import java-1.8.0-openjdk-1.8.0.322.b06-9.el9

This commit is contained in:
CentOS Sources 2022-05-17 04:39:58 -04:00 committed by Stepan Oksanichenko
commit 81ecfb6bac
57 changed files with 15023 additions and 0 deletions

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz

View File

@ -0,0 +1,2 @@
c54dd40b6deb5defa8d4d7132d650080d0e300f4 SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

57
SOURCES/CheckVendor.java Normal file
View File

@ -0,0 +1,57 @@
/* CheckVendor -- Check the vendor properties match specified values.
Copyright (C) 2020 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* @test
*/
public class CheckVendor {
public static void main(String[] args) {
if (args.length < 3) {
System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL>");
System.exit(1);
}
String vendor = System.getProperty("java.vendor");
String expectedVendor = args[0];
String vendorURL = System.getProperty("java.vendor.url");
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
vendor, expectedVendor);
System.exit(2);
}
if (!expectedVendorURL.equals(vendorURL)) {
System.err.printf("Invalid vendor URL %s, expected %s\n",
vendorURL, expectedVendorURL);
System.exit(3);
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
System.err.printf("Invalid vendor bug URL%s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
System.err.printf("Vendor information verified as %s, %s, %s\n",
vendor, vendorURL, vendorBugURL);
}
}

1652
SOURCES/NEWS Normal file

File diff suppressed because it is too large Load Diff

8
SOURCES/README.md Normal file
View File

@ -0,0 +1,8 @@
Package of LTS OpenJDK 8
OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. This package is designed to harbore them. Currently it is build on openJDK 10. LTSs (next is 11) will go as separate packages.
JDK8 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/8/ and is landing to your RHEL. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives.
See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf

View File

@ -0,0 +1,72 @@
/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
Copyright (C) 2012 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.InvocationTargetException;
import java.security.Permission;
import java.security.PermissionCollection;
public class TestCryptoLevel
{
public static void main(String[] args)
throws NoSuchFieldException, ClassNotFoundException,
IllegalAccessException, InvocationTargetException
{
Class<?> cls = null;
Method def = null, exempt = null;
try
{
cls = Class.forName("javax.crypto.JceSecurity");
}
catch (ClassNotFoundException ex)
{
System.err.println("Running a non-Sun JDK.");
System.exit(0);
}
try
{
def = cls.getDeclaredMethod("getDefaultPolicy");
exempt = cls.getDeclaredMethod("getExemptPolicy");
}
catch (NoSuchMethodException ex)
{
System.err.println("Running IcedTea with the original crypto patch.");
System.exit(0);
}
def.setAccessible(true);
exempt.setAccessible(true);
PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
Class<?> apCls = Class.forName("javax.crypto.CryptoAllPermission");
Field apField = apCls.getDeclaredField("INSTANCE");
apField.setAccessible(true);
Permission allPerms = (Permission) apField.get(null);
if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
{
System.err.println("Running with the unlimited policy.");
System.exit(0);
}
else
{
System.err.println("WARNING: Running with a restricted crypto policy.");
System.exit(-1);
}
}
}

49
SOURCES/TestECDSA.java Normal file
View File

@ -0,0 +1,49 @@
/* TestECDSA -- Ensure ECDSA signatures are working.
Copyright (C) 2016 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
/**
* @test
*/
public class TestECDSA {
public static void main(String[] args) throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
KeyPair key = keyGen.generateKeyPair();
byte[] data = "This is a string to sign".getBytes("UTF-8");
Signature dsa = Signature.getInstance("NONEwithECDSA");
dsa.initSign(key.getPrivate());
dsa.update(data);
byte[] sig = dsa.sign();
System.out.println("Signature: " + new BigInteger(1, sig).toString(16));
Signature dsaCheck = Signature.getInstance("NONEwithECDSA");
dsaCheck.initVerify(key.getPublic());
dsaCheck.update(data);
boolean success = dsaCheck.verify(sig);
if (!success) {
throw new RuntimeException("Test failed. Signature verification error");
}
System.out.println("Test passed.");
}
}

View File

@ -0,0 +1,43 @@
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
import java.util.Properties;
public class TestSecurityProperties {
// JDK 11
private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
public static void main(String[] args) {
Properties jdkProps = new Properties();
loadProperties(jdkProps);
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
System.out.println("Debug: Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
}

1558
SOURCES/config.guess vendored Normal file

File diff suppressed because it is too large Load Diff

1788
SOURCES/config.sub vendored Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,131 @@
#!/bin/sh
ZIP_SRC=openjdk/jdk/src/share/native/java/util/zip/zlib
JPEG_SRC=openjdk/jdk/src/share/native/sun/awt/image/jpeg
GIF_SRC=openjdk/jdk/src/share/native/sun/awt/giflib
PNG_SRC=openjdk/jdk/src/share/native/sun/awt/libpng
LCMS_SRC=openjdk/jdk/src/share/native/sun/java2d/cmm/lcms
echo "Removing built-in libs (they will be linked)"
echo "Removing zlib"
if [ ! -d ${ZIP_SRC} ]; then
echo "${ZIP_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${ZIP_SRC}
echo "Removing libjpeg"
if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that sound definitely exist
echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
exit 1
fi
rm -vf ${JPEG_SRC}/jcomapi.c
rm -vf ${JPEG_SRC}/jdapimin.c
rm -vf ${JPEG_SRC}/jdapistd.c
rm -vf ${JPEG_SRC}/jdcoefct.c
rm -vf ${JPEG_SRC}/jdcolor.c
rm -vf ${JPEG_SRC}/jdct.h
rm -vf ${JPEG_SRC}/jddctmgr.c
rm -vf ${JPEG_SRC}/jdhuff.c
rm -vf ${JPEG_SRC}/jdhuff.h
rm -vf ${JPEG_SRC}/jdinput.c
rm -vf ${JPEG_SRC}/jdmainct.c
rm -vf ${JPEG_SRC}/jdmarker.c
rm -vf ${JPEG_SRC}/jdmaster.c
rm -vf ${JPEG_SRC}/jdmerge.c
rm -vf ${JPEG_SRC}/jdphuff.c
rm -vf ${JPEG_SRC}/jdpostct.c
rm -vf ${JPEG_SRC}/jdsample.c
rm -vf ${JPEG_SRC}/jerror.c
rm -vf ${JPEG_SRC}/jerror.h
rm -vf ${JPEG_SRC}/jidctflt.c
rm -vf ${JPEG_SRC}/jidctfst.c
rm -vf ${JPEG_SRC}/jidctint.c
rm -vf ${JPEG_SRC}/jidctred.c
rm -vf ${JPEG_SRC}/jinclude.h
rm -vf ${JPEG_SRC}/jmemmgr.c
rm -vf ${JPEG_SRC}/jmemsys.h
rm -vf ${JPEG_SRC}/jmemnobs.c
rm -vf ${JPEG_SRC}/jmorecfg.h
rm -vf ${JPEG_SRC}/jpegint.h
rm -vf ${JPEG_SRC}/jpeglib.h
rm -vf ${JPEG_SRC}/jquant1.c
rm -vf ${JPEG_SRC}/jquant2.c
rm -vf ${JPEG_SRC}/jutils.c
rm -vf ${JPEG_SRC}/jcapimin.c
rm -vf ${JPEG_SRC}/jcapistd.c
rm -vf ${JPEG_SRC}/jccoefct.c
rm -vf ${JPEG_SRC}/jccolor.c
rm -vf ${JPEG_SRC}/jcdctmgr.c
rm -vf ${JPEG_SRC}/jchuff.c
rm -vf ${JPEG_SRC}/jchuff.h
rm -vf ${JPEG_SRC}/jcinit.c
rm -vf ${JPEG_SRC}/jconfig.h
rm -vf ${JPEG_SRC}/jcmainct.c
rm -vf ${JPEG_SRC}/jcmarker.c
rm -vf ${JPEG_SRC}/jcmaster.c
rm -vf ${JPEG_SRC}/jcparam.c
rm -vf ${JPEG_SRC}/jcphuff.c
rm -vf ${JPEG_SRC}/jcprepct.c
rm -vf ${JPEG_SRC}/jcsample.c
rm -vf ${JPEG_SRC}/jctrans.c
rm -vf ${JPEG_SRC}/jdtrans.c
rm -vf ${JPEG_SRC}/jfdctflt.c
rm -vf ${JPEG_SRC}/jfdctfst.c
rm -vf ${JPEG_SRC}/jfdctint.c
rm -vf ${JPEG_SRC}/jversion.h
rm -vf ${JPEG_SRC}/README
echo "Removing giflib"
if [ ! -d ${GIF_SRC} ]; then
echo "${GIF_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${GIF_SRC}
echo "Removing libpng"
if [ ! -d ${PNG_SRC} ]; then
echo "${PNG_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${PNG_SRC}
echo "Removing lcms"
if [ ! -d ${LCMS_SRC} ]; then
echo "${LCMS_SRC} does not exist. Refusing to proceed."
exit 1
fi
# temporary change to move bundled LCMS
if [ ! true ]; then
rm -vf ${LCMS_SRC}/cmsalpha.c
rm -vf ${LCMS_SRC}/cmscam02.c
rm -vf ${LCMS_SRC}/cmscgats.c
rm -vf ${LCMS_SRC}/cmscnvrt.c
rm -vf ${LCMS_SRC}/cmserr.c
rm -vf ${LCMS_SRC}/cmsgamma.c
rm -vf ${LCMS_SRC}/cmsgmt.c
rm -vf ${LCMS_SRC}/cmshalf.c
rm -vf ${LCMS_SRC}/cmsintrp.c
rm -vf ${LCMS_SRC}/cmsio0.c
rm -vf ${LCMS_SRC}/cmsio1.c
rm -vf ${LCMS_SRC}/cmslut.c
rm -vf ${LCMS_SRC}/cmsmd5.c
rm -vf ${LCMS_SRC}/cmsmtrx.c
rm -vf ${LCMS_SRC}/cmsnamed.c
rm -vf ${LCMS_SRC}/cmsopt.c
rm -vf ${LCMS_SRC}/cmspack.c
rm -vf ${LCMS_SRC}/cmspcs.c
rm -vf ${LCMS_SRC}/cmsplugin.c
rm -vf ${LCMS_SRC}/cmsps2.c
rm -vf ${LCMS_SRC}/cmssamp.c
rm -vf ${LCMS_SRC}/cmssm.c
rm -vf ${LCMS_SRC}/cmstypes.c
rm -vf ${LCMS_SRC}/cmsvirt.c
rm -vf ${LCMS_SRC}/cmswtpnt.c
rm -vf ${LCMS_SRC}/cmsxform.c
rm -vf ${LCMS_SRC}/lcms2.h
rm -vf ${LCMS_SRC}/lcms2_internal.h
rm -vf ${LCMS_SRC}/lcms2_plugin.h
fi

View File

@ -0,0 +1,10 @@
[Desktop Entry]
Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
Comment=Monitor and manage OpenJDK applications
Exec=_SDKBINDIR_/jconsole
Icon=java-@JAVA_VER@-@JAVA_VENDOR@
Terminal=false
Type=Application
StartupWMClass=sun-tools-jconsole-JConsole
Categories=Development;Profiling;Java;
Version=1.0

View File

@ -0,0 +1,115 @@
diff -ruN jdk8/common/autoconf/libraries.m4 jdk8/common/autoconf/libraries.m4
--- jdk8/common/autoconf/libraries.m4 2013-11-14 20:08:01.845065585 -0500
+++ jdk8/common/autoconf/libraries.m4 2013-11-14 20:10:56.186553066 -0500
@@ -676,6 +676,47 @@
###############################################################################
#
+ # Check for the png library
+ #
+
+ AC_ARG_WITH(libpng, [AS_HELP_STRING([--with-libpng],
+ [use libpng from build system or OpenJDK source (system, bundled) @<:@bundled@:>@])])
+
+ AC_CHECK_LIB(png, png_sig_cmp,
+ [ LIBPNG_FOUND=yes ],
+ [ LIBPNG_FOUND=no ])
+
+ AC_MSG_CHECKING([for which libpng to use])
+
+ # default is bundled
+ DEFAULT_LIBPNG=bundled
+
+ #
+ # if user didn't specify, use DEFAULT_LIBPNG
+ #
+ if test "x${with_libpng}" = "x"; then
+ with_libpng=${DEFAULT_libpng}
+ fi
+
+
+ if test "x${with_libpng}" = "xbundled"; then
+ USE_EXTERNAL_LIBPNG=false
+ AC_MSG_RESULT([bundled])
+ elif test "x${with_libpng}" = "xsystem"; then
+ if test "x${LIBPNG_FOUND}" = "xyes"; then
+ USE_EXTERNAL_LIBPNG=true
+ AC_MSG_RESULT([system])
+ else
+ AC_MSG_RESULT([system not found])
+ AC_MSG_ERROR([--with-libpng=system specified, but no libpng found!])
+ fi
+ else
+ AC_MSG_ERROR([Invalid value of --with-libpng: ${with_libpng}, use 'system' or 'bundled'])
+ fi
+ AC_SUBST(USE_EXTERNAL_LIBPNG)
+
+ ###############################################################################
+ #
# Check for the zlib library
#
diff -ruN jdk8/common/autoconf/spec.gmk.in jdk8/common/autoconf/spec.gmk.in
--- jdk8/common/autoconf/spec.gmk.in 2013-10-31 19:24:33.000000000 -0400
+++ jdk8/common/autoconf/spec.gmk.in 2013-11-14 21:10:56.365976518 -0500
@@ -548,6 +548,7 @@
ENABLE_JFR=@ENABLE_JFR@
ENABLE_INTREE_EC=@ENABLE_INTREE_EC@
USE_EXTERNAL_LIBJPEG:=@USE_EXTERNAL_LIBJPEG@
+USE_EXTERNAL_LIBPNG:=@USE_EXTERNAL_LIBPNG@
USE_EXTERNAL_LIBGIF:=@USE_EXTERNAL_LIBGIF@
USE_EXTERNAL_LIBZ:=@USE_EXTERNAL_LIBZ@
LIBZIP_CAN_USE_MMAP:=@LIBZIP_CAN_USE_MMAP@
diff -ruN jdk8/jdk/make/lib/Awt2dLibraries.gmk jdk8/jdk/make/lib/Awt2dLibraries.gmk
--- jdk8/jdk/make/lib/Awt2dLibraries.gmk 2013-11-14 20:08:01.845065585 -0500
+++ jdk8/jdk/make/lib/Awt2dLibraries.gmk 2013-11-14 20:14:10.791982343 -0500
@@ -1183,7 +1183,6 @@
ifndef BUILD_HEADLESS_ONLY
LIBSPLASHSCREEN_DIRS := \
- $(JDK_TOPDIR)/src/share/native/sun/awt/libpng \
$(JDK_TOPDIR)/src/share/native/sun/awt/splashscreen
ifeq ($(USE_EXTERNAL_LIBGIF), true)
@@ -1200,6 +1199,13 @@
LIBJPEG_CFLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/awt/jpeg
endif
+ ifeq ($(USE_EXTERNAL_LIBPNG), true)
+ LIBPNG_LDFLAGS := -lpng
+ else
+ LIBSPLASHSCREEN_DIRS += $(JDK_TOPDIR)/src/share/native/sun/awt/image/libpng
+ LIBPNG_CFLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/awt/libpng
+ endif
+
ifneq ($(OPENJDK_TARGET_OS), macosx)
LIBSPLASHSCREEN_DIRS += $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/sun/awt/splashscreen
else
@@ -1263,12 +1269,12 @@
LANG := C, \
OPTIMIZATION := LOW, \
CFLAGS := $(LIBSPLASHSCREEN_CFLAGS) $(CFLAGS_JDKLIB) \
- $(GIFLIB_CFLAGS) $(LIBJPEG_CFLAGS), \
+ $(GIFLIB_CFLAGS) $(LIBJPEG_CFLAGS) $(LIBPNG_CFLAGS), \
MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsplashscreen/mapfile-vers, \
LDFLAGS := $(LDFLAGS_JDKLIB) \
$(call SET_SHARED_LIBRARY_ORIGIN), \
LDFLAGS_SUFFIX := $(LIBSPLASHSCREEN_LDFLAGS_SUFFIX) \
- $(LIBZ) $(GIFLIB_LDFLAGS) $(LIBJPEG_LDFLAGS), \
+ $(LIBZ) $(GIFLIB_LDFLAGS) $(LIBJPEG_LDFLAGS) $(LIBPNG_LDFLAGS), \
LDFLAGS_SUFFIX_solaris := -lc, \
VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \
RC_FLAGS := $(RC_FLAGS) \
diff -ruN jdk8/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c jdk8/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c
--- jdk8/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c 2013-10-31 19:44:18.000000000 -0400
+++ jdk8/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c 2013-11-14 20:14:41.363892797 -0500
@@ -25,8 +25,7 @@
#include "splashscreen_impl.h"
-#include "../libpng/png.h"
-
+#include <png.h>
#include <setjmp.h>
#define SIG_BYTES 8

