Compare commits
No commits in common. "c8" and "imports/c9-beta/java-1.8.0-openjdk-1.8.0.312.b01-0.1.ea.el9" have entirely different histories.
c8
...
imports/c9
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/shenandoah8u432-b06.tar.xz
|
||||
SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b01-4curve.tar.xz
|
||||
SOURCES/tapsets-icedtea-3.15.0.tar.xz
|
||||
|
@ -1,2 +1,2 @@
|
||||
af2d3b85c48ecc8c22188ac687e6160658ef6aca SOURCES/shenandoah8u432-b06.tar.xz
|
||||
82ec3762fba3987e1440e069427a7d4be9f367d7 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b01-4curve.tar.xz
|
||||
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
|
||||
|
1842
SOURCES/NEWS
1842
SOURCES/NEWS
File diff suppressed because it is too large
Load Diff
@ -1,34 +1,8 @@
|
||||
OpenJDK 8 is a Long-Term Support (LTS) release of the Java platform.
|
||||
Package of LTS OpenJDK 8
|
||||
OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. This package is designed to harbore them. Currently it is build on openJDK 10. LTSs (next is 11) will go as separate packages.
|
||||
|
||||
For a list of major changes in OpenJDK 8 (java-1.8.0-openjdk), see the
|
||||
upstream release page: https://openjdk.org/projects/jdk8/features
|
||||
JDK8 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/8/ and is landing to your RHEL. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives.
|
||||
|
||||
# Rebuilding the OpenJDK package
|
||||
See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
|
||||
See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf
|
||||
|
||||
The OpenJDK packages are now created from a single build which is then
|
||||
packaged for different major versions of Red Hat Enterprise Linux
|
||||
(RHEL). This allows the OpenJDK team to focus their efforts on the
|
||||
development and testing of this single build, rather than having
|
||||
multiple builds which only differ by the platform they were built on.
|
||||
|
||||
This does make rebuilding the package slightly more complicated than a
|
||||
normal package. Modifications should be made to the
|
||||
`java-1.8.0-openjdk-portable.specfile` file, which can be found with
|
||||
this README file in the source RPM or installed in the documentation
|
||||
tree by the `java-1.8.0-openjdk-headless` RPM.
|
||||
|
||||
Once the modified `java-1.8.0-openjdk-portable` RPMs are built, they
|
||||
should be installed and will produce a number of tarballs in the
|
||||
`/usr/lib/jvm` directory. The `java-1.8.0-openjdk` RPMs can then be
|
||||
built, which will use these tarballs to create the usual RPMs found in
|
||||
RHEL. The `java-1.8.0-openjdk-portable` RPMs can be uninstalled once
|
||||
the desired final RPMs are produced.
|
||||
|
||||
Note that the `java-1.8.0-openjdk.spec` file has a hard requirement on
|
||||
the exact version of java-1.8.0-openjdk-portable to use, so this will
|
||||
need to be modified if the version or rpmrelease values are changed in
|
||||
`java-1.8.0-openjdk-portable.specfile`.
|
||||
|
||||
To reduce the number of RPMs involved, the `fastdebug` and `slowdebug`
|
||||
builds may be disabled using `--without fastdebug` and `--without
|
||||
slowdebug`.
|
||||
|
@ -1,20 +1,3 @@
|
||||
/* TestSecurityProperties -- Ensure system security properties can be used to
|
||||
enable the crypto policies.
|
||||
Copyright (C) 2022 Red Hat, Inc.
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU Affero General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU Affero General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Affero General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.security.Security;
|
||||
@ -26,59 +9,35 @@ public class TestSecurityProperties {
|
||||
// JDK 8
|
||||
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
|
||||
|
||||
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
|
||||
|
||||
private static final String MSG_PREFIX = "DEBUG: ";
|
||||
|
||||
public static void main(String[] args) {
|
||||
if (args.length == 0) {
|
||||
System.err.println("TestSecurityProperties <true|false>");
|
||||
System.err.println("Invoke with 'true' if system security properties should be enabled.");
|
||||
System.err.println("Invoke with 'false' if system security properties should be disabled.");
|
||||
System.exit(1);
|
||||
}
|
||||
boolean enabled = Boolean.valueOf(args[0]);
|
||||
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
|
||||
Properties jdkProps = new Properties();
|
||||
loadProperties(jdkProps);
|
||||
if (enabled) {
|
||||
loadPolicy(jdkProps);
|
||||
}
|
||||
for (Object key: jdkProps.keySet()) {
|
||||
String sKey = (String)key;
|
||||
String securityVal = Security.getProperty(sKey);
|
||||
String jdkSecVal = jdkProps.getProperty(sKey);
|
||||
if (!securityVal.equals(jdkSecVal)) {
|
||||
String msg = "Expected value '" + jdkSecVal + "' for key '" +
|
||||
String msg = "Expected value '" + jdkSecVal + "' for key '" +
|
||||
sKey + "'" + " but got value '" + securityVal + "'";
|
||||
throw new RuntimeException("Test failed! " + msg);
|
||||
} else {
|
||||
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
|
||||
System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
|
||||
}
|
||||
}
|
||||
System.out.println("TestSecurityProperties PASSED!");
|
||||
}
|
||||
|
||||
|
||||
private static void loadProperties(Properties props) {
|
||||
String javaVersion = System.getProperty("java.version");
|
||||
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
|
||||
System.out.println("Debug: Java version is " + javaVersion);
|
||||
String propsFile = JDK_PROPS_FILE_JDK_11;
|
||||
if (javaVersion.startsWith("1.8.0")) {
|
||||
propsFile = JDK_PROPS_FILE_JDK_8;
|
||||
}
|
||||
try (FileInputStream fin = new FileInputStream(propsFile)) {
|
||||
try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
|
||||
props.load(fin);
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Test failed!", e);
|
||||
}
|
||||
}
|
||||
|
||||
private static void loadPolicy(Properties props) {
|
||||
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
|
||||
props.load(fin);
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Test failed!", e);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -1,160 +0,0 @@
|
||||
/* TestTranslations -- Ensure translations are available for new timezones
|
||||
Copyright (C) 2022 Red Hat, Inc.
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU Affero General Public License as
|
||||
published by the Free Software Foundation, either version 3 of the
|
||||
License, or (at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU Affero General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Affero General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
import java.text.DateFormatSymbols;
|
||||
|
||||
import java.time.ZoneId;
|
||||
import java.time.format.TextStyle;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.Locale;
|
||||
import java.util.Objects;
|
||||
import java.util.TimeZone;
|
||||
|
||||
public class TestTranslations {
|
||||
|
||||
private static Map<Locale,String[]> KYIV, CIUDAD_JUAREZ;
|
||||
|
||||
static {
|
||||
Map<Locale,String[]> map = new HashMap<Locale,String[]>();
|
||||
map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET",
|
||||
"Eastern European Summer Time", "GMT+03:00", "EEST",
|
||||
"Eastern European Time", "GMT+02:00", "EET"});
|
||||
map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET",
|
||||
"Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST",
|
||||
"Heure d'Europe de l'Est", "UTC+02:00", "EET"});
|
||||
map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ",
|
||||
"Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
|
||||
"Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
|
||||
KYIV = Collections.unmodifiableMap(map);
|
||||
|
||||
map = new HashMap<Locale,String[]>();
|
||||
map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
|
||||
"Mountain Daylight Time", "MDT", "MDT",
|
||||
"Mountain Time", "MT", "MT"});
|
||||
map.put(Locale.FRANCE, new String[] { "Heure normale des Rocheuses", "UTC\u221207:00", "MST",
|
||||
"Heure avanc\u00e9e des Rocheuses", "UTC\u221206:00", "MDT",
|
||||
"Rocheuses", "UTC\u221207:00", "MT"});
|
||||
map.put(Locale.GERMANY, new String[] { "Rocky Mountains Normalzeit", "GMT-07:00", "MST",
|
||||
"Rocky Mountains Sommerzeit", "GMT-06:00", "MDT",
|
||||
"Zeitzone Mountain", "GMT-07:00", "MT"});
|
||||
CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
|
||||
}
|
||||
|
||||
|
||||
public static void main(String[] args) {
|
||||
if (args.length < 1) {
|
||||
System.err.println("Test must be started with the name of the locale provider.");
|
||||
System.exit(1);
|
||||
}
|
||||
|
||||
System.out.println("Checking sanity of full zone string set...");
|
||||
boolean invalid = Arrays.stream(Locale.getAvailableLocales())
|
||||
.peek(l -> System.out.println("Locale: " + l))
|
||||
.map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
|
||||
.flatMap(zs -> Arrays.stream(zs))
|
||||
.flatMap(names -> Arrays.stream(names))
|
||||
.filter(name -> Objects.isNull(name) || name.isEmpty())
|
||||
.findAny()
|
||||
.isPresent();
|
||||
if (invalid) {
|
||||
System.err.println("Zone string for a locale returned null or empty string");
|
||||
System.exit(2);
|
||||
}
|
||||
|
||||
String localeProvider = args[0];
|
||||
testZone(localeProvider, KYIV,
|
||||
new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
|
||||
testZone(localeProvider, CIUDAD_JUAREZ,
|
||||
new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
|
||||
}
|
||||
|
||||
private static void testZone(String localeProvider, Map<Locale,String[]> exp, String[] ids) {
|
||||
for (Locale l : exp.keySet()) {
|
||||
String[] expected = exp.get(l);
|
||||
System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
|
||||
for (String id : ids) {
|
||||
String expectedShortStd = null;
|
||||
String expectedShortDST = null;
|
||||
String expectedShortGen = null;
|
||||
|
||||
System.out.printf("Checking locale %s for %s...\n", l, id);
|
||||
|
||||
if ("JRE".equals(localeProvider)) {
|
||||
expectedShortStd = expected[2];
|
||||
expectedShortDST = expected[5];
|
||||
expectedShortGen = expected[8];
|
||||
} else if ("CLDR".equals(localeProvider)) {
|
||||
expectedShortStd = expected[1];
|
||||
expectedShortDST = expected[4];
|
||||
expectedShortGen = expected[7];
|
||||
} else {
|
||||
System.err.printf("Invalid locale provider %s\n", localeProvider);
|
||||
System.exit(3);
|
||||
}
|
||||
System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
|
||||
localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
|
||||
|
||||
String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
|
||||
String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
|
||||
String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
|
||||
String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
|
||||
String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
|
||||
String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
|
||||
|
||||
if (!expected[0].equals(longStd)) {
|
||||
System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
|
||||
id, l, longStd, expected[0]);
|
||||
System.exit(4);
|
||||
}
|
||||
|
||||
if (!expectedShortStd.equals(shortStd)) {
|
||||
System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
|
||||
id, l, shortStd, expectedShortStd);
|
||||
System.exit(5);
|
||||
}
|
||||
|
||||
if (!expected[3].equals(longDST)) {
|
||||
System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
|
||||
id, l, longDST, expected[3]);
|
||||
System.exit(6);
|
||||
}
|
||||
|
||||
if (!expectedShortDST.equals(shortDST)) {
|
||||
System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
|
||||
id, l, shortDST, expectedShortDST);
|
||||
System.exit(7);
|
||||
}
|
||||
|
||||
if (!expected[6].equals(longGen)) {
|
||||
System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
|
||||
id, l, longGen, expected[6]);
|
||||
System.exit(8);
|
||||
}
|
||||
|
||||
if (!expectedShortGen.equals(shortGen)) {
|
||||
System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
|
||||
id, l, shortGen, expectedShortGen);
|
||||
System.exit(9);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
File diff suppressed because it is too large
Load Diff
74
SOURCES/java-1.8.0-openjdk-gcc11.patch
Normal file
74
SOURCES/java-1.8.0-openjdk-gcc11.patch
Normal file
@ -0,0 +1,74 @@
|
||||
diff --git a/openjdk/hotspot/src/share/vm/adlc/adlparse.cpp b/openjdk/hotspot/src/share/vm/adlc/adlparse.cpp
|
||||
index 31955ff7..6dcd90ac 100644
|
||||
--- openjdk/hotspot/src/share/vm/adlc/adlparse.cpp
|
||||
+++ openjdk/hotspot/src/share/vm/adlc/adlparse.cpp
|
||||
@@ -4564,7 +4564,7 @@ char *ADLParser::get_paren_expr(const char *description, bool include_location)
|
||||
// string(still inside the file buffer). Returns a pointer to the string or
|
||||
// NULL if some other token is found instead.
|
||||
char *ADLParser::get_ident_common(bool do_preproc) {
|
||||
- register char c;
|
||||
+ char c;
|
||||
char *start; // Pointer to start of token
|
||||
char *end; // Pointer to end of token
|
||||
|
||||
@@ -4762,7 +4762,7 @@ char *ADLParser::get_unique_ident(FormDict& dict, const char* nameDescription){
|
||||
// invokes a parse_err if the next token is not an integer.
|
||||
// This routine does not leave the integer null-terminated.
|
||||
int ADLParser::get_int(void) {
|
||||
- register char c;
|
||||
+ char c;
|
||||
char *start; // Pointer to start of token
|
||||
char *end; // Pointer to end of token
|
||||
int result; // Storage for integer result
|
||||
diff --git a/openjdk/hotspot/src/share/vm/adlc/arena.cpp b/openjdk/hotspot/src/share/vm/adlc/arena.cpp
|
||||
index d7e4fc6e..406187ae 100644
|
||||
--- openjdk/hotspot/src/share/vm/adlc/arena.cpp
|
||||
+++ openjdk/hotspot/src/share/vm/adlc/arena.cpp
|
||||
@@ -79,7 +79,7 @@ Arena::Arena( Arena *a )
|
||||
// Total of all Chunks in arena
|
||||
size_t Arena::used() const {
|
||||
size_t sum = _chunk->_len - (_max-_hwm); // Size leftover in this Chunk
|
||||
- register Chunk *k = _first;
|
||||
+ Chunk *k = _first;
|
||||
while( k != _chunk) { // Whilst have Chunks in a row
|
||||
sum += k->_len; // Total size of this Chunk
|
||||
k = k->_next; // Bump along to next Chunk
|
||||
@@ -93,7 +93,7 @@ void* Arena::grow( size_t x ) {
|
||||
// Get minimal required size. Either real big, or even bigger for giant objs
|
||||
size_t len = max(x, Chunk::size);
|
||||
|
||||
- register Chunk *k = _chunk; // Get filled-up chunk address
|
||||
+ Chunk *k = _chunk; // Get filled-up chunk address
|
||||
_chunk = new (len) Chunk(len);
|
||||
|
||||
if( k ) k->_next = _chunk; // Append new chunk to end of linked list
|
||||
diff --git a/openjdk/hotspot/src/share/vm/adlc/dict2.cpp b/openjdk/hotspot/src/share/vm/adlc/dict2.cpp
|
||||
index f341a2b6..2dc60b25 100644
|
||||
--- openjdk/hotspot/src/share/vm/adlc/dict2.cpp
|
||||
+++ openjdk/hotspot/src/share/vm/adlc/dict2.cpp
|
||||
@@ -283,9 +283,9 @@ void Dict::print(PrintKeyOrValue print_key, PrintKeyOrValue print_value) {
|
||||
// limited to MAXID characters in length. Experimental evidence on 150K of
|
||||
// C text shows excellent spreading of values for any size hash table.
