import java-11-openjdk-11.0.14.1.1-6.el9
This commit is contained in:
parent
561b9cc3f9
commit
9a76bdbac2
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve-clean.tar.xz
|
||||
SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
|
||||
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||
|
@ -1,2 +1,2 @@
|
||||
6453aa42343678f2e4a86362921ff373625f3ed3 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve-clean.tar.xz
|
||||
dc2a5d071dcf324a925de54709e153c6df94dd43 SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
|
||||
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||
|
866
SOURCES/NEWS
866
SOURCES/NEWS
@ -3,6 +3,872 @@ Key:
|
||||
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
|
||||
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
|
||||
|
||||
New in release OpenJDK 11.0.14.1 (2022-02-08):
|
||||
=============================================
|
||||
Live versions of these release notes can be found at:
|
||||
* https://bitly.com/openjdk110141
|
||||
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.1.txt
|
||||
|
||||
* Other changes
|
||||
- JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient
|
||||
- JDK-8280786: Build failure on Solaris after 8262392
|
||||
- JDK-8281324: Bump update version for OpenJDK: jdk-11.0.14.1
|
||||
|
||||
New in release OpenJDK 11.0.14 (2022-01-18):
|
||||
=============================================
|
||||
Live versions of these release notes can be found at:
|
||||
* https://bitly.com/openjdk11014
|
||||
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.txt
|
||||
|
||||
* New features
|
||||
- JDK-8248238: Implementation: JEP 388: Windows AArch64 Support
|
||||
* Security fixes
|
||||
- JDK-8217375: jarsigner breaks old signature with long lines in manifest
|
||||
- JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
|
||||
- JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
|
||||
- JDK-8268488: More valuable DerValues
|
||||
- JDK-8268494: Better inlining of inlined interfaces
|
||||
- JDK-8268512: More content for ContentInfo
|
||||
- JDK-8268795: Enhance digests of Jar files
|
||||
- JDK-8268801: Improve PKCS attribute handling
|
||||
- JDK-8268813, CVE-2022-21283: Better String matching
|
||||
- JDK-8269151: Better construction of EncryptedPrivateKeyInfo
|
||||
- JDK-8269944: Better HTTP transport redux
|
||||
- JDK-8270386, CVE-2022-21291: Better verification of scan methods
|
||||
- JDK-8270392, CVE-2022-21293: Improve String constructions
|
||||
- JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
|
||||
- JDK-8270492, CVE-2022-21282: Better resolution of URIs
|
||||
- JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
|
||||
- JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
|
||||
- JDK-8270952, CVE-2022-21277: Improve TIFF file handling
|
||||
- JDK-8271962: Better TrueType font loading
|
||||
- JDK-8271968: Better canonical naming
|
||||
- JDK-8271987: Manifest improved manifest entries
|
||||
- JDK-8272014, CVE-2022-21305: Better array indexing
|
||||
- JDK-8272026, CVE-2022-21340: Verify Jar Verification
|
||||
- JDK-8272236, CVE-2022-21341: Improve serial forms for transport
|
||||
- JDK-8272272: Enhance jcmd communication
|
||||
- JDK-8272462: Enhance image handling
|
||||
- JDK-8273290: Enhance sound handling
|
||||
- JDK-8273756, CVE-2022-21360: Enhance BMP image support
|
||||
- JDK-8273838, CVE-2022-21365: Enhanced BMP processing
|
||||
- JDK-8274096, CVE-2022-21366: Improve decoding of image files
|
||||
- JDK-8279541: Improve HarfBuzz
|
||||
* Other changes
|
||||
- JDK-6849922: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.html fails
|
||||
- JDK-7105119: [TEST_BUG] [macosx] In test UIDefaults.toString() must be called with the invokeLater()
|
||||
- JDK-7151826: [TEST_BUG] [macosx] The test javax/swing/JPopupMenu/4966112/bug4966112.java not for mac
|
||||
- JDK-7179006: [macosx] Print-to-file doesn't work: printing to the default printer instead
|
||||
- JDK-8015602: [macosx] Test javax/swing/SpringLayout/4726194/bug4726194.java fails on MacOSX
|
||||
- JDK-8034084: nsk.nsk/jvmti/ThreadStart/threadstart003 Wrong number of thread end events
|
||||
- JDK-8039261: [TEST_BUG]: There is not a minimal security level in Java Preferences and the TestApplet.html is blocked.
|
||||
- JDK-8047218: [TEST_BUG] java/awt/FullScreen/AltTabCrashTest/AltTabCrashTest.java fails with exception
|
||||
- JDK-8075909: [TEST_BUG] The regression-swing case failed as it does not have the 'Open' button when select 'subdir' folder with NimbusLAF
|
||||
- JDK-8078219: Verify lack of @test tag in files in java/net test directory
|
||||
- JDK-8080569: java/lang/ProcessBuilder/DestroyTest.java fails with "RuntimeException: Process terminated prematurely"
|
||||
- JDK-8081652: [TESTBUG] java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java timed out intermittently
|
||||
- JDK-8129310: java/net/Socket/asyncClose/AsyncClose.java fails intermittently
|
||||
- JDK-8131745: java/lang/management/ThreadMXBean/AllThreadIds.java still fails intermittently
|
||||
- JDK-8136517: [macosx]Test java/awt/Focus/8073453/AWTFocusTransitionTest.java fails on MacOSX
|
||||
- JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
|
||||
- JDK-8143021: [TEST_BUG] Test javax/swing/JColorChooser/Test6541987.java fails
|
||||
- JDK-8159597: [TEST_BUG] closed/javax/swing/JPopupMenu/4760494/bug4760494.java leaves key pressed
|
||||
- JDK-8159904: [TEST_BUG] Failure on solaris of java/awt/Window/MultiWindowApp/MultiWindowAppTest.java
|
||||
- JDK-8163086: java/awt/Window/TranslucentJAppletTest/TranslucentJAppletTest.java fails
|
||||
- JDK-8165828: [TEST_BUG] The reg case:javax/swing/plaf/metal/MetalIcons/MetalHiDPIIconsTest.java failed as No Metal Look and Feel
|
||||
- JDK-8169953: JComboBox/8057893: ComboBoxEdited event is not fired! on Windows
|
||||
- JDK-8169954: JFileChooser/8021253: java.lang.RuntimeException: Default button is not pressed
|
||||
- JDK-8169959: javax/swing/JTable/6263446/bug6263446.java: Table should be editing
|
||||
- JDK-8171381: [TEST_BUG] [macos] javax/swing/JPopupMenu/7156657/bug7156657.java fails on OS X
|
||||
- JDK-8171998: javax/swing/JMenu/4692443/bug4692443.java fails on Windows
|
||||
- JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
|
||||
- JDK-8179880: Refactor javax/security shell tests to plain java tests
|
||||
- JDK-8180568: Refactor javax/crypto shell tests to plain java tests
|
||||
- JDK-8180569: Refactor sun/security/krb5/ shell tests to plain java tests
|
||||
- JDK-8180571: Refactor sun/security/pkcs11 shell tests to plain java tests and fix failures
|
||||
- JDK-8180573: Refactor sun/security/tools shell tests to plain java tests
|
||||
- JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
|
||||
- JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
|
||||
- JDK-8195703: BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2'
|
||||
- JDK-8196096: javax/swing/JPopupMenu/6580930/bug6580930.java fails
|
||||
- JDK-8197560: test javax/swing/JTree/8003400/Test8003400.java fails
|
||||
- JDK-8197800: Test java/awt/Focus/NonFocusableWindowTest/NoEventsTest.java fails on Windows
|
||||
- JDK-8197811: Test java/awt/Choice/PopupPosTest/PopupPosTest.java fails on Windows
|
||||
- JDK-8198616: java/awt/Focus/6378278/InputVerifierTest.java fails on mac
|
||||
- JDK-8198617: java/awt/Focus/6382144/EndlessLoopTest.java fails on mac
|
||||
- JDK-8198619: java/awt/Focus/FocusTraversalPolicy/ButtonGroupLayoutTraversal/ButtonGroupLayoutTraversalTest.java fails on mac
|
||||
- JDK-8198623: java/awt/KeyboardFocusmanager/TypeAhead/EnqueueWithDialogButtonTest/EnqueueWithDialogButtonTest.java fails on mac
|
||||
- JDK-8198624: java/awt/KeyboardFocusmanager/TypeAhead/SubMenuShowTest/SubMenuShowTest.html fails on mac
|
||||
- JDK-8199138: Add RISC-V support to Zero
|
||||
- JDK-8199529: javax/swing/text/Utilities/8142966/SwingFontMetricsTest.java fails on windows
|
||||
- JDK-8201224: Make string buffer size dynamic in mlvmJvmtiUtils.c
|
||||
- JDK-8202342: [Graal] fromTonga/nsk/jvmti/unit/FollowReferences/followref003/TestDescription.java fails with "Location mismatch" errors
|
||||
- JDK-8204161: [TESTBUG] auto failed with the "Applet thread threw exception: java.lang.UnsupportedOperationException" exception
|
||||
- JDK-8206085: Refactor langtools/tools/javac/versions/Versions.java
|
||||
- JDK-8207936: TestZipFile failed with java.lang.AssertionError exception
|
||||
- JDK-8208242: Add @requires to vmTestbase/gc/g1 tests
|
||||
- JDK-8209611: use C++ compiler for hotspot tests
|
||||
- JDK-8210182: Remove macros for C compilation from vmTestBase but non jvmti
|
||||
- JDK-8210198: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[A-F] tests
|
||||
- JDK-8210205: build fails on AIX in hotspot cpp tests (for example getstacktr001.cpp)
|
||||
- JDK-8210242: [TESTBUG] vmTestbase/nsk/stress/jni/jnistress001.java crashes with EXCEPTION_ACCESS_VIOLATION on windows-x86
|
||||
- JDK-8210353: Move java/util/Arrays/TimSortStackSize2.java back to tier1
|
||||
- JDK-8210385: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[A-N] tests
|
||||
- JDK-8210392: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
|
||||
- JDK-8210395: Add doc to SecurityTools.java
|
||||
- JDK-8210429: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[G-Z] tests
|
||||
- JDK-8210481: Remove #ifdef cplusplus from vmTestbase
|
||||
- JDK-8210593: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[N-R] tests
|
||||
- JDK-8210665: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[R-U] tests
|
||||
- JDK-8210689: Remove the multi-line old C style for string literals
|
||||
- JDK-8210700: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti/unit tests
|
||||
- JDK-8210726: Fix up a few minor nits forgotten by JDK-8210665
|
||||
- JDK-8210920: Native C++ tests are not using CXXFLAGS
|
||||
- JDK-8210984: [TESTBUG] hs203t003 fails with "# ERROR: hs203t003.cpp, 218: NSK_CPP_STUB2 ( ResumeThread, jvmti, thread)"
|
||||
- JDK-8211036: Remove the NSK_STUB macros from vmTestbase for non jvmti
|
||||
- JDK-8211131: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[G-I]*
|
||||
- JDK-8211148: var in implicit lambdas shouldn't be accepted for source < 11
|
||||
- JDK-8211171: move JarUtils to top-level testlibrary
|
||||
- JDK-8211227: Inconsistent TLS protocol version in debug output
|
||||
- JDK-8211261: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[A-G]*
|
||||
- JDK-8211432: [REDO] Handle JNIGlobalRefLocker.cpp
|
||||
- JDK-8211782: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[I-S]*
|
||||
- JDK-8211801: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[A-E]
|
||||
- JDK-8211899: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[E-M]
|
||||
- JDK-8211905: Remove multiple casts for EM06 file
|
||||
- JDK-8211999: Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI)
|
||||
- JDK-8212082: Remove the NSK_CPP_STUB macros for remaining vmTestbase/jvmti/[sS]*
|
||||
- JDK-8212083: Handle remaining gc/lock native code and fix two strings
|
||||
- JDK-8212148: Remove remaining NSK_CPP_STUBs
|
||||
- JDK-8213110: Remove the use of applets in automatic tests
|
||||
- JDK-8213189: Make restricted headers in HTTP Client configurable and remove Date by default
|
||||
- JDK-8213263: fix legal headers in test/langtools
|
||||
- JDK-8213296: Fix legal headers in test/jdk/java/net
|
||||
- JDK-8213301: Fix legal headers in jdk logging tests
|
||||
- JDK-8213305: Fix legal headers in test/java/math
|
||||
- JDK-8213306: Fix legal headers in test/java/nio
|
||||
- JDK-8213328: Update test copyrights in test/java/util/zip and test/jdk/tools
|
||||
- JDK-8213330: Fix legal headers in i18n tests
|
||||
- JDK-8213707: [TEST] vmTestbase/nsk/stress/except/except011.java failed due to wrong class name
|
||||
- JDK-8214469: [macos] PIT: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.java fails
|
||||
- JDK-8215410: Regression test for JDK-8214994
|
||||
- JDK-8215568: Refactor SA clhsdb tests to use ClhsdbLauncher
|
||||
- JDK-8215624: Add parallel heap iteration for jmap –histo
|
||||
- JDK-8215889: assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC
|
||||
- JDK-8216318: The usage of Disposer in the java.awt.Robot can be deleted
|
||||
- JDK-8216417: cleanup of IPv6 scope-id handling
|
||||
- JDK-8217377: javax/swing/JPopupMenu/6583251/bug6583251.java failed with UnsupportedOperation exception
|
||||
- JDK-8217438: Adapt tools//launcher/Test7029048.java for AIX
|
||||
- JDK-8217633: Configurable extensions with system properties
|
||||
- JDK-8217882: java/net/httpclient/MaxStreams.java failed once
|
||||
- JDK-8217903: java/net/httpclient/Response204.java fails with 404
|
||||
- JDK-8218483: Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5"
|
||||
- JDK-8219986: Change to Xcode 10.1 for building on Macosx at Oracle
|
||||
- JDK-8220575: Correctly format test URI's that contain a retrieved IPv6 address
|
||||
- JDK-8221259: New tests for java.net.Socket to exercise long standing behavior
|
||||
- JDK-8221305: java/awt/FontMetrics/MaxAdvanceIsMax.java fails on MacOS + Solaris
|
||||
- JDK-8221902: PIT: javax/swing/JRadioButton/FocusTraversal/FocusTraversal.java fails on ubuntu
|
||||
- JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
|
||||
- JDK-8222446: assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ
|
||||
- JDK-8223137: Rename predicate 'do_unroll_only()' to 'is_unroll_only()'.
