rpms/java-11-openjdk
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import java-11-openjdk-11.0.5.10-3.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-01-21 17:29:35 -05:00 committed by Stepan Oksanichenko
parent 4c2dca363d
commit 87b1ac377e
9 changed files with 626 additions and 596 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.3+7.tar.xz
SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz

2
.java-11-openjdk.metadata
View File

@ -1,2 +1,2 @@
f1e75a992a0dc64caf418414a93fed8f99fb4e18 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.3+7.tar.xz
1e1a7b4b1df7be1b70de37f84ccb0ded61c7e9ea SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.5+10.tar.xz
cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz

208
SOURCES/jdk8230923-fips_mode_initialisation_failure.patch Normal file
View File

@ -0,0 +1,208 @@
# HG changeset patch
# User mbalao
# Date 1568305840 10800
# Thu Sep 12 13:30:40 2019 -0300
# Node ID b0436c181872b567c5b8906051fc8836c860541c
# Parent 6d947fcb3ea40ca9d40804db2c8c384f4679e10e
8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file
Reviewed-by: andrew
diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
--- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
+++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
@@ -179,7 +179,11 @@
} else if (provName.equals("SunJCE") || provName.equals("com.sun.crypto.provider.SunJCE")) {
p = new com.sun.crypto.provider.SunJCE();
} else if (provName.equals("SunJSSE") || provName.equals("com.sun.net.ssl.internal.ssl.Provider")) {
- p = new com.sun.net.ssl.internal.ssl.Provider();
+ if (hasArgument()) {
+ p = new com.sun.net.ssl.internal.ssl.Provider(argument);
+ } else {
+ p = new com.sun.net.ssl.internal.ssl.Provider();
+ }
} else if (provName.equals("Apple") || provName.equals("apple.security.AppleProvider")) {
// need to use reflection since this class only exists on MacOsx
p = AccessController.doPrivileged(new PrivilegedAction<Provider>() {
diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
new file mode 100644
--- /dev/null
+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8230923
+ * @requires (jdk.version.major == 11) & (os.family == "linux") & (os.arch == "amd64" | os.arch == "x86_64")
+ * @modules java.base/com.sun.net.ssl.internal.ssl
+ * @library /test/lib
+ * @run main/othervm/timeout=30 SunJSSEFIPSInit
+ * @author Martin Balao (mbalao@redhat.com)
+ */
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.FileVisitResult;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.SimpleFileVisitor;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.security.Security;
+import java.util.ArrayList;
+import java.util.List;
+
+import jdk.test.lib.process.OutputAnalyzer;
+import jdk.test.lib.process.ProcessTools;
+
+public class SunJSSEFIPSInit {
+ private static String lineSep = System.lineSeparator();
+ private static String javaBinPath = System.getProperty("java.home", ".") +
+ File.separator + "bin" + File.separator + "java";
+ private static String nssConfigFileName = "nss.cfg";
+ private static String javaSecConfigFileName = "java.security";
+ private static Path tmpDirPath;
+ public static void main(String[] args) throws Throwable {
+ tmpDirPath = Files.createTempDirectory("tmpdir");
+ try {
+ deployConfigFiles();
+ List<String> cmds = new ArrayList<>();
+ cmds.add(javaBinPath);
+ cmds.add("-cp");
+ cmds.add(System.getProperty("test.classes", "."));
+ cmds.add("-Djava.security.properties=" + tmpDirPath +
+ File.separator + javaSecConfigFileName);
+ cmds.add(SunJSSEFIPSInitClient.class.getName());
+ OutputAnalyzer out = ProcessTools.executeCommand(
+ cmds.toArray(new String[cmds.size()]));
+ out.stdoutShouldContain("SunJSSE.isFIPS(): true");
+ System.out.println("TEST PASS - OK");
+ } finally {
+ deleteDir(tmpDirPath);
+ }
+ }
+
+ private static void deployConfigFiles() throws IOException {
+ deployJavaSecurityFile();
+ deployNssConfigFile();
+ }
+
+ private static void deployJavaSecurityFile() throws IOException {
+ int numberOfProviders = Security.getProviders().length;
+ StringBuilder sb = new StringBuilder();
+ sb.append("security.provider.1=SunPKCS11 " + tmpDirPath +
+ File.separator + nssConfigFileName + lineSep);
+ sb.append("security.provider.2=com.sun.net.ssl.internal.ssl.Provider" +
+ " SunPKCS11-NSS" + lineSep);
+ for (int i = 3; i <= numberOfProviders; i++) {
+ sb.append("security.provider." + i + "=\"\"" + lineSep);
+ }
+ writeFile(javaSecConfigFileName, sb.toString());
+ }
+
+ private static void deployNssConfigFile() throws IOException {
+ StringBuilder sb = new StringBuilder();
+ sb.append("name = NSS" + lineSep);
+ sb.append("nssLibraryDirectory = /usr/lib64" + lineSep);
+ sb.append("nssDbMode = noDb" + lineSep);
+ sb.append("nssModule = crypto" + lineSep);
+ writeFile(nssConfigFileName, sb.toString());
+ }
+
+ private static void writeFile(String fileName, String fileContent)
+ throws IOException {
+ try (FileOutputStream fos = new FileOutputStream(new File(tmpDirPath +
+ File.separator + fileName))) {
+ fos.write(fileContent.getBytes());
+ }
+ }
+
+ private static void deleteDir(Path directory) throws IOException {
+ Files.walkFileTree(directory, new SimpleFileVisitor<Path>() {
+
+ @Override
+ public FileVisitResult visitFile(Path file,
+ BasicFileAttributes attrs) throws IOException {
+ Files.delete(file);
+ return FileVisitResult.CONTINUE;
+ }
+
+ @Override
+ public FileVisitResult postVisitDirectory(Path dir, IOException exc)
+ throws IOException {
+ Files.delete(dir);
+ return FileVisitResult.CONTINUE;
+ }
+ });
+ }
+}
+
diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
new file mode 100644
--- /dev/null
+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.security.Provider;
+import java.security.Security;
+
+public class SunJSSEFIPSInitClient {
+ public static void main(String[] args) throws Exception {
+ boolean isSunJSSEFIPS = false;
+ Provider[] provs = Security.getProviders();
+ for (Provider p : provs) {
+ if (p.getName().equals("SunJSSE") &&
+ p instanceof com.sun.net.ssl.internal.ssl.Provider) {
+ isSunJSSEFIPS = ((com.sun.net.ssl.internal.ssl.Provider)p).isFIPS();
+ break;
+ }
+ }
+ System.out.println("SunJSSE.isFIPS(): " + isSunJSSEFIPS);
+ }
+}
+