View File

@ -0,0 +1,68 @@
diff --git openjdk.orig/jdk/make/lib/Awt2dLibraries.gmk openjdk/jdk/make/lib/Awt2dLibraries.gmk
--- openjdk.orig/jdk/make/lib/Awt2dLibraries.gmk
+++ openjdk/jdk/make/lib/Awt2dLibraries.gmk
@@ -665,18 +665,35 @@
endif
endif
+LIBLCMS_DIR := $(JDK_TOPDIR)/src/share/native/sun/java2d/cmm/lcms
+
+ifeq ($(USE_EXTERNAL_LCMS), true)
+ # If we're using an external library, we'll just need the wrapper part.
+ # By including it explicitely, all other files will be excluded.
+ BUILD_LIBLCMS_INCLUDE_FILES := LCMS.c
+ BUILD_LIBLCMS_HEADERS :=
+else
+ BUILD_LIBLCMS_INCLUDE_FILES :=
+ # If we're using the bundled library, we'll need to include it in the
+ # include path explicitly. Otherwise the system headers will be used.
+ BUILD_LIBLCMS_HEADERS := -I$(LIBLCMS_DIR)
+endif
+
# TODO: Update awt lib path when awt is converted
$(eval $(call SetupNativeCompilation,BUILD_LIBLCMS, \
LIBRARY := lcms, \
OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
- SRC := $(JDK_TOPDIR)/src/share/native/sun/java2d/cmm/lcms, \
+ SRC := $(LIBLCMS_DIR), \
+ INCLUDE_FILES := $(BUILD_LIBLCMS_INCLUDE_FILES), \
LANG := C, \
OPTIMIZATION := HIGHEST, \
CFLAGS := $(filter-out -xc99=%none, $(CFLAGS_JDKLIB)) \
-DCMS_DONT_USE_FAST_FLOOR \
$(SHARED_LIBRARY_FLAGS) \
-I$(JDK_TOPDIR)/src/share/native/sun/java2d \
- -I$(JDK_TOPDIR)/src/share/native/sun/awt/debug, \
+ -I$(JDK_TOPDIR)/src/share/native/sun/awt/debug \
+ $(BUILD_LIBLCMS_HEADERS) \
+ $(LCMS_CFLAGS), \
CFLAGS_solaris := -xc99=no_lib, \
CFLAGS_windows := -DCMS_IS_WINDOWS_, \
MAPFILE := $(JDK_TOPDIR)/make/mapfiles/liblcms/mapfile-vers, \
@@ -684,10 +701,10 @@
$(call SET_SHARED_LIBRARY_ORIGIN), \
LDFLAGS_solaris := /usr/lib$(OPENJDK_TARGET_CPU_ISADIR)/libm.so.2, \
LDFLAGS_windows := $(WIN_AWT_LIB) $(WIN_JAVA_LIB), \
- LDFLAGS_SUFFIX_solaris := -lawt -ljava -ljvm -lc, \
- LDFLAGS_SUFFIX_macosx := $(LIBM) -lawt -ljava -ljvm, \
- LDFLAGS_SUFFIX_linux := -lm -lawt -ljava -ljvm, \
- LDFLAGS_SUFFIX_aix := -lm -lawt -ljava -ljvm,\
+ LDFLAGS_SUFFIX_solaris := -lawt -ljava -ljvm -lc $(LCMS_LIBS), \
+ LDFLAGS_SUFFIX_macosx := $(LIBM) -lawt -ljava -ljvm $(LCMS_LIBS), \
+ LDFLAGS_SUFFIX_linux := -lm -lawt -ljava -ljvm $(LCMS_LIBS), \
+ LDFLAGS_SUFFIX_aix := -lm -lawt -ljava -ljvm $(LCMS_LIBS),\
VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \
RC_FLAGS := $(RC_FLAGS) \
-D "JDK_FNAME=lcms.dll" \
diff --git openjdk.orig/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c
--- openjdk.orig/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c
+++ openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c
@@ -30,7 +30,7 @@
#include "jni_util.h"
#include "Trace.h"
#include "Disposer.h"
-#include "lcms2.h"
+#include <lcms2.h>
#include "jlong.h"

View File

@ -0,0 +1,50 @@
diff -ruN openjdk/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
--- openjdk/common/autoconf/libraries.m4 2013-11-14 22:04:38.039440136 -0500
+++ openjdk/common/autoconf/libraries.m4 2013-11-14 22:05:11.474356424 -0500
@@ -676,6 +676,46 @@
###############################################################################
#
+ # Check for the lcms2 library
+ #
+
+ AC_ARG_WITH(lcms, [AS_HELP_STRING([--with-lcms],
+ [use lcms2 from build system or OpenJDK source (system, bundled) @<:@bundled@:>@])])
+
+ AC_CHECK_LIB(lcms2, cmsOpenProfileFromFile,
+ [ LCMS_FOUND=yes ],
+ [ LCMS_FOUND=no ])
+
+ AC_MSG_CHECKING([for which lcms to use])
+
+ DEFAULT_LCMS=bundled
+
+ #
+ # If user didn't specify, use DEFAULT_LCMS
+ #
+ if test "x${with_lcms}" = "x"; then
+ with_lcms=${DEFAULT_LCMS}
+ fi
+
+ if test "x${with_lcms}" = "xbundled"; then
+ USE_EXTERNAL_LCMS=false
+ AC_MSG_RESULT([bundled])
+ elif test "x${with_lcms}" = "xsystem"; then
+ if test "x${LCMS_FOUND}" = "xyes"; then
+ USE_EXTERNAL_LCMS=true
+ AC_MSG_RESULT([system])
+ else
+ AC_MSG_RESULT([system not found])
+ AC_MSG_ERROR([--with-lcms=system specified, but no lcms found!])
+ fi
+ else
+ AC_MSG_ERROR([Invalid value for --with-lcms: ${with_lcms}, use 'system' or 'bundled'])
+ fi
+
+ AC_SUBST(USE_EXTERNAL_LCMS)
+
+ ###############################################################################
+ #
# Check for the png library
#

View File

@ -0,0 +1,228 @@
diff -ruN jdk8/common/autoconf/libraries.m4 jdk8/common/autoconf/libraries.m4
--- jdk8/common/autoconf/libraries.m4 2013-10-31 19:24:33.000000000 -0400
+++ jdk8/common/autoconf/libraries.m4 2013-11-14 21:55:20.249903347 -0500
@@ -601,12 +601,42 @@
#
USE_EXTERNAL_LIBJPEG=true
- AC_CHECK_LIB(jpeg, main, [],
- [ USE_EXTERNAL_LIBJPEG=false
- AC_MSG_NOTICE([Will use jpeg decoder bundled with the OpenJDK source])
- ])
+ AC_ARG_WITH(libjpeg, [AS_HELP_STRING([--with-libjpeg],
+ [use libjpeg from build system or OpenJDK sources (system, bundled) @<:@bundled@:>@])])
+
+ AC_CHECK_LIB(jpeg, jpeg_destroy_compress,
+ [ LIBJPEG_FOUND=yes ],
+ [ LIBJPEG_FOUND=no ])
+
+ AC_MSG_CHECKING([for which libjpeg to use])
+
+ # default is bundled
+ DEFAULT_LIBJPEG=bundled
+
+ #
+ # if user didn't specify, use DEFAULT_LIBJPEG
+ #
+ if test "x${with_libjpeg}" = "x"; then
+ with_libjpeg=${DEFAULT_LIBJPEG}
+ fi
+
+ if test "x${with_libjpeg}" = "xbundled"; then
+ USE_EXTERNAL_LIBJPEG=false
+ AC_MSG_RESULT([bundled])
+ elif test "x${with_libjpeg}" = "xsystem"; then
+ if test "x${LIBJPEG_FOUND}" = "xyes"; then
+ USE_EXTERNAL_LIBJPEG=true
+ AC_MSG_RESULT([system])
+ else
+ AC_MSG_RESULT([system not found])
+ AC_MSG_ERROR([--with-libjpeg=system specified, but no libjpeg found])
+ fi
+ else
+ AC_MSG_ERROR([Invalid use of --with-libjpeg: ${with_libjpeg}, use 'system' or 'bundled'])
+ fi
AC_SUBST(USE_EXTERNAL_LIBJPEG)
+
###############################################################################
#
# Check for the gif library
diff -ruN jdk8/jdk/make/lib/Awt2dLibraries.gmk jdk8/jdk/make/lib/Awt2dLibraries.gmk
--- jdk8/jdk/make/lib/Awt2dLibraries.gmk 2013-10-31 19:44:18.000000000 -0400
+++ jdk8/jdk/make/lib/Awt2dLibraries.gmk 2013-11-14 21:56:01.020796703 -0500
@@ -693,17 +693,17 @@
##########################################################################################
ifdef OPENJDK
- BUILD_LIBJPEG_MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libjpeg/mapfile-vers
+ BUILD_LIBJAVAJPEG_MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libjpeg/mapfile-vers
else
- BUILD_LIBJPEG_MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libjpeg/mapfile-vers-closed
- BUILD_LIBJPEG_CLOSED_SRC := $(JDK_TOPDIR)/src/closed/share/native/sun/awt/image/jpeg
- BUILD_LIBJPEG_CLOSED_INCLUDES := -I$(BUILD_LIBJPEG_CLOSED_SRC)
+ BUILD_LIBJAVAJPEG_MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libjpeg/mapfile-vers-closed
+ BUILD_LIBJAVAJPEG_CLOSED_SRC := $(JDK_TOPDIR)/src/closed/share/native/sun/awt/image/jpeg
+ BUILD_LIBJAVAJPEG_CLOSED_INCLUDES := -I$(BUILD_LIBJPEG_CLOSED_SRC)
endif
-BUILD_LIBJPEG_REORDER :=
+BUILD_LIBJAVAJPEG_REORDER :=
ifeq ($(OPENJDK_TARGET_OS), solaris)
ifneq ($(OPENJDK_TARGET_CPU), x86_64)
- BUILD_LIBJPEG_REORDER := $(JDK_TOPDIR)/make/mapfiles/libjpeg/reorder-$(OPENJDK_TARGET_CPU)
+ BUILD_LIBJAVAJPEG_REORDER := $(JDK_TOPDIR)/make/mapfiles/libjpeg/reorder-$(OPENJDK_TARGET_CPU)
endif
endif
@@ -718,37 +718,38 @@
# $(shell $(EXPR) $(CC_MAJORVER) \> 4 \| \
# \( $(CC_MAJORVER) = 4 \& $(CC_MINORVER) \>= 3 \) )
# ifeq ($(CC_43_OR_NEWER), 1)
-# BUILD_LIBJPEG_CFLAGS_linux += -Wno-clobbered
+# BUILD_LIBJAVAJPEG_CFLAGS_linux += -Wno-clobbered
# endif
#endif
-$(eval $(call SetupNativeCompilation,BUILD_LIBJPEG, \
- LIBRARY := jpeg, \
+$(eval $(call SetupNativeCompilation,BUILD_LIBJAVAJPEG, \
+ LIBRARY := javajpeg, \
OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
- SRC := $(BUILD_LIBJPEG_CLOSED_SRC) \
+ SRC := $(BUILD_LIBJAVAJPEG_CLOSED_SRC) \
$(JDK_TOPDIR)/src/share/native/sun/awt/image/jpeg, \
LANG := C, \
OPTIMIZATION := HIGHEST, \
CFLAGS := $(CFLAGS_JDKLIB) \
- $(BUILD_LIBJPEG_CLOSED_INCLUDES) \
+ $(BUILD_LIBJAVAJPEG_CLOSED_INCLUDES) \
-I$(JDK_TOPDIR)/src/share/native/sun/awt/image/jpeg, \
- MAPFILE := $(BUILD_LIBJPEG_MAPFILE), \
- LDFLAGS := $(LDFLAGS_JDKLIB) \
+ MAPFILE := $(BUILD_LIBJAVAJPEG_MAPFILE), \
+ LDFLAGS := $(subst -Xlinker --as-needed,, \
+ $(subst -Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) -ljpeg \
$(call SET_SHARED_LIBRARY_ORIGIN), \
LDFLAGS_windows := $(WIN_JAVA_LIB) jvm.lib, \
LDFLAGS_SUFFIX := $(LDFLAGS_JDKLIB_SUFFIX), \
VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \
RC_FLAGS := $(RC_FLAGS) \
- -D "JDK_FNAME=jpeg.dll" \
- -D "JDK_INTERNAL_NAME=jpeg" \
+ -D "JDK_FNAME=javajpeg.dll" \
+ -D "JDK_INTERNAL_NAME=javajpeg" \
-D "JDK_FTYPE=0x2L", \
- REORDER := $(BUILD_LIBJPEG_REORDER), \
- OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libjpeg, \
+ REORDER := $(BUILD_LIBJAVAJPEG_REORDER), \
+ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libjavajpeg, \
DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
-$(BUILD_LIBJPEG): $(BUILD_LIBJAVA)
+$(BUILD_LIBJAVAJPEG): $(BUILD_LIBJAVA)
-BUILD_LIBRARIES += $(BUILD_LIBJPEG)
+BUILD_LIBRARIES += $(BUILD_LIBJAVAJPEG)
##########################################################################################
@@ -1127,7 +1128,6 @@
ifndef BUILD_HEADLESS_ONLY
LIBSPLASHSCREEN_DIRS := \
- $(JDK_TOPDIR)/src/share/native/sun/awt/image/jpeg \
$(JDK_TOPDIR)/src/share/native/sun/awt/libpng \
$(JDK_TOPDIR)/src/share/native/sun/awt/splashscreen
@@ -1138,6 +1138,13 @@
GIFLIB_CFLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/awt/giflib
endif
+ ifeq ($(USE_EXTERNAL_LIBJPEG), true)
+ LIBJPEG_LDFLAGS := -ljpeg
+ else
+ LIBSPLASHSCREEN_DIRS += $(JDK_TOPDIR)/src/share/native/sun/awt/image/jpeg
+ LIBJPEG_CFLAGS := -I$(JDK_TOPDIR)/src/share/native/sun/awt/jpeg
+ endif
+
ifneq ($(OPENJDK_TARGET_OS), macosx)
LIBSPLASHSCREEN_DIRS += $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/sun/awt/splashscreen
else
@@ -1193,11 +1200,13 @@
EXCLUDE_FILES := imageioJPEG.c jpegdecoder.c pngtest.c, \
LANG := C, \
OPTIMIZATION := LOW, \
- CFLAGS := $(LIBSPLASHSCREEN_CFLAGS) $(CFLAGS_JDKLIB) $(GIFLIB_CFLAGS), \
+ CFLAGS := $(LIBSPLASHSCREEN_CFLAGS) $(CFLAGS_JDKLIB) \
+ $(GIFLIB_CFLAGS) $(LIBJPEG_CFLAGS), \
MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsplashscreen/mapfile-vers, \
LDFLAGS := $(LDFLAGS_JDKLIB) \
$(call SET_SHARED_LIBRARY_ORIGIN), \
- LDFLAGS_SUFFIX := $(LIBSPLASHSCREEN_LDFLAGS_SUFFIX) $(LIBZ) $(GIFLIB_LDFLAGS), \
+ LDFLAGS_SUFFIX := $(LIBSPLASHSCREEN_LDFLAGS_SUFFIX) \
+ $(LIBZ) $(GIFLIB_LDFLAGS) $(LIBJPEG_LDFLAGS), \
LDFLAGS_SUFFIX_solaris := -lc, \
VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \
RC_FLAGS := $(RC_FLAGS) \
diff -ruN jdk8/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java jdk8/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java
--- jdk8/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java 2013-10-31 19:44:18.000000000 -0400
+++ jdk8/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java 2013-11-14 21:55:20.250903340 -0500
@@ -89,7 +89,7 @@
java.security.AccessController.doPrivileged(
new java.security.PrivilegedAction<Void>() {
public Void run() {
- System.loadLibrary("jpeg");
+ System.loadLibrary("javajpeg");
return null;
}
});
diff -ruN jdk8/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageWriter.java jdk8/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageWriter.java
--- jdk8/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageWriter.java 2013-10-31 19:44:18.000000000 -0400
+++ jdk8/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageWriter.java 2013-11-14 21:55:20.250903340 -0500
@@ -179,7 +179,7 @@
java.security.AccessController.doPrivileged(
new java.security.PrivilegedAction<Void>() {
public Void run() {
- System.loadLibrary("jpeg");
+ System.loadLibrary("javajpeg");
return null;
}
});
diff -ruN jdk8/jdk/src/share/classes/sun/awt/image/JPEGImageDecoder.java jdk8/jdk/src/share/classes/sun/awt/image/JPEGImageDecoder.java
--- jdk8/jdk/src/share/classes/sun/awt/image/JPEGImageDecoder.java 2013-10-31 19:44:18.000000000 -0400
+++ jdk8/jdk/src/share/classes/sun/awt/image/JPEGImageDecoder.java 2013-11-14 21:55:20.251903376 -0500
@@ -56,7 +56,7 @@
java.security.AccessController.doPrivileged(
new java.security.PrivilegedAction<Void>() {
public Void run() {
- System.loadLibrary("jpeg");
+ System.loadLibrary("javajpeg");
return null;
}
});
diff -ruN jdk8/jdk/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c jdk8/jdk/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c
--- jdk8/jdk/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c 2013-10-31 19:44:18.000000000 -0400
+++ jdk8/jdk/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c 2013-11-14 21:55:20.251903376 -0500
@@ -25,7 +25,6 @@
#include "splashscreen_impl.h"
-#include "jinclude.h"
#include "jpeglib.h"
#include "jerror.h"
@@ -107,11 +106,11 @@
if (cinfo->src == NULL) { /* first time for this JPEG object? */
cinfo->src = (struct jpeg_source_mgr *)
(*cinfo->mem->alloc_small) ((j_common_ptr) cinfo,
- JPOOL_PERMANENT, SIZEOF(stream_source_mgr));
+ JPOOL_PERMANENT, sizeof(stream_source_mgr));
src = (stream_src_ptr) cinfo->src;
src->buffer = (JOCTET *)
(*cinfo->mem->alloc_small) ((j_common_ptr) cinfo,
- JPOOL_PERMANENT, INPUT_BUF_SIZE * SIZEOF(JOCTET));
+ JPOOL_PERMANENT, INPUT_BUF_SIZE * sizeof(JOCTET));
}
src = (stream_src_ptr) cinfo->src;

