From 73b83554810275199b0cbff29f6c2ad239495960 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 9 Nov 2021 04:47:17 -0500
Subject: [PATCH] import java-11-openjdk-11.0.12.0.7-4.el8
---
 .gitignore | 2 +-
 .java-11-openjdk.metadata | 2 +-
 SOURCES/NEWS | 352 ------------
 ...69668-rh1977671-aarch64_lib_path_fix.patch | 32 ++
 ...929465-improve_system_FIPS_detection.patch | 430 +++++++++++++++
 .../rh1996182-extend_security_policy.patch | 18 +
 ...h1996182-login_to_nss_software_token.patch | 66 +++
 SPECS/java-11-openjdk.spec | 508 +++++++++---------
 8 files changed, 802 insertions(+), 608 deletions(-)
 create mode 100644 SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
 create mode 100644 SOURCES/rh1929465-improve_system_FIPS_detection.patch
 create mode 100644 SOURCES/rh1996182-extend_security_policy.patch
 create mode 100644 SOURCES/rh1996182-login_to_nss_software_token.patch
diff --git a/.gitignore b/.gitignore
index 8a39ad5..09ab344 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz
+SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index 78958a2..42cb995 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-e36bde565834fe738fd222d419cfedc23ab80cee SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz
+7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index df6dc0c..26c3f66 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
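Review bot: The source tarball named in `.java-11-openjdk.metadata` and `.gitignore` goes from `jdk-11.0.13+8` back to `jdk-11.0.12+7`, and the `SOURCES/NEWS` hunk of this same commit deletes the 11.0.13 section that lists the security fixes (CVE-2021-35550, CVE-2021-35565 and the others named there). Relative to the parent shown here, a build from this tree would presumably not carry those fixes, so the commit description should state which branch this import targets and that the older base is intended. The new entry `7459fbf6c597831b6039c3a608048131cb637528` looks like the only integrity reference for the replaced archive; it is worth comparing it against the published 11.0.12+7 source archive before this is accepted.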
@@ -3,358 +3,6 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 11.0.13 (2021-10-19): -============================================= -Live versions of these release notes can be found at: - * https://bitly.com/openjdk11013 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt - -* Security fixes - - JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference - - JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close - - JDK-8263314: Enhance XML Dsig modes - - JDK-8265167, CVE-2021-35556: Richer Text Editors - - JDK-8265574: Improve handling of sheets - - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit - - JDK-8265776: Improve Stream handling for SSL - - JDK-8266097, CVE-2021-35561: Better hashing support - - JDK-8266103: Better specified spec values - - JDK-8266109: More Resilient Classloading - - JDK-8266115: More Manifest Jar Loading - - JDK-8266137, CVE-2021-35564: Improve Keystore integrity - - JDK-8266689, CVE-2021-35567: More Constrained Delegation - - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic - - JDK-8267712: Better LDAP reference processing - - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking - - JDK-8267735, CVE-2021-35586: Better BMP support - - JDK-8268193: Improve requests of certificates - - JDK-8268199: Correct certificate requests - - JDK-8268205: Enhance DTLS client handshake - - JDK-8268506: More Manifest Digests - - JDK-8269618, CVE-2021-35603: Better session identification - - JDK-8269624: Enhance method selection support - - JDK-8270398: Enhance canonicalization - - JDK-8270404: Better canonicalization -* Other changes - - JDK-8024368: private methods are allocated vtable indices - - JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently - - JDK-8140466: 
ChaCha20 and Poly1305 TLS Cipher Suites - - JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream - - JDK-8158066: SourceDebugExtensionTest fails to rename file - - JDK-8168304: Make all of DependencyContext_test available in product mode - - JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException - - JDK-8181313: SA: Remove libthread_db dependency on Linux - - JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9 - - JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException - - JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails - - JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received" - - JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes - - JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales. - - JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed - - JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64 - - JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration - - JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings - - JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test - - JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java - - JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java - - JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test - - JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test - - JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests - - JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests - - JDK-8210495: compiler crashes because 
of illegal signature in otherwise legal code - - JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout - - JDK-8210802: temp files left by tests in jdk/java/net/httpclient - - JDK-8210819: Update the host name in CNameTest.java - - JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test - - JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK - - JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'. - - JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected - - JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up - - JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang - - JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up - - JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12 - - JDK-8212695: Add explicit timeout to several HTTP Client tests - - JDK-8212718: Refactor some annotation processor tests to better use collections - - JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java - - JDK-8213137: Remove static initialization of monitor/mutex instances - - JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit - - JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests - - JDK-8213576: Make test AsyncCloseChannel.java run in othervm - - JDK-8213694: Test Timeout.java should run in othervm mode - - JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003 - - JDK-8213922: fix ctw stand-alone build - - JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java - - JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order - - JDK-8214937: 
sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date - - JDK-8216532: tools/launcher/Test7029048.java fails (Solaris) - - JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests - - JDK-8218145: block_if_requested is not proper inlined due to size - - JDK-8219417: bump jtreg requiredVersion to b14 - - JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/ - - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException - - JDK-8220445: Support for side by side MSVC Toolset versions - - JDK-8221988: add possibility to build with Visual Studio 2019 - - JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail - - JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods - - JDK-8224853: CDS address sanitizer errors - - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 - - JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions - - JDK-8225690: Multiple AttachListener threads can be created - - JDK-8225790: Two NestedDialogs tests fail on Ubuntu - - JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java - - JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly - - JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK - - JDK-8226683: Remove review suggestion from fix to 8219804 - - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134" - - JDK-8227766: CheckUnhandledOops is broken in MemAllocator - - JDK-8227815: Minimal VM: set_state is not a member of AttachListener - - JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes - - JDK-8230808: Remove Access::equals() - - JDK-8230841: Remove oopDesc::equals() - - 
JDK-8231717: Improve performance of charset decoding when charset is always compactable - - JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100% - - JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64) - - JDK-8233790: Forward output from heap dumper to jcmd/jmap - - JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java - - JDK-8234510: Remove file seeking requirement for writing a heap dump - - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file - - JDK-8235216: typo in test filename - - JDK-8235866: bump jtreg requiredVersion to 4.2b16 - - JDK-8236111: narrow allowSmartActionArgs disabling - - JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException - - JDK-8236671: NullPointerException in JKS keystore - - JDK-8238930: problem list compiler/c2/Test8004741.java - - JDK-8238943: switch to jtreg 5.0 - - JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test - - JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files - - JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration - - JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler - - JDK-8241768: git needs .gitattributes - - JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException - - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty" - - JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases - - JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]" - - JDK-8246387: switch to jtreg 5.1 - - JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob - - JDK-8247469: getSystemCpuLoad() returns -1 on linux when 
some offline cpus are present and cpusets.effective_cpus is not available - - JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open - - JDK-8248403: AArch64: Remove uses of kernel integer types - - JDK-8248414: AArch64: Remove uses of long and unsigned long ints - - JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model - - JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread - - JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC - - JDK-8248671: AArch64: Remove unused variables - - JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper - - JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply - - JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows - - JDK-8249548: backward focus traversal gets stuck in button group - - JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference - - JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id - - JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id - - JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id - - JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call - - JDK-8250824: AArch64: follow up for JDK-8248414 - - JDK-8251166: Add automated testcases for changes done in JDK-8214112 - - JDK-8251252: Add automated testcase for fix done in JDK-8214253 - - JDK-8251254: Add automated test for fix done in JDK-8218472 - - JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test - - JDK-8251549: Update docs on building for Git - - JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports() - - JDK-8252194: Add automated test for fix done in JDK-8218469 - - JDK-8252648: Shenandoah: name gang tasks consistently - - JDK-8252825: Add automated test for fix done in JDK-8218479 - - JDK-8252853: AArch64: 
gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1 - - JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent - - JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller - - JDK-8253424: Add support for running pre-submit testing using GitHub Actions - - JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165 - - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably - - JDK-8253899: Make IsClassUnloadingEnabled signature match specification - - JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image - - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command - - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow - - JDK-8254175: Build no-pch configuration in debug mode for submit checks - - JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation - - JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c - - JDK-8254282: Add Linux x86_32 builds to submit workflow - - JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments - - JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1 - - JDK-8255305: Add Linux x86_32 tier1 to submit workflow - - JDK-8255352: Archive important test outputs in submit workflow - - JDK-8255373: Submit workflow artifact name is always "test-results_.zip" - - JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop - - JDK-8255718: Zero: VM should know it runs in interpreter-only mode - - JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux - - JDK-8255810: Zero: build fails without JVMTI - - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch - - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow - - JDK-8256215: Shenandoah: re-organize 
saving/restoring machine state in assembler code - - JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE - - JDK-8256277: Github Action build on macOS should define OS and Xcode versions - - JDK-8256354: Github Action build on Windows should define OS and MSVC versions - - JDK-8256393: Github Actions build on Linux should define OS and GCC versions - - JDK-8256414: add optimized build to submit workflow - - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing - - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors - - JDK-8257148: Remove obsolete code in AWTView.m - - JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 - - JDK-8257620: Do not use objc_msgSend_stret to get macOS version - - JDK-8257913: Add more known library locations to simplify Linux cross-compilation - - JDK-8258703: Incorrect 512-bit vector registers restore on x86_32 - - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test - - JDK-8259535: ECDSA SignatureValue do not always have the specified length - - JDK-8259679: GitHub actions should use MSVC 14.28 - - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386" - - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386" - - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) - - JDK-8260923: Add more tests for SSLSocket input/output shutdown - - JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention - - JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions - - JDK-8261238: NMT should not limit baselining by size threshold - - JDK-8261496: Shenandoah: reconsider pacing updates memory ordering - - JDK-8261652: Remove some dead comments from os_bsd_x86 - - JDK-8261846: [JVMCI] c2v_iterateFrames can get out 
of sync with the StackFrameStream - - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space" - - JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info. - - JDK-8262392: Update Mesa 3-D Headers to version 21.0.3 - - JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception" - - JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows - - JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java - - JDK-8263136: C4530 was reported from VS 2019 at access bridge - - JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block - - JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers" - - JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X) - - JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems - - JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod - - JDK-8263531: Remove unused buffer int - - JDK-8263667: Avoid running GitHub actions on branches named pr/* - - JDK-8263776: [JVMCI] add helper to perform Java upcalls - - JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI - - JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M - - JDK-8265132: C2 compilation fails with assert "missing precedence edge" - - JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821 - - JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description - - JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter - - JDK-8265761: Font with missed font family name is not properly printed on 
Windows - - JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API - - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container - - JDK-8266018: Shenandoah: fix an incorrect assert - - JDK-8266206: Build failure after JDK-8264752 with older GCCs - - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5 - - JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong - - JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report - - JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation - - JDK-8266615: C2 incorrectly folds subtype checks involving an interface array - - JDK-8266642: Improve ResolvedMethodTable hash function - - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems - - JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted - - JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress - - JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header - - JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes - - JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance - - JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion - - JDK-8267424: CTW: C1 fails with "State must not be null" - - JDK-8267459: Pasting Unicode characters into JShell does not work. 
- - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type - - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file - - JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13 - - JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID - - JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly - - JDK-8268103: JNI functions incorrectly return a double after JDK-8265836 - - JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size - - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. - - JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code - - JDK-8268360: Missing check for infinite loop during node placement - - JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop - - JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan - - JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check - - JDK-8268417: Add test from JDK-8268360 - - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance - - JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE - - JDK-8268620: InfiniteLoopException test may fail on x86 platforms - - JDK-8268635: Corrupt oop in ClassLoaderData - - JDK-8268699: Shenandoah: Add test for JDK-8268127 - - JDK-8268771: javadoc -notimestamp option does not work on index.html - - JDK-8268775: Password is being converted to String in AccessibleJPasswordField - - JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag - - JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server - - JDK-8269304: Regression ~5% in 2005 in b27 - - JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u - - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient - - JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in 
Windows debug build - - JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark - - JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation - - JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string - - JDK-8269661: JNI_GetStringCritical does not lock char array - - JDK-8269668: [aarch64] java.library.path not including /usr/lib64 - - JDK-8269763: The JEditorPane is blank after JDK-8265167 - - JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV - - JDK-8269847: JDK-8269594 backport breaks 11u builds - - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 - - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - - JDK-8269882: stack-use-after-scope in NewObjectA - - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status - - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode - - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup - - JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas - - JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas - - JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA - - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file - - JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies - - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj - - JDK-8272197: Update 11u GHA workflow with Shenandoah configurations - - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 
- - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 - - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used - - JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32 - - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 - - JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u - - JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8271434: Removed IdenTrust Root Certificate -=============================================== -The following root certificate from IdenTrust has been removed from -the `cacerts` keystore: - -Alias Name: identrustdstx3 [jdk] -Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. - -JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280 -===================================================================================================== -The `gencert` command of the `keytool` utility has been updated to -create AKID from the SKID of the issuing certificate as specified by -RFC 5280. - -security-libs/javax.net.ssl: - -JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites -==================================================== -New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have -been added to JSSE. These cipher suites are enabled by default. The -TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. -The following cipher suites are available for TLS 1.2: - -* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 -* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - -Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for -details on these new TLS cipher suites. 
-
-JDK-8219551: Updated the Default Enabled Cipher Suites Preference
-=================================================================
-The preference of the default enabled cipher suites has been
-changed. The compatibility impact should be minimal. If needed,
-applications can customize the enabled cipher suites and the
-preference. For more details, refer to the SunJSSE provider
-documentation and the JSSE Reference Guide documentation.
-
 New in release OpenJDK 11.0.12 (2021-07-20):
 =============================================
 Live versions of these release notes can be found at:
diff --git a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
new file mode 100644
index 0000000..ddf686c
--- /dev/null
+++ b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
@@ -0,0 +1,32 @@
+From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
+From: Severin Gehwolf
+Date: Wed, 14 Jul 2021 12:06:39 +0200
+Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
+
+---
+ src/hotspot/os/linux/os_linux.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
+index e8baf704e3a..12b75b733b5 100644
+--- a/src/hotspot/os/linux/os_linux.cpp
++++ b/src/hotspot/os/linux/os_linux.cpp
+@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
+ // 7: The default directories, normally /lib and /usr/lib.
+ #if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
+ #define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
++#else
++#if defined(AARCH64)
++ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
++ // might not adhere to the FHS and it would be a change in behaviour if we used
++ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
++ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
+ #else
+ #define DEFAULT_LIBPATH "/lib:/usr/lib"
++#endif // AARCH64
+ #endif
+
+ // Base path of extensions installed on the system.
+--
+2.31.1
+
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection.patch b/SOURCES/rh1929465-improve_system_FIPS_detection.patch
new file mode 100644
index 0000000..2cdf6f7
--- /dev/null
+++ b/SOURCES/rh1929465-improve_system_FIPS_detection.patch
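Review bot: On AArch64 the new `DEFAULT_LIBPATH` lists `/lib:/usr/lib` ahead of `/usr/lib64:/lib64`, so a library present under the same name in both places resolves to the 32-bit-directory copy first; the added comment gives the compatibility reason but not that consequence. I would add one line to it, for example `// Note: a library found in /lib or /usr/lib is picked before the /usr/lib64 copy.`, and adjust the existing `// 7: The default directories, normally /lib and /usr/lib.` line, which no longer describes this branch. The nested `#else` / `#if defined(AARCH64)` … `#endif // AARCH64` could also be written as a single `#elif defined(AARCH64)` branch, which drops the extra `#endif`. `os::init_system_properties_values()` starts and ends outside the hunk.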
@@ -0,0 +1,430 @@ +diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4 +--- openjdk.orig/make/autoconf/libraries.m4 ++++ openjdk/make/autoconf/libraries.m4 +@@ -101,6 +101,7 @@ + LIB_SETUP_LIBFFI + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS ++ LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_SOLARIS_STLPORT + LIB_TESTS_SETUP_GRAALUNIT + +@@ -223,3 +224,62 @@ + fi + ]) + ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl 
NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in +--- openjdk.orig/make/autoconf/spec.gmk.in ++++ openjdk/make/autoconf/spec.gmk.in +@@ -828,6 +828,10 @@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk +--- openjdk.orig/make/lib/Lib-java.base.gmk ++++ openjdk/make/lib/Lib-java.base.gmk +@@ -179,6 +179,31 @@ + endif + + ################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ ++################################################################################ + # Create the symbols file for static builds. 
+ + ifeq ($(STATIC_BUILD), true) +diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml +--- openjdk.orig/make/nb_native/nbproject/configurations.xml ++++ openjdk/make/nb_native/nbproject/configurations.xml +@@ -2950,6 +2950,9 @@ + LinuxWatchService.c + + ++ ++ systemconf.c ++ + + + +@@ -29301,6 +29304,11 @@ + tool="0" + flavor2="0"> + ++ ++ + ++#include ++#include ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++#define MSG_MAX_SIZE 96 ++ ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void throwIOException(JNIEnv *env, const char *msg); ++static void dbgPrint(JNIEnv *env, const char* msg); ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); 
++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++#ifdef SYSCONF_NSS ++ ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = SECMOD_GetSystemFIPSEnabled(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " SECMOD_GetSystemFIPSEnabled return value"); ++ } ++ return (fips_enabled == 1 ? 
JNI_TRUE : JNI_FALSE); ++ ++#else // SYSCONF_NSS ++ ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " read character"); ++ } ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ ++#endif // SYSCONF_NSS ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, 2020, Red Hat, Inc. ++ * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
+ * +@@ -30,13 +30,9 @@ + import java.io.FileInputStream; + import java.io.IOException; + +-import java.nio.file.Files; +-import java.nio.file.Path; +- + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.regex.Pattern; + + import sun.security.util.Debug; + +@@ -58,10 +54,21 @@ + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + +- private static final String CRYPTO_POLICIES_CONFIG = +- CRYPTO_POLICIES_BASE_DIR + "/config"; ++ private static boolean systemFipsEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; + +- private static boolean systemFipsEnabled = false; ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } + + /* + * Invoked when java.security.Security class is initialized, if +@@ -170,16 +177,34 @@ + } + + /* +- * FIPS is enabled only if crypto-policies are set to "FIPS" +- * and the com.redhat.fips property is true. ++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. 
+ */ + private static boolean enableFips() throws Exception { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (shouldEnable) { +- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); +- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } +- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +- return pattern.matcher(cryptoPoliciesConfig).find(); ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } + } else { + return false; + } diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch new file mode 100644 index 0000000..78552c3 --- /dev/null +++ b/SOURCES/rh1996182-extend_security_policy.patch 
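Review bot: In rh1929465-improve_system_FIPS_detection.patch, the non-NSS branch of `Java_java_security_SystemConfigurator_getSystemFIPSEnabled` keeps running after `throwIOException`, which only sets a pending Java exception through `ThrowNew`. A failed `fopen` is therefore followed by `fgetc(fe)` and `fclose(fe)` on a NULL stream. Add `return JNI_FALSE;` directly after `throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);` and again after the `"Cannot read "` throw, where the code otherwise goes on to `dbgPrint` (`NewStringUTF`, `CallVoidMethod`) with an exception pending. Because this function decides whether the JDK enters FIPS mode, the failure path should reach `enableFips()` as a clean `IOException` rather than as undefined behaviour in native code.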
@@ -0,0 +1,18 @@
+commit 598fe421216b0a437fa36ee91a29966599867aa3
+Author: Andrew Hughes
+Date: Mon Aug 30 16:12:52 2021 +0100
+
+ RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index ab59a334cd..5db744ff17 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..d3a1dde
--- /dev/null
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
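Review bot: In rh1996182-extend_security_policy.patch, the added grant `accessClassInPackage.jdk.internal.misc` opens the whole package to `jrt:/jdk.crypto.cryptoki`. The only use visible in this commit is the `SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled()` read in `SunPKCS11`. `accessClassInPackage` cannot be narrowed to a single class, so the reason should be recorded beside the line, e.g. `// RH1996182: SunPKCS11 reads the system FIPS flag via jdk.internal.misc.SharedSecrets`. That lets the grant be removed if the lookup ever moves. Whether other classes in the module need the package cannot be seen from this hunk.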
@@ -0,0 +1,66 @@ +commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e +Author: Martin Balao +Date: Fri Aug 27 19:42:07 2021 +0100 + + RH1996182: Login to the NSS Software Token in FIPS Mode + +diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 0cf61732d7..2cd851587c 100644 +--- openjdk.orig/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -182,6 +182,7 @@ module java.base { + java.security.jgss, + java.sql, + java.xml, ++ jdk.crypto.cryptoki, + jdk.jartool, + jdk.attach, + jdk.charsets, +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index b00b738b85..1eca1f8f0a 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback; + import javax.security.auth.callback.PasswordCallback; + import javax.security.auth.callback.TextOutputCallback; + ++import jdk.internal.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; +@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software 
Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index cc4a611..3f501e9 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -7,12 +7,12 @@ # Produce release, fastdebug *and* slowdebug builds on x86_64 (default): # $ rpmbuild -ba java-11-openjdk.spec # -# Produce only release builds (no slowdebug builds) on x86_64: +# Produce only release builds (no debug builds) on x86_64: # $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug # # Only produce a release build on x86_64: # $ rhpkg mockbuild --without slowdebug --without fastdebug - +# # Enable fastdebug builds by default on relevant arches. %bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. @@ -21,8 +21,6 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs -# Remove build artifacts by default -%bcond_with artifacts # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} 
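Review bot: In rh1996182-login_to_nss_software_token.patch, the added `p11.C_Login(session.id(), CKU_USER, new char[] {})` in the `SunPKCS11` constructor is guarded only by the global `systemFipsEnabled` flag. As far as the hunk shows, it is attempted for every provider instance, not just the NSS software token the comment describes. On a token with a real PIN that is a guaranteed failed login during provider start-up, and the rethrown `PKCS11Exception` lands in the generic start-up error handling. If `nssModule` is set for the FIPS configuration, gating on it would confine the attempt to NSS: `if (systemFipsEnabled && nssModule != null) {`. The debug text could also state the assumption: `"Error during token login (empty PIN assumed): "`. The constructor starts and ends outside the hunk, so an earlier guard cannot be ruled out.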
@@ -100,7 +98,7 @@ # Set of architectures for which we build slowdebug builds %global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x # Set of architectures for which we build fastdebug builds -%global fastdebug_arches x86_64 +%global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler %global jit_arches %{debug_arches} %{arm} # Set of architectures which run a full bootstrap cycle @@ -122,7 +120,7 @@ # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 -# By default, we build a slowdebug build during main build on JIT architectures +# By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} %ifarch %{debug_arches} %global include_debug_build 1 @@ -176,7 +174,7 @@ # If you disable both builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics -%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %if %{include_staticlibs} %global staticlibs_loop %{staticlibs_suffix} 
@@ -190,28 +188,22 @@ %global bootstrap_build 1 %endif +%if %{bootstrap_build} +%global release_targets bootcycle-images docs-zip +%else +%global release_targets images docs-zip +%endif +# No docs nor bootcycle for debug builds +%global debug_targets images + %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from # other targets since this target is configured to use in-tree # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib # and possibly others %global static_libs_target static-libs-image -%else -%global static_libs_target %{nil} %endif -# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM -%global debug_symbols internal - -# unlike portables,the rpms have to use static_libs_target very dynamically -%global bootstrap_targets images -%global release_targets images docs-zip -# No docs nor bootcycle for debug builds -%global debug_targets images - -# Disable LTO as this causes build failures at the moment. -# See RHBZ#1861401 -%define _lto_cflags %{nil} # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 @@ -297,7 +289,7 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 13 +%global updatever 12 %global patchver 0 # If you bump featurever, you must bump also vendor_version_string # Used via new version scheme. JDK 11 was @@ -344,8 +336,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 8 -%global rpmrelease 1 +%global buildver 7 +%global rpmrelease 4 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk 
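Review bot: In SPECS/java-11-openjdk.spec, `updatever` goes from 13 to 12 and `buildver` from 8 to 7, so this spec builds 11.0.12+7 where the previous revision built 11.0.13+8. The NEWS hunk of the same commit removes the 11.0.13 (2021-10-19) section together with its CVE-tagged security fixes. If this branch has already published the 11.0.13 package, the import replaces it with a build that lacks those fixes, and the lower version will not be picked up as an upgrade. It is worth confirming the import order is intended and noting it beside the macros, e.g. `# 11.0.12+7 predates the 11.0.13 (2021-10-19) security release`.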
@@ -359,7 +351,7 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} # Omit trailing 0 in filenames when the patch version is 0 %if 0%{?patchver} > 0 @@ -395,7 +387,6 @@ %global static_libs_image static-libs # output dir stub %define buildoutputdir() %{expand:build/jdk11.build%{?1}} -%define installoutputdir() %{expand:install/jdk11.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk 
@@ -405,7 +396,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.* +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.* %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -764,6 +755,7 @@ exit 0 %endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so 
@@ -1019,19 +1011,23 @@ Requires: tzdata-java >= 2021a # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} +%if ! 0%{?flatpak} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression -Requires: copy-jdk-configs >= 3.3 +Requires: copy-jdk-configs >= 4.0 OrderWithRequires: copy-jdk-configs +%endif # for printing support Requires: cups-libs -# for FIPS PKCS11 provider -Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} +# in version 1.7 and higher for --family switch +Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{alternatives_requires} +# in version 1.7 and higher for --family switch +Requires(postun): chkconfig >= 1.7 # for optional support of kernel stream control, card reader and printing bindings %if 0%{?rhel} >= 8 Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa} @@ -1056,8 +1052,12 @@ Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} +# in version 1.7 and higher for --family switch +Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{alternatives_requires} +# in version 1.7 and higher for --family switch +Requires(postun): chkconfig >= 1.7 # Standard JPackage devel provides Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} 
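Review bot: In SPECS/java-11-openjdk.spec, the explicit runtime dependency `Requires: nss` (commented "for FIPS PKCS11 provider") is dropped, while the same commit makes the JDK depend on NSS more, not less. The build now uses `--enable-sysconf-nss` with `BuildRequires: nss-devel >= 3.53`, `libsystemconf.so` is linked with `$(NSS_LIBS)`, and SunPKCS11 logs in to the NSS software token in FIPS mode. RPM's automatic library dependencies will probably still pull NSS in through `libsystemconf.so`, but that leaves the FIPS path resting on an implicit dependency with no stated minimum. Keeping it explicit and matched to the build requirement would be `Requires: nss >= 3.53`. The enclosing macro definition starts outside the hunk.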
@@ -1098,7 +1098,6 @@ Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} %endif } @@ -1106,8 +1105,12 @@ Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install javadoc alternative Requires(post): %{alternatives_requires} +# in version 1.7 and higher for --family switch +Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall javadoc alternative Requires(postun): %{alternatives_requires} +# in version 1.7 and higher for --family switch +Requires(postun): chkconfig >= 1.7 # Standard JPackage javadoc provides Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} @@ -1125,7 +1128,6 @@ Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-src%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} %endif } @@ -1147,9 +1149,7 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} Epoch: 1 Summary: %{origin_nice} %{featurever} Runtime Environment -%if 0%{?rhel} <= 8 Group: Development/Languages -%endif # HotSpot code is licensed under GPLv2 # JDK library code is licensed under GPLv2 with the Classpath exception 
@@ -1217,7 +1217,7 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch Patch2: rh1648644-java_access_bridge_privileged_security.patch # NSS via SunPKCS11 Provider (disabled due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) +# enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch # RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY Patch1003: rh1842572-rsa_default_for_keytool.patch @@ -1231,6 +1231,11 @@ Patch1002: rh1818909-fips_default_keystore_type.patch Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch # RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess Patch1007: rh1915071-always_initialise_configurator_access.patch +# RH1929465: Improve system FIPS detection +Patch1008: rh1929465-improve_system_FIPS_detection.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1009: rh1996182-login_to_nss_software_token.patch +Patch1010: rh1996182-extend_security_policy.patch ############################################# # @@ -1257,13 +1262,15 @@ Patch7: pr3695-toggle_system_crypto_policy.patch ############################################# # -# Patches appearing in 11.0.10 +# Patches appearing in 11.0.13 # # This section includes patches which are present # in the listed OpenJDK 11u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# +# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64 +Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch BuildRequires: autoconf BuildRequires: automake 
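Review bot: In SPECS/java-11-openjdk.spec, the new comment above `Patch600` loses the bug and CVE reference that tied `rh1750419-redhat_alt_java.patch` to the speculative store bypass issue. Keep the traceable form, `# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)`, which also matches the `# RHnnnnnnn:` prefix on the neighbouring patch comments. In the following hunk `Patch1010` has no comment of its own. A line such as `# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc` would record why a policy change ships with the FIPS login patch.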
@@ -1290,8 +1297,8 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg -BuildRequires: nss-devel +# Requirements for setting up the nss.cfg and FIPS support +BuildRequires: nss-devel >= 3.53 BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1310,7 +1317,6 @@ BuildRequires: gcc >= 4.8.3-8 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel %endif -BuildRequires: make # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder @@ -1322,9 +1328,7 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_debug_build} %package slowdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} -%if 0%{?rhel} <= 8 Group: Development/Languages -%endif %{java_rpo -- %{debug_suffix_unquoted}} %description slowdebug @@ -1335,9 +1339,7 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_fastdebug_build} %package fastdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} -%if 0%{?rhel} <= 8 Group: Development/Languages -%endif %{java_rpo -- %{fastdebug_suffix_unquoted}} %description fastdebug @@ -1348,9 +1350,7 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_normal_build} %package headless Summary: %{origin_nice} %{featurever} Headless Runtime Environment -%if 0%{?rhel} <= 8 Group: Development/Languages -%endif %{java_headless_rpo %{nil}} @@ -1385,9 +1385,7 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_normal_build} %package devel Summary: %{origin_nice} %{featurever} Development Environment -%if 0%{?rhel} <= 8 -Group: Development/Languages -%endif +Group: Development/Tools %{java_devel_rpo %{nil}} 
@@ -1398,9 +1396,7 @@ The %{origin_nice} %{featurever} development tools. %if %{include_debug_build} %package devel-slowdebug Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} -%if 0%{?rhel} <= 8 -Group: Development/Languages -%endif +Group: Development/Tools %{java_devel_rpo -- %{debug_suffix_unquoted}} @@ -1461,9 +1457,7 @@ The %{origin_nice} %{featurever} libraries for static linking. %if %{include_normal_build} %package jmods Summary: JMods for %{origin_nice} %{featurever} -%if 0%{?rhel} <= 8 -Group: Development/Languages -%endif +Group: Development/Tools %{java_jmods_rpo %{nil}} @@ -1474,9 +1468,7 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_debug_build} %package jmods-slowdebug Summary: JMods for %{origin_nice} %{featurever} %{debug_on} -%if 0%{?rhel} <= 8 -Group: Development/Languages -%endif +Group: Development/Tools %{java_jmods_rpo -- %{debug_suffix_unquoted}} @@ -1500,9 +1492,7 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_normal_build} %package demo Summary: %{origin_nice} %{featurever} Demos -%if 0%{?rhel} <= 8 Group: Development/Languages -%endif %{java_demo_rpo %{nil}} @@ -1513,9 +1503,7 @@ The %{origin_nice} %{featurever} demos. %if %{include_debug_build} %package demo-slowdebug Summary: %{origin_nice} %{featurever} Demos %{debug_on} -%if 0%{?rhel} <= 8 Group: Development/Languages -%endif %{java_demo_rpo -- %{debug_suffix_unquoted}} @@ -1539,9 +1527,7 @@ The %{origin_nice} %{featurever} demos. %if %{include_normal_build} %package src Summary: %{origin_nice} %{featurever} Source Bundle -%if 0%{?rhel} <= 8 Group: Development/Languages -%endif %{java_src_rpo %{nil}} @@ -1553,9 +1539,7 @@ class library source code for use by IDE indexers and debuggers. %if %{include_debug_build} %package src-slowdebug Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} -%if 0%{?rhel} <= 8 Group: Development/Languages -%endif %{java_src_rpo -- %{debug_suffix_unquoted}} 
@@ -1579,9 +1563,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n %if %{include_normal_build} %package javadoc Summary: %{origin_nice} %{featurever} API documentation -%if 0%{?rhel} <= 8 Group: Documentation -%endif Requires: javapackages-filesystem Obsoletes: javadoc-debug @@ -1592,9 +1574,7 @@ The %{origin_nice} %{featurever} API documentation. %package javadoc-zip Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive -%if 0%{?rhel} <= 8 Group: Documentation -%endif Requires: javapackages-filesystem Obsoletes: javadoc-zip-debug @@ -1654,6 +1634,7 @@ pushd %{top_level_dir_name} %patch3 -p1 %patch4 -p1 %patch7 -p1 +%patch8 -p1 popd # openjdk %patch1000 @@ -1663,6 +1644,9 @@ popd # openjdk %patch1003 %patch1004 %patch1007 +%patch1008 +%patch1009 +%patch1010 # Extract systemtap tapsets %if %{with_systemtap} @@ -1674,6 +1658,7 @@ cp -r tapset tapset%{debug_suffix} cp -r tapset tapset%{fastdebug_suffix} %endif + for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` 
@@ -1742,33 +1727,45 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif -# Fixes annocheck warnings in assembler files due to missing build notes EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" export EXTRA_CFLAGS EXTRA_ASFLAGS -function buildjdk() { - local outputdir=${1} - local installdir=${2} - local buildjdk=${3} - local maketargets="${4}" - local debuglevel=${5} - local link_opt=${6} +for suffix in %{build_loop} ; do +if [ "x$suffix" = "x" ] ; then + debugbuild=release +else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` +fi - local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} - local top_dir_abs_build_path=$(pwd)/${outputdir} +for loop in %{main_suffix} %{staticlibs_loop} ; do - echo "Using output directory: ${outputdir}"; - echo "Checking build JDK ${buildjdk} is operational..." - ${buildjdk}/bin/java -version - echo "Using make targets: ${maketargets}" - echo "Using debuglevel: ${debuglevel}" - echo "Using link_opt: ${link_opt}" - echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" +if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Variable used by configure and hs_err hook on build failures + link_opt="system" + # Debug builds don't need same targets as release for + # build speed-up + maketargets="%{release_targets}" + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + fi +else + # Variable used by configure and hs_err hook on build failures + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" +fi - mkdir -p ${outputdir} ${installdir} - pushd ${outputdir} 
+top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} +top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} +mkdir -p ${top_dir_abs_build_path} +pushd ${top_dir_abs_build_path} - bash ${top_dir_abs_src_path}/configure \ +bash ${top_dir_abs_src_path}/configure \ %ifnarch %{jit_arches} --with-jvm-variants=zero \ %endif @@ -1783,9 +1780,10 @@ function buildjdk() { --with-vendor-url="%{oj_vendor_url}" \ --with-vendor-bug-url="%{oj_vendor_bug_url}" \ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ - --with-boot-jdk=${buildjdk} \ - --with-debug-level=${debuglevel} \ - --with-native-debug-symbols="%{debug_symbols}" \ + --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ + --with-debug-level=$debugbuild \ + --with-native-debug-symbols=internal \ + --enable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=${link_opt} \ 
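Review bot: The `EXTRA_ASFLAGS` assignment near the top of this hunk is left unexplained once the annocheck comment is dropped, so a later maintainer has no hint that `-Wa,--generate-missing-build-notes=yes` exists for hardening verification rather than for the build itself. I would keep a one-line comment above it, e.g. `# Generate build notes for assembler files so annocheck can verify them`. The new top-level loop also expands `${top_dir_abs_build_path}` unquoted in `mkdir -p` and `pushd`; quoting it (`mkdir -p "${top_dir_abs_build_path}"`) protects against a build directory containing whitespace. The `for suffix` and `for loop` loops opened here are closed in a later hunk.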
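Review bot: `--with-native-debug-symbols=internal` replaces the `%{debug_symbols}` macro with a literal, while the check stage further down still tests each `.so` for debug symbols, so the two now have to be kept in agreement by hand. Defining the value once as a macro and using it here would keep the configure option and that check tied together. `--enable-sysconf-nss` is not explained at the point of use; judging by the changelog it presumably belongs to the FIPS-detection change (rhbz#1929465) and presumably needs the NSS development files at build time. A comment above the `configure` invocation saying so would help anyone auditing how FIPS mode is detected. The configure command starts and ends outside this hunk.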
@@ -1803,121 +1801,54 @@ function buildjdk() { --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \ --disable-warnings-as-errors - cat spec.gmk +make \ + JAVAC_FLAGS=-g \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) - make \ - JAVAC_FLAGS=-g \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) +popd >& /dev/null - popd +# Restore original source tree if we modified it by removing full in-tree sources +if [ -d %{top_level_dir_name_backup} ] ; then + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +fi - echo "Installing build from ${outputdir} to ${installdir}..." - echo "Installing images..." - mv ${outputdir}/images ${installdir} - if [ -d ${outputdir}/bundles ] ; then - echo "Installing bundles..."; - mv ${outputdir}/bundles ${installdir} ; - fi - if [ -d ${outputdir}/docs ] ; then - echo "Installing docs..."; - mv ${outputdir}/docs ${installdir} ; - fi +done # end of main / staticlibs loop -%if !%{with artifacts} - echo "Removing output directory..."; - rm -rf ${outputdir} -%endif -} +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} -function installjdk() { - local imagepath=${1} +# the build (erroneously) removes read permissions from some jars +# this is a regression in OpenJDK 7 (our compiler): +# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 +find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find 
${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; +# Build screws up permissions on binaries +# https://bugs.openjdk.java.net/browse/JDK-8173610 +find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; +find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; +# Install nss.cfg right away as we will be using the JRE above +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ +# Install nss.cfg right away as we will be using the JRE above +install -m 644 nss.cfg $JAVA_HOME/conf/security/ - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ +# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) +install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ - # Use system-wide tzdata - rm ${imagepath}/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat +# Use system-wide tzdata +rm $JAVA_HOME/lib/tzdb.dat +ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. 
javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd -} - -for suffix in %{build_loop} ; do - - if [ "x$suffix" = "x" ] ; then - debugbuild=release - else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` - fi - - systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk - - for loop in %{main_suffix} %{staticlibs_loop} ; do - - builddir=%{buildoutputdir -- ${suffix}${loop}} - bootbuilddir=boot${builddir} - installdir=%{installoutputdir -- ${suffix}${loop}} - bootinstalldir=boot${installdir} - - if test "x${loop}" = "x%{main_suffix}" ; then - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full - # Use system libraries - link_opt="system" - # Debug builds don't need same targets as release for - # build speed-up - maketargets="%{release_targets}" - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - fi -%if %{bootstrap_build} - buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} - buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} - %{!?with_artifacts:rm -rf ${bootinstalldir}} -%else - buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} -%endif - # Restore original source tree we modified by removing full in-tree sources - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} - else - # Use bundled libraries for building statically - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" - # Always just do the one build for the static libraries - buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi - - done # end of main / 
staticlibs loop - - # Final setup on the main image - top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} - installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} +# Create fake alt-java as a placeholder for future alt-java +pushd ${JAVA_HOME} +# add alt-java man page +echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 +cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 +popd # build cycles done # end of release / debug cycle loop @@ -1927,9 +1858,9 @@ done # end of release / debug cycle loop # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} +top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} %endif export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} @@ -1972,9 +1903,8 @@ readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c %endif -so_suffix="so" # Check debug symbols are present and can identify code -find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib do if [ -f "$lib" ] ; then echo "Testing $lib for debug symbols" 
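Review bot: `export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}` sits inside the `for suffix` loop, so from the second build cycle onwards `configure` and `make` run with `JAVA_HOME` exported and pointing at the image from the previous cycle, whereas the removed `installjdk` helper used a local `imagepath`. Whether the upstream build reacts to that is not visible here, but the boot JDK is already passed explicitly and nothing in this block needs the variable exported; a plain assignment such as `imagepath=${top_dir_abs_main_build_path}/images/%{jdkimage}` (or `unset JAVA_HOME` before `done`) avoids the leak. The comment above the export is a copy of the nss.cfg one and should describe the assignment instead, e.g. `# Final setup on the main image`. The paths passed to `rm`, `ln -s`, `install` and `pushd` are unquoted as well.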
@@ -2034,16 +1964,10 @@ quit end run -version EOF -%if 0%{?fedora} > 0 -# This fails on s390x for some reason. Disable for now. See: -# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227 -%ifnarch s390x grep 'JavaCallWrapper::JavaCallWrapper' gdb.out -%endif -%endif # Check src.zip has all sources. See RHBZ#1130490 -$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' +jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' # Check class files include useful debugging information $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" @@ -2063,9 +1987,9 @@ STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} +top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} %endif jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} @@ -2133,7 +2057,7 @@ if ! echo $suffix | grep -q "debug" ; then fi # Install release notes -commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} +commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir $suffix} install -d -m 755 ${commondocdir} cp -a %{SOURCE10} ${commondocdir} @@ -2191,7 +2115,13 @@ done -- whether copy-jdk-configs is installed or not. If so, then configs are copied -- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all local posix = require "posix" -local debug = false + +if (os.getenv("debug") == "true") then + debug = true; + print("cjc: in spec debug is on") +else + debug = false; +end SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" 
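Review bot: `jar -tf $JAVA_HOME/lib/src.zip` now resolves `jar` through `PATH`, so this check runs whatever `jar` the build host provides (or fails if there is none) instead of the tool from the image under test, while the very next check still calls `$JAVA_HOME/bin/javap`. A check on a freshly built JDK should exercise that JDK's own binaries: `"$JAVA_HOME/bin/jar" -tf "$JAVA_HOME/lib/src.zip" | grep 'sun.misc.Unsafe'`. Separately, the `grep 'JavaCallWrapper::JavaCallWrapper' gdb.out` assertion is now unconditional; the removed comment recorded a failure on s390x, so if that architecture is built, the reason it is now expected to pass deserves a comment.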
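Review bot: Dropping `local` makes `debug` a global in the scriptlet's Lua state, where it replaces Lua's standard `debug` library table for any code that runs afterwards in that state, and the switch is read from an environment variable with the very generic name `debug`. If nothing outside this chunk needs the global, `local debug = (os.getenv("debug") == "true")` keeps the old scoping and replaces the five-line `if`/`else`. If the global is intentional so that the included copy_jdk_configs.lua can see it (not visible from this hunk), a comment saying so and a less collision-prone variable name would make that explicit. The scriptlet body starts and ends outside this hunk.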
@@ -2219,9 +2149,10 @@ else return end end --- run content of included file with fake args -arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} -require "copy_jdk_configs.lua" +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) -- the returns from copy_jdk_configs.lua should not affect this 'main', so it shodl run under all circumstances, except fatal error -- https://bugzilla.redhat.com/show_bug.cgi?id=1820172 -- https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ @@ -2306,6 +2237,7 @@ end %posttrans devel-slowdebug %{posttrans_devel -- %{debug_suffix_unquoted}} + %endif %if %{include_fastdebug_build} @@ -2401,6 +2333,7 @@ end %files src-slowdebug %{files_src -- %{debug_suffix_unquoted}} + %endif %if %{include_fastdebug_build} 
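Review bot: `cjc.mainProgram(args)` is called without checking what `require` returned, so if the installed copy_jdk_configs.lua does not return a module table with `mainProgram` (for instance an older copy that only runs as a script), the call raises an error and the scriptlet fails. The changelog says backward compatibility was dropped deliberately; in that case the minimum copy-jdk-configs version should be enforced by the package's dependencies, which is not visible in this hunk, or the call guarded with `if type(cjc) == "table" and cjc.mainProgram then cjc.mainProgram(args) end`. `cjc` and `args` are also created as globals and could be `local`. The long comment on the `arg = nil` line is hard to read and would be clearer as `-- clear any inherited arg so copy_jdk_configs.lua is used as a module, not run as a script`.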
@@ -2430,79 +2363,146 @@ end %endif %changelog -* Wed Oct 13 2021 Andrew Hughes - 1:11.0.13.0.8-1 -- Update to jdk-11.0.12.0+8 -- Update release notes to 11.0.12.0+8 -- Switch to GA mode for final release. -- This tarball is embargoed until 2021-10-19 @ 1pm PT. -- Resolves: rhbz#2012333 +* Mon Aug 30 2021 Andrew Hughes - 1:11.0.12.0.7-4 +- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc. +- Resolves: rhbz#1997357 -* Tue Oct 12 2021 Andrew Hughes - 1:11.0.13.0.7-0.1.ea -- Update to jdk-11.0.13.0+7 -- Update release notes to 11.0.13.0+7 -- Update tarball generation script to use git following OpenJDK 11u's move to github -- Switch to EA mode for 11.0.13 pre-release builds. -- Remove non-Free test from source tarball. -- Related: rhbz#2011826 +* Fri Aug 27 2021 Andrew Hughes - 1:11.0.12.0.7-3 +- Add patch to login to the NSS software token when in FIPS mode. +- Resolves: rhbz#1997357 -* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-1 -- Restructure the build so a minimal initial build is then used for the final build (with docs) -- This reduces pressure on the system JDK and ensures the JDK being built can do a full build -- Reduce disk footprint by removing build artifacts by default. -- Related: rhbz#2011826 +* Wed Jul 28 2021 Severin Gehwolf - 1:11.0.12.0.7-2 +- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668) +- Resolves: rhbz#1994104 -* Mon Sep 06 2021 Jiri Vanek - 1:11.0.12.0.7-1 -- Minor cosmetic improvements to make spec more comparable between variants -- Related: rhbz#2011826 - -* Tue Jul 13 2021 Andrew Hughes - 1:11.0.12.0.7-0 +* Tue Jul 13 2021 Andrew Hughes - 1:11.0.12.0.7-1 - Update to jdk-11.0.12.0+7 - Update release notes to 11.0.12.0+7 - Switch to GA mode for final release. -- This tarball is embargoed until 2021-07-20 @ 1pm PT. 
- Resolves: rhbz#1972395 * Thu Jul 08 2021 Andrew Hughes - 1:11.0.12.0.6-0.0.ea - Update to jdk-11.0.12.0+6 - Update release notes to 11.0.12.0+6 -- Switch to EA mode for 11.0.12 pre-release builds. -- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed) -- Re-order source files to sync with Fedora. -- Remove explicit compiler flags which should be handled by the upstream build - (-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse) +- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change +- Resolves: rhbz#1967374 + +* Thu Jul 08 2021 Andrew Hughes - 1:11.0.12.0.4-0.0.ea +- Update to jdk-11.0.12.0+4 +- Update release notes to 11.0.12.0+4 +- Correct bug ID JDK-8264846 to intended ID of JDK-8264848 +- Resolves: rhbz#1967374 + +* Mon Jul 05 2021 Andrew Hughes - 1:11.0.12.0.3-0.0.ea +- Update to jdk-11.0.12.0+3 +- Update release notes to 11.0.12.0+3 +- Resolves: rhbz#1967374 + +* Fri Jul 02 2021 Andrew Hughes - 1:11.0.12.0.2-0.1.ea - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. 
-- Correct bug ID JDK-8264846 to intended ID of JDK-8264848 -- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change -- Resolves: rhbz#1972395 +- Resolves: rhbz#1966234 -* Mon Jun 28 2021 Severin Gehwolf - 1:11.0.12.0.6-0.0.ea +* Fri Jul 02 2021 Andrew Hughes - 1:11.0.12.0.2-0.0.ea +- Update to jdk-11.0.12.0+2 +- Update release notes to 11.0.12.0+2 +- Resolves: rhbz#1967374 + +* Wed Jun 30 2021 Andrew Hughes - 1:11.0.12.0.1-0.3.ea +- Remove explicit compiler flags which should be handled by the upstream build + (-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse) +- Resolves: rhbz#1966234 + +* Wed Jun 30 2021 Andrew Hughes - 1:11.0.12.0.1-0.2.ea +- Add ppc64le and aarch64 to fastdebug_arches +- Resolves: rhbz#1969255 + +* Mon Jun 28 2021 Andrew Hughes - 1:11.0.12.0.1-0.1.ea +- Re-order source files to sync with Fedora. +- Resolves: rhbz#1966234 + +* Mon Jun 28 2021 Severin Gehwolf - 1:11.0.12.0.1-0.1.ea - Add a test verifying system crypto policies can be disabled -- Resolves: rhbz#1972395 +- Resolves: rhbz#1966234 -* Thu Apr 15 2021 Andrew Hughes - 1:11.0.11.0.9-2 -- Require tzdata 2021a to match upstream change JDK-8260356 -- Resolves: rhbz#1942310 +* Mon Jun 28 2021 Andrew Hughes - 1:11.0.12.0.1-0.0.ea +- Update to jdk-11.0.12.0+1 +- Update release notes to 11.0.12.0+1 +- Switch to EA mode for 11.0.12 pre-release builds. +- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed) +- Resolves: rhbz#1967374 -* Tue Apr 13 2021 Andrew Hughes - 1:11.0.11.0.9-1 +* Wed Jun 16 2021 Jiri Vanek - 1:11.0.11.0.9-5 +- adapted to newst cjc to fix issue with rpm 4.17 +- Disable copy-jdk-configs for Flatpak builds +- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction +- Resolves: rhbz#1953923 + +* Tue Jun 08 2021 Andrew Hughes - 1:11.0.11.0.9-4 +- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. 
+- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. +- Resolves: rhbz#1929465 + +* Tue Jun 08 2021 Martin Balao - 1:11.0.11.0.9-4 +- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. +- Resolves: rhbz#1929465 + +* Wed Apr 21 2021 Andrew Hughes - 1:11.0.11.0.9-3 - Update to jdk-11.0.11.0+9 - Update release notes to 11.0.11.0+9 - Switch to GA mode for final release. - This tarball is embargoed until 2021-04-20 @ 1pm PT. - Resolves: rhbz#1938201 -* Tue Apr 13 2021 Andrew Hughes - 1:11.0.11.0.7-0.1.ea +* Thu Apr 15 2021 Andrew Hughes - 1:11.0.11.0.7-0.3.ea +- Require tzdata 2021a to match upstream change JDK-8260356 +- Resolves: rhbz#1942310 + +* Mon Apr 12 2021 Andrew Hughes - 1:11.0.11.0.7-0.2.ea - Update to jdk-11.0.11.0+7 - Update release notes to 11.0.11.0+7 +- Resolves: rhbz#1942310 + +* Mon Apr 12 2021 Andrew Hughes - 1:11.0.11.0.6-0.2.ea +- Update to jdk-11.0.11.0+6 +- Update release notes to 11.0.11.0+6 +- Resolves: rhbz#1942310 + +* Sat Apr 10 2021 Andrew Hughes - 1:11.0.11.0.5-0.2.ea +- Update to jdk-11.0.11.0+5 +- Update release notes to 11.0.11.0+5 +- Resolves: rhbz#1942310 + +* Fri Apr 09 2021 Andrew Hughes - 1:11.0.11.0.4-0.2.ea +- Update to jdk-11.0.11.0+4 +- Update release notes to 11.0.11.0+4 +- Resolves: rhbz#1942310 + +* Fri Apr 09 2021 Andrew Hughes - 1:11.0.11.0.3-0.2.ea +- Update to jdk-11.0.11.0+3 +- Update release notes to 11.0.11.0+3 +- Resolves: rhbz#1942310 + +* Fri Apr 09 2021 Andrew Hughes - 1:11.0.11.0.2-0.2.ea +- Update to jdk-11.0.11.0+2 +- Update release notes to 11.0.11.0+2 +- Resolves: rhbz#1942310 + +* Mon Apr 05 2021 Andrew Hughes - 1:11.0.11.0.1-0.2.ea +- Update to jdk-11.0.11.0+1 +- Update release notes to 11.0.11.0+1 - Switch to EA mode for 11.0.11 pre-release builds. 
- Require tzdata 2020f to match upstream change JDK-8259048 - Remove RH1868754 patch as this is now resolved upstream by JDK-8258833 - Remove RH1868740 & RH1883849 patches as these are now resolved by JDK-8259319 - Resolves: rhbz#1942310 -* Tue Apr 13 2021 Jayashree Huttanagoudar - 1:11.0.11.0.7-0.1.ea +* Sun Mar 28 2021 Jayashree Huttanagoudar - 1:11.0.10.0.9-10 - Fix issue where CheckVendor.java test erroneously passes when it should fail. - Add proper quoting so '&' is not treated as a special character by the shell. +- Resolves: rhbz#1942310 + +* Wed Mar 24 2021 Jayashree Huttanagoudar - 1:11.0.10.0.9-9 - Fixed not-including fastdebug build in case of --without fastdebug - Resolves: rhbz#1942310