6
SOURCES/nss.fips.cfg.in Normal file
View File

@ -0,0 +1,6 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@
nssDbMode = readOnly
nssModule = fips

434
SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
View File

@ -1,434 +0,0 @@
diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4
--- a/make/autoconf/jdk-options.m4
+++ b/make/autoconf/jdk-options.m4
@@ -267,9 +267,10 @@
#
AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC],
[
+ AC_REQUIRE([LIB_SETUP_MISC_LIBS])
AC_MSG_CHECKING([if elliptic curve crypto implementation is present])
- if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
+ if test "x${system_nss}" = "xyes" -o -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
ENABLE_INTREE_EC=true
AC_MSG_RESULT([yes])
else
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
--- a/make/autoconf/libraries.m4
+++ b/make/autoconf/libraries.m4
@@ -178,6 +178,48 @@
AC_SUBST(LIBDL)
LIBS="$save_LIBS"
+ ###############################################################################
+ #
+ # Check for the NSS libraries
+ #
+
+ AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries])
+
+ # default is bundled
+ DEFAULT_SYSTEM_NSS=no
+
+ AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss],
+ [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])],
+ [
+ case "${enableval}" in
+ yes)
+ system_nss=yes
+ ;;
+ *)
+ system_nss=no
+ ;;
+ esac
+ ],
+ [
+ system_nss=${DEFAULT_SYSTEM_NSS}
+ ])
+ AC_MSG_RESULT([$system_nss])
+
+ if test "x${system_nss}" = "xyes"; then
+ PKG_CHECK_MODULES(NSS_SOFTTKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no])
+ PKG_CHECK_MODULES(NSS, nss >= 3.16.1, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_SOFTOKN_FOUND}" = "xyes" -a "x${NSS_FOUND}" = "xyes"; then
+ NSS_LIBS="$NSS_SOFTOKN_LIBS $NSS_LIBS -lfreebl";
+ USE_EXTERNAL_NSS=true
+ else
+ AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.])
+ fi
+ else
+ USE_EXTERNAL_NSS=false
+ fi
+ AC_SUBST(USE_EXTERNAL_NSS)
+
+
# Deprecated libraries, keep the flags for backwards compatibility
if test "x$OPENJDK_TARGET_OS" = "xwindows"; then
BASIC_DEPRECATED_ARG_WITH([dxsdk])
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
--- a/make/autoconf/spec.gmk.in
+++ b/make/autoconf/spec.gmk.in
@@ -795,6 +795,10 @@
# Libraries
#
+USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@
+NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@
+
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
LCMS_CFLAGS:=@LCMS_CFLAGS@
LCMS_LIBS:=@LCMS_LIBS@
diff --git a/make/lib/Lib-jdk.crypto.ec.gmk b/make/lib/Lib-jdk.crypto.ec.gmk
--- a/make/lib/Lib-jdk.crypto.ec.gmk
+++ b/make/lib/Lib-jdk.crypto.ec.gmk
@@ -38,6 +38,11 @@
BUILD_LIBSUNEC_CXXFLAGS_JDKLIB := $(CXXFLAGS_JDKLIB)
endif
+ ifeq ($(USE_EXTERNAL_NSS), true)
+ BUILD_LIBSUNEC_CFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
+ BUILD_LIBSUNEC_CXXFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
+ endif
+
$(eval $(call SetupJdkLibrary, BUILD_LIBSUNEC, \
NAME := sunec, \
TOOLCHAIN := TOOLCHAIN_LINK_CXX, \
@@ -47,9 +52,11 @@
CXXFLAGS := $(BUILD_LIBSUNEC_CXXFLAGS_JDKLIB), \
DISABLED_WARNINGS_gcc := sign-compare implicit-fallthrough, \
DISABLED_WARNINGS_microsoft := 4101 4244 4146 4018, \
- LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \
+ LDFLAGS := $(subst -Xlinker --as-needed,, \
+ $(subst -Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) $(LDFLAGS_CXX_JDK), \
LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \
LIBS := $(LIBCXX), \
+ LIBS_linux := -lc $(NSS_LIBS), \
))
TARGETS += $(BUILD_LIBSUNEC)
diff --git a/src/java.base/unix/native/include/jni_md.h b/src/java.base/unix/native/include/jni_md.h
--- a/src/java.base/unix/native/include/jni_md.h
+++ b/src/java.base/unix/native/include/jni_md.h
@@ -41,6 +41,11 @@
#define JNIEXPORT
#define JNIIMPORT
#endif
+#if (defined(__GNUC__)) || __has_attribute(unused)
+ #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__))
+#else