View File

@ -0,0 +1,148 @@
# HG changeset patch
# User sgehwolf
# Date 1525714161 -3600
# Mon May 07 18:29:21 2018 +0100
# Node ID afb31413c73cbc06420fdb447aa90a7a38258904
# Parent bcbc64dfb629c5f188bbf59b8f986ad95963ed60
8143245, PR3548: Zero build requires disabled warnings
Reviewed-by: dholmes, coleenp
diff --git openjdk.orig/hotspot/make/linux/makefiles/zeroshark.make openjdk/hotspot/make/linux/makefiles/zeroshark.make
--- openjdk.orig/hotspot/make/linux/makefiles/zeroshark.make
+++ openjdk/hotspot/make/linux/makefiles/zeroshark.make
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
# Copyright 2007, 2008 Red Hat, Inc.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
@@ -29,12 +29,7 @@
ifeq ($(JVM_VARIANT_ZEROSHARK), true)
WARNING_FLAGS += -Wno-undef
endif
-# Suppress some warning flags that are normally turned on for hotspot,
-# because some of the zero code has not been updated accordingly.
-WARNING_FLAGS += -Wno-return-type \
- -Wno-format-nonliteral -Wno-format-security \
- -Wno-maybe-uninitialized
-
+
# If FDLIBM_CFLAGS is non-empty it holds CFLAGS needed to be passed to
# the compiler so as to be able to produce optimized objects
diff --git openjdk.orig/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp
--- openjdk.orig/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp
+++ openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp
@@ -102,7 +102,7 @@
return result;
default:
ShouldNotReachHere();
- return result; // silence compiler warnings
+ return NULL_WORD; // silence compiler warnings
}
}
diff --git openjdk.orig/hotspot/src/cpu/zero/vm/interpreterRT_zero.cpp openjdk/hotspot/src/cpu/zero/vm/interpreterRT_zero.cpp
--- openjdk.orig/hotspot/src/cpu/zero/vm/interpreterRT_zero.cpp
+++ openjdk/hotspot/src/cpu/zero/vm/interpreterRT_zero.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright 2007, 2008, 2010 Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@@ -62,7 +62,7 @@
}
void InterpreterRuntime::SignatureHandlerGeneratorBase::push(BasicType type) {
- ffi_type *ftype;
+ ffi_type *ftype = NULL;
switch (type) {
case T_VOID:
ftype = &ffi_type_void;
diff --git openjdk.orig/hotspot/src/os_cpu/linux_zero/vm/os_linux_zero.cpp openjdk/hotspot/src/os_cpu/linux_zero/vm/os_linux_zero.cpp
--- openjdk.orig/hotspot/src/os_cpu/linux_zero/vm/os_linux_zero.cpp
+++ openjdk/hotspot/src/os_cpu/linux_zero/vm/os_linux_zero.cpp
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2007, 2008, 2009, 2010 Red Hat, Inc.
+ * Copyright 2016 Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -61,6 +61,7 @@
frame os::get_sender_for_C_frame(frame* fr) {
ShouldNotCallThis();
+ return frame(NULL, NULL); // silence compile warning.
}
frame os::current_frame() {
@@ -98,16 +99,19 @@
address os::Linux::ucontext_get_pc(ucontext_t* uc) {
ShouldNotCallThis();
+ return NULL; // silence compile warnings
}
ExtendedPC os::fetch_frame_from_context(void* ucVoid,
intptr_t** ret_sp,
intptr_t** ret_fp) {
ShouldNotCallThis();
+ return NULL; // silence compile warnings
}
frame os::fetch_frame_from_context(void* ucVoid) {
ShouldNotCallThis();
+ return frame(NULL, NULL); // silence compile warnings
}
extern "C" JNIEXPORT int
@@ -247,11 +251,16 @@
}
#endif // !PRODUCT
- const char *fmt = "caught unhandled signal %d";
char buf[64];
- sprintf(buf, fmt, sig);
+ sprintf(buf, "caught unhandled signal %d", sig);
+
+// Silence -Wformat-security warning for fatal()
+PRAGMA_DIAG_PUSH
+PRAGMA_FORMAT_NONLITERAL_IGNORED
fatal(buf);
+PRAGMA_DIAG_POP
+ return true; // silence compiler warnings
}
void os::Linux::init_thread_fpu_state(void) {
@@ -260,6 +269,7 @@
int os::Linux::get_fpu_control_word() {
ShouldNotCallThis();
+ return -1; // silence compile warnings
}
void os::Linux::set_fpu_control_word(int fpu) {
diff --git openjdk.orig/hotspot/src/os_cpu/linux_zero/vm/thread_linux_zero.hpp openjdk/hotspot/src/os_cpu/linux_zero/vm/thread_linux_zero.hpp
--- openjdk.orig/hotspot/src/os_cpu/linux_zero/vm/thread_linux_zero.hpp
+++ openjdk/hotspot/src/os_cpu/linux_zero/vm/thread_linux_zero.hpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright 2007, 2008, 2009, 2010 Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@@ -110,6 +110,7 @@
void* ucontext,
bool isInJava) {
ShouldNotCallThis();
+ return false; // silence compile warning
}
bool pd_get_top_frame_for_profiling(frame* fr_addr,

View File

@ -0,0 +1,125 @@
# HG changeset patch
# User mbalao
# Date 1529971845 -28800
# Tue Jun 26 08:10:45 2018 +0800
# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc
# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff
8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
Reviewed-by: valeriep, weijun
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
@@ -197,7 +197,7 @@
if (configDir != null) {
String configDirPath = null;
- String sqlPrefix = "sql:/";
+ String sqlPrefix = "sql:";
if (!configDir.startsWith(sqlPrefix)) {
configDirPath = configDir;
} else {
diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
--- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
+++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
@@ -69,9 +69,14 @@
int res = 0;
FPTR_Initialize initialize =
(FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize");
+ #ifdef SECMOD_DEBUG
+ FPTR_GetError getError =
+ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError");
+ #endif // SECMOD_DEBUG
unsigned int flags = 0x00;
const char *configDir = NULL;
const char *functionName = NULL;
+ const char *configFile = NULL;
/* If we cannot initialize, exit now */
if (initialize == NULL) {
@@ -97,13 +102,18 @@
flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag
}
+ configFile = "secmod.db";
+ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) {
+ configFile = "pkcs11.txt";
+ }
+
/*
* If the NSS_Init function is requested then call NSS_Initialize to
* open the Cert, Key and Security Module databases, read only.
*/
if (strcmp("NSS_Init", functionName) == 0) {
flags = flags | 0x01; // NSS_INIT_READONLY flag
- res = initialize(configDir, "", "", "secmod.db", flags);
+ res = initialize(configDir, "", "", configFile, flags);
/*
* If the NSS_InitReadWrite function is requested then call
@@ -111,7 +121,7 @@
* read/write.
*/
} else if (strcmp("NSS_InitReadWrite", functionName) == 0) {
- res = initialize(configDir, "", "", "secmod.db", flags);
+ res = initialize(configDir, "", "", configFile, flags);
/*
* If the NSS_NoDB_Init function is requested then call
@@ -137,6 +147,13 @@
(*env)->ReleaseStringUTFChars(env, jConfigDir, configDir);
}
dprintf1("-res: %d\n", res);
+ #ifdef SECMOD_DEBUG
+ if (res == -1) {
+ if (getError != NULL) {
+ dprintf1("-NSS error: %d\n", getError());
+ }
+ }
+ #endif // SECMOD_DEBUG
return (res == 0) ? JNI_TRUE : JNI_FALSE;
}
diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
--- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
+++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
@@ -34,6 +34,10 @@
const char *certPrefix, const char *keyPrefix,
const char *secmodName, unsigned int flags);
+#ifdef SECMOD_DEBUG
+typedef int (*FPTR_GetError)(void);
+#endif //SECMOD_DEBUG
+
// in secmod.h
//extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
// PRBool recurse);
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
new file mode 100644
--- /dev/null
+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
@@ -0,0 +1,4 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
--- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java
+++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
@@ -55,7 +55,7 @@
DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb";
if (useSqlite) {
- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR);
+ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR);
} else {
System.setProperty("pkcs11test.nss.db", DBDIR);
}
@@ -67,6 +67,7 @@
if (useSqlite) {
copyFile("key4.db", BASE, DBDIR);
copyFile("cert9.db", BASE, DBDIR);
+ copyFile("pkcs11.txt", BASE, DBDIR);
} else {
copyFile("secmod.db", BASE, DBDIR);
copyFile("key3.db", BASE, DBDIR);

View File

@ -0,0 +1,58 @@
# HG changeset patch
# User andrew
# Date 1526122977 -3600
# Sat May 12 12:02:57 2018 +0100
# Node ID 00ccc73498628a51a45301322e64ce2ad06e49be
# Parent aecf9f48f7b5c6148b62713a6b746301435b57cc
PR3533: HotSpot generates code with unaligned stack, crashes on SSE operations
Summary: Enable -mstackrealign on x86 Linux as well as x86 Mac OS X
diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/flags.m4
--- openjdk.orig///common/autoconf/flags.m4
+++ openjdk///common/autoconf/flags.m4
@@ -402,6 +402,21 @@
AC_SUBST($2CXXSTD_CXXFLAG)
fi
+ #
+ # NOTE: check for -mstackrealign needs to be below potential addition of -m32
+ #
+ if test "x$OPENJDK_TARGET_CPU" = xx86 && test "x$OPENJDK_TARGET_OS" = xmacosx -o \
+ "x$OPENJDK_TARGET_OS" = xlinux; then
+ # On 32-bit MacOSX the OS requires C-entry points to be 16 byte aligned.
+ # While waiting for a better solution, the current workaround is to use -mstackrealign
+ # This is also required on Linux systems which use libraries compiled with SSE instructions
+ REALIGN_CFLAG="-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
+ FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [],
+ AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.])
+ )
+ AC_SUBST([REALIGN_CFLAG])
+ fi
+
if test "x$CFLAGS" != "x${ADDED_CFLAGS}"; then
AC_MSG_WARN([Ignoring CFLAGS($CFLAGS) found in environment. Use --with-extra-cflags])
fi
diff --git openjdk.orig///common/autoconf/hotspot-spec.gmk.in openjdk///common/autoconf/hotspot-spec.gmk.in
--- openjdk.orig///common/autoconf/hotspot-spec.gmk.in
+++ openjdk///common/autoconf/hotspot-spec.gmk.in
@@ -112,7 +112,8 @@
RC:=@HOTSPOT_RC@
EXTRA_CFLAGS=@LEGACY_EXTRA_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
+ $(REALIGN_CFLAG)
EXTRA_CXXFLAGS=@LEGACY_EXTRA_CXXFLAGS@
EXTRA_LDFLAGS=@LEGACY_EXTRA_LDFLAGS@
EXTRA_ASFLAGS=@LEGACY_EXTRA_ASFLAGS@
diff --git openjdk.orig///common/autoconf/spec.gmk.in openjdk///common/autoconf/spec.gmk.in
--- openjdk.orig///common/autoconf/spec.gmk.in
+++ openjdk///common/autoconf/spec.gmk.in
@@ -366,6 +366,7 @@
NO_DELETE_NULL_POINTER_CHECKS_CFLAG=@NO_DELETE_NULL_POINTER_CHECKS_CFLAG@
NO_LIFETIME_DSE_CFLAG=@NO_LIFETIME_DSE_CFLAG@
+REALIGN_CFLAG=@REALIGN_CFLAG@
CXXSTD_CXXFLAG=@CXXSTD_CXXFLAG@
CXX:=@FIXPATH@ @CCACHE@ @CXX@

View File

@ -0,0 +1,20 @@
# HG changeset patch
# User andrew
# Date 1526489197 -3600
# Wed May 16 17:46:37 2018 +0100
# Node ID 64e87a408afd2b56d59dad73dee28d4b99463810
# Parent 00ccc73498628a51a45301322e64ce2ad06e49be
PR3591: Fix for bug 3533 doesn't add -mstackrealign to JDK code
diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/flags.m4
--- openjdk.orig///common/autoconf/flags.m4
+++ openjdk///common/autoconf/flags.m4
@@ -401,6 +401,8 @@
FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [],
AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.])
)
+ CFLAGS_JDK="${CFLAGS_JDK} ${REALIGN_CFLAG}"
+ CXXFLAGS_JDK="${CXXFLAGS_JDK} ${REALIGN_CFLAG}"
AC_SUBST([REALIGN_CFLAG])
fi

