diff --git a/.gitignore b/.gitignore index 09ab344..c595679 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz +SOURCES/jdk-updates-jdk11u-jdk-11.0.14+9-4curve.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index 42cb995..5813a51 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz +f8da9d387162a2354eb36d9bdb6d540e84321422 SOURCES/jdk-updates-jdk11u-jdk-11.0.14+9-4curve.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 26c3f66..68212a8 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,861 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 11.0.14 (2022-01-18): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11014 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.txt + +* New features + - JDK-8248238: Implementation: JEP 388: Windows AArch64 Support +* Security fixes + - JDK-8217375: jarsigner breaks old signature with long lines in manifest + - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside + - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization + - JDK-8268488: More valuable DerValues + - JDK-8268494: Better inlining of inlined interfaces + - JDK-8268512: More content for ContentInfo + - JDK-8268795: Enhance digests of Jar files + - JDK-8268801: Improve PKCS attribute handling + - JDK-8268813, CVE-2022-21283: Better String matching + - JDK-8269151: Better construction of EncryptedPrivateKeyInfo + - JDK-8269944: Better HTTP transport redux + - JDK-8270386, CVE-2022-21291: Better verification of scan methods + - JDK-8270392, CVE-2022-21293: Improve String constructions + - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps + - JDK-8270492, CVE-2022-21282: Better resolution of URIs + - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management + - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities + - JDK-8270952, CVE-2022-21277: Improve TIFF file handling + - JDK-8271962: Better TrueType font loading + - JDK-8271968: Better canonical naming + - JDK-8271987: Manifest improved manifest entries + - JDK-8272014, CVE-2022-21305: Better array indexing + - JDK-8272026, CVE-2022-21340: Verify Jar Verification + - JDK-8272236, CVE-2022-21341: Improve serial forms for transport + - JDK-8272272: Enhance jcmd communication + - JDK-8272462: Enhance image handling + - JDK-8273290: Enhance sound handling + - JDK-8273756, CVE-2022-21360: Enhance BMP image support + - JDK-8273838, CVE-2022-21365: Enhanced BMP processing + - JDK-8274096, CVE-2022-21366: Improve decoding of image files + - JDK-8279541: Improve HarfBuzz +* Other changes + - JDK-6849922: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.html fails + - JDK-7105119: [TEST_BUG] [macosx] In test UIDefaults.toString() must be called with the invokeLater() + - JDK-7151826: [TEST_BUG] [macosx] The test javax/swing/JPopupMenu/4966112/bug4966112.java not for mac + - JDK-7179006: [macosx] Print-to-file doesn't work: printing to the default printer instead + - JDK-8015602: [macosx] Test javax/swing/SpringLayout/4726194/bug4726194.java fails on MacOSX + - JDK-8034084: nsk.nsk/jvmti/ThreadStart/threadstart003 Wrong number of thread end events + - JDK-8039261: [TEST_BUG]: There is not a minimal security level in Java Preferences and the TestApplet.html is blocked. + - JDK-8047218: [TEST_BUG] java/awt/FullScreen/AltTabCrashTest/AltTabCrashTest.java fails with exception + - JDK-8075909: [TEST_BUG] The regression-swing case failed as it does not have the 'Open' button when select 'subdir' folder with NimbusLAF + - JDK-8078219: Verify lack of @test tag in files in java/net test directory + - JDK-8080569: java/lang/ProcessBuilder/DestroyTest.java fails with "RuntimeException: Process terminated prematurely" + - JDK-8081652: [TESTBUG] java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java timed out intermittently + - JDK-8129310: java/net/Socket/asyncClose/AsyncClose.java fails intermittently + - JDK-8131745: java/lang/management/ThreadMXBean/AllThreadIds.java