+ #define UNUSED(x) UNUSED_ ## x
+#endif
#define JNICALL
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
@@ -61,6 +61,7 @@
AccessController.doPrivileged(new PrivilegedAction<Void>() {
public Void run() {
System.loadLibrary("sunec"); // check for native library
+ initialize();
return null;
}
});
@@ -293,6 +294,11 @@
"ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
}
+ /**
+ * Initialize the native code.
+ */
+ private static native void initialize();
+
private void putXDHEntries() {
HashMap<String, String> ATTRS = new HashMap<>(1);
diff --git a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
--- a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
+++ b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
@@ -25,7 +25,11 @@
#include <jni.h>
#include "jni_util.h"
+#ifdef SYSTEM_NSS
+#include "ecc_impl.h"
+#else
#include "impl/ecc_impl.h"
+#endif
#include "sun_security_ec_ECDHKeyAgreement.h"
#include "sun_security_ec_ECKeyPairGenerator.h"
#include "sun_security_ec_ECDSASignature.h"
@@ -33,6 +37,13 @@
#define INVALID_PARAMETER_EXCEPTION \
"java/security/InvalidParameterException"
#define KEY_EXCEPTION "java/security/KeyException"
+#define INTERNAL_ERROR "java/lang/InternalError"
+
+#ifdef SYSTEM_NSS
+#define SYSTEM_UNUSED(x) UNUSED(x)
+#else
+#define SYSTEM_UNUSED(x) x
+#endif
extern "C" {
@@ -55,8 +66,13 @@
/*
* Deep free of the ECParams struct
*/
-void FreeECParams(ECParams *ecparams, jboolean freeStruct)
+void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct))
{
+#ifdef SYSTEM_NSS
+ // Needs to be freed using the matching method to the one
+ // that allocated it. PR_TRUE means the memory is zeroed.
+ PORT_FreeArena(ecparams->arena, PR_TRUE);
+#else
// Use B_FALSE to free the SECItem->data element, but not the SECItem itself
// Use B_TRUE to free both
@@ -70,6 +86,7 @@
SECITEM_FreeItem(&ecparams->curveOID, B_FALSE);
if (freeStruct)
free(ecparams);
+#endif
}
jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem)
@@ -139,7 +156,7 @@
*/
JNIEXPORT jobjectArray
JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair
- (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed)
+ (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed)
{
ECPrivateKey *privKey = NULL; // contains both public and private values
ECParams *ecparams = NULL;
@@ -171,8 +188,17 @@
env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
// Generate the new keypair (using the supplied seed)
+#ifdef SYSTEM_NSS
+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
+ != SECSuccess) {
+ ThrowException(env, KEY_EXCEPTION);
+ goto cleanup;
+ }
+ if (EC_NewKey(ecparams, &privKey) != SECSuccess) {
+#else
if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer,
jSeedLength, 0) != SECSuccess) {
+#endif
ThrowException(env, KEY_EXCEPTION);
goto cleanup;
}
@@ -219,10 +245,15 @@
}
if (privKey) {
FreeECParams(&privKey->ecParams, false);
+#ifndef SYSTEM_NSS
+ // The entire ECPrivateKey is allocated in the arena
+ // when using system NSS, so only the in-tree version
+ // needs to clear these manually.
SECITEM_FreeItem(&privKey->version, B_FALSE);
SECITEM_FreeItem(&privKey->privateValue, B_FALSE);
SECITEM_FreeItem(&privKey->publicValue, B_FALSE);
free(privKey);
+#endif
}
if (pSeedBuffer) {
@@ -240,7 +271,7 @@
*/
JNIEXPORT jbyteArray
JNICALL Java_sun_security_ec_ECDSASignature_signDigest
- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
{
jbyte* pDigestBuffer = NULL;
jint jDigestLength = env->GetArrayLength(digest);
@@ -299,8 +330,18 @@
env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
// Sign the digest (using the supplied seed)
+#ifdef SYSTEM_NSS
+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
+ != SECSuccess) {
+ ThrowException(env, KEY_EXCEPTION);
+ goto cleanup;
+ }
+ if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item)
+ != SECSuccess) {
+#else
if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
(unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) {
