diff --git a/.gitignore b/.gitignore
index 27854a0..f3e363a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.4+11.tar.xz
+SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index c8ec3c7..f6d771b 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-dcc5e78329858f75342094efdccce1e87d9cb1d9 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.4+11.tar.xz
+1e1a7b4b1df7be1b70de37f84ccb0ded61c7e9ea SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/SOURCES/jdk8230923-fips_mode_initialisation_failure.patch b/SOURCES/jdk8230923-fips_mode_initialisation_failure.patch
new file mode 100644
index 0000000..8a9040e
--- /dev/null
+++ b/SOURCES/jdk8230923-fips_mode_initialisation_failure.patch
@@ -0,0 +1,208 @@
+# HG changeset patch
+# User mbalao
+# Date 1568305840 10800
+# Thu Sep 12 13:30:40 2019 -0300
+# Node ID b0436c181872b567c5b8906051fc8836c860541c
+# Parent 6d947fcb3ea40ca9d40804db2c8c384f4679e10e
+8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file
+Reviewed-by: andrew
+
+diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
+--- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
++++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
+@@ -179,7 +179,11 @@
+ } else if (provName.equals("SunJCE") || provName.equals("com.sun.crypto.provider.SunJCE")) {
+ p = new com.sun.crypto.provider.SunJCE();
+ } else if (provName.equals("SunJSSE") || provName.equals("com.sun.net.ssl.internal.ssl.Provider")) {
+- p = new com.sun.net.ssl.internal.ssl.Provider();
++ if (hasArgument()) {
++ p = new com.sun.net.ssl.internal.ssl.Provider(argument);
++ } else {
++ p = new com.sun.net.ssl.internal.ssl.Provider();
++ }
+ } else if (provName.equals("Apple") || provName.equals("apple.security.AppleProvider")) {
+ // need to use reflection since this class only exists on MacOsx
+ p = AccessController.doPrivileged(new PrivilegedAction<Provider>() {
+diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
+new file mode 100644
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
+@@ -0,0 +1,131 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/*
++ * @test
++ * @bug 8230923
++ * @requires (jdk.version.major == 11) & (os.family == "linux") & (os.arch == "amd64" | os.arch == "x86_64")
++ * @modules java.base/com.sun.net.ssl.internal.ssl
++ * @library /test/lib
++ * @run main/othervm/timeout=30 SunJSSEFIPSInit
++ * @author Martin Balao (mbalao@redhat.com)
++ */
++
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.nio.file.FileVisitResult;
++import java.nio.file.Files;
++import java.nio.file.Path;
++import java.nio.file.SimpleFileVisitor;
++import java.nio.file.attribute.BasicFileAttributes;
++import java.security.Security;
++import java.util.ArrayList;
++import java.util.List;
++
++import jdk.test.lib.process.OutputAnalyzer;
++import jdk.test.lib.process.ProcessTools;
++
++public class SunJSSEFIPSInit {
++ private static String lineSep = System.lineSeparator();
++ private static String javaBinPath = System.getProperty("java.home", ".") +
++ File.separator + "bin" + File.separator + "java";
++ private static String nssConfigFileName = "nss.cfg";
++ private static String javaSecConfigFileName = "java.security";
++ private static Path tmpDirPath;
++ public static void main(String[] args) throws Throwable {
++ tmpDirPath = Files.createTempDirectory("tmpdir");
++ try {
++ deployConfigFiles();
++ List<String> cmds = new ArrayList<>();
++ cmds.add(javaBinPath);
++ cmds.add("-cp");
++ cmds.add(System.getProperty("test.classes", "."));
++ cmds.add("-Djava.security.properties=" + tmpDirPath +
++ File.separator + javaSecConfigFileName);
++ cmds.add(SunJSSEFIPSInitClient.class.getName());
++ OutputAnalyzer out = ProcessTools.executeCommand(
++ cmds.toArray(new String[cmds.size()]));
++ out.stdoutShouldContain("SunJSSE.isFIPS(): true");
++ System.out.println("TEST PASS - OK");
++ } finally {
++ deleteDir(tmpDirPath);
++ }
++ }
++
++ private static void deployConfigFiles() throws IOException {
++ deployJavaSecurityFile();
++ deployNssConfigFile();
++ }
++
++ private static void deployJavaSecurityFile() throws IOException {
++ int numberOfProviders = Security.getProviders().length;
++ StringBuilder sb = new StringBuilder();
++ sb.append("security.provider.1=SunPKCS11 " + tmpDirPath +