|
||||
- JDK-8223138: Small clean-up in loop-tree support.
|
||||
- JDK-8223139: Rename mandatory policy-do routines.
|
||||
- JDK-8223140: Clean-up in 'ok_to_convert()'
|
||||
- JDK-8223141: Change (count) suffix _ct into _cnt.
|
||||
- JDK-8223400: Replace some enums with static const members in hotspot/runtime
|
||||
- JDK-8223658: Performance regression of XML.validation in 13-b19
|
||||
- JDK-8223923: C2: Missing interference with mismatched unsafe accesses
|
||||
- JDK-8224829: AsyncSSLSocketClose.java has timing issue
|
||||
- JDK-8225083: Remove Google certificate that is expiring in December 2021
|
||||
- JDK-8226514: Replace wildcard address with loopback or local host in tests - part 17
|
||||
- JDK-8226943: compile error in libfollowref003.cpp with XCode 10.2 on macosx
|
||||
- JDK-8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine"
|
||||
- JDK-8228508: [TESTBUG] java/net/httpclient/SmokeTest.java fails on Windows7
|
||||
- JDK-8229935: [TEST_BUG]: bug8132119.java inconsistently positions text
|
||||
- JDK-8230019: [REDO] compiler/types/correctness/* tests fail with "assert(recv == __null || recv->is_klass()) failed: wrong type"
|
||||
- JDK-8230067: Add optional automatic retry when running jtreg tests
|
||||
- JDK-8230228: [TESTBUG] Several runtime/ErrorHandling tests may fail on some platforms
|
||||
- JDK-8231501: VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99
|
||||
- JDK-8233403: Improve verbosity of some httpclient tests
|
||||
- JDK-8233550: [TESTBUG] JTree tests fail regularly on MacOS
|
||||
- JDK-8233552: [TESTBUG] JTable Test bug7068740.java fails on MacOS
|
||||
- JDK-8233553: [TESTBUG] JSpinner test bug4973721.java fails on MacOS
|
||||
- JDK-8233555: [TESTBUG] JRadioButton tests failing on MacoS
|
||||
- JDK-8233556: [TESTBUG] JPopupMenu tests fail on MacOS
|
||||
- JDK-8233559: [TESTBUG] TestNimbusOverride.java is failing on macos
|
||||
- JDK-8233560: [TESTBUG] ToolTipManager/Test6256140.java is failing on macos
|
||||
- JDK-8233561: [TESTBUG] Swing text test bug8014863.java fails on macos
|
||||
- JDK-8233562: [TESTBUG] Swing StyledEditorKit test bug4506788.java fails on MacOS
|
||||
- JDK-8233564: [TESTBUG] MouseComboBoxTest.java is failing
|
||||
- JDK-8233566: [TESTBUG] KeyboardFocusManager tests failing on MacoS
|
||||
- JDK-8233567: [TESTBUG] FocusSubRequestTest.java fails on macos
|
||||
- JDK-8233569: [TESTBUG] JTextComponent test bug6361367.java fails on macos
|
||||
- JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos
|
||||
- JDK-8233634: [TESTBUG] Swing text test bug4278839.java fails on macos
|
||||
- JDK-8233635: [TESTBUG] ProgressMonitorEscapeKeyPress.java fails on macos
|
||||
- JDK-8233637: [TESTBUG] Swing ActionListenerCalledTwiceTest.java fails on macos
|
||||
- JDK-8233638: [TESTBUG] Swing test ScreenMenuBarInputTwice.java fails on macos
|
||||
- JDK-8233641: [TESTBUG] JMenuItem test bug4171437.java fails on macos
|
||||
- JDK-8233642: [TESTBUG] JMenuBar test bug 4750590.java fails on macos
|
||||
- JDK-8233643: [TESTBUG] JMenu test bug4515762.java fails on macos
|
||||
- JDK-8233644: [TESTBUG] JInternalFrame test bug8020708.java is failing on macos
|
||||
- JDK-8233647: [TESTBUG] JColorChooser/Test8051548.java is failing on macos
|
||||
- JDK-8234802: [TESTBUG] Test Right Mouse Button Drag Gesture Recognition in all the platforms
|
||||
- JDK-8234823: java/net/Socket/Timeouts.java testcase testTimedConnect2() fails on Windows 10
|
||||
- JDK-8235784: java/lang/invoke/VarHandles/VarHandleTestByteArrayAsInt.java fails due to timeout with fastdebug bits
|
||||
- JDK-8236042: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -Xcomp -XX:TieredStopAtLevel=1
|
||||
- JDK-8236177: assert(status == 0) failed: error ETIMEDOUT(60), cond_wait
|
||||
- JDK-8236596: HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel
|
||||
- JDK-8237354: Add option to jcmd to write a gzipped heap dump
|
||||
- JDK-8237589: Fix copyright header formatting
|
||||
- JDK-8238677: java/net/httpclient/ssltest/CertificateTest.java should not specify TLS version
|
||||
- JDK-8239334: Tab Size does not work correctly in JTextArea with setLineWrap on
|
||||
- JDK-8239422: [TESTBUG] compiler/c1/TestPrintIRDuringConstruction.java failed when C1 is disabled
|
||||
- JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual
|
||||
- JDK-8240256: Better resource cleaning for SunPKCS11 Provider
|
||||
- JDK-8242044: Add basic HTTP/1.1 support to the HTTP/2 Test Server
|
||||
- JDK-8242526: PIT: javax/swing/JInternalFrame/8020708/bug8020708.java fails in mach5 ubuntu system
|
||||
- JDK-8242793: Incorrect copyright header in ContinuousCallSiteTargetChange.java
|
||||
- JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
|
||||
- JDK-8244292: Headful clients failing with --illegal-access=deny
|
||||
- JDK-8245147: Refactor and improve utility of test/langtools/tools/javac/versions/Versions.java
|
||||
- JDK-8245165: Update bug id for javax/swing/text/StyledEditorKit/4506788/bug4506788.java in ProblemList
|
||||
- JDK-8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA
|
||||
- JDK-8246114: java/net/MulticastSocket/Promiscuous.java fails after 8241072 (multi-homed systems)
|
||||
- JDK-8246807: Incorrect copyright header in TimeZoneDatePermissionCheck.sh
|
||||
- JDK-8247403: JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder
|
||||
- JDK-8247510: typo in IllegalHandshakeMessage
|
||||
- JDK-8248187: [TESTBUG] javax/swing/plaf/basic/BasicGraphicsUtils/8132119/bug8132119.java fails with String is not properly drawn
|
||||
- JDK-8248341: ProblemList java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java
|
||||
- JDK-8248500: AArch64: Remove the r18 dependency on Windows AArch64
|
||||
- JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
|
||||
- JDK-8249195: Change to Xcode 11.3.1 for building on Macos at Oracle
|
||||
- JDK-8250521: Configure initial RTO to use minimal retry for loopback connections on Windows
|
||||
- JDK-8250810: Push missing parts of JDK-8248817
|
||||
- JDK-8250839: Improve test template SSLEngineTemplate with SSLContextTemplate
|
||||
- JDK-8250863: Build error with GCC 10 in NetworkInterface.c and k_standard.c
|
||||
- JDK-8250888: nsk/jvmti/scenarios/general_functions/GF08/gf08t001/TestDriver.java fails
|
||||
- JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits
|
||||
- JDK-8251377: [macos11] JTabbedPane selected tab text is barely legible
|
||||
- JDK-8251570: JDK-8215624 causes assert(worker_id < _n_workers) failed: Invalid worker_id
|
||||
- JDK-8251930: AArch64: Native types mismatch in hotspot
|
||||
- JDK-8252049: Native memory leak in ciMethodData ctor
|
||||
- JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly
|
||||
- JDK-8252114: Windows-AArch64: Enable and test ZGC and ShenandoahGC
|
||||
- JDK-8253015: Aarch64: Move linux code out from generic CPU feature detection
|
||||
- JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens
|
||||
- JDK-8253497: Core Libs Terminology Refresh
|
||||
- JDK-8253682: The AppletInitialFocusTest1.java is unstable
|
||||
- JDK-8253763: ParallelObjectIterator should have virtual destructor
|
||||
- JDK-8253866: Security Libs Terminology Refresh
|
||||
- JDK-8254802: ThrowingPushPromisesAsStringCustom.java fails in "try throwing in GET_BODY"
|
||||
- JDK-8255227: java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface
|
||||
- JDK-8255264: Support for identifying the full range of IPv4 localhost addresses on Windows
|
||||
- JDK-8255716: AArch64: Regression: JVM crashes if manually offline a core
|
||||
- JDK-8255722: Create a new test for rotated blit
|
||||
- JDK-8256009: Remove src/hotspot/share/adlc/Test/i486.ad
|
||||
- JDK-8256066: Tests use deprecated TestNG API that is no longer available in new versions
|
||||
- JDK-8256152: tests fail because of ambiguous method resolution
|
||||
- JDK-8256182: Update qemu-debootstrap cross-compilation recipe
|
||||
- JDK-8256201: java/awt/FullScreen/FullscreenWindowProps/FullscreenWindowProps.java failed
|
||||
- JDK-8256202: Some tweaks for jarsigner tests PosixPermissionsTest and SymLinkTest
|
||||
- JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font
|
||||
- JDK-8256956: RegisterImpl::max_slots_per_register is incorrect on AMD64
|
||||
- JDK-8258457: testlibrary_tests/ctw/JarDirTest.java fails with InvalidPathException on windows
|
||||
- JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3
|
||||
- JDK-8259237: Demo selection changes with left/right arrow key. No need to press space for selection.