|
||||
int hashstr(const void *t) {
|
||||
- register char c, k = 0;
|
||||
- register int sum = 0;
|
||||
- register const char *s = (const char *)t;
|
||||
+ char c, k = 0;
|
||||
+ int sum = 0;
|
||||
+ const char *s = (const char *)t;
|
||||
|
||||
while (((c = s[k]) != '\0') && (k < MAXID-1)) { // Get characters till nul
|
||||
c = (char) ((c << 1) + 1); // Characters are always odd!
|
||||
diff --git a/openjdk/hotspot/src/share/vm/adlc/main.cpp b/openjdk/hotspot/src/share/vm/adlc/main.cpp
|
||||
index 52044f12..40bcda74 100644
|
||||
--- openjdk/hotspot/src/share/vm/adlc/main.cpp
|
||||
+++ openjdk/hotspot/src/share/vm/adlc/main.cpp
|
||||
@@ -58,7 +58,7 @@ int main(int argc, char *argv[])
|
||||
|
||||
// Read command line arguments and file names
|
||||
for( int i = 1; i < argc; i++ ) { // For all arguments
|
||||
- register char *s = argv[i]; // Get option/filename
|
||||
+ char *s = argv[i]; // Get option/filename
|
||||
|
||||
if( *s++ == '-' ) { // It's a flag? (not a filename)
|
||||
if( !*s ) { // Stand-alone `-' means stdin
|
File diff suppressed because it is too large
Load Diff
@ -1,286 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User sherman
|
||||
# Date 1505950914 25200
|
||||
# Wed Sep 20 16:41:54 2017 -0700
|
||||
# Node ID 723486922bfe4c17e3f5c067ce5e97229842fbcd
|
||||
# Parent c8ac05bbe47771b3dafa2e7fc9a95d86d68d7c07
|
||||
8186464: ZipFile cannot read some InfoZip ZIP64 zip files
|
||||
Reviewed-by: martin
|
||||
|
||||
diff --git openjdk.orig/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java openjdk/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java
|
||||
index 26e2a5bf9e9..2630c118817 100644
|
||||
--- openjdk.orig/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java
|
||||
+++ openjdk/jdk/src/share/demo/nio/zipfs/src/com/sun/nio/zipfs/ZipFileSystem.java
|
||||
@@ -92,6 +92,7 @@ public class ZipFileSystem extends FileSystem {
|
||||
private final boolean createNew; // create a new zip if not exists
|
||||
private static final boolean isWindows =
|
||||
System.getProperty("os.name").startsWith("Windows");
|
||||
+ private final boolean forceEnd64;
|
||||
|
||||
// a threshold, in bytes, to decide whether to create a temp file
|
||||
// for outputstream of a zip entry
|
||||
@@ -112,12 +113,13 @@ public class ZipFileSystem extends FileSystem {
|
||||
if (this.defaultDir.charAt(0) != '/')
|
||||
throw new IllegalArgumentException("default dir should be absolute");
|
||||
|
||||
+ this.forceEnd64 = "true".equals(env.get("forceZIP64End"));
|
||||
this.provider = provider;
|
||||
this.zfpath = zfpath;
|
||||
if (Files.notExists(zfpath)) {
|
||||
if (createNew) {
|
||||
try (OutputStream os = Files.newOutputStream(zfpath, CREATE_NEW, WRITE)) {
|
||||
- new END().write(os, 0);
|
||||
+ new END().write(os, 0, forceEnd64);
|
||||
}
|
||||
} else {
|
||||
throw new FileSystemNotFoundException(zfpath.toString());
|
||||
@@ -1014,28 +1016,36 @@ public class ZipFileSystem extends FileSystem {
|
||||
end.cenoff = ENDOFF(buf);
|
||||
end.comlen = ENDCOM(buf);
|
||||
end.endpos = pos + i;
|
||||
- if (end.cenlen == ZIP64_MINVAL ||
|
||||
- end.cenoff == ZIP64_MINVAL ||
|
||||
- end.centot == ZIP64_MINVAL32)
|
||||
- {
|
||||
- // need to find the zip64 end;
|
||||
- byte[] loc64 = new byte[ZIP64_LOCHDR];
|
||||
- if (readFullyAt(loc64, 0, loc64.length, end.endpos - ZIP64_LOCHDR)
|
||||
- != loc64.length) {
|
||||
- return end;
|
||||
- }
|
||||
- long end64pos = ZIP64_LOCOFF(loc64);
|
||||
- byte[] end64buf = new byte[ZIP64_ENDHDR];
|
||||
- if (readFullyAt(end64buf, 0, end64buf.length, end64pos)
|
||||
- != end64buf.length) {
|
||||
- return end;
|
||||
- }
|
||||
- // end64 found, re-calcualte everything.
|
||||
- end.cenlen = ZIP64_ENDSIZ(end64buf);
|
||||
- end.cenoff = ZIP64_ENDOFF(end64buf);
|
||||
- end.centot = (int)ZIP64_ENDTOT(end64buf); // assume total < 2g
|
||||
- end.endpos = end64pos;
|
||||
+ // try if there is zip64 end;
|
||||
+ byte[] loc64 = new byte[ZIP64_LOCHDR];
|
||||
+ if (end.endpos < ZIP64_LOCHDR ||
|
||||
+ readFullyAt(loc64, 0, loc64.length, end.endpos - ZIP64_LOCHDR)
|
||||
+ != loc64.length ||
|
||||
+ !locator64SigAt(loc64, 0)) {
|
||||
+ return end;
|
||||
+ }
|
||||
+ long end64pos = ZIP64_LOCOFF(loc64);
|
||||
+ byte[] end64buf = new byte[ZIP64_ENDHDR];
|
||||
+ if (readFullyAt(end64buf, 0, end64buf.length, end64pos)
|
||||
+ != end64buf.length ||
|
||||
+ !end64SigAt(end64buf, 0)) {
|
||||
+ return end;
|
||||
+ }
|
||||
+ // end64 found,
|
||||
+ long cenlen64 = ZIP64_ENDSIZ(end64buf);
|
||||
+ long cenoff64 = ZIP64_ENDOFF(end64buf);
|
||||
+ long centot64 = ZIP64_ENDTOT(end64buf);
|
||||
+ // double-check
|
||||
+ if (cenlen64 != end.cenlen && end.cenlen != ZIP64_MINVAL ||
|
||||
+ cenoff64 != end.cenoff && end.cenoff != ZIP64_MINVAL ||
|
||||
+ centot64 != end.centot && end.centot != ZIP64_MINVAL32) {
|
||||
+ return end;
|
||||
}
|
||||
+ // to use the end64 values
|
||||
+ end.cenlen = cenlen64;
|
||||
+ end.cenoff = cenoff64;
|
||||
+ end.centot = (int)centot64; // assume total < 2g
|
||||
+ end.endpos = end64pos;
|
||||
return end;
|
||||
}
|
||||
}
|
||||
@@ -1201,7 +1211,7 @@ public class ZipFileSystem extends FileSystem {
|
||||
|
||||
// sync the zip file system, if there is any udpate
|
||||
private void sync() throws IOException {
|
||||
- //System.out.printf("->sync(%s) starting....!%n", toString());
|
||||
+ // System.out.printf("->sync(%s) starting....!%n", toString());
|
||||
// check ex-closer
|
||||
if (!exChClosers.isEmpty()) {
|
||||
for (ExChannelCloser ecc : exChClosers) {
|
||||
@@ -1292,7 +1302,7 @@ public class ZipFileSystem extends FileSystem {
|
||||
}
|
||||
end.centot = elist.size();
|
||||
end.cenlen = written - end.cenoff;
|
||||
- end.write(os, written);
|
||||
+ end.write(os, written, forceEnd64);
|
||||
}
|
||||
if (!streams.isEmpty()) {
|
||||
//
|
||||
@@ -1849,8 +1859,8 @@ public class ZipFileSystem extends FileSystem {
|
||||
long endpos;
|
||||
int disktot;
|
||||
|
||||
- void write(OutputStream os, long offset) throws IOException {
|
||||
- boolean hasZip64 = false;
|
||||
+ void write(OutputStream os, long offset, boolean forceEnd64) throws IOException {
|
||||
+ boolean hasZip64 = forceEnd64; // false;
|
||||
long xlen = cenlen;
|
||||
long xoff = cenoff;
|
||||
if (xlen >= ZIP64_MINVAL) {
|
||||
@@ -1875,8 +1885,8 @@ public class ZipFileSystem extends FileSystem {
|
||||
writeShort(os, 45); // version needed to extract
|
||||
writeInt(os, 0); // number of this disk
|
||||
writeInt(os, 0); // central directory start disk
|
||||
- writeLong(os, centot); // number of directory entires on disk
|
||||
- writeLong(os, centot); // number of directory entires
|
||||
+ writeLong(os, centot); // number of directory entries on disk
|
||||
+ writeLong(os, centot); // number of directory entries
|
||||
writeLong(os, cenlen); // length of central directory
|
||||
writeLong(os, cenoff); // offset of central directory
|
||||
|
||||
diff --git openjdk.orig/jdk/src/share/native/java/util/zip/zip_util.c openjdk/jdk/src/share/native/java/util/zip/zip_util.c
|
||||
index 5fd6fea049d..858e5814e92 100644
|
||||
--- openjdk.orig/jdk/src/share/native/java/util/zip/zip_util.c
|
||||
+++ openjdk/jdk/src/share/native/java/util/zip/zip_util.c
|
||||
@@ -385,6 +385,9 @@ findEND64(jzfile *zip, void *end64buf, jlong endpos)
|
||||
{
|
||||
char loc64[ZIP64_LOCHDR];
|
||||
jlong end64pos;
|
||||
+ if (endpos < ZIP64_LOCHDR) {
|
||||
+ return -1;
|
||||
+ }
|
||||
if (readFullyAt(zip->zfd, loc64, ZIP64_LOCHDR, endpos - ZIP64_LOCHDR) == -1) {
|
||||
return -1; // end64 locator not found
|
||||
}
|
||||
@@ -567,6 +570,7 @@ readCEN(jzfile *zip, jint knownTotal)
|
||||
{
|
||||
/* Following are unsigned 32-bit */
|
||||
jlong endpos, end64pos, cenpos, cenlen, cenoff;
|
||||
+ jlong cenlen64, cenoff64, centot64;
|
||||
/* Following are unsigned 16-bit */
|
||||
jint total, tablelen, i, j;
|
||||
unsigned char *cenbuf = NULL;
|
||||
@@ -594,13 +598,20 @@ readCEN(jzfile *zip, jint knownTotal)
|
||||
cenlen = ENDSIZ(endbuf);
|
||||
cenoff = ENDOFF(endbuf);
|
||||
total = ENDTOT(endbuf);
|
||||
- if (cenlen == ZIP64_MAGICVAL || cenoff == ZIP64_MAGICVAL ||
|
||||
- total == ZIP64_MAGICCOUNT) {
|
||||
- unsigned char end64buf[ZIP64_ENDHDR];
|
||||
- if ((end64pos = findEND64(zip, end64buf, endpos)) != -1) {
|
||||
- cenlen = ZIP64_ENDSIZ(end64buf);
|
||||
- cenoff = ZIP64_ENDOFF(end64buf);
|
||||
- total = (jint)ZIP64_ENDTOT(end64buf);
|
||||
+ unsigned char end64buf[ZIP64_ENDHDR];
|
||||
+ if ((end64pos = findEND64(zip, end64buf, endpos)) != -1) {
|
||||
+ // end64 candidate found,
|
||||
+ cenlen64 = ZIP64_ENDSIZ(end64buf);
|
||||
+ cenoff64 = ZIP64_ENDOFF(end64buf);
|
||||
+ centot64 = ZIP64_ENDTOT(end64buf);
|
||||
+ // double-check
|
||||
+ if ((cenlen64 == cenlen || cenlen == ZIP64_MAGICVAL) &&
|
||||
+ (cenoff64 == cenoff || cenoff == ZIP64_MAGICVAL) &&
|
||||
+ (centot64 == total || total == ZIP64_MAGICCOUNT)) {
|
||||
+ // to use the end64 values
|
||||
+ cenlen = cenlen64;
|
||||
+ cenoff = cenoff64;
|
||||
+ total = (jint)centot64;
|
||||
endpos = end64pos;
|
||||
endhdrlen = ZIP64_ENDHDR;
|
||||
}
|
||||
diff --git openjdk.orig/jdk/test/java/util/zip/ZipFile/ReadZip.java openjdk/jdk/test/java/util/zip/ZipFile/ReadZip.java
|
||||
index ffe8a8ed712..9b380003893 100644
|
||||
--- openjdk.orig/jdk/test/java/util/zip/ZipFile/ReadZip.java
|
||||
+++ openjdk/jdk/test/java/util/zip/ZipFile/ReadZip.java
|
||||
@@ -22,7 +22,7 @@
|
||||
*/
|
||||
|
||||
/* @test
|
||||
- * @bug 4241361 4842702 4985614 6646605 5032358 6923692 6233323 8144977 8184993
|
||||
+ * @bug 4241361 4842702 4985614 6646605 5032358 6923692 6233323 8144977 8184993 8186464
|
||||
* @summary Make sure we can read a zip file.