+#endif
ThrowException(env, KEY_EXCEPTION);
goto cleanup;
}
@@ -349,7 +390,7 @@
*/
JNIEXPORT jboolean
JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest
- (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
{
jboolean isValid = false;
@@ -406,9 +447,10 @@
cleanup:
{
- if (params_item.data)
+ if (params_item.data) {
env->ReleaseByteArrayElements(encodedParams,
(jbyte *) params_item.data, JNI_ABORT);
+ }
if (pubKey.publicValue.data)
env->ReleaseByteArrayElements(publicKey,
@@ -434,7 +476,7 @@
*/
JNIEXPORT jbyteArray
JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey
- (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
{
jbyteArray jSecret = NULL;
ECParams *ecparams = NULL;
@@ -510,9 +552,10 @@
env->ReleaseByteArrayElements(publicKey,
(jbyte *) publicValue_item.data, JNI_ABORT);
- if (params_item.data)
+ if (params_item.data) {
env->ReleaseByteArrayElements(encodedParams,
(jbyte *) params_item.data, JNI_ABORT);
+ }
if (ecparams)
FreeECParams(ecparams, true);
@@ -521,4 +564,28 @@
return jSecret;
}
+JNIEXPORT void
+JNICALL Java_sun_security_ec_SunEC_initialize
+ (JNIEnv *env, jclass UNUSED(clazz))
+{
+#ifdef SYSTEM_NSS
+ if (SECOID_Init() != SECSuccess) {
+ ThrowException(env, INTERNAL_ERROR);
+ }
+ if (RNG_RNGInit() != SECSuccess) {
+ ThrowException(env, INTERNAL_ERROR);
+ }
+#endif
+}
+
+JNIEXPORT void
+JNICALL JNI_OnUnload
+ (JavaVM *vm, void *reserved)
+{
+#ifdef SYSTEM_NSS
+ RNG_RNGShutdown();
+ SECOID_Shutdown();
+#endif
+}
+
} /* extern "C" */
--- a/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-11 00:01:25.000000000 -0500
+++ b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-14 03:52:54.145695946 -0500
@@ -45,7 +45,19 @@
#endif
#include <sys/types.h>
+
+#ifdef SYSTEM_NSS
+#include <secitem.h>
+#include <secerr.h>
+#include <keythi.h>
+#ifdef LEGACY_NSS
+#include <softoken.h>
+#else
+#include <blapi.h>
+#endif
+#else
#include "ecl-exp.h"
+#endif
/*
* Multi-platform definitions
@@ -96,6 +108,7 @@
* Various structures and definitions from NSS are here.
*/
+#ifndef SYSTEM_NSS
#ifdef _KERNEL
#define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f))
#define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f))
@@ -130,9 +143,12 @@
#define PORT_Memcpy(t, f, l) memcpy((t), (f), (l))
#endif
+#endif
+
#define CHECK_OK(func) if (func == NULL) goto cleanup
#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
+#ifndef SYSTEM_NSS
typedef enum {
siBuffer = 0,
siClearDataBuffer = 1,
@@ -229,6 +245,7 @@
SECFailure = -1,
SECSuccess = 0
} SECStatus;
+#endif
#ifdef _KERNEL
#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l))
@@ -237,8 +254,10 @@
This function is no longer required because the random bytes are now
supplied by the caller. Force a failure.
*/
+#ifndef SYSTEM_NSS
#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure
#endif
+#endif
#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
#define MP_TO_SEC_ERROR(err)
@@ -248,11 +267,18 @@
extern int ecc_knzero_random_generator(uint8_t *, size_t);
extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t);
+#ifdef SYSTEM_NSS
+#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b)
+#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c)
+#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e)
+#else
extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int);
+
extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int);
extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *,
int);
extern void SECITEM_FreeItem(SECItem *, boolean_t);
+
/* This function has been modified to accept an array of random bytes */
extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
const unsigned char* random, int randomlen, int);
@@ -263,9 +289,10 @@
const SECItem *, int);
extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
SECItem *, int);
+#endif
#ifdef __cplusplus
}
#endif
-#endif /* _ECC_IMPL_H */
+#endif /* _ECC_IMPL_H */