|
||||
- JDK-8260571: Add PrintMetaspaceStatistics to print metaspace statistics upon VM exit
|
||||
- JDK-8260690: JConsole User Guide Link from the Help menu is not accessible by keyboard
|
||||
- JDK-8261036: Reduce classes loaded by CleanerFactory initialization
|
||||
- JDK-8261071: AArch64: Refactor interpreter native wrappers
|
||||
- JDK-8261075: Create stubRoutines.inline.hpp with SafeFetch implementation
|
||||
- JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
|
||||
- JDK-8261297: NMT: Final report should use scale 1
|
||||
- JDK-8261661: gc/stress/TestReclaimStringsLeaksMemory.java fails because Reserved memory size is too big
|
||||
- JDK-8261916: gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed
|
||||
- JDK-8262438: sun/security/ssl/SSLLogger/LoggingFormatConsistency.java failed with "SocketException: Socket is closed"
|
||||
- JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
|
||||
- JDK-8262844: (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3
|
||||
- JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
|
||||
- JDK-8263068: Rename safefetch.hpp to safefetch.inline.hpp
|
||||
- JDK-8263303: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
|
||||
- JDK-8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify
|
||||
- JDK-8263773: Reenable German localization for builds at Oracle
|
||||
- JDK-8263897: compiler/c2/aarch64/TestVolatilesSerial.java failed with "java.lang.RuntimeException: Wrong method"
|
||||
- JDK-8264526: javax/swing/text/html/parser/Parser/8078268/bug8078268.java timeout
|
||||
- JDK-8264824: java/net/Inet6Address/B6206527.java doesn't close ServerSocket properly
|
||||
- JDK-8265019: Update tests for additional TestNG test permissions
|
||||
- JDK-8265173: [test] divert spurious log output away from stream under test in ProcessBuilder Basic test
|
||||
- JDK-8265524: Upgrading JSZip from v3.2.2 to v3.6.0
|
||||
- JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
|
||||
- JDK-8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java
|
||||
- JDK-8266949: Check possibility to disable OperationTimedOut on Unix
|
||||
- JDK-8267246: -XX:MaxRAMPercentage=0 is unreasonable for jtreg tests on many-core machines
|
||||
- JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
|
||||
- JDK-8267304: Bump global JTReg memory limit to 768m
|
||||
- JDK-8267652: c2 loop unrolling by 8 results in reading memory past array
|
||||
- JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected
|
||||
- JDK-8268093: Manual Testcase: "sun/security/krb5/config/native/TestDynamicStore.java" Fails with NPE
|
||||
- JDK-8268555: Update HttpClient tests that use ITestContext to jtreg 6+1
|
||||
- JDK-8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only
|
||||
- JDK-8269034: AccessControlException for SunPKCS11 daemon threads
|
||||
- JDK-8269426: Rename test/jdk/java/lang/invoke/t8150782 to accessClassAndFindClass
|
||||
- JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
|
||||
- JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
|
||||
- JDK-8269768: JFR Terminology Refresh
|
||||
- JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
|
||||
- JDK-8269984: [macos] JTabbedPane title looks like disabled
|
||||
- JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags
|
||||
- JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
|
||||
- JDK-8270216: [macOS] Update named used for Java run loop mode
|
||||
- JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
|
||||
- JDK-8270290: NTLM authentication fails if HEAD request is used
|
||||
- JDK-8270317: Large Allocation in CipherSuite
|
||||
- JDK-8270344: Session resumption errors
|
||||
- JDK-8270517: Add Zero support for LoongArch
|
||||
- JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
|
||||
- JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
|
||||
- JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
|
||||
- JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
|
||||
- JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
|
||||
- JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
|
||||
- JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
|
||||
- JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine"
|
||||
- JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
|
||||
- JDK-8272180: Upgrade JSZip from v3.6.0 to v3.7.1
|
||||
- JDK-8272181: Windows-AArch64:Backport fix of `Backtracing broken on PAC enabled systems`
|
||||
- JDK-8272316: Wrong Boot JDK help message in 11
|
||||
- JDK-8272318: Improve performance of HeapDumpAllTest
|
||||
- JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
|
||||
- JDK-8272570: C2: crash in PhaseCFG::global_code_motion
|
||||
- JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late
|
||||
- JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182
|
||||
- JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
|
||||
- JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
|
||||
- JDK-8272783: Epsilon: Refactor tests to improve performance
|
||||
- JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
|
||||
- JDK-8272828: Add correct licenses to jszip.md
|
||||
- JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests
|
||||
- JDK-8272850: Drop zapping values in the Zap* option descriptions
|
||||
- JDK-8272902: Bump update version for OpenJDK: jdk-11.0.14
|
||||
- JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups
|
||||
- JDK-8272966: test/jdk/java/awt/Robot/FlushCurrentEvent.java fails by timeout
|
||||
- JDK-8273026: Slow LoginContext.login() on multi threading application
|
||||
- JDK-8273229: Update OS detection code to recognize Windows Server 2022
|
||||
- JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit
|
||||
- JDK-8273308: PatternMatchTest.java fails on CI
|
||||
- JDK-8273314: Add tier4 test groups
|
||||
- JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
|
||||
- JDK-8273358: macOS Monterey does not have the font Times needed by Serif
|
||||
- JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero
|
||||
- JDK-8273498: compiler/c2/Test7179138_1.java timed out
|
||||
- JDK-8273541: Cleaner Thread creates with normal priority instead of MAX_PRIORITY - 2
|
||||
- JDK-8273547: [11u] [JVMCI] Partial module-info.java backport of JDK-8223332
|
||||
- JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch
|
||||
- JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
|
||||
- JDK-8273671: Backport of 8260616 misses one JNF header inclusion removal
|
||||
- JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem
|
||||
- JDK-8273795: Zero SPARC64 debug builds fail due to missing interpreter fields
|
||||
- JDK-8273826: Correct Manifest file name and NPE checks
|
||||
- JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral
|
||||
- JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
|
||||
- JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character
|
||||
- JDK-8273968: JCK javax_xml tests fail in CI
|
||||
- JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
|
||||
- JDK-8274083: Update testing docs to mention tiered testing
|
||||
- JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated
|
||||
- JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
|
||||
- JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern
|
||||
- JDK-8274381: missing CAccessibility definitions in JNI code
|
||||
- JDK-8274407: (tz) Update Timezone Data to 2021c
|
||||
- JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
|
||||
- JDK-8274468: TimeZoneTest.java fails with tzdata2021b
|
||||
- JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah
|
||||
- JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287
|
||||
- JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform
|
||||
- JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
|
||||
- JDK-8274840: Update OS detection code to recognize Windows 11
|
||||
- JDK-8274860: gcc 10.2.1 produces an uninitialized warning in sharedRuntimeTrig.cpp
|
||||
- JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag
|
||||
- JDK-8275131: Exceptions after a touchpad gesture on macOS
|
||||
- JDK-8275713: TestDockerMemoryMetrics test fails on recent runc
|
||||
- JDK-8275766: (tz) Update Timezone Data to 2021e
|
||||
- JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
|
||||
- JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance
|
||||
- JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
|
||||
- JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32
|
||||
- JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point
|
||||
- JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
|
||||
- JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
|
||||
- JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
|
||||
- JDK-8276854: Windows GHA builds fail due to broken Cygwin
|
||||
- JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes
|
||||
- JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
|
||||
- JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint
|
||||
- JDK-8277815: Fix mistakes in legal header backports
|
||||
|
||||
Notes on individual issues:
|
||||
===========================
|
||||
|
||||
core-svc/tools:
|
||||
|
||||
JDK-8250554: New Option Added to jcmd for Writing a gzipped Heap Dump
|
||||
=====================================================================
|
||||
A new integer option `gz` has been added to the `GC.heap_dump`
|
||||
diagnostic command. If it is specified, it will enable the gzip
|
||||
compression of the written heap dump. The supplied value is the
|
||||
compression level. It can range from 1 (fastest) to 9 (slowest, but
|
||||
best compression). The recommended level is 1.
|
||||
|
||||
security-libs/javax.net.ssl:
|
||||
|
||||
JDK-8260310: Configurable Extensions With System Properties
|
||||
===========================================================
|
||||
Two new system properties have been added. The system property,
|
||||
`jdk.tls.client.disableExtensions`, is used to disable TLS extensions
|
||||
used in the client. The system property,
|
||||
`jdk.tls.server.disableExtensions`, is used to disable TLS extensions
|
||||
used in the server. If an extension is disabled, it will be neither
|
||||
produced nor processed in the handshake messages.
|
||||
|
||||
The property string is a list of comma separated standard TLS
|
||||
extension names, as registered in the IANA documentation (for example,
|
||||
server_name, status_request, and signature_algorithms_cert). Note that
|
||||
the extension names are case sensitive. Unknown, unsupported,
|
||||
misspelled and duplicated TLS extension name tokens will be ignored.
|
||||
|
||||
Please note that the impact of blocking TLS extensions is
|
||||
complicated. For example, a TLS connection may not be able to be
|
||||
established if a mandatory extension is disabled. Please do not
|
||||
disable mandatory extensions, and do not use this feature unless you
|
||||
clearly understand the impact.
|
||||
|
||||
security-libs/javax.crypto:pkcs11:
|
||||
|
||||
JDK-8272907: New SunPKCS11 Configuration Properties
|
||||
===================================================
|
||||
The SunPKCS11 provider gains new provider configuration attributes to
|
||||
better control native resources usage. The SunPKCS11 provider consumes
|
||||
native resources in order to work with native PKCS11 libraries. To
|
||||
manage and better control the native resources, additional
|
||||
configuration attributes are added to control the frequency of
|
||||
clearing native references as well as whether to destroy the
|
||||
underlying PKCS11 Token after logout.
