import java-11-openjdk-11.0.11.0.9-5.el8

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/jdk-updates-jdk11u-jdk-11.0.11+9-4curve.tar.xz
+SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

.java-11-openjdk.metadata

@@ -0,0 +1,2 @@
+a339f6e108c16a23c47504565b602a6fc395bf2e SOURCES/jdk-updates-jdk11u-jdk-11.0.11+9-4curve.tar.xz
+c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

SOURCES/CheckVendor.java

@@ -0,0 +1,57 @@
+/* CheckVendor -- Check the vendor properties match specified values.
+   Copyright (C) 2020 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/**
+ * @test
+ */
+public class CheckVendor {
+
+    public static void main(String[] args) {
+	if (args.length < 3) {
+	    System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL>");
+	    System.exit(1);
+	}
+
+	String vendor = System.getProperty("java.vendor");
+	String expectedVendor = args[0];
+	String vendorURL = System.getProperty("java.vendor.url");
+	String expectedVendorURL = args[1];
+	String vendorBugURL = System.getProperty("java.vendor.url.bug");
+	String expectedVendorBugURL = args[2];
+
+	if (!expectedVendor.equals(vendor)) {
+	    System.err.printf("Invalid vendor %s, expected %s\n",
+			      vendor, expectedVendor);
+	    System.exit(2);
+	}
+
+	if (!expectedVendorURL.equals(vendorURL)) {
+	    System.err.printf("Invalid vendor URL %s, expected %s\n",
+			      vendorURL, expectedVendorURL);
+	    System.exit(3);
+	}
+
+	if (!expectedVendorBugURL.equals(vendorBugURL)) {
+	    System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+			      vendorBugURL, expectedVendorBugURL);
+	    System.exit(4);
+	}
+
+	System.err.printf("Vendor information verified as %s, %s, %s\n",
+			  vendor, vendorURL, vendorBugURL);
+    }
+}

SOURCES/TestCryptoLevel.java

@@ -0,0 +1,72 @@
+/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
+   Copyright (C) 2012 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+public class TestCryptoLevel
+{
+  public static void main(String[] args)
+    throws NoSuchFieldException, ClassNotFoundException,
+           IllegalAccessException, InvocationTargetException
+  {
+    Class<?> cls = null;
+    Method def = null, exempt = null;
+
+    try
+      {
+        cls = Class.forName("javax.crypto.JceSecurity");
+      }
+    catch (ClassNotFoundException ex)
+      {
+        System.err.println("Running a non-Sun JDK.");
+        System.exit(0);
+      }
+    try
+      {
+        def = cls.getDeclaredMethod("getDefaultPolicy");
+        exempt = cls.getDeclaredMethod("getExemptPolicy");
+      }
+    catch (NoSuchMethodException ex)
+      {
+        System.err.println("Running IcedTea with the original crypto patch.");
+        System.exit(0);
+      }
+    def.setAccessible(true);
+    exempt.setAccessible(true);
+    PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
+    PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
+    Class<?> apCls = Class.forName("javax.crypto.CryptoAllPermission");
+    Field apField = apCls.getDeclaredField("INSTANCE");
+    apField.setAccessible(true);
+    Permission allPerms = (Permission) apField.get(null);
+    if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
+      {
+        System.err.println("Running with the unlimited policy.");
+        System.exit(0);
+      }
+    else
+      {
+        System.err.println("WARNING: Running with a restricted crypto policy.");
+        System.exit(-1);
+      }
+  }
+}

SOURCES/TestECDSA.java

@@ -0,0 +1,49 @@
+/* TestECDSA -- Ensure ECDSA signatures are working.
+   Copyright (C) 2016 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+
+/**
+ * @test
+ */
+public class TestECDSA {
+
+    public static void main(String[] args) throws Exception {
+        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+        KeyPair key = keyGen.generateKeyPair();
+        
+        byte[] data = "This is a string to sign".getBytes("UTF-8");
+        
+        Signature dsa = Signature.getInstance("NONEwithECDSA");
+        dsa.initSign(key.getPrivate());
+        dsa.update(data);
+        byte[] sig = dsa.sign();
+        System.out.println("Signature: " + new BigInteger(1, sig).toString(16));
+        
+        Signature dsaCheck = Signature.getInstance("NONEwithECDSA");
+        dsaCheck.initVerify(key.getPublic());
+        dsaCheck.update(data);
+        boolean success = dsaCheck.verify(sig);
+        if (!success) {
+            throw new RuntimeException("Test failed. Signature verification error");
+        }
+        System.out.println("Test passed.");
+    }
+}

SOURCES/jconsole.desktop.in

@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
+Comment=Monitor and manage OpenJDK applications
+Exec=_SDKBINDIR_/jconsole
+Icon=java-@JAVA_VER@-@JAVA_VENDOR@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;Java;
+Version=1.0

SOURCES/nss.cfg.in

@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation

SOURCES/nss.fips.cfg.in

@@ -0,0 +1,6 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = @NSS_SECMOD@
+nssDbMode = readOnly
+nssModule = fips
+

