice OpenJDK
 %global top_level_dir_name %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 2
-%global rpmrelease 0
+%global buildver 7
+%global rpmrelease 4
 #%%global tagsuffix %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
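Review bot: The new login block in the `SunPKCS11` constructor is guarded only by `systemFipsEnabled`, so as far as the hunk shows every SunPKCS11 provider instance created on a FIPS-enabled host attempts `C_Login` with an empty PIN, not just the one backed by the NSS software token at /etc/pki/nssdb. For a token whose PIN is not empty this is a failed user login at provider start-up (the exception is rethrown), and on tokens that count failed attempts it would use one up each time the provider is instantiated. If `nssModule` is non-null only for NSS-backed configurations, which the hunk does not show, narrowing the condition to `if (systemFipsEnabled && nssModule != null) {` would keep the login to the case the comment describes. The comment should also say that the empty PIN is a deployment assumption rather than a property of FIPS mode. The constructor starts and ends outside the hunk.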
@@ -368,7 +366,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga 0
+%global is_ga 1
 %if %{is_ga}
 %global ea_designator ""
 %global ea_designator_zip ""
@@ -1235,6 +1233,9 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
 Patch1007: rh1915071-always_initialise_configurator_access.patch
 # RH1929465: Improve system FIPS detection
 Patch1008: rh1929465-improve_system_FIPS_detection.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1009: rh1996182-login_to_nss_software_token.patch
+Patch1010: rh1996182-extend_security_policy.patch
 #############################################
 #
@@ -1261,13 +1262,15 @@ Patch7: pr3695-toggle_system_crypto_policy.patch
 #############################################
 #
-# Patches appearing in 11.0.10
+# Patches appearing in 11.0.13
 #
 # This section includes patches which are present
 # in the listed OpenJDK 11u release and should be
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
+# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64
+Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -1612,10 +1615,6 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ
 echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
 exit 14
 fi
-if [ %{include_normal_build} -eq 0 ] ; then
- echo "You have disabled the normal build, but this is required to provide docs for the debug build."
- exit 15
-fi
 %setup -q -c -n %{uniquesuffix ""} -T -a 0
 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084
 prioritylength=`expr length %{priority}`
@@ -1635,6 +1634,7 @@ pushd %{top_level_dir_name}
 %patch3 -p1
 %patch4 -p1
 %patch7 -p1
+%patch8 -p1
 popd # openjdk
 %patch1000
@@ -1645,6 +1645,8 @@ popd # openjdk
 %patch1004
 %patch1007
 %patch1008
+%patch1009
+%patch1010
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -1854,7 +1856,7 @@ done # end of release / debug cycle loop
 %check
 # We test debug first as it will give better diagnostics on a crash
-for suffix in %{rev_build_loop} ; do
+for suffix in %{build_loop} ; do
 top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
 %if %{include_staticlibs}
@@ -2361,6 +2363,46 @@ end
 %endif
 %changelog
+* Mon Aug 30 2021 Andrew Hughes - 1:11.0.12.0.7-4
+- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
+- Resolves: rhbz#1997357
+
+* Fri Aug 27 2021 Andrew Hughes - 1:11.0.12.0.7-3
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997357
+
+* Wed Jul 28 2021 Severin Gehwolf - 1:11.0.12.0.7-2
+- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
+- Resolves: rhbz#1994104
+
+* Tue Jul 13 2021 Andrew Hughes - 1:11.0.12.0.7-1
+- Update to jdk-11.0.12.0+7
+- Update release notes to 11.0.12.0+7
+- Switch to GA mode for final release.
+- Resolves: rhbz#1972395
+
+* Thu Jul 08 2021 Andrew Hughes - 1:11.0.12.0.6-0.0.ea
+- Update to jdk-11.0.12.0+6
+- Update release notes to 11.0.12.0+6
+- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
+- Resolves: rhbz#1967374
+
+* Thu Jul 08 2021 Andrew Hughes - 1:11.0.12.0.4-0.0.ea
+- Update to jdk-11.0.12.0+4
+- Update release notes to 11.0.12.0+4
+- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
+- Resolves: rhbz#1967374
+
+* Mon Jul 05 2021 Andrew Hughes - 1:11.0.12.0.3-0.0.ea
+- Update to jdk-11.0.12.0+3
+- Update release notes to 11.0.12.0+3
+- Resolves: rhbz#1967374
+
+* Fri Jul 02 2021 Andrew Hughes - 1:11.0.12.0.2-0.1.ea
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Resolves: rhbz#1966234
+
 * Fri Jul 02 2021 Andrew Hughes - 1:11.0.12.0.2-0.0.ea
 - Update to jdk-11.0.12.0+2
 - Update release notes to 11.0.12.0+2