|
||||
@key randomness
|
||||
* @run main/othervm ReadZip
|
||||
@@ -31,12 +31,24 @@
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
+import java.net.URI;
|
||||
import java.nio.file.Files;
|
||||
+import java.nio.file.FileSystem;
|
||||
+import java.nio.file.FileSystems;
|
||||
+import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.nio.file.StandardCopyOption;
|
||||
import java.nio.file.StandardOpenOption;
|
||||
+import java.util.Collections;
|
||||
+import java.util.HashMap;
|
||||
+import java.util.List;
|
||||
+import java.util.Map;
|
||||
import java.util.zip.*;
|
||||
|
||||
+import sun.misc.IOUtils;
|
||||
+
|
||||
+import static java.nio.charset.StandardCharsets.US_ASCII;
|
||||
+
|
||||
public class ReadZip {
|
||||
private static void unreached (Object o)
|
||||
throws Exception
|
||||
@@ -144,8 +156,6 @@ public class ReadZip {
|
||||
newZip.delete();
|
||||
}
|
||||
|
||||
-
|
||||
-
|
||||
// Throw a FNF exception when read a non-existing zip file
|
||||
try { unreached (new ZipFile(
|
||||
new File(System.getProperty("test.src", "."),
|
||||
@@ -153,5 +163,54 @@ public class ReadZip {
|
||||
+ String.valueOf(new java.util.Random().nextInt())
|
||||
+ ".zip")));
|
||||
} catch (FileNotFoundException fnfe) {}
|
||||
+
|
||||
+ // read a zip file with ZIP64 end
|
||||
+ Path path = Paths.get(System.getProperty("test.dir", ""), "end64.zip");
|
||||
+ try {
|
||||
+ URI uri = URI.create("jar:" + path.toUri());
|
||||
+ Map<String, Object> env = new HashMap<>();
|
||||
+ env.put("create", "true");
|
||||
+ env.put("forceZIP64End", "true");
|
||||
+ try (FileSystem fs = FileSystems.newFileSystem(uri, env)) {
|
||||
+ Files.write(fs.getPath("hello"), "hello".getBytes());
|
||||
+ }
|
||||
+ try (ZipFile zf = new ZipFile(path.toFile())) {
|
||||
+ if (!"hello".equals(new String(IOUtils.readAllBytes(zf.getInputStream(new ZipEntry("hello"))),
|
||||
+ US_ASCII)))
|
||||
+ throw new RuntimeException("zipfile: read entry failed");
|
||||
+ } catch (IOException x) {
|
||||
+ throw new RuntimeException("zipfile: zip64 end failed");
|
||||
+ }
|
||||
+ try (FileSystem fs = FileSystems.newFileSystem(uri, Collections.emptyMap())) {
|
||||
+ if (!"hello".equals(new String(Files.readAllBytes(fs.getPath("hello")))))
|
||||
+ throw new RuntimeException("zipfs: read entry failed");
|
||||
+ } catch (IOException x) {
|
||||
+ throw new RuntimeException("zipfile: zip64 end failed");
|
||||
+ }
|
||||
+ } finally {
|
||||
+ Files.deleteIfExists(path);
|
||||
+ }
|
||||
+
|
||||
+ // read a zip file created via "echo hello | zip dst.zip -", which uses
|
||||
+ // ZIP64 end record
|
||||
+ if (Files.notExists(Paths.get("/usr/bin/zip")))
|
||||
+ return;
|
||||
+ try {
|
||||
+ Process zip = new ProcessBuilder("zip", path.toString().toString(), "-").start();
|
||||
+ OutputStream os = zip.getOutputStream();
|
||||
+ os.write("hello".getBytes(US_ASCII));
|
||||
+ os.close();
|
||||
+ zip.waitFor();
|
||||
+ if (zip.exitValue() == 0 && Files.exists(path)) {
|
||||
+ try (ZipFile zf = new ZipFile(path.toFile())) {
|
||||
+ if (!"hello".equals(new String(IOUtils.readAllBytes(zf.getInputStream(new ZipEntry("-"))))))
|
||||
+ throw new RuntimeException("zipfile: read entry failed");
|
||||
+ } catch (IOException x) {
|
||||
+ throw new RuntimeException("zipfile: zip64 end failed");
|
||||
+ }
|
||||
+ }
|
||||
+ } finally {
|
||||
+ Files.deleteIfExists(path);
|
||||
+ }
|
||||
}
|
||||
}
|
125
SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
Normal file
125
SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
Normal file
@ -0,0 +1,125 @@
|
||||
# HG changeset patch
|
||||
# User mbalao
|
||||
# Date 1529971845 -28800
|
||||
# Tue Jun 26 08:10:45 2018 +0800
|
||||
# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc
|
||||
# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff
|
||||
8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
|
||||
Reviewed-by: valeriep, weijun
|
||||
|
||||
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
|
||||
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
|
||||
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
|
||||
@@ -197,7 +197,7 @@
|
||||
|
||||
if (configDir != null) {
|
||||
String configDirPath = null;
|
||||
- String sqlPrefix = "sql:/";
|
||||
+ String sqlPrefix = "sql:";
|
||||
if (!configDir.startsWith(sqlPrefix)) {
|
||||
configDirPath = configDir;
|
||||
} else {
|
||||
diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
|
||||
--- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
|
||||
+++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
|
||||
@@ -69,9 +69,14 @@
|
||||
int res = 0;
|
||||
FPTR_Initialize initialize =
|
||||
(FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize");
|
||||
+ #ifdef SECMOD_DEBUG
|
||||
+ FPTR_GetError getError =
|
||||
+ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError");
|
||||
+ #endif // SECMOD_DEBUG
|
||||
unsigned int flags = 0x00;
|
||||
const char *configDir = NULL;
|
||||
const char *functionName = NULL;
|
||||
+ const char *configFile = NULL;
|
||||
|
||||
/* If we cannot initialize, exit now */
|
||||
if (initialize == NULL) {
|
||||
@@ -97,13 +102,18 @@
|
||||
flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag
|
||||
}
|
||||
|
||||
+ configFile = "secmod.db";
|
||||
+ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) {
|
||||
+ configFile = "pkcs11.txt";
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* If the NSS_Init function is requested then call NSS_Initialize to
|
||||
* open the Cert, Key and Security Module databases, read only.
|
||||
*/
|
||||
if (strcmp("NSS_Init", functionName) == 0) {
|
||||
flags = flags | 0x01; // NSS_INIT_READONLY flag
|
||||
- res = initialize(configDir, "", "", "secmod.db", flags);
|
||||
+ res = initialize(configDir, "", "", configFile, flags);
|
||||
|
||||
/*
|
||||
* If the NSS_InitReadWrite function is requested then call
|
||||
@@ -111,7 +121,7 @@
|
||||
* read/write.
|
||||
*/
|
||||
} else if (strcmp("NSS_InitReadWrite", functionName) == 0) {
|
||||
- res = initialize(configDir, "", "", "secmod.db", flags);
|
||||
+ res = initialize(configDir, "", "", configFile, flags);
|
||||
|
||||
/*
|
||||
* If the NSS_NoDB_Init function is requested then call
|
||||
@@ -137,6 +147,13 @@
|
||||
(*env)->ReleaseStringUTFChars(env, jConfigDir, configDir);
|
||||
}
|
||||
dprintf1("-res: %d\n", res);
|
||||
+ #ifdef SECMOD_DEBUG
|
||||
+ if (res == -1) {
|
||||
+ if (getError != NULL) {
|
||||
+ dprintf1("-NSS error: %d\n", getError());
|
||||
+ }
|
||||
+ }
|
||||
+ #endif // SECMOD_DEBUG
|
||||
|
||||
return (res == 0) ? JNI_TRUE : JNI_FALSE;
|
||||
}
|
||||
diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
|
||||
--- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
|
||||
+++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
|
||||
@@ -34,6 +34,10 @@
|
||||
const char *certPrefix, const char *keyPrefix,
|
||||
const char *secmodName, unsigned int flags);
|
||||
|
||||
+#ifdef SECMOD_DEBUG
|
||||
+typedef int (*FPTR_GetError)(void);
|
||||
+#endif //SECMOD_DEBUG
|
||||
+
|
||||
// in secmod.h
|
||||
//extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
|
||||
// PRBool recurse);
|
||||
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
|
||||
@@ -0,0 +1,4 @@
|
||||
+library=
|
||||
+name=NSS Internal PKCS #11 Module
|
||||
+parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
|
||||
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
|
||||
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
|
||||
--- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java
|
||||
+++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
|
||||
@@ -55,7 +55,7 @@
|
||||
|
||||
DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb";
|
||||
if (useSqlite) {
|
||||
- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR);
|
||||
+ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR);
|
||||
} else {
|
||||
System.setProperty("pkcs11test.nss.db", DBDIR);
|
||||
}
|
||||
@@ -67,6 +67,7 @@
|
||||
if (useSqlite) {
|
||||
copyFile("key4.db", BASE, DBDIR);
|
||||
copyFile("cert9.db", BASE, DBDIR);
|
||||
+ copyFile("pkcs11.txt", BASE, DBDIR);
|
||||
} else {
|
||||
copyFile("secmod.db", BASE, DBDIR);
|
||||
copyFile("key3.db", BASE, DBDIR);
|
@ -7,11 +7,10 @@
|
||||
PR3533: HotSpot generates code with unaligned stack, crashes on SSE operations
|
||||
Summary: Enable -mstackrealign on x86 Linux as well as x86 Mac OS X
|
||||
|
||||
diff --git a/common/autoconf/flags.m4 b/common/autoconf/flags.m4
|
||||
index 113bf367e2..bed030e8d1 100644
|
||||
--- a/common/autoconf/flags.m4
|
||||
+++ b/common/autoconf/flags.m4
|
||||
@@ -451,6 +451,21 @@ AC_DEFUN_ONCE([FLAGS_SETUP_COMPILER_FLAGS_FOR_JDK],
|
||||
diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/flags.m4
|
||||
--- openjdk.orig///common/autoconf/flags.m4
|
||||
+++ openjdk///common/autoconf/flags.m4
|
||||
@@ -402,6 +402,21 @@
|
||||
AC_SUBST($2CXXSTD_CXXFLAG)
|
||||
fi
|
||||
|
||||
@ -23,7 +22,7 @@ index 113bf367e2..bed030e8d1 100644
|
||||
+ # On 32-bit MacOSX the OS requires C-entry points to be 16 byte aligned.
|
||||
+ # While waiting for a better solution, the current workaround is to use -mstackrealign
|
||||
+ # This is also required on Linux systems which use libraries compiled with SSE instructions
|
||||
+ REALIGN_CFLAG="-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
|
||||
+ REALIGN_CFLAG="-mstackrealign"
|
||||
+ FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [],
|
||||
+ AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.])
|
||||
+ )
|
||||
@ -33,32 +32,23 @@ index 113bf367e2..bed030e8d1 100644
|
||||
if test "x$CFLAGS" != "x${ADDED_CFLAGS}"; then
|
||||
AC_MSG_WARN([Ignoring CFLAGS($CFLAGS) found in environment. Use --with-extra-cflags])
|
||||
fi
|
||||
diff --git a/common/autoconf/hotspot-spec.gmk.in b/common/autoconf/hotspot-spec.gmk.in
|
||||
index 3f86751d2b..f8a271383f 100644
|
||||
--- a/common/autoconf/hotspot-spec.gmk.in
|
||||
+++ b/common/autoconf/hotspot-spec.gmk.in
|
||||
@@ -114,13 +114,14 @@ RC:=@HOTSPOT_RC@
|
||||
# Retain EXTRA_{CFLAGS,CXXFLAGS,LDFLAGS,ASFLAGS} for the target flags to
|
||||
# maintain compatibility with the existing Makefiles
|
||||
EXTRA_CFLAGS=@LEGACY_TARGET_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
|
||||
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
|
||||
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
|
||||
+ $(REALIGN_CFLAG)
|
||||
EXTRA_CXXFLAGS=@LEGACY_TARGET_CXXFLAGS@
|
||||
EXTRA_LDFLAGS=@LEGACY_TARGET_LDFLAGS@
|
||||
EXTRA_ASFLAGS=@LEGACY_TARGET_ASFLAGS@
|
||||
# Define an equivalent set for the host flags (i.e. without sysroot options)
|
||||
HOST_CFLAGS=@LEGACY_HOST_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
|
||||
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
|
||||
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
|
||||
HOST_CXXFLAGS=@LEGACY_HOST_CXXFLAGS@
|
||||
HOST_LDFLAGS=@LEGACY_HOST_LDFLAGS@
|
||||
HOST_ASFLAGS=@LEGACY_HOST_ASFLAGS@
|
||||
diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
|
||||
index 9573bb2cbd..fe7efc130c 100644
|
||||
--- a/common/autoconf/spec.gmk.in
|
||||
+++ b/common/autoconf/spec.gmk.in
|
||||
@@ -366,6 +366,7 @@ CXXFLAGS_JDKEXE:=@CXXFLAGS_JDKEXE@
|
||||
diff --git openjdk.orig///common/autoconf/hotspot-spec.gmk.in openjdk///common/autoconf/hotspot-spec.gmk.in
|
||||
--- openjdk.orig///common/autoconf/hotspot-spec.gmk.in
|
||||
+++ openjdk///common/autoconf/hotspot-spec.gmk.in
|
||||
@@ -112,7 +112,8 @@
|
||||
RC:=@HOTSPOT_RC@
|
||||
|
||||
EXTRA_CFLAGS=@LEGACY_EXTRA_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
|
||||
- $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
|
||||
+ $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
|
||||
+ $(REALIGN_CFLAG)
|
||||
EXTRA_CXXFLAGS=@LEGACY_EXTRA_CXXFLAGS@
|
||||
EXTRA_LDFLAGS=@LEGACY_EXTRA_LDFLAGS@
|
||||
EXTRA_ASFLAGS=@LEGACY_EXTRA_ASFLAGS@
|
||||
diff --git openjdk.orig///common/autoconf/spec.gmk.in openjdk///common/autoconf/spec.gmk.in
|
||||
--- openjdk.orig///common/autoconf/spec.gmk.in
|
||||
+++ openjdk///common/autoconf/spec.gmk.in
|
||||
@@ -366,6 +366,7 @@
|
||||
|
||||
NO_DELETE_NULL_POINTER_CHECKS_CFLAG=@NO_DELETE_NULL_POINTER_CHECKS_CFLAG@
|
||||
NO_LIFETIME_DSE_CFLAG=@NO_LIFETIME_DSE_CFLAG@
|
||||
|
12
SOURCES/jdk8218811-perfMemory_linux.patch
Normal file
12
SOURCES/jdk8218811-perfMemory_linux.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --git openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
|
||||
--- openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp
|
||||
+++ openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
|
||||
@@ -878,7 +878,7 @@
|
||||
|
||||
// open the file
|
||||
int result;
|
||||
- RESTARTABLE(::open(filename, oflags), result);
|
||||
+ RESTARTABLE(::open(filename, oflags, 0), result);
|
||||
if (result == OS_ERR) {
|
||||
if (errno == ENOENT) {
|
||||
THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),
|
@ -1,13 +0,0 @@
|
||||
diff --git openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
|
||||
--- openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
|
||||
+++ openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
|
||||
@@ -493,9 +493,6 @@
|
||||
assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + extra_stack_entries
|
||||
+ 1), "bad stack limit");
|
||||
}
|
||||
-#ifndef SHARK
|
||||
- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
|
||||
-#endif // !SHARK
|
||||
}
|
||||
// Verify linkages.