SOURCES/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch

@@ -0,0 +1,88 @@
+
+# HG changeset patch
+# User andrew
+# Date 1478057514 0
+# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
+# Parent  3d53f19b48384e5252f4ec8891f7a3a82d77af2a
+PR3694: Support Fedora/RHEL system crypto policy
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java	Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/classes/java/security/Security.java	Wed Nov 02 03:31:54 2016 +0000
+@@ -43,6 +43,9 @@
+  * implementation-specific location, which is typically the properties file
+  * {@code conf/security/java.security} in the Java installation directory.
+  *
++ * <p>Additional default values of security properties are read from a
++ * system-specific location, if available.</p>
++ *
+  * @author Benjamin Renaud
+  * @since 1.1
+  */
+@@ -52,6 +55,10 @@
+     private static final Debug sdebug =
+                         Debug.getInstance("properties");
+ 
++    /* System property file*/
++    private static final String SYSTEM_PROPERTIES =
++        "/etc/crypto-policies/back-ends/java.config";
++
+     /* The java.security properties */
+     private static Properties props;
+ 
+@@ -93,6 +100,7 @@
+                 if (sdebug != null) {
+                     sdebug.println("reading security properties file: " +
+                                 propFile);
++                    sdebug.println(props.toString());
+                 }
+             } catch (IOException e) {
+                 if (sdebug != null) {
+@@ -114,6 +122,31 @@
+         }
+ 
+         if ("true".equalsIgnoreCase(props.getProperty
++                ("security.useSystemPropertiesFile"))) {
++
++            // now load the system file, if it exists, so its values
++            // will win if they conflict with the earlier values
++            try (BufferedInputStream bis =
++                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++                props.load(bis);
++                loadedProps = true;
++
++                if (sdebug != null) {
++                    sdebug.println("reading system security properties file " +
++                                   SYSTEM_PROPERTIES);
++                    sdebug.println(props.toString());
++                }
++            } catch (IOException e) {
++                if (sdebug != null) {
++                    sdebug.println
++                        ("unable to load security properties from " +
++                         SYSTEM_PROPERTIES);
++                    e.printStackTrace();
++                }
++            }
++        }
++
++        if ("true".equalsIgnoreCase(props.getProperty
+                 ("security.overridePropertiesFile"))) {
+ 
+             String extraPropFile = System.getProperty
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
+--- a/src/java.base/share/conf/security/java.security	Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/conf/security/java.security	Wed Nov 02 03:31:54 2016 +0000
+@@ -276,6 +276,13 @@
+ security.overridePropertiesFile=true
+ 
+ #
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=true
++
++#
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+ #

SOURCES/pr3695-toggle_system_crypto_policy.patch

@@ -0,0 +1,78 @@
+# HG changeset patch
+# User andrew
+# Date 1545198926 0
+#      Wed Dec 19 05:55:26 2018 +0000
+# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
+# Parent  81f07f6d1f8b7b51b136d3974c61bc8bb513770c
+PR3695: Allow use of system crypto policy to be disabled by the user
+Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
+
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -125,31 +125,6 @@
+         }
+ 
+         if ("true".equalsIgnoreCase(props.getProperty
+-                ("security.useSystemPropertiesFile"))) {
+-
+-            // now load the system file, if it exists, so its values
+-            // will win if they conflict with the earlier values
+-            try (BufferedInputStream bis =
+-                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+-                props.load(bis);
+-                loadedProps = true;
+-
+-                if (sdebug != null) {
+-                    sdebug.println("reading system security properties file " +
+-                                   SYSTEM_PROPERTIES);
+-                    sdebug.println(props.toString());
+-                }
+-            } catch (IOException e) {
+-                if (sdebug != null) {
+-                    sdebug.println
+-                        ("unable to load security properties from " +
+-                         SYSTEM_PROPERTIES);
+-                    e.printStackTrace();
+-                }
+-            }
+-        }
+-
+-        if ("true".equalsIgnoreCase(props.getProperty
+                 ("security.overridePropertiesFile"))) {
+ 
+             String extraPropFile = System.getProperty
+@@ -215,6 +190,33 @@
+             }
+         }
+ 
++        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
++        if (disableSystemProps == null &&
++            "true".equalsIgnoreCase(props.getProperty
++                ("security.useSystemPropertiesFile"))) {
++
++            // now load the system file, if it exists, so its values
++            // will win if they conflict with the earlier values
++            try (BufferedInputStream bis =
++                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++                props.load(bis);
++                loadedProps = true;
++
++                if (sdebug != null) {
++                    sdebug.println("reading system security properties file " +
++                                   SYSTEM_PROPERTIES);
++                    sdebug.println(props.toString());
++                }
++            } catch (IOException e) {
++                if (sdebug != null) {
++                    sdebug.println
++                        ("unable to load security properties from " +
++                         SYSTEM_PROPERTIES);
++                    e.printStackTrace();
++                }
++            }
++        }
++
+         if (!loadedProps) {
+             initializeStatic();
+             if (sdebug != null) {