|
||||
|
||||
The 3 new attributes for the SunPKCS11 provider configuration file
|
||||
are:
|
||||
|
||||
1) `destroyTokenAfterLogout` (boolean, defaults to false)
|
||||
|
||||
If set to true, when `java.security.AuthProvider.logout()` is called
|
||||
upon the SunPKCS11 provider instance, the underlying Token object will
|
||||
be destroyed and resources will be freed. This essentially renders the
|
||||
SunPKCS11 provider instance unusable after `logout()` calls. Note that
|
||||
a PKCS11 provider with this attribute set to `true` should not be
|
||||
added to the system provider list since the provider object is not
|
||||
usable after a `logout()` method call.
|
||||
|
||||
2) `cleaner.shortInterval` (integer, defaults to 2000, in milliseconds)
|
||||
|
||||
This defines the frequency for clearing native references during busy
|
||||
periods (such as, how often should the cleaner thread processes the
|
||||
no-longer-needed native references in the queue to free up native
|
||||
memory). Note that the cleaner thread will switch to the
|
||||
'longInterval' frequency after 200 failed tries (such as, when no
|
||||
references are found in the queue).
|
||||
|
||||
3) `cleaner.longInterval` (integer, defaults to 60000, in milliseconds)
|
||||
|
||||
This defines the frequency for checking native reference during
|
||||
non-busy period (such as, how often should the cleaner thread check
|
||||
the queue for native references). Note that the cleaner thread will
|
||||
switch back to the 'shortInterval' value if native PKCS11 references
|
||||
for cleaning are detected.
|
||||
|
||||
core-libs/java.nio:
|
||||
|
||||
JDK-8271517: Zip File System Provider Throws ZipException when entry name element contains "." or "."
|
||||
=====================================================================================================
|
||||
The ZIP file system provider has been changed to reject existing ZIP
|
||||
files that contain entries with "." or ".." in name elements. ZIP
|
||||
files with these entries can not be used as a file system. Invoking
|
||||
the `java.nio.file.FileSystems.newFileSystem(...)` methods will throw
|
||||
`ZipException` if the ZIP file contains these entries.
|
||||
|
||||
security-libs/java.security:
|
||||
|
||||
JDK-8272535: Removed Google's GlobalSign Root Certificate
|
||||
=========================================================
|
||||
The following root certificate from Google has been removed from the
|
||||
`cacerts` keystore:
|
||||
|
||||
Alias Name: globalsignr2ca [jdk]
|
||||
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
|
||||
|
||||
core-libs/java.time:
|
||||
|
||||
JDK-8274857: Update Timezone Data to 2021c
|
||||
===========================================
|
||||
IANA Time Zone Database, on which JDK's Date/Time libraries are based,
|
||||
has been updated to version 2021c
|
||||
(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
|
||||
that with this update, some of the time zone rules prior to the year
|
||||
1970 have been modified according to the changes which were introduced
|
||||
with 2021b. For more detail, refer to the announcement of 2021b
|
||||
(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
|
||||
|
||||
New in release OpenJDK 11.0.13 (2021-10-19):
|
||||
=============================================
|
||||
Live versions of these release notes can be found at:
|
||||
* https://bitly.com/openjdk11013
|
||||
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt
|
||||
|
||||
* Security fixes
|
||||
- JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference
|
||||
- JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close
|
||||
- JDK-8263314: Enhance XML Dsig modes
|
||||
- JDK-8265167, CVE-2021-35556: Richer Text Editors
|
||||
- JDK-8265574: Improve handling of sheets
|
||||
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
|
||||
- JDK-8265776: Improve Stream handling for SSL
|
||||
- JDK-8266097, CVE-2021-35561: Better hashing support
|
||||
- JDK-8266103: Better specified spec values
|
||||
- JDK-8266109: More Resilient Classloading
|
||||
- JDK-8266115: More Manifest Jar Loading
|
||||
- JDK-8266137, CVE-2021-35564: Improve Keystore integrity
|
||||
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
|
||||
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
|
||||
- JDK-8267712: Better LDAP reference processing
|
||||
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
|
||||
- JDK-8267735, CVE-2021-35586: Better BMP support
|
||||
- JDK-8268193: Improve requests of certificates
|
||||
- JDK-8268199: Correct certificate requests
|
||||
- JDK-8268205: Enhance DTLS client handshake
|
||||
- JDK-8268506: More Manifest Digests
|
||||
- JDK-8269618, CVE-2021-35603: Better session identification
|
||||
- JDK-8269624: Enhance method selection support
|
||||
- JDK-8270398: Enhance canonicalization
|
||||
- JDK-8270404: Better canonicalization
|
||||
* Other changes
|
||||
- JDK-8024368: private methods are allocated vtable indices
|
||||
- JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently
|
||||
- JDK-8140466: ChaCha20 and Poly1305 TLS Cipher Suites
|
||||
- JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream
|
||||
- JDK-8158066: SourceDebugExtensionTest fails to rename file
|
||||
- JDK-8168304: Make all of DependencyContext_test available in product mode
|
||||
- JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException
|
||||
- JDK-8181313: SA: Remove libthread_db dependency on Linux
|
||||
- JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9
|
||||
- JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException
|
||||
- JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails
|
||||
- JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received"
|
||||
- JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes
|
||||
- JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales.
|
||||
- JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed
|
||||
- JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64
|
||||
- JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration
|
||||
- JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings
|
||||
- JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test
|
||||
- JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java
|
||||
- JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java
|
||||
- JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test
|
||||
- JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test
|
||||
- JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests
|
||||
- JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests
|
||||
- JDK-8210495: compiler crashes because of illegal signature in otherwise legal code
|
||||
- JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout
|
||||
- JDK-8210802: temp files left by tests in jdk/java/net/httpclient
|
||||
- JDK-8210819: Update the host name in CNameTest.java
|
||||
- JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test
|
||||
- JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK
|
||||
- JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'.
|
||||
- JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected
|
||||
- JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up
|
||||
- JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang
|
||||
- JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up
|
||||
- JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12
|
||||
- JDK-8212695: Add explicit timeout to several HTTP Client tests
|
||||
- JDK-8212718: Refactor some annotation processor tests to better use collections
|
||||
- JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java
|
||||
- JDK-8213137: Remove static initialization of monitor/mutex instances
|
||||
- JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit
|
||||
- JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests
|
||||
- JDK-8213576: Make test AsyncCloseChannel.java run in othervm
|
||||
- JDK-8213694: Test Timeout.java should run in othervm mode
|
||||
- JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003
|
||||
- JDK-8213922: fix ctw stand-alone build
|
||||
- JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java
|
||||
- JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order
|
||||
- JDK-8214937: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date
|
||||
- JDK-8216532: tools/launcher/Test7029048.java fails (Solaris)
|
||||
- JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests
|
||||
- JDK-8218145: block_if_requested is not proper inlined due to size
|
||||
- JDK-8219417: bump jtreg requiredVersion to b14
|
||||
- JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/
|
||||
- JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
|
||||
- JDK-8220445: Support for side by side MSVC Toolset versions
|
||||
- JDK-8221988: add possibility to build with Visual Studio 2019
|
||||
- JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail
|
||||
- JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods
|
||||
- JDK-8224853: CDS address sanitizer errors
|
||||
- JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
|
||||
- JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions
|
||||
- JDK-8225690: Multiple AttachListener threads can be created
|
||||
- JDK-8225790: Two NestedDialogs tests fail on Ubuntu
|
||||
- JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java
|
||||
- JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly
|
||||
- JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK
|
||||
- JDK-8226683: Remove review suggestion from fix to 8219804
|
||||
- JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134"
|
||||
- JDK-8227766: CheckUnhandledOops is broken in MemAllocator
|
||||
- JDK-8227815: Minimal VM: set_state is not a member of AttachListener
|
||||
- JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes
|
||||
- JDK-8230808: Remove Access::equals()
|
||||
- JDK-8230841: Remove oopDesc::equals()
|
||||
- JDK-8231717: Improve performance of charset decoding when charset is always compactable
|
||||
- JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100%
|
||||
- JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64)
|
||||
- JDK-8233790: Forward output from heap dumper to jcmd/jmap
|
||||
- JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java
|
||||
- JDK-8234510: Remove file seeking requirement for writing a heap dump
|
||||
- JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
|
||||
- JDK-8235216: typo in test filename
|
||||
- JDK-8235866: bump jtreg requiredVersion to 4.2b16
|
||||
- JDK-8236111: narrow allowSmartActionArgs disabling
|
||||
- JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException
|
||||
- JDK-8236671: NullPointerException in JKS keystore
|
||||
- JDK-8238930: problem list compiler/c2/Test8004741.java
|
||||
- JDK-8238943: switch to jtreg 5.0
|
||||
- JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test
|
||||
- JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files
|
||||
- JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration
|
||||
- JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler
|
||||
- JDK-8241768: git needs .gitattributes
|
||||
- JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException
|
||||
- JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty"
|
||||
- JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases
|
||||
- JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]"
|
||||
- JDK-8246387: switch to jtreg 5.1
|
||||
- JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob
|
||||
- JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
|
||||
- JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open
|
||||
- JDK-8248403: AArch64: Remove uses of kernel integer types
|
||||
- JDK-8248414: AArch64: Remove uses of long and unsigned long ints
|
||||
- JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model
|
||||
- JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread
|
||||
- JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC
|
||||
- JDK-8248671: AArch64: Remove unused variables
|
||||
- JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper
|
||||
- JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply
|
||||
- JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows
|
||||
- JDK-8249548: backward focus traversal gets stuck in button group
|
||||
- JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference
|
||||
- JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id
|
||||
- JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id
|
||||
- JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id
|
||||
- JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call
|
||||
- JDK-8250824: AArch64: follow up for JDK-8248414
|
||||
- JDK-8251166: Add automated testcases for changes done in JDK-8214112
|
||||
- JDK-8251252: Add automated testcase for fix done in JDK-8214253
|
||||
- JDK-8251254: Add automated test for fix done in JDK-8218472
|
||||
- JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test
|
||||
- JDK-8251549: Update docs on building for Git
|
||||
- JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports()
|
||||
- JDK-8252194: Add automated test for fix done in JDK-8218469
|
||||
- JDK-8252648: Shenandoah: name gang tasks consistently
|
||||
- JDK-8252825: Add automated test for fix done in JDK-8218479
|
||||
- JDK-8252853: AArch64: gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1
|
||||
- JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent
|
||||
- JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller
|
||||
- JDK-8253424: Add support for running pre-submit testing using GitHub Actions
|
||||
- JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165
|
||||
- JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably
|
||||
- JDK-8253899: Make IsClassUnloadingEnabled signature match specification
|
||||
- JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image
|
||||
- JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command
|
||||
- JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow
|
||||
- JDK-8254175: Build no-pch configuration in debug mode for submit checks
|
||||
- JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation
|
||||
- JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c
|
||||
- JDK-8254282: Add Linux x86_32 builds to submit workflow
|
||||
- JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments
|
||||
- JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1
|
||||
- JDK-8255305: Add Linux x86_32 tier1 to submit workflow
|
||||
- JDK-8255352: Archive important test outputs in submit workflow
|
||||
- JDK-8255373: Submit workflow artifact name is always "test-results_.zip"
|
||||
- JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop
|
||||
- JDK-8255718: Zero: VM should know it runs in interpreter-only mode
|
||||
- JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux
|
||||
- JDK-8255810: Zero: build fails without JVMTI
|
||||
- JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch
|
||||
- JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow
|
||||
- JDK-8256215: Shenandoah: re-organize saving/restoring machine state in assembler code
|
||||
- JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE
|
||||
- JDK-8256277: Github Action build on macOS should define OS and Xcode versions
|
||||
- JDK-8256354: Github Action build on Windows should define OS and MSVC versions
|
||||
- JDK-8256393: Github Actions build on Linux should define OS and GCC versions
|
||||
- JDK-8256414: add optimized build to submit workflow
|
||||
- JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing
|
||||
- JDK-8257056: Submit workflow should apt-get update to avoid package installation errors
|
||||
- JDK-8257148: Remove obsolete code in AWTView.m
|
||||
- JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280
|
||||
- JDK-8257620: Do not use objc_msgSend_stret to get macOS version
|
||||
- JDK-8257913: Add more known library locations to simplify Linux cross-compilation
|
||||
- JDK-8258703: Incorrect 512-bit vector registers restore on x86_32
|
||||
- JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test
|
||||
- JDK-8259535: ECDSA SignatureValue do not always have the specified length
|
||||
- JDK-8259679: GitHub actions should use MSVC 14.28
|
||||
- JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386"
|
||||
- JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386"
|
||||
- JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
|
||||
- JDK-8260923: Add more tests for SSLSocket input/output shutdown
|
||||
- JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention
|
||||
- JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions
|
||||
- JDK-8261238: NMT should not limit baselining by size threshold
|
||||
- JDK-8261496: Shenandoah: reconsider pacing updates memory ordering
|
||||
- JDK-8261652: Remove some dead comments from os_bsd_x86
|
||||
- JDK-8261846: [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream
|
||||
- JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
|
||||
- JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info.
