From f7802547db19ebac2aab766cf020d487eba205b9 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 16 2020 10:54:21 +0000 Subject: import java-11-openjdk-11.0.6.10-1.el7_7 --- diff --git a/.gitignore b/.gitignore index f3e363a..a27ca58 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz +SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.6+10.tar.xz SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index f6d771b..40c5074 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -1e1a7b4b1df7be1b70de37f84ccb0ded61c7e9ea SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz +46672ad972c89177ff640feaef1a4161c43984f7 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.6+10.tar.xz cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz diff --git a/SOURCES/jdk8236039-status_request_extension.patch b/SOURCES/jdk8236039-status_request_extension.patch new file mode 100644 index 0000000..be7008c --- /dev/null +++ b/SOURCES/jdk8236039-status_request_extension.patch @@ -0,0 +1,310 @@ +# HG changeset patch +# User jnimeh +# Date 1578287079 28800 +# Sun Jan 05 21:04:39 2020 -0800 +# Node ID b9d1ce20dd4b2ce34e74c8fa2d784335231abcd1 +# Parent 3782f295811625b65d57f1aef15daa10d82a58a7 +8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 +Reviewed-by: xuelei + +diff --git a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java +--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java ++++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -39,11 +39,7 @@ + import javax.net.ssl.SSLProtocolException; + import sun.security.provider.certpath.OCSPResponse; + import sun.security.provider.certpath.ResponderId; +-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST; +-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2; + import sun.security.ssl.SSLExtension.ExtensionConsumer; +-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST; +-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2; + import sun.security.ssl.SSLExtension.SSLExtensionSpec; + import sun.security.ssl.SSLHandshake.HandshakeMessage; + import sun.security.util.DerInputStream; +@@ -434,8 +430,9 @@ + } else { + extBuilder.append(",\n"); + } +- extBuilder.append( +- "{\n" + Utilities.indent(ext.toString()) + "}"); ++ extBuilder.append("{\n"). ++ append(Utilities.indent(ext.toString())). ++ append("}"); + } + + extsStr = extBuilder.toString(); +@@ -552,11 +549,11 @@ + return null; + } + +- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) { ++ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unavailable extension: " + +- CH_STATUS_REQUEST.name); ++ SSLExtension.CH_STATUS_REQUEST.name); + } + return null; + } +@@ -568,8 +565,8 @@ + byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00}; + + // Update the context. +- chc.handshakeExtensions.put( +- CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, ++ CertStatusRequestSpec.DEFAULT); + + return extData; + } +@@ -593,10 +590,10 @@ + // The consuming happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + +- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) { ++ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine("Ignore unavailable extension: " + +- CH_STATUS_REQUEST.name); ++ SSLExtension.CH_STATUS_REQUEST.name); + } + return; // ignore the extension + } +@@ -610,7 +607,7 @@ + } + + // Update the context. +- shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec); ++ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, spec); + if (!shc.isResumption && + !shc.negotiatedProtocol.useTLS13PlusSpec()) { + shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id, +@@ -654,13 +651,12 @@ + + // In response to "status_request" extension request only. + CertStatusRequestSpec spec = (CertStatusRequestSpec) +- shc.handshakeExtensions.get(CH_STATUS_REQUEST); ++ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST); + if (spec == null) { + // Ignore, no status_request extension requested. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { +- SSLLogger.finest( +- "Ignore unavailable extension: " + +- CH_STATUS_REQUEST.name); ++ SSLLogger.finest("Ignore unavailable extension: " + ++ SSLExtension.CH_STATUS_REQUEST.name); + } + + return null; // ignore the extension +@@ -681,8 +677,8 @@ + byte[] extData = new byte[0]; + + // Update the context. +- shc.handshakeExtensions.put( +- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); ++ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST, ++ CertStatusRequestSpec.DEFAULT); + + return extData; + } +@@ -708,7 +704,7 @@ + + // In response to "status_request" extension request only. + CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec) +- chc.handshakeExtensions.get(CH_STATUS_REQUEST); ++ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST); + if (requestedCsr == null) { + throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected status_request extension in ServerHello"); +@@ -722,8 +718,8 @@ + } + + // Update the context. +- chc.handshakeExtensions.put( +- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST, ++ CertStatusRequestSpec.DEFAULT); + + // Since we've received a legitimate status_request in the + // ServerHello, stapling is active if it's been enabled. +@@ -909,7 +905,7 @@ + return null; + } + +- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) { ++ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.finest( + "Ignore unavailable status_request_v2 extension"); +@@ -926,8 +922,8 @@ + 0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00}; + + // Update the context. +- chc.handshakeExtensions.put( +- CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2, ++ CertStatusRequestV2Spec.DEFAULT); + + return extData; + } +@@ -951,7 +947,7 @@ + // The consuming happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + +- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) { ++ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.finest( + "Ignore unavailable status_request_v2 extension"); +@@ -969,7 +965,8 @@ + } + + // Update the context. +- shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec); ++ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2, ++ spec); + if (!shc.isResumption) { + shc.handshakeProducers.putIfAbsent( + SSLHandshake.CERTIFICATE_STATUS.id, +@@ -1013,7 +1010,7 @@ + + // In response to "status_request_v2" extension request only + CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec) +- shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2); ++ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2); + if (spec == null) { + // Ignore, no status_request_v2 extension requested. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { +@@ -1038,8 +1035,8 @@ + byte[] extData = new byte[0]; + + // Update the context. +- shc.handshakeExtensions.put( +- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); ++ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2, ++ CertStatusRequestV2Spec.DEFAULT); + + return extData; + } +@@ -1065,7 +1062,7 @@ + + // In response to "status_request" extension request only + CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec) +- chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2); ++ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2); + if (requestedCsr == null) { + throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected status_request_v2 extension in ServerHello"); +@@ -1079,8 +1076,8 @@ + } + + // Update the context. +- chc.handshakeExtensions.put( +- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2, ++ CertStatusRequestV2Spec.DEFAULT); + + // Since we've received a legitimate status_request in the + // ServerHello, stapling is active if it's been enabled. If it +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java +--- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -113,7 +113,6 @@ + null, + null, + CertStatusExtension.certStatusReqStringizer), +- + CR_STATUS_REQUEST (0x0005, "status_request"), + CT_STATUS_REQUEST (0x0005, "status_request", + SSLHandshake.CERTIFICATE, +@@ -124,6 +123,7 @@ + null, + null, + CertStatusExtension.certStatusRespStringizer), ++ + // extensions defined in RFC 4681 + USER_MAPPING (0x0006, "user_mapping"), + +@@ -515,6 +515,16 @@ + return null; + } + ++ static String nameOf(int extensionType) { ++ for (SSLExtension ext : SSLExtension.values()) { ++ if (ext.id == extensionType) { ++ return ext.name; ++ } ++ } ++ ++ return "unknown extension"; ++ } ++ + static boolean isConsumable(int extensionType) { + for (SSLExtension ext : SSLExtension.values()) { + if (ext.id == extensionType && +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java +--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2018, 