6
SOURCES/remove-intree-libraries.sh
View File

@ -128,10 +128,4 @@ rm -vf ${LCMS_SRC}/lcms2.h
rm -vf ${LCMS_SRC}/lcms2_internal.h
rm -vf ${LCMS_SRC}/lcms2_plugin.h
# Get rid of in-tree SunEC until RH1656676 is implemented
echo "Removing SunEC native code"
mv -v src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h .
rm -vrf src/jdk.crypto.ec/share/native/libsunec/impl
mv -v ecc_impl.h src/jdk.crypto.ec/share/native/libsunec

66
SOURCES/rh1022017-reduce_ssl_curves.patch
View File

@ -1,66 +0,0 @@
diff --git openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
--- openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
+++ openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
@@ -515,50 +515,19 @@
}
} else { // default groups
NamedGroup[] groups;
- if (requireFips) {
- groups = new NamedGroup[] {
- // only NIST curves in FIPS mode
- NamedGroup.SECP256_R1,
- NamedGroup.SECP384_R1,
- NamedGroup.SECP521_R1,
- NamedGroup.SECT283_K1,
- NamedGroup.SECT283_R1,
- NamedGroup.SECT409_K1,
- NamedGroup.SECT409_R1,
- NamedGroup.SECT571_K1,
- NamedGroup.SECT571_R1,
+ groups = new NamedGroup[] {
+ // only NIST curves in FIPS mode
+ NamedGroup.SECP256_R1,
+ NamedGroup.SECP384_R1,
+ NamedGroup.SECP521_R1,
- // FFDHE 2048
- NamedGroup.FFDHE_2048,
- NamedGroup.FFDHE_3072,
- NamedGroup.FFDHE_4096,
- NamedGroup.FFDHE_6144,
- NamedGroup.FFDHE_8192,
- };
- } else {
- groups = new NamedGroup[] {
- // NIST curves first
- NamedGroup.SECP256_R1,
- NamedGroup.SECP384_R1,
- NamedGroup.SECP521_R1,
- NamedGroup.SECT283_K1,
- NamedGroup.SECT283_R1,
- NamedGroup.SECT409_K1,
- NamedGroup.SECT409_R1,
- NamedGroup.SECT571_K1,
- NamedGroup.SECT571_R1,
-
- // non-NIST curves
- NamedGroup.SECP256_K1,
-
- // FFDHE 2048
- NamedGroup.FFDHE_2048,
- NamedGroup.FFDHE_3072,
- NamedGroup.FFDHE_4096,
- NamedGroup.FFDHE_6144,
- NamedGroup.FFDHE_8192,
- };
- }
+ // FFDHE 2048
+ NamedGroup.FFDHE_2048,
+ NamedGroup.FFDHE_3072,
+ NamedGroup.FFDHE_4096,
+ NamedGroup.FFDHE_6144,
+ NamedGroup.FFDHE_8192,
+ };
groupList = new ArrayList<>(groups.length);
for (NamedGroup group : groups) {

205
SOURCES/rh1655466-global_crypto_and_fips.patch Normal file
View File

@ -0,0 +1,205 @@
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
--- openjdk.orig///src/java.base/share/classes/java/security/Security.java
+++ openjdk///src/java.base/share/classes/java/security/Security.java
@@ -196,26 +196,8 @@
if (disableSystemProps == null &&
"true".equalsIgnoreCase(props.getProperty
("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
+ if (SystemConfigurator.configure(props)) {
loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
}
}
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
--- /dev/null
+++ openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.function.Consumer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import sun.security.util.Debug;
+
+/**
+ * Internal class to align OpenJDK with global crypto-policies.
+ * Called from java.security.Security class initialization,
+ * during startup.
+ *
+ */
+
+class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+ private static final String CRYPTO_POLICIES_BASE_DIR =
+ "/etc/crypto-policies";
+
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+ private static final class SecurityProviderInfo {
+ int number;
+ String key;
+ String value;
+ SecurityProviderInfo(int number, String key, String value) {
+ this.number = number;
+ this.key = key;
+ this.value = value;
+ }
+ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configure(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
+ loadedProps = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties from " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ e.printStackTrace();
+ }
+ }
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+ loadedProps = false;
+ // Remove all security providers
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+ while (i.hasNext()) {
+ Entry<Object, Object> e = i.next();
+ if (((String) e.getKey()).startsWith("security.provider")) {
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
+ i.remove();
+ }
+ }
+ // Add FIPS security providers
+ String fipsProviderValue = null;
+ for (int n = 1;
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
+ String fipsProviderKey = "security.provider." + n;
+ if (sdebug != null) {
+ sdebug.println("Adding provider " + n + ": " +
+ fipsProviderKey + "=" + fipsProviderValue);
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load FIPS configuration");
+ e.printStackTrace();
+ }
+ }
+ return loadedProps;
+ }
+
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false"));
+ if (fipsEnabled) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {
+ return false;
+ }
+ }
+}
diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
--- openjdk.orig///src/java.base/share/conf/security/java.security
+++ openjdk///src/java.base/share/conf/security/java.security
@@ -87,6 +87,14 @@
#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
+# Security providers used when global crypto-policies are set to FIPS.
+#
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+fips.provider.2=SUN
+fips.provider.3=SunEC
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
+
+#
# A list of preferred providers for specific algorithms. These providers will
# be searched for matching algorithms before the list of registered providers.
# Entries containing errors (parsing, etc) will be ignored. Use the

