Compare commits

..

No commits in common. "c8" and "imports/c9-beta/java-1.8.0-openjdk-1.8.0.312.b01-0.1.ea.el9" have entirely different histories.

36 changed files with 2821 additions and 11871 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/shenandoah8u432-b06.tar.xz
SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b01-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz

View File

@ -1,2 +1,2 @@
af2d3b85c48ecc8c22188ac687e6160658ef6aca SOURCES/shenandoah8u432-b06.tar.xz
82ec3762fba3987e1440e069427a7d4be9f367d7 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b01-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

File diff suppressed because it is too large Load Diff

View File

@ -1,34 +1,8 @@
OpenJDK 8 is a Long-Term Support (LTS) release of the Java platform.
Package of LTS OpenJDK 8
OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. This package is designed to harbore them. Currently it is build on openJDK 10. LTSs (next is 11) will go as separate packages.
For a list of major changes in OpenJDK 8 (java-1.8.0-openjdk), see the
upstream release page: https://openjdk.org/projects/jdk8/features
JDK8 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/8/ and is landing to your RHEL. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives.
# Rebuilding the OpenJDK package
See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf
The OpenJDK packages are now created from a single build which is then
packaged for different major versions of Red Hat Enterprise Linux
(RHEL). This allows the OpenJDK team to focus their efforts on the
development and testing of this single build, rather than having
multiple builds which only differ by the platform they were built on.
This does make rebuilding the package slightly more complicated than a
normal package. Modifications should be made to the
`java-1.8.0-openjdk-portable.specfile` file, which can be found with
this README file in the source RPM or installed in the documentation
tree by the `java-1.8.0-openjdk-headless` RPM.
Once the modified `java-1.8.0-openjdk-portable` RPMs are built, they
should be installed and will produce a number of tarballs in the
`/usr/lib/jvm` directory. The `java-1.8.0-openjdk` RPMs can then be
built, which will use these tarballs to create the usual RPMs found in
RHEL. The `java-1.8.0-openjdk-portable` RPMs can be uninstalled once
the desired final RPMs are produced.
Note that the `java-1.8.0-openjdk.spec` file has a hard requirement on
the exact version of java-1.8.0-openjdk-portable to use, so this will
need to be modified if the version or rpmrelease values are changed in
`java-1.8.0-openjdk-portable.specfile`.
To reduce the number of RPMs involved, the `fastdebug` and `slowdebug`
builds may be disabled using `--without fastdebug` and `--without
slowdebug`.

View File

@ -1,20 +1,3 @@
/* TestSecurityProperties -- Ensure system security properties can be used to
enable the crypto policies.
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
@ -26,24 +9,9 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
private static final String MSG_PREFIX = "DEBUG: ";
public static void main(String[] args) {
if (args.length == 0) {
System.err.println("TestSecurityProperties <true|false>");
System.err.println("Invoke with 'true' if system security properties should be enabled.");
System.err.println("Invoke with 'false' if system security properties should be disabled.");
System.exit(1);
}
boolean enabled = Boolean.valueOf(args[0]);
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
if (enabled) {
loadPolicy(jdkProps);
}
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
@ -53,7 +21,7 @@ public class TestSecurityProperties {
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
@ -61,24 +29,15 @@ public class TestSecurityProperties {
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
System.out.println("Debug: Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
try (FileInputStream fin = new FileInputStream(propsFile)) {
try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
private static void loadPolicy(Properties props) {
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
}

View File

@ -1,160 +0,0 @@
/* TestTranslations -- Ensure translations are available for new timezones
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.text.DateFormatSymbols;
import java.time.ZoneId;
import java.time.format.TextStyle;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Locale;
import java.util.Objects;
import java.util.TimeZone;
public class TestTranslations {
private static Map<Locale,String[]> KYIV, CIUDAD_JUAREZ;
static {
Map<Locale,String[]> map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET",
"Eastern European Summer Time", "GMT+03:00", "EEST",
"Eastern European Time", "GMT+02:00", "EET"});
map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET",
"Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST",
"Heure d'Europe de l'Est", "UTC+02:00", "EET"});
map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ",
"Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
"Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
KYIV = Collections.unmodifiableMap(map);
map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
"Mountain Daylight Time", "MDT", "MDT",
"Mountain Time", "MT", "MT"});
map.put(Locale.FRANCE, new String[] { "Heure normale des Rocheuses", "UTC\u221207:00", "MST",
"Heure avanc\u00e9e des Rocheuses", "UTC\u221206:00", "MDT",
"Rocheuses", "UTC\u221207:00", "MT"});
map.put(Locale.GERMANY, new String[] { "Rocky Mountains Normalzeit", "GMT-07:00", "MST",
"Rocky Mountains Sommerzeit", "GMT-06:00", "MDT",
"Zeitzone Mountain", "GMT-07:00", "MT"});
CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
}
public static void main(String[] args) {
if (args.length < 1) {
System.err.println("Test must be started with the name of the locale provider.");
System.exit(1);
}
System.out.println("Checking sanity of full zone string set...");
boolean invalid = Arrays.stream(Locale.getAvailableLocales())
.peek(l -> System.out.println("Locale: " + l))
.map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
.flatMap(zs -> Arrays.stream(zs))
.flatMap(names -> Arrays.stream(names))
.filter(name -> Objects.isNull(name) || name.isEmpty())
.findAny()
.isPresent();
if (invalid) {
System.err.println("Zone string for a locale returned null or empty string");
System.exit(2);
}
String localeProvider = args[0];
testZone(localeProvider, KYIV,
new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
testZone(localeProvider, CIUDAD_JUAREZ,
new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
}
private static void testZone(String localeProvider, Map<Locale,String[]> exp, String[] ids) {
for (Locale l : exp.keySet()) {
String[] expected = exp.get(l);
System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
for (String id : ids) {
String expectedShortStd = null;
String expectedShortDST = null;
String expectedShortGen = null;
System.out.printf("Checking locale %s for %s...\n", l, id);
if ("JRE".equals(localeProvider)) {
expectedShortStd = expected[2];
expectedShortDST = expected[5];
expectedShortGen = expected[8];
} else if ("CLDR".equals(localeProvider)) {
expectedShortStd = expected[1];
expectedShortDST = expected[4];
expectedShortGen = expected[7];
} else {
System.err.printf("Invalid locale provider %s\n", localeProvider);
System.exit(3);
}
System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
if (!expected[0].equals(longStd)) {
System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
id, l, longStd, expected[0]);
System.exit(4);
}
if (!expectedShortStd.equals(shortStd)) {
System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
id, l, shortStd, expectedShortStd);
System.exit(5);
}
if (!expected[3].equals(longDST)) {
System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
id, l, longDST, expected[3]);
System.exit(6);
}
if (!expectedShortDST.equals(shortDST)) {
System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
id, l, shortDST, expectedShortDST);
System.exit(7);
}
if (!expected[6].equals(longGen)) {
System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
id, l, longGen, expected[6]);
System.exit(8);
}
if (!expectedShortGen.equals(shortGen)) {
System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
id, l, shortGen, expectedShortGen);
System.exit(9);
}
}
}
}
}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,74 @@
diff --git a/openjdk/hotspot/src/share/vm/adlc/adlparse.cpp b/openjdk/hotspot/src/share/vm/adlc/adlparse.cpp
index 31955ff7..6dcd90ac 100644
--- openjdk/hotspot/src/share/vm/adlc/adlparse.cpp
+++ openjdk/hotspot/src/share/vm/adlc/adlparse.cpp
@@ -4564,7 +4564,7 @@ char *ADLParser::get_paren_expr(const char *description, bool include_location)
// string(still inside the file buffer). Returns a pointer to the string or
// NULL if some other token is found instead.
char *ADLParser::get_ident_common(bool do_preproc) {
- register char c;
+ char c;
char *start; // Pointer to start of token
char *end; // Pointer to end of token
@@ -4762,7 +4762,7 @@ char *ADLParser::get_unique_ident(FormDict& dict, const char* nameDescription){
// invokes a parse_err if the next token is not an integer.
// This routine does not leave the integer null-terminated.
int ADLParser::get_int(void) {
- register char c;
+ char c;
char *start; // Pointer to start of token
char *end; // Pointer to end of token
int result; // Storage for integer result
diff --git a/openjdk/hotspot/src/share/vm/adlc/arena.cpp b/openjdk/hotspot/src/share/vm/adlc/arena.cpp
index d7e4fc6e..406187ae 100644
--- openjdk/hotspot/src/share/vm/adlc/arena.cpp
+++ openjdk/hotspot/src/share/vm/adlc/arena.cpp
@@ -79,7 +79,7 @@ Arena::Arena( Arena *a )
// Total of all Chunks in arena
size_t Arena::used() const {
size_t sum = _chunk->_len - (_max-_hwm); // Size leftover in this Chunk
- register Chunk *k = _first;
+ Chunk *k = _first;
while( k != _chunk) { // Whilst have Chunks in a row
sum += k->_len; // Total size of this Chunk
k = k->_next; // Bump along to next Chunk
@@ -93,7 +93,7 @@ void* Arena::grow( size_t x ) {
// Get minimal required size. Either real big, or even bigger for giant objs
size_t len = max(x, Chunk::size);
- register Chunk *k = _chunk; // Get filled-up chunk address
+ Chunk *k = _chunk; // Get filled-up chunk address
_chunk = new (len) Chunk(len);
if( k ) k->_next = _chunk; // Append new chunk to end of linked list
diff --git a/openjdk/hotspot/src/share/vm/adlc/dict2.cpp b/openjdk/hotspot/src/share/vm/adlc/dict2.cpp
index f341a2b6..2dc60b25 100644
--- openjdk/hotspot/src/share/vm/adlc/dict2.cpp
+++ openjdk/hotspot/src/share/vm/adlc/dict2.cpp
@@ -283,9 +283,9 @@ void Dict::print(PrintKeyOrValue print_key, PrintKeyOrValue print_value) {
// limited to MAXID characters in length. Experimental evidence on 150K of
// C text shows excellent spreading of values for any size hash table.
int hashstr(const void *t) {
- register char c, k = 0;
- register int sum = 0;
- register const char *s = (const char *)t;
+ char c, k = 0;
+ int sum = 0;
+ const char *s = (const char *)t;
while (((c = s[k]) != '\0') && (k < MAXID-1)) { // Get characters till nul
c = (char) ((c << 1) + 1); // Characters are always odd!
diff --git a/openjdk/hotspot/src/share/vm/adlc/main.cpp b/openjdk/hotspot/src/share/vm/adlc/main.cpp
index 52044f12..40bcda74 100644
--- openjdk/hotspot/src/share/vm/adlc/main.cpp
+++ openjdk/hotspot/src/share/vm/adlc/main.cpp
@@ -58,7 +58,7 @@ int main(int argc, char *argv[])
// Read command line arguments and file names
for( int i = 1; i < argc; i++ ) { // For all arguments
- register char *s = argv[i]; // Get option/filename
+ char *s = argv[i]; // Get option/filename
if( *s++ == '-' ) { // It's a flag? (not a filename)
if( !*s ) { // Stand-alone `-' means stdin