|
||||
- JDK-8262392: Update Mesa 3-D Headers to version 21.0.3
|
||||
- JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception"
|
||||
- JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows
|
||||
- JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java
|
||||
- JDK-8263136: C4530 was reported from VS 2019 at access bridge
|
||||
- JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block
|
||||
- JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers"
|
||||
- JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X)
|
||||
- JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems
|
||||
- JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod
|
||||
- JDK-8263531: Remove unused buffer int
|
||||
- JDK-8263667: Avoid running GitHub actions on branches named pr/*
|
||||
- JDK-8263776: [JVMCI] add helper to perform Java upcalls
|
||||
- JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI
|
||||
- JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M
|
||||
- JDK-8265132: C2 compilation fails with assert "missing precedence edge"
|
||||
- JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821
|
||||
- JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description
|
||||
- JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter
|
||||
- JDK-8265761: Font with missed font family name is not properly printed on Windows
|
||||
- JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API
|
||||
- JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
|
||||
- JDK-8266018: Shenandoah: fix an incorrect assert
|
||||
- JDK-8266206: Build failure after JDK-8264752 with older GCCs
|
||||
- JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
|
||||
- JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong
|
||||
- JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report
|
||||
- JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation
|
||||
- JDK-8266615: C2 incorrectly folds subtype checks involving an interface array
|
||||
- JDK-8266642: Improve ResolvedMethodTable hash function
|
||||
- JDK-8266749: AArch64: Backtracing broken on PAC enabled systems
|
||||
- JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted
|
||||
- JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress
|
||||
- JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header
|
||||
- JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes
|
||||
- JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance
|
||||
- JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion
|
||||
- JDK-8267424: CTW: C1 fails with "State must not be null"
|
||||
- JDK-8267459: Pasting Unicode characters into JShell does not work.
|
||||
- JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
|
||||
- JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
|
||||
- JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13
|
||||
- JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID
|
||||
- JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly
|
||||
- JDK-8268103: JNI functions incorrectly return a double after JDK-8265836
|
||||
- JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size
|
||||
- JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
|
||||
- JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code
|
||||
- JDK-8268360: Missing check for infinite loop during node placement
|
||||
- JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop
|
||||
- JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan
|
||||
- JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check
|
||||
- JDK-8268417: Add test from JDK-8268360
|
||||
- JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
|
||||
- JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE
|
||||
- JDK-8268620: InfiniteLoopException test may fail on x86 platforms
|
||||
- JDK-8268635: Corrupt oop in ClassLoaderData
|
||||
- JDK-8268699: Shenandoah: Add test for JDK-8268127
|
||||
- JDK-8268771: javadoc -notimestamp option does not work on index.html
|
||||
- JDK-8268775: Password is being converted to String in AccessibleJPasswordField
|
||||
- JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag
|
||||
- JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server
|
||||
- JDK-8269304: Regression ~5% in 2005 in b27
|
||||
- JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u
|
||||
- JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
|
||||
- JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in Windows debug build
|
||||
- JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark
|
||||
- JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation
|
||||
- JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string
|
||||
- JDK-8269661: JNI_GetStringCritical does not lock char array
|
||||
- JDK-8269668: [aarch64] java.library.path not including /usr/lib64
|
||||
- JDK-8269763: The JEditorPane is blank after JDK-8265167
|
||||
- JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV
|
||||
- JDK-8269847: JDK-8269594 backport breaks 11u builds
|
||||
- JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
|
||||
- JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
|
||||
- JDK-8269882: stack-use-after-scope in NewObjectA
|
||||
- JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
|
||||
- JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
|
||||
- JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
|
||||
- JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas
|
||||
- JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas
|
||||
- JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA
|
||||
- JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
|
||||
- JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies
|
||||
- JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
|
||||
- JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
|
||||
- JDK-8272197: Update 11u GHA workflow with Shenandoah configurations
|
||||
- JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
|
||||
- JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
|
||||
- JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
|
||||
- JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32
|
||||
- JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
|
||||
- JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u
|
||||
- JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp
|
||||
|
||||
Notes on individual issues:
|
||||
===========================
|
||||
|
||||
security-libs/java.security:
|
||||
|
||||
JDK-8271434: Removed IdenTrust Root Certificate
|
||||
===============================================
|
||||
The following root certificate from IdenTrust has been removed from
|
||||
the `cacerts` keystore:
|
||||
|
||||
Alias Name: identrustdstx3 [jdk]
|
||||
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
|
||||
|
||||
JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280
|
||||
=====================================================================================================
|
||||
The `gencert` command of the `keytool` utility has been updated to
|
||||
create AKID from the SKID of the issuing certificate as specified by
|
||||
RFC 5280.
|
||||
|
||||
security-libs/javax.net.ssl:
|
||||
|
||||
JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites
|
||||
====================================================
|
||||
New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have
|
||||
been added to JSSE. These cipher suites are enabled by default. The
|
||||
TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3.
|
||||
The following cipher suites are available for TLS 1.2:
|
||||
|
||||
* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
|
||||
Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for
|
||||
details on these new TLS cipher suites.
|
||||
|
||||
JDK-8219551: Updated the Default Enabled Cipher Suites Preference
|
||||
=================================================================
|
||||
The preference of the default enabled cipher suites has been
|
||||
changed. The compatibility impact should be minimal. If needed,
|
||||
applications can customize the enabled cipher suites and the
|
||||
preference. For more details, refer to the SunJSSE provider
|
||||
documentation and the JSSE Reference Guide documentation.
|
||||
|
||||
New in release OpenJDK 11.0.12 (2021-07-20):
|
||||
=============================================
|
||||
Live versions of these release notes can be found at:
|
||||
|
12
SOURCES/jdk8257794-remove_broken_assert.patch
Normal file
12
SOURCES/jdk8257794-remove_broken_assert.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
|
||||
index d18d70b5f9..30ab380e40 100644
|
||||
--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
|
||||
+++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
|
||||
@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) {
|
||||
#ifdef ASSERT
|
||||
if (istate->_msg != initialize) {
|
||||
assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit");
|
||||
- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
|
||||
}
|
||||
// Verify linkages.
|
||||
interpreterState l = istate;
|
@ -1,32 +0,0 @@
|
||||
From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
|
||||
From: Severin Gehwolf <sgehwolf@redhat.com>
|
||||
Date: Wed, 14 Jul 2021 12:06:39 +0200
|
||||
Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
|
||||
|
||||
---
|
||||
src/hotspot/os/linux/os_linux.cpp | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
|
||||
index e8baf704e3a..12b75b733b5 100644
|
||||
--- a/src/hotspot/os/linux/os_linux.cpp
|
||||
+++ b/src/hotspot/os/linux/os_linux.cpp
|
||||
@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
|
||||
// 7: The default directories, normally /lib and /usr/lib.
|
||||
#if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
|
||||
#define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
|
||||
+#else
|
||||
+#if defined(AARCH64)
|
||||
+ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
|
||||
+ // might not adhere to the FHS and it would be a change in behaviour if we used
|
||||
+ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
|
||||
+ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
|
||||
#else
|
||||
#define DEFAULT_LIBPATH "/lib:/usr/lib"
|
||||
+#endif // AARCH64
|
||||
#endif
|
||||
|
||||
// Base path of extensions installed on the system.
|
||||
--
|
||||
2.31.1
|
||||
|
26
SOURCES/jdk8275535-rh2053256-ldap_auth.patch
Normal file
26
SOURCES/jdk8275535-rh2053256-ldap_auth.patch
Normal file
@ -0,0 +1,26 @@
|
||||
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
|
||||
index 300f3682655..6f3eb6c450b 100644
|
||||
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
|
||||
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
|
||||
@@ -226,6 +226,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
|
||||
ctx = getLdapCtxFromUrl(
|
||||
r.getDomainName(), url, new LdapURL(u), env);
|
||||
return ctx;
|
||||
+ } catch (AuthenticationException e) {
|
||||
+ // do not retry on a different endpoint to avoid blocking
|
||||
+ // the user if authentication credentials are wrong.
|
||||
+ throw e;
|
||||
} catch (NamingException e) {
|
||||
// try the next element
|
||||
lastException = e;
|
||||
@@ -278,6 +282,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
|
||||
for (String u : urls) {
|
||||
try {
|
||||
return getUsingURL(u, env);
|
||||
+ } catch (AuthenticationException e) {
|
||||
+ // do not retry on a different URL to avoid blocking
|
||||
+ // the user if authentication credentials are wrong.