293
SPECS/java-11-openjdk.spec
View File

@ -121,10 +121,12 @@
%endif
%if %{bootstrap_build}
%global targets bootcycle-images all docs
%global release_targets bootcycle-images docs-zip
%else
%global targets all docs
%global release_targets images docs-zip
%endif
# No docs nor bootcycle for debug builds
%global debug_targets images
# Filter out flags from the optflags macro that cause problems with the OpenJDK build
@ -141,14 +143,6 @@
# looks like openjdk RPM specific bug
# Always set this so the nss.cfg file is not broken
%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
%global NSS_LIBS %(pkg-config --libs nss)
%global NSS_CFLAGS %(pkg-config --cflags nss-softokn)
# see https://bugzilla.redhat.com/show_bug.cgi?id=1332456
%global NSSSOFTOKN_BUILDTIME_NUMBER %(pkg-config --modversion nss-softokn || : )
%global NSS_BUILDTIME_NUMBER %(pkg-config --modversion nss || : )
# this is workaround for processing of requires during srpm creation
%global NSSSOFTOKN_BUILDTIME_VERSION %(if [ "x%{NSSSOFTOKN_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSSSOFTOKN_BUILDTIME_NUMBER}" ;fi)
%global NSS_BUILDTIME_VERSION %(if [ "x%{NSS_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSS_BUILDTIME_NUMBER}" ;fi)
# In some cases, the arch used by the JDK does
# not match _arch.
@ -206,7 +200,7 @@
# New Version-String scheme-style defines
%global majorver 11
%global securityver 3
%global securityver 5
# buildjdkver is usually same as %%{majorver},
# but in time of bootstrap of next jdk, it is majorver-1,
# and this it is better to change it here, on single place
@ -228,7 +222,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global minorver 0
%global buildver 7
%global buildver 10
%global rpmrelease 3
#%%global tagsuffix ""
# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
%if %is_system_jdk
@ -241,6 +236,23 @@
%global javaver %{majorver}
# Define milestone (EA for pre-releases, GA for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
%global is_ga 1
%if %{is_ga}
%global ea_designator ""
%global ea_designator_zip ""
%global extraver %{nil}
%global eaprefix %{nil}
%else
%global ea_designator ea
%global ea_designator_zip -%{ea_designator}
%global extraver .%{ea_designator}
%global eaprefix 0.
%endif
# parametrized macros are order-sensitive
%global compatiblename java-%{majorver}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
@ -563,6 +575,7 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
@ -648,6 +661,7 @@ exit 0
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
# this is conifg template, thus not config-noreplace
%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
@ -819,7 +833,9 @@ Requires: libXcomposite%{?_isa}
Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
# for java-X-openjdk package's desktop binding
%if 0%{?rhel} >= 8
Recommends: gtk3%{?_isa}
%endif
Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
@ -844,9 +860,6 @@ Requires: javapackages-filesystem
Requires: tzdata-java >= 2015d
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
# there is a need to depend on the exact version of NSS
Requires: nss%{?_isa} %{NSS_BUILDTIME_VERSION}
Requires: nss-softokn%{?_isa} %{NSSSOFTOKN_BUILDTIME_VERSION}
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
# considered as regression
@ -863,7 +876,9 @@ Requires(postun): %{_sbindir}/alternatives
# in version 1.7 and higher for --family switch
Requires(postun): chkconfig >= 1.7
# for optional support of kernel stream control, card reader and printing bindings
%if 0%{?rhel} >= 8
Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa}
%endif
# Standard JPackage base provides
Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
@ -963,7 +978,7 @@ Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-%{javaver}-%{origin}
Version: %{newjavaver}.%{buildver}
Release: 3%{?dist}
Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@ -1016,29 +1031,23 @@ Source13: TestCryptoLevel.java
# Ensure ECDSA is working
Source14: TestECDSA.java
# nss fips configuration file
Source15: nss.fips.cfg.in
############################################
#
# RPM/distribution specific patches
#
############################################
# NSS via SunPKCS11 Provider (disabled comment
# due to memory leak).
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
# Ignore AWTError when assistive technologies are loaded
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes
Patch2: rh1648644-java_access_bridge_privileged_security.patch
# PR1834, RH1022017: Reduce curves reported by SSL to those in NSS
# Not currently suitable to go upstream as it disables curves
# for all providers unconditionally
Patch525: rh1022017-reduce_ssl_curves.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# System NSS via SunEC Provider
Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
# NSS via SunPKCS11 Provider (disabled due to memory leak).
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
Patch1001: rh1655466-global_crypto_and_fips.patch
#############################################
#
@ -1050,10 +1059,16 @@ Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_s
#############################################
#
# OpenJDK specific patches
# Upstreamable patches
#
# This section includes patches which need to
# be reviewed & pushed to the current development
# tree of OpenJDK.
#############################################
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# RH1566890: CVE-2018-3639
Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