|
||||
interpreterState l = istate;
|
File diff suppressed because it is too large
Load Diff
@ -1,8 +1,6 @@
|
||||
name = NSS-FIPS
|
||||
nssLibraryDirectory = @NSS_LIBDIR@
|
||||
nssSecmodDirectory = sql:/etc/pki/nssdb
|
||||
nssSecmodDirectory = @NSS_SECMOD@
|
||||
nssDbMode = readOnly
|
||||
nssModule = fips
|
||||
|
||||
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
||||
|
||||
|
@ -7,11 +7,10 @@
|
||||
8074839: Resolve disabled warnings for libunpack and the unpack200 binary
|
||||
Reviewed-by: dholmes, ksrini
|
||||
|
||||
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
|
||||
index bdaf95a2f6a..60c5b4f2a69 100644
|
||||
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
|
||||
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
|
||||
@@ -63,7 +63,7 @@ struct bytes {
|
||||
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
|
||||
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
|
||||
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
|
||||
@@ -63,7 +63,7 @@
|
||||
bytes res;
|
||||
res.ptr = ptr + beg;
|
||||
res.len = end - beg;
|
||||
@ -20,11 +19,10 @@ index bdaf95a2f6a..60c5b4f2a69 100644
|
||||
return res;
|
||||
}
|
||||
// building C strings inside byte buffers:
|
||||
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
|
||||
index 5fbc7261fb3..4c002e779d8 100644
|
||||
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
|
||||
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
|
||||
@@ -292,7 +292,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_getUnusedInput(JNIEnv *env, jobject
|
||||
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
|
||||
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
|
||||
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
|
||||
@@ -292,7 +292,7 @@
|
||||
|
||||
if (uPtr->aborting()) {
|
||||
THROW_IOE(uPtr->get_abort_message());
|
||||
@ -33,16 +31,16 @@ index 5fbc7261fb3..4c002e779d8 100644
|
||||
}
|
||||
|
||||
// We have fetched all the files.
|
||||
@@ -312,7 +312,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
|
||||
// There's no need to create a new unpacker here if we don't already have one
|
||||
// just to immediatly free it afterwards.
|
||||
unpacker* uPtr = get_unpacker(env, pObj, /* noCreate= */ true);
|
||||
@@ -310,7 +310,7 @@
|
||||
JNIEXPORT jlong JNICALL
|
||||
Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
|
||||
unpacker* uPtr = get_unpacker(env, pObj, false);
|
||||
- CHECK_EXCEPTION_RETURN_VALUE(uPtr, NULL);
|
||||
+ CHECK_EXCEPTION_RETURN_VALUE(uPtr, 0);
|
||||
size_t consumed = uPtr->input_consumed();
|
||||
// free_unpacker() will set the unpacker field on 'pObj' to null
|
||||
free_unpacker(env, pObj, uPtr);
|
||||
@@ -323,6 +323,7 @@ JNIEXPORT jboolean JNICALL
|
||||
return consumed;
|
||||
@@ -320,6 +320,7 @@
|
||||
Java_com_sun_java_util_jar_pack_NativeUnpack_setOption(JNIEnv *env, jobject pObj,
|
||||
jstring pProp, jstring pValue) {
|
||||
unpacker* uPtr = get_unpacker(env, pObj);
|
||||
@ -50,11 +48,10 @@ index 5fbc7261fb3..4c002e779d8 100644
|
||||
const char* prop = env->GetStringUTFChars(pProp, JNI_FALSE);
|
||||
CHECK_EXCEPTION_RETURN_VALUE(prop, false);
|
||||
const char* value = env->GetStringUTFChars(pValue, JNI_FALSE);
|
||||
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
|
||||
index 6fbc43a18ae..722c8baaff0 100644
|
||||
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
|
||||
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
|
||||
@@ -142,31 +142,28 @@ static const char* nbasename(const char* progname) {
|
||||
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
|
||||
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
|
||||
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
|
||||
@@ -142,31 +142,28 @@
|
||||
return progname;
|
||||
}
|
||||
|
||||
@ -104,11 +101,10 @@ index 6fbc43a18ae..722c8baaff0 100644
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
|
||||
index a585535c513..8df3fade499 100644
|
||||
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
|
||||
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
|
||||
@@ -225,9 +225,9 @@ struct entry {
|
||||
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
|
||||
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
|
||||
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
|
||||
@@ -222,9 +222,9 @@
|
||||
}
|
||||
|
||||
#ifdef PRODUCT
|
||||
@ -120,7 +116,7 @@ index a585535c513..8df3fade499 100644
|
||||
#endif
|
||||
};
|
||||
|
||||
@@ -719,13 +719,13 @@ void unpacker::read_file_header() {
|
||||
@@ -715,13 +715,13 @@
|
||||
// Now we can size the whole archive.
|
||||
// Read everything else into a mega-buffer.
|
||||
rp = hdr.rp;
|
||||
@ -138,7 +134,7 @@ index a585535c513..8df3fade499 100644
|
||||
abort("EOF reading fixed input buffer");
|
||||
return;
|
||||
}
|
||||
@@ -739,7 +739,7 @@ void unpacker::read_file_header() {
|
||||
@@ -735,7 +735,7 @@
|
||||
return;
|
||||
}
|
||||
input.set(U_NEW(byte, add_size(header_size_0, archive_size, C_SLOP)),
|
||||
@ -147,7 +143,7 @@ index a585535c513..8df3fade499 100644
|
||||
CHECK;
|
||||
assert(input.limit()[0] == 0);
|
||||
// Move all the bytes we read initially into the real buffer.
|
||||
@@ -962,13 +962,13 @@ void cpool::init(unpacker* u_, int counts[CONSTANT_Limit]) {
|
||||
@@ -958,13 +958,13 @@
|
||||
nentries = next_entry;
|
||||
|
||||
// place a limit on future CP growth:
|
||||
@ -163,7 +159,18 @@ index a585535c513..8df3fade499 100644
|
||||
|
||||
// Note that this CP does not include "empty" entries
|
||||
// for longs and doubles. Those are introduced when
|
||||
@@ -3694,21 +3694,22 @@ void cpool::computeOutputIndexes() {
|
||||
@@ -982,8 +982,9 @@
|
||||
}
|
||||
|
||||
// Initialize *all* our entries once
|
||||
- for (int i = 0 ; i < maxentries ; i++)
|
||||
+ for (uint i = 0 ; i < maxentries ; i++) {
|
||||
entries[i].outputIndex = REQUESTED_NONE;
|
||||
+ }
|
||||
|
||||
initGroupIndexes();
|
||||
// Initialize hashTab to a generous power-of-two size.
|
||||
@@ -3677,21 +3678,22 @@
|
||||
|
||||
unpacker* debug_u;
|
||||
|
||||
@ -190,7 +197,7 @@ index a585535c513..8df3fade499 100644
|
||||
case CONSTANT_Signature:
|
||||
if (value.b.ptr == null)
|
||||
return ref(0)->string();
|
||||
@@ -3728,26 +3729,28 @@ char* entry::string() {
|
||||
@@ -3711,26 +3713,28 @@
|
||||
break;
|
||||
default:
|
||||
if (nrefs == 0) {
|
||||
@ -228,11 +235,10 @@ index a585535c513..8df3fade499 100644
|
||||
}
|
||||
|
||||
void print_cp_entries(int beg, int end) {
|
||||
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
|
||||
index 4ec595333c4..aad0c971ef2 100644
|
||||
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
|
||||
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
|
||||
@@ -209,7 +209,7 @@ struct unpacker {
|
||||
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
|
||||
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
|
||||
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
|
||||
@@ -209,7 +209,7 @@
|
||||
byte* rp; // read pointer (< rplimit <= input.limit())
|
||||
byte* rplimit; // how much of the input block has been read?
|
||||
julong bytes_read;
|
||||
@ -241,11 +247,10 @@ index 4ec595333c4..aad0c971ef2 100644
|
||||
|
||||
// callback to read at least one byte, up to available input
|
||||
typedef jlong (*read_input_fn_t)(unpacker* self, void* buf, jlong minlen, jlong maxlen);
|
||||
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
|
||||
index da39a589545..1281d8b25c8 100644
|
||||
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
|
||||
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
|
||||
@@ -81,7 +81,7 @@ void breakpoint() { } // hook for debugger
|
||||
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
|
||||
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
|
||||
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
|
||||
@@ -81,7 +81,7 @@
|
||||
int assert_failed(const char* p) {
|
||||
char message[1<<12];
|
||||
sprintf(message, "@assert failed: %s\n", p);
|
||||
@ -254,11 +259,10 @@ index da39a589545..1281d8b25c8 100644
|
||||
breakpoint();
|
||||
unpack_abort(message);
|
||||
return 0;
|
||||
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
|
||||
index f58c94956c0..343da3e183b 100644
|
||||
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
|
||||
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
|
||||
@@ -84,7 +84,7 @@ void jar::init(unpacker* u_) {
|
||||
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
|
||||
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
|
||||
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
|
||||
@@ -84,7 +84,7 @@
|
||||
}
|
||||
|
||||
// Write data to the ZIP output stream.
|
||||
@ -267,7 +271,7 @@ index f58c94956c0..343da3e183b 100644
|
||||
while (len > 0) {
|
||||
int rc = (int)fwrite(buff, 1, len, jarfp);
|
||||
if (rc <= 0) {
|
||||
@@ -323,12 +323,12 @@ void jar::write_central_directory() {
|
||||
@@ -323,12 +323,12 @@
|
||||
// Total number of disks (int)
|
||||
header64[36] = (ushort)SWAP_BYTES(1);
|
||||
header64[37] = 0;
|
||||
@ -282,11 +286,10 @@ index f58c94956c0..343da3e183b 100644
|
||||
|
||||
PRINTCR((2, "writing zip comment\n"));
|
||||
// Write the comment.
|
||||
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
|
||||
index 14ffc9d65bd..9877f6f68ca 100644
|
||||
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
|
||||
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
|
||||
@@ -68,8 +68,8 @@ struct jar {
|
||||
diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
|
||||
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
|
||||
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
|
||||
@@ -68,8 +68,8 @@
|
||||
}
|
||||
|
||||
// Private Methods
|
||||
|
@ -0,0 +1,63 @@
|
||||
# HG changeset patch
|
||||
# User andrew
|
||||
# Date 1459487045 -3600
|
||||
# Fri Apr 01 06:04:05 2016 +0100
|
||||
# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b
|
||||
# Parent 6b81fd2227d14226f2121f2d51b464536925686e
|
||||
PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
|
||||
PR3575: System cacerts database handling should not affect jssecacerts
|
||||
|
||||
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
||||
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
||||
+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
||||
@@ -72,7 +72,7 @@
|
||||
* The preference of the default trusted KeyStore is:
|
||||
* javax.net.ssl.trustStore
|
||||
* jssecacerts
|
||||
- * cacerts
|
||||
+ * cacerts (system and local)
|
||||
*/
|
||||
private static final class TrustStoreDescriptor {
|
||||
private static final String fileSep = File.separator;
|
||||
@@ -83,6 +83,10 @@
|
||||
defaultStorePath + fileSep + "cacerts";
|
||||
private static final String jsseDefaultStore =
|
||||
defaultStorePath + fileSep + "jssecacerts";
|
||||
+ /* Check system cacerts DB: /etc/pki/java/cacerts */
|
||||
+ private static final String systemStore =
|
||||
+ fileSep + "etc" + fileSep + "pki" +
|
||||
+ fileSep + "java" + fileSep + "cacerts";
|
||||
|
||||
// the trust store name
|
||||
private final String storeName;
|
||||
@@ -146,7 +150,8 @@
|
||||
long temporaryTime = 0L;
|
||||
if (!"NONE".equals(storePropName)) {
|
||||
String[] fileNames =
|
||||
- new String[] {storePropName, defaultStore};
|
||||
+ new String[] {storePropName,
|
||||
+ systemStore, defaultStore};
|
||||
for (String fileName : fileNames) {
|
||||
File f = new File(fileName);
|
||||
if (f.isFile() && f.canRead()) {
|
||||
diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
||||
--- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
||||
+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
||||
@@ -108,9 +108,14 @@
|
||||
throws Exception
|
||||
{
|
||||
String sep = File.separator;
|
||||
- File file = new File(System.getProperty("java.home") + sep
|
||||
- + "lib" + sep + "security" + sep
|
||||
- + "cacerts");
|
||||
+ /* Check system cacerts DB first; /etc/pki/java/cacerts */
|
||||
+ File file = new File(sep + "etc" + sep + "pki" + sep
|
||||
+ + "java" + sep + "cacerts");
|
||||
+ if (!file.exists()) {
|
||||
+ file = new File(System.getProperty("java.home") + sep
|
||||
+ + "lib" + sep + "security" + sep
|
||||
+ + "cacerts");
|
||||
+ }
|
||||
if (!file.exists()) {
|
||||
return null;
|
||||
}
|
@ -1,193 +0,0 @@
|
||||
diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
||||
index e7b4763db53..0005e56f528 100644
|
||||
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
||||
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
||||
@@ -31,6 +31,7 @@ import java.security.*;
|
||||
import java.security.cert.*;
|
||||
import java.util.*;
|
||||
import sun.security.action.*;
|
||||
+import sun.security.tools.KeyStoreUtil;
|
||||
import sun.security.validator.TrustStoreUtil;
|
||||
|
||||
/**
|
||||
@@ -68,7 +69,7 @@ final class TrustStoreManager {
|
||||
* The preference of the default trusted KeyStore is:
|
||||
* javax.net.ssl.trustStore
|
||||
* jssecacerts
|
||||
- * cacerts
|
||||
+ * cacerts (system and local)
|
||||
*/
|
||||
private static final class TrustStoreDescriptor {
|
||||
private static final String fileSep = File.separator;
|
||||
@@ -76,7 +77,8 @@ final class TrustStoreManager {
|
||||
GetPropertyAction.privilegedGetProperty("java.home") +
|
||||
fileSep + "lib" + fileSep + "security";
|
||||
private static final String defaultStore =
|
||||
- defaultStorePath + fileSep + "cacerts";
|
||||
+ AccessController.doPrivileged((PrivilegedAction<String>) () ->
|
||||
+ KeyStoreUtil.getCacertsKeyStorePath());
|
||||
private static final String jsseDefaultStore =
|
||||
defaultStorePath + fileSep + "jssecacerts";
|
||||
|
||||
@@ -139,6 +141,10 @@ final class TrustStoreManager {
|
||||
String storePropPassword = System.getProperty(
|
||||
"javax.net.ssl.trustStorePassword", "");
|
||||
|
||||
+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
|
||||
+ SSLLogger.fine("Default store: " + defaultStore);
|
||||
+ }
|
||||
+
|
||||
String temporaryName = "";
|
||||
File temporaryFile = null;
|
||||
long temporaryTime = 0L;
|
||||
@@ -160,7 +166,7 @@ final class TrustStoreManager {
|
||||
SSLLogger.isOn("trustmanager")) {
|
||||
SSLLogger.fine(
|
||||
"Inaccessible trust store: " +
|
||||
- storePropName);
|
||||
+ fileName);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
||||
index fcc77786da1..3a4388964cc 100644
|
||||
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
||||
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
||||
@@ -41,6 +41,8 @@ import java.text.Collator;
|
||||
import java.util.Locale;
|
||||
import java.util.ResourceBundle;
|
||||
|
||||
+import sun.security.util.SecurityProperties;
|
||||
+
|
||||
/**
|
||||
* <p> This class provides several utilities to <code>KeyStore</code>.