View File

@ -0,0 +1,328 @@
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -2689,7 +2689,7 @@
if (ResizeOldPLAB && CMSOldPLABResizeQuicker) {
size_t multiple = _num_blocks[word_sz]/(CMSOldPLABToleranceFactor*CMSOldPLABNumRefills*n_blks);
n_blks += CMSOldPLABReactivityFactor*multiple*n_blks;
- n_blks = MIN2(n_blks, CMSOldPLABMax);
+ n_blks = MIN2(n_blks, (size_t)CMSOldPLABMax);
}
assert(n_blks > 0, "Error");
_cfls->par_get_chunk_of_blocks(word_sz, n_blks, fl);
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -961,7 +961,7 @@
if (free_percentage < desired_free_percentage) {
size_t desired_capacity = (size_t)(used() / ((double) 1 - desired_free_percentage));
assert(desired_capacity >= capacity(), "invalid expansion size");
- size_t expand_bytes = MAX2(desired_capacity - capacity(), MinHeapDeltaBytes);
+ size_t expand_bytes = MAX2(desired_capacity - capacity(), (size_t)MinHeapDeltaBytes);
if (PrintGCDetails && Verbose) {
size_t desired_capacity = (size_t)(used() / ((double) 1 - desired_free_percentage));
gclog_or_tty->print_cr("\nFrom compute_new_size: ");
@@ -6591,7 +6591,7 @@
HeapWord* curAddr = _markBitMap.startWord();
while (curAddr < _markBitMap.endWord()) {
size_t remaining = pointer_delta(_markBitMap.endWord(), curAddr);
- MemRegion chunk(curAddr, MIN2(CMSBitMapYieldQuantum, remaining));
+ MemRegion chunk(curAddr, MIN2((size_t)CMSBitMapYieldQuantum, remaining));
_markBitMap.clear_large_range(chunk);
if (ConcurrentMarkSweepThread::should_yield() &&
!foregroundGCIsActive() &&
@@ -6889,7 +6889,7 @@
return;
}
// Double capacity if possible
- size_t new_capacity = MIN2(_capacity*2, MarkStackSizeMax);
+ size_t new_capacity = MIN2(_capacity*2, (size_t)MarkStackSizeMax);
// Do not give up existing stack until we have managed to
// get the double capacity that we desired.
ReservedSpace rs(ReservedSpace::allocation_align_size_up(
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/concurrentMark.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -3916,7 +3916,7 @@
// of things to do) or totally (at the very end).
size_t target_size;
if (partially) {
- target_size = MIN2((size_t)_task_queue->max_elems()/3, GCDrainStackTargetSize);
+ target_size = MIN2((size_t)_task_queue->max_elems()/3, (size_t)GCDrainStackTargetSize);
} else {
target_size = 0;
}
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1BiasedArray.hpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp Tue Sep 08 22:20:44 2020 -0400
@@ -78,7 +78,8 @@
size_t num_target_elems = pointer_delta(end, bottom, mapping_granularity_in_bytes);
idx_t bias = (uintptr_t)bottom / mapping_granularity_in_bytes;
address base = create_new_base_array(num_target_elems, target_elem_size_in_bytes);
- initialize_base(base, num_target_elems, bias, target_elem_size_in_bytes, log2_intptr(mapping_granularity_in_bytes));
+ initialize_base(base, num_target_elems, bias, target_elem_size_in_bytes,
+ log2_intptr((uintptr_t)mapping_granularity_in_bytes));
}
size_t bias() const { return _bias; }
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -1729,7 +1729,7 @@
verify_region_sets_optional();
- size_t expand_bytes = MAX2(word_size * HeapWordSize, MinHeapDeltaBytes);
+ size_t expand_bytes = MAX2(word_size * HeapWordSize, (size_t)MinHeapDeltaBytes);
ergo_verbose1(ErgoHeapSizing,
"attempt heap expansion",
ergo_format_reason("allocation request failed")
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -41,7 +41,7 @@
}
size_t G1CMObjArrayProcessor::process_array_slice(objArrayOop obj, HeapWord* start_from, size_t remaining) {
- size_t words_to_scan = MIN2(remaining, ObjArrayMarkingStride);
+ size_t words_to_scan = MIN2(remaining, (size_t)ObjArrayMarkingStride);
if (remaining > ObjArrayMarkingStride) {
push_array_slice(start_from + ObjArrayMarkingStride);
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.hpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.hpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.hpp Tue Sep 08 22:20:44 2020 -0400
@@ -89,7 +89,7 @@
void pretouch_internal(size_t start_page, size_t end_page);
// Returns the index of the page which contains the given address.
- uintptr_t addr_to_page_index(char* addr) const;
+ size_t addr_to_page_index(char* addr) const;
// Returns the address of the given page index.
char* page_start(size_t index) const;
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -38,7 +38,7 @@
_cancel(false),
_empty(true),
_dropped(0) {
- _nqueues = MAX2(ParallelGCThreads, (size_t)1);
+ _nqueues = MAX2(ParallelGCThreads, (uintx)1);
_queues = NEW_C_HEAP_ARRAY(G1StringDedupWorkerQueue, _nqueues, mtGC);
for (size_t i = 0; i < _nqueues; i++) {
new (_queues + i) G1StringDedupWorkerQueue(G1StringDedupWorkerQueue::default_segment_size(), _max_cache_size, _max_size);
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -120,7 +120,7 @@
};
G1StringDedupEntryCache::G1StringDedupEntryCache(size_t max_size) :
- _nlists(MAX2(ParallelGCThreads, (size_t)1)),
+ _nlists(MAX2(ParallelGCThreads, (uintx)1)),
_max_list_length(0),
_cached(PaddedArray<G1StringDedupEntryList, mtGC>::create_unfreeable((uint)_nlists)),
_overflowed(PaddedArray<G1StringDedupEntryList, mtGC>::create_unfreeable((uint)_nlists)) {
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/heapRegion.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -110,7 +110,7 @@
if (FLAG_IS_DEFAULT(G1HeapRegionSize)) {
size_t average_heap_size = (initial_heap_size + max_heap_size) / 2;
region_size = MAX2(average_heap_size / HeapRegionBounds::target_number(),
- (uintx) HeapRegionBounds::min_size());
+ HeapRegionBounds::min_size());
}
int region_size_log = log2_long((jlong) region_size);
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/parNew/parNewGeneration.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -194,7 +194,7 @@
const size_t num_overflow_elems = of_stack->size();
const size_t space_available = queue->max_elems() - queue->size();
const size_t num_take_elems = MIN3(space_available / 4,
- ParGCDesiredObjsFromOverflowList,
+ (size_t)ParGCDesiredObjsFromOverflowList,
num_overflow_elems);
// Transfer the most recent num_take_elems from the overflow
// stack to our work queue.
diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -912,7 +912,7 @@
void PSParallelCompact::initialize_dead_wood_limiter()
{
- const size_t max = 100;
+ const uintx max = 100;
_dwl_mean = double(MIN2(ParallelOldDeadWoodLimiterMean, max)) / 100.0;
_dwl_std_dev = double(MIN2(ParallelOldDeadWoodLimiterStdDev, max)) / 100.0;
_dwl_first_term = 1.0 / (sqrt(2.0 * M_PI) * _dwl_std_dev);
diff -r 4689eaf1a5c9 src/share/vm/memory/collectorPolicy.cpp
--- openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/memory/collectorPolicy.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -385,7 +385,7 @@
uintx calculated_size = NewSize + OldSize;
double shrink_factor = (double) MaxHeapSize / calculated_size;
uintx smaller_new_size = align_size_down((uintx)(NewSize * shrink_factor), _gen_alignment);
- FLAG_SET_ERGO(uintx, NewSize, MAX2(young_gen_size_lower_bound(), smaller_new_size));
+ FLAG_SET_ERGO(uintx, NewSize, MAX2((uintx)young_gen_size_lower_bound(), smaller_new_size));
_initial_gen0_size = NewSize;
// OldSize is already aligned because above we aligned MaxHeapSize to
@@ -433,7 +433,7 @@
// yield a size that is too small) and bound it by MaxNewSize above.
// Ergonomics plays here by previously calculating the desired
// NewSize and MaxNewSize.
- max_new_size = MIN2(MAX2(max_new_size, NewSize), MaxNewSize);
+ max_new_size = MIN2(MAX2(max_new_size, (size_t)NewSize), (size_t)MaxNewSize);
}
assert(max_new_size > 0, "All paths should set max_new_size");
@@ -455,23 +455,25 @@
// lower limit.
_min_gen0_size = NewSize;
desired_new_size = NewSize;
- max_new_size = MAX2(max_new_size, NewSize);
+ max_new_size = MAX2(max_new_size, (size_t)NewSize);
} else if (FLAG_IS_ERGO(NewSize)) {
// If NewSize is set ergonomically, we should use it as a lower
// limit, but use NewRatio to calculate the initial size.
_min_gen0_size = NewSize;
desired_new_size =
- MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size), NewSize);
- max_new_size = MAX2(max_new_size, NewSize);
+ MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size), (size_t)NewSize);
+ max_new_size = MAX2(max_new_size, (size_t)NewSize);
} else {
// For the case where NewSize is the default, use NewRatio
// to size the minimum and initial generation sizes.
// Use the default NewSize as the floor for these values. If
// NewRatio is overly large, the resulting sizes can be too
// small.
- _min_gen0_size = MAX2(scale_by_NewRatio_aligned(_min_heap_byte_size), NewSize);
+ _min_gen0_size = MAX2(scale_by_NewRatio_aligned(_min_heap_byte_size),
+ (size_t)NewSize);
desired_new_size =
- MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size), NewSize);
+ MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size),
+ (size_t)NewSize);
}
assert(_min_gen0_size > 0, "Sanity check");
@@ -573,7 +575,7 @@
} else {
// It's been explicitly set on the command line. Use the
// OldSize and then determine the consequences.
- _min_gen1_size = MIN2(OldSize, _min_heap_byte_size - _min_gen0_size);
+ _min_gen1_size = MIN2((size_t)OldSize, _min_heap_byte_size - _min_gen0_size);
_initial_gen1_size = OldSize;
// If the user has explicitly set an OldSize that is inconsistent
diff -r 4689eaf1a5c9 src/share/vm/memory/metaspace.cpp
--- openjdk.orig/hotspot/src/share/vm/memory/metaspace.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/memory/metaspace.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -1482,7 +1482,7 @@
void MetaspaceGC::post_initialize() {
// Reset the high-water mark once the VM initialization is done.
- _capacity_until_GC = MAX2(MetaspaceAux::committed_bytes(), MetaspaceSize);
+ _capacity_until_GC = MAX2(MetaspaceAux::committed_bytes(), (size_t)MetaspaceSize);
}
bool MetaspaceGC::can_expand(size_t word_size, bool is_class) {
@@ -1542,7 +1542,7 @@
(size_t)MIN2(min_tmp, double(MaxMetaspaceSize));
// Don't shrink less than the initial generation size
minimum_desired_capacity = MAX2(minimum_desired_capacity,
- MetaspaceSize);
+ (size_t)MetaspaceSize);
if (PrintGCDetails && Verbose) {
gclog_or_tty->print_cr("\nMetaspaceGC::compute_new_size: ");
@@ -1600,7 +1600,7 @@
const double max_tmp = used_after_gc / minimum_used_percentage;
size_t maximum_desired_capacity = (size_t)MIN2(max_tmp, double(MaxMetaspaceSize));
maximum_desired_capacity = MAX2(maximum_desired_capacity,
- MetaspaceSize);
+ (size_t)MetaspaceSize);
if (PrintGCDetails && Verbose) {
gclog_or_tty->print_cr(" "
" maximum_free_percentage: %6.2f"
@@ -3320,7 +3320,7 @@
// Make the first class chunk bigger than a medium chunk so it's not put
// on the medium chunk list. The next chunk will be small and progress
// from there. This size calculated by -version.
- _first_class_chunk_word_size = MIN2((size_t)MediumChunk*6,
+ _first_class_chunk_word_size = MIN2((uintx)MediumChunk*6,
(CompressedClassSpaceSize/BytesPerWord)*2);
_first_class_chunk_word_size = align_word_size_up(_first_class_chunk_word_size);
// Arbitrarily set the initial virtual space to a multiple
diff -r 4689eaf1a5c9 src/share/vm/oops/objArrayKlass.inline.hpp
--- openjdk.orig/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp Tue Sep 08 22:20:44 2020 -0400
@@ -48,7 +48,7 @@
const size_t beg_index = size_t(index);
assert(beg_index < len || len == 0, "index too large");
- const size_t stride = MIN2(len - beg_index, ObjArrayMarkingStride);
+ const size_t stride = MIN2(len - beg_index, (size_t)ObjArrayMarkingStride);
const size_t end_index = beg_index + stride;
T* const base = (T*)a->base();
T* const beg = base + beg_index;
@@ -82,7 +82,7 @@
const size_t beg_index = size_t(index);
assert(beg_index < len || len == 0, "index too large");
- const size_t stride = MIN2(len - beg_index, ObjArrayMarkingStride);
+ const size_t stride = MIN2(len - beg_index, (size_t)ObjArrayMarkingStride);
const size_t end_index = beg_index + stride;
T* const base = (T*)a->base();
T* const beg = base + beg_index;
diff -r 4689eaf1a5c9 src/share/vm/runtime/arguments.cpp
--- openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/runtime/arguments.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -1301,7 +1301,7 @@
// NewSize was set on the command line and it is larger than
// preferred_max_new_size.
if (!FLAG_IS_DEFAULT(NewSize)) { // NewSize explicitly set at command-line
- FLAG_SET_ERGO(uintx, MaxNewSize, MAX2(NewSize, preferred_max_new_size));
+ FLAG_SET_ERGO(uintx, MaxNewSize, MAX2((size_t)NewSize, preferred_max_new_size));
} else {
FLAG_SET_ERGO(uintx, MaxNewSize, preferred_max_new_size);
}
@@ -1326,8 +1326,8 @@
// Unless explicitly requested otherwise, make young gen
// at least min_new, and at most preferred_max_new_size.
if (FLAG_IS_DEFAULT(NewSize)) {
- FLAG_SET_ERGO(uintx, NewSize, MAX2(NewSize, min_new));
- FLAG_SET_ERGO(uintx, NewSize, MIN2(preferred_max_new_size, NewSize));
+ FLAG_SET_ERGO(uintx, NewSize, MAX2((size_t)NewSize, min_new));
+ FLAG_SET_ERGO(uintx, NewSize, MIN2(preferred_max_new_size, (size_t)NewSize));
if (PrintGCDetails && Verbose) {
// Too early to use gclog_or_tty
tty->print_cr("CMS ergo set NewSize: " SIZE_FORMAT, NewSize);
@@ -1337,7 +1337,7 @@
// so it's NewRatio x of NewSize.
if (FLAG_IS_DEFAULT(OldSize)) {
if (max_heap > NewSize) {
- FLAG_SET_ERGO(uintx, OldSize, MIN2(NewRatio*NewSize, max_heap - NewSize));
+ FLAG_SET_ERGO(uintx, OldSize, MIN2((size_t)(NewRatio*NewSize), max_heap - NewSize));
if (PrintGCDetails && Verbose) {
// Too early to use gclog_or_tty
tty->print_cr("CMS ergo set OldSize: " SIZE_FORMAT, OldSize);
diff -r 4689eaf1a5c9 src/share/vm/runtime/os.cpp
--- openjdk.orig/hotspot/src/share/vm/runtime/os.cpp Mon Aug 31 07:09:56 2020 +0100
+++ openjdk/hotspot/src/share/vm/runtime/os.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -1272,7 +1272,7 @@
}
void os::set_memory_serialize_page(address page) {
- int count = log2_intptr(sizeof(class JavaThread)) - log2_int(64);
+ int count = log2_intptr((uintptr_t)sizeof(class JavaThread)) - log2_int(64);
_mem_serialize_page = (volatile int32_t *)page;
// We initialize the serialization page shift count here
// We assume a cache line size of 64 bytes

View File

@ -0,0 +1,12 @@
diff --git openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
--- openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp
+++ openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
@@ -878,7 +878,7 @@
// open the file
int result;
- RESTARTABLE(::open(filename, oflags), result);
+ RESTARTABLE(::open(filename, oflags, 0), result);
if (result == OS_ERR) {
if (errno == ENOENT) {
THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),

View File

@ -0,0 +1,13 @@
diff --git openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
--- openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
+++ openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
@@ -493,9 +493,6 @@
assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + extra_stack_entries
+ 1), "bad stack limit");
}
-#ifndef SHARK
- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
-#endif // !SHARK
}
// Verify linkages.
interpreterState l = istate;

View File

@ -0,0 +1,26 @@
diff --git openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
index cf4becb7db..4ab2ac0a31 100644
--- openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
@@ -189,6 +189,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
ctx = getLdapCtxFromUrl(
r.getDomainName(), url, new LdapURL(u), env);
return ctx;
+ } catch (AuthenticationException e) {
+ // do not retry on a different endpoint to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
// try the next element
lastException = e;
@@ -241,6 +245,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
for (String u : urls) {
try {
return getUsingURL(u, env);
+ } catch (AuthenticationException e) {
+ // do not retry on a different URL to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
ex = e;
}

View File

@ -0,0 +1,67 @@
# HG changeset patch
# User Andrew John Hughes <gnu_andrew@member.fsf.org>
# Date 1620365804 -3600
# Fri May 07 06:36:44 2021 +0100
# Node ID 39b62f35eca823b4c9a98bc1dc0cb9acb87360f8
# Parent 723b59ed1afe878c5cd35f080399c8ceec4f776b
PR3836: Extra compiler flags not passed to adlc build
diff --git openjdk.orig/hotspot/make/aix/makefiles/adlc.make openjdk/hotspot/make/aix/makefiles/adlc.make
--- openjdk.orig/hotspot/make/aix/makefiles/adlc.make
+++ openjdk/hotspot/make/aix/makefiles/adlc.make
@@ -69,6 +69,11 @@
CFLAGS_WARN = -w
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
OBJECTNAMES = \
adlparse.o \
archDesc.o \
diff --git openjdk.orig/hotspot/make/bsd/makefiles/adlc.make openjdk/hotspot/make/bsd/makefiles/adlc.make
--- openjdk.orig/hotspot/make/bsd/makefiles/adlc.make
+++ openjdk/hotspot/make/bsd/makefiles/adlc.make
@@ -71,6 +71,11 @@
endif
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
OBJECTNAMES = \
adlparse.o \
archDesc.o \
diff --git openjdk.orig/hotspot/make/linux/makefiles/adlc.make openjdk/hotspot/make/linux/makefiles/adlc.make
--- openjdk.orig/hotspot/make/linux/makefiles/adlc.make
+++ openjdk/hotspot/make/linux/makefiles/adlc.make
@@ -69,6 +69,11 @@
CFLAGS_WARN = $(WARNINGS_ARE_ERRORS)
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
OBJECTNAMES = \
adlparse.o \
archDesc.o \
diff --git openjdk.orig/hotspot/make/solaris/makefiles/adlc.make openjdk/hotspot/make/solaris/makefiles/adlc.make
--- openjdk.orig/hotspot/make/solaris/makefiles/adlc.make
+++ openjdk/hotspot/make/solaris/makefiles/adlc.make
@@ -85,6 +85,10 @@
endif
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
ifeq ("${Platform_compiler}", "sparcWorks")
# Enable the following CFLAGS addition if you need to compare the
# built ELF objects.

5
SOURCES/nss.cfg.in Normal file
View File

@ -0,0 +1,5 @@
name = NSS
nssLibraryDirectory = @NSS_LIBDIR@
nssDbMode = noDb
attributes = compatibility
handleStartupErrors = ignoreMultipleInitialisation

6
SOURCES/nss.fips.cfg.in Normal file
View File

@ -0,0 +1,6 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

View File

@ -0,0 +1,10 @@
[Desktop Entry]
Name=OpenJDK @JAVA_VER@ for @target_cpu@ Policy Tool (@OPENJDK_VER@)
Comment=Manage OpenJDK policy files
Exec=_JREBINDIR_/policytool
Icon=java-@JAVA_VER@-@JAVA_VENDOR@
Terminal=false
Type=Application
StartupWMClass=sun-security-tools-PolicyTool
Categories=Settings;Java;
Version=1.0