|
||||
+ throw e;
|
||||
} catch (NamingException e) {
|
||||
ex = e;
|
||||
}
|
@ -1,6 +1,6 @@
|
||||
name = NSS-FIPS
|
||||
nssLibraryDirectory = @NSS_LIBDIR@
|
||||
nssSecmodDirectory = @NSS_SECMOD@
|
||||
nssSecmodDirectory = sql:/etc/pki/nssdb
|
||||
nssDbMode = readOnly
|
||||
nssModule = fips
|
||||
|
||||
|
590
SOURCES/rh1991003-enable_fips_keys_import.patch
Normal file
590
SOURCES/rh1991003-enable_fips_keys_import.patch
Normal file
@ -0,0 +1,590 @@
|
||||
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
index 53f32d12cc..28ab184617 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
@@ -82,6 +82,10 @@ public final class Security {
|
||||
public boolean isSystemFipsEnabled() {
|
||||
return SystemConfigurator.isSystemFipsEnabled();
|
||||
}
|
||||
+ @Override
|
||||
+ public boolean isPlainKeySupportEnabled() {
|
||||
+ return SystemConfigurator.isPlainKeySupportEnabled();
|
||||
+ }
|
||||
});
|
||||
|
||||
// doPrivileged here because there are multiple
|
||||
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
index 5565acb7c6..874c6221eb 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -55,6 +55,7 @@ final class SystemConfigurator {
|
||||
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
|
||||
|
||||
private static boolean systemFipsEnabled = false;
|
||||
+ private static boolean plainKeySupportEnabled = false;
|
||||
|
||||
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
|
||||
|
||||
@@ -149,6 +150,16 @@ final class SystemConfigurator {
|
||||
}
|
||||
loadedProps = true;
|
||||
systemFipsEnabled = true;
|
||||
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
|
||||
+ "true");
|
||||
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
|
||||
+ if (sdebug != null) {
|
||||
+ if (plainKeySupportEnabled) {
|
||||
+ sdebug.println("FIPS support enabled with plain key support");
|
||||
+ } else {
|
||||
+ sdebug.println("FIPS support enabled without plain key support");
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
} catch (Exception e) {
|
||||
if (sdebug != null) {
|
||||
@@ -176,6 +187,19 @@ final class SystemConfigurator {
|
||||
return systemFipsEnabled;
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * Returns {@code true} if system FIPS alignment is enabled
|
||||
+ * and plain key support is allowed. Plain key support is
|
||||
+ * enabled by default but can be disabled with
|
||||
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
|
||||
+ *
|
||||
+ * @return a boolean indicating whether plain key support
|
||||
+ * should be enabled.
|
||||
+ */
|
||||
+ static boolean isPlainKeySupportEnabled() {
|
||||
+ return plainKeySupportEnabled;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
|
||||
* system property is true (default) and the system is in FIPS mode.
|
||||
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
|
||||
index d8caa5640c..21bc6d0b59 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
|
||||
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
|
||||
@@ -27,4 +27,5 @@ package jdk.internal.misc;
|
||||
|
||||
public interface JavaSecuritySystemConfiguratorAccess {
|
||||
boolean isSystemFipsEnabled();
|
||||
+ boolean isPlainKeySupportEnabled();
|
||||
}
|
||||
diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
|
||||
index ffee2c1603..ff3d5e0e4a 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
|
||||
+++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
|
||||
@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
|
||||
|
||||
import javax.net.ssl.*;
|
||||
|
||||
+import jdk.internal.misc.SharedSecrets;
|
||||
+
|
||||
abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
|
||||
|
||||
+ private static final boolean plainKeySupportEnabled = SharedSecrets
|
||||
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
|
||||
+
|
||||
X509ExtendedKeyManager keyManager;
|
||||
boolean isInitialized;
|
||||
|
||||
@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
|
||||
KeyStoreException, NoSuchAlgorithmException,
|
||||
UnrecoverableKeyException {
|
||||
if ((ks != null) && SunJSSE.isFIPS()) {
|
||||
- if (ks.getProvider() != SunJSSE.cryptoProvider) {
|
||||
+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
|
||||
+ !plainKeySupportEnabled) {
|
||||
throw new KeyStoreException("FIPS mode: KeyStore must be "
|
||||
+ "from provider " + SunJSSE.cryptoProvider.getName());
|
||||
}
|
||||
@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
|
||||
keyManager = new X509KeyManagerImpl(
|
||||
Collections.<Builder>emptyList());
|
||||
} else {
|
||||
- if (SunJSSE.isFIPS() &&
|
||||
- (ks.getProvider() != SunJSSE.cryptoProvider)) {
|
||||
+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
|
||||
+ && !plainKeySupportEnabled) {
|
||||
throw new KeyStoreException(
|
||||
"FIPS mode: KeyStore must be " +
|
||||
"from provider " + SunJSSE.cryptoProvider.getName());
|
||||
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
||||
new file mode 100644
|
||||
index 0000000000..b848a1fd78
|
||||
--- /dev/null
|
||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
||||
@@ -0,0 +1,290 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2021, Red Hat, Inc.
|
||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
+ *
|
||||
+ * This code is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License version 2 only, as
|
||||
+ * published by the Free Software Foundation. Oracle designates this
|
||||
+ * particular file as subject to the "Classpath" exception as provided
|
||||
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||
+ *
|
||||
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||
+ * accompanied this code).
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License version
|
||||
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *
|
||||
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
+ * or visit www.oracle.com if you need additional information or have any
|
||||
+ * questions.
|
||||
+ */
|
||||
+
|
||||
+package sun.security.pkcs11;
|
||||
+
|
||||
+import java.math.BigInteger;
|
||||
+import java.security.KeyFactory;
|
||||
+import java.security.Provider;
|
||||
+import java.security.Security;
|
||||
+import java.util.HashMap;
|
||||
+import java.util.Map;
|
||||
+import java.util.concurrent.locks.ReentrantLock;
|
||||
+
|
||||
+import javax.crypto.Cipher;
|
||||
+import javax.crypto.spec.DHPrivateKeySpec;
|
||||
+import javax.crypto.spec.IvParameterSpec;
|
||||
+
|
||||
+import sun.security.jca.JCAUtil;
|
||||
+import sun.security.pkcs11.TemplateManager;
|
||||
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
|
||||
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
|
||||
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
||||
+import sun.security.pkcs11.wrapper.PKCS11Exception;
|
||||
+import sun.security.rsa.RSAUtil.KeyType;
|
||||
+import sun.security.util.Debug;
|
||||
+import sun.security.util.ECUtil;
|
||||
+
|
||||
+final class FIPSKeyImporter {
|
||||
+
|
||||
+ private static final Debug debug =
|
||||
+ Debug.getInstance("sunpkcs11");
|
||||
+
|
||||
+ private static P11Key importerKey = null;
|
||||
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
|
||||
+ private static CK_MECHANISM importerKeyMechanism = null;
|
||||
+ private static Cipher importerCipher = null;
|
||||
+
|
||||
+ private static Provider sunECProvider = null;
|
||||
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
|
||||
+
|
||||
+ private static KeyFactory DHKF = null;
|
||||
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
|
||||
+
|
||||
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
|
||||
+ throws PKCS11Exception {
|
||||
+ long keyID = -1;
|
||||
+ Token token = sunPKCS11.getToken();
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Private or Secret key will be imported in" +
|
||||
+ " system FIPS mode.");
|
||||
+ }
|
||||
+ if (importerKey == null) {
|
||||
+ importerKeyLock.lock();
|
||||
+ try {
|
||||
+ if (importerKey == null) {
|
||||
+ if (importerKeyMechanism == null) {
|
||||
+ // Importer Key creation has not been tried yet. Try it.
|
||||
+ createImporterKey(token);
|
||||
+ }
|
||||
+ if (importerKey == null || importerCipher == null) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Importer Key could not be" +
|
||||
+ " generated.");
|
||||
+ }
|
||||
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||
+ }
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Importer Key successfully" +
|
||||
+ " generated.");
|
||||
+ }
|
||||
+ }
|
||||
+ } finally {
|
||||
+ importerKeyLock.unlock();
|
||||
+ }
|
||||
+ }
|
||||
+ long importerKeyID = importerKey.getKeyID();
|
||||
+ try {
|
||||
+ byte[] keyBytes = null;
|
||||
+ byte[] encKeyBytes = null;
|
||||
+ long keyClass = 0L;
|
||||
+ long keyType = 0L;
|
||||
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
|
||||
+ for (CK_ATTRIBUTE attr : attributes) {
|
||||
+ if (attr.type == CKA_CLASS) {
|
||||
+ keyClass = attr.getLong();
|
||||
+ } else if (attr.type == CKA_KEY_TYPE) {
|
||||
+ keyType = attr.getLong();
|
||||
+ }
|
||||
+ attrsMap.put(attr.type, attr);
|
||||
+ }
|
||||
+ BigInteger v = null;
|
||||
+ if (keyClass == CKO_PRIVATE_KEY) {
|
||||
+ if (keyType == CKK_RSA) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Importing an RSA private key...");
|
||||
+ }
|
||||
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
|
||||
+ KeyType.RSA,
|
||||
+ null,
|
||||
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO
|
||||
+ ).getEncoded();
|
||||
+ } else if (keyType == CKK_DSA) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Importing a DSA private key...");
|
||||
+ }
|
||||
+ keyBytes = new sun.security.provider.DSAPrivateKey(
|
||||
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO
|
||||
+ ).getEncoded();
|
||||
+ if (token.config.getNssNetscapeDbWorkaround() &&
|
||||
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
|
||||
+ attrsMap.put(CKA_NETSCAPE_DB,
|
||||
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
|
||||
+ }
|
||||
+ } else if (keyType == CKK_EC) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Importing an EC private key...");
|
||||
+ }
|
||||
+ if (sunECProvider == null) {
|
||||
+ sunECProviderLock.lock();
|
||||
+ try {
|
||||
+ if (sunECProvider == null) {
|
||||
+ sunECProvider = Security.getProvider("SunEC");
|
||||
+ }
|
||||
+ } finally {
|
||||
+ sunECProviderLock.unlock();
|
||||
+ }
|
||||
+ }
|
||||
+ keyBytes = ECUtil.generateECPrivateKey(
|
||||
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ECUtil.getECParameterSpec(sunECProvider,
|
||||
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
|
||||
+ .getEncoded();
|
||||
+ if (token.config.getNssNetscapeDbWorkaround() &&
|
||||
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
|
||||
+ attrsMap.put(CKA_NETSCAPE_DB,
|
||||
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
|
||||
+ }
|
||||
+ } else if (keyType == CKK_DH) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Importing a Diffie-Hellman private key...");
|
||||
+ }
|
||||
+ if (DHKF == null) {
|
||||
+ DHKFLock.lock();
|
||||
+ try {
|
||||
+ if (DHKF == null) {
|
||||
+ DHKF = KeyFactory.getInstance(
|
||||
+ "DH", P11Util.getSunJceProvider());
|
||||
+ }
|
||||
+ } finally {
|
||||
+ DHKFLock.unlock();
|
||||
+ }
|
||||
+ }
|
||||
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
|
||||
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO,
|
||||
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
|
||||
+ ? v : BigInteger.ZERO);
|
||||
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
|
||||
+ if (token.config.getNssNetscapeDbWorkaround() &&
|
||||
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
|
||||
+ attrsMap.put(CKA_NETSCAPE_DB,
|
||||
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Unrecognized private key type.");
|
||||
+ }
|
||||
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||
+ }
|
||||
+ } else if (keyClass == CKO_SECRET_KEY) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Importing a secret key...");
|
||||
+ }
|
||||
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
|
||||
+ }
|
||||
+ if (keyBytes == null || keyBytes.length == 0) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Private or secret key plain bytes could" +
|
||||
+ " not be obtained. Import failed.");
|
||||
+ }
|
||||
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||
+ }
|
||||
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
|
||||
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
|
||||
+ null);
|
||||
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
|
||||
+ attrsMap.values().toArray(attributes);
|
||||
+ encKeyBytes = importerCipher.doFinal(keyBytes);
|
||||
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
|
||||
+ keyClass, keyType, attributes);
|
||||
+ keyID = token.p11.C_UnwrapKey(hSession,
|
||||
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Imported key ID: " + keyID);
|
||||
+ }
|
||||
+ } catch (Throwable t) {
|
||||
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||
+ } finally {
|
||||
+ importerKey.releaseKeyID();
|
||||
+ }
|
||||
+ return Long.valueOf(keyID);
|
||||
+ }
|
||||
+
|
||||
+ private static void createImporterKey(Token token) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Generating Importer Key...");
|
||||
+ }
|
||||
+ byte[] iv = new byte[16];
|
||||
+ JCAUtil.getSecureRandom().nextBytes(iv);
|
||||
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
|
||||
+ try {
|
||||
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
|
||||
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
|
||||
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
|
||||
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
|
||||
+ Session s = null;
|
||||
+ try {
|
||||
+ s = token.getObjSession();
|
||||
+ long keyID = token.p11.C_GenerateKey(
|
||||
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
|
||||
+ attributes);
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Importer Key ID: " + keyID);
|
||||
+ }
|
||||
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
|
||||
+ 256 >> 3, null);
|
||||
+ } catch (PKCS11Exception e) {
|
||||
+ // best effort
|
||||
+ } finally {
|
||||
+ token.releaseSession(s);
|
||||
+ }
|
||||
+ if (importerKey != null) {
|
||||
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
+ }
|
||||
+ } catch (Throwable t) {
|
||||
+ // best effort
|
||||
+ importerKey = null;
|
||||
+ importerCipher = null;
|
||||
+ // importerKeyMechanism value is kept initialized to indicate that
|
||||
+ // Importer Key creation has been tried and failed.