# PR3695: Allow use of system crypto policy to be disabled by the user
@ -1061,6 +1076,18 @@ Patch7: pr3695-toggle_system_crypto_policy.patch
# S390 ambiguous log2_intptr call
Patch8: s390-8214206_fix.patch
#############################################
#
# Patches appearing in 11.0.6
#
# This section includes patches which are present
# in the listed OpenJDK 8u release and should be
# able to be removed once that release is out
# and used by this RPM.
#############################################
# JDK-8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file
Patch11: jdk8230923-fips_mode_initialisation_failure.patch
#############################################
#
# JDK 9+ only patches
@ -1075,12 +1102,11 @@ BuildRequires: cups-devel
BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
BuildRequires: fontconfig
BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
BuildRequires: gtk3-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
@ -1088,6 +1114,8 @@ BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXi-devel
BuildRequires: libXinerama-devel
BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel
BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirements for setting up the nss.cfg
@ -1105,8 +1133,6 @@ BuildRequires: libffi-devel
BuildRequires: tzdata-java >= 2015d
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
# Build requirements for SunEC system NSS support
BuildRequires: nss-softokn-freebl-devel >= 3.16.1
%if %{with_systemtap}
BuildRequires: systemtap-sdt-devel
@ -1251,6 +1277,7 @@ The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice
Summary: %{origin_nice} %{majorver} API documentation
Group: Documentation
Requires: javapackages-filesystem
Obsoletes: javadoc-debug
%{java_javadoc_rpo %{nil}}
@ -1263,6 +1290,7 @@ The %{origin_nice} %{majorver} API documentation.
Summary: %{origin_nice} %{majorver} API documentation compressed in single archive
Group: Documentation
Requires: javapackages-filesystem
Obsoletes: javadoc-zip-debug
%{java_javadoc_rpo %{nil}}
@ -1270,31 +1298,6 @@ Requires: javapackages-filesystem
The %{origin_nice} %{majorver} API documentation compressed in single archive.
%endif
%if %{include_debug_build}
%package javadoc-slowdebug
Summary: %{origin_nice} %{majorver} API documentation %{for_debug}
Group: Documentation
Requires: javapackages-filesystem
%{java_javadoc_rpo -- %{debug_suffix_unquoted}}
%description javadoc-slowdebug
The %{origin_nice} %{majorver} API documentation %{for_debug}.
%endif
%if %{include_debug_build}
%package javadoc-zip-slowdebug
Summary: %{origin_nice} %{majorver} API documentation compressed in single archive %{for_debug}
Group: Documentation
Requires: javapackages-filesystem
%{java_javadoc_rpo -- %{debug_suffix_unquoted}}
%description javadoc-zip-slowdebug
The %{origin_nice} %{majorver} API documentation compressed in single archive %{for_debug}.
%endif
%prep
if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
echo "include_normal_build is %{include_normal_build}"
@ -1329,14 +1332,14 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch525 -p1
%patch11 -p1
popd # openjdk
%patch1000
%patch1001
# Extract systemtap tapsets
%if %{with_systemtap}
@ -1382,6 +1385,9 @@ done
# Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg
sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
%build
# How many CPU's do we have?
@ -1433,14 +1439,13 @@ bash ../configure \
--with-jobs=1 \
%endif
--with-version-build=%{buildver} \
--with-version-pre="" \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
--with-vendor-version-string="%{vendor_version_string}" \
--with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \
--with-debug-level=$debugbuild \
--with-native-debug-symbols=internal \
--enable-unlimited-crypto \
--enable-system-nss \
--with-zlib=system \
--with-libjpeg=system \
--with-giflib=system \
@ -1457,14 +1462,18 @@ bash ../configure \
%endif
--disable-warnings-as-errors
# Debug builds don't need same targets as release for
# build speed-up
maketargets="%{release_targets}"
if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}"
fi
make \
JAVAC_FLAGS=-g \
LOG=trace \
WARNINGS_ARE_ERRORS="-Wno-error" \
CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
%{targets} || ( pwd; find $top_dir_abs_path -name "hs_err_pid*.log" | xargs cat && false )
make docs-zip
$maketargets || ( pwd; find $top_dir_abs_path -name "hs_err_pid*.log" | xargs cat && false )
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
@ -1484,6 +1493,9 @@ export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg $JAVA_HOME/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
# Use system-wide tzdata
rm $JAVA_HOME/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
@ -1498,7 +1510,7 @@ for suffix in %{rev_build_loop} ; do
export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
#check sheandoah is enabled
#check Shenandoah is enabled
%if %{use_shenandoah_hotspot}
$JAVA_HOME//bin/java -XX:+UseShenandoahGC -version
%endif
@ -1646,10 +1658,12 @@ pushd %{buildoutputdir $suffix}/images/%{jdkimage}
popd
# Install Javadoc documentation
install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
cp -a %{buildoutputdir -- $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{newjavaver}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
if ! echo $suffix | grep -q "debug" ; then
# Install Javadoc documentation
install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
cp -a %{buildoutputdir $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix}
cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
fi
# Install icons and menu entries
for s in 16 24 32 48 ; do