View File

@ -0,0 +1,302 @@
# HG changeset patch
# User mikael
# Date 1426870964 25200
# Fri Mar 20 10:02:44 2015 -0700
# Node ID ee13ce369705a700b867f8c77423580b7b22cc13
# Parent 7847ccfb240b35ed0dd328f0404b713b20e0905a
8074839: Resolve disabled warnings for libunpack and the unpack200 binary
Reviewed-by: dholmes, ksrini
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
@@ -63,7 +63,7 @@
bytes res;
res.ptr = ptr + beg;
res.len = end - beg;
- assert(res.len == 0 || inBounds(res.ptr) && inBounds(res.limit()-1));
+ assert(res.len == 0 || (inBounds(res.ptr) && inBounds(res.limit()-1)));
return res;
}
// building C strings inside byte buffers:
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
@@ -292,7 +292,7 @@
if (uPtr->aborting()) {
THROW_IOE(uPtr->get_abort_message());
- return false;
+ return null;
}
// We have fetched all the files.
@@ -310,7 +310,7 @@
JNIEXPORT jlong JNICALL
Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
unpacker* uPtr = get_unpacker(env, pObj, false);
- CHECK_EXCEPTION_RETURN_VALUE(uPtr, NULL);
+ CHECK_EXCEPTION_RETURN_VALUE(uPtr, 0);
size_t consumed = uPtr->input_consumed();
free_unpacker(env, pObj, uPtr);
return consumed;
@@ -320,6 +320,7 @@
Java_com_sun_java_util_jar_pack_NativeUnpack_setOption(JNIEnv *env, jobject pObj,
jstring pProp, jstring pValue) {
unpacker* uPtr = get_unpacker(env, pObj);
+ CHECK_EXCEPTION_RETURN_VALUE(uPtr, false);
const char* prop = env->GetStringUTFChars(pProp, JNI_FALSE);
CHECK_EXCEPTION_RETURN_VALUE(prop, false);
const char* value = env->GetStringUTFChars(pValue, JNI_FALSE);
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
@@ -142,31 +142,28 @@
return progname;
}
-static const char* usage_lines[] = {
- "Usage: %s [-opt... | --option=value]... x.pack[.gz] y.jar\n",
- "\n",
- "Unpacking Options\n",
- " -H{h}, --deflate-hint={h} override transmitted deflate hint: true, false, or keep (default)\n",
- " -r, --remove-pack-file remove input file after unpacking\n",
- " -v, --verbose increase program verbosity\n",
- " -q, --quiet set verbosity to lowest level\n",
- " -l{F}, --log-file={F} output to the given log file, or '-' for standard output (default)\n",
- " -?, -h, --help print this message\n",
- " -V, --version print program version\n",
- " -J{X} Java VM argument (ignored)\n",
- null
-};
+#define USAGE_HEADER "Usage: %s [-opt... | --option=value]... x.pack[.gz] y.jar\n"
+#define USAGE_OPTIONS \
+ "\n" \
+ "Unpacking Options\n" \
+ " -H{h}, --deflate-hint={h} override transmitted deflate hint: true, false, or keep (default)\n" \
+ " -r, --remove-pack-file remove input file after unpacking\n" \
+ " -v, --verbose increase program verbosity\n" \
+ " -q, --quiet set verbosity to lowest level\n" \
+ " -l{F}, --log-file={F} output to the given log file, or '-' for standard output (default)\n" \
+ " -?, -h, --help print this message\n" \
+ " -V, --version print program version\n" \
+ " -J{X} Java VM argument (ignored)\n"
static void usage(unpacker* u, const char* progname, bool full = false) {
// WinMain does not set argv[0] to the progrname
progname = (progname != null) ? nbasename(progname) : "unpack200";
- for (int i = 0; usage_lines[i] != null; i++) {
- fprintf(u->errstrm, usage_lines[i], progname);
- if (!full) {
- fprintf(u->errstrm,
- "(For more information, run %s --help .)\n", progname);
- break;
- }
+
+ fprintf(u->errstrm, USAGE_HEADER, progname);
+ if (full) {
+ fprintf(u->errstrm, USAGE_OPTIONS);
+ } else {
+ fprintf(u->errstrm, "(For more information, run %s --help .)\n", progname);
}
}
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
@@ -222,9 +222,9 @@
}
#ifdef PRODUCT
- char* string() { return 0; }
+ const char* string() { return NULL; }
#else
- char* string(); // see far below
+ const char* string(); // see far below
#endif
};
@@ -715,13 +715,13 @@
// Now we can size the whole archive.
// Read everything else into a mega-buffer.
rp = hdr.rp;
- int header_size_0 = (int)(rp - input.base()); // used-up header (4byte + 3int)
- int header_size_1 = (int)(rplimit - rp); // buffered unused initial fragment
- int header_size = header_size_0+header_size_1;
+ size_t header_size_0 = (rp - input.base()); // used-up header (4byte + 3int)
+ size_t header_size_1 = (rplimit - rp); // buffered unused initial fragment
+ size_t header_size = header_size_0 + header_size_1;
unsized_bytes_read = header_size_0;
CHECK;
if (foreign_buf) {
- if (archive_size > (size_t)header_size_1) {
+ if (archive_size > header_size_1) {
abort("EOF reading fixed input buffer");
return;
}
@@ -735,7 +735,7 @@
return;
}
input.set(U_NEW(byte, add_size(header_size_0, archive_size, C_SLOP)),
- (size_t) header_size_0 + archive_size);
+ header_size_0 + archive_size);
CHECK;
assert(input.limit()[0] == 0);
// Move all the bytes we read initially into the real buffer.
@@ -958,13 +958,13 @@
nentries = next_entry;
// place a limit on future CP growth:
- int generous = 0;
+ size_t generous = 0;
generous = add_size(generous, u->ic_count); // implicit name
generous = add_size(generous, u->ic_count); // outer
generous = add_size(generous, u->ic_count); // outer.utf8
generous = add_size(generous, 40); // WKUs, misc
generous = add_size(generous, u->class_count); // implicit SourceFile strings
- maxentries = add_size(nentries, generous);
+ maxentries = (uint)add_size(nentries, generous);
// Note that this CP does not include "empty" entries
// for longs and doubles. Those are introduced when
@@ -982,8 +982,9 @@
}
// Initialize *all* our entries once
- for (int i = 0 ; i < maxentries ; i++)
+ for (uint i = 0 ; i < maxentries ; i++) {
entries[i].outputIndex = REQUESTED_NONE;
+ }
initGroupIndexes();
// Initialize hashTab to a generous power-of-two size.
@@ -3677,21 +3678,22 @@
unpacker* debug_u;
-static bytes& getbuf(int len) { // for debugging only!
+static bytes& getbuf(size_t len) { // for debugging only!
static int bn = 0;
static bytes bufs[8];
bytes& buf = bufs[bn++ & 7];
- while ((int)buf.len < len+10)
+ while (buf.len < len + 10) {
buf.realloc(buf.len ? buf.len * 2 : 1000);
+ }
buf.ptr[0] = 0; // for the sake of strcat
return buf;
}
-char* entry::string() {
+const char* entry::string() {
bytes buf;
switch (tag) {
case CONSTANT_None:
- return (char*)"<empty>";
+ return "<empty>";
case CONSTANT_Signature:
if (value.b.ptr == null)
return ref(0)->string();
@@ -3711,26 +3713,28 @@
break;
default:
if (nrefs == 0) {
- buf = getbuf(20);
- sprintf((char*)buf.ptr, TAG_NAME[tag]);
+ return TAG_NAME[tag];
} else if (nrefs == 1) {
return refs[0]->string();
} else {
- char* s1 = refs[0]->string();
- char* s2 = refs[1]->string();
- buf = getbuf((int)strlen(s1) + 1 + (int)strlen(s2) + 4 + 1);
+ const char* s1 = refs[0]->string();
+ const char* s2 = refs[1]->string();
+ buf = getbuf(strlen(s1) + 1 + strlen(s2) + 4 + 1);
buf.strcat(s1).strcat(" ").strcat(s2);
if (nrefs > 2) buf.strcat(" ...");
}
}
- return (char*)buf.ptr;
+ return (const char*)buf.ptr;
}
void print_cp_entry(int i) {
entry& e = debug_u->cp.entries[i];
- char buf[30];
- sprintf(buf, ((uint)e.tag < CONSTANT_Limit)? TAG_NAME[e.tag]: "%d", e.tag);
- printf(" %d\t%s %s\n", i, buf, e.string());
+
+ if ((uint)e.tag < CONSTANT_Limit) {
+ printf(" %d\t%s %s\n", i, TAG_NAME[e.tag], e.string());
+ } else {
+ printf(" %d\t%d %s\n", i, e.tag, e.string());
+ }
}
void print_cp_entries(int beg, int end) {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
@@ -209,7 +209,7 @@
byte* rp; // read pointer (< rplimit <= input.limit())
byte* rplimit; // how much of the input block has been read?
julong bytes_read;
- int unsized_bytes_read;
+ size_t unsized_bytes_read;
// callback to read at least one byte, up to available input
typedef jlong (*read_input_fn_t)(unpacker* self, void* buf, jlong minlen, jlong maxlen);
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
@@ -81,7 +81,7 @@
int assert_failed(const char* p) {
char message[1<<12];
sprintf(message, "@assert failed: %s\n", p);
- fprintf(stdout, 1+message);
+ fprintf(stdout, "%s", 1+message);
breakpoint();
unpack_abort(message);
return 0;
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
@@ -84,7 +84,7 @@
}
// Write data to the ZIP output stream.
-void jar::write_data(void* buff, int len) {
+void jar::write_data(void* buff, size_t len) {
while (len > 0) {
int rc = (int)fwrite(buff, 1, len, jarfp);
if (rc <= 0) {
@@ -323,12 +323,12 @@
// Total number of disks (int)
header64[36] = (ushort)SWAP_BYTES(1);
header64[37] = 0;
- write_data(header64, (int)sizeof(header64));
+ write_data(header64, sizeof(header64));
}
// Write the End of Central Directory structure.
PRINTCR((2, "end-of-directory at %d\n", output_file_offset));
- write_data(header, (int)sizeof(header));
+ write_data(header, sizeof(header));
PRINTCR((2, "writing zip comment\n"));
// Write the comment.
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
@@ -68,8 +68,8 @@
}
// Private Methods
- void write_data(void* ptr, int len);
- void write_data(bytes& b) { write_data(b.ptr, (int)b.len); }
+ void write_data(void* ptr, size_t len);
+ void write_data(bytes& b) { write_data(b.ptr, b.len); }
void add_to_jar_directory(const char* fname, bool store, int modtime,
int len, int clen, uLong crc);
void write_jar_header(const char* fname, bool store, int modtime,

View File

@ -0,0 +1,74 @@
# HG changeset patch
# User andrew
# Date 1352129932 0
# Node ID e9c857dcb964dbfa5eef3a3590244cb4d999cf7a
# Parent 1406789608b76d0906881979335d685855f44190
Allow multiple PKCS11 library initialisation to be a non-critical error.
diff -r 1406789608b7 -r e9c857dcb964 src/share/classes/sun/security/pkcs11/Config.java
--- jdk8/jdk/src/share/classes/sun/security/pkcs11/Config.java Tue Oct 30 13:05:14 2012 +0000
+++ jdk8/jdk/src/share/classes/sun/security/pkcs11/Config.java Mon Nov 05 15:38:52 2012 +0000
@@ -52,6 +52,7 @@
static final int ERR_HALT = 1;
static final int ERR_IGNORE_ALL = 2;
static final int ERR_IGNORE_LIB = 3;
+ static final int ERR_IGNORE_MULTI_INIT = 4;
// same as allowSingleThreadedModules but controlled via a system property
// and applied to all providers. if set to false, no SunPKCS11 instances
@@ -980,6 +981,8 @@
handleStartupErrors = ERR_IGNORE_LIB;
} else if (val.equals("halt")) {
handleStartupErrors = ERR_HALT;
+ } else if (val.equals("ignoreMultipleInitialisation")) {
+ handleStartupErrors = ERR_IGNORE_MULTI_INIT;
} else {
throw excToken("Invalid value for handleStartupErrors:");
}
diff -r 1406789608b7 -r e9c857dcb964 src/share/classes/sun/security/pkcs11/SunPKCS11.java
--- jdk8/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java Tue Oct 30 13:05:14 2012 +0000
+++ jdk8/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java Mon Nov 05 15:38:52 2012 +0000
@@ -168,26 +168,37 @@
String nssLibraryDirectory = config.getNssLibraryDirectory();
String nssSecmodDirectory = config.getNssSecmodDirectory();
boolean nssOptimizeSpace = config.getNssOptimizeSpace();
+ int errorHandling = config.getHandleStartupErrors();
if (secmod.isInitialized()) {
if (nssSecmodDirectory != null) {
String s = secmod.getConfigDir();
if ((s != null) &&
(s.equals(nssSecmodDirectory) == false)) {
- throw new ProviderException("Secmod directory "
- + nssSecmodDirectory
- + " invalid, NSS already initialized with "
- + s);
+ String msg = "Secmod directory " + nssSecmodDirectory
+ + " invalid, NSS already initialized with " + s;
+ if (errorHandling == Config.ERR_IGNORE_MULTI_INIT ||
+ errorHandling == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException(msg);
+ } else {
+ throw new ProviderException(msg);
+ }
}
}
if (nssLibraryDirectory != null) {
String s = secmod.getLibDir();
if ((s != null) &&
(s.equals(nssLibraryDirectory) == false)) {
- throw new ProviderException("NSS library directory "
+ String msg = "NSS library directory "
+ nssLibraryDirectory
+ " invalid, NSS already initialized with "
- + s);
+ + s;
+ if (errorHandling == Config.ERR_IGNORE_MULTI_INIT ||
+ errorHandling == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException(msg);
+ } else {
+ throw new ProviderException(msg);
+ }
}
}
} else {

View File

@ -0,0 +1,63 @@
# HG changeset patch
# User andrew
# Date 1459487045 -3600
# Fri Apr 01 06:04:05 2016 +0100
# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b
# Parent 6b81fd2227d14226f2121f2d51b464536925686e
PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
PR3575: System cacerts database handling should not affect jssecacerts
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
@@ -72,7 +72,7 @@
* The preference of the default trusted KeyStore is:
* javax.net.ssl.trustStore
* jssecacerts
- * cacerts
+ * cacerts (system and local)
*/
private static final class TrustStoreDescriptor {
private static final String fileSep = File.separator;
@@ -83,6 +83,10 @@
defaultStorePath + fileSep + "cacerts";
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";
+ /* Check system cacerts DB: /etc/pki/java/cacerts */
+ private static final String systemStore =
+ fileSep + "etc" + fileSep + "pki" +
+ fileSep + "java" + fileSep + "cacerts";
// the trust store name
private final String storeName;
@@ -146,7 +150,8 @@
long temporaryTime = 0L;
if (!"NONE".equals(storePropName)) {
String[] fileNames =
- new String[] {storePropName, defaultStore};
+ new String[] {storePropName,
+ systemStore, defaultStore};
for (String fileName : fileNames) {
File f = new File(fileName);
if (f.isFile() && f.canRead()) {
diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
--- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
@@ -108,9 +108,14 @@
throws Exception
{
String sep = File.separator;
- File file = new File(System.getProperty("java.home") + sep
- + "lib" + sep + "security" + sep
- + "cacerts");
+ /* Check system cacerts DB first; /etc/pki/java/cacerts */
+ File file = new File(sep + "etc" + sep + "pki" + sep
+ + "java" + sep + "cacerts");
+ if (!file.exists()) {
+ file = new File(System.getProperty("java.home") + sep
+ + "lib" + sep + "security" + sep
+ + "cacerts");
+ }
if (!file.exists()) {
return null;
}

View File

@ -0,0 +1,140 @@
# HG changeset patch
# User andrew
# Date 1464316115 -3600
# Fri May 27 03:28:35 2016 +0100
# Node ID 794541fbbdc323f7da8a5cee75611f977eee66ee
# Parent 0be28a33e12dfc9ae1e4be381530643f691d351a
PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings
Summary: Add -systemlineendings option to keytool to allow system line endings to be used again.
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java openjdk/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java
@@ -35,6 +35,7 @@
import java.util.Base64;
+import sun.security.action.GetPropertyAction;
import sun.security.util.*;
import sun.security.x509.AlgorithmId;
import sun.security.x509.X509Key;
@@ -74,6 +75,14 @@
* @author Hemma Prafullchandra
*/
public class PKCS10 {
+
+ private static final byte[] sysLineEndings;
+
+ static {
+ sysLineEndings =
+ AccessController.doPrivileged(new GetPropertyAction("line.separator")).getBytes();
+ }
+
/**
* Constructs an unsigned PKCS #10 certificate request. Before this
* request may be used, it must be encoded and signed. Then it
@@ -303,13 +312,39 @@
*/
public void print(PrintStream out)
throws IOException, SignatureException {
+ print(out, false);
+ }
+
+ /**
+ * Prints an E-Mailable version of the certificate request on the print
+ * stream passed. The format is a common base64 encoded one, supported
+ * by most Certificate Authorities because Netscape web servers have
+ * used this for some time. Some certificate authorities expect some
+ * more information, in particular contact information for the web
+ * server administrator.
+ *
+ * @param out the print stream where the certificate request
+ * will be printed.
+ * @param systemLineEndings true if the request should be terminated
+ * using the system line endings.
+ * @exception IOException when an output operation failed
+ * @exception SignatureException when the certificate request was
+ * not yet signed.
+ */
+ public void print(PrintStream out, boolean systemLineEndings)
+ throws IOException, SignatureException {
+ byte[] lineEndings;
+
if (encoded == null)
throw new SignatureException("Cert request was not signed");
+ if (systemLineEndings)
+ lineEndings = sysLineEndings;
+ else
+ lineEndings = new byte[] {'\r', '\n'}; // CRLF
- byte[] CRLF = new byte[] {'\r', '\n'};
out.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
- out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(encoded));
+ out.println(Base64.getMimeEncoder(64, lineEndings).encodeToString(encoded));
out.println("-----END NEW CERTIFICATE REQUEST-----");
}
diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Main.java openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java
--- openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Main.java
+++ openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java
@@ -126,6 +126,7 @@
private String infilename = null;
private String outfilename = null;
private String srcksfname = null;
+ private boolean systemLineEndings = false;
// User-specified providers are added before any command is called.
// However, they are not removed before the end of the main() method.
@@ -188,7 +189,7 @@
CERTREQ("Generates.a.certificate.request",
ALIAS, SIGALG, FILEOUT, KEYPASS, KEYSTORE, DNAME,
STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
- PROVIDERARG, PROVIDERPATH, V, PROTECTED),
+ PROVIDERARG, PROVIDERPATH, SYSTEMLINEENDINGS, V, PROTECTED),
CHANGEALIAS("Changes.an.entry.s.alias",
ALIAS, DESTALIAS, KEYPASS, KEYSTORE, STOREPASS,
STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
@@ -321,6 +322,7 @@
STARTDATE("startdate", "<startdate>", "certificate.validity.start.date.time"),
STOREPASS("storepass", "<arg>", "keystore.password"),
STORETYPE("storetype", "<storetype>", "keystore.type"),
+ SYSTEMLINEENDINGS("systemlineendings", null, "system.line.endings"),
TRUSTCACERTS("trustcacerts", null, "trust.certificates.from.cacerts"),
V("v", null, "verbose.output"),
VALIDITY("validity", "<valDays>", "validity.number.of.days");
@@ -561,6 +563,8 @@
protectedPath = true;
} else if (collator.compare(flags, "-srcprotected") == 0) {
srcprotectedPath = true;
+ } else if (collator.compare(flags, "-systemlineendings") == 0) {
+ systemLineEndings = true;
} else {
System.err.println(rb.getString("Illegal.option.") + flags);
tinyHelp();
@@ -1464,7 +1468,7 @@
// Sign the request and base-64 encode it
request.encodeAndSign(subject, signature);
- request.print(out);
+ request.print(out, systemLineEndings);
checkWeak(rb.getString("the.generated.certificate.request"), request);
}
@@ -4544,4 +4548,3 @@
return new Pair<>(a,b);
}
}
-
diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Resources.java openjdk/jdk/src/share/classes/sun/security/tools/keytool/Resources.java
--- openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Resources.java
+++ openjdk/jdk/src/share/classes/sun/security/tools/keytool/Resources.java
@@ -168,6 +168,8 @@
"keystore password"}, //-storepass
{"keystore.type",
"keystore type"}, //-storetype
+ {"system.line.endings",
+ "use system line endings rather than CRLF to terminate output"}, //-systemlineendings
{"trust.certificates.from.cacerts",
"trust certificates from cacerts"}, //-trustcacerts
{"verbose.output",