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
index 1eca1f8f0a..72674a7330 100644
|
||||
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
@@ -26,6 +26,9 @@
|
||||
package sun.security.pkcs11;
|
||||
|
||||
import java.io.*;
|
||||
+import java.lang.invoke.MethodHandle;
|
||||
+import java.lang.invoke.MethodHandles;
|
||||
+import java.lang.invoke.MethodType;
|
||||
import java.util.*;
|
||||
|
||||
import java.security.*;
|
||||
@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
private static final boolean systemFipsEnabled = SharedSecrets
|
||||
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
||||
|
||||
+ private static final boolean plainKeySupportEnabled = SharedSecrets
|
||||
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
|
||||
+
|
||||
+ private static final MethodHandle fipsImportKey;
|
||||
+ static {
|
||||
+ MethodHandle fipsImportKeyTmp = null;
|
||||
+ if (plainKeySupportEnabled) {
|
||||
+ try {
|
||||
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
|
||||
+ FIPSKeyImporter.class, "importKey",
|
||||
+ MethodType.methodType(Long.class, SunPKCS11.class,
|
||||
+ long.class, CK_ATTRIBUTE[].class));
|
||||
+ } catch (Throwable t) {
|
||||
+ throw new SecurityException("FIPS key importer initialization" +
|
||||
+ " failed", t);
|
||||
+ }
|
||||
+ }
|
||||
+ fipsImportKey = fipsImportKeyTmp;
|
||||
+ }
|
||||
+
|
||||
private static final long serialVersionUID = -1354835039035306505L;
|
||||
|
||||
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||
@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
// request multithreaded access first
|
||||
initArgs.flags = CKF_OS_LOCKING_OK;
|
||||
PKCS11 tmpPKCS11;
|
||||
+ MethodHandle fipsKeyImporter = null;
|
||||
+ if (plainKeySupportEnabled) {
|
||||
+ fipsKeyImporter = MethodHandles.insertArguments(
|
||||
+ fipsImportKey, 0, this);
|
||||
+ }
|
||||
try {
|
||||
tmpPKCS11 = PKCS11.getInstance(
|
||||
library, functionList, initArgs,
|
||||
- config.getOmitInitialize());
|
||||
+ config.getOmitInitialize(), fipsKeyImporter);
|
||||
} catch (PKCS11Exception e) {
|
||||
if (debug != null) {
|
||||
debug.println("Multi-threaded initialization failed: " + e);
|
||||
@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
initArgs.flags = 0;
|
||||
}
|
||||
tmpPKCS11 = PKCS11.getInstance(library,
|
||||
- functionList, initArgs, config.getOmitInitialize());
|
||||
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
|
||||
}
|
||||
p11 = tmpPKCS11;
|
||||
|
||||
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||
index 04a369f453..8d2081abaa 100644
|
||||
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
+import java.lang.invoke.MethodHandle;
|
||||
import java.util.*;
|
||||
|
||||
import java.security.AccessController;
|
||||
@@ -150,16 +151,28 @@ public class PKCS11 {
|
||||
|
||||
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
|
||||
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
|
||||
- boolean omitInitialize) throws IOException, PKCS11Exception {
|
||||
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
|
||||
+ throws IOException, PKCS11Exception {
|
||||
// we may only call C_Initialize once per native .so/.dll
|
||||
// so keep a cache using the (non-canonicalized!) path
|
||||
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
|
||||
if (pkcs11 == null) {
|
||||
+ boolean nssFipsMode = fipsKeyImporter != null;
|
||||
if ((pInitArgs != null)
|
||||
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
|
||||
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
|
||||
+ if (nssFipsMode) {
|
||||
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
|
||||
+ fipsKeyImporter);
|
||||
+ } else {
|
||||
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
|
||||
+ }
|
||||
} else {
|
||||
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
|
||||
+ if (nssFipsMode) {
|
||||
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
|
||||
+ functionList, fipsKeyImporter);
|
||||
+ } else {
|
||||
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
|
||||
+ }
|
||||
}
|
||||
if (omitInitialize == false) {
|
||||
try {
|
||||
@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
|
||||
super.C_GenerateRandom(hSession, randomData);
|
||||
}
|
||||
}
|
||||
+
|
||||
+// PKCS11 subclass that allows using plain private or secret keys in
|
||||
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
|
||||
+// is enabled.
|
||||
+static class FIPSPKCS11 extends PKCS11 {
|
||||
+ private MethodHandle fipsKeyImporter;
|
||||
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
|
||||
+ MethodHandle fipsKeyImporter) throws IOException {
|
||||
+ super(pkcs11ModulePath, functionListName);
|
||||
+ this.fipsKeyImporter = fipsKeyImporter;
|
||||
+ }
|
||||
+
|
||||
+ public synchronized long C_CreateObject(long hSession,
|
||||
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
|
||||
+ // Creating sensitive key objects from plain key material in a
|
||||
+ // FIPS-configured NSS Software Token is not allowed. We apply
|
||||
+ // a key-unwrapping scheme to achieve so.
|
||||
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
|
||||
+ try {
|
||||
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
|
||||
+ .longValue();
|
||||
+ } catch (Throwable t) {
|
||||
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||
+ }
|
||||
+ }
|
||||
+ return super.C_CreateObject(hSession, pTemplate);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+// FIPSPKCS11 synchronized counterpart.
|
||||
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
|
||||
+ private MethodHandle fipsKeyImporter;
|
||||
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
|
||||
+ MethodHandle fipsKeyImporter) throws IOException {
|
||||
+ super(pkcs11ModulePath, functionListName);
|
||||
+ this.fipsKeyImporter = fipsKeyImporter;
|
||||
+ }
|
||||
+
|
||||
+ public synchronized long C_CreateObject(long hSession,
|
||||
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
|
||||
+ // See FIPSPKCS11::C_CreateObject.
|
||||
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
|
||||
+ try {
|
||||
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
|
||||
+ .longValue();
|
||||
+ } catch (Throwable t) {
|
||||
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||
+ }
|
||||
+ }
|
||||
+ return super.C_CreateObject(hSession, pTemplate);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+private static class FIPSPKCS11Helper {
|
||||
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
|
||||
+ for (CK_ATTRIBUTE attr : pTemplate) {
|
||||
+ if (attr.type == CKA_CLASS &&
|
||||
+ (attr.getLong() == CKO_PRIVATE_KEY ||
|
||||
+ attr.getLong() == CKO_SECRET_KEY)) {
|
||||
+ return true;
|
||||
+ }
|
||||
+ }
|
||||
+ return false;
|
||||
+ }
|
||||
+}
|
||||
}
|
@ -1,18 +0,0 @@
|
||||
commit 598fe421216b0a437fa36ee91a29966599867aa3
|
||||
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||
Date: Mon Aug 30 16:12:52 2021 +0100
|
||||
|
||||
RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
|
||||
|
||||
diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
|
||||
index ab59a334cd..5db744ff17 100644
|
||||
--- openjdk.orig/src/java.base/share/lib/security/default.policy
|
||||
+++ openjdk/src/java.base/share/lib/security/default.policy
|
||||
@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
|
||||
grant codeBase "jrt:/jdk.crypto.cryptoki" {
|
||||
permission java.lang.RuntimePermission
|
||||
"accessClassInPackage.com.sun.crypto.provider";
|
||||
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
|
||||
permission java.lang.RuntimePermission
|
||||
"accessClassInPackage.sun.security.*";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
|
@ -5,7 +5,7 @@ Date: Fri Aug 27 19:42:07 2021 +0100
|
||||
RH1996182: Login to the NSS Software Token in FIPS Mode
|
||||
|
||||
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
|
||||
index 0cf61732d7..2cd851587c 100644
|
||||
index 5460efcf8c..f08dc2fafc 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/module-info.java
|
||||
+++ openjdk/src/java.base/share/classes/module-info.java
|
||||
@@ -182,6 +182,7 @@ module java.base {
|
||||
@ -17,19 +17,19 @@ index 0cf61732d7..2cd851587c 100644
|
||||
jdk.attach,
|
||||
jdk.charsets,
|
||||
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
index b00b738b85..1eca1f8f0a 100644
|
||||
index 5e227f4531..164de8ff08 100644
|
||||
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
|
||||
@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler;
|
||||
import javax.security.auth.callback.PasswordCallback;
|
||||
import javax.security.auth.callback.TextOutputCallback;
|
||||
|
||||
import jdk.internal.misc.InnocuousThread;
|
||||
+import jdk.internal.misc.SharedSecrets;
|
||||
+
|
||||
import sun.security.util.Debug;
|
||||
import sun.security.util.ResourcesMgr;
|
||||
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||
@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
||||
@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
||||
*/
|
||||
public final class SunPKCS11 extends AuthProvider {
|
||||
|
||||
@ -39,7 +39,7 @@ index b00b738b85..1eca1f8f0a 100644
|
||||
private static final long serialVersionUID = -1354835039035306505L;
|
||||
|
||||
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||
@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
if (nssModule != null) {
|
||||
nssModule.setProvider(this);
|
||||
}
|
||||
|
28
SOURCES/rh2021263-fips_ensure_security_initialised.patch
Normal file
28
SOURCES/rh2021263-fips_ensure_security_initialised.patch
Normal file
@ -0,0 +1,28 @@
|
||||
commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
|
||||
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||
Date: Tue Jan 18 02:00:55 2022 +0000
|
||||
|
||||
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
|
||||
|
||||
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
|
||||
index 2ec51d57806..8489b940c43 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
|
||||
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
|
||||
@@ -36,6 +36,7 @@ import java.io.FilePermission;
|
||||
import java.io.ObjectInputStream;
|
||||
import java.io.RandomAccessFile;
|
||||
import java.security.ProtectionDomain;
|
||||
+import java.security.Security;
|
||||
import java.security.Signature;
|
||||
|
||||
/** A repository of "shared secrets", which are a mechanism for
|
||||
@@ -368,6 +369,9 @@ public class SharedSecrets {
|
||||
}
|
||||
|
||||
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
|
||||
+ if (javaSecuritySystemConfiguratorAccess == null) {
|
||||
+ unsafe.ensureClassInitialized(Security.class);
|
||||
+ }
|
||||
return javaSecuritySystemConfiguratorAccess;
|
||||
}
|
||||
}
|
24
SOURCES/rh2021263-fips_missing_native_returns.patch
Normal file
24
SOURCES/rh2021263-fips_missing_native_returns.patch
Normal file
@ -0,0 +1,24 @@
|
||||
commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
|
||||
Author: Fridrich Strba <fstrba@suse.com>
|
||||
Date: Mon Jan 17 19:44:03 2022 +0000
|
||||
|
||||
RH2021263: Return in C code after having generated Java exception
|
||||
|
||||
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
index 6f4656bfcb6..34d0ff0ce91 100644
|
||||
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
|
||||
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
|
||||
+ return JNI_FALSE;
|
||||
}
|
||||
fips_enabled = fgetc(fe);
|
||||
fclose(fe);
|
||||
if (fips_enabled == EOF) {
|
||||
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
|
||||
+ return JNI_FALSE;
|
||||
}
|
||||
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
" read character is '%c'", fips_enabled);
|
99
SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
Normal file
99
SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
Normal file
@ -0,0 +1,99 @@
|
||||
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
|
||||
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||
Date: Tue Jan 18 02:09:27 2022 +0000
|
||||
|
||||
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
|
||||
|
||||
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
index 28ab1846173..f9726741afd 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
@@ -61,10 +61,6 @@ public final class Security {
|
||||
private static final Debug sdebug =
|
||||
Debug.getInstance("properties");
|
||||
|
||||
- /* System property file*/
|
||||
- private static final String SYSTEM_PROPERTIES =
|
||||
- "/etc/crypto-policies/back-ends/java.config";
|
||||
-
|
||||
/* The java.security properties */
|
||||
private static Properties props;
|
||||
|
||||
@@ -206,22 +202,36 @@ public final class Security {
|
||||
}
|
||||
}
|
||||
|
||||
+ if (!loadedProps) {
|
||||
+ initializeStatic();
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("unable to load security properties " +
|
||||
+ "-- using defaults");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
|
||||
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
|
||||
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
|
||||
- if (SystemConfigurator.configure(props)) {
|
||||
- loadedProps = true;
|
||||
+ if (!SystemConfigurator.configureSysProps(props)) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("WARNING: System properties could not be loaded.");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
- if (!loadedProps) {
|
||||
- initializeStatic();
|
||||
+ // FIPS support depends on the contents of java.security so
|
||||
+ // ensure it has loaded first
|
||||
+ if (loadedProps) {
|
||||
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
|
||||
if (sdebug != null) {
|
||||
- sdebug.println("unable to load security properties " +
|
||||
- "-- using defaults");
|
||||
+ if (fipsEnabled) {
|
||||
+ sdebug.println("FIPS support enabled.");
|
||||
+ } else {
|
||||
+ sdebug.println("FIPS support disabled.");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
-
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
index 874c6221ebe..b7ed41acf0f 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -76,7 +76,7 @@ final class SystemConfigurator {
|
||||
* java.security.disableSystemPropertiesFile property is not set and
|
||||
* security.useSystemPropertiesFile is true.