2020 Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -86,11 +86,14 @@ + "Received buggy supported_groups extension " + + "in the ServerHello handshake message"); + } +- } else { ++ } else if (handshakeType == SSLHandshake.SERVER_HELLO) { + throw hm.handshakeContext.conContext.fatal( +- Alert.UNSUPPORTED_EXTENSION, +- "extension (" + extId + +- ") should not be presented in " + handshakeType.name); ++ Alert.UNSUPPORTED_EXTENSION, "extension (" + ++ extId + ") should not be presented in " + ++ handshakeType.name); ++ } else { ++ isSupported = false; ++ // debug log to ignore unknown extension for handshakeType + } + } + +@@ -365,9 +368,10 @@ + } + + private static String toString(int extId, byte[] extData) { ++ String extName = SSLExtension.nameOf(extId); + MessageFormat messageFormat = new MessageFormat( +- "\"unknown extension ({0})\": '{'\n" + +- "{1}\n" + ++ "\"{0} ({1})\": '{'\n" + ++ "{2}\n" + + "'}'", + Locale.ENGLISH); + +@@ -375,6 +379,7 @@ + String encoded = hexEncoder.encodeBuffer(extData); + + Object[] messageFields = { ++ extName, + extId, + Utilities.indent(encoded) + }; diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index 1f92524..826bf25 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -188,7 +188,7 @@ # New Version-String scheme-style defines %global majorver 11 -%global securityver 5 +%global securityver 6 # buildjdkver is usually same as %%{majorver}, # but in time of bootstrap of next jdk, it is majorver-1, # and this it is better to change it here, on single place @@ -211,7 +211,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 10 -%global rpmrelease 0 +%global rpmrelease 1 #%%global tagsuffix %{nil} # priority must be 7 digits in total # setting to 1, so debug ones can have 0 @@ -395,6 +395,7 @@ alternatives \\ --slave %{_bindir}/jdb jdb %{sdkbindir %%1}/jdb \\ --slave %{_bindir}/jdeps jdeps %{sdkbindir %%1}/jdeps \\ --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir %%1}/jdeprscan \\ + --slave %{_bindir}/jfr jfr %{sdkbindir %%1}/jfr \\ --slave %{_bindir}/jimage jimage %{sdkbindir %%1}/jimage \\ --slave %{_bindir}/jinfo jinfo %{sdkbindir %%1}/jinfo \\ --slave %{_bindir}/jmap jmap %{sdkbindir %%1}/jmap \\ @@ -644,6 +645,7 @@ exit 0 %{_jvmdir}/%{sdkdir %%1}/bin/jdb %{_jvmdir}/%{sdkdir %%1}/bin/jdeps %{_jvmdir}/%{sdkdir %%1}/bin/jdeprscan +%{_jvmdir}/%{sdkdir %%1}/bin/jfr %{_jvmdir}/%{sdkdir %%1}/bin/jimage # Zero and S390x don't have SA %ifarch %{jit_arches} @@ -960,6 +962,8 @@ Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch Patch7: jdk8009550-rh910107-search_for_versioned_libpcsclite.patch # S390 ambiguous log2_intptr call Patch8: s390-8214206_fix.patch +# JDK-8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 +Patch9: jdk8236039-status_request_extension.patch ############################################# # @@ -980,13 +984,6 @@ BuildRequires: freetype-devel BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -%ifarch %{arm} -BuildRequires: devtoolset-7-build -BuildRequires: devtoolset-7-binutils -BuildRequires: devtoolset-7-gcc -BuildRequires: devtoolset-7-gcc-c++ -BuildRequires: devtoolset-7-gdb -%endif BuildRequires: gtk2-devel # LCMS on rhel7 is older then LCMS in intree JDK BuildRequires: lcms2-devel @@ -1240,6 +1237,7 @@ pushd %{top_level_dir_name} %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 popd # openjdk %patch1000 @@ -1290,10 +1288,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg %build -%ifarch %{arm} -%{?enable_devtoolset7:%{enable_devtoolset7}} -%endif - # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1793,6 +1787,21 @@ require "copy_jdk_configs.lua" %endif %changelog +* Sat Jan 11 2020 Andrew John Hughes - 1:11.0.6.10-1 +- Add JDK-8236039 backport to resolve OpenShift blocker +- Resolves: rhbz#1785753 + +* Thu Jan 09 2020 Andrew Hughes - 1:11.0.6.10-0 +- Update to shenandoah-jdk-11.0.6+10 (GA) +- Switch to GA mode for final release. +- Resolves: rhbz#1785753 + +* Thu Dec 19 2019 Andrew Hughes - 1:11.0.6.1-0.1.ea +- Update to shenandoah-jdk-11.0.6+1 (EA) +- Switch to EA mode for 11.0.6 pre-release builds. +- Add support for jfr binary. +- Resolves: rhbz#1785753 + * Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.10-0 - Update to shenandoah-jdk-11.0.5+10 (GA) - Switch to GA mode for final release.