still fails intermittently + - JDK-8136517: [macosx]Test java/awt/Focus/8073453/AWTFocusTransitionTest.java fails on MacOSX + - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing + - JDK-8143021: [TEST_BUG] Test javax/swing/JColorChooser/Test6541987.java fails + - JDK-8159597: [TEST_BUG] closed/javax/swing/JPopupMenu/4760494/bug4760494.java leaves key pressed + - JDK-8159904: [TEST_BUG] Failure on solaris of java/awt/Window/MultiWindowApp/MultiWindowAppTest.java + - JDK-8163086: java/awt/Window/TranslucentJAppletTest/TranslucentJAppletTest.java fails + - JDK-8165828: [TEST_BUG] The reg case:javax/swing/plaf/metal/MetalIcons/MetalHiDPIIconsTest.java failed as No Metal Look and Feel + - JDK-8169953: JComboBox/8057893: ComboBoxEdited event is not fired! on Windows + - JDK-8169954: JFileChooser/8021253: java.lang.RuntimeException: Default button is not pressed + - JDK-8169959: javax/swing/JTable/6263446/bug6263446.java: Table should be editing + - JDK-8171381: [TEST_BUG] [macos] javax/swing/JPopupMenu/7156657/bug7156657.java fails on OS X + - JDK-8171998: javax/swing/JMenu/4692443/bug4692443.java fails on Windows + - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently + - JDK-8179880: Refactor javax/security shell tests to plain java tests + - JDK-8180568: Refactor javax/crypto shell tests to plain java tests + - JDK-8180569: Refactor sun/security/krb5/ shell tests to plain java tests + - JDK-8180571: Refactor sun/security/pkcs11 shell tests to plain java tests and fix failures + - JDK-8180573: Refactor sun/security/tools shell tests to plain java tests + - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar + - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream + - JDK-8195703: BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2' + - JDK-8196096: javax/swing/JPopupMenu/6580930/bug6580930.java fails + - JDK-8197560: test javax/swing/JTree/8003400/Test8003400.java fails + - JDK-8197800: Test java/awt/Focus/NonFocusableWindowTest/NoEventsTest.java fails on Windows + - JDK-8197811: Test java/awt/Choice/PopupPosTest/PopupPosTest.java fails on Windows + - JDK-8198616: java/awt/Focus/6378278/InputVerifierTest.java fails on mac + - JDK-8198617: java/awt/Focus/6382144/EndlessLoopTest.java fails on mac + - JDK-8198619: java/awt/Focus/FocusTraversalPolicy/ButtonGroupLayoutTraversal/ButtonGroupLayoutTraversalTest.java fails on mac + - JDK-8198623: java/awt/KeyboardFocusmanager/TypeAhead/EnqueueWithDialogButtonTest/EnqueueWithDialogButtonTest.java fails on mac + - JDK-8198624: java/awt/KeyboardFocusmanager/TypeAhead/SubMenuShowTest/SubMenuShowTest.html fails on mac + - JDK-8199138: Add RISC-V support to Zero + - JDK-8199529: javax/swing/text/Utilities/8142966/SwingFontMetricsTest.java fails on windows + - JDK-8201224: Make string buffer size dynamic in mlvmJvmtiUtils.c + - JDK-8202342: [Graal] fromTonga/nsk/jvmti/unit/FollowReferences/followref003/TestDescription.java fails with "Location mismatch" errors + - JDK-8204161: [TESTBUG] auto failed with the "Applet thread threw exception: java.lang.UnsupportedOperationException" exception + - JDK-8206085: Refactor langtools/tools/javac/versions/Versions.java + - JDK-8207936: TestZipFile failed with java.lang.AssertionError exception + - JDK-8208242: Add @requires to vmTestbase/gc/g1 tests + - JDK-8209611: use C++ compiler for hotspot tests + - JDK-8210182: Remove macros for C compilation from vmTestBase but non jvmti + - JDK-8210198: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[A-F] tests + - JDK-8210205: build fails on AIX in hotspot cpp tests (for example getstacktr001.cpp) + - JDK-8210242: [TESTBUG] vmTestbase/nsk/stress/jni/jnistress001.java crashes with EXCEPTION_ACCESS_VIOLATION on windows-x86 + - JDK-8210353: Move java/util/Arrays/TimSortStackSize2.java back to tier1 + - JDK-8210385: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[A-N] tests + - JDK-8210392: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit + - JDK-8210395: Add doc to SecurityTools.java + - JDK-8210429: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[G-Z] tests + - JDK-8210481: Remove #ifdef cplusplus from vmTestbase + - JDK-8210593: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[N-R] tests + - JDK-8210665: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[R-U] tests + - JDK-8210689: Remove the multi-line old C style for string literals + - JDK-8210700: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti/unit tests + - JDK-8210726: Fix up a few minor nits forgotten by JDK-8210665 + - JDK-8210920: Native C++ tests are not using CXXFLAGS + - JDK-8210984: [TESTBUG] hs203t003 fails with "# ERROR: hs203t003.cpp, 218: NSK_CPP_STUB2 ( ResumeThread, jvmti, thread)" + - JDK-8211036: Remove the NSK_STUB macros from vmTestbase for non jvmti + - JDK-8211131: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[G-I]* + - JDK-8211148: var in implicit lambdas shouldn't be accepted for source < 11 + - JDK-8211171: move JarUtils to top-level testlibrary + - JDK-8211227: Inconsistent TLS protocol version in debug output + - JDK-8211261: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[A-G]* + - JDK-8211432: [REDO] Handle JNIGlobalRefLocker.cpp + - JDK-8211782: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[I-S]* + - JDK-8211801: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[A-E] + - JDK-8211899: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[E-M] + - JDK-8211905: Remove multiple casts for EM06 file + - JDK-8211999: Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI) + - JDK-8212082: Remove the NSK_CPP_STUB macros for remaining vmTestbase/jvmti/[sS]* + - JDK-8212083: Handle remaining gc/lock native code and fix two strings + - JDK-8212148: Remove remaining NSK_CPP_STUBs + - JDK-8213110: Remove the use of applets in automatic tests + - JDK-8213189: Make restricted headers in HTTP Client configurable and remove Date by default + - JDK-8213263: fix legal headers in test/langtools + - JDK-8213296: Fix legal headers in test/jdk/java/net + - JDK-8213301: Fix legal headers in jdk logging tests + - JDK-8213305: Fix legal headers in test/java/math + - JDK-8213306: Fix legal headers in test/java/nio + - JDK-8213328: Update test copyrights in test/java/util/zip and test/jdk/tools + - JDK-8213330: Fix legal headers in i18n tests + - JDK-8213707: [TEST] vmTestbase/nsk/stress/except/except011.java failed due to wrong class name + - JDK-8214469: [macos] PIT: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.java fails + - JDK-8215410: Regression test for JDK-8214994 + - JDK-8215568: Refactor SA clhsdb tests to use ClhsdbLauncher + - JDK-8215624: Add parallel heap iteration for jmap –histo + - JDK-8215889: assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC + - JDK-8216318: The usage of Disposer in the java.awt.Robot can be deleted + - JDK-8216417: cleanup of IPv6 scope-id handling + - JDK-8217377: javax/swing/JPopupMenu/6583251/bug6583251.java failed with UnsupportedOperation exception + - JDK-8217438: Adapt tools//launcher/Test7029048.java for AIX + - JDK-8217633: Configurable extensions with system properties + - JDK-8217882: java/net/httpclient/MaxStreams.java failed once + - JDK-8217903: java/net/httpclient/Response204.java fails with 404 + - JDK-8218483: Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5" + - JDK-8219986: Change to Xcode 10.1 for building on Macosx at Oracle + - JDK-8220575: Correctly format test URI's that contain a retrieved IPv6 address + - JDK-8221259: New tests for java.net.Socket to exercise long standing behavior + - JDK-8221305: java/awt/FontMetrics/MaxAdvanceIsMax.java fails on MacOS + Solaris + - JDK-8221902: PIT: javax/swing/JRadioButton/FocusTraversal/FocusTraversal.java fails on ubuntu + - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04 + - JDK-8222446: assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ + - JDK-8223137: Rename predicate 'do_unroll_only()' to 'is_unroll_only()'. + - JDK-8223138: Small clean-up in loop-tree support. + - JDK-8223139: Rename mandatory policy-do routines. + - JDK-8223140: Clean-up in 'ok_to_convert()' + - JDK-8223141: Change (count) suffix _ct into _cnt. + - JDK-8223400: Replace some enums with static const members in hotspot/runtime + - JDK-8223658: Performance regression of XML.validation in 13-b19 + - JDK-8223923: C2: Missing interference with mismatched unsafe accesses + - JDK-8224829: AsyncSSLSocketClose.java has timing issue + - JDK-8225083: Remove Google certificate that is expiring in December 2021 + - JDK-8226514: Replace wildcard address with loopback or local host in tests - part 17 + - JDK-8226943: compile error in libfollowref003.cpp with XCode 10.2 on macosx + - JDK-8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine" + - JDK-8228508: [TESTBUG] java/net/httpclient/SmokeTest.java fails on Windows7 + - JDK-8229935: [TEST_BUG]: bug8132119.java inconsistently positions text + - JDK-8230019: [REDO] compiler/types/correctness/* tests fail with "assert(recv == __null || recv->is_klass()) failed: wrong type" + - JDK-8230067: Add optional automatic retry when running jtreg tests + - JDK-8230228: [TESTBUG] Several runtime/ErrorHandling tests may fail on some platforms + - JDK-8231501: VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99 + - JDK-8233403: Improve verbosity of some httpclient tests + - JDK-8233550: [TESTBUG] JTree tests fail regularly on MacOS + - JDK-8233552: [TESTBUG] JTable Test bug7068740.java fails on MacOS + - JDK-8233553: [TESTBUG] JSpinner test bug4973721.java fails on MacOS + - JDK-8233555: [TESTBUG] JRadioButton tests failing on MacoS + - JDK-8233556: [TESTBUG] JPopupMenu tests fail on MacOS + - JDK-8233559: [TESTBUG] TestNimbusOverride.java is failing on macos + - JDK-8233560: [TESTBUG] ToolTipManager/Test6256140.java is failing on macos + - JDK-8233561: [TESTBUG] Swing text test bug8014863.java fails on macos + - JDK-8233562: [TESTBUG] Swing StyledEditorKit test bug4506788.java fails on MacOS + - JDK-8233564: [TESTBUG] MouseComboBoxTest.java is failing + - JDK-8233566: [TESTBUG] KeyboardFocusManager tests failing on MacoS + - JDK-8233567: [TESTBUG] FocusSubRequestTest.java fails on macos + - JDK-8233569: [TESTBUG] JTextComponent test bug6361367.java fails on macos + - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos + - JDK-8233634: [TESTBUG] Swing text test bug4278839.java fails on macos + - JDK-8233635: [TESTBUG] ProgressMonitorEscapeKeyPress.java fails on macos + - JDK-8233637: [TESTBUG] Swing ActionListenerCalledTwiceTest.java fails on macos + - JDK-8233638: [TESTBUG] Swing test ScreenMenuBarInputTwice.java fails on macos + - JDK-8233641: [TESTBUG] JMenuItem test bug4171437.java fails on macos + - JDK-8233642: [TESTBUG] JMenuBar test bug 4750590.java fails on macos + - JDK-8233643: [TESTBUG] JMenu test bug4515762.java fails on macos + - JDK-8233644: [TESTBUG] JInternalFrame test bug8020708.java is failing on macos + - JDK-8233647: [TESTBUG] JColorChooser/Test8051548.java is failing on macos + - JDK-8234802: [TESTBUG] Test Right Mouse Button Drag Gesture Recognition in all the platforms + - JDK-8234823: java/net/Socket/Timeouts.java testcase testTimedConnect2() fails on Windows 10 + - JDK-8235784: java/lang/invoke/VarHandles/VarHandleTestByteArrayAsInt.java fails due to timeout with fastdebug bits + - JDK-8236042: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -Xcomp -XX:TieredStopAtLevel=1 + - JDK-8236177: assert(status == 0) failed: error ETIMEDOUT(60), cond_wait + - JDK-8236596: HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel + - JDK-8237354: Add option to jcmd to write a gzipped heap dump + - JDK-8237589: Fix copyright header formatting + - JDK-8238677: java/net/httpclient/ssltest/CertificateTest.java should not