++ File.separator + nssConfigFileName + lineSep);
++ sb.append("security.provider.2=com.sun.net.ssl.internal.ssl.Provider" +
++ " SunPKCS11-NSS" + lineSep);
++ for (int i = 3; i <= numberOfProviders; i++) {
++ sb.append("security.provider." + i + "=\"\"" + lineSep);
++ }
++ writeFile(javaSecConfigFileName, sb.toString());
++ }
++
++ private static void deployNssConfigFile() throws IOException {
++ StringBuilder sb = new StringBuilder();
++ sb.append("name = NSS" + lineSep);
++ sb.append("nssLibraryDirectory = /usr/lib64" + lineSep);
++ sb.append("nssDbMode = noDb" + lineSep);
++ sb.append("nssModule = crypto" + lineSep);
++ writeFile(nssConfigFileName, sb.toString());
++ }
++
++ private static void writeFile(String fileName, String fileContent)
++ throws IOException {
++ try (FileOutputStream fos = new FileOutputStream(new File(tmpDirPath +
++ File.separator + fileName))) {
++ fos.write(fileContent.getBytes());
++ }
++ }
++
++ private static void deleteDir(Path directory) throws IOException {
++ Files.walkFileTree(directory, new SimpleFileVisitor<Path>() {
++
++ @Override
++ public FileVisitResult visitFile(Path file,
++ BasicFileAttributes attrs) throws IOException {
++ Files.delete(file);
++ return FileVisitResult.CONTINUE;
++ }
++
++ @Override
++ public FileVisitResult postVisitDirectory(Path dir, IOException exc)
++ throws IOException {
++ Files.delete(dir);
++ return FileVisitResult.CONTINUE;
++ }
++ });
++ }
++}
++
+diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
+new file mode 100644
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
+@@ -0,0 +1,42 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.security.Provider;
++import java.security.Security;
++
++public class SunJSSEFIPSInitClient {
++ public static void main(String[] args) throws Exception {
++ boolean isSunJSSEFIPS = false;
++ Provider[] provs = Security.getProviders();
++ for (Provider p : provs) {
++ if (p.getName().equals("SunJSSE") &&
++ p instanceof com.sun.net.ssl.internal.ssl.Provider) {
++ isSunJSSEFIPS = ((com.sun.net.ssl.internal.ssl.Provider)p).isFIPS();
++ break;
++ }
++ }
++ System.out.println("SunJSSE.isFIPS(): " + isSunJSSEFIPS);
++ }
++}
++
diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in
new file mode 100644
index 0000000..ead27be
--- /dev/null
+++ b/SOURCES/nss.fips.cfg.in
@@ -0,0 +1,6 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = @NSS_SECMOD@
+nssDbMode = readOnly
+nssModule = fips
+
diff --git a/SOURCES/rh1022017-reduce_ssl_curves.patch b/SOURCES/rh1022017-reduce_ssl_curves.patch
deleted file mode 100644
index 6dab416..0000000
--- a/SOURCES/rh1022017-reduce_ssl_curves.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-diff --git openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
---- openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
-+++ openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
-@@ -515,50 +515,19 @@
- }
- } else { // default groups
- NamedGroup[] groups;
-- if (requireFips) {
-- groups = new NamedGroup[] {
-- // only NIST curves in FIPS mode
-- NamedGroup.SECP256_R1,
-- NamedGroup.SECP384_R1,
-- NamedGroup.SECP521_R1,
-- NamedGroup.SECT283_K1,
-- NamedGroup.SECT283_R1,
-- NamedGroup.SECT409_K1,
-- NamedGroup.SECT409_R1,
-- NamedGroup.SECT571_K1,
-- NamedGroup.SECT571_R1,
-+ groups = new NamedGroup[] {
-+ // only NIST curves in FIPS mode
-+ NamedGroup.SECP256_R1,
-+ NamedGroup.SECP384_R1,
-+ NamedGroup.SECP521_R1,
-
-- // FFDHE 2048
-- NamedGroup.FFDHE_2048,
-- NamedGroup.FFDHE_3072,
-- NamedGroup.FFDHE_4096,
-- NamedGroup.FFDHE_6144,
-- NamedGroup.FFDHE_8192,
-- };
-- } else {
-- groups = new NamedGroup[] {
-- // NIST curves first
-- NamedGroup.SECP256_R1,
-- NamedGroup.SECP384_R1,
-- NamedGroup.SECP521_R1,
-- NamedGroup.SECT283_K1,
-- NamedGroup.SECT283_R1,
-- NamedGroup.SECT409_K1,
-- NamedGroup.SECT409_R1,
-- NamedGroup.SECT571_K1,
-- NamedGroup.SECT571_R1,
--
-- // non-NIST curves
-- NamedGroup.SECP256_K1,
--
-- // FFDHE 2048
-- NamedGroup.FFDHE_2048,
-- NamedGroup.FFDHE_3072,
-- NamedGroup.FFDHE_4096,
-- NamedGroup.FFDHE_6144,
-- NamedGroup.FFDHE_8192,
-- };
-- }
-+ // FFDHE 2048
-+ NamedGroup.FFDHE_2048,
-+ NamedGroup.FFDHE_3072,
-+ NamedGroup.FFDHE_4096,
-+ NamedGroup.FFDHE_6144,
-+ NamedGroup.FFDHE_8192,
-+ };
-
