import java-11-openjdk-11.0.12.0.7-4.el8

CentOS Sources 2021-11-09 04:47:17 -05:00 committed by Stepan Oksanichenko
parent a990579d9f
commit 73b8355481
8 changed files with 802 additions and 608 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz
SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz


@ -1,2 +1,2 @@
e36bde565834fe738fd222d419cfedc23ab80cee SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz
7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz


@ -3,358 +3,6 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 11.0.13 (2021-10-19):
=============================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk11013
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt
* Security fixes
- JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference
- JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close
- JDK-8263314: Enhance XML Dsig modes
- JDK-8265167, CVE-2021-35556: Richer Text Editors
- JDK-8265574: Improve handling of sheets
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
- JDK-8265776: Improve Stream handling for SSL
- JDK-8266097, CVE-2021-35561: Better hashing support
- JDK-8266103: Better specified spec values
- JDK-8266109: More Resilient Classloading
- JDK-8266115: More Manifest Jar Loading
- JDK-8266137, CVE-2021-35564: Improve Keystore integrity
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
- JDK-8267712: Better LDAP reference processing
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
- JDK-8267735, CVE-2021-35586: Better BMP support
- JDK-8268193: Improve requests of certificates
- JDK-8268199: Correct certificate requests
- JDK-8268205: Enhance DTLS client handshake
- JDK-8268506: More Manifest Digests
- JDK-8269618, CVE-2021-35603: Better session identification
- JDK-8269624: Enhance method selection support
- JDK-8270398: Enhance canonicalization
- JDK-8270404: Better canonicalization
* Other changes
- JDK-8024368: private methods are allocated vtable indices
- JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently
- JDK-8140466: ChaCha20 and Poly1305 TLS Cipher Suites
- JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream
- JDK-8158066: SourceDebugExtensionTest fails to rename file
- JDK-8168304: Make all of DependencyContext_test available in product mode
- JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException
- JDK-8181313: SA: Remove libthread_db dependency on Linux
- JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9
- JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException
- JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails
- JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received"
- JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes
- JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales.
- JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed
- JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64
- JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration
- JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings
- JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test
- JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java
- JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java
- JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test
- JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test
- JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests
- JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests
- JDK-8210495: compiler crashes because of illegal signature in otherwise legal code
- JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout
- JDK-8210802: temp files left by tests in jdk/java/net/httpclient
- JDK-8210819: Update the host name in CNameTest.java
- JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test
- JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK
- JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'.
- JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected
- JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up
- JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang
- JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up
- JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12
- JDK-8212695: Add explicit timeout to several HTTP Client tests
- JDK-8212718: Refactor some annotation processor tests to better use collections
- JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java
- JDK-8213137: Remove static initialization of monitor/mutex instances
- JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit
- JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests
- JDK-8213576: Make test AsyncCloseChannel.java run in othervm
- JDK-8213694: Test Timeout.java should run in othervm mode
- JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003
- JDK-8213922: fix ctw stand-alone build
- JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java
- JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order
- JDK-8214937: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date
- JDK-8216532: tools/launcher/Test7029048.java fails (Solaris)
- JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests
- JDK-8218145: block_if_requested is not proper inlined due to size
- JDK-8219417: bump jtreg requiredVersion to b14
- JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/
- JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
- JDK-8220445: Support for side by side MSVC Toolset versions
- JDK-8221988: add possibility to build with Visual Studio 2019
- JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail
- JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods
- JDK-8224853: CDS address sanitizer errors
- JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
- JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions
- JDK-8225690: Multiple AttachListener threads can be created
- JDK-8225790: Two NestedDialogs tests fail on Ubuntu
- JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java
- JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly
- JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK
- JDK-8226683: Remove review suggestion from fix to 8219804
- JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134"
- JDK-8227766: CheckUnhandledOops is broken in MemAllocator
- JDK-8227815: Minimal VM: set_state is not a member of AttachListener
- JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes
- JDK-8230808: Remove Access::equals()
- JDK-8230841: Remove oopDesc::equals()
- JDK-8231717: Improve performance of charset decoding when charset is always compactable
- JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100%
- JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64)
- JDK-8233790: Forward output from heap dumper to jcmd/jmap
- JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java
- JDK-8234510: Remove file seeking requirement for writing a heap dump
- JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
- JDK-8235216: typo in test filename
- JDK-8235866: bump jtreg requiredVersion to 4.2b16
- JDK-8236111: narrow allowSmartActionArgs disabling
- JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException
- JDK-8236671: NullPointerException in JKS keystore
- JDK-8238930: problem list compiler/c2/Test8004741.java
- JDK-8238943: switch to jtreg 5.0
- JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test
- JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files
- JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration
- JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler
- JDK-8241768: git needs .gitattributes
- JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException
- JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty"
- JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases
- JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]"
- JDK-8246387: switch to jtreg 5.1
- JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob
- JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
- JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open
- JDK-8248403: AArch64: Remove uses of kernel integer types
- JDK-8248414: AArch64: Remove uses of long and unsigned long ints
- JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model
- JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread
- JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC
- JDK-8248671: AArch64: Remove unused variables
- JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper
- JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply
- JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows
- JDK-8249548: backward focus traversal gets stuck in button group
- JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference
- JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id
- JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id
- JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id
- JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call
- JDK-8250824: AArch64: follow up for JDK-8248414
- JDK-8251166: Add automated testcases for changes done in JDK-8214112
- JDK-8251252: Add automated testcase for fix done in JDK-8214253
- JDK-8251254: Add automated test for fix done in JDK-8218472
- JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test
- JDK-8251549: Update docs on building for Git
- JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports()
- JDK-8252194: Add automated test for fix done in JDK-8218469
- JDK-8252648: Shenandoah: name gang tasks consistently
- JDK-8252825: Add automated test for fix done in JDK-8218479
- JDK-8252853: AArch64: gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1
- JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent
- JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller
- JDK-8253424: Add support for running pre-submit testing using GitHub Actions
- JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165
- JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably
- JDK-8253899: Make IsClassUnloadingEnabled signature match specification
- JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image
- JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command
- JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow
- JDK-8254175: Build no-pch configuration in debug mode for submit checks
- JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation
- JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c
- JDK-8254282: Add Linux x86_32 builds to submit workflow
- JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments
- JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1
- JDK-8255305: Add Linux x86_32 tier1 to submit workflow
- JDK-8255352: Archive important test outputs in submit workflow
- JDK-8255373: Submit workflow artifact name is always "test-results_.zip"
- JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop
- JDK-8255718: Zero: VM should know it runs in interpreter-only mode
- JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux
- JDK-8255810: Zero: build fails without JVMTI
- JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch
- JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow
- JDK-8256215: Shenandoah: re-organize saving/restoring machine state in assembler code
- JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE
- JDK-8256277: Github Action build on macOS should define OS and Xcode versions
- JDK-8256354: Github Action build on Windows should define OS and MSVC versions
- JDK-8256393: Github Actions build on Linux should define OS and GCC versions
- JDK-8256414: add optimized build to submit workflow
- JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing
- JDK-8257056: Submit workflow should apt-get update to avoid package installation errors
- JDK-8257148: Remove obsolete code in AWTView.m
- JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280
- JDK-8257620: Do not use objc_msgSend_stret to get macOS version
- JDK-8257913: Add more known library locations to simplify Linux cross-compilation
- JDK-8258703: Incorrect 512-bit vector registers restore on x86_32
- JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test
- JDK-8259535: ECDSA SignatureValue do not always have the specified length
- JDK-8259679: GitHub actions should use MSVC 14.28
- JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386"
- JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386"
- JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
- JDK-8260923: Add more tests for SSLSocket input/output shutdown
- JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention
- JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions
- JDK-8261238: NMT should not limit baselining by size threshold
- JDK-8261496: Shenandoah: reconsider pacing updates memory ordering
- JDK-8261652: Remove some dead comments from os_bsd_x86
- JDK-8261846: [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream
- JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
- JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info.
- JDK-8262392: Update Mesa 3-D Headers to version 21.0.3
- JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception"
- JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows
- JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java
- JDK-8263136: C4530 was reported from VS 2019 at access bridge
- JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block
- JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers"
- JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X)
- JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems
- JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod
- JDK-8263531: Remove unused buffer int
- JDK-8263667: Avoid running GitHub actions on branches named pr/*
- JDK-8263776: [JVMCI] add helper to perform Java upcalls
- JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI
- JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M
- JDK-8265132: C2 compilation fails with assert "missing precedence edge"
- JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821
- JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description
- JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter
- JDK-8265761: Font with missed font family name is not properly printed on Windows
- JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API
- JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
- JDK-8266018: Shenandoah: fix an incorrect assert
- JDK-8266206: Build failure after JDK-8264752 with older GCCs
- JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
- JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong
- JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report
- JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation
- JDK-8266615: C2 incorrectly folds subtype checks involving an interface array
- JDK-8266642: Improve ResolvedMethodTable hash function
- JDK-8266749: AArch64: Backtracing broken on PAC enabled systems
- JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted
- JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress
- JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header
- JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes
- JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance
- JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion
- JDK-8267424: CTW: C1 fails with "State must not be null"
- JDK-8267459: Pasting Unicode characters into JShell does not work.
- JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
- JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
- JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13
- JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID
- JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly
- JDK-8268103: JNI functions incorrectly return a double after JDK-8265836
- JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size
- JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
- JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code
- JDK-8268360: Missing check for infinite loop during node placement
- JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop
- JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan
- JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check
- JDK-8268417: Add test from JDK-8268360
- JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
- JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE
- JDK-8268620: InfiniteLoopException test may fail on x86 platforms
- JDK-8268635: Corrupt oop in ClassLoaderData
- JDK-8268699: Shenandoah: Add test for JDK-8268127
- JDK-8268771: javadoc -notimestamp option does not work on index.html
- JDK-8268775: Password is being converted to String in AccessibleJPasswordField
- JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag
- JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server
- JDK-8269304: Regression ~5% in 2005 in b27
- JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u
- JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
- JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in Windows debug build
- JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark
- JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation
- JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string
- JDK-8269661: JNI_GetStringCritical does not lock char array
- JDK-8269668: [aarch64] java.library.path not including /usr/lib64
- JDK-8269763: The JEditorPane is blank after JDK-8265167
- JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV
- JDK-8269847: JDK-8269594 backport breaks 11u builds
- JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
- JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
- JDK-8269882: stack-use-after-scope in NewObjectA
- JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
- JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
- JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
- JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas
- JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas
- JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA
- JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
- JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies
- JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
- JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
- JDK-8272197: Update 11u GHA workflow with Shenandoah configurations
- JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
- JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
- JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
- JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32
- JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
- JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u
- JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8271434: Removed IdenTrust Root Certificate
===============================================
The following root certificate from IdenTrust has been removed from
the `cacerts` keystore:
Alias Name: identrustdstx3 [jdk]
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280
=====================================================================================================
The `gencert` command of the `keytool` utility has been updated to
create AKID from the SKID of the issuing certificate as specified by
RFC 5280.
security-libs/javax.net.ssl:
JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites
====================================================
New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have
been added to JSSE. These cipher suites are enabled by default. The
TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3.
The following cipher suites are available for TLS 1.2:
* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for
details on these new TLS cipher suites.
JDK-8219551: Updated the Default Enabled Cipher Suites Preference
=================================================================
The preference of the default enabled cipher suites has been
changed. The compatibility impact should be minimal. If needed,
applications can customize the enabled cipher suites and the
preference. For more details, refer to the SunJSSE provider
documentation and the JSSE Reference Guide documentation.
New in release OpenJDK 11.0.12 (2021-07-20):
=============================================
Live versions of these release notes can be found at:
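Review bot: The hunk header (358 lines down to 6) indicates that the whole "New in release OpenJDK 11.0.13 (2021-10-19)" section is dropped from this file, which matches the commit title importing 11.0.12.0.7-4 and the jdk-11.0.12+7 tarball named in .gitignore. That section is where the fixes for CVE-2021-35550, CVE-2021-35565, CVE-2021-35556, CVE-2021-35559, CVE-2021-35561, CVE-2021-35564, CVE-2021-35567, CVE-2021-35578, CVE-2021-35586 and CVE-2021-35603 are recorded, along with the removal of the IdenTrust DST Root CA X3 certificate from `cacerts`, so a build from this tree would be expected to lack them. If this is an older version being imported after a newer one, the commit message should say so; otherwise the source should not move back from jdk-11.0.13+8 to jdk-11.0.12+7.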


@ -0,0 +1,32 @@
From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
From: Severin Gehwolf <sgehwolf@redhat.com>
Date: Wed, 14 Jul 2021 12:06:39 +0200
Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
---
src/hotspot/os/linux/os_linux.cpp | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
index e8baf704e3a..12b75b733b5 100644
--- a/src/hotspot/os/linux/os_linux.cpp
+++ b/src/hotspot/os/linux/os_linux.cpp
@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
// 7: The default directories, normally /lib and /usr/lib.
#if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
#define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
+#else
+#if defined(AARCH64)
+ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
+ // might not adhere to the FHS and it would be a change in behaviour if we used
+ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
+ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
#else
#define DEFAULT_LIBPATH "/lib:/usr/lib"
+#endif // AARCH64
#endif
// Base path of extensions installed on the system.
--
2.31.1
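Review bot: The step comment just above the changed block ("7: The default directories, normally /lib and /usr/lib.") is left out of date for AArch64, where DEFAULT_LIBPATH now also contains /usr/lib64 and /lib64 and the 32-bit locations are searched first. Search order decides which copy is loaded when a library of the same name exists in both /lib and /lib64, so the order chosen for AArch64 is worth stating in that comment, not only inside the `#if defined(AARCH64)` branch. The nesting could also be flattened to `#elif defined(AARCH64)`, which removes the extra `#endif // AARCH64` and leaves a single unlabelled `#endif` closing the whole chain.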


@ -0,0 +1,430 @@
diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
--- openjdk.orig/make/autoconf/libraries.m4
+++ openjdk/make/autoconf/libraries.m4
@@ -101,6 +101,7 @@
LIB_SETUP_LIBFFI
LIB_SETUP_BUNDLED_LIBS
LIB_SETUP_MISC_LIBS
+ LIB_SETUP_SYSCONF_LIBS
LIB_SETUP_SOLARIS_STLPORT
LIB_TESTS_SETUP_GRAALUNIT
@@ -223,3 +224,62 @@
fi
])
+################################################################################
+# Setup system configuration libraries
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
+[
+ ###############################################################################
+ #
+ # Check for the NSS library
+ #
+
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
+
+ # default is not available
+ DEFAULT_SYSCONF_NSS=no
+
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
+ [
+ case "${enableval}" in
+ yes)
+ sysconf_nss=yes
+ ;;
+ *)
+ sysconf_nss=no
+ ;;
+ esac
+ ],
+ [
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
+ ])
+ AC_MSG_RESULT([$sysconf_nss])
+
+ USE_SYSCONF_NSS=false
+ if test "x${sysconf_nss}" = "xyes"; then
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = "xyes"; then
+ AC_MSG_CHECKING([for system FIPS support in NSS])
+ saved_libs="${LIBS}"
+ saved_cflags="${CFLAGS}"
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+ LIBS="${LIBS} ${NSS_LIBS}"
+ AC_LANG_PUSH([C])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
+ [[SECMOD_GetSystemFIPSEnabled()]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
+ AC_LANG_POP([C])
+ CFLAGS="${saved_cflags}"
+ LIBS="${saved_libs}"
+ USE_SYSCONF_NSS=true
+ else
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
+ dnl in nss3/pk11pub.h.
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
+ fi
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
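Review bot: The help string for `--enable-sysconf-nss` says the library is built with the system NSS library "if available", but the `else` branch of the `NSS_FOUND` test calls `AC_MSG_ERROR` when NSS 3.53 or above is not found, so the option is a hard requirement once it is given. Either drop "if available" from the help text, or downgrade that branch to a warning and leave `USE_SYSCONF_NSS=false`. The `dnl` comment explaining that 3.53 introduced `SECMOD_GetSystemFIPSEnabled` would also be easier to find next to the `PKG_CHECK_MODULES(NSS, nss >= 3.53, ...)` line than inside the error branch. Note too that the `case` on `${enableval}` maps every value other than `yes` to `no` without a message, so a mistyped value silently disables the NSS-based FIPS check.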
diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
--- openjdk.orig/make/autoconf/spec.gmk.in
+++ openjdk/make/autoconf/spec.gmk.in
@@ -828,6 +828,10 @@
# Libraries
#
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@
+
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
LCMS_CFLAGS:=@LCMS_CFLAGS@
LCMS_LIBS:=@LCMS_LIBS@
diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk
--- openjdk.orig/make/lib/Lib-java.base.gmk
+++ openjdk/make/lib/Lib-java.base.gmk
@@ -179,6 +179,31 @@
endif
################################################################################
+# Create the systemconf library
+
+LIBSYSTEMCONF_CFLAGS :=
+LIBSYSTEMCONF_CXXFLAGS :=
+
+ifeq ($(USE_SYSCONF_NSS), true)
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+endif
+
+ifeq ($(OPENJDK_BUILD_OS), linux)
+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
+ NAME := systemconf, \
+ OPTIMIZATION := LOW, \
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
+ ))
+
+ TARGETS += $(BUILD_LIBSYSTEMCONF)
+endif
+
+################################################################################
# Create the symbols file for static builds.
ifeq ($(STATIC_BUILD), true)
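Review bot: In the `SetupJdkLibrary` call, `LIBS_unix := $(LIBDL) $(NSS_LIBS)` adds NSS_LIBS unconditionally, while NSS_CFLAGS and -DSYSCONF_NSS are only added inside `ifeq ($(USE_SYSCONF_NSS), true)`. The two should be gated the same way, for example with a LIBSYSTEMCONF_LIBS variable set in that same `ifeq` block and used in `LIBS_unix`, so that a non-empty NSS_LIBS in the build environment cannot link libsystemconf against NSS when the code was compiled without SYSCONF_NSS.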
diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml
--- openjdk.orig/make/nb_native/nbproject/configurations.xml
+++ openjdk/make/nb_native/nbproject/configurations.xml
@@ -2950,6 +2950,9 @@
<in>LinuxWatchService.c</in>
</df>
</df>
+ <df name="libsystemconf">
+ <in>systemconf.c</in>
+ </df>
</df>
</df>
<df name="macosx">
@@ -29301,6 +29304,11 @@
tool="0"
flavor2="0">
</item>
+ <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
+ ex="false"
+ tool="0"
+ flavor2="0">
+ </item>
<item path="../../src/java.base/macosx/native/include/jni_md.h"
ex="false"
tool="3"
diff --git openjdk.orig/make/scripts/compare_exceptions.sh.incl openjdk/make/scripts/compare_exceptions.sh.incl
--- openjdk.orig/make/scripts/compare_exceptions.sh.incl
+++ openjdk/make/scripts/compare_exceptions.sh.incl
@@ -179,6 +179,7 @@
./lib/libsplashscreen.so
./lib/libsunec.so
./lib/libsunwjdga.so
+ ./lib/libsystemconf.so
./lib/libunpack.so
./lib/libverify.so
./lib/libzip.so
@@ -289,6 +290,7 @@
./lib/libsplashscreen.so
./lib/libsunec.so
./lib/libsunwjdga.so
+ ./lib/libsystemconf.so
./lib/libunpack.so
./lib/libverify.so
./lib/libzip.so
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
new file mode 100644
--- /dev/null
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <dlfcn.h>
+#include <jni.h>
+#include <jni_util.h>
+#include <stdio.h>
+
+#ifdef SYSCONF_NSS
+#include <nss3/pk11pub.h>
+#endif //SYSCONF_NSS
+
+#include "java_security_SystemConfigurator.h"
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+#define MSG_MAX_SIZE 96
+
+static jmethodID debugPrintlnMethodID = NULL;
+static jobject debugObj = NULL;
+
+static void throwIOException(JNIEnv *env, const char *msg);
+static void dbgPrint(JNIEnv *env, const char* msg);
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnLoad
+ */
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+ jclass sysConfCls, debugCls;
+ jfieldID sdebugFld;
+
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return JNI_EVERSION; /* JNI version not supported */
+ }
+
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
+ if (sysConfCls == NULL) {
+ printf("libsystemconf: SystemConfigurator class not found\n");
+ return JNI_ERR;
+ }
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
+ "sdebug", "Lsun/security/util/Debug;");
+ if (sdebugFld == NULL) {
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
+ if (debugObj != NULL) {
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
+ if (debugCls == NULL) {
+ printf("libsystemconf: Debug class not found\n");
+ return JNI_ERR;
+ }
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
+ "println", "(Ljava/lang/String;)V");
+ if (debugPrintlnMethodID == NULL) {
+ printf("libsystemconf: Debug::println(String) method not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
+ return (*env)->GetVersion(env);
+}
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnUnload
+ */
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+
+ if (debugObj != NULL) {
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+}
+
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
+ (JNIEnv *env, jclass cls)
+{
+ int fips_enabled;
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+#ifdef SYSCONF_NSS
+
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " SECMOD_GetSystemFIPSEnabled return value");
+ }
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+
+#else // SYSCONF_NSS
+
+ FILE *fe;
+
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " read character");
+ }
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+
+#endif // SYSCONF_NSS
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
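Review bot: in the non-NSS branch of getSystemFIPSEnabled, `throwIOException` only sets a pending Java exception and returns, so a failed `fopen` falls through to `fgetc(fe)` and `fclose(fe)` with `fe == NULL`. Add `return JNI_FALSE;` after both `throwIOException` calls; the EOF case otherwise goes on to call NewStringUTF and CallVoidMethod through dbgPrint with an exception pending. Smaller points: JNI_OnLoad stores a local reference in the static `debugObj` before the checks that can return JNI_ERR and only promotes it with NewGlobalRef at the end, dbgPrint never releases `jMsg`, and the load-time errors go to stdout via `printf` rather than stderr.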
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, 2020, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@@ -30,13 +30,9 @@
import java.io.FileInputStream;
import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.regex.Pattern;
import sun.security.util.Debug;
@@ -58,10 +54,21 @@
private static final String CRYPTO_POLICIES_JAVA_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
+ private static boolean systemFipsEnabled = false;
+
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
+ private static native boolean getSystemFIPSEnabled()
+ throws IOException;
- private static boolean systemFipsEnabled = false;
+ static {
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
+ return null;
+ }
+ });
+ }
/*
* Invoked when java.security.Security class is initialized, if
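Review bot: the static initializer calls `System.loadLibrary(SYSTEMCONF_NATIVE_LIB)` unconditionally from a class under share/classes, but the Lib-java.base.gmk hunk in this patch only builds libsystemconf under `ifeq ($(OPENJDK_BUILD_OS), linux)`. On any other OS the class initializer would fail with UnsatisfiedLinkError. Either guard the load or add a comment stating that this downstream patch is Linux-only.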
@@ -170,16 +177,34 @@
}
/*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
+ * system property is true (default) and the system is in FIPS mode.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
*/
private static boolean enableFips() throws Exception {
boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
if (shouldEnable) {
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
- return pattern.matcher(cryptoPoliciesConfig).find();
+ if (sdebug != null) {
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
+ }
+ try {
+ shouldEnable = getSystemFIPSEnabled();
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
+ + shouldEnable);
+ }
+ return shouldEnable;
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
+ sdebug.println(e.getMessage());
+ }
+ throw e;
+ }
} else {
return false;
}
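Review bot: enableFips() now takes its answer from getSystemFIPSEnabled() instead of matching `^FIPS$` in CRYPTO_POLICIES_CONFIG, so a host with the FIPS crypto policy selected but without system FIPS mode no longer enables OpenJDK FIPS; that behaviour change should be stated in the comment or the changelog. In the new comment, "built-time" should read "build time". `shouldEnable` is reused to hold the native result, and a separate local would make the two meanings clearer.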


@ -0,0 +1,18 @@
commit 598fe421216b0a437fa36ee91a29966599867aa3
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Aug 30 16:12:52 2021 +0100
RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
index ab59a334cd..5db744ff17 100644
--- openjdk.orig/src/java.base/share/lib/security/default.policy
+++ openjdk/src/java.base/share/lib/security/default.policy
@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.lang.RuntimePermission
"accessClassInPackage.com.sun.crypto.provider";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
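Review bot: the added `accessClassInPackage.jdk.internal.misc` grant opens the whole jdk.internal.misc package to jdk.crypto.cryptoki, while the companion SunPKCS11 patch only uses SharedSecrets to read isSystemFipsEnabled(). The line carries no comment; add one naming RH1996182 and the SharedSecrets use so the grant can be revisited if a narrower access path becomes available.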


@ -0,0 +1,66 @@
commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
Author: Martin Balao <mbalao@redhat.com>
Date: Fri Aug 27 19:42:07 2021 +0100
RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 0cf61732d7..2cd851587c 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java
@@ -182,6 +182,7 @@ module java.base {
java.security.jgss,
java.sql,
java.xml,
+ jdk.crypto.cryptoki,
jdk.jartool,
jdk.attach,
jdk.charsets,
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index b00b738b85..1eca1f8f0a 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
+import jdk.internal.misc.SharedSecrets;
+
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
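Review bot: in the `finally` block, `token.releaseSession(session)` runs with `session == null` when `token.getOpSession()` throws; add a null check unless releaseSession is known to accept null. The login also hard-codes an empty PIN (`new char[] {}`), so an NSS DB that has a PIN set makes C_Login fail, and because the PKCS11Exception is rethrown that failure lands in the provider's startup error handling. The comment should say whether that outcome is intended for such systems.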


@ -7,12 +7,12 @@
# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
# $ rpmbuild -ba java-11-openjdk.spec
#
# Produce only release builds (no slowdebug builds) on x86_64:
# Produce only release builds (no debug builds) on x86_64:
# $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug
#
# Only produce a release build on x86_64:
# $ rhpkg mockbuild --without slowdebug --without fastdebug
#
# Enable fastdebug builds by default on relevant arches.
%bcond_without fastdebug
# Enable slowdebug builds by default on relevant arches.
@ -21,8 +21,6 @@
%bcond_without release
# Enable static library builds by default.
%bcond_without staticlibs
# Remove build artifacts by default
%bcond_with artifacts
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@ -100,7 +98,7 @@
# Set of architectures for which we build slowdebug builds
%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
# Set of architectures for which we build fastdebug builds
%global fastdebug_arches x86_64
%global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures with a Just-In-Time (JIT) compiler
%global jit_arches %{debug_arches} %{arm}
# Set of architectures which run a full bootstrap cycle
@ -122,7 +120,7 @@
# Set of architectures for which alt-java has SSB mitigation
%global ssbd_arches x86_64
# By default, we build a slowdebug build during main build on JIT architectures
# By default, we build a debug build during main build on JIT architectures
%if %{with slowdebug}
%ifarch %{debug_arches}
%global include_debug_build 1
@ -190,28 +188,22 @@
%global bootstrap_build 1
%endif
%if %{bootstrap_build}
%global release_targets bootcycle-images docs-zip
%else
%global release_targets images docs-zip
%endif
# No docs nor bootcycle for debug builds
%global debug_targets images
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
# other targets since this target is configured to use in-tree
# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
# and possibly others
%global static_libs_target static-libs-image
%else
%global static_libs_target %{nil}
%endif
# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
%global debug_symbols internal
# unlike portables,the rpms have to use static_libs_target very dynamically
%global bootstrap_targets images
%global release_targets images docs-zip
# No docs nor bootcycle for debug builds
%global debug_targets images
# Disable LTO as this causes build failures at the moment.
# See RHBZ#1861401
%define _lto_cflags %{nil}
# Filter out flags from the optflags macro that cause problems with the OpenJDK build
# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
@ -297,7 +289,7 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
%global updatever 13
%global updatever 12
%global patchver 0
# If you bump featurever, you must bump also vendor_version_string
# Used via new version scheme. JDK 11 was
@ -344,8 +336,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
%global rpmrelease 1
%global buildver 7
%global rpmrelease 4
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@ -395,7 +387,6 @@
%global static_libs_image static-libs
# output dir stub
%define buildoutputdir() %{expand:build/jdk11.build%{?1}}
%define installoutputdir() %{expand:install/jdk11.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
# main id and dir of this jdk
@ -405,7 +396,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.*
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@ -764,6 +755,7 @@ exit 0
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
@ -1019,19 +1011,23 @@ Requires: tzdata-java >= 2021a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
%if ! 0%{?flatpak}
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
# considered as regression
Requires: copy-jdk-configs >= 3.3
Requires: copy-jdk-configs >= 4.0
OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(post): chkconfig >= 1.7
# Postun requires alternatives to uninstall tool alternatives
Requires(postun): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(postun): chkconfig >= 1.7
# for optional support of kernel stream control, card reader and printing bindings
%if 0%{?rhel} >= 8
Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa}
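Review bot: `Requires: nss` under "# for FIPS PKCS11 provider" carries no version, while the BuildRequires hunk pins `nss-devel >= 3.53` for FIPS support and configure is run with `--enable-sysconf-nss`. If libsystemconf.so ends up depending on an NSS symbol that only exists from that version (it calls SECMOD_GetSystemFIPSEnabled), the runtime dependency should carry the same floor, or a comment should state that the automatically generated library dependency already covers it.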
@ -1056,8 +1052,12 @@ Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(post): chkconfig >= 1.7
# Postun requires alternatives to uninstall tool alternatives
Requires(postun): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(postun): chkconfig >= 1.7
# Standard JPackage devel provides
Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
@ -1098,7 +1098,6 @@ Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
%if %is_system_jdk
Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
%endif
}
@ -1106,8 +1105,12 @@ Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
# Post requires alternatives to install javadoc alternative
Requires(post): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(post): chkconfig >= 1.7
# Postun requires alternatives to uninstall javadoc alternative
Requires(postun): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(postun): chkconfig >= 1.7
# Standard JPackage javadoc provides
Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
@ -1125,7 +1128,6 @@ Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
%if %is_system_jdk
Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
%endif
}
@ -1147,9 +1149,7 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
Epoch: 1
Summary: %{origin_nice} %{featurever} Runtime Environment
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
# HotSpot code is licensed under GPLv2
# JDK library code is licensed under GPLv2 with the Classpath exception
@ -1217,7 +1217,7 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
Patch2: rh1648644-java_access_bridge_privileged_security.patch
# NSS via SunPKCS11 Provider (disabled due to memory leak).
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
# enable build of speculative store bypass hardened alt-java
Patch600: rh1750419-redhat_alt_java.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1842572-rsa_default_for_keytool.patch
@ -1231,6 +1231,11 @@ Patch1002: rh1818909-fips_default_keystore_type.patch
Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
Patch1008: rh1929465-improve_system_FIPS_detection.patch
# RH1996182: Login to the NSS software token in FIPS mode
Patch1009: rh1996182-login_to_nss_software_token.patch
Patch1010: rh1996182-extend_security_policy.patch
#############################################
#
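Review bot: `Patch1010: rh1996182-extend_security_policy.patch` has no comment line of its own, unlike Patch1008 and Patch1009 directly above it. Add one, for example the subject of that patch's commit: "RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc".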
@ -1257,13 +1262,15 @@ Patch7: pr3695-toggle_system_crypto_policy.patch
#############################################
#
# Patches appearing in 11.0.10
# Patches appearing in 11.0.13
#
# This section includes patches which are present
# in the listed OpenJDK 11u release and should be
# able to be removed once that release is out
# and used by this RPM.
#############################################
# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64
Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch
BuildRequires: autoconf
BuildRequires: automake
@ -1290,8 +1297,8 @@ BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel
BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirements for setting up the nss.cfg
BuildRequires: nss-devel
# Requirements for setting up the nss.cfg and FIPS support
BuildRequires: nss-devel >= 3.53
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@ -1310,7 +1317,6 @@ BuildRequires: gcc >= 4.8.3-8
%if %{with_systemtap}
BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
@ -1322,9 +1328,7 @@ The %{origin_nice} %{featurever} runtime environment.
%if %{include_debug_build}
%package slowdebug
Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_rpo -- %{debug_suffix_unquoted}}
%description slowdebug
@ -1335,9 +1339,7 @@ The %{origin_nice} %{featurever} runtime environment.
%if %{include_fastdebug_build}
%package fastdebug
Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_rpo -- %{fastdebug_suffix_unquoted}}
%description fastdebug
@ -1348,9 +1350,7 @@ The %{origin_nice} %{featurever} runtime environment.
%if %{include_normal_build}
%package headless
Summary: %{origin_nice} %{featurever} Headless Runtime Environment
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_headless_rpo %{nil}}
@ -1385,9 +1385,7 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup
%if %{include_normal_build}
%package devel
Summary: %{origin_nice} %{featurever} Development Environment
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
Group: Development/Tools
%{java_devel_rpo %{nil}}
@ -1398,9 +1396,7 @@ The %{origin_nice} %{featurever} development tools.
%if %{include_debug_build}
%package devel-slowdebug
Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
Group: Development/Tools
%{java_devel_rpo -- %{debug_suffix_unquoted}}
@ -1461,9 +1457,7 @@ The %{origin_nice} %{featurever} libraries for static linking.
%if %{include_normal_build}
%package jmods
Summary: JMods for %{origin_nice} %{featurever}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
Group: Development/Tools
%{java_jmods_rpo %{nil}}
@ -1474,9 +1468,7 @@ The JMods for %{origin_nice} %{featurever}.
%if %{include_debug_build}
%package jmods-slowdebug
Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
Group: Development/Tools
%{java_jmods_rpo -- %{debug_suffix_unquoted}}
@ -1500,9 +1492,7 @@ The JMods for %{origin_nice} %{featurever}.
%if %{include_normal_build}
%package demo
Summary: %{origin_nice} %{featurever} Demos
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_demo_rpo %{nil}}
@ -1513,9 +1503,7 @@ The %{origin_nice} %{featurever} demos.
%if %{include_debug_build}
%package demo-slowdebug
Summary: %{origin_nice} %{featurever} Demos %{debug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_demo_rpo -- %{debug_suffix_unquoted}}
@ -1539,9 +1527,7 @@ The %{origin_nice} %{featurever} demos.
%if %{include_normal_build}
%package src
Summary: %{origin_nice} %{featurever} Source Bundle
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_src_rpo %{nil}}
@ -1553,9 +1539,7 @@ class library source code for use by IDE indexers and debuggers.
%if %{include_debug_build}
%package src-slowdebug
Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_src_rpo -- %{debug_suffix_unquoted}}
@ -1579,9 +1563,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n
%if %{include_normal_build}
%package javadoc
Summary: %{origin_nice} %{featurever} API documentation
%if 0%{?rhel} <= 8
Group: Documentation
%endif
Requires: javapackages-filesystem
Obsoletes: javadoc-debug
@ -1592,9 +1574,7 @@ The %{origin_nice} %{featurever} API documentation.
%package javadoc-zip
Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
%if 0%{?rhel} <= 8
Group: Documentation
%endif
Requires: javapackages-filesystem
Obsoletes: javadoc-zip-debug
@ -1654,6 +1634,7 @@ pushd %{top_level_dir_name}
%patch3 -p1
%patch4 -p1
%patch7 -p1
%patch8 -p1
popd # openjdk
%patch1000
@ -1663,6 +1644,9 @@ popd # openjdk
%patch1003
%patch1004
%patch1007
%patch1008
%patch1009
%patch1010
# Extract systemtap tapsets
%if %{with_systemtap}
@ -1674,6 +1658,7 @@ cp -r tapset tapset%{debug_suffix}
cp -r tapset tapset%{fastdebug_suffix}
%endif
for suffix in %{build_loop} ; do
for file in "tapset"$suffix/*.in; do
OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
@ -1742,33 +1727,45 @@ EXTRA_CPP_FLAGS="%ourcppflags"
# fix rpmlint warnings
EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
%endif
# Fixes annocheck warnings in assembler files due to missing build notes
EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes"
export EXTRA_CFLAGS EXTRA_ASFLAGS
function buildjdk() {
local outputdir=${1}
local installdir=${2}
local buildjdk=${3}
local maketargets="${4}"
local debuglevel=${5}
local link_opt=${6}
for suffix in %{build_loop} ; do
if [ "x$suffix" = "x" ] ; then
debugbuild=release
else
# change --something to something
debugbuild=`echo $suffix | sed "s/-//g"`
fi
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
for loop in %{main_suffix} %{staticlibs_loop} ; do
echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
echo "Using make targets: ${maketargets}"
echo "Using debuglevel: ${debuglevel}"
echo "Using link_opt: ${link_opt}"
echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
if test "x${loop}" = "x%{main_suffix}" ; then
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
# Variable used by configure and hs_err hook on build failures
link_opt="system"
# Debug builds don't need same targets as release for
# build speed-up
maketargets="%{release_targets}"
if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}"
fi
else
# Variable used by configure and hs_err hook on build failures
link_opt="bundled"
# Static library cycle only builds the static libraries
maketargets="%{static_libs_target}"
fi
mkdir -p ${outputdir} ${installdir}
pushd ${outputdir}
top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}}
mkdir -p ${top_dir_abs_build_path}
pushd ${top_dir_abs_build_path}
bash ${top_dir_abs_src_path}/configure \
bash ${top_dir_abs_src_path}/configure \
%ifnarch %{jit_arches}
--with-jvm-variants=zero \
%endif
@ -1783,9 +1780,10 @@ function buildjdk() {
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
--with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
--with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \
--with-debug-level=$debugbuild \
--with-native-debug-symbols=internal \
--enable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-libjpeg=${link_opt} \
@ -1803,121 +1801,54 @@ function buildjdk() {
--with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \
--disable-warnings-as-errors
cat spec.gmk
make \
make \
JAVAC_FLAGS=-g \
LOG=trace \
WARNINGS_ARE_ERRORS="-Wno-error" \
CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
$maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
popd
popd >& /dev/null
echo "Installing build from ${outputdir} to ${installdir}..."
echo "Installing images..."
mv ${outputdir}/images ${installdir}
if [ -d ${outputdir}/bundles ] ; then
echo "Installing bundles...";
mv ${outputdir}/bundles ${installdir} ;
fi
if [ -d ${outputdir}/docs ] ; then
echo "Installing docs...";
mv ${outputdir}/docs ${installdir} ;
fi
%if !%{with artifacts}
echo "Removing output directory...";
rm -rf ${outputdir}
%endif
}
function installjdk() {
local imagepath=${1}
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
# Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
}
for suffix in %{build_loop} ; do
if [ "x$suffix" = "x" ] ; then
debugbuild=release
else
# change --something to something
debugbuild=`echo $suffix | sed "s/-//g"`
fi
systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
for loop in %{main_suffix} %{staticlibs_loop} ; do
builddir=%{buildoutputdir -- ${suffix}${loop}}
bootbuilddir=boot${builddir}
installdir=%{installoutputdir -- ${suffix}${loop}}
bootinstalldir=boot${installdir}
if test "x${loop}" = "x%{main_suffix}" ; then
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
# Use system libraries
link_opt="system"
# Debug builds don't need same targets as release for
# build speed-up
maketargets="%{release_targets}"
if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}"
fi
%if %{bootstrap_build}
buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
%else
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
%endif
# Restore original source tree we modified by removing full in-tree sources
# Restore original source tree if we modified it by removing full in-tree sources
if [ -d %{top_level_dir_name_backup} ] ; then
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
else
# Use bundled libraries for building statically
link_opt="bundled"
# Static library cycle only builds the static libraries
maketargets="%{static_libs_target}"
# Always just do the one build for the static libraries
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
fi
fi
done # end of main / staticlibs loop
done # end of main / staticlibs loop
# Final setup on the main image
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \;
find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg $JAVA_HOME/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
# Use system-wide tzdata
rm $JAVA_HOME/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
# Create fake alt-java as a placeholder for future alt-java
pushd ${JAVA_HOME}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
# build cycles
done # end of release / debug cycle loop
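Review bot: the image fix-ups use unquoted expansions in destructive commands (`rm $JAVA_HOME/lib/tzdb.dat`, `rm -rf ${outputdir}`, `mv ${outputdir}/images ${installdir}`), and the three `find ... -exec chmod` passes carry no `-type f`. Every one of these paths is built from `$(pwd)`, so a build directory containing whitespace splits the arguments, and `rm` then acts on something other than the intended file. Quote the expansions ("$JAVA_HOME/lib/tzdb.dat") and add `-type f` to the jar and `.so` passes so that only regular files have their modes changed. The `chmod +x` over `bin/` also matches the directory itself, which is harmless but can be avoided the same way.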
@ -1927,9 +1858,9 @@ done # end of release / debug cycle loop
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}}
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
%endif
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
@ -1972,9 +1903,8 @@ readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
%endif
so_suffix="so"
# Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
do
if [ -f "$lib" ] ; then
echo "Testing $lib for debug symbols"
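Review bot: the loop header `find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib` reads each path without `-r` and without clearing `IFS`. A path containing a backslash or leading or trailing whitespace therefore reaches `[ -f "$lib" ]` altered, fails the test, and the library is skipped without any debug-symbol check and without an error. Use `while IFS= read -r -d '' lib` so the NUL-delimited names from `-print0` arrive unmodified.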
@ -2034,16 +1964,10 @@ quit
end
run -version
EOF
%if 0%{?fedora} > 0
# This fails on s390x for some reason. Disable for now. See:
# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227
%ifnarch s390x
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif
%endif
# Check src.zip has all sources. See RHBZ#1130490
$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
# Check class files include useful debugging information
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
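Review bot: in the src.zip check, the bare `jar -tf $JAVA_HOME/lib/src.zip` form resolves `jar` through PATH, so it exercises whichever JDK the build host provides rather than the image under test. The neighbouring check is pinned to `$JAVA_HOME/bin/javap`, and this one should be pinned to `$JAVA_HOME/bin/jar` in the same way. Separately, wherever the `grep 'JavaCallWrapper::JavaCallWrapper' gdb.out` assertion runs without the `%ifnarch s390x` guard, the s390x failure recorded in the comment (Koji task 41499227) needs to be confirmed fixed first, or the guard kept.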
@ -2063,9 +1987,9 @@ STRIP_KEEP_SYMTAB=libjvm*
for suffix in %{build_loop} ; do
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}}
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
%endif
jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
@ -2133,7 +2057,7 @@ if ! echo $suffix | grep -q "debug" ; then
fi
# Install release notes
commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir $suffix}
install -d -m 755 ${commondocdir}
cp -a %{SOURCE10} ${commondocdir}
@ -2191,7 +2115,13 @@ done
-- whether copy-jdk-configs is installed or not. If so, then configs are copied
-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
local posix = require "posix"
local debug = false
if (os.getenv("debug") == "true") then
debug = true;
print("cjc: in spec debug is on")
else
debug = false;
end
SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
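Review bot: the `if (os.getenv("debug") == "true") ... else debug = false; end` block has a redundant `else` branch, because `debug` is already initialised to `false` on the line above. The local name `debug` also shadows Lua's standard `debug` library for the rest of the scriptlet. Collapse it to a single assignment such as `local cjc_debug = (os.getenv("debug") == "true")` and keep the `print` under that flag. An environment variable named just `debug` is generic enough to be set for unrelated reasons in the environment the transaction runs in; a package-specific name would avoid surprise output.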
@ -2219,9 +2149,10 @@ else
return
end
end
-- run content of included file with fake args
arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
require "copy_jdk_configs.lua"
arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
cjc = require "copy_jdk_configs.lua"
args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
cjc.mainProgram(args)
-- the returns from copy_jdk_configs.lua should not affect this 'main', so it shodl run under all circumstances, except fatal error
-- https://bugzilla.redhat.com/show_bug.cgi?id=1820172
-- https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
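Review bot: `cjc = require "copy_jdk_configs.lua"` followed by `cjc.mainProgram(args)` assumes the installed copy_jdk_configs.lua returns a module table that exposes `mainProgram`. If an older copy is present that only runs as a main script, `require` yields a non-table value and the call raises. That contradicts the comment just below, which says this scriptlet should run under all circumstances except a fatal error. Guard the call with `type(cjc) == "table" and cjc.mainProgram`, or wrap it in `pcall`, and declare `cjc` and `args` as `local` so they do not land in the interpreter's global table. The long trailing comment on the `arg = nil` line would read better as its own comment line above the statement.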
@ -2306,6 +2237,7 @@ end
%posttrans devel-slowdebug
%{posttrans_devel -- %{debug_suffix_unquoted}}
%endif
%if %{include_fastdebug_build}
@ -2401,6 +2333,7 @@ end
%files src-slowdebug
%{files_src -- %{debug_suffix_unquoted}}
%endif
%if %{include_fastdebug_build}
@ -2430,79 +2363,146 @@ end
%endif
%changelog
* Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-1
- Update to jdk-11.0.12.0+8
- Update release notes to 11.0.12.0+8
- Switch to GA mode for final release.
- This tarball is embargoed until 2021-10-19 @ 1pm PT.
- Resolves: rhbz#2012333
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-4
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
- Resolves: rhbz#1997357
* Tue Oct 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.7-0.1.ea
- Update to jdk-11.0.13.0+7
- Update release notes to 11.0.13.0+7
- Update tarball generation script to use git following OpenJDK 11u's move to github
- Switch to EA mode for 11.0.13 pre-release builds.
- Remove non-Free test from source tarball.
- Related: rhbz#2011826
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-3
- Add patch to login to the NSS software token when in FIPS mode.
- Resolves: rhbz#1997357
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
- Restructure the build so a minimal initial build is then used for the final build (with docs)
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
- Reduce disk footprint by removing build artifacts by default.
- Related: rhbz#2011826
* Wed Jul 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.7-2
- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
- Resolves: rhbz#1994104
* Mon Sep 06 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.12.0.7-1
- Minor cosmetic improvements to make spec more comparable between variants
- Related: rhbz#2011826
* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-0
* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
- Update to jdk-11.0.12.0+7
- Update release notes to 11.0.12.0+7
- Switch to GA mode for final release.
- This tarball is embargoed until 2021-07-20 @ 1pm PT.
- Resolves: rhbz#1972395
* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.6-0.0.ea
- Update to jdk-11.0.12.0+6
- Update release notes to 11.0.12.0+6
- Switch to EA mode for 11.0.12 pre-release builds.
- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
- Re-order source files to sync with Fedora.
- Remove explicit compiler flags which should be handled by the upstream build
(-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse)
- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
- Resolves: rhbz#1967374
* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.4-0.0.ea
- Update to jdk-11.0.12.0+4
- Update release notes to 11.0.12.0+4
- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
- Resolves: rhbz#1967374
* Mon Jul 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.3-0.0.ea
- Update to jdk-11.0.12.0+3
- Update release notes to 11.0.12.0+3
- Resolves: rhbz#1967374
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.1.ea
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
- Resolves: rhbz#1972395
- Resolves: rhbz#1966234
* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.6-0.0.ea
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.0.ea
- Update to jdk-11.0.12.0+2
- Update release notes to 11.0.12.0+2
- Resolves: rhbz#1967374
* Wed Jun 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.3.ea
- Remove explicit compiler flags which should be handled by the upstream build
(-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse)
- Resolves: rhbz#1966234
* Wed Jun 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.2.ea
- Add ppc64le and aarch64 to fastdebug_arches
- Resolves: rhbz#1969255
* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.1.ea
- Re-order source files to sync with Fedora.
- Resolves: rhbz#1966234
* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.1-0.1.ea
- Add a test verifying system crypto policies can be disabled
- Resolves: rhbz#1972395
- Resolves: rhbz#1966234
* Thu Apr 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-2
- Require tzdata 2021a to match upstream change JDK-8260356
- Resolves: rhbz#1942310
* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.0.ea
- Update to jdk-11.0.12.0+1
- Update release notes to 11.0.12.0+1
- Switch to EA mode for 11.0.12 pre-release builds.
- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
- Resolves: rhbz#1967374
* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-1
* Wed Jun 16 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.11.0.9-5
- adapted to newst cjc to fix issue with rpm 4.17
- Disable copy-jdk-configs for Flatpak builds
- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
- Resolves: rhbz#1953923
* Tue Jun 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-4
- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
- Resolves: rhbz#1929465
* Tue Jun 08 2021 Martin Balao <mbalao@redhat.com> - 1:11.0.11.0.9-4
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
- Resolves: rhbz#1929465
* Wed Apr 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-3
- Update to jdk-11.0.11.0+9
- Update release notes to 11.0.11.0+9
- Switch to GA mode for final release.
- This tarball is embargoed until 2021-04-20 @ 1pm PT.
- Resolves: rhbz#1938201
* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.7-0.1.ea
* Thu Apr 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.7-0.3.ea
- Require tzdata 2021a to match upstream change JDK-8260356
- Resolves: rhbz#1942310
* Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.7-0.2.ea
- Update to jdk-11.0.11.0+7
- Update release notes to 11.0.11.0+7
- Resolves: rhbz#1942310
* Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.6-0.2.ea
- Update to jdk-11.0.11.0+6
- Update release notes to 11.0.11.0+6
- Resolves: rhbz#1942310
* Sat Apr 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.5-0.2.ea
- Update to jdk-11.0.11.0+5
- Update release notes to 11.0.11.0+5
- Resolves: rhbz#1942310
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.4-0.2.ea
- Update to jdk-11.0.11.0+4
- Update release notes to 11.0.11.0+4
- Resolves: rhbz#1942310
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.3-0.2.ea
- Update to jdk-11.0.11.0+3
- Update release notes to 11.0.11.0+3
- Resolves: rhbz#1942310
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.2-0.2.ea
- Update to jdk-11.0.11.0+2
- Update release notes to 11.0.11.0+2
- Resolves: rhbz#1942310
* Mon Apr 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.1-0.2.ea
- Update to jdk-11.0.11.0+1
- Update release notes to 11.0.11.0+1
- Switch to EA mode for 11.0.11 pre-release builds.
- Require tzdata 2020f to match upstream change JDK-8259048
- Remove RH1868754 patch as this is now resolved upstream by JDK-8258833
- Remove RH1868740 & RH1883849 patches as these are now resolved by JDK-8259319
- Resolves: rhbz#1942310
* Tue Apr 13 2021 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:11.0.11.0.7-0.1.ea
* Sun Mar 28 2021 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:11.0.10.0.9-10
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
- Resolves: rhbz#1942310
* Wed Mar 24 2021 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:11.0.10.0.9-9
- Fixed not-including fastdebug build in case of --without fastdebug
- Resolves: rhbz#1942310