diff --git a/.gitignore b/.gitignore index ea5315f..00df8f2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve-clean.tar.xz +SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index 31a7e90..4c5a915 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -6453aa42343678f2e4a86362921ff373625f3ed3 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve-clean.tar.xz +dc2a5d071dcf324a925de54709e153c6df94dd43 SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 26c3f66..8069f37 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS 
@@ -3,6 +3,872 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 11.0.14.1 (2022-02-08): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk110141 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.1.txt + +* Other changes + - JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient + - JDK-8280786: Build failure on Solaris after 8262392 + - JDK-8281324: Bump update version for OpenJDK: jdk-11.0.14.1 + +New in release OpenJDK 11.0.14 (2022-01-18): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11014 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.txt + +* New features + - JDK-8248238: Implementation: JEP 388: Windows AArch64 Support +* Security fixes + - JDK-8217375: jarsigner breaks old signature with long lines in manifest + - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." 
inside + - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization + - JDK-8268488: More valuable DerValues + - JDK-8268494: Better inlining of inlined interfaces + - JDK-8268512: More content for ContentInfo + - JDK-8268795: Enhance digests of Jar files + - JDK-8268801: Improve PKCS attribute handling + - JDK-8268813, CVE-2022-21283: Better String matching + - JDK-8269151: Better construction of EncryptedPrivateKeyInfo + - JDK-8269944: Better HTTP transport redux + - JDK-8270386, CVE-2022-21291: Better verification of scan methods + - JDK-8270392, CVE-2022-21293: Improve String constructions + - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps + - JDK-8270492, CVE-2022-21282: Better resolution of URIs + - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management + - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities + - JDK-8270952, CVE-2022-21277: Improve TIFF file handling + - JDK-8271962: Better TrueType font loading + - JDK-8271968: Better canonical naming + - JDK-8271987: Manifest improved manifest entries + - JDK-8272014, CVE-2022-21305: Better array indexing + - JDK-8272026, CVE-2022-21340: Verify Jar Verification + - JDK-8272236, CVE-2022-21341: Improve serial forms for transport + - JDK-8272272: Enhance jcmd communication + - JDK-8272462: Enhance image handling + - JDK-8273290: Enhance sound handling + - JDK-8273756, CVE-2022-21360: Enhance BMP image support + - JDK-8273838, CVE-2022-21365: Enhanced BMP processing + - JDK-8274096, CVE-2022-21366: Improve decoding of image files + - JDK-8279541: Improve HarfBuzz +* Other changes + - JDK-6849922: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.html fails + - JDK-7105119: [TEST_BUG] [macosx] In test UIDefaults.toString() must be called with the invokeLater() + - JDK-7151826: [TEST_BUG] [macosx] The test javax/swing/JPopupMenu/4966112/bug4966112.java not for mac + - JDK-7179006: [macosx] Print-to-file doesn't work: printing to the default printer 
instead + - JDK-8015602: [macosx] Test javax/swing/SpringLayout/4726194/bug4726194.java fails on MacOSX + - JDK-8034084: nsk.nsk/jvmti/ThreadStart/threadstart003 Wrong number of thread end events + - JDK-8039261: [TEST_BUG]: There is not a minimal security level in Java Preferences and the TestApplet.html is blocked. + - JDK-8047218: [TEST_BUG] java/awt/FullScreen/AltTabCrashTest/AltTabCrashTest.java fails with exception + - JDK-8075909: [TEST_BUG] The regression-swing case failed as it does not have the 'Open' button when select 'subdir' folder with NimbusLAF + - JDK-8078219: Verify lack of @test tag in files in java/net test directory + - JDK-8080569: java/lang/ProcessBuilder/DestroyTest.java fails with "RuntimeException: Process terminated prematurely" + - JDK-8081652: [TESTBUG] java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java timed out intermittently + - JDK-8129310: java/net/Socket/asyncClose/AsyncClose.java fails intermittently + - JDK-8131745: java/lang/management/ThreadMXBean/AllThreadIds.java still fails intermittently + - JDK-8136517: [macosx]Test java/awt/Focus/8073453/AWTFocusTransitionTest.java fails on MacOSX + - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing + - JDK-8143021: [TEST_BUG] Test javax/swing/JColorChooser/Test6541987.java fails + - JDK-8159597: [TEST_BUG] closed/javax/swing/JPopupMenu/4760494/bug4760494.java leaves key pressed + - JDK-8159904: [TEST_BUG] Failure on solaris of java/awt/Window/MultiWindowApp/MultiWindowAppTest.java + - JDK-8163086: java/awt/Window/TranslucentJAppletTest/TranslucentJAppletTest.java fails + - JDK-8165828: [TEST_BUG] The reg case:javax/swing/plaf/metal/MetalIcons/MetalHiDPIIconsTest.java failed as No Metal Look and Feel + - JDK-8169953: JComboBox/8057893: ComboBoxEdited event is not fired! 
on Windows + - JDK-8169954: JFileChooser/8021253: java.lang.RuntimeException: Default button is not pressed + - JDK-8169959: javax/swing/JTable/6263446/bug6263446.java: Table should be editing + - JDK-8171381: [TEST_BUG] [macos] javax/swing/JPopupMenu/7156657/bug7156657.java fails on OS X + - JDK-8171998: javax/swing/JMenu/4692443/bug4692443.java fails on Windows + - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently + - JDK-8179880: Refactor javax/security shell tests to plain java tests + - JDK-8180568: Refactor javax/crypto shell tests to plain java tests + - JDK-8180569: Refactor sun/security/krb5/ shell tests to plain java tests + - JDK-8180571: Refactor sun/security/pkcs11 shell tests to plain java tests and fix failures + - JDK-8180573: Refactor sun/security/tools shell tests to plain java tests + - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar + - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream + - JDK-8195703: BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2' + - JDK-8196096: javax/swing/JPopupMenu/6580930/bug6580930.java fails + - JDK-8197560: test javax/swing/JTree/8003400/Test8003400.java fails + - JDK-8197800: Test java/awt/Focus/NonFocusableWindowTest/NoEventsTest.java fails on Windows + - JDK-8197811: Test java/awt/Choice/PopupPosTest/PopupPosTest.java fails on Windows + - JDK-8198616: java/awt/Focus/6378278/InputVerifierTest.java fails on mac + - JDK-8198617: java/awt/Focus/6382144/EndlessLoopTest.java fails on mac + - JDK-8198619: java/awt/Focus/FocusTraversalPolicy/ButtonGroupLayoutTraversal/ButtonGroupLayoutTraversalTest.java fails on mac + - JDK-8198623: java/awt/KeyboardFocusmanager/TypeAhead/EnqueueWithDialogButtonTest/EnqueueWithDialogButtonTest.java fails on mac + - JDK-8198624: java/awt/KeyboardFocusmanager/TypeAhead/SubMenuShowTest/SubMenuShowTest.html fails on mac + - JDK-8199138: Add RISC-V 
support to Zero + - JDK-8199529: javax/swing/text/Utilities/8142966/SwingFontMetricsTest.java fails on windows + - JDK-8201224: Make string buffer size dynamic in mlvmJvmtiUtils.c + - JDK-8202342: [Graal] fromTonga/nsk/jvmti/unit/FollowReferences/followref003/TestDescription.java fails with "Location mismatch" errors + - JDK-8204161: [TESTBUG] auto failed with the "Applet thread threw exception: java.lang.UnsupportedOperationException" exception + - JDK-8206085: Refactor langtools/tools/javac/versions/Versions.java + - JDK-8207936: TestZipFile failed with java.lang.AssertionError exception + - JDK-8208242: Add @requires to vmTestbase/gc/g1 tests + - JDK-8209611: use C++ compiler for hotspot tests + - JDK-8210182: Remove macros for C compilation from vmTestBase but non jvmti + - JDK-8210198: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[A-F] tests + - JDK-8210205: build fails on AIX in hotspot cpp tests (for example getstacktr001.cpp) + - JDK-8210242: [TESTBUG] vmTestbase/nsk/stress/jni/jnistress001.java crashes with EXCEPTION_ACCESS_VIOLATION on windows-x86 + - JDK-8210353: Move java/util/Arrays/TimSortStackSize2.java back to tier1 + - JDK-8210385: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[A-N] tests + - JDK-8210392: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit + - JDK-8210395: Add doc to SecurityTools.java + - JDK-8210429: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[G-Z] tests + - JDK-8210481: Remove #ifdef cplusplus from vmTestbase + - JDK-8210593: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[N-R] tests + - JDK-8210665: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[R-U] tests + - JDK-8210689: Remove the multi-line old C style for string literals + - JDK-8210700: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti/unit tests + - JDK-8210726: Fix up a few minor nits forgotten by JDK-8210665 + - JDK-8210920: 
Native C++ tests are not using CXXFLAGS + - JDK-8210984: [TESTBUG] hs203t003 fails with "# ERROR: hs203t003.cpp, 218: NSK_CPP_STUB2 ( ResumeThread, jvmti, thread)" + - JDK-8211036: Remove the NSK_STUB macros from vmTestbase for non jvmti + - JDK-8211131: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[G-I]* + - JDK-8211148: var in implicit lambdas shouldn't be accepted for source < 11 + - JDK-8211171: move JarUtils to top-level testlibrary + - JDK-8211227: Inconsistent TLS protocol version in debug output + - JDK-8211261: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[A-G]* + - JDK-8211432: [REDO] Handle JNIGlobalRefLocker.cpp + - JDK-8211782: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[I-S]* + - JDK-8211801: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[A-E] + - JDK-8211899: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[E-M] + - JDK-8211905: Remove multiple casts for EM06 file + - JDK-8211999: Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI) + - JDK-8212082: Remove the NSK_CPP_STUB macros for remaining vmTestbase/jvmti/[sS]* + - JDK-8212083: Handle remaining gc/lock native code and fix two strings + - JDK-8212148: Remove remaining NSK_CPP_STUBs + - JDK-8213110: Remove the use of applets in automatic tests + - JDK-8213189: Make restricted headers in HTTP Client configurable and remove Date by default + - JDK-8213263: fix legal headers in test/langtools + - JDK-8213296: Fix legal headers in test/jdk/java/net + - JDK-8213301: Fix legal headers in jdk logging tests + - JDK-8213305: Fix legal headers in test/java/math + - JDK-8213306: Fix legal headers in test/java/nio + - JDK-8213328: Update test copyrights in test/java/util/zip and test/jdk/tools + - JDK-8213330: Fix legal headers in i18n tests + - JDK-8213707: [TEST] vmTestbase/nsk/stress/except/except011.java failed due to wrong class name + - JDK-8214469: [macos] PIT: 
java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.java fails + - JDK-8215410: Regression test for JDK-8214994 + - JDK-8215568: Refactor SA clhsdb tests to use ClhsdbLauncher + - JDK-8215624: Add parallel heap iteration for jmap –histo + - JDK-8215889: assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC + - JDK-8216318: The usage of Disposer in the java.awt.Robot can be deleted + - JDK-8216417: cleanup of IPv6 scope-id handling + - JDK-8217377: javax/swing/JPopupMenu/6583251/bug6583251.java failed with UnsupportedOperation exception + - JDK-8217438: Adapt tools//launcher/Test7029048.java for AIX + - JDK-8217633: Configurable extensions with system properties + - JDK-8217882: java/net/httpclient/MaxStreams.java failed once + - JDK-8217903: java/net/httpclient/Response204.java fails with 404 + - JDK-8218483: Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5" + - JDK-8219986: Change to Xcode 10.1 for building on Macosx at Oracle + - JDK-8220575: Correctly format test URI's that contain a retrieved IPv6 address + - JDK-8221259: New tests for java.net.Socket to exercise long standing behavior + - JDK-8221305: java/awt/FontMetrics/MaxAdvanceIsMax.java fails on MacOS + Solaris + - JDK-8221902: PIT: javax/swing/JRadioButton/FocusTraversal/FocusTraversal.java fails on ubuntu + - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04 + - JDK-8222446: assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ + - JDK-8223137: Rename predicate 'do_unroll_only()' to 'is_unroll_only()'. + - JDK-8223138: Small clean-up in loop-tree support. + - JDK-8223139: Rename mandatory policy-do routines. + - JDK-8223140: Clean-up in 'ok_to_convert()' + - JDK-8223141: Change (count) suffix _ct into _cnt. 
+ - JDK-8223400: Replace some enums with static const members in hotspot/runtime + - JDK-8223658: Performance regression of XML.validation in 13-b19 + - JDK-8223923: C2: Missing interference with mismatched unsafe accesses + - JDK-8224829: AsyncSSLSocketClose.java has timing issue + - JDK-8225083: Remove Google certificate that is expiring in December 2021 + - JDK-8226514: Replace wildcard address with loopback or local host in tests - part 17 + - JDK-8226943: compile error in libfollowref003.cpp with XCode 10.2 on macosx + - JDK-8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine" + - JDK-8228508: [TESTBUG] java/net/httpclient/SmokeTest.java fails on Windows7 + - JDK-8229935: [TEST_BUG]: bug8132119.java inconsistently positions text + - JDK-8230019: [REDO] compiler/types/correctness/* tests fail with "assert(recv == __null || recv->is_klass()) failed: wrong type" + - JDK-8230067: Add optional automatic retry when running jtreg tests + - JDK-8230228: [TESTBUG] Several runtime/ErrorHandling tests may fail on some platforms + - JDK-8231501: VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99 + - JDK-8233403: Improve verbosity of some httpclient tests + - JDK-8233550: [TESTBUG] JTree tests fail regularly on MacOS + - JDK-8233552: [TESTBUG] JTable Test bug7068740.java fails on MacOS + - JDK-8233553: [TESTBUG] JSpinner test bug4973721.java fails on MacOS + - JDK-8233555: [TESTBUG] JRadioButton tests failing on MacoS + - JDK-8233556: [TESTBUG] JPopupMenu tests fail on MacOS + - JDK-8233559: [TESTBUG] TestNimbusOverride.java is failing on macos + - JDK-8233560: [TESTBUG] ToolTipManager/Test6256140.java is failing on macos + - JDK-8233561: [TESTBUG] Swing text test bug8014863.java fails on macos + - JDK-8233562: [TESTBUG] Swing StyledEditorKit test bug4506788.java fails on MacOS + - JDK-8233564: [TESTBUG] MouseComboBoxTest.java 
is failing + - JDK-8233566: [TESTBUG] KeyboardFocusManager tests failing on MacoS + - JDK-8233567: [TESTBUG] FocusSubRequestTest.java fails on macos + - JDK-8233569: [TESTBUG] JTextComponent test bug6361367.java fails on macos + - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos + - JDK-8233634: [TESTBUG] Swing text test bug4278839.java fails on macos + - JDK-8233635: [TESTBUG] ProgressMonitorEscapeKeyPress.java fails on macos + - JDK-8233637: [TESTBUG] Swing ActionListenerCalledTwiceTest.java fails on macos + - JDK-8233638: [TESTBUG] Swing test ScreenMenuBarInputTwice.java fails on macos + - JDK-8233641: [TESTBUG] JMenuItem test bug4171437.java fails on macos + - JDK-8233642: [TESTBUG] JMenuBar test bug 4750590.java fails on macos + - JDK-8233643: [TESTBUG] JMenu test bug4515762.java fails on macos + - JDK-8233644: [TESTBUG] JInternalFrame test bug8020708.java is failing on macos + - JDK-8233647: [TESTBUG] JColorChooser/Test8051548.java is failing on macos + - JDK-8234802: [TESTBUG] Test Right Mouse Button Drag Gesture Recognition in all the platforms + - JDK-8234823: java/net/Socket/Timeouts.java testcase testTimedConnect2() fails on Windows 10 + - JDK-8235784: java/lang/invoke/VarHandles/VarHandleTestByteArrayAsInt.java fails due to timeout with fastdebug bits + - JDK-8236042: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -Xcomp -XX:TieredStopAtLevel=1 + - JDK-8236177: assert(status == 0) failed: error ETIMEDOUT(60), cond_wait + - JDK-8236596: HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel + - JDK-8237354: Add option to jcmd to write a gzipped heap dump + - JDK-8237589: Fix copyright header formatting + - JDK-8238677: java/net/httpclient/ssltest/CertificateTest.java should not specify TLS version + - JDK-8239334: Tab Size does not work correctly in JTextArea with setLineWrap on + - JDK-8239422: [TESTBUG] compiler/c1/TestPrintIRDuringConstruction.java failed when C1 is disabled + - JDK-8239827: The 
test OpenByUNCPathNameTest.java should be changed to be manual + - JDK-8240256: Better resource cleaning for SunPKCS11 Provider + - JDK-8242044: Add basic HTTP/1.1 support to the HTTP/2 Test Server + - JDK-8242526: PIT: javax/swing/JInternalFrame/8020708/bug8020708.java fails in mach5 ubuntu system + - JDK-8242793: Incorrect copyright header in ContinuousCallSiteTargetChange.java + - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails + - JDK-8244292: Headful clients failing with --illegal-access=deny + - JDK-8245147: Refactor and improve utility of test/langtools/tools/javac/versions/Versions.java + - JDK-8245165: Update bug id for javax/swing/text/StyledEditorKit/4506788/bug4506788.java in ProblemList + - JDK-8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA + - JDK-8246114: java/net/MulticastSocket/Promiscuous.java fails after 8241072 (multi-homed systems) + - JDK-8246807: Incorrect copyright header in TimeZoneDatePermissionCheck.sh + - JDK-8247403: JShell: No custom input (e.g. 
from GUI) possible with JavaShellToolBuilder + - JDK-8247510: typo in IllegalHandshakeMessage + - JDK-8248187: [TESTBUG] javax/swing/plaf/basic/BasicGraphicsUtils/8132119/bug8132119.java fails with String is not properly drawn + - JDK-8248341: ProblemList java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java + - JDK-8248500: AArch64: Remove the r18 dependency on Windows AArch64 + - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked + - JDK-8249195: Change to Xcode 11.3.1 for building on Macos at Oracle + - JDK-8250521: Configure initial RTO to use minimal retry for loopback connections on Windows + - JDK-8250810: Push missing parts of JDK-8248817 + - JDK-8250839: Improve test template SSLEngineTemplate with SSLContextTemplate + - JDK-8250863: Build error with GCC 10 in NetworkInterface.c and k_standard.c + - JDK-8250888: nsk/jvmti/scenarios/general_functions/GF08/gf08t001/TestDriver.java fails + - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits + - JDK-8251377: [macos11] JTabbedPane selected tab text is barely legible + - JDK-8251570: JDK-8215624 causes assert(worker_id < _n_workers) failed: Invalid worker_id + - JDK-8251930: AArch64: Native types mismatch in hotspot + - JDK-8252049: Native memory leak in ciMethodData ctor + - JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly + - JDK-8252114: Windows-AArch64: Enable and test ZGC and ShenandoahGC + - JDK-8253015: Aarch64: Move linux code out from generic CPU feature detection + - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens + - JDK-8253497: Core Libs Terminology Refresh + - JDK-8253682: The AppletInitialFocusTest1.java is unstable + - JDK-8253763: ParallelObjectIterator should have virtual destructor + - JDK-8253866: Security Libs Terminology Refresh + - JDK-8254802: ThrowingPushPromisesAsStringCustom.java fails in "try throwing in GET_BODY" + - 
JDK-8255227: java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface + - JDK-8255264: Support for identifying the full range of IPv4 localhost addresses on Windows + - JDK-8255716: AArch64: Regression: JVM crashes if manually offline a core + - JDK-8255722: Create a new test for rotated blit + - JDK-8256009: Remove src/hotspot/share/adlc/Test/i486.ad + - JDK-8256066: Tests use deprecated TestNG API that is no longer available in new versions + - JDK-8256152: tests fail because of ambiguous method resolution + - JDK-8256182: Update qemu-debootstrap cross-compilation recipe + - JDK-8256201: java/awt/FullScreen/FullscreenWindowProps/FullscreenWindowProps.java failed + - JDK-8256202: Some tweaks for jarsigner tests PosixPermissionsTest and SymLinkTest + - JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font + - JDK-8256956: RegisterImpl::max_slots_per_register is incorrect on AMD64 + - JDK-8258457: testlibrary_tests/ctw/JarDirTest.java fails with InvalidPathException on windows + - JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3 + - JDK-8259237: Demo selection changes with left/right arrow key. No need to press space for selection. 
+ - JDK-8260571: Add PrintMetaspaceStatistics to print metaspace statistics upon VM exit + - JDK-8260690: JConsole User Guide Link from the Help menu is not accessible by keyboard + - JDK-8261036: Reduce classes loaded by CleanerFactory initialization + - JDK-8261071: AArch64: Refactor interpreter native wrappers + - JDK-8261075: Create stubRoutines.inline.hpp with SafeFetch implementation + - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled + - JDK-8261297: NMT: Final report should use scale 1 + - JDK-8261661: gc/stress/TestReclaimStringsLeaksMemory.java fails because Reserved memory size is too big + - JDK-8261916: gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed + - JDK-8262438: sun/security/ssl/SSLLogger/LoggingFormatConsistency.java failed with "SocketException: Socket is closed" + - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" + - JDK-8262844: (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3 + - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert + - JDK-8263068: Rename safefetch.hpp to safefetch.inline.hpp + - JDK-8263303: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint + - JDK-8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify + - JDK-8263773: Reenable German localization for builds at Oracle + - JDK-8263897: compiler/c2/aarch64/TestVolatilesSerial.java failed with "java.lang.RuntimeException: Wrong method" + - JDK-8264526: javax/swing/text/html/parser/Parser/8078268/bug8078268.java timeout + - JDK-8264824: java/net/Inet6Address/B6206527.java doesn't close ServerSocket properly + - JDK-8265019: Update tests for additional TestNG test permissions + - JDK-8265173: [test] divert spurious log output away from stream under test in ProcessBuilder Basic test + - JDK-8265524: Upgrading JSZip from 
v3.2.2 to v3.6.0 + - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java + - JDK-8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java + - JDK-8266949: Check possibility to disable OperationTimedOut on Unix + - JDK-8267246: -XX:MaxRAMPercentage=0 is unreasonable for jtreg tests on many-core machines + - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl + - JDK-8267304: Bump global JTReg memory limit to 768m + - JDK-8267652: c2 loop unrolling by 8 results in reading memory past array + - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8268093: Manual Testcase: "sun/security/krb5/config/native/TestDynamicStore.java" Fails with NPE + - JDK-8268555: Update HttpClient tests that use ITestContext to jtreg 6+1 + - JDK-8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only + - JDK-8269034: AccessControlException for SunPKCS11 daemon threads + - JDK-8269426: Rename test/jdk/java/lang/invoke/t8150782 to accessClassAndFindClass + - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events + - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles + - JDK-8269768: JFR Terminology Refresh + - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked + - JDK-8269984: [macos] JTabbedPane title looks like disabled + - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags + - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS + - JDK-8270216: [macOS] Update named used for Java run loop mode + - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error + - JDK-8270290: NTLM authentication fails if HEAD 
request is used + - JDK-8270317: Large Allocation in CipherSuite + - JDK-8270344: Session resumption errors + - JDK-8270517: Add Zero support for LoongArch + - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS + - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling + - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected" + - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop + - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java + - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity + - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling + - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" + - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions + - JDK-8272180: Upgrade JSZip from v3.6.0 to v3.7.1 + - JDK-8272181: Windows-AArch64:Backport fix of `Backtracing broken on PAC enabled systems` + - JDK-8272316: Wrong Boot JDK help message in 11 + - JDK-8272318: Improve performance of HeapDumpAllTest + - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions + - JDK-8272570: C2: crash in PhaseCFG::global_code_motion + - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 + - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled + - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit + - JDK-8272783: Epsilon: Refactor tests to improve performance + - JDK-8272806: [macOS] 
"Apple AWT Internal Exception" when input method is changed + - JDK-8272828: Add correct licenses to jszip.md + - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests + - JDK-8272850: Drop zapping values in the Zap* option descriptions + - JDK-8272902: Bump update version for OpenJDK: jdk-11.0.14 + - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups + - JDK-8272966: test/jdk/java/awt/Robot/FlushCurrentEvent.java fails by timeout + - JDK-8273026: Slow LoginContext.login() on multi threading application + - JDK-8273229: Update OS detection code to recognize Windows Server 2022 + - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit + - JDK-8273308: PatternMatchTest.java fails on CI + - JDK-8273314: Add tier4 test groups + - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 + - JDK-8273358: macOS Monterey does not have the font Times needed by Serif + - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero + - JDK-8273498: compiler/c2/Test7179138_1.java timed out + - JDK-8273541: Cleaner Thread creates with normal priority instead of MAX_PRIORITY - 2 + - JDK-8273547: [11u] [JVMCI] Partial module-info.java backport of JDK-8223332 + - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch + - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher + - JDK-8273671: Backport of 8260616 misses one JNF header inclusion removal + - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem + - JDK-8273795: Zero SPARC64 debug builds fail due to missing interpreter fields + - JDK-8273826: Correct Manifest file name and NPE checks + - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral + - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() + - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character + - 
JDK-8273968: JCK javax_xml tests fail in CI + - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects + - JDK-8274083: Update testing docs to mention tiered testing + - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated + - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m + - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern + - JDK-8274381: missing CAccessibility definitions in JNI code + - JDK-8274407: (tz) Update Timezone Data to 2021c + - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b + - JDK-8274468: TimeZoneTest.java fails with tzdata2021b + - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah + - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 + - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform + - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST + - JDK-8274840: Update OS detection code to recognize Windows 11 + - JDK-8274860: gcc 10.2.1 produces an uninitialized warning in sharedRuntimeTrig.cpp + - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag + - JDK-8275131: Exceptions after a touchpad gesture on macOS + - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc + - JDK-8275766: (tz) Update Timezone Data to 2021e + - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e + - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance + - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test + - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 + - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point + - JDK-8276536: Update TimeZoneNames files to follow the 
changes made by JDK-8275766 + - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend + - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie + - JDK-8276854: Windows GHA builds fail due to broken Cygwin + - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes + - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE + - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint + - JDK-8277815: Fix mistakes in legal header backports + +Notes on individual issues: +=========================== + +core-svc/tools: + +JDK-8250554: New Option Added to jcmd for Writing a gzipped Heap Dump +===================================================================== +A new integer option `gz` has been added to the `GC.heap_dump` +diagnostic command. If it is specified, it will enable the gzip +compression of the written heap dump. The supplied value is the +compression level. It can range from 1 (fastest) to 9 (slowest, but +best compression). The recommended level is 1. + +security-libs/javax.net.ssl: + +JDK-8260310: Configurable Extensions With System Properties +=========================================================== +Two new system properties have been added. The system property, +`jdk.tls.client.disableExtensions`, is used to disable TLS extensions +used in the client. The system property, +`jdk.tls.server.disableExtensions`, is used to disable TLS extensions +used in the server. If an extension is disabled, it will be neither +produced nor processed in the handshake messages. + +The property string is a list of comma separated standard TLS +extension names, as registered in the IANA documentation (for example, +server_name, status_request, and signature_algorithms_cert). Note that +the extension names are case sensitive. Unknown, unsupported, +misspelled and duplicated TLS extension name tokens will be ignored. 
+ +Please note that the impact of blocking TLS extensions is +complicated. For example, a TLS connection may not be able to be +established if a mandatory extension is disabled. Please do not +disable mandatory extensions, and do not use this feature unless you +clearly understand the impact. + +security-libs/javax.crypto:pkcs11: + +JDK-8272907: New SunPKCS11 Configuration Properties +=================================================== +The SunPKCS11 provider gains new provider configuration attributes to +better control native resources usage. The SunPKCS11 provider consumes +native resources in order to work with native PKCS11 libraries. To +manage and better control the native resources, additional +configuration attributes are added to control the frequency of +clearing native references as well as whether to destroy the +underlying PKCS11 Token after logout. + +The 3 new attributes for the SunPKCS11 provider configuration file +are: + +1) `destroyTokenAfterLogout` (boolean, defaults to false) + +If set to true, when `java.security.AuthProvider.logout()` is called +upon the SunPKCS11 provider instance, the underlying Token object will +be destroyed and resources will be freed. This essentially renders the +SunPKCS11 provider instance unusable after `logout()` calls. Note that +a PKCS11 provider with this attribute set to `true` should not be +added to the system provider list since the provider object is not +usable after a `logout()` method call. + +2) `cleaner.shortInterval` (integer, defaults to 2000, in milliseconds) + +This defines the frequency for clearing native references during busy +periods (such as, how often should the cleaner thread processes the +no-longer-needed native references in the queue to free up native +memory). Note that the cleaner thread will switch to the +'longInterval' frequency after 200 failed tries (such as, when no +references are found in the queue). 
+ +3) `cleaner.longInterval` (integer, defaults to 60000, in milliseconds) + +This defines the frequency for checking native reference during +non-busy period (such as, how often should the cleaner thread check +the queue for native references). Note that the cleaner thread will +switch back to the 'shortInterval' value if native PKCS11 references +for cleaning are detected. + +core-libs/java.nio: + +JDK-8271517: Zip File System Provider Throws ZipException when entry name element contains "." or "." +===================================================================================================== +The ZIP file system provider has been changed to reject existing ZIP +files that contain entries with "." or ".." in name elements. ZIP +files with these entries can not be used as a file system. Invoking +the `java.nio.file.FileSystems.newFileSystem(...)` methods will throw +`ZipException` if the ZIP file contains these entries. + +security-libs/java.security: + +JDK-8272535: Removed Google's GlobalSign Root Certificate +========================================================= +The following root certificate from Google has been removed from the +`cacerts` keystore: + +Alias Name: globalsignr2ca [jdk] +Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 + +core-libs/java.time: + +JDK-8274857: Update Timezone Data to 2021c +=========================================== +IANA Time Zone Database, on which JDK's Date/Time libraries are based, +has been updated to version 2021c +(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note +that with this update, some of the time zone rules prior to the year +1970 have been modified according to the changes which were introduced +with 2021b. 
For more detail, refer to the announcement of 2021b +(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) + +New in release OpenJDK 11.0.13 (2021-10-19): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11013 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt + +* Security fixes + - JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference + - JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close + - JDK-8263314: Enhance XML Dsig modes + - JDK-8265167, CVE-2021-35556: Richer Text Editors + - JDK-8265574: Improve handling of sheets + - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit + - JDK-8265776: Improve Stream handling for SSL + - JDK-8266097, CVE-2021-35561: Better hashing support + - JDK-8266103: Better specified spec values + - JDK-8266109: More Resilient Classloading + - JDK-8266115: More Manifest Jar Loading + - JDK-8266137, CVE-2021-35564: Improve Keystore integrity + - JDK-8266689, CVE-2021-35567: More Constrained Delegation + - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic + - JDK-8267712: Better LDAP reference processing + - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking + - JDK-8267735, CVE-2021-35586: Better BMP support + - JDK-8268193: Improve requests of certificates + - JDK-8268199: Correct certificate requests + - JDK-8268205: Enhance DTLS client handshake + - JDK-8268506: More Manifest Digests + - JDK-8269618, CVE-2021-35603: Better session identification + - JDK-8269624: Enhance method selection support + - JDK-8270398: Enhance canonicalization + - JDK-8270404: Better canonicalization +* Other changes + - JDK-8024368: private methods are allocated vtable indices + - JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently + - JDK-8140466: ChaCha20 and Poly1305 TLS 
Cipher Suites + - JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream + - JDK-8158066: SourceDebugExtensionTest fails to rename file + - JDK-8168304: Make all of DependencyContext_test available in product mode + - JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException + - JDK-8181313: SA: Remove libthread_db dependency on Linux + - JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9 + - JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException + - JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails + - JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received" + - JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes + - JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales. + - JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed + - JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64 + - JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration + - JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings + - JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test + - JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java + - JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java + - JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test + - JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test + - JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests + - JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests + - JDK-8210495: compiler crashes because of illegal signature in 
otherwise legal code + - JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout + - JDK-8210802: temp files left by tests in jdk/java/net/httpclient + - JDK-8210819: Update the host name in CNameTest.java + - JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test + - JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK + - JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'. + - JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected + - JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up + - JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang + - JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up + - JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12 + - JDK-8212695: Add explicit timeout to several HTTP Client tests + - JDK-8212718: Refactor some annotation processor tests to better use collections + - JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java + - JDK-8213137: Remove static initialization of monitor/mutex instances + - JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit + - JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests + - JDK-8213576: Make test AsyncCloseChannel.java run in othervm + - JDK-8213694: Test Timeout.java should run in othervm mode + - JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003 + - JDK-8213922: fix ctw stand-alone build + - JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java + - JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order + - JDK-8214937: 
sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date + - JDK-8216532: tools/launcher/Test7029048.java fails (Solaris) + - JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests + - JDK-8218145: block_if_requested is not proper inlined due to size + - JDK-8219417: bump jtreg requiredVersion to b14 + - JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/ + - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException + - JDK-8220445: Support for side by side MSVC Toolset versions + - JDK-8221988: add possibility to build with Visual Studio 2019 + - JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail + - JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods + - JDK-8224853: CDS address sanitizer errors + - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 + - JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions + - JDK-8225690: Multiple AttachListener threads can be created + - JDK-8225790: Two NestedDialogs tests fail on Ubuntu + - JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java + - JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly + - JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK + - JDK-8226683: Remove review suggestion from fix to 8219804 + - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134" + - JDK-8227766: CheckUnhandledOops is broken in MemAllocator + - JDK-8227815: Minimal VM: set_state is not a member of AttachListener + - JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes + - JDK-8230808: Remove Access::equals() + - JDK-8230841: Remove oopDesc::equals() + - 
JDK-8231717: Improve performance of charset decoding when charset is always compactable + - JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100% + - JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64) + - JDK-8233790: Forward output from heap dumper to jcmd/jmap + - JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java + - JDK-8234510: Remove file seeking requirement for writing a heap dump + - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file + - JDK-8235216: typo in test filename + - JDK-8235866: bump jtreg requiredVersion to 4.2b16 + - JDK-8236111: narrow allowSmartActionArgs disabling + - JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException + - JDK-8236671: NullPointerException in JKS keystore + - JDK-8238930: problem list compiler/c2/Test8004741.java + - JDK-8238943: switch to jtreg 5.0 + - JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test + - JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files + - JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration + - JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler + - JDK-8241768: git needs .gitattributes + - JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException + - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty" + - JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases + - JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]" + - JDK-8246387: switch to jtreg 5.1 + - JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob + - JDK-8247469: getSystemCpuLoad() returns -1 on linux when 
some offline cpus are present and cpusets.effective_cpus is not available + - JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open + - JDK-8248403: AArch64: Remove uses of kernel integer types + - JDK-8248414: AArch64: Remove uses of long and unsigned long ints + - JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model + - JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread + - JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC + - JDK-8248671: AArch64: Remove unused variables + - JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper + - JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply + - JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows + - JDK-8249548: backward focus traversal gets stuck in button group + - JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference + - JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id + - JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id + - JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id + - JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call + - JDK-8250824: AArch64: follow up for JDK-8248414 + - JDK-8251166: Add automated testcases for changes done in JDK-8214112 + - JDK-8251252: Add automated testcase for fix done in JDK-8214253 + - JDK-8251254: Add automated test for fix done in JDK-8218472 + - JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test + - JDK-8251549: Update docs on building for Git + - JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports() + - JDK-8252194: Add automated test for fix done in JDK-8218469 + - JDK-8252648: Shenandoah: name gang tasks consistently + - JDK-8252825: Add automated test for fix done in JDK-8218479 + - JDK-8252853: AArch64: 
gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1 + - JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent + - JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller + - JDK-8253424: Add support for running pre-submit testing using GitHub Actions + - JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165 + - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably + - JDK-8253899: Make IsClassUnloadingEnabled signature match specification + - JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image + - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command + - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow + - JDK-8254175: Build no-pch configuration in debug mode for submit checks + - JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation + - JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c + - JDK-8254282: Add Linux x86_32 builds to submit workflow + - JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments + - JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1 + - JDK-8255305: Add Linux x86_32 tier1 to submit workflow + - JDK-8255352: Archive important test outputs in submit workflow + - JDK-8255373: Submit workflow artifact name is always "test-results_.zip" + - JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop + - JDK-8255718: Zero: VM should know it runs in interpreter-only mode + - JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux + - JDK-8255810: Zero: build fails without JVMTI + - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch + - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow + - JDK-8256215: Shenandoah: re-organize 
saving/restoring machine state in assembler code + - JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE + - JDK-8256277: Github Action build on macOS should define OS and Xcode versions + - JDK-8256354: Github Action build on Windows should define OS and MSVC versions + - JDK-8256393: Github Actions build on Linux should define OS and GCC versions + - JDK-8256414: add optimized build to submit workflow + - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing + - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors + - JDK-8257148: Remove obsolete code in AWTView.m + - JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 + - JDK-8257620: Do not use objc_msgSend_stret to get macOS version + - JDK-8257913: Add more known library locations to simplify Linux cross-compilation + - JDK-8258703: Incorrect 512-bit vector registers restore on x86_32 + - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test + - JDK-8259535: ECDSA SignatureValue do not always have the specified length + - JDK-8259679: GitHub actions should use MSVC 14.28 + - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386" + - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386" + - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) + - JDK-8260923: Add more tests for SSLSocket input/output shutdown + - JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention + - JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions + - JDK-8261238: NMT should not limit baselining by size threshold + - JDK-8261496: Shenandoah: reconsider pacing updates memory ordering + - JDK-8261652: Remove some dead comments from os_bsd_x86 + - JDK-8261846: [JVMCI] c2v_iterateFrames can get out 
of sync with the StackFrameStream + - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space" + - JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8262392: Update Mesa 3-D Headers to version 21.0.3 + - JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception" + - JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows + - JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java + - JDK-8263136: C4530 was reported from VS 2019 at access bridge + - JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block + - JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers" + - JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X) + - JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems + - JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod + - JDK-8263531: Remove unused buffer int + - JDK-8263667: Avoid running GitHub actions on branches named pr/* + - JDK-8263776: [JVMCI] add helper to perform Java upcalls + - JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI + - JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M + - JDK-8265132: C2 compilation fails with assert "missing precedence edge" + - JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821 + - JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description + - JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter + - JDK-8265761: Font with missed font family name is not properly printed on 
Windows + - JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API + - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container + - JDK-8266018: Shenandoah: fix an incorrect assert + - JDK-8266206: Build failure after JDK-8264752 with older GCCs + - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5 + - JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong + - JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report + - JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation + - JDK-8266615: C2 incorrectly folds subtype checks involving an interface array + - JDK-8266642: Improve ResolvedMethodTable hash function + - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems + - JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted + - JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress + - JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header + - JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes + - JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance + - JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion + - JDK-8267424: CTW: C1 fails with "State must not be null" + - JDK-8267459: Pasting Unicode characters into JShell does not work. 
+ - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type + - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file + - JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13 + - JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID + - JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly + - JDK-8268103: JNI functions incorrectly return a double after JDK-8265836 + - JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size + - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code + - JDK-8268360: Missing check for infinite loop during node placement + - JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop + - JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan + - JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check + - JDK-8268417: Add test from JDK-8268360 + - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance + - JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE + - JDK-8268620: InfiniteLoopException test may fail on x86 platforms + - JDK-8268635: Corrupt oop in ClassLoaderData + - JDK-8268699: Shenandoah: Add test for JDK-8268127 + - JDK-8268771: javadoc -notimestamp option does not work on index.html + - JDK-8268775: Password is being converted to String in AccessibleJPasswordField + - JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag + - JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server + - JDK-8269304: Regression ~5% in 2005 in b27 + - JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u + - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient + - JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in 
Windows debug build + - JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark + - JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation + - JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string + - JDK-8269661: JNI_GetStringCritical does not lock char array + - JDK-8269668: [aarch64] java.library.path not including /usr/lib64 + - JDK-8269763: The JEditorPane is blank after JDK-8265167 + - JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV + - JDK-8269847: JDK-8269594 backport breaks 11u builds + - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 + - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers + - JDK-8269882: stack-use-after-scope in NewObjectA + - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status + - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode + - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup + - JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas + - JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas + - JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA + - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file + - JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies + - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon + - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj + - JDK-8272197: Update 11u GHA workflow with Shenandoah configurations + - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 
+ - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 + - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used + - JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32 + - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 + - JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u + - JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8271434: Removed IdenTrust Root Certificate +=============================================== +The following root certificate from IdenTrust has been removed from +the `cacerts` keystore: + +Alias Name: identrustdstx3 [jdk] +Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. + +JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280 +===================================================================================================== +The `gencert` command of the `keytool` utility has been updated to +create AKID from the SKID of the issuing certificate as specified by +RFC 5280. + +security-libs/javax.net.ssl: + +JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites +==================================================== +New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have +been added to JSSE. These cipher suites are enabled by default. The +TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. +The following cipher suites are available for TLS 1.2: + +* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + +Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for +details on these new TLS cipher suites. 
+ +JDK-8219551: Updated the Default Enabled Cipher Suites Preference +================================================================= +The preference of the default enabled cipher suites has been +changed. The compatibility impact should be minimal. If needed, +applications can customize the enabled cipher suites and the +preference. For more details, refer to the SunJSSE provider +documentation and the JSSE Reference Guide documentation. + New in release OpenJDK 11.0.12 (2021-07-20): ============================================= Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8257794-remove_broken_assert.patch b/SOURCES/jdk8257794-remove_broken_assert.patch new file mode 100644 index 0000000..1bfc571 --- /dev/null +++ b/SOURCES/jdk8257794-remove_broken_assert.patch @@ -0,0 +1,12 @@ +diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp +index d18d70b5f9..30ab380e40 100644 +--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp ++++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp +@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) { + #ifdef ASSERT + if (istate->_msg != initialize) { + assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit"); +- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong")); + } + // Verify linkages. + interpreterState l = istate; diff --git a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch deleted file mode 100644 index ddf686c..0000000 --- a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001 -From: Severin Gehwolf -Date: Wed, 14 Jul 2021 12:06:39 +0200 -Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c - ---- - src/hotspot/os/linux/os_linux.cpp | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp -index e8baf704e3a..12b75b733b5 100644 ---- a/src/hotspot/os/linux/os_linux.cpp -+++ b/src/hotspot/os/linux/os_linux.cpp -@@ -413,8 +413,15 @@ void os::init_system_properties_values() { - // 7: The default directories, normally /lib and /usr/lib. - #if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390) - #define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib" -+#else -+#if defined(AARCH64) -+ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems -+ // might not adhere to the FHS and it would be a change in behaviour if we used -+ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths. -+ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64" - #else - #define DEFAULT_LIBPATH "/lib:/usr/lib" -+#endif // AARCH64 - #endif - - // Base path of extensions installed on the system. --- -2.31.1 - diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch new file mode 100644 index 0000000..7a25e4b --- /dev/null +++ b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch 
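Review bot: The deletion of jdk8269668-rh1977671-aarch64_lib_path_fix.patch is not explained anywhere in the visible diff. If the `#if defined(AARCH64)` branch for `DEFAULT_LIBPATH` is now part of the 11.0.14.1 source tarball, say so in the changelog; if it is not, dropping the patch puts aarch64 back on the `#else` value `"/lib:/usr/lib"` and changes the native library search order.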
@@ -0,0 +1,26 @@ +diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +index 300f3682655..6f3eb6c450b 100644 +--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java ++++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +@@ -226,6 +226,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor + ctx = getLdapCtxFromUrl( + r.getDomainName(), url, new LdapURL(u), env); + return ctx; ++ } catch (AuthenticationException e) { ++ // do not retry on a different endpoint to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + // try the next element + lastException = e; +@@ -278,6 +282,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor + for (String u : urls) { + try { + return getUsingURL(u, env); ++ } catch (AuthenticationException e) { ++ // do not retry on a different URL to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + ex = e; + } diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in index ead27be..1aff153 100644 --- a/SOURCES/nss.fips.cfg.in +++ b/SOURCES/nss.fips.cfg.in @@ -1,6 +1,6 @@ name = NSS-FIPS nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ +nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips diff --git a/SOURCES/rh1991003-enable_fips_keys_import.patch b/SOURCES/rh1991003-enable_fips_keys_import.patch new file mode 100644 index 0000000..ac9bdb5 --- /dev/null +++ b/SOURCES/rh1991003-enable_fips_keys_import.patch 
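Review bot: In both hunks of jdk8275535-rh2053256-ldap_auth.patch the new comment says retrying would be "blocking the user", which does not say what is being protected; if the concern is account lockout from the same bad credentials being replayed against each endpoint or URL, state that. Only `AuthenticationException` is rethrown, so every other `NamingException` still falls through to the next element; the patch file has no description at all, so add a header that records the bug id and that this split is intended.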
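Review bot: `nssSecmodDirectory` in nss.fips.cfg.in changes from the `@NSS_SECMOD@` substitution to the literal `sql:/etc/pki/nssdb`, while `nssLibraryDirectory = @NSS_LIBDIR@` stays templated. Document why the database location is now fixed, and check that nothing in the spec file still expects to substitute `@NSS_SECMOD@`. The FIPS provider will read whatever sits at that path, so its ownership and permissions become part of what the configuration trusts.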
@@ -0,0 +1,590 @@ +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index 53f32d12cc..28ab184617 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -82,6 +82,10 @@ public final class Security { + public boolean isSystemFipsEnabled() { + return SystemConfigurator.isSystemFipsEnabled(); + } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } + }); + + // doPrivileged here because there are multiple +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 5565acb7c6..874c6221eb 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -55,6 +55,7 @@ final class SystemConfigurator { + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + + private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; + + private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; + +@@ -149,6 +150,16 @@ final class SystemConfigurator { + } + loadedProps = true; + systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } + } + } catch (Exception e) { + if (sdebug != null) { +@@ -176,6 +187,19 @@ final class SystemConfigurator { + return systemFipsEnabled; + } + ++ /** ++ * Returns {@code true} if system FIPS 
alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ + /* + * OpenJDK FIPS mode will be enabled only if the com.redhat.fips + * system property is true (default) and the system is in FIPS mode. +diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +index d8caa5640c..21bc6d0b59 100644 +--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -27,4 +27,5 @@ package jdk.internal.misc; + + public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); + } +diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +index ffee2c1603..ff3d5e0e4a 100644 +--- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ++++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +@@ -33,8 +33,13 @@ import java.security.KeyStore.*; + + import javax.net.ssl.*; + ++import jdk.internal.misc.SharedSecrets; ++ + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + X509ExtendedKeyManager keyManager; + boolean isInitialized; + +@@ -62,7 +67,8 @@ abstract class 
KeyManagerFactoryImpl extends KeyManagerFactorySpi { + KeyStoreException, NoSuchAlgorithmException, + UnrecoverableKeyException { + if ((ks != null) && SunJSSE.isFIPS()) { +- if (ks.getProvider() != SunJSSE.cryptoProvider) { ++ if (ks.getProvider() != SunJSSE.cryptoProvider && ++ !plainKeySupportEnabled) { + throw new KeyStoreException("FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); + } +@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + keyManager = new X509KeyManagerImpl( + Collections.emptyList()); + } else { +- if (SunJSSE.isFIPS() && +- (ks.getProvider() != SunJSSE.cryptoProvider)) { ++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) ++ && !plainKeySupportEnabled) { + throw new KeyStoreException( + "FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 0000000000..b848a1fd78 +--- /dev/null ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,290 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, 
long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? 
v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? 
v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. 
Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer 
Key creation has been tried and failed. ++ } ++ } ++} +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 1eca1f8f0a..72674a7330 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, 
this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 04a369f453..8d2081abaa 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -150,16 +151,28 @@ public class PKCS11 { + + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) 
path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. 
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch deleted file mode 100644 index 78552c3..0000000 --- a/SOURCES/rh1996182-extend_security_policy.patch +++ /dev/null 
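Review bot: In the SystemConfigurator.java hunk at `@@ -149,6 +150,16 @@`, `plainKeySupportEnabled = !"false".equals(plainKeySupport);` is case-sensitive, so `-Dcom.redhat.fips.plainKeySupport=FALSE` or `False` leaves plain key support on. The default is already `"true"` and this switch relaxes the FIPS keystore provider check in KeyManagerFactoryImpl, so an operator who tries to turn it off should not be defeated by capitalisation; use `equalsIgnoreCase`, as `Security` does for `java.security.disableSystemPropertiesFile`.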
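Review bot: In `FIPSKeyImporter.importKey`, `keyBytes` holds the encoded plain private or secret key and is never cleared after `importerCipher.doFinal(keyBytes)`; zero it in the `finally` block so the plaintext does not linger on the heap. Two related points in the same file: the IV is generated once in `createImporterKey` and then reused with the same AES-CBC importer key for every import, which deserves a comment explaining why that is acceptable here, and `catch (Throwable t)` throws a new `PKCS11Exception(CKR_GENERAL_ERROR)` without passing `t` to `debug`, so a missing attribute (`attrsMap.get(...)` returning null) is indistinguishable from a token failure.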
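Review bot: `FIPSPKCS11.C_CreateObject` is declared `synchronized` even though `getInstance` selects `FIPSPKCS11` on the `CKF_OS_LOCKING_OK` path, where plain `PKCS11` is otherwise used without Java-level locking. If the lock is there to protect the shared static `importerCipher` in `FIPSKeyImporter`, say so in a comment; otherwise drop it. The method body is also duplicated verbatim in `SynchronizedFIPSPKCS11`; moving the importer call into `FIPSPKCS11Helper` next to `isSensitiveObject` would keep the two classes from drifting apart.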
@@ -1,18 +0,0 @@ -commit 598fe421216b0a437fa36ee91a29966599867aa3 -Author: Andrew Hughes -Date: Mon Aug 30 16:12:52 2021 +0100 - - RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc - -diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy -index ab59a334cd..5db744ff17 100644 ---- openjdk.orig/src/java.base/share/lib/security/default.policy -+++ openjdk/src/java.base/share/lib/security/default.policy -@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { - grant codeBase "jrt:/jdk.crypto.cryptoki" { - permission java.lang.RuntimePermission - "accessClassInPackage.com.sun.crypto.provider"; -+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; - permission java.lang.RuntimePermission - "accessClassInPackage.sun.security.*"; - permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch index d3a1dde..10c5666 100644 --- a/SOURCES/rh1996182-login_to_nss_software_token.patch +++ b/SOURCES/rh1996182-login_to_nss_software_token.patch @@ -5,7 +5,7 @@ Date: Fri Aug 27 19:42:07 2021 +0100 RH1996182: Login to the NSS Software Token in FIPS Mode diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java -index 0cf61732d7..2cd851587c 100644 +index 5460efcf8c..f08dc2fafc 100644 --- openjdk.orig/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java @@ -182,6 +182,7 @@ module java.base { @@ -17,19 +17,19 @@ index 0cf61732d7..2cd851587c 100644 jdk.attach, jdk.charsets, 
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index b00b738b85..1eca1f8f0a 100644 +index 5e227f4531..164de8ff08 100644 --- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback; +@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.PasswordCallback; - import javax.security.auth.callback.TextOutputCallback; + import jdk.internal.misc.InnocuousThread; +import jdk.internal.misc.SharedSecrets; + import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; -@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; */ public final class SunPKCS11 extends AuthProvider { @@ -39,7 +39,7 @@ index b00b738b85..1eca1f8f0a 100644 private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider { +@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider { if (nssModule != null) { nssModule.setProvider(this); } diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch new file mode 100644 index 0000000..9490624 --- /dev/null +++ b/SOURCES/rh2021263-fips_ensure_security_initialised.patch 
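Review bot: Deleting rh1996182-extend_security_policy.patch removes the `accessClassInPackage.jdk.internal.misc` grant for `jrt:/jdk.crypto.cryptoki`, yet the refreshed login_to_nss_software_token.patch still adds `import jdk.internal.misc.SharedSecrets;` to SunPKCS11. The new context line `import jdk.internal.misc.InnocuousThread;` suggests the updated sources already need that permission; confirm that default.policy in the new tarball grants it and record that in the changelog, since without the grant SunPKCS11 would be denied access to `jdk.internal.misc` when a security manager is installed.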
@@ -0,0 +1,28 @@ +commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d +Author: Andrew Hughes +Date: Tue Jan 18 02:00:55 2022 +0000 + + RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance + +diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +index 2ec51d57806..8489b940c43 100644 +--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +@@ -36,6 +36,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -368,6 +369,9 @@ public class SharedSecrets { + } + + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } + return javaSecuritySystemConfiguratorAccess; + } + } diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch new file mode 100644 index 0000000..b8c8ba5 --- /dev/null +++ b/SOURCES/rh2021263-fips_missing_native_returns.patch 
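Review bot: `getJavaSecuritySystemConfiguratorAccess()` still returns the field unchecked after `unsafe.ensureClassInitialized(Security.class)`, and callers such as the static initialisers in SunPKCS11 and KeyManagerFactoryImpl dereference the result immediately. If `Security` initialisation did not register the accessor, that surfaces as a NullPointerException inside a class initialiser; add a comment stating that the static block of `Security` is what sets the field, or fail with an explicit error when it is still null.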
@@ -0,0 +1,24 @@ +commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2 +Author: Fridrich Strba +Date: Mon Jan 17 19:44:03 2022 +0000 + + RH2021263: Return in C code after having generated Java exception + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 6f4656bfcb6..34d0ff0ce91 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch new file mode 100644 index 0000000..b5351a8 --- /dev/null +++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch 
@@ -0,0 +1,99 @@ +commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07 +Author: Andrew Hughes +Date: Tue Jan 18 02:09:27 2022 +0000 + + RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support + +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index 28ab1846173..f9726741afd 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -61,10 +61,6 @@ public final class Security { + private static final Debug sdebug = + Debug.getInstance("properties"); + +- /* System property file*/ +- private static final String SYSTEM_PROPERTIES = +- "/etc/crypto-policies/back-ends/java.config"; +- + /* The java.security properties */ + private static Properties props; + +@@ -206,22 +202,36 @@ public final class Security { + } + } + ++ if (!loadedProps) { ++ initializeStatic(); ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties " + ++ "-- using defaults"); ++ } ++ } ++ + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); + if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && + "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { +- if (SystemConfigurator.configure(props)) { +- loadedProps = true; ++ if (!SystemConfigurator.configureSysProps(props)) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System properties could not be loaded."); ++ } + } + } + +- if (!loadedProps) { +- initializeStatic(); ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); + if (sdebug != null) { +- sdebug.println("unable to load security properties " + +- "-- using defaults"); ++ if (fipsEnabled) { ++ 
sdebug.println("FIPS support enabled."); ++ } else { ++ sdebug.println("FIPS support disabled."); ++ } + } + } +- + } + + /* +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 874c6221ebe..b7ed41acf0f 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -76,7 +76,7 @@ final class SystemConfigurator { + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ +- static boolean configure(Properties props) { ++ static boolean configureSysProps(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = +@@ -96,11 +96,19 @@ final class SystemConfigurator { + e.printStackTrace(); + } + } ++ return loadedProps; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } +- loadedProps = false; + // Remove all security providers + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch new file mode 100644 index 0000000..dd30384 --- /dev/null +++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch 
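Review bot: in the Security.java hunk at `@@ -206,22 +202,36 @@` of rh2021263-fips_separate_policy_and_fips_init.patch, `SystemConfigurator.configureFIPS(props)` is reached only under `if (loadedProps)`, so when java.security cannot be loaded the JVM runs on the `initializeStatic()` defaults and FIPS detection is never attempted. The only trace is the existing "unable to load security properties" debug line, which does not mention FIPS. Suggest an else branch that logs that FIPS configuration was skipped, or a comment explaining why skipping is acceptable on a host in FIPS mode. Separately, the local in the new `configureFIPS` is still named `loadedProps` while the caller stores the result as `fipsEnabled`; renaming it would make the return value's meaning clear.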
@@ -0,0 +1,220 @@ +commit e2be09f982af1cc05f5e6556d51900bca4757416 +Author: Andrew Hughes +Date: Mon Feb 28 05:30:32 2022 +0000 + + RH2051605: Detect NSS at Runtime for FIPS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 34d0ff0ce91..8dcb7d9073f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -23,25 +23,99 @@ + * questions. + */ + +-#include + #include + #include ++#include "jvm_md.h" + #include + + #ifdef SYSCONF_NSS + #include ++#else ++#include + #endif //SYSCONF_NSS + + #include "java_security_SystemConfigurator.h" + ++#define MSG_MAX_SIZE 256 + #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" +-#define MSG_MAX_SIZE 96 + ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-static void throwIOException(JNIEnv *env, const char *msg); +-static void dbgPrint(JNIEnv *env, const char* msg); ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ 
++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif + + /* + * Class: java_security_SystemConfigurator +@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ + return (*env)->GetVersion(env); + } + +@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif + (*env)->DeleteGlobalRef(env, debugObj); + } + } +@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +-#ifdef SYSCONF_NSS +- +- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); +- fips_enabled = 
SECMOD_GetSystemFIPSEnabled(); +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " SECMOD_GetSystemFIPSEnabled return value"); +- } +- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); +- +-#else // SYSCONF_NSS ++ FILE *fe; + +- FILE *fe; +- +- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); +- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- fips_enabled = fgetc(fe); +- fclose(fe); +- if (fips_enabled == EOF) { ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " read character is '%c'", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); +- } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " read character"); +- } +- return (fips_enabled == '1' ? 
JNI_TRUE : JNI_FALSE); +- +-#endif // SYSCONF_NSS +-} +- +-static void throwIOException(JNIEnv *env, const char *msg) +-{ +- jclass cls = (*env)->FindClass(env, "java/io/IOException"); +- if (cls != 0) +- (*env)->ThrowNew(env, cls, msg); +-} +- +-static void dbgPrint(JNIEnv *env, const char* msg) +-{ +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + } + } diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index 5fdec70..a1483f5 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -21,6 +21,10 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs +# Remove build artifacts by default +%bcond_with artifacts +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -30,6 +34,13 @@ %global include_staticlibs 0 %endif +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 
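Review bot: in rh2052829-fips_runtime_nss_detection.patch, `closeNSS()` calls `dlclose(nss_handle)` unconditionally from `DEF_JNI_OnUnload`, but `DEF_JNI_OnLoad` only prints "Failed to load NSS library." when `loadNSS()` returns `JNI_FALSE`, so `nss_handle` can still be NULL at unload. Guard the call with `if (nss_handle != NULL)`, and set both `nss_handle` and `getSystemFIPSEnabled` back to NULL after a successful `dlclose` so the function pointer cannot outlive the library it points into.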
@@ -74,7 +85,7 @@ # in alternatives those are slaves and master, very often triplicated by man pages # in files all masters and slaves are ghosted # the ghosts are here to allow installation via query like `dnf install /usr/bin/java` -# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives # TODO - fix those hardcoded lists via single list # Those files must *NOT* be ghosted for *slowdebug* packages # FIXME - if you are moving jshell or jlink or similar, always modify all three sections @@ -100,7 +111,9 @@ # Set of architectures for which we build fastdebug builds %global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler -%global jit_arches %{debug_arches} %{arm} +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 # Set of architectures which run a full bootstrap cycle %global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets @@ -119,6 +132,8 @@ %global zgc_arches x86_64 # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} # By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} @@ -172,7 +187,7 @@ %global fastdebug_build %{nil} %endif -# If you disable both builds, then the build fails +# If you disable all builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} 
@@ -183,9 +198,9 @@ %endif %ifarch %{bootstrap_arches} -%global bootstrap_build 1 +%global bootstrap_build true %else -%global bootstrap_build 1 +%global bootstrap_build false %endif %if %{include_staticlibs} @@ -198,14 +213,19 @@ %global static_libs_target %{nil} %endif +# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM +%global debug_symbols internal + # unlike portables,the rpms have to use static_libs_target very dynamically -%if %{bootstrap_build} -%global release_targets bootcycle-images docs-zip -%else +%global bootstrap_targets images %global release_targets images docs-zip -%endif # No docs nor bootcycle for debug builds %global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk # Disable LTO as this causes build failures at the moment. # See RHBZ#1861401 @@ -295,8 +315,8 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 12 -%global patchver 0 +%global updatever 14 +%global patchver 1 # If you bump featurever, you must bump also vendor_version_string # Used via new version scheme. JDK 11 was # GA'ed in September 2018 => 18.9 @@ -342,8 +362,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 7 -%global rpmrelease 3 +%global buildver 1 +%global rpmrelease 6 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk 
@@ -392,7 +412,8 @@ %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define buildoutputdir() %{expand:build/jdk11.build%{?1}} +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -407,7 +428,7 @@ %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ %global __requires_exclude ^(%{_privatelibs})$ -# Never generate lib-style provides/requires for slowdebug packages +# Never generate lib-style provides/requires for any debug packages %global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ @@ -440,6 +461,9 @@ %global alternatives_requires %{_sbindir}/alternatives %endif +%global family %{name}.%{_arch} +%global family_noarch %{name} + %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific sub-dir, 
@@ -457,6 +481,50 @@ # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : +%define save_alternatives() %{expand: + # warning! alternatives are localised! + # LANG=cs_CZ.UTF-8 alternatives --display java | head + # LANG=en_US.UTF-8 alternatives --display java | head + function nonLocalisedAlternativesDisplayOfMaster() { + LANG=en_US.UTF-8 alternatives --display "$MASTER" + } + function headOfAbove() { + nonLocalisedAlternativesDisplayOfMaster | head -n $1 + } + MASTER="%{?1}" + LOCAL_LINK="%{?2}" + FAMILY="%{?3}" + rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null + if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then + if headOfAbove 1 | grep -q manual ; then + if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then + headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY" + fi + fi + fi +} + +%define save_and_remove_alternatives() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + upgrade1_uninstal0=%{?3} + if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall + %{save_alternatives %{?1} %{?2} %{?4}} + fi + alternatives --remove "%{?1}" "%{?2}" +} + +%define set_if_needed_alternatives() %{expand: + MASTER="%{?1}" + FAMILY="%{?2}" + ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY" + if [ -e "$ALTERNATIVES_FILE" ] ; then + rm "$ALTERNATIVES_FILE" + alternatives --set $MASTER $FAMILY + fi +} + %define post_script() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : 
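Review bot: the three new macros take positional arguments that are documented nowhere: `save_and_remove_alternatives` reads master, link, the postun state and family from `%{?1}` to `%{?4}`, and a reader has to reconstruct that from the body. Add a comment line above each `%define` listing the arguments in order. `save_alternatives` also assigns `LOCAL_LINK="%{?2}"` and never uses it. Quoting is inconsistent as well: `rm -f .../rpm-state/"$MASTER"_$FAMILY`, `head -n $1` and `alternatives --set $MASTER $FAMILY` leave variables unquoted while the write path uses `"$MASTER"_"$FAMILY"`; quote them the same way throughout.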
@@ -464,20 +532,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || : exit 0 } - -%define post_headless() %{expand: -%ifarch %{share_arches} -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif - +%define alternatives_java_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=java alternatives \\ - --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ 
@@ -503,12 +570,23 @@ alternatives \\ --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\ %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext +%{set_if_needed_alternatives $key %{family}} + for X in %{origin} %{javaver} ; do - alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=jre_"$X" + alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=jre_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : 
@@ -535,26 +613,34 @@ exit 0 %define postun_headless() %{expand: - alternatives --remove java %{jrebindir -- %{?1}}/java - alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}} + %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}} } %define posttrans_script() %{expand: %{update_desktop_icons} } -%define post_devel() %{expand: +%define alternatives_javac_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=javac alternatives \\ - --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ %ifarch %{aot_arches} --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\ 
@@ -562,8 +648,10 @@ alternatives \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ %ifarch %{sa_arches} +%ifnarch %{zero_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ %endif +%endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ @@ -620,15 +708,22 @@ alternatives \\ --slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\ %{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ - %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext + +%{set_if_needed_alternatives $key %{family}} for X in %{origin} %{javaver} ; do - alternatives \\ - --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=java_sdk_"$X" + alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=java_sdk_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_devel() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : 
@@ -636,10 +731,14 @@ exit 0 } %define postun_devel() %{expand: - alternatives --remove javac %{sdkbindir -- %{?1}}/javac - alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} update-desktop-database %{_datadir}/applications &> /dev/null || : 
@@ -651,42 +750,54 @@ exit 0 } %define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} %{update_desktop_icons} } -%define post_javadoc() %{expand: - +%define alternatives_javadoc_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -alternatives \\ - --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ - $PRIORITY --family %{name} +key=javadocdir +alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc() %{expand: - alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +if [ "x$debug" == "xtrue" ] ; then + set -x +fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} exit 0 } -%define post_javadoc_zip() %{expand: - +%define alternatives_javadoczip_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi - -alternatives \\ - --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ - $PRIORITY --family %{name} +key=javadoczip +alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc_zip() %{expand: - alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + 
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} exit 0 } @@ -757,8 +868,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so @@ -792,7 +905,7 @@ exit 0 %dir %{etcjavadir -- %{?1}}/conf/security/policy/limited %dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy -%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blacklisted.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy @@ -852,8 +965,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap @@ -1012,8 +1127,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2021a required as of JDK-8260356 in April 2021 CPU -Requires: tzdata-java >= 2021a +# 2021e required as of JDK-8275766 in January 2022 CPU +Requires: tzdata-java >= 2021e # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} 
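Review bot: in the `@@ -792,7 +905,7 @@` files-list hunk, `lib/security/blacklisted.certs` becomes `lib/security/blocked.certs` under `%config(noreplace)`. Because the file name changes, a locally edited `blacklisted.certs` is not carried over to the new name on upgrade. Add a changelog line for the rename so administrators who maintain a local certificate block list know to re-apply it to `blocked.certs`.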
@@ -1026,6 +1141,8 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for FIPS PKCS11 provider +Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1108,10 +1225,10 @@ Requires(post): %{alternatives_requires} Requires(postun): %{alternatives_requires} # Standard JPackage javadoc provides -Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %if %is_system_jdk -Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %endif } @@ -1169,7 +1286,7 @@ URL: http://openjdk.java.net/ # to regenerate source0 (jdk) run update_package.sh # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve-clean.tar.xz +Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). 
@@ -1233,7 +1350,15 @@ Patch1007: rh1915071-always_initialise_configurator_access.patch Patch1008: rh1929465-improve_system_FIPS_detection.patch # RH1996182: Login to the NSS software token in FIPS mode Patch1009: rh1996182-login_to_nss_software_token.patch -Patch1010: rh1996182-extend_security_policy.patch +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +Patch1011: rh1991003-enable_fips_keys_import.patch +# RH2021263: Resolve outstanding FIPS issues +Patch1014: rh2021263-fips_ensure_security_initialised.patch +Patch1015: rh2021263-fips_missing_native_returns.patch +# RH2052819: Fix FIPS reliance on crypto policies +Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch +# RH2052829: Detect NSS at Runtime for FIPS detection +Patch1017: rh2052829-fips_runtime_nss_detection.patch ############################################# # @@ -1257,6 +1382,20 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch # PR3695: Allow use of system crypto policy to be disabled by the user Patch7: pr3695-toggle_system_crypto_policy.patch +# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked +Patch8: jdk8275535-rh2053256-ldap_auth.patch + +############################################# +# +# Backportable patches +# +# This section includes patches which are +# present in the current development tree, but +# need to be reviewed & pushed to the appropriate +# updates tree of OpenJDK. +############################################# +# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 +Patch101: jdk8257794-remove_broken_assert.patch ############################################# # 
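Review bot: the bug identifiers in the comments of the `@@ -1233,7 +1350,15 @@` hunk do not match the patches they describe. Patch1016 is commented `# RH2052819` but the file is `rh2021263-fips_separate_policy_and_fips_init.patch` and its embedded commit message says RH2021263; Patch1017 is commented `# RH2052829` while the embedded commit message says "RH2051605: Detect NSS at Runtime for FIPS detection". Please make the comment, file name and commit message agree, or note that the bugs are clones of each other. The removal of Patch1010 (`rh1996182-extend_security_policy.patch`) and the unused numbers 1012 and 1013 also deserve a one-line comment.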
@@ -1267,8 +1406,6 @@ Patch7: pr3695-toggle_system_crypto_policy.patch # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64 -Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch BuildRequires: autoconf BuildRequires: automake @@ -1295,8 +1432,8 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg and FIPS support -BuildRequires: nss-devel >= 3.53 +# Requirement for setting up nss.cfg and nss.fips.cfg +BuildRequires: nss-devel BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1304,11 +1441,11 @@ BuildRequires: unzip BuildRequires: javapackages-filesystem BuildRequires: java-%{buildjdkver}-openjdk-devel # Zero-assembler build requirement -%ifnarch %{jit_arches} +%ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2021a required as of JDK-8260356 in April 2021 CPU -BuildRequires: tzdata-java >= 2021a +# 2021e required as of JDK-8275766 in January 2022 CPU +BuildRequires: tzdata-java >= 2021e # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1590,7 +1727,7 @@ Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-slowdebug < 1:11.0.3.7-4 -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc The %{origin_nice} %{featurever} API documentation. @@ -1603,7 +1740,8 @@ Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-zip-slowdebug < 1:11.0.3.7-4 -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc-zip The %{origin_nice} %{featurever} API documentation compressed in a single archive. 
@@ -1659,9 +1797,10 @@ pushd %{top_level_dir_name} %patch3 -p1 %patch4 -p1 %patch7 -p1 -%patch8 -p1 popd # openjdk +%patch101 + %patch1000 %patch600 %patch1001 @@ -1671,7 +1810,13 @@ popd # openjdk %patch1007 %patch1008 %patch1009 -%patch1010 +%patch1011 +%patch1014 +%patch1015 +%patch1016 +%patch1017 + +%patch8 # Extract systemtap tapsets %if %{with_systemtap} @@ -1724,7 +1869,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? 
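Review bot: the `@@ -1724,7 +1869,6 @@` hunk drops the `sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg` step, but the matching change to the SOURCE17 template is not visible in these hunks. If the template still contains `@NSS_SECMOD@`, the literal placeholder ends up in the installed nss.fips.cfg. Confirm the template was updated in the same commit and say in the changelog why the `/etc/pki/nssdb` substitution is no longer needed.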
@@ -1751,49 +1895,38 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif # Fixes annocheck warnings in assembler files due to missing build notes EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" -export EXTRA_CFLAGS EXTRA_ASFLAGS - -for suffix in %{build_loop} ; do -if [ "x$suffix" = "x" ] ; then - debugbuild=release - debug_symbols=internal -else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` - debug_symbols=internal -fi - -for loop in %{main_suffix} %{staticlibs_loop} ; do - -if test "x${loop}" = "x%{main_suffix}" ; then - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full - # Variable used by configure and hs_err hook on build failures - link_opt="system" - # Debug builds don't need same targets as release for - # build speed-up - maketargets="%{release_targets}" - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - fi -else - # Variable used by configure and hs_err hook on build failures - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" -fi - -top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} -top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} -mkdir -p ${top_dir_abs_build_path} -pushd ${top_dir_abs_build_path} - -bash ${top_dir_abs_src_path}/configure \ -%ifnarch %{jit_arches} +export EXTRA_CFLAGS EXTRA_CPP_FLAGS EXTRA_ASFLAGS + +function buildjdk() { + local outputdir=${1} 
+ local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} + + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} + + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + + mkdir -p ${outputdir} + pushd ${outputdir} + + bash ${top_dir_abs_src_path}/configure \ +%ifarch %{zero_arches} --with-jvm-variants=zero \ %endif %ifarch %{ppc64le} @@ -1807,10 +1940,10 @@ bash ${top_dir_abs_src_path}/configure \ --with-vendor-url="%{oj_vendor_url}" \ --with-vendor-bug-url="%{oj_vendor_bug_url}" \ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ - --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ - --with-debug-level=$debugbuild \ - --with-native-debug-symbols=$debug_symbols \ - --enable-sysconf-nss \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="%{debug_symbols}" \ + --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=${link_opt} \ 
@@ -1828,54 +1961,139 @@ bash ${top_dir_abs_src_path}/configure \ --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \ --disable-warnings-as-errors -make \ - JAVAC_FLAGS=-g \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + cat spec.gmk -popd + make \ + JAVAC_FLAGS=-g \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) -# Restore original source tree if we modified it by removing full in-tree sources -if [ -d %{top_level_dir_name_backup} ] ; then - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -fi + popd +} -done # end of main / staticlibs loop +function installjdk() { + local outputdir=${1} + local installdir=${2} + local imagepath=${installdir}/images/%{jdkimage} + + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." 
+ mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + if [ -d ${outputdir}/docs ] ; then + echo "Installing docs..."; + mv ${outputdir}/docs ${installdir} ; + fi -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif -# the build (erroneously) removes read permissions from some jars -# this is a regression in OpenJDK 7 (our compiler): -# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; -# Build screws up permissions on binaries -# https://bugs.openjdk.java.net/browse/JDK-8173610 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; -find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; -# Install nss.cfg right away as we will be using the JRE above -export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ -# Install nss.cfg right away as we will be using the JRE above -install -m 644 nss.cfg $JAVA_HOME/conf/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ -# Install nss.fips.cfg: NSS 
configuration for global FIPS mode (crypto-policies) -install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat -# Use system-wide tzdata -rm $JAVA_HOME/lib/tzdb.dat -ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + fi +} -# Create fake alt-java as a placeholder for future alt-java -pushd ${JAVA_HOME} -# add alt-java man page -echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 -cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 -popd +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" + mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + + + for loop in %{main_suffix} %{staticlibs_loop} ; do + + builddir=%{buildoutputdir -- ${suffix}${loop}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}${loop}} + bootinstalldir=boot${installdir} + + if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Use system libraries + link_opt="system" 
+ # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + fi + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} + else + # Use bundled libraries for building statically + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" + # Always just do the one build for the static libraries + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + fi + + done # end of main / staticlibs loop # build cycles done # end of release / debug cycle loop 
@@ -1885,9 +2103,9 @@ done # end of release / debug cycle loop # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} %endif export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} @@ -1985,20 +2203,16 @@ gdb -q "$JAVA_HOME/bin/java" < 0 -# This fails on s390x for some reason. Disable for now. See: -# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227 -%ifnarch s390x +%ifarch %{gdb_arches} grep 'JavaCallWrapper::JavaCallWrapper' gdb.out %endif -%endif # Check src.zip has all sources. See RHBZ#1130490 $JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' @@ -2021,9 +2235,9 @@ STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} %endif jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} @@ -2196,6 +2410,9 @@ require "copy_jdk_configs.lua" %posttrans %{posttrans_script %{nil}} +%posttrans headless +%{alternatives_java_install %{nil}} + %post devel %{post_devel %{nil}} 
@@ -2205,14 +2422,14 @@ require "copy_jdk_configs.lua" %posttrans devel %{posttrans_devel %{nil}} -%post javadoc -%{post_javadoc %{nil}} +%posttrans javadoc +%{alternatives_javadoc_install %{nil}} %postun javadoc %{postun_javadoc %{nil}} -%post javadoc-zip -%{post_javadoc_zip %{nil}} +%posttrans javadoc-zip +%{alternatives_javadoczip_install %{nil}} %postun javadoc-zip %{postun_javadoc_zip %{nil}} @@ -2225,6 +2442,9 @@ require "copy_jdk_configs.lua" %post headless-slowdebug %{post_headless -- %{debug_suffix_unquoted}} +%posttrans headless-slowdebug +%{alternatives_java_install -- %{debug_suffix_unquoted}} + %postun slowdebug %{postun_script -- %{debug_suffix_unquoted}} @@ -2260,6 +2480,9 @@ require "copy_jdk_configs.lua" %posttrans fastdebug %{posttrans_script -- %{fastdebug_suffix_unquoted}} +%posttrans headless-fastdebug +%{alternatives_java_install -- %{fastdebug_suffix_unquoted}} + %post devel-fastdebug %{post_devel -- %{fastdebug_suffix_unquoted}} 
@@ -2366,6 +2589,123 @@ require "copy_jdk_configs.lua" %endif %changelog +* Mon Feb 28 2022 Andrew Hughes - 1:11.0.14.1.1-6 +- Detect NSS at runtime for FIPS detection +- Turn off build-time NSS linking and go back to an explicit Requires on NSS +- Resolves: rhbz#2052831 + +* Sun Feb 27 2022 Andrew Hughes - 1:11.0.14.1.1-5 +- Introduce tests/tests.yml, based on the one in RHEL 8 +- Resolves: rhbz#2058489 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-4 +- Storing and restoring alterntives during update manually +- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE +-- The move of alternatives creation to posttrans to fix: +-- Bug 1200302 - dnf reinstall breaks alternatives +-- Had caused the alternatives to be removed, and then created again, +-- instead of being added, and then removing the old, and thus persisting +-- the selection in family +-- Thus this fix, is storing the family of manually selected master, and if +-- stored, then it is restoring the family of the master +- Resolves: rhbz#2008205 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-3 +- Family extracted to globals +- Resolves: rhbz#2008205 + +* Wed Feb 23 2022 Andrew Hughes - 1:11.0.14.1.1-2 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053523 + +* Fri Feb 18 2022 Andrew Hughes - 1:11.0.14.1.1-1 +- Update to jdk-11.0.14.1+1 +- Update release notes to 11.0.14.1+1 +- Require tzdata 2021e as of JDK-8275766. +- Resolves: rhbz#2052834 + +* Thu Feb 17 2022 Andrew Hughes - 1:11.0.14.0.9-2 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent +- Resolves: rhbz#2052820 + +* Wed Feb 16 2022 Andrew Hughes - 1:11.0.14.0.9-1 +- Update to jdk-11.0.14.0+9 +- Update release notes to 11.0.14.0+9 +- Switch to GA mode for final release. 
+- Resolves: rhbz#2039395 + +* Tue Feb 15 2022 Andrew Hughes - 1:11.0.14.0.8-0.3.ea +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Resolves: rhbz#2023530 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.8-0.2.ea +- Refactor build functions so we can build just HotSpot without any attempt at installation. +- Sync gdb test with java-1.8.0-openjdk. +- Improve architecture restrictions for the gdb test. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds +- Related: rhbz#2052834 + +* Fri Feb 11 2022 Jiri Vanek - 1:11.0.14.0.8-0.2.ea +- Give javadoc-zip its own Provides, next to the plain javadoc ones +- Related: rhbz#2052834 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.8-0.1.ea +- Update to jdk-11.0.14.0+8 +- Update release notes to 11.0.14.0+8 +- Switch to EA mode for 11.0.14 pre-release builds. +- Rename blacklisted.certs to blocked.certs following JDK-8253866 +- Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034 +- Resolves: rhbz#2022825 + +* Thu Jan 13 2022 Andrew Hughes - 1:11.0.13.0.8-5 +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. 
+- Related: rhbz#2022825 + +* Thu Dec 02 2021 Severin Gehwolf - 1:11.0.13.0.8-4 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of NSS +- Resolves: rhbz#2023535 + +* Wed Dec 01 2021 Jiri Vanek - 1:11.0.13.0.8-3 +- Replaced hardcoded 11 by featurever where appropriate +- Fixed comment of `for slowdebug` to correct `any debug` +- Related: rhbz#2022825 + +* Tue Nov 09 2021 Jiri Vanek - 1:11.0.13.0.8-2 +- alternatives creation moved to posttrans +- Thus fixing the old reisntall issue: +- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 +- https://bugzilla.redhat.com/show_bug.cgi?id=1976053 +- Resolves: rhbz#2008205 + +* Wed Oct 13 2021 Andrew Hughes - 1:11.0.13.0.8-1 +- Update to jdk-11.0.13.0+8 +- Update release notes to 11.0.13.0+8 +- Update tarball generation script to use git following OpenJDK 11u's move to github +- Remove "-clean" suffix as no 11.0.13 builds are unclean. +- Drop JDK-8269668 patch which is now applied upstream. +- Resolves: rhbz#2013845 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-6 +- Reduce disk footprint by removing build artifacts by default. +- Related: rhbz#1999940 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-5 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Related: rhbz#1999940 + +* Tue Oct 05 2021 Andrew Hughes - 1:11.0.12.0.7-4 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Resolves: rhbz#1994681 + +* Tue Oct 05 2021 Martin Balao - 1:11.0.12.0.7-4 +- Add patch to allow plain key import. +- Resolves: rhbz#1994681 + * Thu Sep 02 2021 Jiri Vanek - 1:11.0.12.0.7-3 - Minor cosmetic improvements to make spec more comparable between variants - Related: rhbz#1999940
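Review bot: in the `%ifarch %{ix86}` block of hunk `@@ -1751,49 +1895,38 @@`, the `sed` substitution only rewrites an existing `-mstackrealign`; if that flag is ever absent from `EXTRA_CFLAGS` or `EXTRA_CPP_FLAGS`, no stack-boundary options are added and nothing reports it. Either append `-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4` unconditionally after stripping the old flag, or check that the result actually contains them. In the new `buildjdk()` function, the positional arguments are expanded unquoted in `${buildjdk}/bin/java -version`, `mkdir -p ${outputdir}` and `pushd ${outputdir}`, so they should be quoted. The local variable `buildjdk` also shadows the function name, which makes the call sites harder to read.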
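Review bot: the flip from `--enable-sysconf-nss` to `--disable-sysconf-nss` in hunk `@@ -1807,10 +1940,10 @@` is explained only by the changelog entry for rhbz#2052831 (runtime NSS detection for FIPS, explicit Requires on NSS), not in the spec body. A comment above the configure call would keep a later rebase from quietly re-enabling it. The explicit `Requires` on NSS that the changelog mentions is not visible in this hunk, so confirm it is part of the same change, since the runtime detection depends on NSS being installed. The same hunk replaces `$debug_symbols` with `"%{debug_symbols}"`, so check that the macro is defined for every build variant now that the shell variable is gone.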
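Review bot: in hunk `@@ -1828,54 +1961,139 @@`, `if ${run_bootstrap} ; then` executes the value of `%{bootstrap_build}` as a command, so anything other than the literal `true` or `false` falls into the `else` branch and silently produces a non-bootstrapped build. Compare explicitly, for example `[ "${run_bootstrap}" = "true" ]`, and fail on unexpected values. `installjdk()` uses its arguments unquoted and unchecked in `mv ${outputdir}/images ${installdir}` and `rm -rf ${outputdir}`; guarding with `${1:?}` and `${2:?}` and quoting the expansions would stop an empty argument from turning into a path under `/`. `install -m 644 nss.cfg` relies on the caller's working directory, which is now less obvious inside a function. The two artifact checks use different forms (`%if !%{with artifacts}` and `%{!?with_artifacts:rm -rf ${bootinstalldir}}`); pick one.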
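Review bot: in hunk `@@ -1885,9 +2103,9 @@` (and again in `@@ -2021,9 +2235,9 @@`), `top_dir_abs_main_build_path` and `top_dir_abs_staticlibs_build_path` now hold `%{installoutputdir ...}` paths, so the names no longer describe what they point at. Renaming them to something like `top_dir_abs_main_install_path` would make it clear that the checks and the install section read from the installed images rather than the build output, which may already have been removed when artifacts are not kept.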
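Review bot: hunk `@@ -1985,20 +2203,16 @@` drops the comment that explained why the `grep 'JavaCallWrapper::JavaCallWrapper' gdb.out` check was skipped on s390x, including the koji task link, and replaces `%ifnarch s390x` with `%ifarch %{gdb_arches}` without any explanation at this site. The definition of `gdb_arches` is not in this hunk, so make sure the reason for each excluded architecture is recorded next to that definition. Otherwise the next person to touch the gdb test has no record of which architectures are known to fail and why.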
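Review bot: the scriptlet hunks from `@@ -2196,6 +2410,9 @@` through `@@ -2260,6 +2480,9 @@` move alternatives registration into `%posttrans` (`alternatives_java_install`, `alternatives_javadoc_install`, `alternatives_javadoczip_install`) while the matching `%postun` scriptlets stay, and nothing in the spec body says why. The changelog for rhbz#2008205 describes the consequence: on update the alternatives are removed and then re-created, which loses a manual selection unless the family is stored and restored. Add a short comment at these scriptlets pointing to the macros that do the store and restore, since that logic is not visible here and the ordering is easy to break. Also note that `%post javadoc` and `%post javadoc-zip` are removed outright, so confirm that `post_javadoc` and `post_javadoc_zip` did nothing beyond what the new `%posttrans` macros cover.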
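Review bot: the changelog hunk `@@ -2366,6 +2589,123 @@` has spelling errors that will ship in the package metadata: "alterntives" and "alterantives" in the 1:11.0.14.1.1-4 entry and "reisntall" in the 1:11.0.13.0.8-2 entry. Two pairs of entries share a version-release (`1:11.0.14.0.8-0.2.ea` on Feb 11 2022 and `1:11.0.12.0.7-4` on Oct 05 2021); if that is intentional for co-authored changes, fine, otherwise bump the release so each entry maps to one build. The continuation lines in the 1:11.0.14.1.1-4 entry start with `--`, which differs from the single `-` used everywhere else; indenting them under the parent bullet would read better.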