View File

@ -0,0 +1,164 @@
# HG changeset patch
# User andrew
# Date 1467652889 -3600
# Mon Jul 04 18:21:29 2016 +0100
# Node ID a4541d1d8609cadb08d3e31b40b9184ff32dd6c3
# Parent bc6eab2038c603afb2eb2b4644f3b900c8fd0c46
PR3083, RH1346460: Regression in SSL debug output without an ECC provider
Summary: Return null rather than throwing an exception when there's no ECC provider.
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ec/ECKeyPairGenerator.java openjdk/jdk/src/share/classes/sun/security/ec/ECKeyPairGenerator.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ec/ECKeyPairGenerator.java
+++ openjdk/jdk/src/share/classes/sun/security/ec/ECKeyPairGenerator.java
@@ -121,7 +121,7 @@
private static void ensureCurveIsSupported(ECParameterSpec ecSpec)
throws InvalidAlgorithmParameterException {
- AlgorithmParameters ecParams = ECUtil.getECParameters(null);
+ AlgorithmParameters ecParams = ECUtil.getECParameters(null, true);
byte[] encodedParams;
try {
ecParams.init(ecSpec);
diff --git openjdk.orig/jdk/src/share/classes/sun/security/util/Debug.java openjdk/jdk/src/share/classes/sun/security/util/Debug.java
--- openjdk.orig/jdk/src/share/classes/sun/security/util/Debug.java
+++ openjdk/jdk/src/share/classes/sun/security/util/Debug.java
@@ -73,6 +73,7 @@
System.err.println("certpath PKIX CertPathBuilder and");
System.err.println(" CertPathValidator debugging");
System.err.println("combiner SubjectDomainCombiner debugging");
+ System.err.println("ecc Elliptic Curve Cryptography debugging");
System.err.println("gssloginconfig");
System.err.println(" GSS LoginConfigImpl debugging");
System.err.println("configfile JAAS ConfigFile loading");
diff --git openjdk.orig/jdk/src/share/classes/sun/security/util/ECUtil.java openjdk/jdk/src/share/classes/sun/security/util/ECUtil.java
--- openjdk.orig/jdk/src/share/classes/sun/security/util/ECUtil.java
+++ openjdk/jdk/src/share/classes/sun/security/util/ECUtil.java
@@ -41,6 +41,9 @@
public final class ECUtil {
+ /* Are we debugging ? */
+ private static final Debug debug = Debug.getInstance("ecc");
+
// Used by SunPKCS11 and SunJSSE.
public static ECPoint decodePoint(byte[] data, EllipticCurve curve)
throws IOException {
@@ -90,6 +93,10 @@
}
public static AlgorithmParameters getECParameters(Provider p) {
+ return getECParameters(p, false);
+ }
+
+ public static AlgorithmParameters getECParameters(Provider p, boolean throwException) {
try {
if (p != null) {
return AlgorithmParameters.getInstance("EC", p);
@@ -97,13 +104,21 @@
return AlgorithmParameters.getInstance("EC");
} catch (NoSuchAlgorithmException nsae) {
- throw new RuntimeException(nsae);
+ if (throwException) {
+ throw new RuntimeException(nsae);
+ } else {
+ // ECC provider is optional so just return null
+ if (debug != null) {
+ debug.println("Provider unavailable: " + nsae);
+ }
+ return null;
+ }
}
}
public static byte[] encodeECParameterSpec(Provider p,
ECParameterSpec spec) {
- AlgorithmParameters parameters = getECParameters(p);
+ AlgorithmParameters parameters = getECParameters(p, true);
try {
parameters.init(spec);
@@ -122,11 +137,16 @@
public static ECParameterSpec getECParameterSpec(Provider p,
ECParameterSpec spec) {
AlgorithmParameters parameters = getECParameters(p);
+ if (parameters == null)
+ return null;
try {
parameters.init(spec);
return parameters.getParameterSpec(ECParameterSpec.class);
} catch (InvalidParameterSpecException ipse) {
+ if (debug != null) {
+ debug.println("Invalid parameter specification: " + ipse);
+ }
return null;
}
}
@@ -135,34 +155,49 @@
byte[] params)
throws IOException {
AlgorithmParameters parameters = getECParameters(p);
+ if (parameters == null)
+ return null;
parameters.init(params);
try {
return parameters.getParameterSpec(ECParameterSpec.class);
} catch (InvalidParameterSpecException ipse) {
+ if (debug != null) {
+ debug.println("Invalid parameter specification: " + ipse);
+ }
return null;
}
}
public static ECParameterSpec getECParameterSpec(Provider p, String name) {
AlgorithmParameters parameters = getECParameters(p);
+ if (parameters == null)
+ return null;
try {
parameters.init(new ECGenParameterSpec(name));
return parameters.getParameterSpec(ECParameterSpec.class);
} catch (InvalidParameterSpecException ipse) {
+ if (debug != null) {
+ debug.println("Invalid parameter specification: " + ipse);
+ }
return null;
}
}
public static ECParameterSpec getECParameterSpec(Provider p, int keySize) {
AlgorithmParameters parameters = getECParameters(p);
+ if (parameters == null)
+ return null;
try {
parameters.init(new ECKeySizeParameterSpec(keySize));
return parameters.getParameterSpec(ECParameterSpec.class);
} catch (InvalidParameterSpecException ipse) {
+ if (debug != null) {
+ debug.println("Invalid parameter specification: " + ipse);
+ }
return null;
}
@@ -171,11 +206,16 @@
public static String getCurveName(Provider p, ECParameterSpec spec) {
ECGenParameterSpec nameSpec;
AlgorithmParameters parameters = getECParameters(p);
+ if (parameters == null)
+ return null;
try {
parameters.init(spec);
nameSpec = parameters.getParameterSpec(ECGenParameterSpec.class);
} catch (InvalidParameterSpecException ipse) {
+ if (debug != null) {
+ debug.println("Invalid parameter specification: " + ipse);
+ }
return null;
}

View File

@ -0,0 +1,158 @@
# HG changeset patch
# User andrew
# Date 1478057514 0
# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
PR3183: Support Fedora/RHEL system crypto policy
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/classes/java/security/Security.java
--- openjdk/jdk/src/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
@@ -43,6 +43,9 @@
* implementation-specific location, which is typically the properties file
* {@code lib/security/java.security} in the Java installation directory.
*
+ * <p>Additional default values of security properties are read from a
+ * system-specific location, if available.</p>
+ *
* @author Benjamin Renaud
*/
@@ -52,6 +55,10 @@
private static final Debug sdebug =
Debug.getInstance("properties");
+ /* System property file*/
+ private static final String SYSTEM_PROPERTIES =
+ "/etc/crypto-policies/back-ends/java.config";
+
/* The java.security properties */
private static Properties props;
@@ -93,6 +100,7 @@
if (sdebug != null) {
sdebug.println("reading security properties file: " +
propFile);
+ sdebug.println(props.toString());
}
} catch (IOException e) {
if (sdebug != null) {
@@ -114,6 +122,31 @@
}
if ("true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-aix
--- openjdk/jdk/src/share/lib/security/java.security-aix Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-aix Wed Nov 02 03:31:54 2016 +0000
@@ -276,6 +276,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=false
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-linux
--- openjdk/jdk/src/share/lib/security/java.security-linux Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-linux Wed Nov 02 03:31:54 2016 +0000
@@ -276,6 +276,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=true
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-macosx
--- openjdk/jdk/src/share/lib/security/java.security-macosx Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-macosx Wed Nov 02 03:31:54 2016 +0000
@@ -279,6 +279,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=false
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-solaris
--- openjdk/jdk/src/share/lib/security/java.security-solaris Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-solaris Wed Nov 02 03:31:54 2016 +0000
@@ -278,6 +278,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=false
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-windows
--- openjdk/jdk/src/share/lib/security/java.security-windows Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-windows Wed Nov 02 03:31:54 2016 +0000
@@ -279,6 +279,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=false
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#

View File

@ -0,0 +1,166 @@
diff --git openjdk.orig/hotspot/src/share/vm/asm/codeBuffer.cpp openjdk/hotspot/src/share/vm/asm/codeBuffer.cpp
--- openjdk.orig/hotspot/src/share/vm/asm/codeBuffer.cpp
+++ openjdk/hotspot/src/share/vm/asm/codeBuffer.cpp
@@ -977,7 +977,7 @@
for (int n = (int) CodeBuffer::SECT_FIRST; n < (int) CodeBuffer::SECT_LIMIT; n++) {
CodeSection* sect = code_section(n);
if (!sect->is_allocated() || sect->is_empty()) continue;
- xtty->print_cr("<sect index='%d' size='" SIZE_FORMAT "' free='" SIZE_FORMAT "'/>",
+ xtty->print_cr("<sect index='%d' size='" INTX_FORMAT "' free='" INTX_FORMAT "'/>",
n, sect->limit() - sect->start(), sect->limit() - sect->end());
}
xtty->print_cr("</blob>");
diff --git openjdk.orig/hotspot/src/share/vm/code/codeCache.cpp openjdk/hotspot/src/share/vm/code/codeCache.cpp
--- openjdk.orig/hotspot/src/share/vm/code/codeCache.cpp
+++ openjdk/hotspot/src/share/vm/code/codeCache.cpp
@@ -192,7 +192,7 @@
}
if (PrintCodeCacheExtension) {
ResourceMark rm;
- tty->print_cr("code cache extended to [" INTPTR_FORMAT ", " INTPTR_FORMAT "] (" SSIZE_FORMAT " bytes)",
+ tty->print_cr("code cache extended to [" INTPTR_FORMAT ", " INTPTR_FORMAT "] (" INTX_FORMAT " bytes)",
(intptr_t)_heap->low_boundary(), (intptr_t)_heap->high(),
(address)_heap->high() - (address)_heap->low_boundary());
}
diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp
+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp
@@ -598,7 +598,7 @@
" [Table]\n"
" [Memory Usage: " G1_STRDEDUP_BYTES_FORMAT_NS "]\n"
" [Size: " SIZE_FORMAT ", Min: " SIZE_FORMAT ", Max: " SIZE_FORMAT "]\n"
- " [Entries: " UINTX_FORMAT ", Load: " G1_STRDEDUP_PERCENT_FORMAT_NS ", Cached: " UINTX_FORMAT ", Added: " UINTX_FORMAT ", Removed: " UINTX_FORMAT "]\n"
+ " [Entries: " UINTX_FORMAT ", Load: " G1_STRDEDUP_PERCENT_FORMAT_NS ", Cached: " SIZE_FORMAT ", Added: " UINTX_FORMAT ", Removed: " UINTX_FORMAT "]\n"
" [Resize Count: " UINTX_FORMAT ", Shrink Threshold: " UINTX_FORMAT "(" G1_STRDEDUP_PERCENT_FORMAT_NS "), Grow Threshold: " UINTX_FORMAT "(" G1_STRDEDUP_PERCENT_FORMAT_NS ")]\n"
" [Rehash Count: " UINTX_FORMAT ", Rehash Threshold: " UINTX_FORMAT ", Hash Seed: " UINT64_FORMAT "]\n"
" [Age Threshold: " UINTX_FORMAT "]",
diff --git openjdk.orig/hotspot/src/share/vm/memory/blockOffsetTable.cpp openjdk/hotspot/src/share/vm/memory/blockOffsetTable.cpp
--- openjdk.orig/hotspot/src/share/vm/memory/blockOffsetTable.cpp
+++ openjdk/hotspot/src/share/vm/memory/blockOffsetTable.cpp
@@ -57,7 +57,7 @@
gclog_or_tty->print_cr("BlockOffsetSharedArray::BlockOffsetSharedArray: ");
gclog_or_tty->print_cr(" "
" rs.base(): " INTPTR_FORMAT
- " rs.size(): " INTPTR_FORMAT
+ " rs.size(): " SIZE_FORMAT
" rs end(): " INTPTR_FORMAT,
p2i(rs.base()), rs.size(), p2i(rs.base() + rs.size()));
gclog_or_tty->print_cr(" "
diff --git openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp openjdk/hotspot/src/share/vm/memory/collectorPolicy.cpp
--- openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp
+++ openjdk/hotspot/src/share/vm/memory/collectorPolicy.cpp
@@ -1055,7 +1055,8 @@
size_t expected = msp.scale_by_NewRatio_aligned(initial_heap_size);
assert(msp.initial_gen0_size() == expected, err_msg("%zu != %zu", msp.initial_gen0_size(), expected));
assert(FLAG_IS_ERGO(NewSize) && NewSize == expected,
- err_msg("NewSize should have been set ergonomically to %zu, but was %zu", expected, NewSize));
+ err_msg("NewSize should have been set ergonomically to " SIZE_FORMAT ", but was " UINTX_FORMAT,
+ expected, NewSize));
}
private:
diff --git openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp openjdk/hotspot/src/share/vm/runtime/arguments.cpp
--- openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp
+++ openjdk/hotspot/src/share/vm/runtime/arguments.cpp
@@ -1291,14 +1291,14 @@
}
if (PrintGCDetails && Verbose) {
// Too early to use gclog_or_tty
- tty->print_cr("CMS ergo set MaxNewSize: " SIZE_FORMAT, MaxNewSize);
+ tty->print_cr("CMS ergo set MaxNewSize: " UINTX_FORMAT, MaxNewSize);
}
// Code along this path potentially sets NewSize and OldSize
if (PrintGCDetails && Verbose) {
// Too early to use gclog_or_tty
- tty->print_cr("CMS set min_heap_size: " SIZE_FORMAT
- " initial_heap_size: " SIZE_FORMAT
+ tty->print_cr("CMS set min_heap_size: " UINTX_FORMAT
+ " initial_heap_size: " UINTX_FORMAT
" max_heap: " SIZE_FORMAT,
min_heap_size(), InitialHeapSize, max_heap);
}
@@ -1314,7 +1314,7 @@
FLAG_SET_ERGO(uintx, NewSize, MIN2(preferred_max_new_size, (size_t)NewSize));
if (PrintGCDetails && Verbose) {
// Too early to use gclog_or_tty
- tty->print_cr("CMS ergo set NewSize: " SIZE_FORMAT, NewSize);
+ tty->print_cr("CMS ergo set NewSize: " UINTX_FORMAT, NewSize);
}
}
// Unless explicitly requested otherwise, size old gen
@@ -1324,7 +1324,7 @@
FLAG_SET_ERGO(uintx, OldSize, MIN2((size_t)(NewRatio*NewSize), max_heap - NewSize));
if (PrintGCDetails && Verbose) {
// Too early to use gclog_or_tty
- tty->print_cr("CMS ergo set OldSize: " SIZE_FORMAT, OldSize);
+ tty->print_cr("CMS ergo set OldSize: " UINTX_FORMAT, OldSize);
}
}
}
@@ -2043,7 +2043,7 @@
if (PrintGCDetails && Verbose) {
// Cannot use gclog_or_tty yet.
- tty->print_cr(" Initial heap size " SIZE_FORMAT, (uintx)reasonable_initial);
+ tty->print_cr(" Initial heap size " SIZE_FORMAT, (size_t)reasonable_initial);
}
FLAG_SET_ERGO(uintx, InitialHeapSize, (uintx)reasonable_initial);
}
@@ -2053,7 +2053,7 @@
set_min_heap_size(MIN2((uintx)reasonable_minimum, InitialHeapSize));
if (PrintGCDetails && Verbose) {
// Cannot use gclog_or_tty yet.
- tty->print_cr(" Minimum heap size " SIZE_FORMAT, min_heap_size());
+ tty->print_cr(" Minimum heap size " UINTX_FORMAT, min_heap_size());
}
}
}
diff --git openjdk.orig/hotspot/src/share/vm/utilities/globalDefinitions.hpp openjdk/hotspot/src/share/vm/utilities/globalDefinitions.hpp
--- openjdk.orig/hotspot/src/share/vm/utilities/globalDefinitions.hpp
+++ openjdk/hotspot/src/share/vm/utilities/globalDefinitions.hpp
@@ -1389,12 +1389,21 @@
#define INTPTR_FORMAT_W(width) "%" #width PRIxPTR
+#if defined(S390) && !defined(_LP64)
+#define SSIZE_FORMAT "%z" PRIdPTR
+#define SIZE_FORMAT "%z" PRIuPTR
+#define SIZE_FORMAT_HEX "0x%z" PRIxPTR
+#define SSIZE_FORMAT_W(width) "%" #width "z" PRIdPTR
+#define SIZE_FORMAT_W(width) "%" #width "z" PRIuPTR
+#define SIZE_FORMAT_HEX_W(width) "0x%" #width "z" PRIxPTR
+#else // !S390
#define SSIZE_FORMAT "%" PRIdPTR
#define SIZE_FORMAT "%" PRIuPTR
#define SIZE_FORMAT_HEX "0x%" PRIxPTR
#define SSIZE_FORMAT_W(width) "%" #width PRIdPTR
#define SIZE_FORMAT_W(width) "%" #width PRIuPTR
#define SIZE_FORMAT_HEX_W(width) "0x%" #width PRIxPTR
+#endif // S390
#define INTX_FORMAT "%" PRIdPTR
#define UINTX_FORMAT "%" PRIuPTR
diff --git openjdk.orig/hotspot/src/share/vm/runtime/memprofiler.cpp openjdk/hotspot/src/share/vm/runtime/memprofiler.cpp
--- openjdk.orig/hotspot/src/share/vm/runtime/memprofiler.cpp
+++ openjdk/hotspot/src/share/vm/runtime/memprofiler.cpp
@@ -117,16 +117,16 @@
}
// Print trace line in log
- fprintf(_log_fp, "%6.1f,%5d,%5d," UINTX_FORMAT_W(6) "," UINTX_FORMAT_W(6) ",",
+ fprintf(_log_fp, "%6.1f,%5d,%5d," SIZE_FORMAT_W(6) "," SIZE_FORMAT_W(6) ",",
os::elapsedTime(),
Threads::number_of_threads(),
SystemDictionary::number_of_classes(),
Universe::heap()->used() / K,
Universe::heap()->capacity() / K);
- fprintf(_log_fp, UINTX_FORMAT_W(6) ",", CodeCache::capacity() / K);
+ fprintf(_log_fp, SIZE_FORMAT_W(6) ",", CodeCache::capacity() / K);
- fprintf(_log_fp, UINTX_FORMAT_W(6) "," UINTX_FORMAT_W(6) "," UINTX_FORMAT_W(6) "\n",
+ fprintf(_log_fp, SIZE_FORMAT_W(6) "," SIZE_FORMAT_W(6) "," SIZE_FORMAT_W(6) "\n",
handles_memory_usage / K,
resource_memory_usage / K,
OopMapCache::memory_usage() / K);

