import java-1.8.0-openjdk-1.8.0.322.b06-2.el9

CentOS Sources 2022-03-01 05:59:39 -05:00 committed by Stepan Oksanichenko
parent 82f21bfd83
commit e3b0344654
10 changed files with 1126 additions and 156 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b01-4curve.tar.xz
SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz


@ -1,2 +1,2 @@
82ec3762fba3987e1440e069427a7d4be9f367d7 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b01-4curve.tar.xz
c54dd40b6deb5defa8d4d7132d650080d0e300f4 SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
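Review bot: The only integrity record for the new openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz is the 40-hex-digit digest on its line here, which is the length of a SHA-1 digest, and neither this file nor the commit message says where the tarball was fetched from. Consider recording the upstream tag or URL and a SHA-256 digest of the tarball in the commit message, so the imported 8u322-b06 source can be verified independently of this file.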


@ -3,15 +3,171 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 8u322 (2022-01-18):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk8u322
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt
* Security fixes
- JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
- JDK-8268488: More valuable DerValues
- JDK-8268494: Better inlining of inlined interfaces
- JDK-8268512: More content for ContentInfo
- JDK-8268795: Enhance digests of Jar files
- JDK-8268801: Improve PKCS attribute handling
- JDK-8268813, CVE-2022-21283: Better String matching
- JDK-8269151: Better construction of EncryptedPrivateKeyInfo
- JDK-8269944: Better HTTP transport redux
- JDK-8270392, CVE-2022-21293: Improve String constructions
- JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
- JDK-8270492, CVE-2022-21282: Better resolution of URIs
- JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
- JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
- JDK-8271962: Better TrueType font loading
- JDK-8271968: Better canonical naming
- JDK-8271987: Manifest improved manifest entries
- JDK-8272014, CVE-2022-21305: Better array indexing
- JDK-8272026, CVE-2022-21340: Verify Jar Verification
- JDK-8272236, CVE-2022-21341: Improve serial forms for transport
- JDK-8272272: Enhance jcmd communication
- JDK-8272462: Enhance image handling
- JDK-8273290: Enhance sound handling
- JDK-8273748, CVE-2022-21349: Improve Solaris font rendering
- JDK-8273756, CVE-2022-21360: Enhance BMP image support
- JDK-8273838, CVE-2022-21365: Enhanced BMP processing
* Other changes
- JDK-6801613: Cross-platform pageDialog and printDialog top margin entry broken
- JDK-8011541: [TEST_BUG] closed/javax/swing/plaf/metal/MetalUtils/bug6190373.java fails NPE since 7u25b03
- JDK-8025430: [TEST_BUG] javax/swing/JEditorPane/5076514/bug5076514.java failed since jdk8b108
- JDK-8041928: MouseEvent.getModifiersEx gives wrong result
- JDK-8042199: The build of J2DBench via makefile is broken after the JDK-8005402
- JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
- JDK-8048021: Remove @version tag in jaxp repo
- JDK-8049348: compiler/intrinsics/bmi/verifycode tests on lzcnt and tzcnt use incorrect assumption about REXB prefix usage
- JDK-8060027: Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java
- JDK-8066588: javax/management/remote/mandatory/connection/RMIConnector_NPETest.java fails to compile
- JDK-8066652: Default TimeZone is GMT not local if user.timezone is invalid on Mac OS
- JDK-8069034: gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure
- JDK-8077590: windows_i586_6.2-product-c2-runThese8_Xcomp_vm failing after win compiler upgrade
- JDK-8080287: The image of BufferedImage.TYPE_INT_ARGB and BufferedImage.TYPE_INT_ARGB_PRE is blank
- JDK-8140329: [TEST_BUG] test FullScreenAfterSplash.java failed because image was not generated
- JDK-8140472: java/net/ipv6tests/TcpTest.java failed intermittently with java.net.BindException: Address already in use: NET_Bind
- JDK-8147051: StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator
- JDK-8148915: Intermittent failures of bug6400879.java
- JDK-8176837: SunPKCS11 provider needs to check more details on PKCS11 Mechanism
- JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black
- JDK-8177536: Avoid Apple Peer-to-Peer interfaces in networking tests
- JDK-8182036: Load from initializing arraycopy uses wrong memory state
- JDK-8183369: RFC unconformity of HttpURLConnection with proxy
- JDK-8183543: Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check"
- JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll
- JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
- JDK-8190482: InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride
- JDK-8190793: Httpserver does not detect truncated request body
- JDK-8196572: Tests ColConvCCMTest.java and MTColConvTest.java fail
- JDK-8202788: Explicitly reclaim cached thread-local direct buffers at thread exit
- JDK-8210058: Algorithmic Italic font leans opposite angle in Printing
- JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
- JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
- JDK-8225083: Remove Google certificate that is expiring in December 2021
- JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread
- JDK-8231254: (fs) Add test for macOS Catalina changes to protect system software
- JDK-8231438: [macOS] Dark mode for the desktop is not supported
- JDK-8232178: MacVolumesTest failed after upgrade to MacOS Catalina
- JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail
- JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails
- JDK-8236897: Fix the copyright header for pkcs11gcm2.h
- JDK-8237499: JFR: Include stack trace in the ThreadStart event
- JDK-8239886: Minimal VM build fails after JDK-8237499
- JDK-8261397: Try Catch Method Failing to Work When Dividing An Integer By 0
- JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
- JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
- JDK-8273308: PatternMatchTest.java fails on CI
- JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
- JDK-8273826: Correct Manifest file name and NPE checks
- JDK-8273968: JCK javax_xml tests fail in CI
- JDK-8274407: (tz) Update Timezone Data to 2021c
- JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
- JDK-8274468: TimeZoneTest.java fails with tzdata2021b
- JDK-8274595: DisableRMIOverHTTPTest failed: connection refused
- JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
- JDK-8275766: (tz) Update Timezone Data to 2021e
- JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
- JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8271434: Removed IdenTrust Root Certificate
===============================================
The following root certificate from IdenTrust has been removed from
the `cacerts` keystore:
Alias Name: identrustdstx3 [jdk]
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
JDK-8272535: Removed Google's GlobalSign Root Certificate
=========================================================
The following root certificate from Google has been removed from the
`cacerts` keystore:
Alias Name: globalsignr2ca [jdk]
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
core-libs/java.time:
JDK-8274857: Update Timezone Data to 2021c
===========================================
IANA Time Zone Database, on which JDK's Date/Time libraries are based,
has been updated to version 2021c
(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
that with this update, some of the time zone rules prior to the year
1970 have been modified according to the changes which were introduced
with 2021b. For more detail, refer to the announcement of 2021b
(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
New in release OpenJDK 8u312 (2021-10-19):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk8u312
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u312.txt
* Security fixes
- JDK-8130183, CVE-2021-35588: InnerClasses: VM permits wrong Throw ClassFormatError if InnerClasses attribute's inner_class_info_index is 0
- JDK-8161016: Strange behavior of URLConnection with proxy
- JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference
- JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close
- JDK-8263314: Enhance XML Dsig modes
- JDK-8265167, CVE-2021-35556: Richer Text Editors
- JDK-8265574: Improve handling of sheets
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
- JDK-8265776: Improve Stream handling for SSL
- JDK-8266097, CVE-2021-35561: Better hashing support
- JDK-8266103: Better specified spec values
- JDK-8266109: More Resilient Classloading
- JDK-8266115: More Manifest Jar Loading
- JDK-8266137, CVE-2021-35564: Improve Keystore integrity
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
- JDK-8267712: Better LDAP reference processing
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
- JDK-8267735, CVE-2021-35586: Better BMP support
- JDK-8268193: Improve requests of certificates
- JDK-8268199: Correct certificate requests
- JDK-8268506: More Manifest Digests
- JDK-8269618, CVE-2021-35603: Better session identification
- JDK-8269624: Enhance method selection support
- JDK-8270398: Enhance canonicalization
- JDK-8270404: Better canonicalization
* Other changes
- JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
- JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection
- JDK-7188942: Remove support of pbuffers in OGL Java2d pipeline
- JDK-8004148: NPE in sun.awt.SunToolkit.getWindowDeactivationTime
- JDK-8022323: [JavaSecurityScanner] review package com.sun.management.* Native methods should be private
- JDK-8027154: [TESTBUG] Test java/awt/Mouse/GetMousePositionTest/GetMousePositionWithPopup.java fails
- JDK-8035001: TEST_BUG: the retry logic in RMID.start() should check that the subprocess hasn't terminated
- JDK-8035424: (reflect) Performance problem in sun.reflect.generics.parser.SignatureParser
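Review bot: The "Notes on individual issues" block for 8u322 cites ids that do not appear anywhere in the change lists above it: JDK-8271434 and JDK-8272535 for the two `cacerts` removals and JDK-8274857 for tzdata 2021c, while the lists carry the same changes as JDK-8225082, JDK-8225083 and JDK-8274407. Someone auditing which trust anchors (identrustdstx3, globalsignr2ca) left the keystore cannot match a note to a list entry by id. Suggest naming both ids in each note heading, or adding a line saying the note ids are separate release-note issues.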
@ -22,31 +178,82 @@ Live versions of these release notes can be found at:
- JDK-8079891: Store configure log in $BUILD/configure.log
- JDK-8080082: configure fails if you create an empty directory and then run configure from it
- JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing
- JDK-8131062: aarch64: add support for GHASH acceleration
- JDK-8134869: AARCH64: GHASH intrinsic is not optimal
- JDK-8134989: java/net/MulticastSocket/TestInterfaces.java failed due to unexpected IP address
- JDK-8156584: Initialization race in sun.security.x509.AlgorithmId.get
- JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream
- JDK-8166673: The new implementation of Robot.waitForIdle() may hang
- JDK-8170467: (reflect) Optimize SignatureParser's use of StringBuilders
- JDK-8194246: JVM crashes when calling getStackTrace if stack contains a method that is a member of a very large class
- JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
- JDK-8202837: PBES2 AlgorithmId encoding error in PKCS12 KeyStore
- JDK-8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error
- JDK-8214418: half-closed SSLEngine status may cause application dead loop
- JDK-8214513: A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11
- JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr
- JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail
- JDK-8229243: SunPKCS11-Solaris provider tests failing on Solaris 11.4
- JDK-8231222: fix pkcs11 P11_DEBUG guarded native traces
- JDK-8237495: Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7
- JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
- JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print
- JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
- JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files
- JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
- JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken.
- JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test
- JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
- JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()
- JDK-8263311: Watch registry changes for remote printers update instead of polling
- JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers"
- JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M
- JDK-8265238: [8u] [macos] build failure in OpenJDK8u after JDK-8211301 in older xcode
- JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
- JDK-8265978: make test should look for more locations when searching for exit code
- JDK-8266206: Build failure after JDK-8264752 with older GCCs
- JDK-8268103: JNI functions incorrectly return a double after JDK-8265836
- JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server
- JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark
- JDK-8269763: The JEditorPane is blank after JDK-8265167
- JDK-8269810: [8u] Update generated_configure.sh after JDK-8250876 backport
- JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
- JDK-8269859: BacktraceBuilder._cprefs needs to be accessed as unsigned short
- JDK-8269882: stack-use-after-scope in NewObjectA
- JDK-8269953: config.log is not in build directory after 8u backport of JDK-8079891
- JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
- JDK-8271466: StackGap test fails on aarch64 due to "-m64"
- JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
- JDK-8272214: [8u] Build failure after backport of JDK-8248901
- JDK-8272714: [8u] Build failure after backport of JDK-8248901 with MSVC 2013
* Shenandoah
- [backport] JDK-8269661: JNI_GetStringCritical does not lock char array
- Re-cast JNI critical strings patch to be Shenandoah-specific
Notes on individual issues:
===========================
core-libs/java.net:
JDK-8164200: Modified HttpURLConnection behavior when no suitable proxy is found
================================================================================
The behavior of HttpURLConnection when using a ProxySelector has been
modified with this JDK release. HttpURLConnection used to fall back to
a DIRECT connection attempt if the configured proxy(s) failed to make
a connection. This release introduces a change whereby no DIRECT
connection will be attempted in such a scenario. Instead, the
HttpURLConnection.connect() method will fail and throw an IOException
which occurred from the last proxy tested.
security-libs/javax.net.ssl:
JDK-8219551: Updated the Default Enabled Cipher Suites Preference
=================================================================
The preference of the default enabled cipher suites has been
changed. The compatibility impact should be minimal. If needed,
applications can customize the enabled cipher suites and the
preference. For more details, refer to the SunJSSE provider
documentation and the JSSE Reference Guide documentation.
New in release OpenJDK 8u302 (2021-07-20):
===========================================
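Review bot: The note headed "JDK-8219551: Updated the Default Enabled Cipher Suites Preference" never mentions that the matching list entry is the security fix "JDK-8163326, CVE-2021-35550", and it says only that the preference "has been changed" without stating what changed. The same gap applies to the JDK-8164200 proxy note, whose list entry JDK-8161016 sits under "Security fixes". Suggest adding the list id and CVE to each note heading, so a reader who depended on the old DIRECT fallback or on the old suite order can see that the change is security-driven before overriding it.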


@ -1,74 +0,0 @@
diff --git a/openjdk/hotspot/src/share/vm/adlc/adlparse.cpp b/openjdk/hotspot/src/share/vm/adlc/adlparse.cpp
index 31955ff7..6dcd90ac 100644
--- openjdk/hotspot/src/share/vm/adlc/adlparse.cpp
+++ openjdk/hotspot/src/share/vm/adlc/adlparse.cpp
@@ -4564,7 +4564,7 @@ char *ADLParser::get_paren_expr(const char *description, bool include_location)
// string(still inside the file buffer). Returns a pointer to the string or
// NULL if some other token is found instead.
char *ADLParser::get_ident_common(bool do_preproc) {
- register char c;
+ char c;
char *start; // Pointer to start of token
char *end; // Pointer to end of token
@@ -4762,7 +4762,7 @@ char *ADLParser::get_unique_ident(FormDict& dict, const char* nameDescription){
// invokes a parse_err if the next token is not an integer.
// This routine does not leave the integer null-terminated.
int ADLParser::get_int(void) {
- register char c;
+ char c;
char *start; // Pointer to start of token
char *end; // Pointer to end of token
int result; // Storage for integer result
diff --git a/openjdk/hotspot/src/share/vm/adlc/arena.cpp b/openjdk/hotspot/src/share/vm/adlc/arena.cpp
index d7e4fc6e..406187ae 100644
--- openjdk/hotspot/src/share/vm/adlc/arena.cpp
+++ openjdk/hotspot/src/share/vm/adlc/arena.cpp
@@ -79,7 +79,7 @@ Arena::Arena( Arena *a )
// Total of all Chunks in arena
size_t Arena::used() const {
size_t sum = _chunk->_len - (_max-_hwm); // Size leftover in this Chunk
- register Chunk *k = _first;
+ Chunk *k = _first;
while( k != _chunk) { // Whilst have Chunks in a row
sum += k->_len; // Total size of this Chunk
k = k->_next; // Bump along to next Chunk
@@ -93,7 +93,7 @@ void* Arena::grow( size_t x ) {
// Get minimal required size. Either real big, or even bigger for giant objs
size_t len = max(x, Chunk::size);
- register Chunk *k = _chunk; // Get filled-up chunk address
+ Chunk *k = _chunk; // Get filled-up chunk address
_chunk = new (len) Chunk(len);
if( k ) k->_next = _chunk; // Append new chunk to end of linked list
diff --git a/openjdk/hotspot/src/share/vm/adlc/dict2.cpp b/openjdk/hotspot/src/share/vm/adlc/dict2.cpp
index f341a2b6..2dc60b25 100644
--- openjdk/hotspot/src/share/vm/adlc/dict2.cpp
+++ openjdk/hotspot/src/share/vm/adlc/dict2.cpp
@@ -283,9 +283,9 @@ void Dict::print(PrintKeyOrValue print_key, PrintKeyOrValue print_value) {
// limited to MAXID characters in length. Experimental evidence on 150K of
// C text shows excellent spreading of values for any size hash table.
int hashstr(const void *t) {
- register char c, k = 0;
- register int sum = 0;
- register const char *s = (const char *)t;
+ char c, k = 0;
+ int sum = 0;
+ const char *s = (const char *)t;
while (((c = s[k]) != '\0') && (k < MAXID-1)) { // Get characters till nul
c = (char) ((c << 1) + 1); // Characters are always odd!
diff --git a/openjdk/hotspot/src/share/vm/adlc/main.cpp b/openjdk/hotspot/src/share/vm/adlc/main.cpp
index 52044f12..40bcda74 100644
--- openjdk/hotspot/src/share/vm/adlc/main.cpp
+++ openjdk/hotspot/src/share/vm/adlc/main.cpp
@@ -58,7 +58,7 @@ int main(int argc, char *argv[])
// Read command line arguments and file names
for( int i = 1; i < argc; i++ ) { // For all arguments
- register char *s = argv[i]; // Get option/filename
+ char *s = argv[i]; // Get option/filename
if( *s++ == '-' ) { // It's a flag? (not a filename)
if( !*s ) { // Stand-alone `-' means stdin
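Review bot: This patch file is deleted in full (hunk header `-1,74 +0,0`), and nothing in the commit says why the `register` removals in adlparse.cpp, arena.cpp, dict2.cpp and main.cpp are no longer needed. If the 8u322-b06 tarball already carries these changes, say so in the commit message or changelog; if it does not, the adlc sources go back to using the `register` storage class and the build depends on the compiler still accepting it. Please confirm which case applies before dropping the patch.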


@ -22,7 +22,7 @@ diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/fla
+ # On 32-bit MacOSX the OS requires C-entry points to be 16 byte aligned.
+ # While waiting for a better solution, the current workaround is to use -mstackrealign
+ # This is also required on Linux systems which use libraries compiled with SSE instructions
+ REALIGN_CFLAG="-mstackrealign"
+ REALIGN_CFLAG="-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
+ FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [],
+ AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.])
+ )
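Review bot: With REALIGN_CFLAG now set to "-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4", the AC_MSG_ERROR text three lines below still reports that the compiler "does not support -mstackrealign!", and the comment above still describes the workaround as "use -mstackrealign". A configure failure would name a flag that is no longer being tested. Suggest updating both the comment and the error string to the new flags, or printing $REALIGN_CFLAG in the message.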


@ -0,0 +1,13 @@
diff --git openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
--- openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
+++ openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
@@ -493,9 +493,6 @@
assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + extra_stack_entries
+ 1), "bad stack limit");
}
-#ifndef SHARK
- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
-#endif // !SHARK
}
// Verify linkages.
interpreterState l = istate;
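Review bot: The new patch file removes the IA32_ONLY assertion that `istate->_stack_limit == istate->_thread->last_Java_sp() + 1` with no header, bug id or comment explaining why the check no longer holds. Unlike the PR3836 patch in this same commit, there is nothing to tell a later maintainer whether this is a workaround or a correct fix. Suggest adding a description header to the patch file (issue reference and the condition under which the assert fired), and stating whether the invariant is now expected to be violated on 32-bit x86 or the assert was simply wrong.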


@ -0,0 +1,67 @@
# HG changeset patch
# User Andrew John Hughes <gnu_andrew@member.fsf.org>
# Date 1620365804 -3600
# Fri May 07 06:36:44 2021 +0100
# Node ID 39b62f35eca823b4c9a98bc1dc0cb9acb87360f8
# Parent 723b59ed1afe878c5cd35f080399c8ceec4f776b
PR3836: Extra compiler flags not passed to adlc build
diff --git openjdk.orig/hotspot/make/aix/makefiles/adlc.make openjdk/hotspot/make/aix/makefiles/adlc.make
--- openjdk.orig/hotspot/make/aix/makefiles/adlc.make
+++ openjdk/hotspot/make/aix/makefiles/adlc.make
@@ -69,6 +69,11 @@
CFLAGS_WARN = -w
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
OBJECTNAMES = \
adlparse.o \
archDesc.o \
diff --git openjdk.orig/hotspot/make/bsd/makefiles/adlc.make openjdk/hotspot/make/bsd/makefiles/adlc.make
--- openjdk.orig/hotspot/make/bsd/makefiles/adlc.make
+++ openjdk/hotspot/make/bsd/makefiles/adlc.make
@@ -71,6 +71,11 @@
endif
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
OBJECTNAMES = \
adlparse.o \
archDesc.o \
diff --git openjdk.orig/hotspot/make/linux/makefiles/adlc.make openjdk/hotspot/make/linux/makefiles/adlc.make
--- openjdk.orig/hotspot/make/linux/makefiles/adlc.make
+++ openjdk/hotspot/make/linux/makefiles/adlc.make
@@ -69,6 +69,11 @@
CFLAGS_WARN = $(WARNINGS_ARE_ERRORS)
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
OBJECTNAMES = \
adlparse.o \
archDesc.o \
diff --git openjdk.orig/hotspot/make/solaris/makefiles/adlc.make openjdk/hotspot/make/solaris/makefiles/adlc.make
--- openjdk.orig/hotspot/make/solaris/makefiles/adlc.make
+++ openjdk/hotspot/make/solaris/makefiles/adlc.make
@@ -85,6 +85,10 @@
endif
CFLAGS += $(CFLAGS_WARN)
+# Extra flags from gnumake's invocation or environment
+CFLAGS += $(EXTRA_CFLAGS)
+ASFLAGS += $(EXTRA_ASFLAGS)
+
ifeq ("${Platform_compiler}", "sparcWorks")
# Enable the following CFLAGS addition if you need to compare the
# built ELF objects.
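Review bot: The solaris/makefiles/adlc.make hunk (`@@ -85,6 +85,10 @@`) adds only the CFLAGS and ASFLAGS lines, while the aix, bsd and linux hunks also add `LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)`. If that is deliberate, the changeset description should say why EXTRA_LDFLAGS is not passed to the adlc link on Solaris; otherwise the link step there still ignores the extra flags this patch is meant to propagate. Since these flags typically carry distribution hardening options, it is also worth confirming that appending them after `CFLAGS += $(CFLAGS_WARN)` does not let a later makefile line override them.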


@ -1,6 +1,6 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
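Review bot: nssSecmodDirectory is now the literal `sql:/etc/pki/nssdb` in place of the `@NSS_SECMOD@` substitution, while nssLibraryDirectory on the line above still uses `@NSS_LIBDIR@`. That hard-codes the system NSS database location into the NSS-FIPS provider configuration regardless of how the package is built. Suggest either keeping the placeholder and setting its value in the spec file, or noting in the changelog why the FIPS configuration must point at the system database and what happens when that database is absent, given `nssDbMode = readOnly`.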


@ -0,0 +1,583 @@
diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -78,6 +78,10 @@
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -149,6 +150,16 @@
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
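Review bot: In the `@@ -149,6 +150,16 @@` hunk, `plainKeySupportEnabled = !"false".equals(plainKeySupport);` disables plain key support only for the exact lowercase string "false". Values such as "False", "FALSE" or "0" passed via `-Dcom.redhat.fips.plainKeySupport=` leave it enabled, and the only indication is the sdebug line, which is printed only when debugging is on. For a switch that controls whether plain key material may be imported in FIPS mode, suggest a case-insensitive comparison, e.g. `!"false".equalsIgnoreCase(plainKeySupport)`, and logging the raw property value when it is neither "true" nor "false".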
@@ -176,6 +187,19 @@
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
--- openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,290 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = P11ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
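Review bot: the plain key encoding in keyBytes is never cleared. After importerCipher.doFinal(keyBytes) the array is simply dropped, and the finally block only calls importerKey.releaseKeyID(); zero the array there with Arrays.fill(keyBytes, (byte)0) when it is non-null, after checking whether the CKO_SECRET_KEY branch hands back the template's own array from getByteArray(). Two related points in the same method: importerCipher.init and doFinal run after importerKeyLock.unlock(), and createImporterKey generates the IV once, so every import reuses one AES key, one IV and one shared Cipher instance in CBC mode, with nothing in this file serialising concurrent callers; holding the lock across init/doFinal, or using a per-call Cipher and a fresh IV in a per-call CK_MECHANISM, would remove both concerns. Finally, attrsMap.get(CKA_MODULUS).getBigInteger() and its siblings guard against a null BigInteger but not against a missing attribute, so an incomplete template ends in a NullPointerException that catch (Throwable t) turns into CKR_GENERAL_ERROR with no debug output; a null check on the map lookup with a debug.println would make that failure diagnosable.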
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -63,6 +66,26 @@
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -314,10 +337,15 @@
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -333,7 +361,7 @@
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -147,16 +148,28 @@
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
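Review bot: fipsKeyImporter is only consulted inside the pkcs11 == null branch, so when moduleMap already holds an instance for pkcs11ModulePath the cached object is returned and the handle passed by this caller is dropped without notice. SunPKCS11 binds that handle to its own instance with MethodHandles.insertArguments(fipsImportKey, 0, this), so a second provider configured with the same library path would import keys through the first provider's handle. Either document that one provider per module path is assumed in this mode, or fail (or at least log) when a cached instance was created with a different importer.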
@@ -1905,4 +1918,69 @@
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
+}
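Review bot: in both C_CreateObject overrides, catch (Throwable t) replaces whatever the importer raised with a new PKCS11Exception(CKR_GENERAL_ERROR), which hides the original failure and also turns Errors such as OutOfMemoryError into a PKCS#11 return code. Rethrow a PKCS11Exception unchanged and attach the cause with initCause for everything else. FIPSPKCS11.C_CreateObject is declared synchronized even though this class is the one selected when CKF_OS_LOCKING_OK is set, so the reason for the lock deserves a comment. The header comment says the class is only used when System FIPS is enabled, while the selection in getInstance depends on fipsKeyImporter != null; the comment should name the actual condition. The two overrides are identical and could share one static helper in FIPSPKCS11Helper, and fipsKeyImporter can be final in both classes.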
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
@@ -33,8 +33,13 @@
import javax.net.ssl.*;
+import sun.misc.SharedSecrets;
+
abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
X509ExtendedKeyManager keyManager;
boolean isInitialized;
@@ -62,7 +67,8 @@
KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
if ((ks != null) && SunJSSE.isFIPS()) {
- if (ks.getProvider() != SunJSSE.cryptoProvider) {
+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
+ !plainKeySupportEnabled) {
throw new KeyStoreException("FIPS mode: KeyStore must be "
+ "from provider " + SunJSSE.cryptoProvider.getName());
}
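Review bot: with && !plainKeySupportEnabled added to the condition, the FIPS-mode check that the KeyStore comes from SunJSSE.cryptoProvider no longer fires whenever plain key support is on, and the spec comment for Patch1011 says it is on unless com.redhat.fips.plainKeySupport is set to false. The KeyStoreException message below it still states that the KeyStore must be from that provider, so the code needs a comment explaining why a foreign KeyStore is acceptable in this configuration (presumably because the keys are then imported into the token through the unwrap scheme in FIPSPKCS11.C_CreateObject). The same relaxed condition is repeated in the next hunk; a small private helper would keep the two copies from drifting apart.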
@@ -91,8 +97,8 @@
keyManager = new X509KeyManagerImpl(
Collections.<Builder>emptyList());
} else {
- if (SunJSSE.isFIPS() &&
- (ks.getProvider() != SunJSSE.cryptoProvider)) {
+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
+ && !plainKeySupportEnabled) {
throw new KeyStoreException(
"FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName());

View File

@ -22,6 +22,17 @@
%bcond_without slowdebug
# Enable release builds by default on relevant arches.
%bcond_without release
# Remove build artifacts by default
%bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
%if %{with fresh_libjvm}
%global build_hotspot_first 1
%else
%global build_hotspot_first 0
%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
@ -63,7 +74,7 @@
# in alternatives those are slaves and master, very often triplicated by man pages
# in files all masters and slaves are ghosted
# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_
# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
# TODO - fix those hardcoded lists via single list
# Those files must *NOT* be ghosted for *slowdebug* packages
# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
@ -84,23 +95,30 @@
%global ppc64be ppc64 ppc64p7
# Set of architectures which support multiple ABIs
%global multilib_arches %{power64} sparc64 x86_64
# Set of architectures for which we build debug builds
# Set of architectures for which we build slowdebug builds
%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64}
# Set of architectures for which we build fastdebug builds
%global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures with a Just-In-Time (JIT) compiler
%global jit_arches %{debug_arches}
%global jit_arches %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64
# Set of architectures which use the Zero assembler port (!jit_arches)
%global zero_arches %{arm} ppc s390 s390x
# Set of architectures which run a full bootstrap cycle
%global bootstrap_arches %{jit_arches} %{zero_arches}
# Set of architectures which support SystemTap tapsets
%global systemtap_arches %{jit_arches}
%global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures which support the serviceability agent
%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64}
# Set of architectures which support class data sharing
# See https://bugzilla.redhat.com/show_bug.cgi?id=513605
# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT
%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64}
# Set of architectures which support JFR
%global jfr_arches %{jit_arches}
# Set of architectures for which alt-java has SSB mitigation
%global ssbd_arches x86_64
# Set of architectures where we verify backtraces with gdb
%global gdb_arches %{jit_arches} %{zero_arches}
# By default, we build a debug build during main build on JIT architectures
%if %{with slowdebug}
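Review bot: gdb_arches and bootstrap_arches are both defined as %{jit_arches} %{zero_arches}, and zero_arches is described as (!jit_arches), so the %ifarch guards built on them cover every architecture the spec classifies and change nothing as written. If these are placeholders for later exclusions, say so in the two comments; otherwise list the architectures that are actually meant to run the full bootstrap cycle and the gdb backtrace check.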
@ -135,15 +153,32 @@
%else
%global fastdebug_build %{nil}
%endif
%global bootstrap_build 1
# If you disable both builds, then the build fails
# If you disable all builds, then the build fails
# Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
%global bootstrap_targets images
%global release_targets images docs-zip
%global debug_targets images
# Target to use to just build HotSpot
%global hotspot_target hotspot
# JDK to use for bootstrapping
# Use OpenJDK 7 where available (on RHEL) to avoid
# having to use the rhel-7.x-java-unsafe-candidate hack
%if ! 0%{?fedora} && 0%{?rhel} <= 7
%global buildjdkver 1.7.0
%else
%global buildjdkver 1.8.0
%endif
%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
# Disable LTO as this causes build failures at the moment.
# See RHBZ#1861401
@ -272,9 +307,9 @@
%endif
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
%global shenandoah_project aarch64-port
%global shenandoah_repo jdk8u-shenandoah
%global shenandoah_revision aarch64-shenandoah-jdk8u312-b01
%global shenandoah_project openjdk
%global shenandoah_repo shenandoah-jdk8u
%global shenandoah_revision aarch64-shenandoah-jdk8u322-b06
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
%global repo %{shenandoah_repo}
@ -289,12 +324,12 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
%global rpmrelease 1
%global rpmrelease 2
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
%global is_ga 0
%global is_ga 1
%if %{is_ga}
%global milestone fcs
%global milestone_version %{nil}
@ -323,6 +358,7 @@
%global jdkimage j2sdk-image
# output dir stub
%define buildoutputdir() %{expand:build/jdk8.build%{?1}}
%define installoutputdir() %{expand:install/jdk8.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}%{?1}}
# main id and dir of this jdk
@ -394,12 +430,7 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
exit 0
}
%define post_headless() %{expand:
%ifarch %{share_arches}
%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
%endif
%define alternatives_java_install() %{expand:
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
@ -449,8 +480,13 @@ for X in %{origin} %{javaver} ; do
alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{jredir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
done
update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch}
alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch}
}
%define post_headless() %{expand:
%ifarch %{share_arches}
%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
%endif
update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -487,8 +523,8 @@ exit 0
%{update_desktop_icons}
}
%define post_devel() %{expand:
%define alternatives_javac_install() %{expand:
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
@ -596,7 +632,9 @@ for X in %{origin} %{javaver} ; do
done
update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
}
%define post_devel() %{expand:
update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -619,11 +657,11 @@ exit 0
}
%define posttrans_devel() %{expand:
%{alternatives_javac_install -- %{?1}}
%{update_desktop_icons}
}
%define post_javadoc() %{expand:
%define alternatives_javadoc_install() %{expand:
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
@ -640,8 +678,7 @@ exit 0
exit 0
}
%define post_javadoc_zip() %{expand:
%define alternatives_javadoczip_install() %{expand:
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
@ -780,8 +817,10 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libnio.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libnpt.so
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsaproc.so
%endif
%endif
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsctp.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsunec.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsystemconf.so
@ -918,8 +957,10 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jconsole.jar
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/orb.idl
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/sa-jdi.jar
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/dt.jar
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tools.jar
@ -1025,7 +1066,7 @@ exit 0
%defattr(-,root,root,-)
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
#javadoc is in jdk8 noarch, so also licnese file must be treated like it
%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE
%license %{installoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java
@ -1037,7 +1078,7 @@ exit 0
%defattr(-,root,root,-)
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
#javadoc is in jdk8 noarch, so also licnese file must be treated like it
%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE
%license %{installoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java-zip
@ -1080,8 +1121,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zoneinfo data provided by tzdata-java subpackage.
# 2021a required as of JDK-8260356 in April CPU
Requires: tzdata-java >= 2021a
# 2021e required as of JDK-8275766 in January 2022 CPU
Requires: tzdata-java >= 2021e
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@ -1291,6 +1332,8 @@ Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
# RH1996182: Login to the NSS software token in FIPS mode
Patch1008: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1011: rh1991003-enable_fips_keys_import.patch
#############################################
#
@ -1322,8 +1365,8 @@ Patch600: rh1750419-redhat_alt_java.patch
# JDK-8218811: replace open by os::open in hotspot coding
# This fixes a GCC 10 build issue
Patch111: jdk8218811-perfMemory_linux.patch
# Similar for GCC 11
Patch112: %{name}-gcc11.patch
# JDK-8281098, PR3836: Extra compiler flags not passed to adlc build
Patch112: jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
#############################################
#
@ -1368,6 +1411,8 @@ Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch
Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch
# JDK-8195607, PR3776, RH1760437: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
Patch581: jdk8257794-remove_broken_assert.patch
#############################################
#
@ -1443,20 +1488,14 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: unzip
# Use OpenJDK 7 where available (on RHEL) to avoid
# having to use the rhel-7.x-java-unsafe-candidate hack
%if ! 0%{?fedora} && 0%{?rhel} <= 7
# Require a boot JDK which doesn't fail due to RH1482244
BuildRequires: java-1.7.0-openjdk-devel >= 1.7.0.151-2.6.11.3
%else
BuildRequires: java-1.8.0-openjdk-devel
%endif
BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
# Zero-assembler build requirement
%ifnarch %{jit_arches}
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
# 2021a required as of JDK-8260356 in April CPU
BuildRequires: tzdata-java >= 2021a
# 2021e required as of JDK-8275766 in January 2022 CPU
BuildRequires: tzdata-java >= 2021e
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
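Review bot: BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 applies the RH1482244 floor, which is a java-1.7.0-openjdk version, to the 1.8.0 boot JDK as well whenever buildjdkver is 1.8.0. It is harmless there, but it reads like a meaningful bound on the 1.8.0 package. Keep the floor conditional on the 1.7.0 case, or extend the comment above it to say that it only matters for the OpenJDK 7 boot JDK.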
@ -1752,6 +1791,7 @@ sh %{SOURCE12}
%patch111
%patch112
%patch580
%patch581
# RPM-only fixes
%patch539
@ -1765,6 +1805,7 @@ sh %{SOURCE12}
%patch1006
%patch1007
%patch1008
%patch1011
# RHEL-only patches
%if ! 0%{?fedora} && 0%{?rhel} <= 7
@ -1825,7 +1866,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
%build
# How many CPU's do we have?
@ -1863,7 +1903,7 @@ export EXTRA_CFLAGS EXTRA_ASFLAGS
function buildjdk() {
local outputdir=${1}
local buildjdk=${2}
local maketargets=${3}
local maketargets="${3}"
local debuglevel=${4}
local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name}
@ -1883,7 +1923,7 @@ function buildjdk() {
%else
--disable-jfr \
%endif
%ifnarch %{jit_arches}
%ifarch %{zero_arches}
--with-jvm-variants=zero \
%endif
--with-native-debug-symbols=internal \
@ -1919,24 +1959,60 @@ function buildjdk() {
SCTP_WERROR= \
${maketargets} || ( pwd; find ${top_srcdir_abs_path} ${top_builddir_abs_path} -name "hs_err_pid*.log" | xargs cat && false )
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \;
chmod ugo+r images/%{jdkimage}/lib/ct.sym
# remove redundant *diz and *debuginfo files
find images/%{jdkimage} -iname '*.diz' -exec rm -v {} \;
find images/%{jdkimage} -iname '*.debuginfo' -exec rm -v {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find images/%{jdkimage} -iname '*.so' -exec chmod +x {} \;
find images/%{jdkimage}/bin/ -exec chmod +x {} \;
popd >& /dev/null
popd
}
function installjdk() {
local outputdir=${1}
local installdir=${2}
local imagepath=${installdir}/images/%{jdkimage}
echo "Installing build from ${outputdir} to ${installdir}..."
mkdir -p ${installdir}
echo "Installing images..."
mv ${outputdir}/images ${installdir}
if [ -d ${outputdir}/bundles ] ; then
echo "Installing bundles...";
mv ${outputdir}/bundles ${installdir} ;
fi
if [ -d ${outputdir}/docs ] ; then
echo "Installing docs...";
mv ${outputdir}/docs ${installdir} ;
fi
%if !%{with artifacts}
echo "Removing output directory...";
rm -rf ${outputdir}
%endif
if [ -d ${imagepath} ] ; then
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
chmod ugo+r ${imagepath}/lib/ct.sym
# remove redundant *diz and *debuginfo files
find ${imagepath} -iname '*.diz' -exec rm -v {} \;
find ${imagepath} -iname '*.debuginfo' -exec rm -v {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
fi
}
%if %{build_hotspot_first}
# Build a fresh libjvm.so first and use it to bootstrap
cp -LR --preserve=mode,timestamps %{bootjdk} newboot
systemjdk=$(pwd)/newboot
buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
mv build/newboot/hotspot/dist/jre/lib/%{archinstall}/server/libjvm.so newboot/jre/lib/%{archinstall}/server
%else
systemjdk=%{bootjdk}
%endif
for suffix in %{build_loop} ; do
if [ "x$suffix" = "x" ] ; then
debugbuild=release
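Review bot: the call buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" passes five arguments, while the locals shown for buildjdk stop at debuglevel=${4}, so "bundled" appears to be unused. Drop it or add the matching local so the call documents itself. In installjdk the ${outputdir}, ${installdir} and ${imagepath} expansions are unquoted, including in rm -rf ${outputdir}; quote them the way maketargets="${3}" is quoted, so that a path with whitespace or an empty value cannot change what gets moved or removed.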
@ -1945,27 +2021,35 @@ else
debugbuild=`echo $suffix | sed "s/-//g"`
fi
systemjdk=/usr/lib/jvm/java-openjdk
builddir=%{buildoutputdir -- $suffix}
bootbuilddir=boot${builddir}
installdir=%{installoutputdir -- $suffix}
bootinstalldir=boot${installdir}
# Debug builds don't need same targets as release for
# build speed-up
maketargets="%{release_targets}"
# build speed-up. We also avoid bootstrapping these
# slower builds.
if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}"
run_bootstrap=false
else
maketargets="%{release_targets}"
run_bootstrap=%{bootstrap_build}
fi
%if %{bootstrap_build}
buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
rm -rf ${bootbuilddir}
%else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild}
%endif
if ${run_bootstrap} ; then
buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
installjdk ${bootbuilddir} ${bootinstalldir}
buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
installjdk ${builddir} ${installdir}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild}
installjdk ${builddir} ${installdir}
fi
# Install nss.cfg right away as we will be using the JRE above
export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage}
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg $JAVA_HOME/jre/lib/security/
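Review bot: if ${run_bootstrap} runs the variable's value as a command, which only works while %{bootstrap_build} expands to the literal word true or false; a value such as 1 or 0 would produce a command-not-found error and fall through to the else branch, skipping the bootstrap without failing the build. An explicit test, [ "${run_bootstrap}" = "true" ], makes the dependency visible and safe. The artifacts switch is also spelled two ways, %{!?with_artifacts:rm -rf ${bootinstalldir}} here and %if !%{with artifacts} in installjdk; using one idiom for both would make it easier to see that they are the same option.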
@ -1991,7 +2075,7 @@ done
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage}
# Check unlimited policy has been used
$JAVA_HOME/bin/javac -d . %{SOURCE13}
@ -2082,7 +2166,9 @@ end
run -version
EOF
%ifarch %{gdb_arches}
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif
# Check src.zip has all sources. See RHBZ#1130490
jar -tf $JAVA_HOME/src.zip | grep 'sun.misc.Unsafe'
@ -2106,7 +2192,7 @@ STRIP_KEEP_SYMTAB=libjvm*
for suffix in %{build_loop} ; do
# Install the jdk
pushd %{buildoutputdir -- $suffix}/images/%{jdkimage}
pushd %{installoutputdir -- $suffix}/images/%{jdkimage}
# Install jsa directories so we can owe them
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/server/
@ -2173,9 +2259,9 @@ popd
if ! echo $suffix | grep -q "debug" ; then
# Install Javadoc documentation
install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
cp -a %{buildoutputdir -- $suffix}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
cp -a %{installoutputdir -- $suffix}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
built_doc_archive=`echo "jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip" | sed s/slowdebug/debug/`
cp -a %{buildoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
cp -a %{installoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
fi
# Install release notes
@ -2314,6 +2400,9 @@ cjc.mainProgram(args)
%posttrans
%{posttrans_script %{nil}}
%posttrans headless
%{alternatives_java_install %{nil}}
%post devel
%{post_devel %{nil}}
@ -2323,14 +2412,14 @@ cjc.mainProgram(args)
%posttrans devel
%{posttrans_devel %{nil}}
%post javadoc
%{post_javadoc %{nil}}
%posttrans javadoc
%{alternatives_javadoc_install %{nil}}
%postun javadoc
%{postun_javadoc %{nil}}
%post javadoc-zip
%{post_javadoc_zip %{nil}}
%posttrans javadoc-zip
%{alternatives_javadoczip_install %{nil}}
%postun javadoc-zip
%{postun_javadoc_zip %{nil}}
@ -2343,6 +2432,9 @@ cjc.mainProgram(args)
%post headless-slowdebug
%{post_headless -- %{debug_suffix_unquoted}}
%posttrans headless-slowdebug
%{alternatives_java_install -- %{debug_suffix_unquoted}}
%postun slowdebug
%{postun_script -- %{debug_suffix_unquoted}}
@ -2378,6 +2470,9 @@ cjc.mainProgram(args)
%posttrans fastdebug
%{posttrans_script -- %{fastdebug_suffix_unquoted}}
%posttrans headless-fastdebug
%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
%post devel-fastdebug
%{post_devel -- %{fastdebug_suffix_unquoted}}
@ -2460,6 +2555,85 @@ cjc.mainProgram(args)
%endif
%changelog
* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-2
- Refactor build functions so we can build just HotSpot without any attempt at installation.
- Introduce architecture restriction logic for the gdb test. (RH2041970)
- Replace GCC 11 patch to remove use of the register keyword with correct fix to ADLC build (JDK-8281098)
- Adjust JDK8199936/PR3533 -mstackrealign patch to instead pass -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4
- Explicitly list JIT architectures rather than relying on those with slowdebug builds
- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds
- Related: rhbz#2022823
* Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-1
- Update to aarch64-shenandoah-jdk8u322-b06 (GA)
- Update release notes for 8u322-b06.
- Switch to GA mode for final release.
- Resolves: rhbz#2039398
* Wed Feb 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b05-0.1.ea
- Update to aarch64-shenandoah-jdk8u322-b05 (EA)
- Update release notes for 8u322-b05.
- Switch to EA mode.
- Require tzdata 2021c as of JDK-8274407.
- Require tzdata 2021e as of JDK-8275766.
- Update tarball generation script to use git following shenandoah-jdk8u's move to github
- Resolves: rhbz#2022823
* Mon Dec 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b07-3
- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
- Related: rhbz#2022823
* Sun Dec 05 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:1.8.0.312.b07-2
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
secmod.db file as part of nss
- Resolves: rhbz#2023533
* Wed Nov 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b07-1
- Update to aarch64-shenandoah-jdk8u312-b07 (GA)
- Update release notes for 8u312-b07.
- Switch to GA mode for final release.
- Resolves: rhbz#2013844
* Wed Nov 10 2021 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.312.b05-0.3.ea
- alternatives creation moved to posttrans
- Thus fixing the old reisntall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
- Resolves: rhbz#2008202
* Thu Oct 07 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.2.ea
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Resolves: rhbz#1994676
* Thu Oct 07 2021 Martin Balao <mbalao@redhat.com> - 1:1.8.0.312.b05-0.2.ea
- Add patch to allow plain key import.
- Resolves: rhbz#1994676
* Thu Sep 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.1.ea
- Update to aarch64-shenandoah-jdk8u312-b05 (EA)
- Update release notes for 8u312-b05.
- Resolves: rhbz#1999939
* Sun Sep 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b04-0.1.ea
- Update to aarch64-shenandoah-jdk8u312-b04 (EA)
- Update release notes for 8u312-b04.
- Related: rhbz#1999939
* Fri Sep 24 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.1.ea
- Update to aarch64-shenandoah-jdk8u312-b03 (EA)
- Update release notes for 8u312-b03.
- Related: rhbz#1999939
* Tue Sep 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b02-0.2.ea
- Reduce disk footprint by removing build artifacts by default.
- Related: rhbz#1999939
* Sun Sep 19 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b02-0.1.ea
- Update to aarch64-shenandoah-jdk8u312-b02 (EA)
- Update release notes for 8u312-b02.
- Related: rhbz#1999939
* Mon Sep 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b01-0.1.ea
- Update to aarch64-shenandoah-jdk8u312-b01 (EA)
- Update release notes for 8u312-b01.
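Review bot: the two 1:1.8.0.312.b05-0.2.ea entries add plain key import and describe `-Dcom.redhat.fips.plainKeySupport=false` only as a way to turn it off, which implies the feature is enabled by default without saying so. State the default explicitly in the changelog so administrators of FIPS deployments know whether they need to set the property. Two smaller points in the same hunk: "reisntall" in the 1:1.8.0.312.b05-0.3.ea entry should read "reinstall", and the two bugzilla URLs under it are written as separate `-` items although they belong to the line above, so they would read better indented beneath it.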