SOURCES/remove-intree-libraries.sh

@@ -0,0 +1,159 @@
+#!/bin/sh
+
+# Arguments: <JDK TREE> <MINIMAL|FULL>
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+    echo "$0 <JDK_TREE> (MINIMAL|FULL)";
+    exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+    TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+    echo "Type must be minimal or full";
+    exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+	echo "${ZIP_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi	
+rm -rvf ${ZIP_SRC}
+
+# Minimal is limited to just zlib so finish here
+if test "x${TYPE}" = "xminimal"; then
+    echo "Finished.";
+    exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+	echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+	exit 1
+fi	
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+	echo "${GIF_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi	
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+	echo "${PNG_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi	
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+	echo "${LCMS_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
+
+

SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch

@@ -0,0 +1,18 @@
+diff -uNr openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java jdk8/jdk/src/java.desktop/share/classes/java/awt/Toolkit.java
+--- openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
++++ openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
+@@ -883,9 +883,13 @@
+                     return null;
+                 }
+             });
+             if (!GraphicsEnvironment.isHeadless()) {
+-                loadAssistiveTechnologies();
++                try {
++                    loadAssistiveTechnologies();
++                } catch (AWTError error) {
++                    // ignore silently
++                }
+             }
+         }
+         return toolkit;
+     }

SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch

@@ -0,0 +1,11 @@
+diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
+--- openjdk/src/java.base/share/conf/security/java.security	Tue May 16 13:29:05 2017 -0700
++++ openjdk/src/java.base/share/conf/security/java.security	Tue Jun 06 14:05:12 2017 +0200
+@@ -83,6 +83,7 @@
+ #ifndef solaris
+ security.provider.tbd=SunPKCS11
+ #endif
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+ 
+ #
+ # A list of preferred providers for specific algorithms. These providers will

SOURCES/rh1648644-java_access_bridge_privileged_security.patch

@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+                sun.reflect.,\
++               org.GNOME.Accessibility.,\
++               org.GNOME.Bonobo.,\
+ 
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+                    sun.reflect.,\
++                   org.GNOME.Accessibility.,\
++                   org.GNOME.Bonobo.,\
+ 
+ #
+ # Determines whether this properties file can be appended to

SOURCES/rh1655466-global_crypto_and_fips.patch

@@ -0,0 +1,205 @@
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -196,26 +196,8 @@
+         if (disableSystemProps == null &&
+             "true".equalsIgnoreCase(props.getProperty
+                 ("security.useSystemPropertiesFile"))) {
+-
+-            // now load the system file, if it exists, so its values
+-            // will win if they conflict with the earlier values
+-            try (BufferedInputStream bis =
+-                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+-                props.load(bis);
++            if (SystemConfigurator.configure(props)) {
+                 loadedProps = true;
+-
+-                if (sdebug != null) {
+-                    sdebug.println("reading system security properties file " +
+-                                   SYSTEM_PROPERTIES);
+-                    sdebug.println(props.toString());
+-                }
+-            } catch (IOException e) {
+-                if (sdebug != null) {
+-                    sdebug.println
+-                        ("unable to load security properties from " +
+-                         SYSTEM_PROPERTIES);
+-                    e.printStackTrace();
+-                }
+             }
+         }
+ 
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+--- /dev/null
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,151 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.nio.file.Files;
++import java.nio.file.Path;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++import java.util.function.Consumer;
++import java.util.regex.Matcher;
++import java.util.regex.Pattern;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++class SystemConfigurator {
++
++    private static final Debug sdebug =
++            Debug.getInstance("properties");
++
++    private static final String CRYPTO_POLICIES_BASE_DIR =
++            "/etc/crypto-policies";
++
++    private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++            CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++    private static final String CRYPTO_POLICIES_CONFIG =
++            CRYPTO_POLICIES_BASE_DIR + "/config";
++
++    private static final class SecurityProviderInfo {
++        int number;
++        String key;
++        String value;
++        SecurityProviderInfo(int number, String key, String value) {
++            this.number = number;
++            this.key = key;
++            this.value = value;
++        }
++    }
++
++    /*
++     * Invoked when java.security.Security class is initialized, if
++     * java.security.disableSystemPropertiesFile property is not set and
++     * security.useSystemPropertiesFile is true.
++     */
++    static boolean configure(Properties props) {
++        boolean loadedProps = false;
++
++        try (BufferedInputStream bis =
++                new BufferedInputStream(
++                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++            props.load(bis);
++            loadedProps = true;
++            if (sdebug != null) {
++                sdebug.println("reading system security properties file " +
++                        CRYPTO_POLICIES_JAVA_CONFIG);
++                sdebug.println(props.toString());
++            }
++        } catch (IOException e) {
++            if (sdebug != null) {
++                sdebug.println("unable to load security properties from " +
++                        CRYPTO_POLICIES_JAVA_CONFIG);
++                e.printStackTrace();
++            }
++        }
++
++        try {
++            if (enableFips()) {
++                if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++                loadedProps = false;
++                // Remove all security providers
++                Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
++                while (i.hasNext()) {
++                    Entry<Object, Object> e = i.next();
++                    if (((String) e.getKey()).startsWith("security.provider")) {
++                        if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++                        i.remove();
++                    }
++                }
++                // Add FIPS security providers
++                String fipsProviderValue = null;
++                for (int n = 1;
++                     (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++                    String fipsProviderKey = "security.provider." + n;
++                    if (sdebug != null) {
++                        sdebug.println("Adding provider " + n + ": " +
++                                fipsProviderKey + "=" + fipsProviderValue);
++                    }
++                    props.put(fipsProviderKey, fipsProviderValue);
++                }
++                loadedProps = true;
++            }
++        } catch (Exception e) {
++            if (sdebug != null) {
++                sdebug.println("unable to load FIPS configuration");
++                e.printStackTrace();
++            }
++        }
++        return loadedProps;
++    }
++
++    /*
++     * FIPS is enabled only if crypto-policies are set to "FIPS"
++     * and the com.redhat.fips property is true.
++     */
++    private static boolean enableFips() throws Exception {
++        boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++        if (fipsEnabled) {
++            String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
++            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
++            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
++            return pattern.matcher(cryptoPoliciesConfig).find();
++        } else {
++            return false;
++        }
++    }
++}
+diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
+--- openjdk.orig/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -87,6 +87,14 @@
+ #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+ 
+ #
++# Security providers used when global crypto-policies are set to FIPS.
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
++
++#
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+ # Entries containing errors (parsing, etc) will be ignored. Use the