View File

@ -0,0 +1,78 @@
# HG changeset patch
# User andrew
# Date 1545198926 0
# Wed Dec 19 05:55:26 2018 +0000
# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
PR3655: Allow use of system crypto policy to be disabled by the user
Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -122,31 +122,6 @@
}
if ("true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
- loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
- }
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
@@ -212,6 +187,33 @@
}
}
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
if (!loadedProps) {
initializeStatic();
if (sdebug != null) {

View File

@ -0,0 +1,44 @@
#!/bin/sh
set -e
# https://bugzilla.redhat.com/show_bug.cgi?id=1142153
M=META-INF/MANIFEST.MF
#P=/usr/lib/jvm/java/jre/lib/security/policy
P=$1/lib/security/policy
ERRORS=0
for type in unlimited limited ; do
for f in local_policy.jar US_export_policy.jar ; do
ORIG=$P/$type/$f
echo "processing $f ($ORIG)"
if [ ! -f $ORIG ]; then
echo "File not found! $ORIG"
let ERRORS=$ERRORS+1
continue
fi
d=`mktemp -d`
NW=$d/$f
pushd $d
jar xf $ORIG
cat $M
# sed -i "s/Created-By.*/Created-By: 1.7.0/g" $M
sed -i "s/Created-By.*/Created-By: $2/g" $M
cat $M
find . -exec touch -t 201401010000 {} +
zip -rX $f *
popd
echo "replacing $ORIG"
touch -t 201401010000 $ORIG
md5sum $ORIG
sha256sum $ORIG
echo "by $NW"
md5sum $NW
sha256sum $NW
touch -t 201401010000 $NW
cp $NW $ORIG
md5sum $ORIG
sha256sum $ORIG
touch -t 201401010000 $ORIG
rm -rfv $d
done
done
exit $ERRORS

View File

@ -0,0 +1,66 @@
diff --git a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
--- openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
@@ -1,5 +1,6 @@
/*
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014 Red Hat Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -61,13 +62,13 @@
private static void checkKeySize(int keysize)
throws InvalidParameterException {
- boolean supported = ((keysize == 2048) || (keysize == 3072) ||
+ boolean supported = ((keysize == 2048) || (keysize == 3072) || (keysize == 4096) ||
((keysize >= 512) && (keysize <= 1024) && ((keysize & 0x3F) == 0)));
if (!supported) {
throw new InvalidParameterException(
"DH key size must be multiple of 64 and range " +
- "from 512 to 1024 (inclusive), or 2048, 3072. " +
+ "from 512 to 1024 (inclusive), or 2048, 3072, 4096. " +
"The specific key size " + keysize + " is not supported");
}
}
diff --git a/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java b/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
--- openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014 Red Hat Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -58,7 +59,7 @@
*/
private enum Sizes {
two56(256), three84(384), five12(512), seven68(768), ten24(1024),
- twenty48(2048);
+ twenty48(2048), forty96(4096);
private final int intSize;
private final BigInteger bigIntValue;
@@ -130,6 +131,19 @@
kp = kpg.generateKeyPair();
checkKeyPair(kp, Sizes.twenty48, Sizes.five12);
+ kpg.initialize(Sizes.forty96.getIntSize());
+ kp = kpg.generateKeyPair();
+ checkKeyPair(kp, Sizes.forty96, Sizes.twenty48);
+
+ publicKey = (DHPublicKey)kp.getPublic();
+ p = publicKey.getParams().getP();
+ g = publicKey.getParams().getG();
+
+ // test w/ all values specified
+ kpg.initialize(new DHParameterSpec(p, g, Sizes.ten24.getIntSize()));
+ kp = kpg.generateKeyPair();
+ checkKeyPair(kp, Sizes.forty96, Sizes.ten24);
+
System.out.println("OK");
}

View File

@ -0,0 +1,12 @@
diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Main.java openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java
--- openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Main.java
+++ openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java
@@ -1004,7 +1004,7 @@
}
} else if (command == GENKEYPAIR) {
if (keyAlgName == null) {
- keyAlgName = "DSA";
+ keyAlgName = "RSA";
}
doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
kssave = true;

View File

@ -0,0 +1,12 @@
diff --git a/src/share/vm/runtime/globals.hpp b/src/share/vm/runtime/globals.hpp
--- openjdk/hotspot/src/share/vm/runtime/globals.hpp
+++ openjdk/hotspot/src/share/vm/runtime/globals.hpp
@@ -530,7 +530,7 @@
lp64_product(intx, ObjectAlignmentInBytes, 8, \
"Default object alignment in bytes, 8 is minimum") \
\
- product(bool, AssumeMP, false, \
+ product(bool, AssumeMP, true, \
"Instruct the VM to assume multiple processors are available") \
\
/* UseMembar is theoretically a temp flag used for memory barrier \

View File

@ -0,0 +1,11 @@
diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
--- openjdk/jdk/src/share/lib/security/java.security-linux Tue May 16 13:29:05 2017 -0700
+++ openjdk/jdk/src/share/lib/security/java.security-linux Tue Jun 06 14:05:12 2017 +0200
@@ -74,6 +74,7 @@
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
+#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# Sun Provider SecureRandom seed source.

View File

@ -0,0 +1,16 @@
diff --git openjdk.orig/jdk/make/lib/Awt2dLibraries.gmk openjdk/jdk/make/lib/Awt2dLibraries.gmk
--- openjdk.orig/jdk/make/lib/Awt2dLibraries.gmk
+++ openjdk/jdk/make/lib/Awt2dLibraries.gmk
@@ -891,6 +891,12 @@
BUILD_LIBFONTMANAGER_ExtensionSubtables.cpp_CXXFLAGS := -fno-strict-aliasing
endif
+# Turn off strict overflow with GCC for IndicRearrangementProcessor.cpp
+ifeq ($(OPENJDK_TARGET_OS), linux)
+ BUILD_LIBFONTMANAGER_IndicRearrangementProcessor.cpp_CXXFLAGS := -fno-strict-overflow
+ BUILD_LIBFONTMANAGER_IndicRearrangementProcessor2.cpp_CXXFLAGS := -fno-strict-overflow
+endif
+
# LDFLAGS clarification:
# Filter relevant linker flags disallowing unresolved symbols as we cannot
# build-time decide to which library to link against (libawt_headless or

View File

@ -0,0 +1,208 @@
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -191,27 +191,7 @@
if (disableSystemProps == null &&
"true".equalsIgnoreCase(props.getProperty
("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
- loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
- }
+ loadedProps = loadedProps && SystemConfigurator.configure(props);
}
if (!loadedProps) {
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import java.nio.file.Files;
+import java.nio.file.FileSystems;
+import java.nio.file.Path;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.function.Consumer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import sun.security.util.Debug;
+
+/**
+ * Internal class to align OpenJDK with global crypto-policies.
+ * Called from java.security.Security class initialization,
+ * during startup.
+ *
+ */
+
+class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+ private static final String CRYPTO_POLICIES_BASE_DIR =
+ "/etc/crypto-policies";
+
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+ private static final class SecurityProviderInfo {
+ int number;
+ String key;
+ String value;
+ SecurityProviderInfo(int number, String key, String value) {
+ this.number = number;
+ this.key = key;
+ this.value = value;
+ }
+ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configure(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
+ loadedProps = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties from " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ e.printStackTrace();
+ }
+ }
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+ loadedProps = false;
+ // Remove all security providers
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+ while (i.hasNext()) {
+ Entry<Object, Object> e = i.next();
+ if (((String) e.getKey()).startsWith("security.provider")) {
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
+ i.remove();
+ }
+ }
+ // Add FIPS security providers
+ String fipsProviderValue = null;
+ for (int n = 1;
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
+ String fipsProviderKey = "security.provider." + n;
+ if (sdebug != null) {
+ sdebug.println("Adding provider " + n + ": " +
+ fipsProviderKey + "=" + fipsProviderValue);
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load FIPS configuration");
+ e.printStackTrace();
+ }
+ }
+ return loadedProps;
+ }
+
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (fipsEnabled) {
+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {
+ return false;
+ }
+ }
+}
diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
--- openjdk.orig/jdk/src/share/lib/security/java.security-linux
+++ openjdk/jdk/src/share/lib/security/java.security-linux
@@ -77,6 +77,14 @@
#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
+# Security providers used when global crypto-policies are set to FIPS.
+#
+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
+fips.provider.2=sun.security.provider.Sun
+fips.provider.3=sun.security.ec.SunEC
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
+
+#
# Sun Provider SecureRandom seed source.
#
# Select the primary source of seed data for the "SHA1PRNG" and

View File

@ -0,0 +1,133 @@
diff --git openjdk.orig/jdk/make/CompileLaunchers.gmk openjdk/jdk/make/CompileLaunchers.gmk
--- openjdk.orig/jdk/make/CompileLaunchers.gmk
+++ openjdk/jdk/make/CompileLaunchers.gmk
@@ -255,6 +255,33 @@
endif
endif
+# -Wno-error=cpp is present to allow commented warning in ifdef part of main.c
+$(eval $(call SetupLauncher,alt-java, \
+ -DEXPAND_CLASSPATH_WILDCARDS -DREDHAT_ALT_JAVA -Wno-error=cpp,,,user32.lib comctl32.lib, \
+ $(JDK_OUTPUTDIR)/objs/jli_static.lib, $(JAVA_RC_FLAGS), \
+ $(JDK_TOPDIR)/src/windows/resource/java.rc, $(JDK_OUTPUTDIR)/objs/java_objs,true))
+
+$(JDK_OUTPUTDIR)/bin$(OUTPUT_SUBDIR)/alt-java$(EXE_SUFFIX): $(BUILD_LAUNCHER_alt-java)
+ $(MKDIR) -p $(@D)
+ $(RM) $@
+ $(CP) $(JDK_OUTPUTDIR)/objs/java_objs$(OUTPUT_SUBDIR)/alt-java$(EXE_SUFFIX) $@
+
+$(JDK_OUTPUTDIR)/bin$(OUTPUT_SUBDIR)/alt-java$(DEBUGINFO_EXT): $(BUILD_LAUNCHER_alt-java)
+ $(MKDIR) -p $(@D)
+ $(RM) $@
+ $(CP) $(JDK_OUTPUTDIR)/objs/java_objs$(OUTPUT_SUBDIR)/alt-java$(DEBUGINFO_EXT) $@
+
+ifeq ($(OPENJDK_TARGET_OS), linux)
+ BUILD_LAUNCHERS += $(JDK_OUTPUTDIR)/bin$(OUTPUT_SUBDIR)/alt-java$(EXE_SUFFIX)
+ ifeq ($(ENABLE_DEBUG_SYMBOLS), true)
+ ifneq ($(POST_STRIP_CMD), )
+ ifneq ($(STRIP_POLICY), no_strip)
+ BUILD_LAUNCHERS += $(JDK_OUTPUTDIR)/bin$(OUTPUT_SUBDIR)/alt-java$(DEBUGINFO_EXT)
+ endif
+ endif
+ endif
+endif
+
ifeq ($(OPENJDK_TARGET_OS), windows)
$(eval $(call SetupLauncher,javaw, \
-DJAVAW -DEXPAND_CLASSPATH_WILDCARDS,,,user32.lib comctl32.lib, \
diff --git openjdk.orig/jdk/src/share/bin/alt_main.h openjdk/jdk/src/share/bin/alt_main.h
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/bin/alt_main.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#ifdef REDHAT_ALT_JAVA
+
+#include <sys/prctl.h>
+
+
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() __attribute__((constructor));
+static void set_speculation() {
+ if ( prctl(PR_SET_SPECULATION_CTRL,
+ PR_SPEC_STORE_BYPASS,
+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ return;
+ }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+}
+
+#endif // REDHAT_ALT_JAVA
diff --git openjdk.orig/jdk/src/share/bin/main.c openjdk/jdk/src/share/bin/main.c
--- openjdk.orig/jdk/src/share/bin/main.c
+++ openjdk/jdk/src/share/bin/main.c
@@ -32,6 +32,14 @@
#include "defines.h"
+#ifdef REDHAT_ALT_JAVA
+#if defined(__linux__) && defined(__x86_64__)
+#include "alt_main.h"
+#else
+#warning alt-java requested but SSB mitigation not available on this platform.
+#endif
+#endif
+
#ifdef _MSC_VER
#if _MSC_VER > 1400 && _MSC_VER < 1600

View File

@ -0,0 +1,52 @@
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
@@ -123,6 +123,33 @@
}
props.put(fipsProviderKey, fipsProviderValue);
}
+ // Add other security properties
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
+ if (keystoreTypeValue != null) {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+ // previous keystore.type under FIPS mode. In
+ // a default configuration, the Trust Store will
+ // be 'cacerts' (JKS type).
+ System.setProperty("javax.net.ssl.trustStoreType",
+ nonFipsKeystoreType);
+ }
+ if (sdebug != null) {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
loadedProps = true;
}
} catch (Exception e) {
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
--- openjdk.orig/jdk/src/share/lib/security/java.security-linux Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/jdk/src/share/lib/security/java.security-linux Mon Mar 02 19:20:17 2020 -0300
@@ -179,6 +179,11 @@
keystore.type=jks
#
+# Default keystore type used when global crypto-policies are set to FIPS.
+#
+fips.keystore.type=PKCS11
+
+#
# Controls compatibility mode for the JKS keystore type.
#
# When set to 'true', the JKS keystore type supports loading

View File

@ -0,0 +1,327 @@
diff -r bbc65dfa59d1 src/share/classes/java/security/SystemConfigurator.java
--- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
@@ -1,11 +1,13 @@
/*
- * Copyright (c) 2019, Red Hat, Inc.
+ * Copyright (c) 2019, 2020, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
@@ -34,10 +36,10 @@
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.function.Consumer;
-import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import sun.misc.SharedSecrets;
+import sun.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
/**
@@ -47,7 +49,7 @@
*
*/
-class SystemConfigurator {
+final class SystemConfigurator {
private static final Debug sdebug =
Debug.getInstance("properties");
@@ -61,15 +63,16 @@
private static final String CRYPTO_POLICIES_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/config";
- private static final class SecurityProviderInfo {
- int number;
- String key;
- String value;
- SecurityProviderInfo(int number, String key, String value) {
- this.number = number;
- this.key = key;
- this.value = value;
- }
+ private static boolean systemFipsEnabled = false;
+
+ static {
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
}
/*
@@ -128,9 +131,9 @@
String nonFipsKeystoreType = props.getProperty("keystore.type");
props.put("keystore.type", keystoreTypeValue);
if (keystoreTypeValue.equals("PKCS11")) {
- // If keystore.type is PKCS11, javax.net.ssl.keyStore
- // must be "NONE". See JDK-8238264.
- System.setProperty("javax.net.ssl.keyStore", "NONE");
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
}
if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
// If no trustStoreType has been set, use the
@@ -144,12 +147,13 @@
sdebug.println("FIPS mode default keystore.type = " +
keystoreTypeValue);
sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
- System.getProperty("javax.net.ssl.keyStore", ""));
+ System.getProperty("javax.net.ssl.keyStore", ""));
sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
System.getProperty("javax.net.ssl.trustStoreType", ""));
}
}
loadedProps = true;
+ systemFipsEnabled = true;
}
} catch (Exception e) {
if (sdebug != null) {
@@ -165,20 +165,37 @@
return loadedProps;
}
+ /**
+ * Returns whether or not global system FIPS alignment is enabled.
+ *
+ * Value is always 'false' before java.security.Security class is
+ * initialized.
+ *
+ * Call from out of this package through SharedSecrets:
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ * .isSystemFipsEnabled();
+ *
+ * @return a boolean value indicating whether or not global
+ * system FIPS alignment is enabled.
+ */
+ static boolean isSystemFipsEnabled() {
+ return systemFipsEnabled;
+ }
+
/*
* FIPS is enabled only if crypto-policies are set to "FIPS"
* and the com.redhat.fips property is true.
*/
private static boolean enableFips() throws Exception {
- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (fipsEnabled) {
- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
- return pattern.matcher(cryptoPoliciesConfig).find();
- } else {
- return false;
- }
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {
+ return false;
+ }
}
}
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.misc;
+
+public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
+}
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
@@ -63,6 +63,7 @@
private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
public static JavaUtilJarAccess javaUtilJarAccess() {
if (javaUtilJarAccess == null) {
@@ -248,4 +249,12 @@
}
return javaxCryptoSealedObjectAccess;
}
+
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
+ javaSecuritySystemConfiguratorAccess = jssca;
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ return javaSecuritySystemConfiguratorAccess;
+ }
}
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -31,6 +31,7 @@
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
+import sun.misc.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
@@ -539,20 +540,38 @@
static {
if (SunJSSE.isFIPS()) {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- );
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
- serverDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ }
} else {
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
@@ -612,6 +631,16 @@
static ProtocolVersion[] getSupportedProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
@@ -939,6 +968,16 @@
static ProtocolVersion[] getProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[]{
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
@@ -30,6 +30,8 @@
import java.security.*;
+import sun.misc.SharedSecrets;
+
/**
* The JSSE provider.
*
@@ -215,8 +217,13 @@
"sun.security.ssl.SSLContextImpl$TLS11Context");
put("SSLContext.TLSv1.2",
"sun.security.ssl.SSLContextImpl$TLS12Context");
- put("SSLContext.TLSv1.3",
- "sun.security.ssl.SSLContextImpl$TLS13Context");
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ put("SSLContext.TLSv1.3",
+ "sun.security.ssl.SSLContextImpl$TLS13Context");
+ }
put("SSLContext.TLS",
"sun.security.ssl.SSLContextImpl$TLSContext");
if (isfips == false) {