File diff suppressed because it is too large Load Diff

View File

@ -1,286 +0,0 @@
# HG changeset patch
# User sherman
# Date 1505950914 25200
# Wed Sep 20 16:41:54 2017 -0700
# Node ID 723486922bfe4c17e3f5c067ce5e97229842fbcd
# Parent c8ac05bbe47771b3dafa2e7fc9a95d86d68d7c07
8186464: ZipFile cannot read some InfoZip ZIP64 zip files
Reviewed-by: martin
diff --git openjdk.orig/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java openjdk/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java
index 26e2a5bf9e9..2630c118817 100644
--- openjdk.orig/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java
+++ openjdk/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java
@@ -92,6 +92,7 @@ public class ZipFileSystem extends FileSystem {
private final boolean createNew; // create a new zip if not exists
private static final boolean isWindows =
System.getProperty("os.name").startsWith("Windows");
+ private final boolean forceEnd64;
// a threshold, in bytes, to decide whether to create a temp file
// for outputstream of a zip entry
@@ -112,12 +113,13 @@ public class ZipFileSystem extends FileSystem {
if (this.defaultDir.charAt(0) != '/')
throw new IllegalArgumentException("default dir should be absolute");
+ this.forceEnd64 = "true".equals(env.get("forceZIP64End"));
this.provider = provider;
this.zfpath = zfpath;
if (Files.notExists(zfpath)) {
if (createNew) {
try (OutputStream os = Files.newOutputStream(zfpath, CREATE_NEW, WRITE)) {
- new END().write(os, 0);
+ new END().write(os, 0, forceEnd64);
}
} else {
throw new FileSystemNotFoundException(zfpath.toString());
@@ -1014,28 +1016,36 @@ public class ZipFileSystem extends FileSystem {
end.cenoff = ENDOFF(buf);
end.comlen = ENDCOM(buf);
end.endpos = pos + i;
- if (end.cenlen == ZIP64_MINVAL ||
- end.cenoff == ZIP64_MINVAL ||
- end.centot == ZIP64_MINVAL32)
- {
- // need to find the zip64 end;
- byte[] loc64 = new byte[ZIP64_LOCHDR];
- if (readFullyAt(loc64, 0, loc64.length, end.endpos - ZIP64_LOCHDR)
- != loc64.length) {
- return end;
- }
- long end64pos = ZIP64_LOCOFF(loc64);
- byte[] end64buf = new byte[ZIP64_ENDHDR];
- if (readFullyAt(end64buf, 0, end64buf.length, end64pos)
- != end64buf.length) {
- return end;
- }
- // end64 found, re-calcualte everything.
- end.cenlen = ZIP64_ENDSIZ(end64buf);
- end.cenoff = ZIP64_ENDOFF(end64buf);
- end.centot = (int)ZIP64_ENDTOT(end64buf); // assume total < 2g
- end.endpos = end64pos;
+ // try if there is zip64 end;
+ byte[] loc64 = new byte[ZIP64_LOCHDR];
+ if (end.endpos < ZIP64_LOCHDR ||
+ readFullyAt(loc64, 0, loc64.length, end.endpos - ZIP64_LOCHDR)
+ != loc64.length ||
+ !locator64SigAt(loc64, 0)) {
+ return end;
+ }
+ long end64pos = ZIP64_LOCOFF(loc64);
+ byte[] end64buf = new byte[ZIP64_ENDHDR];
+ if (readFullyAt(end64buf, 0, end64buf.length, end64pos)
+ != end64buf.length ||
+ !end64SigAt(end64buf, 0)) {
+ return end;
+ }
+ // end64 found,
+ long cenlen64 = ZIP64_ENDSIZ(end64buf);
+ long cenoff64 = ZIP64_ENDOFF(end64buf);
+ long centot64 = ZIP64_ENDTOT(end64buf);
+ // double-check
+ if (cenlen64 != end.cenlen && end.cenlen != ZIP64_MINVAL ||
+ cenoff64 != end.cenoff && end.cenoff != ZIP64_MINVAL ||
+ centot64 != end.centot && end.centot != ZIP64_MINVAL32) {
+ return end;
}
+ // to use the end64 values
+ end.cenlen = cenlen64;
+ end.cenoff = cenoff64;
+ end.centot = (int)centot64; // assume total < 2g
+ end.endpos = end64pos;
return end;
}
}
@@ -1201,7 +1211,7 @@ public class ZipFileSystem extends FileSystem {
// sync the zip file system, if there is any udpate
private void sync() throws IOException {
- //System.out.printf("->sync(%s) starting....!%n", toString());
+ // System.out.printf("->sync(%s) starting....!%n", toString());
// check ex-closer
if (!exChClosers.isEmpty()) {
for (ExChannelCloser ecc : exChClosers) {
@@ -1292,7 +1302,7 @@ public class ZipFileSystem extends FileSystem {
}
end.centot = elist.size();
end.cenlen = written - end.cenoff;
- end.write(os, written);
+ end.write(os, written, forceEnd64);
}
if (!streams.isEmpty()) {
//
@@ -1849,8 +1859,8 @@ public class ZipFileSystem extends FileSystem {
long endpos;
int disktot;
- void write(OutputStream os, long offset) throws IOException {
- boolean hasZip64 = false;
+ void write(OutputStream os, long offset, boolean forceEnd64) throws IOException {
+ boolean hasZip64 = forceEnd64; // false;
long xlen = cenlen;
long xoff = cenoff;
if (xlen >= ZIP64_MINVAL) {
@@ -1875,8 +1885,8 @@ public class ZipFileSystem extends FileSystem {
writeShort(os, 45); // version needed to extract
writeInt(os, 0); // number of this disk
writeInt(os, 0); // central directory start disk
- writeLong(os, centot); // number of directory entires on disk
- writeLong(os, centot); // number of directory entires
+ writeLong(os, centot); // number of directory entries on disk
+ writeLong(os, centot); // number of directory entries
writeLong(os, cenlen); // length of central directory
writeLong(os, cenoff); // offset of central directory
diff --git openjdk.orig/jdk/src/share/native/java/util/zip/zip_util.c openjdk/jdk/src/share/native/java/util/zip/zip_util.c
index 5fd6fea049d..858e5814e92 100644
--- openjdk.orig/jdk/src/share/native/java/util/zip/zip_util.c
+++ openjdk/jdk/src/share/native/java/util/zip/zip_util.c
@@ -385,6 +385,9 @@ findEND64(jzfile *zip, void *end64buf, jlong endpos)
{
char loc64[ZIP64_LOCHDR];
jlong end64pos;
+ if (endpos < ZIP64_LOCHDR) {
+ return -1;
+ }
if (readFullyAt(zip->zfd, loc64, ZIP64_LOCHDR, endpos - ZIP64_LOCHDR) == -1) {
return -1; // end64 locator not found
}
@@ -567,6 +570,7 @@ readCEN(jzfile *zip, jint knownTotal)
{
/* Following are unsigned 32-bit */
jlong endpos, end64pos, cenpos, cenlen, cenoff;
+ jlong cenlen64, cenoff64, centot64;
/* Following are unsigned 16-bit */
jint total, tablelen, i, j;
unsigned char *cenbuf = NULL;
@@ -594,13 +598,20 @@ readCEN(jzfile *zip, jint knownTotal)
cenlen = ENDSIZ(endbuf);
cenoff = ENDOFF(endbuf);
total = ENDTOT(endbuf);
- if (cenlen == ZIP64_MAGICVAL || cenoff == ZIP64_MAGICVAL ||
- total == ZIP64_MAGICCOUNT) {
- unsigned char end64buf[ZIP64_ENDHDR];
- if ((end64pos = findEND64(zip, end64buf, endpos)) != -1) {
- cenlen = ZIP64_ENDSIZ(end64buf);
- cenoff = ZIP64_ENDOFF(end64buf);
- total = (jint)ZIP64_ENDTOT(end64buf);
+ unsigned char end64buf[ZIP64_ENDHDR];
+ if ((end64pos = findEND64(zip, end64buf, endpos)) != -1) {
+ // end64 candidate found,
+ cenlen64 = ZIP64_ENDSIZ(end64buf);
+ cenoff64 = ZIP64_ENDOFF(end64buf);
+ centot64 = ZIP64_ENDTOT(end64buf);
+ // double-check
+ if ((cenlen64 == cenlen || cenlen == ZIP64_MAGICVAL) &&
+ (cenoff64 == cenoff || cenoff == ZIP64_MAGICVAL) &&
+ (centot64 == total || total == ZIP64_MAGICCOUNT)) {
+ // to use the end64 values
+ cenlen = cenlen64;
+ cenoff = cenoff64;
+ total = (jint)centot64;
endpos = end64pos;
endhdrlen = ZIP64_ENDHDR;
}
diff --git openjdk.orig/jdk/test/java/util/zip/ZipFile/ReadZip.java openjdk/jdk/test/java/util/zip/ZipFile/ReadZip.java
index ffe8a8ed712..9b380003893 100644
--- openjdk.orig/jdk/test/java/util/zip/ZipFile/ReadZip.java
+++ openjdk/jdk/test/java/util/zip/ZipFile/ReadZip.java
@@ -22,7 +22,7 @@
*/
/* @test
- * @bug 4241361 4842702 4985614 6646605 5032358 6923692 6233323 8144977 8184993
+ * @bug 4241361 4842702 4985614 6646605 5032358 6923692 6233323 8144977 8184993 8186464
* @summary Make sure we can read a zip file.
@key randomness
* @run main/othervm ReadZip
@@ -31,12 +31,24 @@
*/
import java.io.*;
+import java.net.URI;
import java.nio.file.Files;
+import java.nio.file.FileSystem;
+import java.nio.file.FileSystems;
+import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
import java.util.zip.*;
+import sun.misc.IOUtils;
+
+import static java.nio.charset.StandardCharsets.US_ASCII;
+
public class ReadZip {
private static void unreached (Object o)
throws Exception
@@ -144,8 +156,6 @@ public class ReadZip {
newZip.delete();
}
-
-
// Throw a FNF exception when read a non-existing zip file
try { unreached (new ZipFile(
new File(System.getProperty("test.src", "."),
@@ -153,5 +163,54 @@ public class ReadZip {
+ String.valueOf(new java.util.Random().nextInt())
+ ".zip")));
} catch (FileNotFoundException fnfe) {}
+
+ // read a zip file with ZIP64 end
+ Path path = Paths.get(System.getProperty("test.dir", ""), "end64.zip");
+ try {
+ URI uri = URI.create("jar:" + path.toUri());
+ Map<String, Object> env = new HashMap<>();
+ env.put("create", "true");
+ env.put("forceZIP64End", "true");
+ try (FileSystem fs = FileSystems.newFileSystem(uri, env)) {
+ Files.write(fs.getPath("hello"), "hello".getBytes());
+ }
+ try (ZipFile zf = new ZipFile(path.toFile())) {
+ if (!"hello".equals(new String(IOUtils.readAllBytes(zf.getInputStream(new ZipEntry("hello"))),
+ US_ASCII)))
+ throw new RuntimeException("zipfile: read entry failed");
+ } catch (IOException x) {
+ throw new RuntimeException("zipfile: zip64 end failed");
+ }
+ try (FileSystem fs = FileSystems.newFileSystem(uri, Collections.emptyMap())) {
+ if (!"hello".equals(new String(Files.readAllBytes(fs.getPath("hello")))))
+ throw new RuntimeException("zipfs: read entry failed");
+ } catch (IOException x) {
+ throw new RuntimeException("zipfile: zip64 end failed");
+ }
+ } finally {
+ Files.deleteIfExists(path);
+ }
+
+ // read a zip file created via "echo hello | zip dst.zip -", which uses
+ // ZIP64 end record
+ if (Files.notExists(Paths.get("/usr/bin/zip")))
+ return;
+ try {
+ Process zip = new ProcessBuilder("zip", path.toString().toString(), "-").start();
+ OutputStream os = zip.getOutputStream();
+ os.write("hello".getBytes(US_ASCII));
+ os.close();
+ zip.waitFor();
+ if (zip.exitValue() == 0 && Files.exists(path)) {
+ try (ZipFile zf = new ZipFile(path.toFile())) {
+ if (!"hello".equals(new String(IOUtils.readAllBytes(zf.getInputStream(new ZipEntry("-"))))))
+ throw new RuntimeException("zipfile: read entry failed");
+ } catch (IOException x) {
+ throw new RuntimeException("zipfile: zip64 end failed");
+ }
+ }
+ } finally {
+ Files.deleteIfExists(path);
+ }
}
}