SOURCES/rh1750419-redhat_alt_java.patch

@@ -0,0 +1,116 @@
+diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
+--- openjdk/make/launcher/Launcher-java.base.gmk      Wed Nov 25 08:27:15 2020 +0100
++++ openjdk/make/launcher/Launcher-java.base.gmk      Tue Dec 01 12:29:30 2020 +0100
+@@ -41,6 +41,16 @@
+     OPTIMIZATION := HIGH, \
+ ))
+ 
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++    CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++    LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \
++    LIBS_windows := user32.lib comctl32.lib, \
++    EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
++    VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++    OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(OPENJDK_TARGET_OS), windows)
+   $(eval $(call SetupBuildLauncher, javaw, \
+       CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+
+diff -r 25e94aa812b2 src/share/bin/alt_main.h
+--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/src/java.base/share/native/launcher/alt_main.h	Tue Jun 02 17:15:28 2020 +0100
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include <sys/prctl.h>
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL    52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL    53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS          0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED          0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL                 (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE                (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE               (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE         (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC        (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++  if ( prctl(PR_SET_SPECULATION_CTRL,
++             PR_SPEC_STORE_BYPASS,
++             PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++    return;
++  }
++  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff -r 25e94aa812b2 src/share/bin/main.c
+--- openjdk/src/java.base/share/native/launcher/main.c	Wed Feb 05 12:20:36 2020 -0300
++++ openjdk/src/java.base/share/native/launcher/main.c	Tue Jun 02 17:15:28 2020 +0100
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+ 
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+ 

SOURCES/rh1818909-fips_default_keystore_type.patch

@@ -0,0 +1,52 @@
+diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java	Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java	Mon Mar 02 19:20:17 2020 -0300
+@@ -123,6 +123,33 @@
+                     }
+                     props.put(fipsProviderKey, fipsProviderValue);
+                 }
++                // Add other security properties
++                String keystoreTypeValue = (String) props.get("fips.keystore.type");
++                if (keystoreTypeValue != null) {
++                    String nonFipsKeystoreType = props.getProperty("keystore.type");
++                    props.put("keystore.type", keystoreTypeValue);
++                    if (keystoreTypeValue.equals("PKCS11")) {
++                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore
++                    	// must be "NONE". See JDK-8238264.
++                    	System.setProperty("javax.net.ssl.keyStore", "NONE");
++                    }
++                    if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++                        // If no trustStoreType has been set, use the
++                        // previous keystore.type under FIPS mode. In
++                        // a default configuration, the Trust Store will
++                        // be 'cacerts' (JKS type).
++                        System.setProperty("javax.net.ssl.trustStoreType",
++                                nonFipsKeystoreType);
++                    }
++                    if (sdebug != null) {
++                        sdebug.println("FIPS mode default keystore.type = " +
++                                keystoreTypeValue);
++                        sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++                        		System.getProperty("javax.net.ssl.keyStore", ""));
++                        sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++                                System.getProperty("javax.net.ssl.trustStoreType", ""));
++                    }
++                }
+                 loadedProps = true;
+             }
+         } catch (Exception e) {
+diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
+--- openjdk.orig/src/java.base/share/conf/security/java.security	Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/conf/security/java.security	Mon Mar 02 19:20:17 2020 -0300
+@@ -299,6 +299,11 @@
+ keystore.type=pkcs12
+ 
+ #
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
++#
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+ # When set to 'true', both JKS and PKCS12 keystore types support loading

SOURCES/rh1842572-rsa_default_for_keytool.patch

@@ -0,0 +1,12 @@
+diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java
++++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+@@ -1135,7 +1135,7 @@
+             }
+         } else if (command == GENKEYPAIR) {
+             if (keyAlgName == null) {
+-                keyAlgName = "DSA";
++                keyAlgName = "RSA";
+             }
+             doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
+             kssave = true;

SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch

@@ -0,0 +1,311 @@
+diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java
+--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java	Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java	Sat Aug 01 23:16:51 2020 -0300
+@@ -1,11 +1,13 @@
+ /*
+- * Copyright (c) 2019, Red Hat, Inc.
++ * Copyright (c) 2019, 2020, Red Hat, Inc.
+  *
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation.
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
+  *
+  * This code is distributed in the hope that it will be useful, but WITHOUT
+  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+@@ -34,10 +36,10 @@
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.function.Consumer;
+-import java.util.regex.Matcher;
+ import java.util.regex.Pattern;
+ 
++import jdk.internal.misc.SharedSecrets;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import sun.security.util.Debug;
+ 
+ /**
+@@ -47,7 +49,7 @@
+  *
+  */
+ 
+-class SystemConfigurator {
++final class SystemConfigurator {
+ 
+     private static final Debug sdebug =
+             Debug.getInstance("properties");
+@@ -61,15 +63,16 @@
+     private static final String CRYPTO_POLICIES_CONFIG =
+             CRYPTO_POLICIES_BASE_DIR + "/config";
+ 
+-    private static final class SecurityProviderInfo {
+-        int number;
+-        String key;
+-        String value;
+-        SecurityProviderInfo(int number, String key, String value) {
+-            this.number = number;
+-            this.key = key;
+-            this.value = value;
+-        }
++    private static boolean systemFipsEnabled = false;
++
++    static {
++        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++            new JavaSecuritySystemConfiguratorAccess() {
++                @Override
++                public boolean isSystemFipsEnabled() {
++                    return SystemConfigurator.isSystemFipsEnabled();
++                }
++            });
+     }
+ 
+     /*
+@@ -128,9 +131,9 @@
+                     String nonFipsKeystoreType = props.getProperty("keystore.type");
+                     props.put("keystore.type", keystoreTypeValue);
+                     if (keystoreTypeValue.equals("PKCS11")) {
+-                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore
+-                    	// must be "NONE". See JDK-8238264.
+-                    	System.setProperty("javax.net.ssl.keyStore", "NONE");
++                        // If keystore.type is PKCS11, javax.net.ssl.keyStore
++                        // must be "NONE". See JDK-8238264.
++                        System.setProperty("javax.net.ssl.keyStore", "NONE");
+                     }
+                     if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+                         // If no trustStoreType has been set, use the
+@@ -144,12 +147,13 @@
+                         sdebug.println("FIPS mode default keystore.type = " +
+                                 keystoreTypeValue);
+                         sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+-                        		System.getProperty("javax.net.ssl.keyStore", ""));
++                                System.getProperty("javax.net.ssl.keyStore", ""));
+                         sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+                                 System.getProperty("javax.net.ssl.trustStoreType", ""));
+                     }
+                 }
+                 loadedProps = true;
++                systemFipsEnabled = true;
+             }
+         } catch (Exception e) {
+             if (sdebug != null) {
+@@ -160,13 +164,30 @@
+         return loadedProps;
+     }
+ 
++    /**
++     * Returns whether or not global system FIPS alignment is enabled.
++     *
++     * Value is always 'false' before java.security.Security class is
++     * initialized.
++     *
++     * Call from out of this package through SharedSecrets:
++     *   SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++     *           .isSystemFipsEnabled();
++     *
++     * @return  a boolean value indicating whether or not global
++     *          system FIPS alignment is enabled.
++     */
++    static boolean isSystemFipsEnabled() {
++        return systemFipsEnabled;
++    }
++
+     /*
+      * FIPS is enabled only if crypto-policies are set to "FIPS"
+      * and the com.redhat.fips property is true.
+      */
+     private static boolean enableFips() throws Exception {
+-        boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+-        if (fipsEnabled) {
++        boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++        if (shouldEnable) {
+             String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+             if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+             Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java	Sat Aug 01 23:16:51 2020 -0300
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.misc;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++    boolean isSystemFipsEnabled();
++}
+diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java	Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java	Sat Aug 01 23:16:51 2020 -0300
+@@ -76,6 +76,7 @@
+     private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
+     private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
+     private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
++    private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+ 
+     public static JavaUtilJarAccess javaUtilJarAccess() {
+         if (javaUtilJarAccess == null) {
+@@ -361,4 +362,12 @@
+         }
+         return javaxCryptoSealedObjectAccess;
+     }
++
++    public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++        javaSecuritySystemConfiguratorAccess = jssca;
++    }
++
++    public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++        return javaSecuritySystemConfiguratorAccess;
++    }
+ }
+diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	Sat Aug 01 23:16:51 2020 -0300
+@@ -31,6 +31,7 @@
+ import java.security.cert.*;
+ import java.util.*;
+ import javax.net.ssl.*;
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -542,20 +543,38 @@
+ 
+         static {
+             if (SunJSSE.isFIPS()) {
+-                supportedProtocols = Arrays.asList(
+-                    ProtocolVersion.TLS13,
+-                    ProtocolVersion.TLS12,
+-                    ProtocolVersion.TLS11,
+-                    ProtocolVersion.TLS10
+-                );
++                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++                        .isSystemFipsEnabled()) {
++                    // RH1860986: TLSv1.3 key derivation not supported with
++                    // the Security Providers available in system FIPS mode.
++                    supportedProtocols = Arrays.asList(
++                        ProtocolVersion.TLS12,
++                        ProtocolVersion.TLS11,
++                        ProtocolVersion.TLS10
++                    );
+ 
+-                serverDefaultProtocols = getAvailableProtocols(
+-                        new ProtocolVersion[] {
+-                    ProtocolVersion.TLS13,
+-                    ProtocolVersion.TLS12,
+-                    ProtocolVersion.TLS11,
+-                    ProtocolVersion.TLS10
+-                });
++                    serverDefaultProtocols = getAvailableProtocols(
++                            new ProtocolVersion[] {
++                        ProtocolVersion.TLS12,
++                        ProtocolVersion.TLS11,
++                        ProtocolVersion.TLS10
++                    });
++                } else {
++                    supportedProtocols = Arrays.asList(
++                        ProtocolVersion.TLS13,
++                        ProtocolVersion.TLS12,
++                        ProtocolVersion.TLS11,
++                        ProtocolVersion.TLS10
++                    );
++
++                    serverDefaultProtocols = getAvailableProtocols(
++                            new ProtocolVersion[] {
++                        ProtocolVersion.TLS13,
++                        ProtocolVersion.TLS12,
++                        ProtocolVersion.TLS11,
++                        ProtocolVersion.TLS10
++                    });
++                }
+             } else {
+                 supportedProtocols = Arrays.asList(
+                     ProtocolVersion.TLS13,
+@@ -620,6 +639,16 @@
+ 
+         static ProtocolVersion[] getSupportedProtocols() {
+             if (SunJSSE.isFIPS()) {
++                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++                        .isSystemFipsEnabled()) {
++                    // RH1860986: TLSv1.3 key derivation not supported with
++                    // the Security Providers available in system FIPS mode.
++                    return new ProtocolVersion[] {
++                            ProtocolVersion.TLS12,
++                            ProtocolVersion.TLS11,
++                            ProtocolVersion.TLS10
++                    };
++                }
+                 return new ProtocolVersion[] {
+                         ProtocolVersion.TLS13,
+                         ProtocolVersion.TLS12,
+@@ -949,6 +978,16 @@
+ 
+         static ProtocolVersion[] getProtocols() {
+             if (SunJSSE.isFIPS()) {
++                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++                        .isSystemFipsEnabled()) {
++                    // RH1860986: TLSv1.3 key derivation not supported with
++                    // the Security Providers available in system FIPS mode.
++                    return new ProtocolVersion[] {
++                            ProtocolVersion.TLS12,
++                            ProtocolVersion.TLS11,
++                            ProtocolVersion.TLS10
++                    };
++                }
+                 return new ProtocolVersion[]{
+                         ProtocolVersion.TLS13,
+                         ProtocolVersion.TLS12,
+diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java	Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java	Sat Aug 01 23:16:51 2020 -0300
+@@ -27,6 +27,8 @@
+ 
+ import java.security.*;
+ import java.util.*;
++
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.rsa.SunRsaSignEntries;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.provider.SunEntries.createAliases;
+@@ -195,8 +197,13 @@
+             "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
+         ps("SSLContext", "TLSv1.2",
+             "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
+-        ps("SSLContext", "TLSv1.3",
+-            "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++        if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++                .isSystemFipsEnabled()) {
++            // RH1860986: TLSv1.3 key derivation not supported with
++            // the Security Providers available in system FIPS mode.
++            ps("SSLContext", "TLSv1.3",
++                "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++        }
+         ps("SSLContext", "TLS",
+             "sun.security.ssl.SSLContextImpl$TLSContext",
+             (isfips? null : createAliases("SSL")), null);