|
||||
*
|
||||
@@ -54,6 +56,8 @@ public class KeyStoreUtil {
|
||||
|
||||
private static final String JKS = "jks";
|
||||
|
||||
+ private static final String SYSTEM_CA_CERTS_PROP = "security.systemCACerts";
|
||||
+
|
||||
/**
|
||||
* Returns true if the certificate is self-signed, false otherwise.
|
||||
*/
|
||||
@@ -96,16 +100,30 @@ public class KeyStoreUtil {
|
||||
}
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * Returns the path to the cacerts DB
|
||||
+ */
|
||||
+ public static String getCacertsKeyStorePath()
|
||||
+ {
|
||||
+ // Check system DB first, preferring system property over security one
|
||||
+ String systemDB = SecurityProperties
|
||||
+ .privilegedGetOverridable(SYSTEM_CA_CERTS_PROP);
|
||||
+ if (systemDB != null && !"".equals(systemDB) &&
|
||||
+ (new File(systemDB)).isFile()) {
|
||||
+ return systemDB;
|
||||
+ }
|
||||
+ String sep = File.separator;
|
||||
+ return System.getProperty("java.home") + sep
|
||||
+ + "lib" + sep + "security" + sep + "cacerts";
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Returns the keystore with the configured CA certificates.
|
||||
*/
|
||||
public static KeyStore getCacertsKeyStore()
|
||||
throws Exception
|
||||
{
|
||||
- String sep = File.separator;
|
||||
- File file = new File(System.getProperty("java.home") + sep
|
||||
- + "lib" + sep + "security" + sep
|
||||
- + "cacerts");
|
||||
+ File file = new File(getCacertsKeyStorePath());
|
||||
if (!file.exists()) {
|
||||
return null;
|
||||
}
|
||||
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
|
||||
index 681a24b905d..ecb8bc43a6c 100644
|
||||
--- a/jdk/src/share/lib/security/java.security-aix
|
||||
+++ b/jdk/src/share/lib/security/java.security-aix
|
||||
@@ -294,6 +294,12 @@ security.overridePropertiesFile=true
|
||||
#
|
||||
security.useSystemPropertiesFile=false
|
||||
|
||||
+#
|
||||
+# Specifies the system certificate store
|
||||
+# This property may be disabled using an empty value
|
||||
+#
|
||||
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||
+
|
||||
#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
|
||||
index 789c19a8cba..2546fdec9b2 100644
|
||||
--- a/jdk/src/share/lib/security/java.security-linux
|
||||
+++ b/jdk/src/share/lib/security/java.security-linux
|
||||
@@ -307,6 +307,12 @@ security.overridePropertiesFile=true
|
||||
#
|
||||
security.useSystemPropertiesFile=false
|
||||
|
||||
+#
|
||||
+# Specifies the system certificate store
|
||||
+# This property may be disabled using an empty value
|
||||
+#
|
||||
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||
+
|
||||
#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
|
||||
index d4da666af3b..1a20027c02b 100644
|
||||
--- a/jdk/src/share/lib/security/java.security-macosx
|
||||
+++ b/jdk/src/share/lib/security/java.security-macosx
|
||||
@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
|
||||
#
|
||||
security.useSystemPropertiesFile=false
|
||||
|
||||
+#
|
||||
+# Specifies the system certificate store
|
||||
+# This property may be disabled using an empty value
|
||||
+#
|
||||
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||
+
|
||||
#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
|
||||
index 300132384a1..6299e0a3c7b 100644
|
||||
--- a/jdk/src/share/lib/security/java.security-solaris
|
||||
+++ b/jdk/src/share/lib/security/java.security-solaris
|
||||
@@ -295,6 +295,12 @@ security.overridePropertiesFile=true
|
||||
#
|
||||
security.useSystemPropertiesFile=false
|
||||
|
||||
+#
|
||||
+# Specifies the system certificate store
|
||||
+# This property may be disabled using an empty value
|
||||
+#
|
||||
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||
+
|
||||
#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
|
||||
index 64db5a5cd1e..823994f3466 100644
|
||||
--- a/jdk/src/share/lib/security/java.security-windows
|
||||
+++ b/jdk/src/share/lib/security/java.security-windows
|
||||
@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
|
||||
#
|
||||
security.useSystemPropertiesFile=false
|
||||
|
||||
+#
|
||||
+# Specifies the system certificate store
|
||||
+# This property may be disabled using an empty value
|
||||
+#
|
||||
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||
+
|
||||
#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
@ -0,0 +1,158 @@
|
||||
|
||||
# HG changeset patch
|
||||
# User andrew
|
||||
# Date 1478057514 0
|
||||
# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
|
||||
# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
|
||||
PR3183: Support Fedora/RHEL system crypto policy
|
||||
|
||||
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/classes/java/security/Security.java
|
||||
--- openjdk/jdk/src/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
|
||||
+++ openjdk/jdk/src/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
|
||||
@@ -43,6 +43,9 @@
|
||||
* implementation-specific location, which is typically the properties file
|
||||
* {@code lib/security/java.security} in the Java installation directory.
|
||||
*
|
||||
+ * <p>Additional default values of security properties are read from a
|
||||
+ * system-specific location, if available.</p>
|
||||
+ *
|
||||
* @author Benjamin Renaud
|
||||
*/
|
||||
|
||||
@@ -52,6 +55,10 @@
|
||||
private static final Debug sdebug =
|
||||
Debug.getInstance("properties");
|
||||
|
||||
+ /* System property file*/
|
||||
+ private static final String SYSTEM_PROPERTIES =
|
||||
+ "/etc/crypto-policies/back-ends/java.config";
|
||||
+
|
||||
/* The java.security properties */
|
||||
private static Properties props;
|
||||
|
||||
@@ -93,6 +100,7 @@
|
||||
if (sdebug != null) {
|
||||
sdebug.println("reading security properties file: " +
|
||||
propFile);
|
||||
+ sdebug.println(props.toString());
|
||||
}
|
||||
} catch (IOException e) {
|
||||
if (sdebug != null) {
|
||||
@@ -114,6 +122,31 @@
|
||||
}
|
||||
|
||||
if ("true".equalsIgnoreCase(props.getProperty
|
||||
+ ("security.useSystemPropertiesFile"))) {
|
||||
+
|
||||
+ // now load the system file, if it exists, so its values
|
||||
+ // will win if they conflict with the earlier values
|
||||
+ try (BufferedInputStream bis =
|
||||
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
|
||||
+ props.load(bis);
|
||||
+ loadedProps = true;
|
||||
+
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("reading system security properties file " +
|
||||
+ SYSTEM_PROPERTIES);
|
||||
+ sdebug.println(props.toString());
|
||||
+ }
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println
|
||||
+ ("unable to load security properties from " +
|
||||
+ SYSTEM_PROPERTIES);
|
||||
+ e.printStackTrace();
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if ("true".equalsIgnoreCase(props.getProperty
|
||||
("security.overridePropertiesFile"))) {
|
||||
|
||||
String extraPropFile = System.getProperty
|
||||
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-aix
|
||||
--- openjdk/jdk/src/share/lib/security/java.security-aix Wed Oct 26 03:51:39 2016 +0100
|
||||
+++ openjdk/jdk/src/share/lib/security/java.security-aix Wed Nov 02 03:31:54 2016 +0000
|
||||
@@ -276,6 +276,13 @@
|
||||
security.overridePropertiesFile=true
|
||||
|
||||
#
|
||||
+# Determines whether this properties file will be appended to
|
||||
+# using the system properties file stored at
|
||||
+# /etc/crypto-policies/back-ends/java.config
|
||||
+#
|
||||
+security.useSystemPropertiesFile=false
|
||||
+
|
||||
+#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
#
|
||||
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-linux
|
||||
--- openjdk/jdk/src/share/lib/security/java.security-linux Wed Oct 26 03:51:39 2016 +0100
|
||||
+++ openjdk/jdk/src/share/lib/security/java.security-linux Wed Nov 02 03:31:54 2016 +0000
|
||||
@@ -276,6 +276,13 @@
|
||||
security.overridePropertiesFile=true
|
||||
|
||||
#
|
||||
+# Determines whether this properties file will be appended to
|
||||
+# using the system properties file stored at
|
||||
+# /etc/crypto-policies/back-ends/java.config
|
||||
+#
|
||||
+security.useSystemPropertiesFile=true
|
||||
+
|
||||
+#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
#
|
||||
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-macosx
|
||||
--- openjdk/jdk/src/share/lib/security/java.security-macosx Wed Oct 26 03:51:39 2016 +0100
|
||||
+++ openjdk/jdk/src/share/lib/security/java.security-macosx Wed Nov 02 03:31:54 2016 +0000
|
||||
@@ -279,6 +279,13 @@
|
||||
security.overridePropertiesFile=true
|
||||
|
||||
#
|
||||
+# Determines whether this properties file will be appended to
|
||||
+# using the system properties file stored at
|
||||
+# /etc/crypto-policies/back-ends/java.config
|
||||
+#
|
||||
+security.useSystemPropertiesFile=false
|
||||
+
|
||||
+#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
#
|
||||
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-solaris
|
||||
--- openjdk/jdk/src/share/lib/security/java.security-solaris Wed Oct 26 03:51:39 2016 +0100
|
||||
+++ openjdk/jdk/src/share/lib/security/java.security-solaris Wed Nov 02 03:31:54 2016 +0000
|
||||
@@ -278,6 +278,13 @@
|
||||
security.overridePropertiesFile=true
|
||||
|
||||
#
|
||||
+# Determines whether this properties file will be appended to
|
||||
+# using the system properties file stored at
|
||||
+# /etc/crypto-policies/back-ends/java.config
|
||||
+#
|
||||
+security.useSystemPropertiesFile=false
|
||||
+
|
||||
+#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
#
|
||||
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-windows
|
||||
--- openjdk/jdk/src/share/lib/security/java.security-windows Wed Oct 26 03:51:39 2016 +0100
|
||||
+++ openjdk/jdk/src/share/lib/security/java.security-windows Wed Nov 02 03:31:54 2016 +0000