View File

@ -0,0 +1,125 @@
# HG changeset patch
# User mbalao
# Date 1529971845 -28800
# Tue Jun 26 08:10:45 2018 +0800
# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc
# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff
8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
Reviewed-by: valeriep, weijun
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
@@ -197,7 +197,7 @@
if (configDir != null) {
String configDirPath = null;
- String sqlPrefix = "sql:/";
+ String sqlPrefix = "sql:";
if (!configDir.startsWith(sqlPrefix)) {
configDirPath = configDir;
} else {
diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
--- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
+++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
@@ -69,9 +69,14 @@
int res = 0;
FPTR_Initialize initialize =
(FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize");
+ #ifdef SECMOD_DEBUG
+ FPTR_GetError getError =
+ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError");
+ #endif // SECMOD_DEBUG
unsigned int flags = 0x00;
const char *configDir = NULL;
const char *functionName = NULL;
+ const char *configFile = NULL;
/* If we cannot initialize, exit now */
if (initialize == NULL) {
@@ -97,13 +102,18 @@
flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag
}
+ configFile = "secmod.db";
+ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) {
+ configFile = "pkcs11.txt";
+ }
+
/*
* If the NSS_Init function is requested then call NSS_Initialize to
* open the Cert, Key and Security Module databases, read only.
*/
if (strcmp("NSS_Init", functionName) == 0) {
flags = flags | 0x01; // NSS_INIT_READONLY flag
- res = initialize(configDir, "", "", "secmod.db", flags);
+ res = initialize(configDir, "", "", configFile, flags);
/*
* If the NSS_InitReadWrite function is requested then call
@@ -111,7 +121,7 @@
* read/write.
*/
} else if (strcmp("NSS_InitReadWrite", functionName) == 0) {
- res = initialize(configDir, "", "", "secmod.db", flags);
+ res = initialize(configDir, "", "", configFile, flags);
/*
* If the NSS_NoDB_Init function is requested then call
@@ -137,6 +147,13 @@
(*env)->ReleaseStringUTFChars(env, jConfigDir, configDir);
}
dprintf1("-res: %d\n", res);
+ #ifdef SECMOD_DEBUG
+ if (res == -1) {
+ if (getError != NULL) {
+ dprintf1("-NSS error: %d\n", getError());
+ }
+ }
+ #endif // SECMOD_DEBUG
return (res == 0) ? JNI_TRUE : JNI_FALSE;
}
diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
--- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
+++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
@@ -34,6 +34,10 @@
const char *certPrefix, const char *keyPrefix,
const char *secmodName, unsigned int flags);
+#ifdef SECMOD_DEBUG
+typedef int (*FPTR_GetError)(void);
+#endif //SECMOD_DEBUG
+
// in secmod.h
//extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
// PRBool recurse);
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
new file mode 100644
--- /dev/null
+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
@@ -0,0 +1,4 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
--- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java
+++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
@@ -55,7 +55,7 @@
DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb";
if (useSqlite) {
- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR);
+ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR);
} else {
System.setProperty("pkcs11test.nss.db", DBDIR);
}
@@ -67,6 +67,7 @@
if (useSqlite) {
copyFile("key4.db", BASE, DBDIR);
copyFile("cert9.db", BASE, DBDIR);
+ copyFile("pkcs11.txt", BASE, DBDIR);
} else {
copyFile("secmod.db", BASE, DBDIR);
copyFile("key3.db", BASE, DBDIR);