SOURCES/rh1915071-always_initialise_configurator_access.patch

@@ -0,0 +1,68 @@
+diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@
+ 
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.misc.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -74,6 +75,15 @@
+     }
+ 
+     static {
++        // Initialise here as used by code with system properties disabled
++        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++            new JavaSecuritySystemConfiguratorAccess() {
++                @Override
++                public boolean isSystemFipsEnabled() {
++                    return SystemConfigurator.isSystemFipsEnabled();
++                }
++            });
++
+         // doPrivileged here because there are multiple
+         // things in initialize that might require privs.
+         // (the FileInputStream call and the File.exists call,
+@@ -193,9 +203,8 @@
+         }
+ 
+         String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+-        if (disableSystemProps == null &&
+-            "true".equalsIgnoreCase(props.getProperty
+-                ("security.useSystemPropertiesFile"))) {
++        if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
++            "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+             if (SystemConfigurator.configure(props)) {
+                 loadedProps = true;
+             }
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -38,8 +38,6 @@
+ import java.util.Properties;
+ import java.util.regex.Pattern;
+ 
+-import jdk.internal.misc.SharedSecrets;
+-import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import sun.security.util.Debug;
+ 
+ /**
+@@ -65,16 +63,6 @@
+ 
+     private static boolean systemFipsEnabled = false;
+ 
+-    static {
+-        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+-            new JavaSecuritySystemConfiguratorAccess() {
+-                @Override
+-                public boolean isSystemFipsEnabled() {
+-                    return SystemConfigurator.isSystemFipsEnabled();
+-                }
+-            });
+-    }
+-
+     /*
+      * Invoked when java.security.Security class is initialized, if
+      * java.security.disableSystemPropertiesFile property is not set and