- groupList = new ArrayList<>(groups.length);
- for (NamedGroup group : groups) {
diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch
new file mode 100644
index 0000000..1c67c83
--- /dev/null
+++ b/SOURCES/rh1655466-global_crypto_and_fips.patch
@@ -0,0 +1,205 @@
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
+--- openjdk.orig///src/java.base/share/classes/java/security/Security.java
++++ openjdk///src/java.base/share/classes/java/security/Security.java
+@@ -196,26 +196,8 @@
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+-
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
++ if (SystemConfigurator.configure(props)) {
+ loadedProps = true;
+-
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- SYSTEM_PROPERTIES);
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- SYSTEM_PROPERTIES);
+- e.printStackTrace();
+- }
+ }
+ }
+
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+--- /dev/null
++++ openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,151 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.nio.file.Files;
++import java.nio.file.Path;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++import java.util.function.Consumer;
++import java.util.regex.Matcher;
++import java.util.regex.Pattern;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static final String CRYPTO_POLICIES_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/config";
++
++ private static final class SecurityProviderInfo {
++ int number;
++ String key;
++ String value;
++ SecurityProviderInfo(int number, String key, String value) {
++ this.number = number;
++ this.key = key;
++ this.value = value;
++ }
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configure(Properties props) {
++ boolean loadedProps = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ loadedProps = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ loadedProps = false;
++ // Remove all security providers
++ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry<Object, Object> e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ loadedProps = true;
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /*
++ * FIPS is enabled only if crypto-policies are set to "FIPS"
++ * and the com.redhat.fips property is true.
++ */
++ private static boolean enableFips() throws Exception {
++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false"));
++ if (fipsEnabled) {
++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
++ return pattern.matcher(cryptoPoliciesConfig).find();
++ } else {
++ return false;
++ }
++ }
++}
+diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
+--- openjdk.orig///src/java.base/share/conf/security/java.security
++++ openjdk///src/java.base/share/conf/security/java.security
+@@ -87,6 +87,14 @@
+ #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
++# Security providers used when global crypto-policies are set to FIPS.
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
++
++#
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+ # Entries containing errors (parsing, etc) will be ignored. Use the
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index 486955f..3651fa4 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -200,7 +200,7 @@
# New Version-String scheme-style defines
%global majorver 11
-%global securityver 4
+%global securityver 5
# buildjdkver is usually same as %%{majorver},
# but in time of bootstrap of next jdk, it is majorver-1,
# and this it is better to change it here, on single place
@@ -222,7 +222,7 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global minorver 0
-%global buildver 11
+%global buildver 10
%global rpmrelease 2
#%%global tagsuffix ""
# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
@@ -661,6 +661,7 @@ exit 0
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
# this is conifg template, thus not config-noreplace
%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
@@ -1030,27 +1031,23 @@ Source13: TestCryptoLevel.java
# Ensure ECDSA is working
Source14: TestECDSA.java
+# nss fips configuration file
+Source15: nss.fips.cfg.in
+
############################################
#
# RPM/distribution specific patches
#
############################################
-# NSS via SunPKCS11 Provider (disabled comment
-# due to memory leak).
-Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
-
# Ignore AWTError when assistive technologies are loaded
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes
Patch2: rh1648644-java_access_bridge_privileged_security.patch
-# PR1834, RH1022017: Reduce curves reported by SSL to those in NSS
-# Not currently suitable to go upstream as it disables curves
-# for all providers unconditionally
-Patch525: rh1022017-reduce_ssl_curves.patch
-Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
-Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+# NSS via SunPKCS11 Provider (disabled due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+Patch1001: rh1655466-global_crypto_and_fips.patch
#############################################
#
@@ -1062,10 +1059,16 @@ Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
#############################################
#
-# OpenJDK specific patches
+# Upstreamable patches
#
+# This section includes patches which need to
+# be reviewed & pushed to the current development
+# tree of OpenJDK.
#############################################
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
+Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# RH1566890: CVE-2018-3639
Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
# PR3695: Allow use of system crypto policy to be disabled by the user
@@ -1075,6 +1078,18 @@ Patch8: s390-8214206_fix.patch
#############################################
#
+# Patches appearing in 11.0.6
+#
+# This section includes patches which are present
+# in the listed OpenJDK 8u release and should be
+# able to be removed once that release is out
+# and used by this RPM.
+#############################################
+# JDK-8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file
+Patch11: jdk8230923-fips_mode_initialisation_failure.patch
+
+#############################################
+#
# JDK 9+ only patches
#
#############################################
@@ -1320,10 +1335,11 @@ pushd %{top_level_dir_name}
%patch6 -p1
%patch7 -p1
%patch8 -p1
-%patch525 -p1
+%patch11 -p1
popd # openjdk
%patch1000
+%patch1001
# Extract systemtap tapsets
%if %{with_systemtap}
@@ -1369,6 +1385,9 @@ done
# Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg
+sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
%build
# How many CPU's do we have?
@@ -1474,6 +1493,9 @@ export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg $JAVA_HOME/conf/security/
+# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
+
# Use system-wide tzdata
rm $JAVA_HOME/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
@@ -1854,6 +1876,38 @@ require "copy_jdk_configs.lua"
%endif
%changelog
+* Fri Oct 25 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.5.10-2
+- Disable FIPS mode support unless com.redhat.fips is set to "true".
+- Resolves: rhbz#1751845
+
+* Wed Oct 09 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.5.10-1
+- Update to shenandoah-jdk-11.0.5+10 (GA)
+- Switch to GA mode for final release.
+- Remove PR1834/RH1022017 which is now handled by JDK-8228825 upstream.
+- Resolves: rhbz#1753423
+
+* Wed Oct 09 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.5.9-0.0.ea
+- Update to shenandoah-jdk-11.0.5+9 (EA)
+- Resolves: rhbz#1753423
+
+* Mon Oct 07 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.5.1-0.1.ea
+- Update to shenandoah-jdk-11.0.5+1 (EA)
+- Switch to EA mode for 11.0.5 pre-release builds.
+- Drop JDK-8223482 which is included upstream in 11.0.5+1.
+- Resolves: rhbz#1753423
+
+* Mon Sep 30 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.4.11-4
+- Backport JDK-8230923 so arguments are passed to security providers.
+- Update RH1655466 patch with changes in OpenJDK 8 version.
+- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
+- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
+- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
+- Resolves: rhbz#1751845
+
+* Tue Aug 13 2019 Martin Balao <mbalao@redhat.com> - 1:11.0.4.11-3
+- Support the FIPS mode crypto policy on RHEL 8.
+- Resolves: rhbz#1725961
+
* Tue Jul 09 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.11-2
- Drop NSS runtime dependencies and patches to link against it.
- Resolves: rhbz#1678554