View File

@ -7,11 +7,10 @@
PR3533: HotSpot generates code with unaligned stack, crashes on SSE operations
Summary: Enable -mstackrealign on x86 Linux as well as x86 Mac OS X
diff --git a/common/autoconf/flags.m4 b/common/autoconf/flags.m4
index 113bf367e2..bed030e8d1 100644
--- a/common/autoconf/flags.m4
+++ b/common/autoconf/flags.m4
@@ -451,6 +451,21 @@ AC_DEFUN_ONCE([FLAGS_SETUP_COMPILER_FLAGS_FOR_JDK],
diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/flags.m4
--- openjdk.orig///common/autoconf/flags.m4
+++ openjdk///common/autoconf/flags.m4
@@ -402,6 +402,21 @@
AC_SUBST($2CXXSTD_CXXFLAG)
fi
@ -23,7 +22,7 @@ index 113bf367e2..bed030e8d1 100644
+ # On 32-bit MacOSX the OS requires C-entry points to be 16 byte aligned.
+ # While waiting for a better solution, the current workaround is to use -mstackrealign
+ # This is also required on Linux systems which use libraries compiled with SSE instructions
+ REALIGN_CFLAG="-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
+ REALIGN_CFLAG="-mstackrealign"
+ FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [],
+ AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.])
+ )
@ -33,32 +32,23 @@ index 113bf367e2..bed030e8d1 100644
if test "x$CFLAGS" != "x${ADDED_CFLAGS}"; then
AC_MSG_WARN([Ignoring CFLAGS($CFLAGS) found in environment. Use --with-extra-cflags])
fi
diff --git a/common/autoconf/hotspot-spec.gmk.in b/common/autoconf/hotspot-spec.gmk.in
index 3f86751d2b..f8a271383f 100644
--- a/common/autoconf/hotspot-spec.gmk.in
+++ b/common/autoconf/hotspot-spec.gmk.in
@@ -114,13 +114,14 @@ RC:=@HOTSPOT_RC@
# Retain EXTRA_{CFLAGS,CXXFLAGS,LDFLAGS,ASFLAGS} for the target flags to
# maintain compatibility with the existing Makefiles
EXTRA_CFLAGS=@LEGACY_TARGET_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
+ $(REALIGN_CFLAG)
EXTRA_CXXFLAGS=@LEGACY_TARGET_CXXFLAGS@
EXTRA_LDFLAGS=@LEGACY_TARGET_LDFLAGS@
EXTRA_ASFLAGS=@LEGACY_TARGET_ASFLAGS@
# Define an equivalent set for the host flags (i.e. without sysroot options)
HOST_CFLAGS=@LEGACY_HOST_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
HOST_CXXFLAGS=@LEGACY_HOST_CXXFLAGS@
HOST_LDFLAGS=@LEGACY_HOST_LDFLAGS@
HOST_ASFLAGS=@LEGACY_HOST_ASFLAGS@
diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
index 9573bb2cbd..fe7efc130c 100644
--- a/common/autoconf/spec.gmk.in
+++ b/common/autoconf/spec.gmk.in
@@ -366,6 +366,7 @@ CXXFLAGS_JDKEXE:=@CXXFLAGS_JDKEXE@
diff --git openjdk.orig///common/autoconf/hotspot-spec.gmk.in openjdk///common/autoconf/hotspot-spec.gmk.in
--- openjdk.orig///common/autoconf/hotspot-spec.gmk.in
+++ openjdk///common/autoconf/hotspot-spec.gmk.in
@@ -112,7 +112,8 @@
RC:=@HOTSPOT_RC@
EXTRA_CFLAGS=@LEGACY_EXTRA_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
+ $(REALIGN_CFLAG)
EXTRA_CXXFLAGS=@LEGACY_EXTRA_CXXFLAGS@
EXTRA_LDFLAGS=@LEGACY_EXTRA_LDFLAGS@
EXTRA_ASFLAGS=@LEGACY_EXTRA_ASFLAGS@
diff --git openjdk.orig///common/autoconf/spec.gmk.in openjdk///common/autoconf/spec.gmk.in
--- openjdk.orig///common/autoconf/spec.gmk.in
+++ openjdk///common/autoconf/spec.gmk.in
@@ -366,6 +366,7 @@
NO_DELETE_NULL_POINTER_CHECKS_CFLAG=@NO_DELETE_NULL_POINTER_CHECKS_CFLAG@
NO_LIFETIME_DSE_CFLAG=@NO_LIFETIME_DSE_CFLAG@

View File

@ -0,0 +1,12 @@
diff --git openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
--- openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp
+++ openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
@@ -878,7 +878,7 @@
// open the file
int result;
- RESTARTABLE(::open(filename, oflags), result);
+ RESTARTABLE(::open(filename, oflags, 0), result);
if (result == OS_ERR) {
if (errno == ENOENT) {
THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),

View File

@ -1,13 +0,0 @@
diff --git openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
--- openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
+++ openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
@@ -493,9 +493,6 @@
assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + extra_stack_entries
+ 1), "bad stack limit");
}
-#ifndef SHARK
- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
-#endif // !SHARK
}
// Verify linkages.
interpreterState l = istate;

File diff suppressed because it is too large Load Diff

View File

@ -1,8 +1,6 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssSecmodDirectory = @NSS_SECMOD@
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }

View File

@ -7,11 +7,10 @@
8074839: Resolve disabled warnings for libunpack and the unpack200 binary
Reviewed-by: dholmes, ksrini
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
index bdaf95a2f6a..60c5b4f2a69 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
@@ -63,7 +63,7 @@ struct bytes {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
@@ -63,7 +63,7 @@
bytes res;
res.ptr = ptr + beg;
res.len = end - beg;
@ -20,11 +19,10 @@ index bdaf95a2f6a..60c5b4f2a69 100644
return res;
}
// building C strings inside byte buffers:
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
index 5fbc7261fb3..4c002e779d8 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
@@ -292,7 +292,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_getUnusedInput(JNIEnv *env, jobject
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
@@ -292,7 +292,7 @@
if (uPtr->aborting()) {
THROW_IOE(uPtr->get_abort_message());
@ -33,16 +31,16 @@ index 5fbc7261fb3..4c002e779d8 100644
}
// We have fetched all the files.
@@ -312,7 +312,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
// There's no need to create a new unpacker here if we don't already have one
// just to immediatly free it afterwards.
unpacker* uPtr = get_unpacker(env, pObj, /* noCreate= */ true);
@@ -310,7 +310,7 @@
JNIEXPORT jlong JNICALL
Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
unpacker* uPtr = get_unpacker(env, pObj, false);
- CHECK_EXCEPTION_RETURN_VALUE(uPtr, NULL);
+ CHECK_EXCEPTION_RETURN_VALUE(uPtr, 0);
size_t consumed = uPtr->input_consumed();
// free_unpacker() will set the unpacker field on 'pObj' to null
free_unpacker(env, pObj, uPtr);
@@ -323,6 +323,7 @@ JNIEXPORT jboolean JNICALL
return consumed;
@@ -320,6 +320,7 @@
Java_com_sun_java_util_jar_pack_NativeUnpack_setOption(JNIEnv *env, jobject pObj,
jstring pProp, jstring pValue) {
unpacker* uPtr = get_unpacker(env, pObj);
@ -50,11 +48,10 @@ index 5fbc7261fb3..4c002e779d8 100644
const char* prop = env->GetStringUTFChars(pProp, JNI_FALSE);
CHECK_EXCEPTION_RETURN_VALUE(prop, false);
const char* value = env->GetStringUTFChars(pValue, JNI_FALSE);
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
index 6fbc43a18ae..722c8baaff0 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
@@ -142,31 +142,28 @@ static const char* nbasename(const char* progname) {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
@@ -142,31 +142,28 @@
return progname;
}
@ -104,11 +101,10 @@ index 6fbc43a18ae..722c8baaff0 100644
}
}
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
index a585535c513..8df3fade499 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
@@ -225,9 +225,9 @@ struct entry {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
@@ -222,9 +222,9 @@
}
#ifdef PRODUCT
@ -120,7 +116,7 @@ index a585535c513..8df3fade499 100644
#endif
};
@@ -719,13 +719,13 @@ void unpacker::read_file_header() {
@@ -715,13 +715,13 @@
// Now we can size the whole archive.
// Read everything else into a mega-buffer.
rp = hdr.rp;
@ -138,7 +134,7 @@ index a585535c513..8df3fade499 100644
abort("EOF reading fixed input buffer");
return;
}
@@ -739,7 +739,7 @@ void unpacker::read_file_header() {
@@ -735,7 +735,7 @@
return;
}
input.set(U_NEW(byte, add_size(header_size_0, archive_size, C_SLOP)),
@ -147,7 +143,7 @@ index a585535c513..8df3fade499 100644
CHECK;
assert(input.limit()[0] == 0);
// Move all the bytes we read initially into the real buffer.
@@ -962,13 +962,13 @@ void cpool::init(unpacker* u_, int counts[CONSTANT_Limit]) {
@@ -958,13 +958,13 @@
nentries = next_entry;
// place a limit on future CP growth:
@ -163,7 +159,18 @@ index a585535c513..8df3fade499 100644
// Note that this CP does not include "empty" entries
// for longs and doubles. Those are introduced when
@@ -3694,21 +3694,22 @@ void cpool::computeOutputIndexes() {
@@ -982,8 +982,9 @@
}
// Initialize *all* our entries once
- for (int i = 0 ; i < maxentries ; i++)
+ for (uint i = 0 ; i < maxentries ; i++) {
entries[i].outputIndex = REQUESTED_NONE;
+ }
initGroupIndexes();
// Initialize hashTab to a generous power-of-two size.
@@ -3677,21 +3678,22 @@
unpacker* debug_u;
@ -190,7 +197,7 @@ index a585535c513..8df3fade499 100644
case CONSTANT_Signature:
if (value.b.ptr == null)
return ref(0)->string();
@@ -3728,26 +3729,28 @@ char* entry::string() {
@@ -3711,26 +3713,28 @@
break;
default:
if (nrefs == 0) {
@ -228,11 +235,10 @@ index a585535c513..8df3fade499 100644
}
void print_cp_entries(int beg, int end) {
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
index 4ec595333c4..aad0c971ef2 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
@@ -209,7 +209,7 @@ struct unpacker {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
@@ -209,7 +209,7 @@
byte* rp; // read pointer (< rplimit <= input.limit())
byte* rplimit; // how much of the input block has been read?
julong bytes_read;
@ -241,11 +247,10 @@ index 4ec595333c4..aad0c971ef2 100644
// callback to read at least one byte, up to available input
typedef jlong (*read_input_fn_t)(unpacker* self, void* buf, jlong minlen, jlong maxlen);
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
index da39a589545..1281d8b25c8 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
@@ -81,7 +81,7 @@ void breakpoint() { } // hook for debugger
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
@@ -81,7 +81,7 @@
int assert_failed(const char* p) {
char message[1<<12];
sprintf(message, "@assert failed: %s\n", p);
@ -254,11 +259,10 @@ index da39a589545..1281d8b25c8 100644
breakpoint();
unpack_abort(message);
return 0;
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
index f58c94956c0..343da3e183b 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
@@ -84,7 +84,7 @@ void jar::init(unpacker* u_) {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
@@ -84,7 +84,7 @@
}
// Write data to the ZIP output stream.
@ -267,7 +271,7 @@ index f58c94956c0..343da3e183b 100644
while (len > 0) {
int rc = (int)fwrite(buff, 1, len, jarfp);
if (rc <= 0) {
@@ -323,12 +323,12 @@ void jar::write_central_directory() {
@@ -323,12 +323,12 @@
// Total number of disks (int)
header64[36] = (ushort)SWAP_BYTES(1);
header64[37] = 0;
@ -282,11 +286,10 @@ index f58c94956c0..343da3e183b 100644
PRINTCR((2, "writing zip comment\n"));
// Write the comment.
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
index 14ffc9d65bd..9877f6f68ca 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
@@ -68,8 +68,8 @@ struct jar {
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
@@ -68,8 +68,8 @@
}
// Private Methods

View File

@ -0,0 +1,63 @@
# HG changeset patch
# User andrew
# Date 1459487045 -3600
# Fri Apr 01 06:04:05 2016 +0100
# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b
# Parent 6b81fd2227d14226f2121f2d51b464536925686e
PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
PR3575: System cacerts database handling should not affect jssecacerts
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
@@ -72,7 +72,7 @@
* The preference of the default trusted KeyStore is:
* javax.net.ssl.trustStore
* jssecacerts
- * cacerts
+ * cacerts (system and local)
*/
private static final class TrustStoreDescriptor {
private static final String fileSep = File.separator;
@@ -83,6 +83,10 @@
defaultStorePath + fileSep + "cacerts";
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";
+ /* Check system cacerts DB: /etc/pki/java/cacerts */
+ private static final String systemStore =
+ fileSep + "etc" + fileSep + "pki" +
+ fileSep + "java" + fileSep + "cacerts";
// the trust store name
private final String storeName;
@@ -146,7 +150,8 @@
long temporaryTime = 0L;
if (!"NONE".equals(storePropName)) {
String[] fileNames =
- new String[] {storePropName, defaultStore};
+ new String[] {storePropName,
+ systemStore, defaultStore};
for (String fileName : fileNames) {
File f = new File(fileName);
if (f.isFile() && f.canRead()) {
diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
--- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
@@ -108,9 +108,14 @@
throws Exception
{
String sep = File.separator;
- File file = new File(System.getProperty("java.home") + sep
- + "lib" + sep + "security" + sep
- + "cacerts");
+ /* Check system cacerts DB first; /etc/pki/java/cacerts */
+ File file = new File(sep + "etc" + sep + "pki" + sep
+ + "java" + sep + "cacerts");
+ if (!file.exists()) {
+ file = new File(System.getProperty("java.home") + sep
+ + "lib" + sep + "security" + sep
+ + "cacerts");
+ }
if (!file.exists()) {
return null;
}

View File

@ -1,193 +0,0 @@
diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
index e7b4763db53..0005e56f528 100644
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
@@ -31,6 +31,7 @@ import java.security.*;
import java.security.cert.*;
import java.util.*;
import sun.security.action.*;
+import sun.security.tools.KeyStoreUtil;
import sun.security.validator.TrustStoreUtil;
/**
@@ -68,7 +69,7 @@ final class TrustStoreManager {
* The preference of the default trusted KeyStore is:
* javax.net.ssl.trustStore
* jssecacerts
- * cacerts
+ * cacerts (system and local)
*/
private static final class TrustStoreDescriptor {
private static final String fileSep = File.separator;
@@ -76,7 +77,8 @@ final class TrustStoreManager {
GetPropertyAction.privilegedGetProperty("java.home") +
fileSep + "lib" + fileSep + "security";
private static final String defaultStore =
- defaultStorePath + fileSep + "cacerts";
+ AccessController.doPrivileged((PrivilegedAction<String>) () ->
+ KeyStoreUtil.getCacertsKeyStorePath());
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";
@@ -139,6 +141,10 @@ final class TrustStoreManager {
String storePropPassword = System.getProperty(
"javax.net.ssl.trustStorePassword", "");
+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+ SSLLogger.fine("Default store: " + defaultStore);
+ }
+
String temporaryName = "";
File temporaryFile = null;
long temporaryTime = 0L;
@@ -160,7 +166,7 @@ final class TrustStoreManager {
SSLLogger.isOn("trustmanager")) {
SSLLogger.fine(
"Inaccessible trust store: " +
- storePropName);
+ fileName);
}
}
} else {
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
index fcc77786da1..3a4388964cc 100644
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
@@ -41,6 +41,8 @@ import java.text.Collator;
import java.util.Locale;
import java.util.ResourceBundle;
+import sun.security.util.SecurityProperties;
+
/**
* <p> This class provides several utilities to <code>KeyStore</code>.
*
@@ -54,6 +56,8 @@ public class KeyStoreUtil {
private static final String JKS = "jks";
+ private static final String SYSTEM_CA_CERTS_PROP = "security.systemCACerts";
+
/**
* Returns true if the certificate is self-signed, false otherwise.
*/
@@ -96,16 +100,30 @@ public class KeyStoreUtil {
}
}
+ /**
+ * Returns the path to the cacerts DB
+ */
+ public static String getCacertsKeyStorePath()
+ {
+ // Check system DB first, preferring system property over security one
+ String systemDB = SecurityProperties
+ .privilegedGetOverridable(SYSTEM_CA_CERTS_PROP);
+ if (systemDB != null && !"".equals(systemDB) &&
+ (new File(systemDB)).isFile()) {
+ return systemDB;
+ }
+ String sep = File.separator;
+ return System.getProperty("java.home") + sep
+ + "lib" + sep + "security" + sep + "cacerts";
+ }
+
/**
* Returns the keystore with the configured CA certificates.
*/
public static KeyStore getCacertsKeyStore()
throws Exception
{
- String sep = File.separator;
- File file = new File(System.getProperty("java.home") + sep
- + "lib" + sep + "security" + sep
- + "cacerts");
+ File file = new File(getCacertsKeyStorePath());
if (!file.exists()) {
return null;
}
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
index 681a24b905d..ecb8bc43a6c 100644
--- a/jdk/src/share/lib/security/java.security-aix
+++ b/jdk/src/share/lib/security/java.security-aix
@@ -294,6 +294,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
index 789c19a8cba..2546fdec9b2 100644
--- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux
@@ -307,6 +307,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
index d4da666af3b..1a20027c02b 100644
--- a/jdk/src/share/lib/security/java.security-macosx
+++ b/jdk/src/share/lib/security/java.security-macosx
@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
index 300132384a1..6299e0a3c7b 100644
--- a/jdk/src/share/lib/security/java.security-solaris
+++ b/jdk/src/share/lib/security/java.security-solaris
@@ -295,6 +295,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
index 64db5a5cd1e..823994f3466 100644
--- a/jdk/src/share/lib/security/java.security-windows
+++ b/jdk/src/share/lib/security/java.security-windows
@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.