|
||||
@@ -279,6 +279,13 @@
|
||||
security.overridePropertiesFile=true
|
||||
|
||||
#
|
||||
+# Determines whether this properties file will be appended to
|
||||
+# using the system properties file stored at
|
||||
+# /etc/crypto-policies/back-ends/java.config
|
||||
+#
|
||||
+security.useSystemPropertiesFile=false
|
||||
+
|
||||
+#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
# the javax.net.ssl package.
|
||||
#
|
||||
|
78
SOURCES/pr3655-toggle_system_crypto_policy.patch
Normal file
78
SOURCES/pr3655-toggle_system_crypto_policy.patch
Normal file
@ -0,0 +1,78 @@
|
||||
# HG changeset patch
|
||||
# User andrew
|
||||
# Date 1545198926 0
|
||||
# Wed Dec 19 05:55:26 2018 +0000
|
||||
# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
|
||||
# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
|
||||
PR3655: Allow use of system crypto policy to be disabled by the user
|
||||
Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
|
||||
|
||||
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
|
||||
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
|
||||
+++ openjdk/jdk/src/share/classes/java/security/Security.java
|
||||
@@ -122,31 +122,6 @@
|
||||
}
|
||||
|
||||
if ("true".equalsIgnoreCase(props.getProperty
|
||||
- ("security.useSystemPropertiesFile"))) {
|
||||
-
|
||||
- // now load the system file, if it exists, so its values
|
||||
- // will win if they conflict with the earlier values
|
||||
- try (BufferedInputStream bis =
|
||||
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
|
||||
- props.load(bis);
|
||||
- loadedProps = true;
|
||||
-
|
||||
- if (sdebug != null) {
|
||||
- sdebug.println("reading system security properties file " +
|
||||
- SYSTEM_PROPERTIES);
|
||||
- sdebug.println(props.toString());
|
||||
- }
|
||||
- } catch (IOException e) {
|
||||
- if (sdebug != null) {
|
||||
- sdebug.println
|
||||
- ("unable to load security properties from " +
|
||||
- SYSTEM_PROPERTIES);
|
||||
- e.printStackTrace();
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if ("true".equalsIgnoreCase(props.getProperty
|
||||
("security.overridePropertiesFile"))) {
|
||||
|
||||
String extraPropFile = System.getProperty
|
||||
@@ -212,6 +187,33 @@
|
||||
}
|
||||
}
|
||||
|
||||
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
|
||||
+ if (disableSystemProps == null &&
|
||||
+ "true".equalsIgnoreCase(props.getProperty
|
||||
+ ("security.useSystemPropertiesFile"))) {
|
||||
+
|
||||
+ // now load the system file, if it exists, so its values
|
||||
+ // will win if they conflict with the earlier values
|
||||
+ try (BufferedInputStream bis =
|
||||
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
|
||||
+ props.load(bis);
|
||||
+ loadedProps = true;
|
||||
+
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("reading system security properties file " +
|
||||
+ SYSTEM_PROPERTIES);
|
||||
+ sdebug.println(props.toString());
|
||||
+ }
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println
|
||||
+ ("unable to load security properties from " +
|
||||
+ SYSTEM_PROPERTIES);
|
||||
+ e.printStackTrace();
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!loadedProps) {
|
||||
initializeStatic();
|
||||
if (sdebug != null) {
|
@ -17,7 +17,7 @@ fi
|
||||
d=`mktemp -d`
|
||||
NW=$d/$f
|
||||
pushd $d
|
||||
unzip $ORIG
|
||||
jar xf $ORIG
|
||||
cat $M
|
||||
# sed -i "s/Created-By.*/Created-By: 1.7.0/g" $M
|
||||
sed -i "s/Created-By.*/Created-By: $2/g" $M
|
@ -0,0 +1,66 @@
|
||||
diff --git a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
|
||||
--- openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
|
||||
+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
|
||||
@@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
|
||||
+ * Copyright (c) 2014 Red Hat Inc.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@@ -61,13 +62,13 @@
|
||||
|
||||
private static void checkKeySize(int keysize)
|
||||
throws InvalidParameterException {
|
||||
- boolean supported = ((keysize == 2048) || (keysize == 3072) ||
|
||||
+ boolean supported = ((keysize == 2048) || (keysize == 3072) || (keysize == 4096) ||
|
||||
((keysize >= 512) && (keysize <= 1024) && ((keysize & 0x3F) == 0)));
|
||||
|
||||
if (!supported) {
|
||||
throw new InvalidParameterException(
|
||||
"DH key size must be multiple of 64 and range " +
|
||||
- "from 512 to 1024 (inclusive), or 2048, 3072. " +
|
||||
+ "from 512 to 1024 (inclusive), or 2048, 3072, 4096. " +
|
||||
"The specific key size " + keysize + " is not supported");
|
||||
}
|
||||
}
|
||||
diff --git a/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java b/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
|
||||
--- openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
|
||||
+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
|
||||
@@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
|
||||
+ * Copyright (c) 2014 Red Hat Inc.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@@ -58,7 +59,7 @@
|
||||
*/
|
||||
private enum Sizes {
|
||||
two56(256), three84(384), five12(512), seven68(768), ten24(1024),
|
||||
- twenty48(2048);
|
||||
+ twenty48(2048), forty96(4096);
|
||||
|
||||
private final int intSize;
|
||||
private final BigInteger bigIntValue;
|
||||
@@ -130,6 +131,19 @@
|
||||
kp = kpg.generateKeyPair();
|
||||
checkKeyPair(kp, Sizes.twenty48, Sizes.five12);
|
||||
|
||||
+ kpg.initialize(Sizes.forty96.getIntSize());
|
||||
+ kp = kpg.generateKeyPair();
|
||||
+ checkKeyPair(kp, Sizes.forty96, Sizes.twenty48);
|
||||
+
|
||||
+ publicKey = (DHPublicKey)kp.getPublic();
|
||||
+ p = publicKey.getParams().getP();
|
||||
+ g = publicKey.getParams().getG();
|
||||
+
|
||||
+ // test w/ all values specified
|
||||
+ kpg.initialize(new DHParameterSpec(p, g, Sizes.ten24.getIntSize()));
|
||||
+ kp = kpg.generateKeyPair();
|
||||
+ checkKeyPair(kp, Sizes.forty96, Sizes.ten24);
|
||||
+
|
||||
System.out.println("OK");
|
||||
}
|
||||
|
||||
|
@ -1,16 +0,0 @@
|
||||
diff -uNr openjdk-orig/jdk/src/share/classes/java/awt/Toolkit.java jdk8/jdk/src/share/classes/java/awt/Toolkit.java
|
||||
--- openjdk-orig/jdk/src/share/classes/java/awt/Toolkit.java 2009-01-23 11:59:47.000000000 -0500
|
||||
+++ jdk8/jdk/src/share/classes/java/awt/Toolkit.java 2009-01-23 12:05:20.000000000 -0500
|
||||
@@ -883,7 +883,11 @@
|
||||
return null;
|
||||
}
|
||||
});
|
||||
- loadAssistiveTechnologies();
|
||||
+ try {
|
||||
+ loadAssistiveTechnologies();
|
||||
+ } catch ( AWTError error) {
|
||||
+ // ignore silently
|
||||
+ }
|
||||
}
|
||||
return toolkit;
|
||||
}
|
@ -1,12 +1,11 @@
|
||||
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
|
||||
index 9d1c8fe8a8e..a80a3c12abb 100644
|
||||
--- a/jdk/src/share/lib/security/java.security-linux
|
||||
+++ b/jdk/src/share/lib/security/java.security-linux
|
||||
@@ -74,6 +74,7 @@ security.provider.6=sun.security.jgss.SunProvider
|
||||
diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
|
||||
--- openjdk/jdk/src/share/lib/security/java.security-linux Tue May 16 13:29:05 2017 -0700
|
||||
+++ openjdk/jdk/src/share/lib/security/java.security-linux Tue Jun 06 14:05:12 2017 +0200
|
||||
@@ -74,6 +74,7 @@
|
||||
security.provider.7=com.sun.security.sasl.Provider
|
||||
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
|
||||
security.provider.9=sun.security.smartcardio.SunPCSC
|
||||
+#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
|
||||
|
||||
#
|
||||
# Security providers used when FIPS mode support is active
|
||||
# Sun Provider SecureRandom seed source.
|
||||
|
208
SOURCES/rh1655466-global_crypto_and_fips.patch
Normal file
208
SOURCES/rh1655466-global_crypto_and_fips.patch
Normal file
@ -0,0 +1,208 @@
|
||||
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
|
||||
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
|
||||
+++ openjdk/jdk/src/share/classes/java/security/Security.java
|
||||
@@ -191,27 +191,7 @@
|
||||
if (disableSystemProps == null &&
|
||||
"true".equalsIgnoreCase(props.getProperty
|
||||
("security.useSystemPropertiesFile"))) {
|
||||
-
|
||||
- // now load the system file, if it exists, so its values
|
||||
- // will win if they conflict with the earlier values
|
||||
- try (BufferedInputStream bis =
|
||||
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
|
||||
- props.load(bis);
|
||||
- loadedProps = true;
|
||||
-
|
||||
- if (sdebug != null) {
|
||||
- sdebug.println("reading system security properties file " +
|
||||
- SYSTEM_PROPERTIES);
|
||||
- sdebug.println(props.toString());
|
||||
- }
|
||||
- } catch (IOException e) {
|
||||
- if (sdebug != null) {
|
||||
- sdebug.println
|
||||
- ("unable to load security properties from " +
|
||||
- SYSTEM_PROPERTIES);
|
||||
- e.printStackTrace();
|
||||
- }
|
||||
- }
|
||||
+ loadedProps = loadedProps && SystemConfigurator.configure(props);
|
||||
}
|
||||
|
||||
if (!loadedProps) {
|
||||
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -0,0 +1,153 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2019, Red Hat, Inc.
|
||||
+ *
|
||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
+ *
|
||||
+ * This code is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License version 2 only, as
|
||||
+ * published by the Free Software Foundation.
|
||||
+ *
|
||||
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||
+ * accompanied this code).
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License version
|
||||
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *
|
||||
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
+ * or visit www.oracle.com if you need additional information or have any
|
||||
+ * questions.
|
||||
+ */
|
||||
+
|
||||
+package java.security;
|
||||
+
|
||||
+import java.io.BufferedInputStream;
|
||||
+import java.io.FileInputStream;
|
||||
+import java.io.IOException;
|
||||
+
|
||||
+import java.nio.file.Files;
|
||||
+import java.nio.file.FileSystems;
|
||||
+import java.nio.file.Path;
|
||||
+
|
||||
+import java.util.Iterator;
|
||||
+import java.util.Map.Entry;
|
||||
+import java.util.Properties;
|
||||
+import java.util.function.Consumer;
|
||||
+import java.util.regex.Matcher;
|
||||
+import java.util.regex.Pattern;
|
||||
+
|
||||
+import sun.security.util.Debug;
|
||||
+
|
||||
+/**
|
||||
+ * Internal class to align OpenJDK with global crypto-policies.
|
||||
+ * Called from java.security.Security class initialization,
|
||||
+ * during startup.
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+class SystemConfigurator {
|
||||
+
|
||||
+ private static final Debug sdebug =
|
||||
+ Debug.getInstance("properties");
|
||||
+
|
||||
+ private static final String CRYPTO_POLICIES_BASE_DIR =
|
||||
+ "/etc/crypto-policies";
|
||||
+
|
||||
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
|
||||
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
|
||||
+
|
||||
+ private static final String CRYPTO_POLICIES_CONFIG =
|
||||
+ CRYPTO_POLICIES_BASE_DIR + "/config";
|
||||
+
|
||||
+ private static final class SecurityProviderInfo {
|
||||
+ int number;
|
||||
+ String key;
|
||||
+ String value;
|
||||
+ SecurityProviderInfo(int number, String key, String value) {
|
||||
+ this.number = number;
|
||||
+ this.key = key;
|
||||
+ this.value = value;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Invoked when java.security.Security class is initialized, if
|
||||
+ * java.security.disableSystemPropertiesFile property is not set and
|
||||
+ * security.useSystemPropertiesFile is true.
|
||||
+ */
|
||||
+ static boolean configure(Properties props) {
|
||||
+ boolean loadedProps = false;
|
||||
+
|
||||
+ try (BufferedInputStream bis =
|
||||
+ new BufferedInputStream(
|
||||
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
|
||||
+ props.load(bis);
|
||||
+ loadedProps = true;
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("reading system security properties file " +
|
||||
+ CRYPTO_POLICIES_JAVA_CONFIG);
|
||||
+ sdebug.println(props.toString());
|
||||
+ }
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("unable to load security properties from " +
|
||||
+ CRYPTO_POLICIES_JAVA_CONFIG);
|
||||
+ e.printStackTrace();
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ try {
|
||||
+ if (enableFips()) {
|
||||
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
|
||||
+ loadedProps = false;
|
||||
+ // Remove all security providers
|
||||
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
|
||||
+ while (i.hasNext()) {
|
||||
+ Entry<Object, Object> e = i.next();
|
||||
+ if (((String) e.getKey()).startsWith("security.provider")) {
|
||||
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
|
||||
+ i.remove();
|
||||
+ }
|
||||
+ }
|
||||
+ // Add FIPS security providers
|
||||
+ String fipsProviderValue = null;
|
||||
+ for (int n = 1;
|
||||
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
|
||||
+ String fipsProviderKey = "security.provider." + n;
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Adding provider " + n + ": " +
|
||||
+ fipsProviderKey + "=" + fipsProviderValue);
|
||||
+ }
|
||||
+ props.put(fipsProviderKey, fipsProviderValue);
|
||||
+ }
|
||||
+ loadedProps = true;
|
||||
+ }
|
||||
+ } catch (Exception e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("unable to load FIPS configuration");
|
||||
+ e.printStackTrace();
|
||||
+ }
|
||||
+ }
|
||||
+ return loadedProps;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
|
||||
+ * and the com.redhat.fips property is true.
|
||||
+ */
|
||||
+ private static boolean enableFips() throws Exception {
|
||||
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
+ if (fipsEnabled) {
|
||||
+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
|
||||
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
|
||||
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
|
||||
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
|
||||
+ return pattern.matcher(cryptoPoliciesConfig).find();
|
||||
+ } else {
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
|
||||
--- openjdk.orig/jdk/src/share/lib/security/java.security-linux
|
||||
+++ openjdk/jdk/src/share/lib/security/java.security-linux
|
||||
@@ -77,6 +77,14 @@
|
||||
#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
|
||||
|
||||
#
|
||||
+# Security providers used when global crypto-policies are set to FIPS.
|
||||
+#
|
||||
+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
|
||||
+fips.provider.2=sun.security.provider.Sun
|
||||
+fips.provider.3=sun.security.ec.SunEC
|
||||
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
|
||||
+
|
||||
+#
|
||||
# Sun Provider SecureRandom seed source.
|
||||
#
|
||||
# Select the primary source of seed data for the "SHA1PRNG" and
|
@ -1,13 +0,0 @@
|
||||
--- openjdk/jdk/src/solaris/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100
|
||||
+++ openjdk/jdk/src/solaris/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100
|
||||
@@ -48,8 +48,8 @@
|
||||
|
||||
private final static String PROP_NAME = "sun.security.smartcardio.library";
|
||||
|
||||
- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
|
||||
- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
|
||||
+ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
|
||||
+ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
|
||||
private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
|
||||
|
||||
PlatformPCSC() {
|
52
SOURCES/rh1760838-fips_default_keystore_type.patch
Normal file
52
SOURCES/rh1760838-fips_default_keystore_type.patch
Normal file
@ -0,0 +1,52 @@
|
||||
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
|
||||
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
|
||||
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
|
||||
@@ -123,6 +123,33 @@
|
||||
}
|
||||
props.put(fipsProviderKey, fipsProviderValue);
|
||||
}
|
||||
+ // Add other security properties
|
||||
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
|
||||
+ if (keystoreTypeValue != null) {
|
||||
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
|
||||
+ props.put("keystore.type", keystoreTypeValue);
|
||||
+ if (keystoreTypeValue.equals("PKCS11")) {
|
||||
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
|
||||
+ // must be "NONE". See JDK-8238264.
|
||||
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
|
||||
+ }
|
||||
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
|
||||
+ // If no trustStoreType has been set, use the
|
||||
+ // previous keystore.type under FIPS mode. In
|
||||
+ // a default configuration, the Trust Store will
|
||||
+ // be 'cacerts' (JKS type).
|
||||
+ System.setProperty("javax.net.ssl.trustStoreType",
|
||||
+ nonFipsKeystoreType);
|
||||
+ }
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("FIPS mode default keystore.type = " +
|
||||
+ keystoreTypeValue);
|
||||
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
|
||||
+ System.getProperty("javax.net.ssl.keyStore", ""));
|
||||
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
|
||||
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
|
||||
+ }
|
||||
+ }
|
||||
loadedProps = true;
|
||||
}
|
||||
} catch (Exception e) {
|
||||
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
|
||||
--- openjdk.orig/jdk/src/share/lib/security/java.security-linux Thu Jan 23 18:22:31 2020 -0300
|
||||
+++ openjdk/jdk/src/share/lib/security/java.security-linux Mon Mar 02 19:20:17 2020 -0300
|
||||
@@ -179,6 +179,11 @@
|
||||
keystore.type=jks
|
||||
|
||||
#
|
||||
+# Default keystore type used when global crypto-policies are set to FIPS.
|
||||
+#
|
||||
+fips.keystore.type=PKCS11
|
||||
+
|
||||
+#
|
||||
# Controls compatibility mode for the JKS keystore type.
|
||||
#
|
||||
# When set to 'true', the JKS keystore type supports loading
|
327
SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
Normal file
327
SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
Normal file
@ -0,0 +1,327 @@
|
||||
diff -r bbc65dfa59d1 src/share/classes/java/security/SystemConfigurator.java
|
||||
--- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
|
||||
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
|
||||
@@ -1,11 +1,13 @@
|
||||
/*
|
||||
- * Copyright (c) 2019, Red Hat, Inc.
|
||||
+ * Copyright (c) 2019, 2020, Red Hat, Inc.
|
||||
*
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
- * published by the Free Software Foundation.