View File

@ -0,0 +1,65 @@
# HG changeset patch
# User andrew
# Date 1608219816 0
# Thu Dec 17 15:43:36 2020 +0000
# Node ID db5d1b28bfce04352b3a48960bf836f6eb20804b
# Parent a2cfa397150e99b813354226d536eb8509b5850b
RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -30,6 +30,8 @@
import java.util.concurrent.ConcurrentHashMap;
import java.io.*;
import java.net.URL;
+import sun.misc.SharedSecrets;
+import sun.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
import sun.security.util.PropertyExpander;
@@ -69,6 +71,15 @@
}
static {
+ // Initialise here as used by code with system properties disabled
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
+
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -39,8 +39,6 @@
import java.util.Properties;
import java.util.regex.Pattern;
-import sun.misc.SharedSecrets;
-import sun.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
/**
@@ -66,16 +64,6 @@
private static boolean systemFipsEnabled = false;
- static {
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
- new JavaSecuritySystemConfiguratorAccess() {
- @Override
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
- });
- }
-
/*
* Invoked when java.security.Security class is initialized, if
* java.security.disableSystemPropertiesFile property is not set and

View File

@ -0,0 +1,344 @@
diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk
--- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk
+++ openjdk/jdk/make/lib/SecurityLibraries.gmk
@@ -289,3 +289,34 @@
endif
endif
+
+################################################################################
+# Create the systemconf library
+
+LIBSYSTEMCONF_CFLAGS :=
+LIBSYSTEMCONF_CXXFLAGS :=
+
+ifeq ($(USE_SYSCONF_NSS), true)
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+endif
+
+ifeq ($(OPENJDK_BUILD_OS), linux)
+ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
+ LIBRARY := systemconf, \
+ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
+ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
+ LANG := C, \
+ OPTIMIZATION := LOW, \
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
+ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
+ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
+ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
+ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
+
+ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
+endif
+
diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
new file mode 100644
--- /dev/null
+++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
@@ -0,0 +1,35 @@
+#
+# Copyright (c) 2021, Red Hat, Inc.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# Define public interface.
+
+SUNWprivate_1.1 {
+ global:
+ DEF_JNI_OnLoad;
+ DEF_JNI_OnUnLoad;
+ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
+ local:
+ *;
+};
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, 2020, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@@ -30,14 +30,9 @@
import java.io.FileInputStream;
import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.FileSystems;
-import java.nio.file.Path;
-
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.regex.Pattern;
import sun.security.util.Debug;
@@ -59,10 +54,21 @@
private static final String CRYPTO_POLICIES_JAVA_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
+ private static boolean systemFipsEnabled = false;
+
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
+ private static native boolean getSystemFIPSEnabled()
+ throws IOException;
- private static boolean systemFipsEnabled = false;
+ static {
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
+ return null;
+ }
+ });
+ }
/*
* Invoked when java.security.Security class is initialized, if
@@ -171,17 +177,34 @@
}
/*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
+ * system property is true (default) and the system is in FIPS mode.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
*/
- private static boolean enableFips() throws Exception {
+ private static boolean enableFips() throws IOException {
boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
if (shouldEnable) {
- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
- return pattern.matcher(cryptoPoliciesConfig).find();
+ if (sdebug != null) {
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
+ }
+ try {
+ shouldEnable = getSystemFIPSEnabled();
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
+ + shouldEnable);
+ }
+ return shouldEnable;
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
+ sdebug.println(e.getMessage());
+ }
+ throw e;
+ }
} else {
return false;
}
diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <dlfcn.h>
+#include <jni.h>
+#include <jni_util.h>
+#include <stdio.h>
+
+#ifdef SYSCONF_NSS
+#include <nss3/pk11pub.h>
+#endif //SYSCONF_NSS
+
+#include "java_security_SystemConfigurator.h"
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+#define MSG_MAX_SIZE 96
+
+static jmethodID debugPrintlnMethodID = NULL;
+static jobject debugObj = NULL;
+
+static void throwIOException(JNIEnv *env, const char *msg);
+static void dbgPrint(JNIEnv *env, const char* msg);
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnLoad
+ */
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+ jclass sysConfCls, debugCls;
+ jfieldID sdebugFld;
+
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return JNI_EVERSION; /* JNI version not supported */
+ }
+
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
+ if (sysConfCls == NULL) {
+ printf("libsystemconf: SystemConfigurator class not found\n");
+ return JNI_ERR;
+ }
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
+ "sdebug", "Lsun/security/util/Debug;");
+ if (sdebugFld == NULL) {
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
+ if (debugObj != NULL) {
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
+ if (debugCls == NULL) {
+ printf("libsystemconf: Debug class not found\n");
+ return JNI_ERR;
+ }
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
+ "println", "(Ljava/lang/String;)V");
+ if (debugPrintlnMethodID == NULL) {
+ printf("libsystemconf: Debug::println(String) method not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
+ return (*env)->GetVersion(env);
+}
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnUnload
+ */
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+
+ if (debugObj != NULL) {
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+}
+
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
+ (JNIEnv *env, jclass cls)
+{
+ int fips_enabled;
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+#ifdef SYSCONF_NSS
+
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " SECMOD_GetSystemFIPSEnabled return value");
+ }
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+
+#else // SYSCONF_NSS
+
+ FILE *fe;
+
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " read character");
+ }
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+
+#endif // SYSCONF_NSS
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}

View File

@ -0,0 +1,152 @@
diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac
--- openjdk.orig/common/autoconf/configure.ac
+++ openjdk/common/autoconf/configure.ac
@@ -212,6 +212,7 @@
LIB_SETUP_ALSA
LIB_SETUP_FONTCONFIG
LIB_SETUP_MISC_LIBS
+LIB_SETUP_SYSCONF_LIBS
LIB_SETUP_STATIC_LINK_LIBSTDCPP
LIB_SETUP_ON_WINDOWS
diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
--- openjdk.orig/common/autoconf/libraries.m4
+++ openjdk/common/autoconf/libraries.m4
@@ -1067,3 +1067,63 @@
BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
fi
])
+
+################################################################################
+# Setup system configuration libraries
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
+[
+ ###############################################################################
+ #
+ # Check for the NSS library
+ #
+
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
+
+ # default is not available
+ DEFAULT_SYSCONF_NSS=no
+
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
+ [
+ case "${enableval}" in
+ yes)
+ sysconf_nss=yes
+ ;;
+ *)
+ sysconf_nss=no
+ ;;
+ esac
+ ],
+ [
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
+ ])
+ AC_MSG_RESULT([$sysconf_nss])
+
+ USE_SYSCONF_NSS=false
+ if test "x${sysconf_nss}" = "xyes"; then
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = "xyes"; then
+ AC_MSG_CHECKING([for system FIPS support in NSS])
+ saved_libs="${LIBS}"
+ saved_cflags="${CFLAGS}"
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+ LIBS="${LIBS} ${NSS_LIBS}"
+ AC_LANG_PUSH([C])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
+ [[SECMOD_GetSystemFIPSEnabled()]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
+ AC_LANG_POP([C])
+ CFLAGS="${saved_cflags}"
+ LIBS="${saved_libs}"
+ USE_SYSCONF_NSS=true
+ else
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
+ dnl in nss3/pk11pub.h.
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
+ fi
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in
--- openjdk.orig/common/autoconf/spec.gmk.in
+++ openjdk/common/autoconf/spec.gmk.in
@@ -312,6 +312,10 @@
ALSA_LIBS:=@ALSA_LIBS@
ALSA_CFLAGS:=@ALSA_CFLAGS@
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@
+
PACKAGE_PATH=@PACKAGE_PATH@
# Source file for cacerts
diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl
--- openjdk.orig/common/bin/compare_exceptions.sh.incl
+++ openjdk/common/bin/compare_exceptions.sh.incl
@@ -280,6 +280,7 @@
./jre/lib/i386/libsplashscreen.so
./jre/lib/i386/libsunec.so
./jre/lib/i386/libsunwjdga.so
+./jre/lib/i386/libsystemconf.so
./jre/lib/i386/libt2k.so
./jre/lib/i386/libunpack.so
./jre/lib/i386/libverify.so
@@ -433,6 +434,7 @@
./jre/lib/amd64/libsplashscreen.so
./jre/lib/amd64/libsunec.so
./jre/lib/amd64/libsunwjdga.so
+//jre/lib/amd64/libsystemconf.so
./jre/lib/amd64/libt2k.so
./jre/lib/amd64/libunpack.so
./jre/lib/amd64/libverify.so
@@ -587,6 +589,7 @@
./jre/lib/sparc/libsplashscreen.so
./jre/lib/sparc/libsunec.so
./jre/lib/sparc/libsunwjdga.so
+./jre/lib/sparc/libsystemconf.so
./jre/lib/sparc/libt2k.so
./jre/lib/sparc/libunpack.so
./jre/lib/sparc/libverify.so
@@ -741,6 +744,7 @@
./jre/lib/sparcv9/libsplashscreen.so
./jre/lib/sparcv9/libsunec.so
./jre/lib/sparcv9/libsunwjdga.so
+./jre/lib/sparcv9/libsystemconf.so
./jre/lib/sparcv9/libt2k.so
./jre/lib/sparcv9/libunpack.so
./jre/lib/sparcv9/libverify.so
diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml
--- openjdk.orig/common/nb_native/nbproject/configurations.xml
+++ openjdk/common/nb_native/nbproject/configurations.xml
@@ -53,6 +53,9 @@
<in>jvmtiEnterTrace.cpp</in>
</df>
</df>
+ <df name="libsystemconf">
+ <in>systemconf.c</in>
+ </df>
</df>
</df>
<df name="jdk">
@@ -12772,6 +12775,11 @@
tool="0"
flavor2="0">
</item>
+ <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
+ ex="false"
+ tool="0"
+ flavor2="0">
+ </item>
<item path="../../jdk/src/share/native/java/util/TimeZone.c"
ex="false"
tool="0"

View File

@ -0,0 +1,583 @@
diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -78,6 +78,10 @@
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -149,6 +150,16 @@
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
@@ -176,6 +187,19 @@
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
--- openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,290 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = P11ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -63,6 +66,26 @@
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -314,10 +337,15 @@
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -333,7 +361,7 @@
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -147,16 +148,28 @@
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
@@ -1905,4 +1918,69 @@
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
+}
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
@@ -33,8 +33,13 @@
import javax.net.ssl.*;
+import sun.misc.SharedSecrets;
+
abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
X509ExtendedKeyManager keyManager;
boolean isInitialized;
@@ -62,7 +67,8 @@
KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
if ((ks != null) && SunJSSE.isFIPS()) {
- if (ks.getProvider() != SunJSSE.cryptoProvider) {
+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
+ !plainKeySupportEnabled) {
throw new KeyStoreException("FIPS mode: KeyStore must be "
+ "from provider " + SunJSSE.cryptoProvider.getName());
}
@@ -91,8 +97,8 @@
keyManager = new X509KeyManagerImpl(
Collections.<Builder>emptyList());
} else {
- if (SunJSSE.isFIPS() &&
- (ks.getProvider() != SunJSSE.cryptoProvider)) {
+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
+ && !plainKeySupportEnabled) {
throw new KeyStoreException(
"FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName());

View File

@ -0,0 +1,55 @@
# HG changeset patch
# User mbalao
# Date 1630103180 -3600
# Fri Aug 27 23:26:20 2021 +0100
# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
# Parent c90394a76ee02a689f95199559d5724824b4b25e
RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,8 @@
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
+import sun.misc.SharedSecrets;
+
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
@@ -58,6 +60,9 @@
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -368,6 +373,24 @@
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException

View File

@ -0,0 +1,28 @@
commit 06c2decab204fcce5aca2d285953fcac1820b1ae
Author: Andrew John Hughes <andrew@openjdk.org>
Date: Mon Jan 24 01:23:28 2022 +0000
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
index 40ca609e02..0dafe6f59c 100644
--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
@@ -31,6 +31,7 @@ import java.io.Console;
import java.io.FileDescriptor;
import java.io.ObjectInputStream;
import java.security.ProtectionDomain;
+import java.security.Security;
import java.security.Signature;
import java.security.AccessController;
@@ -255,6 +256,9 @@ public class SharedSecrets {
}
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ if (javaSecuritySystemConfiguratorAccess == null) {
+ unsafe.ensureClassInitialized(Security.class);
+ }
return javaSecuritySystemConfiguratorAccess;
}
}

View File

@ -0,0 +1,24 @@
commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073
Author: Fridrich Strba <fstrba@suse.com>
Date: Mon Jan 24 01:10:57 2022 +0000
RH2021263: Return in C code after having generated Java exception
diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
index 6f4656bfcb..34d0ff0ce9 100644
--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
fips_enabled = fgetc(fe);
fclose(fe);
if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
" read character is '%c'", fips_enabled);

View File

@ -0,0 +1,98 @@
commit aaf92165ad1cbb1c9818eb60178c91293e13b053
Author: Andrew John Hughes <andrew@openjdk.org>
Date: Mon Jan 24 15:13:14 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
index fa494b680f..b5aa5c749d 100644
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -57,10 +57,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -202,13 +198,6 @@ public final class Security {
}
}
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
- loadedProps = loadedProps && SystemConfigurator.configure(props);
- }
-
if (!loadedProps) {
initializeStatic();
if (sdebug != null) {
@@ -217,6 +206,28 @@ public final class Security {
}
}
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
+ }
+ }
+
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+ if (sdebug != null) {
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
+ }
+ }
}
/*
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
index d1f677597d..7da65b1d2c 100644
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {

View File

@ -0,0 +1,220 @@
commit 820d1b1b23be6ea2fd34c687a1be384e7a9830e2
Author: Andrew John Hughes <andrew@openjdk.org>
Date: Mon Feb 28 05:50:10 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
index 34d0ff0ce9..8dcb7d9073 100644
--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
@@ -23,25 +23,99 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
+#define MSG_MAX_SIZE 256
#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-#define MSG_MAX_SIZE 96
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-static void throwIOException(JNIEnv *env, const char *msg);
-static void dbgPrint(JNIEnv *env, const char* msg);
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
+
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
+}
+
+#endif
/*
* Class: java_security_SystemConfigurator
@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-
-#else // SYSCONF_NSS
+ FILE *fe;
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
-}
-
-static void throwIOException(JNIEnv *env, const char *msg)
-{
- jclass cls = (*env)->FindClass(env, "java/io/IOException");
- if (cls != 0)
- (*env)->ThrowNew(env, cls, msg);
-}
-
-static void dbgPrint(JNIEnv *env, const char* msg)
-{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
}

View File

@ -0,0 +1,46 @@
diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp
+++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp
@@ -150,5 +150,5 @@
return value;
}
- return (size_t)1 << (log2_intptr(value) + 1);
+ return (size_t)1 << (log2_intptr((uintptr_t) value) + 1);
}
diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahNumberSeq.cpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahNumberSeq.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahNumberSeq.cpp
+++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahNumberSeq.cpp
@@ -135,7 +135,7 @@
void BinaryMagnitudeSeq::add(size_t val) {
Atomic::add(val, &_sum);
- int mag = log2_intptr(val) + 1;
+ int mag = log2_intptr((uintptr_t)val) + 1;
// Defensively saturate for product bits:
if (mag < 0) {
diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.cpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.cpp
+++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.cpp
@@ -659,7 +659,7 @@
}
size_t ShenandoahHeap::soft_max_capacity() const {
- size_t v = OrderAccess::load_acquire((volatile size_t*)&_soft_max_size);
+ size_t v = OrderAccess::load_acquire((volatile jlong*)&_soft_max_size);
assert(min_capacity() <= v && v <= max_capacity(),
err_msg("Should be in bounds: " SIZE_FORMAT " <= " SIZE_FORMAT " <= " SIZE_FORMAT,
min_capacity(), v, max_capacity()));
diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.hpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.hpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.hpp
+++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.hpp
@@ -155,7 +155,7 @@
private:
size_t _initial_size;
size_t _minimum_size;
- volatile size_t _soft_max_size;
+ volatile jlong _soft_max_size;
shenandoah_padding(0);
volatile jlong _used;
volatile size_t _committed;

File diff suppressed because it is too large Load Diff