View File

@ -0,0 +1,158 @@
# HG changeset patch
# User andrew
# Date 1478057514 0
# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
PR3183: Support Fedora/RHEL system crypto policy
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/classes/java/security/Security.java
--- openjdk/jdk/src/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
@@ -43,6 +43,9 @@
* implementation-specific location, which is typically the properties file
* {@code lib/security/java.security} in the Java installation directory.
*
+ * <p>Additional default values of security properties are read from a
+ * system-specific location, if available.</p>
+ *
* @author Benjamin Renaud
*/
@@ -52,6 +55,10 @@
private static final Debug sdebug =
Debug.getInstance("properties");
+ /* System property file*/
+ private static final String SYSTEM_PROPERTIES =
+ "/etc/crypto-policies/back-ends/java.config";
+
/* The java.security properties */
private static Properties props;
@@ -93,6 +100,7 @@
if (sdebug != null) {
sdebug.println("reading security properties file: " +
propFile);
+ sdebug.println(props.toString());
}
} catch (IOException e) {
if (sdebug != null) {
@@ -114,6 +122,31 @@
}
if ("true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-aix
--- openjdk/jdk/src/share/lib/security/java.security-aix Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-aix Wed Nov 02 03:31:54 2016 +0000
@@ -276,6 +276,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=false
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-linux
--- openjdk/jdk/src/share/lib/security/java.security-linux Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-linux Wed Nov 02 03:31:54 2016 +0000
@@ -276,6 +276,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=true
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-macosx
--- openjdk/jdk/src/share/lib/security/java.security-macosx Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-macosx Wed Nov 02 03:31:54 2016 +0000
@@ -279,6 +279,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=false
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-solaris
--- openjdk/jdk/src/share/lib/security/java.security-solaris Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-solaris Wed Nov 02 03:31:54 2016 +0000
@@ -278,6 +278,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=false
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-windows
--- openjdk/jdk/src/share/lib/security/java.security-windows Wed Oct 26 03:51:39 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-windows Wed Nov 02 03:31:54 2016 +0000
@@ -279,6 +279,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=false
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#

View File

@ -0,0 +1,78 @@
# HG changeset patch
# User andrew
# Date 1545198926 0
# Wed Dec 19 05:55:26 2018 +0000
# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
PR3655: Allow use of system crypto policy to be disabled by the user
Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -122,31 +122,6 @@
}
if ("true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
- loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
- }
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
@@ -212,6 +187,33 @@
}
}
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
if (!loadedProps) {
initializeStatic();
if (sdebug != null) {

View File

@ -17,7 +17,7 @@ fi
d=`mktemp -d`
NW=$d/$f
pushd $d
unzip $ORIG
jar xf $ORIG
cat $M
# sed -i "s/Created-By.*/Created-By: 1.7.0/g" $M
sed -i "s/Created-By.*/Created-By: $2/g" $M

View File

@ -0,0 +1,66 @@
diff --git a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
--- openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
@@ -1,5 +1,6 @@
/*
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014 Red Hat Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -61,13 +62,13 @@
private static void checkKeySize(int keysize)
throws InvalidParameterException {
- boolean supported = ((keysize == 2048) || (keysize == 3072) ||
+ boolean supported = ((keysize == 2048) || (keysize == 3072) || (keysize == 4096) ||
((keysize >= 512) && (keysize <= 1024) && ((keysize & 0x3F) == 0)));
if (!supported) {
throw new InvalidParameterException(
"DH key size must be multiple of 64 and range " +
- "from 512 to 1024 (inclusive), or 2048, 3072. " +
+ "from 512 to 1024 (inclusive), or 2048, 3072, 4096. " +
"The specific key size " + keysize + " is not supported");
}
}
diff --git a/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java b/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
--- openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014 Red Hat Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -58,7 +59,7 @@
*/
private enum Sizes {
two56(256), three84(384), five12(512), seven68(768), ten24(1024),
- twenty48(2048);
+ twenty48(2048), forty96(4096);
private final int intSize;
private final BigInteger bigIntValue;
@@ -130,6 +131,19 @@
kp = kpg.generateKeyPair();
checkKeyPair(kp, Sizes.twenty48, Sizes.five12);
+ kpg.initialize(Sizes.forty96.getIntSize());
+ kp = kpg.generateKeyPair();
+ checkKeyPair(kp, Sizes.forty96, Sizes.twenty48);
+
+ publicKey = (DHPublicKey)kp.getPublic();
+ p = publicKey.getParams().getP();
+ g = publicKey.getParams().getG();
+
+ // test w/ all values specified
+ kpg.initialize(new DHParameterSpec(p, g, Sizes.ten24.getIntSize()));
+ kp = kpg.generateKeyPair();
+ checkKeyPair(kp, Sizes.forty96, Sizes.ten24);
+
System.out.println("OK");
}

View File

@ -1,16 +0,0 @@
diff -uNr openjdk-orig/jdk/src/share/classes/java/awt/Toolkit.java jdk8/jdk/src/share/classes/java/awt/Toolkit.java
--- openjdk-orig/jdk/src/share/classes/java/awt/Toolkit.java 2009-01-23 11:59:47.000000000 -0500
+++ jdk8/jdk/src/share/classes/java/awt/Toolkit.java 2009-01-23 12:05:20.000000000 -0500
@@ -883,7 +883,11 @@
return null;
}
});
- loadAssistiveTechnologies();
+ try {
+ loadAssistiveTechnologies();
+ } catch ( AWTError error) {
+ // ignore silently
+ }
}
return toolkit;
}

View File

@ -1,12 +1,11 @@
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
index 9d1c8fe8a8e..a80a3c12abb 100644
--- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux
@@ -74,6 +74,7 @@ security.provider.6=sun.security.jgss.SunProvider
diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
--- openjdk/jdk/src/share/lib/security/java.security-linux Tue May 16 13:29:05 2017 -0700
+++ openjdk/jdk/src/share/lib/security/java.security-linux Tue Jun 06 14:05:12 2017 +0200
@@ -74,6 +74,7 @@
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
+#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# Security providers used when FIPS mode support is active
# Sun Provider SecureRandom seed source.