|
||||
+ * published by the Free Software Foundation. Oracle designates this
|
||||
+ * particular file as subject to the "Classpath" exception as provided
|
||||
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
@@ -34,10 +36,10 @@
|
||||
import java.util.Iterator;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Properties;
|
||||
-import java.util.function.Consumer;
|
||||
-import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
+import sun.misc.SharedSecrets;
|
||||
+import sun.misc.JavaSecuritySystemConfiguratorAccess;
|
||||
import sun.security.util.Debug;
|
||||
|
||||
/**
|
||||
@@ -47,7 +49,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
-class SystemConfigurator {
|
||||
+final class SystemConfigurator {
|
||||
|
||||
private static final Debug sdebug =
|
||||
Debug.getInstance("properties");
|
||||
@@ -61,15 +63,16 @@
|
||||
private static final String CRYPTO_POLICIES_CONFIG =
|
||||
CRYPTO_POLICIES_BASE_DIR + "/config";
|
||||
|
||||
- private static final class SecurityProviderInfo {
|
||||
- int number;
|
||||
- String key;
|
||||
- String value;
|
||||
- SecurityProviderInfo(int number, String key, String value) {
|
||||
- this.number = number;
|
||||
- this.key = key;
|
||||
- this.value = value;
|
||||
- }
|
||||
+ private static boolean systemFipsEnabled = false;
|
||||
+
|
||||
+ static {
|
||||
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||
+ new JavaSecuritySystemConfiguratorAccess() {
|
||||
+ @Override
|
||||
+ public boolean isSystemFipsEnabled() {
|
||||
+ return SystemConfigurator.isSystemFipsEnabled();
|
||||
+ }
|
||||
+ });
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -128,9 +131,9 @@
|
||||
String nonFipsKeystoreType = props.getProperty("keystore.type");
|
||||
props.put("keystore.type", keystoreTypeValue);
|
||||
if (keystoreTypeValue.equals("PKCS11")) {
|
||||
- // If keystore.type is PKCS11, javax.net.ssl.keyStore
|
||||
- // must be "NONE". See JDK-8238264.
|
||||
- System.setProperty("javax.net.ssl.keyStore", "NONE");
|
||||
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
|
||||
+ // must be "NONE". See JDK-8238264.
|
||||
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
|
||||
}
|
||||
if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
|
||||
// If no trustStoreType has been set, use the
|
||||
@@ -144,12 +147,13 @@
|
||||
sdebug.println("FIPS mode default keystore.type = " +
|
||||
keystoreTypeValue);
|
||||
sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
|
||||
- System.getProperty("javax.net.ssl.keyStore", ""));
|
||||
+ System.getProperty("javax.net.ssl.keyStore", ""));
|
||||
sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
|
||||
System.getProperty("javax.net.ssl.trustStoreType", ""));
|
||||
}
|
||||
}
|
||||
loadedProps = true;
|
||||
+ systemFipsEnabled = true;
|
||||
}
|
||||
} catch (Exception e) {
|
||||
if (sdebug != null) {
|
||||
@@ -165,20 +165,37 @@
|
||||
return loadedProps;
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * Returns whether or not global system FIPS alignment is enabled.
|
||||
+ *
|
||||
+ * Value is always 'false' before java.security.Security class is
|
||||
+ * initialized.
|
||||
+ *
|
||||
+ * Call from out of this package through SharedSecrets:
|
||||
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ * .isSystemFipsEnabled();
|
||||
+ *
|
||||
+ * @return a boolean value indicating whether or not global
|
||||
+ * system FIPS alignment is enabled.
|
||||
+ */
|
||||
+ static boolean isSystemFipsEnabled() {
|
||||
+ return systemFipsEnabled;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* FIPS is enabled only if crypto-policies are set to "FIPS"
|
||||
* and the com.redhat.fips property is true.
|
||||
*/
|
||||
private static boolean enableFips() throws Exception {
|
||||
- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
- if (fipsEnabled) {
|
||||
- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
|
||||
- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
|
||||
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
|
||||
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
|
||||
- return pattern.matcher(cryptoPoliciesConfig).find();
|
||||
- } else {
|
||||
- return false;
|
||||
- }
|
||||
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
+ if (shouldEnable) {
|
||||
+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
|
||||
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
|
||||
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
|
||||
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
|
||||
+ return pattern.matcher(cryptoPoliciesConfig).find();
|
||||
+ } else {
|
||||
+ return false;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
|
||||
@@ -0,0 +1,30 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2020, Red Hat, Inc.
|
||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
+ *
|
||||
+ * This code is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License version 2 only, as
|
||||
+ * published by the Free Software Foundation. Oracle designates this
|
||||
+ * particular file as subject to the "Classpath" exception as provided
|
||||
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||
+ *
|
||||
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||
+ * accompanied this code).
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License version
|
||||
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *
|
||||
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
+ * or visit www.oracle.com if you need additional information or have any
|
||||
+ * questions.
|
||||
+ */
|
||||
+
|
||||
+package sun.misc;
|
||||
+
|
||||
+public interface JavaSecuritySystemConfiguratorAccess {
|
||||
+ boolean isSystemFipsEnabled();
|
||||
+}
|
||||
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
|
||||
--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
|
||||
+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
|
||||
@@ -63,6 +63,7 @@
|
||||
private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
|
||||
private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
|
||||
private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
|
||||
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
|
||||
|
||||
public static JavaUtilJarAccess javaUtilJarAccess() {
|
||||
if (javaUtilJarAccess == null) {
|
||||
@@ -248,4 +249,12 @@
|
||||
}
|
||||
return javaxCryptoSealedObjectAccess;
|
||||
}
|
||||
+
|
||||
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
|
||||
+ javaSecuritySystemConfiguratorAccess = jssca;
|
||||
+ }
|
||||
+
|
||||
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
|
||||
+ return javaSecuritySystemConfiguratorAccess;
|
||||
+ }
|
||||
}
|
||||
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
|
||||
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
|
||||
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
|
||||
@@ -31,6 +31,7 @@
|
||||
import java.security.cert.*;
|
||||
import java.util.*;
|
||||
import javax.net.ssl.*;
|
||||
+import sun.misc.SharedSecrets;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.provider.certpath.AlgorithmChecker;
|
||||
import sun.security.validator.Validator;
|
||||
@@ -539,20 +540,38 @@
|
||||
|
||||
static {
|
||||
if (SunJSSE.isFIPS()) {
|
||||
- supportedProtocols = Arrays.asList(
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10
|
||||
- );
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ supportedProtocols = Arrays.asList(
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ );
|
||||
|
||||
- serverDefaultProtocols = getAvailableProtocols(
|
||||
- new ProtocolVersion[] {
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10
|
||||
- });
|
||||
+ serverDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
+ } else {
|
||||
+ supportedProtocols = Arrays.asList(
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ );
|
||||
+
|
||||
+ serverDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
+ }
|
||||
} else {
|
||||
supportedProtocols = Arrays.asList(
|
||||
ProtocolVersion.TLS13,
|
||||
@@ -612,6 +631,16 @@
|
||||
|
||||
static ProtocolVersion[] getSupportedProtocols() {
|
||||
if (SunJSSE.isFIPS()) {
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ return new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ };
|
||||
+ }
|
||||
return new ProtocolVersion[] {
|
||||
ProtocolVersion.TLS13,
|
||||
ProtocolVersion.TLS12,
|
||||
@@ -939,6 +968,16 @@
|
||||
|
||||
static ProtocolVersion[] getProtocols() {
|
||||
if (SunJSSE.isFIPS()) {
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ return new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ };
|
||||
+ }
|
||||
return new ProtocolVersion[]{
|
||||
ProtocolVersion.TLS12,
|
||||
ProtocolVersion.TLS11,
|
||||
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
|
||||
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
|
||||
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
|
||||
@@ -30,6 +30,8 @@
|
||||
|
||||
import java.security.*;
|
||||
|
||||
+import sun.misc.SharedSecrets;
|
||||
+
|
||||
/**
|
||||
* The JSSE provider.
|
||||
*
|
||||
@@ -215,8 +217,13 @@
|
||||
"sun.security.ssl.SSLContextImpl$TLS11Context");
|
||||
put("SSLContext.TLSv1.2",
|
||||
"sun.security.ssl.SSLContextImpl$TLS12Context");
|
||||
- put("SSLContext.TLSv1.3",
|
||||
- "sun.security.ssl.SSLContextImpl$TLS13Context");
|
||||
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ put("SSLContext.TLSv1.3",
|
||||
+ "sun.security.ssl.SSLContextImpl$TLS13Context");
|
||||
+ }
|
||||
put("SSLContext.TLS",
|
||||
"sun.security.ssl.SSLContextImpl$TLSContext");
|
||||
if (isfips == false) {
|
@ -0,0 +1,65 @@
|
||||
# HG changeset patch
|
||||
# User andrew
|
||||
# Date 1608219816 0
|
||||
# Thu Dec 17 15:43:36 2020 +0000
|
||||
# Node ID db5d1b28bfce04352b3a48960bf836f6eb20804b
|
||||
# Parent a2cfa397150e99b813354226d536eb8509b5850b
|
||||
RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
|
||||
|
||||
diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
|
||||
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
|
||||
+++ openjdk/jdk/src/share/classes/java/security/Security.java
|
||||
@@ -30,6 +30,8 @@
|
||||
import java.util.concurrent.ConcurrentHashMap;
|
||||
import java.io.*;
|
||||
import java.net.URL;
|
||||
+import sun.misc.SharedSecrets;
|
||||
+import sun.misc.JavaSecuritySystemConfiguratorAccess;
|
||||
import sun.security.util.Debug;
|
||||
import sun.security.util.PropertyExpander;
|
||||
|
||||
@@ -69,6 +71,15 @@
|
||||
}
|
||||
|
||||
static {
|
||||
+ // Initialise here as used by code with system properties disabled
|
||||
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||
+ new JavaSecuritySystemConfiguratorAccess() {
|
||||
+ @Override
|
||||
+ public boolean isSystemFipsEnabled() {
|
||||
+ return SystemConfigurator.isSystemFipsEnabled();
|
||||
+ }
|
||||
+ });
|
||||
+
|
||||
// doPrivileged here because there are multiple
|
||||
// things in initialize that might require privs.
|
||||
// (the FileInputStream call and the File.exists call,
|
||||
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
|
||||
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
|
||||
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -39,8 +39,6 @@
|
||||
import java.util.Properties;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
-import sun.misc.SharedSecrets;
|
||||
-import sun.misc.JavaSecuritySystemConfiguratorAccess;
|
||||
import sun.security.util.Debug;
|
||||
|
||||
/**
|
||||
@@ -66,16 +64,6 @@
|
||||
|
||||
private static boolean systemFipsEnabled = false;
|
||||
|
||||
- static {
|
||||
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||
- new JavaSecuritySystemConfiguratorAccess() {
|
||||
- @Override
|
||||
- public boolean isSystemFipsEnabled() {
|
||||
- return SystemConfigurator.isSystemFipsEnabled();
|
||||
- }
|
||||
- });
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* Invoked when java.security.Security class is initialized, if
|
||||
* java.security.disableSystemPropertiesFile property is not set and
|
344
SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
Normal file
344
SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
Normal file
@ -0,0 +1,344 @@
|
||||
diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk
|
||||
--- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk
|
||||
+++ openjdk/jdk/make/lib/SecurityLibraries.gmk
|
||||
@@ -289,3 +289,34 @@
|
||||
|
||||
endif
|
||||
endif
|
||||
+
|
||||
+################################################################################
|
||||
+# Create the systemconf library
|
||||
+
|
||||
+LIBSYSTEMCONF_CFLAGS :=
|
||||
+LIBSYSTEMCONF_CXXFLAGS :=
|
||||
+
|
||||
+ifeq ($(USE_SYSCONF_NSS), true)
|
||||
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
|
||||
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
|
||||
+endif
|
||||
+
|
||||
+ifeq ($(OPENJDK_BUILD_OS), linux)
|
||||
+ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
|
||||
+ LIBRARY := systemconf, \
|
||||
+ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
|
||||
+ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
|
||||
+ LANG := C, \
|
||||
+ OPTIMIZATION := LOW, \
|
||||
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
|
||||
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
|
||||
+ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
|
||||
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
|
||||
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
|
||||
+ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
|
||||
+ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
|
||||
+ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
|
||||
+
|
||||
+ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
|
||||
+endif
|
||||
+
|
||||
diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
|
||||
@@ -0,0 +1,35 @@
|
||||
+#
|
||||
+# Copyright (c) 2021, Red Hat, Inc.
|
||||
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
+#
|
||||
+# This code is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License version 2 only, as
|
||||
+# published by the Free Software Foundation. Oracle designates this
|
||||
+# particular file as subject to the "Classpath" exception as provided
|
||||
+# by Oracle in the LICENSE file that accompanied this code.
|
||||
+#
|
||||
+# This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+# version 2 for more details (a copy is included in the LICENSE file that
|
||||
+# accompanied this code).
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License version
|
||||
+# 2 along with this work; if not, write to the Free Software Foundation,
|
||||
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+#
|
||||
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
+# or visit www.oracle.com if you need additional information or have any
|
||||
+# questions.
|
||||
+#
|
||||
+
|
||||
+# Define public interface.
|
||||
+
|
||||
+SUNWprivate_1.1 {
|
||||
+ global:
|
||||
+ DEF_JNI_OnLoad;
|
||||
+ DEF_JNI_OnUnLoad;
|
||||
+ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
|
||||
+ local:
|
||||
+ *;
|
||||
+};
|
||||
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
|
||||
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
|
||||
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2019, 2020, Red Hat, Inc.
|
||||
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
|
||||
*
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
@@ -30,14 +30,9 @@
|
||||
import java.io.FileInputStream;
|
||||
import java.io.IOException;
|
||||
|
||||
-import java.nio.file.Files;
|
||||
-import java.nio.file.FileSystems;
|
||||
-import java.nio.file.Path;
|
||||
-
|
||||
import java.util.Iterator;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Properties;
|
||||
-import java.util.regex.Pattern;
|
||||
|
||||
import sun.security.util.Debug;
|
||||
|
||||
@@ -59,10 +54,21 @@
|
||||
private static final String CRYPTO_POLICIES_JAVA_CONFIG =
|
||||
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
|
||||
|
||||
- private static final String CRYPTO_POLICIES_CONFIG =
|
||||
- CRYPTO_POLICIES_BASE_DIR + "/config";
|
||||
+ private static boolean systemFipsEnabled = false;
|
||||
+
|
||||
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
|
||||
+
|
||||
+ private static native boolean getSystemFIPSEnabled()
|
||||
+ throws IOException;
|
||||
|
||||
- private static boolean systemFipsEnabled = false;
|
||||
+ static {
|
||||
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
||||
+ public Void run() {
|
||||
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
|
||||
+ return null;
|
||||
+ }
|
||||
+ });
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Invoked when java.security.Security class is initialized, if
|
||||
@@ -171,17 +177,34 @@
|
||||
}
|
||||
|
||||
/*
|
||||
- * FIPS is enabled only if crypto-policies are set to "FIPS"
|
||||
- * and the com.redhat.fips property is true.
|
||||
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
|
||||
+ * system property is true (default) and the system is in FIPS mode.
|
||||
+ *
|
||||
+ * There are 2 possible ways in which OpenJDK detects that the system
|
||||
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
|
||||
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
|
||||
+ * /proc/sys/crypto/fips_enabled file is read.
|
||||
*/
|
||||
- private static boolean enableFips() throws Exception {
|
||||
+ private static boolean enableFips() throws IOException {
|
||||
boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
if (shouldEnable) {
|
||||
- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
|
||||
- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
|
||||
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
|
||||
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
|
||||
- return pattern.matcher(cryptoPoliciesConfig).find();
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
|
||||
+ }
|
||||
+ try {
|
||||
+ shouldEnable = getSystemFIPSEnabled();
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
|
||||
+ + shouldEnable);
|
||||
+ }
|
||||
+ return shouldEnable;
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
|
||||
+ sdebug.println(e.getMessage());
|
||||
+ }
|
||||
+ throw e;
|
||||
+ }
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
|
||||
@@ -0,0 +1,168 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2021, Red Hat, Inc.
|
||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
+ *
|
||||
+ * This code is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License version 2 only, as
|
||||
+ * published by the Free Software Foundation. Oracle designates this
|
||||
+ * particular file as subject to the "Classpath" exception as provided
|
||||
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||
+ *
|
||||
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||
+ * accompanied this code).
