diff --git a/.gitignore b/.gitignore index f3e363a..a27ca58 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz +SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.6+10.tar.xz SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index f6d771b..40c5074 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -1e1a7b4b1df7be1b70de37f84ccb0ded61c7e9ea SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz +46672ad972c89177ff640feaef1a4161c43984f7 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.6+10.tar.xz cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz diff --git a/SOURCES/jdk8230923-fips_mode_initialisation_failure.patch b/SOURCES/jdk8230923-fips_mode_initialisation_failure.patch deleted file mode 100644 index 8a9040e..0000000 --- a/SOURCES/jdk8230923-fips_mode_initialisation_failure.patch +++ /dev/null @@ -1,208 +0,0 @@ -# HG changeset patch -# User mbalao -# Date 1568305840 10800 -# Thu Sep 12 13:30:40 2019 -0300 -# Node ID b0436c181872b567c5b8906051fc8836c860541c -# Parent 6d947fcb3ea40ca9d40804db2c8c384f4679e10e -8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file -Reviewed-by: andrew - -diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java ---- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java -+++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java -@@ -179,7 +179,11 @@ - } else if (provName.equals("SunJCE") || provName.equals("com.sun.crypto.provider.SunJCE")) { - p = new com.sun.crypto.provider.SunJCE(); - } else if (provName.equals("SunJSSE") || provName.equals("com.sun.net.ssl.internal.ssl.Provider")) { -- p = new com.sun.net.ssl.internal.ssl.Provider(); -+ if (hasArgument()) { -+ p = new com.sun.net.ssl.internal.ssl.Provider(argument); -+ } else { -+ p = new com.sun.net.ssl.internal.ssl.Provider(); -+ } - } else if (provName.equals("Apple") || provName.equals("apple.security.AppleProvider")) { - // need to use reflection since this class only exists on MacOsx - p = AccessController.doPrivileged(new PrivilegedAction() { -diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java -new file mode 100644 ---- /dev/null -+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java -@@ -0,0 +1,131 @@ -+/* -+ * Copyright (c) 2019, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/* -+ * @test -+ * @bug 8230923 -+ * @requires (jdk.version.major == 11) & (os.family == "linux") & (os.arch == "amd64" | os.arch == "x86_64") -+ * @modules java.base/com.sun.net.ssl.internal.ssl -+ * @library /test/lib -+ * @run main/othervm/timeout=30 SunJSSEFIPSInit -+ * @author Martin Balao (mbalao@redhat.com) -+ */ -+ -+import java.io.File; -+import java.io.FileOutputStream; -+import java.io.IOException; -+import java.nio.file.FileVisitResult; -+import java.nio.file.Files; -+import java.nio.file.Path; -+import java.nio.file.SimpleFileVisitor; -+import java.nio.file.attribute.BasicFileAttributes; -+import java.security.Security; -+import java.util.ArrayList; -+import java.util.List; -+ -+import jdk.test.lib.process.OutputAnalyzer; -+import jdk.test.lib.process.ProcessTools; -+ -+public class SunJSSEFIPSInit { -+ private static String lineSep = System.lineSeparator(); -+ private static String javaBinPath = System.getProperty("java.home", ".") + -+ File.separator + "bin" + File.separator + "java"; -+ private static String nssConfigFileName = "nss.cfg"; -+ private static String javaSecConfigFileName = "java.security"; -+ private static Path tmpDirPath; -+ public static void main(String[] args) throws Throwable { -+ tmpDirPath = Files.createTempDirectory("tmpdir"); -+ try { -+ deployConfigFiles(); -+ List cmds = new ArrayList<>(); -+ cmds.add(javaBinPath); -+ cmds.add("-cp"); -+ cmds.add(System.getProperty("test.classes", ".")); -+ cmds.add("-Djava.security.properties=" + tmpDirPath + -+ File.separator + javaSecConfigFileName); -+ cmds.add(SunJSSEFIPSInitClient.class.getName()); -+ OutputAnalyzer out = ProcessTools.executeCommand( -+ cmds.toArray(new String[cmds.size()])); -+ out.stdoutShouldContain("SunJSSE.isFIPS(): true"); -+ System.out.println("TEST PASS - OK"); -+ } finally { -+ deleteDir(tmpDirPath); -+ } -+ } -+ -+ private static void deployConfigFiles() throws IOException { -+ deployJavaSecurityFile(); -+ deployNssConfigFile(); -+ } -+ -+ private static void deployJavaSecurityFile() throws IOException { -+ int numberOfProviders = Security.getProviders().length; -+ StringBuilder sb = new StringBuilder(); -+ sb.append("security.provider.1=SunPKCS11 " + tmpDirPath + -+ File.separator + nssConfigFileName + lineSep); -+ sb.append("security.provider.2=com.sun.net.ssl.internal.ssl.Provider" + -+ " SunPKCS11-NSS" + lineSep); -+ for (int i = 3; i <= numberOfProviders; i++) { -+ sb.append("security.provider." + i + "=\"\"" + lineSep); -+ } -+ writeFile(javaSecConfigFileName, sb.toString()); -+ } -+ -+ private static void deployNssConfigFile() throws IOException { -+ StringBuilder sb = new StringBuilder(); -+ sb.append("name = NSS" + lineSep); -+ sb.append("nssLibraryDirectory = /usr/lib64" + lineSep); -+ sb.append("nssDbMode = noDb" + lineSep); -+ sb.append("nssModule = crypto" + lineSep); -+ writeFile(nssConfigFileName, sb.toString()); -+ } -+ -+ private static void writeFile(String fileName, String fileContent) -+ throws IOException { -+ try (FileOutputStream fos = new FileOutputStream(new File(tmpDirPath + -+ File.separator + fileName))) { -+ fos.write(fileContent.getBytes()); -+ } -+ } -+ -+ private static void deleteDir(Path directory) throws IOException { -+ Files.walkFileTree(directory, new SimpleFileVisitor() { -+ -+ @Override -+ public FileVisitResult visitFile(Path file, -+ BasicFileAttributes attrs) throws IOException { -+ Files.delete(file); -+ return FileVisitResult.CONTINUE; -+ } -+ -+ @Override -+ public FileVisitResult postVisitDirectory(Path dir, IOException exc) -+ throws IOException { -+ Files.delete(dir); -+ return FileVisitResult.CONTINUE; -+ } -+ }); -+ } -+} -+ -diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java -new file mode 100644 ---- /dev/null -+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java -@@ -0,0 +1,42 @@ -+/* -+ * Copyright (c) 2019, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+import java.security.Provider; -+import java.security.Security; -+ -+public class SunJSSEFIPSInitClient { -+ public static void main(String[] args) throws Exception { -+ boolean isSunJSSEFIPS = false; -+ Provider[] provs = Security.getProviders(); -+ for (Provider p : provs) { -+ if (p.getName().equals("SunJSSE") && -+ p instanceof com.sun.net.ssl.internal.ssl.Provider) { -+ isSunJSSEFIPS = ((com.sun.net.ssl.internal.ssl.Provider)p).isFIPS(); -+ break; -+ } -+ } -+ System.out.println("SunJSSE.isFIPS(): " + isSunJSSEFIPS); -+ } -+} -+ diff --git a/SOURCES/jdk8236039-status_request_extension.patch b/SOURCES/jdk8236039-status_request_extension.patch new file mode 100644 index 0000000..be7008c --- /dev/null +++ b/SOURCES/jdk8236039-status_request_extension.patch @@ -0,0 +1,310 @@ +# HG changeset patch +# User jnimeh +# Date 1578287079 28800 +# Sun Jan 05 21:04:39 2020 -0800 +# Node ID b9d1ce20dd4b2ce34e74c8fa2d784335231abcd1 +# Parent 3782f295811625b65d57f1aef15daa10d82a58a7 +8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 +Reviewed-by: xuelei + +diff --git a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java +--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java ++++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -39,11 +39,7 @@ + import javax.net.ssl.SSLProtocolException; + import sun.security.provider.certpath.OCSPResponse; + import sun.security.provider.certpath.ResponderId; +-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST; +-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2; + import sun.security.ssl.SSLExtension.ExtensionConsumer; +-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST; +-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2; + import sun.security.ssl.SSLExtension.SSLExtensionSpec; + import sun.security.ssl.SSLHandshake.HandshakeMessage; + import sun.security.util.DerInputStream; +@@ -434,8 +430,9 @@ + } else { + extBuilder.append(",\n"); + } +- extBuilder.append( +- "{\n" + Utilities.indent(ext.toString()) + "}"); ++ extBuilder.append("{\n"). ++ append(Utilities.indent(ext.toString())). ++ append("}"); + } + + extsStr = extBuilder.toString(); +@@ -552,11 +549,11 @@ + return null; + } + +- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) { ++ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unavailable extension: " + +- CH_STATUS_REQUEST.name); ++ SSLExtension.CH_STATUS_REQUEST.name); + } + return null; + } +@@ -568,8 +565,8 @@ + byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00}; + + // Update the context. +- chc.handshakeExtensions.put( +- CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, ++ CertStatusRequestSpec.DEFAULT); + + return extData; + } +@@ -593,10 +590,10 @@ + // The consuming happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + +- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) { ++ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine("Ignore unavailable extension: " + +- CH_STATUS_REQUEST.name); ++ SSLExtension.CH_STATUS_REQUEST.name); + } + return; // ignore the extension + } +@@ -610,7 +607,7 @@ + } + + // Update the context. +- shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec); ++ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, spec); + if (!shc.isResumption && + !shc.negotiatedProtocol.useTLS13PlusSpec()) { + shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id, +@@ -654,13 +651,12 @@ + + // In response to "status_request" extension request only. + CertStatusRequestSpec spec = (CertStatusRequestSpec) +- shc.handshakeExtensions.get(CH_STATUS_REQUEST); ++ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST); + if (spec == null) { + // Ignore, no status_request extension requested. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { +- SSLLogger.finest( +- "Ignore unavailable extension: " + +- CH_STATUS_REQUEST.name); ++ SSLLogger.finest("Ignore unavailable extension: " + ++ SSLExtension.CH_STATUS_REQUEST.name); + } + + return null; // ignore the extension +@@ -681,8 +677,8 @@ + byte[] extData = new byte[0]; + + // Update the context. +- shc.handshakeExtensions.put( +- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); ++ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST, ++ CertStatusRequestSpec.DEFAULT); + + return extData; + } +@@ -708,7 +704,7 @@ + + // In response to "status_request" extension request only. + CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec) +- chc.handshakeExtensions.get(CH_STATUS_REQUEST); ++ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST); + if (requestedCsr == null) { + throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected status_request extension in ServerHello"); +@@ -722,8 +718,8 @@ + } + + // Update the context. +- chc.handshakeExtensions.put( +- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST, ++ CertStatusRequestSpec.DEFAULT); + + // Since we've received a legitimate status_request in the + // ServerHello, stapling is active if it's been enabled. +@@ -909,7 +905,7 @@ + return null; + } + +- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) { ++ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.finest( + "Ignore unavailable status_request_v2 extension"); +@@ -926,8 +922,8 @@ + 0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00}; + + // Update the context. +- chc.handshakeExtensions.put( +- CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2, ++ CertStatusRequestV2Spec.DEFAULT); + + return extData; + } +@@ -951,7 +947,7 @@ + // The consuming happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + +- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) { ++ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.finest( + "Ignore unavailable status_request_v2 extension"); +@@ -969,7 +965,8 @@ + } + + // Update the context. +- shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec); ++ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2, ++ spec); + if (!shc.isResumption) { + shc.handshakeProducers.putIfAbsent( + SSLHandshake.CERTIFICATE_STATUS.id, +@@ -1013,7 +1010,7 @@ + + // In response to "status_request_v2" extension request only + CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec) +- shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2); ++ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2); + if (spec == null) { + // Ignore, no status_request_v2 extension requested. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { +@@ -1038,8 +1035,8 @@ + byte[] extData = new byte[0]; + + // Update the context. +- shc.handshakeExtensions.put( +- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); ++ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2, ++ CertStatusRequestV2Spec.DEFAULT); + + return extData; + } +@@ -1065,7 +1062,7 @@ + + // In response to "status_request" extension request only + CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec) +- chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2); ++ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2); + if (requestedCsr == null) { + throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected status_request_v2 extension in ServerHello"); +@@ -1079,8 +1076,8 @@ + } + + // Update the context. +- chc.handshakeExtensions.put( +- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2, ++ CertStatusRequestV2Spec.DEFAULT); + + // Since we've received a legitimate status_request in the + // ServerHello, stapling is active if it's been enabled. If it +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java +--- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -113,7 +113,6 @@ + null, + null, + CertStatusExtension.certStatusReqStringizer), +- + CR_STATUS_REQUEST (0x0005, "status_request"), + CT_STATUS_REQUEST (0x0005, "status_request", + SSLHandshake.CERTIFICATE, +@@ -124,6 +123,7 @@ + null, + null, + CertStatusExtension.certStatusRespStringizer), ++ + // extensions defined in RFC 4681 + USER_MAPPING (0x0006, "user_mapping"), + +@@ -515,6 +515,16 @@ + return null; + } + ++ static String nameOf(int extensionType) { ++ for (SSLExtension ext : SSLExtension.values()) { ++ if (ext.id == extensionType) { ++ return ext.name; ++ } ++ } ++ ++ return "unknown extension"; ++ } ++ + static boolean isConsumable(int extensionType) { + for (SSLExtension ext : SSLExtension.values()) { + if (ext.id == extensionType && +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java +--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2018, 2020 Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -86,11 +86,14 @@ + "Received buggy supported_groups extension " + + "in the ServerHello handshake message"); + } +- } else { ++ } else if (handshakeType == SSLHandshake.SERVER_HELLO) { + throw hm.handshakeContext.conContext.fatal( +- Alert.UNSUPPORTED_EXTENSION, +- "extension (" + extId + +- ") should not be presented in " + handshakeType.name); ++ Alert.UNSUPPORTED_EXTENSION, "extension (" + ++ extId + ") should not be presented in " + ++ handshakeType.name); ++ } else { ++ isSupported = false; ++ // debug log to ignore unknown extension for handshakeType + } + } + +@@ -365,9 +368,10 @@ + } + + private static String toString(int extId, byte[] extData) { ++ String extName = SSLExtension.nameOf(extId); + MessageFormat messageFormat = new MessageFormat( +- "\"unknown extension ({0})\": '{'\n" + +- "{1}\n" + ++ "\"{0} ({1})\": '{'\n" + ++ "{2}\n" + + "'}'", + Locale.ENGLISH); + +@@ -375,6 +379,7 @@ + String encoded = hexEncoder.encodeBuffer(extData); + + Object[] messageFields = { ++ extName, + extId, + Utilities.indent(encoded) + }; diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index 3651fa4..65733ee 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -200,7 +200,7 @@ # New Version-String scheme-style defines %global majorver 11 -%global securityver 5 +%global securityver 6 # buildjdkver is usually same as %%{majorver}, # but in time of bootstrap of next jdk, it is majorver-1, # and this it is better to change it here, on single place @@ -223,7 +223,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 10 -%global rpmrelease 2 +%global rpmrelease 0 #%%global tagsuffix "" # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -431,6 +431,7 @@ alternatives \\ --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\ + --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\ --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ @@ -700,6 +701,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage # Zero and S390x don't have SA %ifarch %{jit_arches} @@ -1075,18 +1077,8 @@ Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch Patch7: pr3695-toggle_system_crypto_policy.patch # S390 ambiguous log2_intptr call Patch8: s390-8214206_fix.patch - -############################################# -# -# Patches appearing in 11.0.6 -# -# This section includes patches which are present -# in the listed OpenJDK 8u release and should be -# able to be removed once that release is out -# and used by this RPM. -############################################# -# JDK-8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file -Patch11: jdk8230923-fips_mode_initialisation_failure.patch +# JDK-8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 +Patch9: jdk8236039-status_request_extension.patch ############################################# # @@ -1335,7 +1327,7 @@ pushd %{top_level_dir_name} %patch6 -p1 %patch7 -p1 %patch8 -p1 -%patch11 -p1 +%patch9 -p1 popd # openjdk %patch1000 @@ -1876,6 +1868,19 @@ require "copy_jdk_configs.lua" %endif %changelog +* Sat Jan 11 2020 Andrew John Hughes - 1:11.0.6.10-1 +- Update to shenandoah-jdk-11.0.6+10 (GA) +- Switch to GA mode for final release. +- Add JDK-8236039 backport to resolve OpenShift blocker +- Resolves: rhbz#1785753 + +* Thu Dec 19 2019 Andrew Hughes - 1:11.0.6.1-0.0.ea +- Update to shenandoah-jdk-11.0.6+1 (EA) +- Switch to EA mode for 11.0.6 pre-release builds. +- Add support for jfr binary. +- Drop JDK-8230923 now applied upstream. +- Resolves: rhbz#1785753 + * Fri Oct 25 2019 Andrew John Hughes - 1:11.0.5.10-2 - Disable FIPS mode support unless com.redhat.fips is set to "true". - Resolves: rhbz#1751845