View File

@ -0,0 +1,208 @@
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -191,27 +191,7 @@
if (disableSystemProps == null &&
"true".equalsIgnoreCase(props.getProperty
("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
- loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
- }
+ loadedProps = loadedProps && SystemConfigurator.configure(props);
}
if (!loadedProps) {
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import java.nio.file.Files;
+import java.nio.file.FileSystems;
+import java.nio.file.Path;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.function.Consumer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import sun.security.util.Debug;
+
+/**
+ * Internal class to align OpenJDK with global crypto-policies.
+ * Called from java.security.Security class initialization,
+ * during startup.
+ *
+ */
+
+class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+ private static final String CRYPTO_POLICIES_BASE_DIR =
+ "/etc/crypto-policies";
+
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+ private static final class SecurityProviderInfo {
+ int number;
+ String key;
+ String value;
+ SecurityProviderInfo(int number, String key, String value) {
+ this.number = number;
+ this.key = key;
+ this.value = value;
+ }
+ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configure(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
+ loadedProps = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties from " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ e.printStackTrace();
+ }
+ }
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+ loadedProps = false;
+ // Remove all security providers
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+ while (i.hasNext()) {
+ Entry<Object, Object> e = i.next();
+ if (((String) e.getKey()).startsWith("security.provider")) {
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
+ i.remove();
+ }
+ }
+ // Add FIPS security providers
+ String fipsProviderValue = null;
+ for (int n = 1;
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
+ String fipsProviderKey = "security.provider." + n;
+ if (sdebug != null) {
+ sdebug.println("Adding provider " + n + ": " +
+ fipsProviderKey + "=" + fipsProviderValue);
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load FIPS configuration");
+ e.printStackTrace();
+ }
+ }
+ return loadedProps;
+ }
+
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (fipsEnabled) {
+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {
+ return false;
+ }
+ }
+}
diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
--- openjdk.orig/jdk/src/share/lib/security/java.security-linux
+++ openjdk/jdk/src/share/lib/security/java.security-linux
@@ -77,6 +77,14 @@
#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
+# Security providers used when global crypto-policies are set to FIPS.
+#
+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
+fips.provider.2=sun.security.provider.Sun
+fips.provider.3=sun.security.ec.SunEC
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
+
+#
# Sun Provider SecureRandom seed source.
#
# Select the primary source of seed data for the "SHA1PRNG" and

View File

@ -1,13 +0,0 @@
--- openjdk/jdk/src/solaris/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100
+++ openjdk/jdk/src/solaris/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100
@@ -48,8 +48,8 @@
private final static String PROP_NAME = "sun.security.smartcardio.library";
- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
+ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
+ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
PlatformPCSC() {

View File

@ -0,0 +1,52 @@
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
@@ -123,6 +123,33 @@
}
props.put(fipsProviderKey, fipsProviderValue);
}
+ // Add other security properties
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
+ if (keystoreTypeValue != null) {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+ // previous keystore.type under FIPS mode. In
+ // a default configuration, the Trust Store will
+ // be 'cacerts' (JKS type).
+ System.setProperty("javax.net.ssl.trustStoreType",
+ nonFipsKeystoreType);
+ }
+ if (sdebug != null) {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
loadedProps = true;
}
} catch (Exception e) {
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
--- openjdk.orig/jdk/src/share/lib/security/java.security-linux Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/jdk/src/share/lib/security/java.security-linux Mon Mar 02 19:20:17 2020 -0300
@@ -179,6 +179,11 @@
keystore.type=jks
#
+# Default keystore type used when global crypto-policies are set to FIPS.
+#
+fips.keystore.type=PKCS11
+
+#
# Controls compatibility mode for the JKS keystore type.
#
# When set to 'true', the JKS keystore type supports loading

View File

@ -0,0 +1,327 @@
diff -r bbc65dfa59d1 src/share/classes/java/security/SystemConfigurator.java
--- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
@@ -1,11 +1,13 @@
/*
- * Copyright (c) 2019, Red Hat, Inc.
+ * Copyright (c) 2019, 2020, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
@@ -34,10 +36,10 @@
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.function.Consumer;
-import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import sun.misc.SharedSecrets;
+import sun.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
/**
@@ -47,7 +49,7 @@
*
*/
-class SystemConfigurator {
+final class SystemConfigurator {
private static final Debug sdebug =
Debug.getInstance("properties");
@@ -61,15 +63,16 @@
private static final String CRYPTO_POLICIES_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/config";
- private static final class SecurityProviderInfo {
- int number;
- String key;
- String value;
- SecurityProviderInfo(int number, String key, String value) {
- this.number = number;
- this.key = key;
- this.value = value;
- }
+ private static boolean systemFipsEnabled = false;
+
+ static {
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
}
/*
@@ -128,9 +131,9 @@
String nonFipsKeystoreType = props.getProperty("keystore.type");
props.put("keystore.type", keystoreTypeValue);
if (keystoreTypeValue.equals("PKCS11")) {
- // If keystore.type is PKCS11, javax.net.ssl.keyStore
- // must be "NONE". See JDK-8238264.
- System.setProperty("javax.net.ssl.keyStore", "NONE");
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
}
if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
// If no trustStoreType has been set, use the
@@ -144,12 +147,13 @@
sdebug.println("FIPS mode default keystore.type = " +
keystoreTypeValue);
sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
- System.getProperty("javax.net.ssl.keyStore", ""));
+ System.getProperty("javax.net.ssl.keyStore", ""));
sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
System.getProperty("javax.net.ssl.trustStoreType", ""));
}
}
loadedProps = true;
+ systemFipsEnabled = true;
}
} catch (Exception e) {
if (sdebug != null) {
@@ -165,20 +165,37 @@
return loadedProps;
}
+ /**
+ * Returns whether or not global system FIPS alignment is enabled.
+ *
+ * Value is always 'false' before java.security.Security class is
+ * initialized.
+ *
+ * Call from out of this package through SharedSecrets:
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ * .isSystemFipsEnabled();
+ *
+ * @return a boolean value indicating whether or not global
+ * system FIPS alignment is enabled.
+ */
+ static boolean isSystemFipsEnabled() {
+ return systemFipsEnabled;
+ }
+
/*
* FIPS is enabled only if crypto-policies are set to "FIPS"
* and the com.redhat.fips property is true.
*/
private static boolean enableFips() throws Exception {
- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (fipsEnabled) {
- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
- return pattern.matcher(cryptoPoliciesConfig).find();
- } else {
- return false;
- }
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {
+ return false;
+ }
}
}
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.misc;
+
+public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
+}
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
@@ -63,6 +63,7 @@
private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
public static JavaUtilJarAccess javaUtilJarAccess() {
if (javaUtilJarAccess == null) {
@@ -248,4 +249,12 @@
}
return javaxCryptoSealedObjectAccess;
}
+
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
+ javaSecuritySystemConfiguratorAccess = jssca;
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ return javaSecuritySystemConfiguratorAccess;
+ }
}
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -31,6 +31,7 @@
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
+import sun.misc.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
@@ -539,20 +540,38 @@
static {
if (SunJSSE.isFIPS()) {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- );
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
- serverDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ }
} else {
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
@@ -612,6 +631,16 @@
static ProtocolVersion[] getSupportedProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
@@ -939,6 +968,16 @@
static ProtocolVersion[] getProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[]{
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
@@ -30,6 +30,8 @@
import java.security.*;
+import sun.misc.SharedSecrets;
+
/**
* The JSSE provider.
*
@@ -215,8 +217,13 @@
"sun.security.ssl.SSLContextImpl$TLS11Context");
put("SSLContext.TLSv1.2",
"sun.security.ssl.SSLContextImpl$TLS12Context");
- put("SSLContext.TLSv1.3",
- "sun.security.ssl.SSLContextImpl$TLS13Context");
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ put("SSLContext.TLSv1.3",
+ "sun.security.ssl.SSLContextImpl$TLS13Context");
+ }
put("SSLContext.TLS",
"sun.security.ssl.SSLContextImpl$TLSContext");
if (isfips == false) {

View File

@ -0,0 +1,65 @@
# HG changeset patch
# User andrew
# Date 1608219816 0
# Thu Dec 17 15:43:36 2020 +0000
# Node ID db5d1b28bfce04352b3a48960bf836f6eb20804b
# Parent a2cfa397150e99b813354226d536eb8509b5850b
RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -30,6 +30,8 @@
import java.util.concurrent.ConcurrentHashMap;
import java.io.*;
import java.net.URL;
+import sun.misc.SharedSecrets;
+import sun.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
import sun.security.util.PropertyExpander;
@@ -69,6 +71,15 @@
}
static {
+ // Initialise here as used by code with system properties disabled
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
+
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -39,8 +39,6 @@
import java.util.Properties;
import java.util.regex.Pattern;
-import sun.misc.SharedSecrets;
-import sun.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
/**
@@ -66,16 +64,6 @@
private static boolean systemFipsEnabled = false;
- static {
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
- new JavaSecuritySystemConfiguratorAccess() {
- @Override
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
- });
- }
-
/*
* Invoked when java.security.Security class is initialized, if
* java.security.disableSystemPropertiesFile property is not set and