@ -1799,17 +1813,6 @@ require "copy_jdk_configs.lua"
%posttrans devel-slowdebug
%{posttrans_devel -- %{debug_suffix_unquoted}}
%post javadoc-slowdebug
%{post_javadoc -- %{debug_suffix_unquoted}}
%postun javadoc-slowdebug
%{postun_javadoc -- %{debug_suffix_unquoted}}
%post javadoc-zip-slowdebug
%{post_javadoc_zip -- %{debug_suffix_unquoted}}
%postun javadoc-zip-slowdebug
%{postun_javadoc_zip -- %{debug_suffix_unquoted}}
%endif
%if %{include_normal_build}
@ -1870,15 +1873,129 @@ require "copy_jdk_configs.lua"
%files src-slowdebug
%{files_src -- %{debug_suffix_unquoted}}
%files javadoc-slowdebug
%{files_javadoc -- %{debug_suffix_unquoted}}
%files javadoc-zip-slowdebug
%{files_javadoc_zip -- %{debug_suffix_unquoted}}
%endif
%changelog
* Wed Nov 06 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.5.10-3
- Bump release number for RHEL 8.2.0.
- Resolves: rhbz#1753423
* Fri Oct 25 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.5.10-2
- Disable FIPS mode support unless com.redhat.fips is set to "true".
- Resolves: rhbz#1751845
* Wed Oct 09 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.5.10-1
- Update to shenandoah-jdk-11.0.5+10 (GA)
- Switch to GA mode for final release.
- Remove PR1834/RH1022017 which is now handled by JDK-8228825 upstream.
- Resolves: rhbz#1753423
* Wed Oct 09 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.5.9-0.0.ea
- Update to shenandoah-jdk-11.0.5+9 (EA)
- Resolves: rhbz#1753423
* Mon Oct 07 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.5.1-0.1.ea
- Update to shenandoah-jdk-11.0.5+1 (EA)
- Switch to EA mode for 11.0.5 pre-release builds.
- Drop JDK-8223482 which is included upstream in 11.0.5+1.
- Resolves: rhbz#1753423
* Mon Sep 30 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.4.11-4
- Backport JDK-8230923 so arguments are passed to security providers.
- Update RH1655466 patch with changes in OpenJDK 8 version.
- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
- Resolves: rhbz#1751845
* Tue Aug 13 2019 Martin Balao <mbalao@redhat.com> - 1:11.0.4.11-3
- Support the FIPS mode crypto policy on RHEL 8.
- Resolves: rhbz#1725961
* Tue Jul 09 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.11-2
- Drop NSS runtime dependencies and patches to link against it.
- Resolves: rhbz#1678554
* Tue Jul 09 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.11-1
- Update to shenandoah-jdk-11.0.4+11 (GA)
- Switch to GA mode for final release.
- Resolves: rhbz#1724452
* Mon Jul 08 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.10-0.1.ea
- Update to shenandoah-jdk-11.0.4+10 (EA)
- Resolves: rhbz#1724452
* Mon Jul 08 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.9-0.1.ea
- Update to shenandoah-jdk-11.0.4+9 (EA)
- Resolves: rhbz#1724452
* Mon Jul 08 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.8-0.1.ea
- Update to shenandoah-jdk-11.0.4+8 (EA)
- Resolves: rhbz#1724452
* Sun Jul 07 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.4.7-0.2.ea
- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency
- Resolves: rhbz#1724452
* Sun Jul 07 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.4.7-0.2.ea
- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency
- Resolves: rhbz#1724452
* Sun Jul 07 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.4.7-0.2.ea
- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency
- Resolves: rhbz#1724452
* Sun Jul 07 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.4.7-0.2.ea
- Make use of Recommends and Suggests dependent on RHEL 8+ environment.
- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime.
- Resolves: rhbz#1724452
* Sun Jul 07 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.7-0.1.ea
- Update to shenandoah-jdk-11.0.4+7 (EA)
- Resolves: rhbz#1724452
* Wed Jul 03 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.6-0.1.ea
- Obsolete javadoc-debug and javadoc-debug-zip packages via javadoc and javadoc-zip respectively.
- Resolves: rhbz#1724452
* Wed Jul 03 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.6-0.1.ea
- Update to shenandoah-jdk-11.0.4+6 (EA)
- Resolves: rhbz#1724452
* Wed Jul 03 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.5-0.1.ea
- Update to shenandoah-jdk-11.0.4+5 (EA)
- Resolves: rhbz#1724452
* Tue Jul 02 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.4-0.1.ea
- Update to shenandoah-jdk-11.0.4+4 (EA)
- Resolves: rhbz#1724452
* Mon Jul 01 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.4.3-0.1.ea
- Update to shenandoah-jdk-11.0.4+3 (EA)
- Resolves: rhbz#1724452
* Sun Jun 30 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.4.2-0.1.ea
- Update to shenandoah-jdk-11.0.4+2 (EA)
- Resolves: rhbz#1724452
* Fri Jun 21 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.4.2-0.1.ea
- Package jspawnhelper (see JDK-8220360).
- Resolves: rhbz#1724452
* Fri Jun 21 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.3.7-5
- Include 'ea' designator in Release when appropriate.
- Resolves: rhbz#1724452
* Wed May 22 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.3.7-5
- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.
- Resolves: rhbz#1724452
* Thu Apr 25 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.3.7-4
- Don't build the test images needlessly.
- Don't produce javadoc/javadoc-zip sub packages for the debug variant build.
- Don't perform a bootcycle build for the debug variant build.
- Resolves: rhbz#1724452
* Wed Apr 24 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.3.7-3
- Do not generate lib-style requires for -slowdebug subpackages.
- Resolves: rhbz#1693468