|
||||
*/
|
||||
- static boolean configure(Properties props) {
|
||||
+ static boolean configureSysProps(Properties props) {
|
||||
boolean loadedProps = false;
|
||||
|
||||
try (BufferedInputStream bis =
|
||||
@@ -96,11 +96,19 @@ final class SystemConfigurator {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
+ return loadedProps;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Invoked at the end of java.security.Security initialisation
|
||||
+ * if java.security properties have been loaded
|
||||
+ */
|
||||
+ static boolean configureFIPS(Properties props) {
|
||||
+ boolean loadedProps = false;
|
||||
|
||||
try {
|
||||
if (enableFips()) {
|
||||
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
|
||||
- loadedProps = false;
|
||||
// Remove all security providers
|
||||
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
|
||||
while (i.hasNext()) {
|
220
SOURCES/rh2052829-fips_runtime_nss_detection.patch
Normal file
220
SOURCES/rh2052829-fips_runtime_nss_detection.patch
Normal file
@ -0,0 +1,220 @@
|
||||
commit e2be09f982af1cc05f5e6556d51900bca4757416
|
||||
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||
Date: Mon Feb 28 05:30:32 2022 +0000
|
||||
|
||||
RH2051605: Detect NSS at Runtime for FIPS detection
|
||||
|
||||
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
index 34d0ff0ce91..8dcb7d9073f 100644
|
||||
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
@@ -23,25 +23,99 @@
|
||||
* questions.
|
||||
*/
|
||||
|
||||
-#include <dlfcn.h>
|
||||
#include <jni.h>
|
||||
#include <jni_util.h>
|
||||
+#include "jvm_md.h"
|
||||
#include <stdio.h>
|
||||
|
||||
#ifdef SYSCONF_NSS
|
||||
#include <nss3/pk11pub.h>
|
||||
+#else
|
||||
+#include <dlfcn.h>
|
||||
#endif //SYSCONF_NSS
|
||||
|
||||
#include "java_security_SystemConfigurator.h"
|
||||
|
||||
+#define MSG_MAX_SIZE 256
|
||||
#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
|
||||
-#define MSG_MAX_SIZE 96
|
||||
|
||||
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
|
||||
+
|
||||
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
|
||||
static jmethodID debugPrintlnMethodID = NULL;
|
||||
static jobject debugObj = NULL;
|
||||
|
||||
-static void throwIOException(JNIEnv *env, const char *msg);
|
||||
-static void dbgPrint(JNIEnv *env, const char* msg);
|
||||
+static void dbgPrint(JNIEnv *env, const char* msg)
|
||||
+{
|
||||
+ jstring jMsg;
|
||||
+ if (debugObj != NULL) {
|
||||
+ jMsg = (*env)->NewStringUTF(env, msg);
|
||||
+ CHECK_NULL(jMsg);
|
||||
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void throwIOException(JNIEnv *env, const char *msg)
|
||||
+{
|
||||
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
|
||||
+ if (cls != 0)
|
||||
+ (*env)->ThrowNew(env, cls, msg);
|
||||
+}
|
||||
+
|
||||
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
|
||||
+{
|
||||
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||
+ dbgPrint(env, msg);
|
||||
+ } else {
|
||||
+ dbgPrint(env, "systemconf: cannot render message");
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+// Only used when NSS is not linked at build time
|
||||
+#ifndef SYSCONF_NSS
|
||||
+
|
||||
+static void *nss_handle;
|
||||
+
|
||||
+static jboolean loadNSS(JNIEnv *env)
|
||||
+{
|
||||
+ char msg[MSG_MAX_SIZE];
|
||||
+ int msg_bytes;
|
||||
+ const char* errmsg;
|
||||
+
|
||||
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
|
||||
+ if (nss_handle == NULL) {
|
||||
+ errmsg = dlerror();
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
|
||||
+ errmsg);
|
||||
+ handle_msg(env, msg, msg_bytes);
|
||||
+ return JNI_FALSE;
|
||||
+ }
|
||||
+ dlerror(); /* Clear errors */
|
||||
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
|
||||
+ if ((errmsg = dlerror()) != NULL) {
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
|
||||
+ errmsg);
|
||||
+ handle_msg(env, msg, msg_bytes);
|
||||
+ return JNI_FALSE;
|
||||
+ }
|
||||
+ return JNI_TRUE;
|
||||
+}
|
||||
+
|
||||
+static void closeNSS(JNIEnv *env)
|
||||
+{
|
||||
+ char msg[MSG_MAX_SIZE];
|
||||
+ int msg_bytes;
|
||||
+ const char* errmsg;
|
||||
+
|
||||
+ if (dlclose(nss_handle) != 0) {
|
||||
+ errmsg = dlerror();
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
|
||||
+ errmsg);
|
||||
+ handle_msg(env, msg, msg_bytes);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Class: java_security_SystemConfigurator
|
||||
@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
|
||||
debugObj = (*env)->NewGlobalRef(env, debugObj);
|
||||
}
|
||||
|
||||
+#ifdef SYSCONF_NSS
|
||||
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
|
||||
+#else
|
||||
+ if (loadNSS(env) == JNI_FALSE) {
|
||||
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
return (*env)->GetVersion(env);
|
||||
}
|
||||
|
||||
@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
|
||||
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
|
||||
return; /* Should not happen */
|
||||
}
|
||||
+#ifndef SYSCONF_NSS
|
||||
+ closeNSS(env);
|
||||
+#endif
|
||||
(*env)->DeleteGlobalRef(env, debugObj);
|
||||
}
|
||||
}
|
||||
@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
|
||||
char msg[MSG_MAX_SIZE];
|
||||
int msg_bytes;
|
||||
|
||||
-#ifdef SYSCONF_NSS
|
||||
-
|
||||
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
|
||||
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
|
||||
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
|
||||
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||
- dbgPrint(env, msg);
|
||||
+ if (getSystemFIPSEnabled != NULL) {
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
|
||||
+ fips_enabled = (*getSystemFIPSEnabled)();
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
|
||||
+ handle_msg(env, msg, msg_bytes);
|
||||
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
|
||||
} else {
|
||||
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||
- " SECMOD_GetSystemFIPSEnabled return value");
|
||||
- }
|
||||
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
|
||||
-
|
||||
-#else // SYSCONF_NSS
|
||||
+ FILE *fe;
|
||||
|
||||
- FILE *fe;
|
||||
-
|
||||
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
|
||||
return JNI_FALSE;
|
||||
- }
|
||||
- fips_enabled = fgetc(fe);
|
||||
- fclose(fe);
|
||||
- if (fips_enabled == EOF) {
|
||||
+ }
|
||||
+ fips_enabled = fgetc(fe);
|
||||
+ fclose(fe);
|
||||
+ if (fips_enabled == EOF) {
|
||||
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
|
||||
return JNI_FALSE;
|
||||
- }
|
||||
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
- " read character is '%c'", fips_enabled);
|
||||
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||
- dbgPrint(env, msg);
|
||||
- } else {
|
||||
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||
- " read character");
|
||||
- }
|
||||
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
|
||||
-
|
||||
-#endif // SYSCONF_NSS
|
||||
-}
|
||||
-
|
||||
-static void throwIOException(JNIEnv *env, const char *msg)
|
||||
-{
|
||||
- jclass cls = (*env)->FindClass(env, "java/io/IOException");
|
||||
- if (cls != 0)
|
||||
- (*env)->ThrowNew(env, cls, msg);
|
||||
-}
|
||||
-
|
||||
-static void dbgPrint(JNIEnv *env, const char* msg)
|
||||
-{
|
||||
- jstring jMsg;
|
||||
- if (debugObj != NULL) {
|
||||
- jMsg = (*env)->NewStringUTF(env, msg);
|
||||
- CHECK_NULL(jMsg);
|
||||
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
|
||||
+ }
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
+ " read character is '%c'", fips_enabled);
|
||||
+ handle_msg(env, msg, msg_bytes);
|
||||
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
|
||||
}
|
||||
}
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user