SOURCES/rh1929465-improve_system_FIPS_detection.patch

@@ -0,0 +1,430 @@
+diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
+--- openjdk.orig/make/autoconf/libraries.m4
++++ openjdk/make/autoconf/libraries.m4
+@@ -101,6 +101,7 @@
+   LIB_SETUP_LIBFFI
+   LIB_SETUP_BUNDLED_LIBS
+   LIB_SETUP_MISC_LIBS
++  LIB_SETUP_SYSCONF_LIBS
+   LIB_SETUP_SOLARIS_STLPORT
+   LIB_TESTS_SETUP_GRAALUNIT
+ 
+@@ -223,3 +224,62 @@
+   fi
+ ])
+ 
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++  ###############################################################################
++  #
++  # Check for the NSS library
++  #
++
++  AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++  # default is not available
++  DEFAULT_SYSCONF_NSS=no
++
++  AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++     [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++  [
++    case "${enableval}" in
++      yes)
++        sysconf_nss=yes
++        ;;
++      *)
++        sysconf_nss=no
++        ;;
++    esac
++  ],
++  [
++    sysconf_nss=${DEFAULT_SYSCONF_NSS}
++  ])
++  AC_MSG_RESULT([$sysconf_nss])
++
++  USE_SYSCONF_NSS=false
++  if test "x${sysconf_nss}" = "xyes"; then
++      PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++      if test "x${NSS_FOUND}" = "xyes"; then
++         AC_MSG_CHECKING([for system FIPS support in NSS])
++         saved_libs="${LIBS}"
++         saved_cflags="${CFLAGS}"
++         CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++         LIBS="${LIBS} ${NSS_LIBS}"
++         AC_LANG_PUSH([C])
++         AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++                                         [[SECMOD_GetSystemFIPSEnabled()]])],
++                        [AC_MSG_RESULT([yes])],
++                        [AC_MSG_RESULT([no])
++                        AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++         AC_LANG_POP([C])
++         CFLAGS="${saved_cflags}"
++         LIBS="${saved_libs}"
++         USE_SYSCONF_NSS=true
++      else
++         dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++         dnl in nss3/pk11pub.h.
++         AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++      fi
++  fi
++  AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
+--- openjdk.orig/make/autoconf/spec.gmk.in
++++ openjdk/make/autoconf/spec.gmk.in
+@@ -828,6 +828,10 @@
+ # Libraries
+ #
+ 
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk
+--- openjdk.orig/make/lib/Lib-java.base.gmk
++++ openjdk/make/lib/Lib-java.base.gmk
+@@ -179,6 +179,31 @@
+ endif
+ 
+ ################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++  LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++  LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++  $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++      NAME := systemconf, \
++      OPTIMIZATION := LOW, \
++      CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++      CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++      LDFLAGS := $(LDFLAGS_JDKLIB) \
++          $(call SET_SHARED_LIBRARY_ORIGIN), \
++      LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++  ))
++
++  TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
++################################################################################
+ # Create the symbols file for static builds.
+ 
+ ifeq ($(STATIC_BUILD), true)
+diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml
+--- openjdk.orig/make/nb_native/nbproject/configurations.xml
++++ openjdk/make/nb_native/nbproject/configurations.xml
+@@ -2950,6 +2950,9 @@
+                   <in>LinuxWatchService.c</in>
+                 </df>
+               </df>
++              <df name="libsystemconf">
++                <in>systemconf.c</in>
++              </df>
+             </df>
+           </df>
+           <df name="macosx">
+@@ -29301,6 +29304,11 @@
+             tool="0"
+             flavor2="0">
+       </item>
++      <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
++            ex="false"
++            tool="0"
++            flavor2="0">
++      </item>
+       <item path="../../src/java.base/macosx/native/include/jni_md.h"
+             ex="false"
+             tool="3"
+diff --git openjdk.orig/make/scripts/compare_exceptions.sh.incl openjdk/make/scripts/compare_exceptions.sh.incl
+--- openjdk.orig/make/scripts/compare_exceptions.sh.incl
++++ openjdk/make/scripts/compare_exceptions.sh.incl
+@@ -179,6 +179,7 @@
+       ./lib/libsplashscreen.so
+       ./lib/libsunec.so
+       ./lib/libsunwjdga.so
++      ./lib/libsystemconf.so
+       ./lib/libunpack.so
+       ./lib/libverify.so
+       ./lib/libzip.so
+@@ -289,6 +290,7 @@
+       ./lib/libsplashscreen.so
+       ./lib/libsunec.so
+       ./lib/libsunwjdga.so
++      ./lib/libsystemconf.so
+       ./lib/libunpack.so
+       ./lib/libverify.so
+       ./lib/libzip.so
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+new file mode 100644
+--- /dev/null
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -0,0 +1,168 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <dlfcn.h>
++#include <jni.h>
++#include <jni_util.h>
++#include <stdio.h>
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++#define MSG_MAX_SIZE 96
++
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void throwIOException(JNIEnv *env, const char *msg);
++static void dbgPrint(JNIEnv *env, const char* msg);
++
++/*
++ * Class:     java_security_SystemConfigurator
++ * Method:    JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++    JNIEnv *env;
++    jclass sysConfCls, debugCls;
++    jfieldID sdebugFld;
++
++    if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++        return JNI_EVERSION; /* JNI version not supported */
++    }
++
++    sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++    if (sysConfCls == NULL) {
++        printf("libsystemconf: SystemConfigurator class not found\n");
++        return JNI_ERR;
++    }
++    sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++            "sdebug", "Lsun/security/util/Debug;");
++    if (sdebugFld == NULL) {
++        printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++        return JNI_ERR;
++    }
++    debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++    if (debugObj != NULL) {
++        debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++        if (debugCls == NULL) {
++            printf("libsystemconf: Debug class not found\n");