View File

@ -0,0 +1,344 @@
diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk
--- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk
+++ openjdk/jdk/make/lib/SecurityLibraries.gmk
@@ -289,3 +289,34 @@
endif
endif
+
+################################################################################
+# Create the systemconf library
+
+LIBSYSTEMCONF_CFLAGS :=
+LIBSYSTEMCONF_CXXFLAGS :=
+
+ifeq ($(USE_SYSCONF_NSS), true)
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+endif
+
+ifeq ($(OPENJDK_BUILD_OS), linux)
+ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
+ LIBRARY := systemconf, \
+ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
+ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
+ LANG := C, \
+ OPTIMIZATION := LOW, \
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
+ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
+ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
+ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
+ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
+
+ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
+endif
+
diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
new file mode 100644
--- /dev/null
+++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
@@ -0,0 +1,35 @@
+#
+# Copyright (c) 2021, Red Hat, Inc.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# Define public interface.
+
+SUNWprivate_1.1 {
+ global:
+ DEF_JNI_OnLoad;
+ DEF_JNI_OnUnLoad;
+ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
+ local:
+ *;
+};
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, 2020, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@@ -30,14 +30,9 @@
import java.io.FileInputStream;
import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.FileSystems;
-import java.nio.file.Path;
-
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.regex.Pattern;
import sun.security.util.Debug;
@@ -59,10 +54,21 @@
private static final String CRYPTO_POLICIES_JAVA_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
+ private static boolean systemFipsEnabled = false;
+
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
+ private static native boolean getSystemFIPSEnabled()
+ throws IOException;
- private static boolean systemFipsEnabled = false;
+ static {
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
+ return null;
+ }
+ });
+ }
/*
* Invoked when java.security.Security class is initialized, if
@@ -171,17 +177,34 @@
}
/*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
+ * system property is true (default) and the system is in FIPS mode.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
*/
- private static boolean enableFips() throws Exception {
+ private static boolean enableFips() throws IOException {
boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
if (shouldEnable) {
- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
- return pattern.matcher(cryptoPoliciesConfig).find();
+ if (sdebug != null) {
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
+ }
+ try {
+ shouldEnable = getSystemFIPSEnabled();
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
+ + shouldEnable);
+ }
+ return shouldEnable;
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
+ sdebug.println(e.getMessage());
+ }
+ throw e;
+ }
} else {
return false;
}
diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <dlfcn.h>
+#include <jni.h>
+#include <jni_util.h>
+#include <stdio.h>
+
+#ifdef SYSCONF_NSS
+#include <nss3/pk11pub.h>
+#endif //SYSCONF_NSS
+
+#include "java_security_SystemConfigurator.h"
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+#define MSG_MAX_SIZE 96
+
+static jmethodID debugPrintlnMethodID = NULL;
+static jobject debugObj = NULL;
+
+static void throwIOException(JNIEnv *env, const char *msg);
+static void dbgPrint(JNIEnv *env, const char* msg);
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnLoad
+ */
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+ jclass sysConfCls, debugCls;
+ jfieldID sdebugFld;
+
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return JNI_EVERSION; /* JNI version not supported */
+ }
+
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
+ if (sysConfCls == NULL) {
+ printf("libsystemconf: SystemConfigurator class not found\n");
+ return JNI_ERR;
+ }
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
+ "sdebug", "Lsun/security/util/Debug;");
+ if (sdebugFld == NULL) {
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
+ if (debugObj != NULL) {
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
+ if (debugCls == NULL) {
+ printf("libsystemconf: Debug class not found\n");
+ return JNI_ERR;
+ }
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
+ "println", "(Ljava/lang/String;)V");
+ if (debugPrintlnMethodID == NULL) {
+ printf("libsystemconf: Debug::println(String) method not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
+ return (*env)->GetVersion(env);
+}
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnUnload
+ */
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+
+ if (debugObj != NULL) {
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+}
+
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
+ (JNIEnv *env, jclass cls)
+{
+ int fips_enabled;
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+#ifdef SYSCONF_NSS
+
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " SECMOD_GetSystemFIPSEnabled return value");
+ }
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+
+#else // SYSCONF_NSS
+
+ FILE *fe;
+
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " read character");
+ }
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+
+#endif // SYSCONF_NSS
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}

View File

@ -0,0 +1,152 @@
diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac
--- openjdk.orig/common/autoconf/configure.ac
+++ openjdk/common/autoconf/configure.ac
@@ -212,6 +212,7 @@
LIB_SETUP_ALSA
LIB_SETUP_FONTCONFIG
LIB_SETUP_MISC_LIBS
+LIB_SETUP_SYSCONF_LIBS
LIB_SETUP_STATIC_LINK_LIBSTDCPP
LIB_SETUP_ON_WINDOWS
diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
--- openjdk.orig/common/autoconf/libraries.m4
+++ openjdk/common/autoconf/libraries.m4
@@ -1067,3 +1067,63 @@
BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
fi
])
+
+################################################################################
+# Setup system configuration libraries
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
+[
+ ###############################################################################
+ #
+ # Check for the NSS library
+ #
+
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
+
+ # default is not available
+ DEFAULT_SYSCONF_NSS=no
+
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
+ [
+ case "${enableval}" in
+ yes)
+ sysconf_nss=yes
+ ;;
+ *)
+ sysconf_nss=no
+ ;;
+ esac
+ ],
+ [
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
+ ])
+ AC_MSG_RESULT([$sysconf_nss])
+
+ USE_SYSCONF_NSS=false
+ if test "x${sysconf_nss}" = "xyes"; then
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = "xyes"; then
+ AC_MSG_CHECKING([for system FIPS support in NSS])
+ saved_libs="${LIBS}"
+ saved_cflags="${CFLAGS}"
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+ LIBS="${LIBS} ${NSS_LIBS}"
+ AC_LANG_PUSH([C])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
+ [[SECMOD_GetSystemFIPSEnabled()]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
+ AC_LANG_POP([C])
+ CFLAGS="${saved_cflags}"
+ LIBS="${saved_libs}"
+ USE_SYSCONF_NSS=true
+ else
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
+ dnl in nss3/pk11pub.h.
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
+ fi
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in
--- openjdk.orig/common/autoconf/spec.gmk.in
+++ openjdk/common/autoconf/spec.gmk.in
@@ -312,6 +312,10 @@
ALSA_LIBS:=@ALSA_LIBS@
ALSA_CFLAGS:=@ALSA_CFLAGS@
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@
+
PACKAGE_PATH=@PACKAGE_PATH@
# Source file for cacerts
diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl
--- openjdk.orig/common/bin/compare_exceptions.sh.incl
+++ openjdk/common/bin/compare_exceptions.sh.incl
@@ -280,6 +280,7 @@
./jre/lib/i386/libsplashscreen.so
./jre/lib/i386/libsunec.so
./jre/lib/i386/libsunwjdga.so
+./jre/lib/i386/libsystemconf.so
./jre/lib/i386/libt2k.so
./jre/lib/i386/libunpack.so
./jre/lib/i386/libverify.so
@@ -433,6 +434,7 @@
./jre/lib/amd64/libsplashscreen.so
./jre/lib/amd64/libsunec.so
./jre/lib/amd64/libsunwjdga.so
+//jre/lib/amd64/libsystemconf.so
./jre/lib/amd64/libt2k.so
./jre/lib/amd64/libunpack.so
./jre/lib/amd64/libverify.so
@@ -587,6 +589,7 @@
./jre/lib/sparc/libsplashscreen.so
./jre/lib/sparc/libsunec.so
./jre/lib/sparc/libsunwjdga.so
+./jre/lib/sparc/libsystemconf.so
./jre/lib/sparc/libt2k.so
./jre/lib/sparc/libunpack.so
./jre/lib/sparc/libverify.so
@@ -741,6 +744,7 @@
./jre/lib/sparcv9/libsplashscreen.so
./jre/lib/sparcv9/libsunec.so
./jre/lib/sparcv9/libsunwjdga.so
+./jre/lib/sparcv9/libsystemconf.so
./jre/lib/sparcv9/libt2k.so
./jre/lib/sparcv9/libunpack.so
./jre/lib/sparcv9/libverify.so
diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml
--- openjdk.orig/common/nb_native/nbproject/configurations.xml
+++ openjdk/common/nb_native/nbproject/configurations.xml
@@ -53,6 +53,9 @@
<in>jvmtiEnterTrace.cpp</in>
</df>
</df>
+ <df name="libsystemconf">
+ <in>systemconf.c</in>
+ </df>
</df>
</df>
<df name="jdk">
@@ -12772,6 +12775,11 @@
tool="0"
flavor2="0">
</item>
+ <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
+ ex="false"
+ tool="0"
+ flavor2="0">
+ </item>
<item path="../../jdk/src/share/native/java/util/TimeZone.c"
ex="false"
tool="0"

View File

@ -0,0 +1,55 @@
# HG changeset patch
# User mbalao
# Date 1630103180 -3600
# Fri Aug 27 23:26:20 2021 +0100
# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
# Parent c90394a76ee02a689f95199559d5724824b4b25e
RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,8 @@
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
+import sun.misc.SharedSecrets;
+
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
@@ -58,6 +60,9 @@
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -368,6 +373,24 @@
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException

View File

@ -16,7 +16,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenan
Atomic::add(val, &_sum);
- int mag = log2_intptr(val) + 1;
+ int mag = log2_long(val) + 1;
+ int mag = log2_intptr((uintptr_t)val) + 1;
// Defensively saturate for product bits:
if (mag < 0) {

File diff suppressed because it is too large Load Diff