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License version
|
||||
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *
|
||||
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
+ * or visit www.oracle.com if you need additional information or have any
|
||||
+ * questions.
|
||||
+ */
|
||||
+
|
||||
+#include <dlfcn.h>
|
||||
+#include <jni.h>
|
||||
+#include <jni_util.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+#ifdef SYSCONF_NSS
|
||||
+#include <nss3/pk11pub.h>
|
||||
+#endif //SYSCONF_NSS
|
||||
+
|
||||
+#include "java_security_SystemConfigurator.h"
|
||||
+
|
||||
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
|
||||
+#define MSG_MAX_SIZE 96
|
||||
+
|
||||
+static jmethodID debugPrintlnMethodID = NULL;
|
||||
+static jobject debugObj = NULL;
|
||||
+
|
||||
+static void throwIOException(JNIEnv *env, const char *msg);
|
||||
+static void dbgPrint(JNIEnv *env, const char* msg);
|
||||
+
|
||||
+/*
|
||||
+ * Class: java_security_SystemConfigurator
|
||||
+ * Method: JNI_OnLoad
|
||||
+ */
|
||||
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
|
||||
+{
|
||||
+ JNIEnv *env;
|
||||
+ jclass sysConfCls, debugCls;
|
||||
+ jfieldID sdebugFld;
|
||||
+
|
||||
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
|
||||
+ return JNI_EVERSION; /* JNI version not supported */
|
||||
+ }
|
||||
+
|
||||
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
|
||||
+ if (sysConfCls == NULL) {
|
||||
+ printf("libsystemconf: SystemConfigurator class not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
|
||||
+ "sdebug", "Lsun/security/util/Debug;");
|
||||
+ if (sdebugFld == NULL) {
|
||||
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
|
||||
+ if (debugObj != NULL) {
|
||||
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
|
||||
+ if (debugCls == NULL) {
|
||||
+ printf("libsystemconf: Debug class not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
|
||||
+ "println", "(Ljava/lang/String;)V");
|
||||
+ if (debugPrintlnMethodID == NULL) {
|
||||
+ printf("libsystemconf: Debug::println(String) method not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
|
||||
+ }
|
||||
+
|
||||
+ return (*env)->GetVersion(env);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Class: java_security_SystemConfigurator
|
||||
+ * Method: JNI_OnUnload
|
||||
+ */
|
||||
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
|
||||
+{
|
||||
+ JNIEnv *env;
|
||||
+
|
||||
+ if (debugObj != NULL) {
|
||||
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
|
||||
+ return; /* Should not happen */
|
||||
+ }
|
||||
+ (*env)->DeleteGlobalRef(env, debugObj);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
|
||||
+ (JNIEnv *env, jclass cls)
|
||||
+{
|
||||
+ int fips_enabled;
|
||||
+ char msg[MSG_MAX_SIZE];
|
||||
+ int msg_bytes;
|
||||
+
|
||||
+#ifdef SYSCONF_NSS
|
||||
+
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
|
||||
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
|
||||
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||
+ dbgPrint(env, msg);
|
||||
+ } else {
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||
+ " SECMOD_GetSystemFIPSEnabled return value");
|
||||
+ }
|
||||
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
|
||||
+
|
||||
+#else // SYSCONF_NSS
|
||||
+
|
||||
+ FILE *fe;
|
||||
+
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
|
||||
+ }
|
||||
+ fips_enabled = fgetc(fe);
|
||||
+ fclose(fe);
|
||||
+ if (fips_enabled == EOF) {
|
||||
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
|
||||
+ }
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
+ " read character is '%c'", fips_enabled);
|
||||
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||
+ dbgPrint(env, msg);
|
||||
+ } else {
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||
+ " read character");
|
||||
+ }
|
||||
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
|
||||
+
|
||||
+#endif // SYSCONF_NSS
|
||||
+}
|
||||
+
|
||||
+static void throwIOException(JNIEnv *env, const char *msg)
|
||||
+{
|
||||
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
|
||||
+ if (cls != 0)
|
||||
+ (*env)->ThrowNew(env, cls, msg);
|
||||
+}
|
||||
+
|
||||
+static void dbgPrint(JNIEnv *env, const char* msg)
|
||||
+{
|
||||
+ jstring jMsg;
|
||||
+ if (debugObj != NULL) {
|
||||
+ jMsg = (*env)->NewStringUTF(env, msg);
|
||||
+ CHECK_NULL(jMsg);
|
||||
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
|
||||
+ }
|
||||
+}
|
152
SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
Normal file
152
SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
Normal file
@ -0,0 +1,152 @@
|
||||
diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac
|
||||
--- openjdk.orig/common/autoconf/configure.ac
|
||||
+++ openjdk/common/autoconf/configure.ac
|
||||
@@ -212,6 +212,7 @@
|
||||
LIB_SETUP_ALSA
|
||||
LIB_SETUP_FONTCONFIG
|
||||
LIB_SETUP_MISC_LIBS
|
||||
+LIB_SETUP_SYSCONF_LIBS
|
||||
LIB_SETUP_STATIC_LINK_LIBSTDCPP
|
||||
LIB_SETUP_ON_WINDOWS
|
||||
|
||||
diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
|
||||
--- openjdk.orig/common/autoconf/libraries.m4
|
||||
+++ openjdk/common/autoconf/libraries.m4
|
||||
@@ -1067,3 +1067,63 @@
|
||||
BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
|
||||
fi
|
||||
])
|
||||
+
|
||||
+################################################################################
|
||||
+# Setup system configuration libraries
|
||||
+################################################################################
|
||||
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
|
||||
+[
|
||||
+ ###############################################################################
|
||||
+ #
|
||||
+ # Check for the NSS library
|
||||
+ #
|
||||
+
|
||||
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
|
||||
+
|
||||
+ # default is not available
|
||||
+ DEFAULT_SYSCONF_NSS=no
|
||||
+
|
||||
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
|
||||
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
|
||||
+ [
|
||||
+ case "${enableval}" in
|
||||
+ yes)
|
||||
+ sysconf_nss=yes
|
||||
+ ;;
|
||||
+ *)
|
||||
+ sysconf_nss=no
|
||||
+ ;;
|
||||
+ esac
|
||||
+ ],
|
||||
+ [
|
||||
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
|
||||
+ ])
|
||||
+ AC_MSG_RESULT([$sysconf_nss])
|
||||
+
|
||||
+ USE_SYSCONF_NSS=false
|
||||
+ if test "x${sysconf_nss}" = "xyes"; then
|
||||
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
|
||||
+ if test "x${NSS_FOUND}" = "xyes"; then
|
||||
+ AC_MSG_CHECKING([for system FIPS support in NSS])
|
||||
+ saved_libs="${LIBS}"
|
||||
+ saved_cflags="${CFLAGS}"
|
||||
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
|
||||
+ LIBS="${LIBS} ${NSS_LIBS}"
|
||||
+ AC_LANG_PUSH([C])
|
||||
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
|
||||
+ [[SECMOD_GetSystemFIPSEnabled()]])],
|
||||
+ [AC_MSG_RESULT([yes])],
|
||||
+ [AC_MSG_RESULT([no])
|
||||
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
|
||||
+ AC_LANG_POP([C])
|
||||
+ CFLAGS="${saved_cflags}"
|
||||
+ LIBS="${saved_libs}"
|
||||
+ USE_SYSCONF_NSS=true
|
||||
+ else
|
||||
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
|
||||
+ dnl in nss3/pk11pub.h.
|
||||
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
|
||||
+ fi
|
||||
+ fi
|
||||
+ AC_SUBST(USE_SYSCONF_NSS)
|
||||
+])
|
||||
diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in
|
||||
--- openjdk.orig/common/autoconf/spec.gmk.in
|
||||
+++ openjdk/common/autoconf/spec.gmk.in
|
||||
@@ -312,6 +312,10 @@
|
||||
ALSA_LIBS:=@ALSA_LIBS@
|
||||
ALSA_CFLAGS:=@ALSA_CFLAGS@
|
||||
|
||||
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
|
||||
+NSS_LIBS:=@NSS_LIBS@
|
||||
+NSS_CFLAGS:=@NSS_CFLAGS@
|
||||
+
|
||||
PACKAGE_PATH=@PACKAGE_PATH@
|
||||
|
||||
# Source file for cacerts
|
||||
diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl
|
||||
--- openjdk.orig/common/bin/compare_exceptions.sh.incl
|
||||
+++ openjdk/common/bin/compare_exceptions.sh.incl
|
||||
@@ -280,6 +280,7 @@
|
||||
./jre/lib/i386/libsplashscreen.so
|
||||
./jre/lib/i386/libsunec.so
|
||||
./jre/lib/i386/libsunwjdga.so
|
||||
+./jre/lib/i386/libsystemconf.so
|
||||
./jre/lib/i386/libt2k.so
|
||||
./jre/lib/i386/libunpack.so
|
||||
./jre/lib/i386/libverify.so
|
||||
@@ -433,6 +434,7 @@
|
||||
./jre/lib/amd64/libsplashscreen.so
|
||||
./jre/lib/amd64/libsunec.so
|
||||
./jre/lib/amd64/libsunwjdga.so
|
||||
+//jre/lib/amd64/libsystemconf.so
|
||||
./jre/lib/amd64/libt2k.so
|
||||
./jre/lib/amd64/libunpack.so
|
||||
./jre/lib/amd64/libverify.so
|
||||
@@ -587,6 +589,7 @@
|
||||
./jre/lib/sparc/libsplashscreen.so
|
||||
./jre/lib/sparc/libsunec.so
|
||||
./jre/lib/sparc/libsunwjdga.so
|
||||
+./jre/lib/sparc/libsystemconf.so
|
||||
./jre/lib/sparc/libt2k.so
|
||||
./jre/lib/sparc/libunpack.so
|
||||
./jre/lib/sparc/libverify.so
|
||||
@@ -741,6 +744,7 @@
|
||||
./jre/lib/sparcv9/libsplashscreen.so
|
||||
./jre/lib/sparcv9/libsunec.so
|
||||
./jre/lib/sparcv9/libsunwjdga.so
|
||||
+./jre/lib/sparcv9/libsystemconf.so
|
||||
./jre/lib/sparcv9/libt2k.so
|
||||
./jre/lib/sparcv9/libunpack.so
|
||||
./jre/lib/sparcv9/libverify.so
|
||||
diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml
|
||||
--- openjdk.orig/common/nb_native/nbproject/configurations.xml
|
||||
+++ openjdk/common/nb_native/nbproject/configurations.xml
|
||||
@@ -53,6 +53,9 @@
|
||||
<in>jvmtiEnterTrace.cpp</in>
|
||||
</df>
|
||||
</df>
|
||||
+ <df name="libsystemconf">
|
||||
+ <in>systemconf.c</in>
|
||||
+ </df>
|
||||
</df>
|
||||
</df>
|
||||
<df name="jdk">
|
||||
@@ -12772,6 +12775,11 @@
|
||||
tool="0"
|
||||
flavor2="0">
|
||||
</item>
|
||||
+ <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
|
||||
+ ex="false"
|
||||
+ tool="0"
|
||||
+ flavor2="0">
|
||||
+ </item>
|
||||
<item path="../../jdk/src/share/native/java/util/TimeZone.c"
|
||||
ex="false"
|
||||
tool="0"
|
55
SOURCES/rh1996182-login_to_nss_software_token.patch
Normal file
55
SOURCES/rh1996182-login_to_nss_software_token.patch
Normal file
@ -0,0 +1,55 @@
|
||||
# HG changeset patch
|
||||
# User mbalao
|
||||
# Date 1630103180 -3600
|
||||
# Fri Aug 27 23:26:20 2021 +0100
|
||||
# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
|
||||
# Parent c90394a76ee02a689f95199559d5724824b4b25e
|
||||
RH1996182: Login to the NSS Software Token in FIPS Mode
|
||||
|
||||
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
@@ -42,6 +42,8 @@
|
||||
import javax.security.auth.callback.PasswordCallback;
|
||||
import javax.security.auth.callback.TextOutputCallback;
|
||||
|
||||
+import sun.misc.SharedSecrets;
|
||||
+
|
||||
import sun.security.util.Debug;
|
||||
import sun.security.util.ResourcesMgr;
|
||||
|
||||
@@ -58,6 +60,9 @@
|
||||
*/
|
||||
public final class SunPKCS11 extends AuthProvider {
|
||||
|
||||
+ private static final boolean systemFipsEnabled = SharedSecrets
|
||||
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
||||
+
|
||||
private static final long serialVersionUID = -1354835039035306505L;
|
||||
|
||||
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||
@@ -368,6 +373,24 @@
|
||||
if (nssModule != null) {
|
||||
nssModule.setProvider(this);
|
||||
}
|
||||
+ if (systemFipsEnabled) {
|
||||
+ // The NSS Software Token in FIPS 140-2 mode requires a user
|
||||
+ // login for most operations. See sftk_fipsCheck. The NSS DB
|
||||
+ // (/etc/pki/nssdb) PIN is empty.
|
||||
+ Session session = null;
|
||||
+ try {
|
||||
+ session = token.getOpSession();
|
||||
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
|
||||
+ } catch (PKCS11Exception p11e) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Error during token login: " +
|
||||
+ p11e.getMessage());
|
||||
+ }
|
||||
+ throw p11e;
|
||||
+ } finally {
|
||||
+ token.releaseSession(session);
|
||||
+ }
|
||||
+ }
|
||||
} catch (Exception e) {
|
||||
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
||||
throw new UnsupportedOperationException
|
@ -16,7 +16,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenan
|
||||
Atomic::add(val, &_sum);
|
||||
|
||||
- int mag = log2_intptr(val) + 1;
|
||||
+ int mag = log2_long(val) + 1;
|
||||
+ int mag = log2_intptr((uintptr_t)val) + 1;
|
||||
|
||||
// Defensively saturate for product bits:
|
||||
if (mag < 0) {
|
||||
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user