++            return JNI_ERR;
++        }
++        debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++                "println", "(Ljava/lang/String;)V");
++        if (debugPrintlnMethodID == NULL) {
++            printf("libsystemconf: Debug::println(String) method not found\n");
++            return JNI_ERR;
++        }
++        debugObj = (*env)->NewGlobalRef(env, debugObj);
++    }
++
++    return (*env)->GetVersion(env);
++}
++
++/*
++ * Class:     java_security_SystemConfigurator
++ * Method:    JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++    JNIEnv *env;
++
++    if (debugObj != NULL) {
++        if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++            return; /* Should not happen */
++        }
++        (*env)->DeleteGlobalRef(env, debugObj);
++    }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++  (JNIEnv *env, jclass cls)
++{
++    int fips_enabled;
++    char msg[MSG_MAX_SIZE];
++    int msg_bytes;
++
++#ifdef SYSCONF_NSS
++
++    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++    fips_enabled = SECMOD_GetSystemFIPSEnabled();
++    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++        dbgPrint(env, msg);
++    } else {
++        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++                " SECMOD_GetSystemFIPSEnabled return value");
++    }
++    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++
++#else // SYSCONF_NSS
++
++    FILE *fe;
++
++    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++        throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++    }
++    fips_enabled = fgetc(fe);
++    fclose(fe);
++    if (fips_enabled == EOF) {
++        throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++    }
++    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++            " read character is '%c'", fips_enabled);
++    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++        dbgPrint(env, msg);
++    } else {
++        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++                " read character");
++    }
++    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++
++#endif // SYSCONF_NSS
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++    jclass cls = (*env)->FindClass(env, "java/io/IOException");
++    if (cls != 0)
++        (*env)->ThrowNew(env, cls, msg);
++}
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++    jstring jMsg;
++    if (debugObj != NULL) {
++        jMsg = (*env)->NewStringUTF(env, msg);
++        CHECK_NULL(jMsg);
++        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++    }
++}
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2019, 2020, Red Hat, Inc.
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
+  *
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+@@ -30,13 +30,9 @@
+ import java.io.FileInputStream;
+ import java.io.IOException;
+ 
+-import java.nio.file.Files;
+-import java.nio.file.Path;
+-
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.regex.Pattern;
+ 
+ import sun.security.util.Debug;
+ 
+@@ -58,10 +54,21 @@
+     private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+             CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+ 
+-    private static final String CRYPTO_POLICIES_CONFIG =
+-            CRYPTO_POLICIES_BASE_DIR + "/config";
++    private static boolean systemFipsEnabled = false;
++
++    private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++    private static native boolean getSystemFIPSEnabled()
++            throws IOException;
+ 
+-    private static boolean systemFipsEnabled = false;
++    static {
++        AccessController.doPrivileged(new PrivilegedAction<Void>() {
++            public Void run() {
++                System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++                return null;
++            }
++        });
++    }
+ 
+     /*
+      * Invoked when java.security.Security class is initialized, if
+@@ -170,16 +177,34 @@
+     }
+ 
+     /*
+-     * FIPS is enabled only if crypto-policies are set to "FIPS"
+-     * and the com.redhat.fips property is true.
++     * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
++     * system property is true (default) and the system is in FIPS mode.
++     *
++     * There are 2 possible ways in which OpenJDK detects that the system
++     * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++     * available at OpenJDK's built-time, it is called; 2) otherwise, the
++     * /proc/sys/crypto/fips_enabled file is read.
+      */
+     private static boolean enableFips() throws Exception {
+         boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+         if (shouldEnable) {
+-            String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+-            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+-            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+-            return pattern.matcher(cryptoPoliciesConfig).find();
++            if (sdebug != null) {
++                sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++            }
++            try {
++                shouldEnable = getSystemFIPSEnabled();
++                if (sdebug != null) {
++                    sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++                            + shouldEnable);
++                }
++                return shouldEnable;
++            } catch (IOException e) {
++                if (sdebug != null) {
++                    sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++                    sdebug.println(e.getMessage());
++                }
++                throw e;
++            }
+         } else {
+             return false;
+         }

SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch

@@ -0,0 +1,19 @@
+Remove uses of FAR in jpeg code
+
+Upstream libjpeg-trubo removed the (empty) FAR macro:
+http://sourceforge.net/p/libjpeg-turbo/code/1312/
+
+Adjust our code to not use the undefined FAR macro anymore.
+
+diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+@@ -1385,7 +1385,7 @@
+     /* and fill it in */
+     dst_ptr = icc_data;
+     for (seq_no = first; seq_no < last; seq_no++) {
+-        JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
++        JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+         unsigned int length =
+             icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
+