specify TLS version + - JDK-8239334: Tab Size does not work correctly in JTextArea with setLineWrap on + - JDK-8239422: [TESTBUG] compiler/c1/TestPrintIRDuringConstruction.java failed when C1 is disabled + - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual + - JDK-8240256: Better resource cleaning for SunPKCS11 Provider + - JDK-8242044: Add basic HTTP/1.1 support to the HTTP/2 Test Server + - JDK-8242526: PIT: javax/swing/JInternalFrame/8020708/bug8020708.java fails in mach5 ubuntu system + - JDK-8242793: Incorrect copyright header in ContinuousCallSiteTargetChange.java + - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails + - JDK-8244292: Headful clients failing with --illegal-access=deny + - JDK-8245147: Refactor and improve utility of test/langtools/tools/javac/versions/Versions.java + - JDK-8245165: Update bug id for javax/swing/text/StyledEditorKit/4506788/bug4506788.java in ProblemList + - JDK-8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA + - JDK-8246114: java/net/MulticastSocket/Promiscuous.java fails after 8241072 (multi-homed systems) + - JDK-8246807: Incorrect copyright header in TimeZoneDatePermissionCheck.sh + - JDK-8247403: JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder + - JDK-8247510: typo in IllegalHandshakeMessage + - JDK-8248187: [TESTBUG] javax/swing/plaf/basic/BasicGraphicsUtils/8132119/bug8132119.java fails with String is not properly drawn + - JDK-8248341: ProblemList java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java + - JDK-8248500: AArch64: Remove the r18 dependency on Windows AArch64 + - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked + - JDK-8249195: Change to Xcode 11.3.1 for building on Macos at Oracle + - JDK-8250521: Configure initial RTO to use minimal retry for loopback connections on Windows + - JDK-8250810: Push missing parts of JDK-8248817 + - JDK-8250839: Improve test template SSLEngineTemplate with SSLContextTemplate + - JDK-8250863: Build error with GCC 10 in NetworkInterface.c and k_standard.c + - JDK-8250888: nsk/jvmti/scenarios/general_functions/GF08/gf08t001/TestDriver.java fails + - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits + - JDK-8251377: [macos11] JTabbedPane selected tab text is barely legible + - JDK-8251570: JDK-8215624 causes assert(worker_id < _n_workers) failed: Invalid worker_id + - JDK-8251930: AArch64: Native types mismatch in hotspot + - JDK-8252049: Native memory leak in ciMethodData ctor + - JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly + - JDK-8252114: Windows-AArch64: Enable and test ZGC and ShenandoahGC + - JDK-8253015: Aarch64: Move linux code out from generic CPU feature detection + - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens + - JDK-8253497: Core Libs Terminology Refresh + - JDK-8253682: The AppletInitialFocusTest1.java is unstable + - JDK-8253763: ParallelObjectIterator should have virtual destructor + - JDK-8253866: Security Libs Terminology Refresh + - JDK-8254802: ThrowingPushPromisesAsStringCustom.java fails in "try throwing in GET_BODY" + - JDK-8255227: java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface + - JDK-8255264: Support for identifying the full range of IPv4 localhost addresses on Windows + - JDK-8255716: AArch64: Regression: JVM crashes if manually offline a core + - JDK-8255722: Create a new test for rotated blit + - JDK-8256009: Remove src/hotspot/share/adlc/Test/i486.ad + - JDK-8256066: Tests use deprecated TestNG API that is no longer available in new versions + - JDK-8256152: tests fail because of ambiguous method resolution + - JDK-8256182: Update qemu-debootstrap cross-compilation recipe + - JDK-8256201: java/awt/FullScreen/FullscreenWindowProps/FullscreenWindowProps.java failed + - JDK-8256202: Some tweaks for jarsigner tests PosixPermissionsTest and SymLinkTest + - JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font + - JDK-8256956: RegisterImpl::max_slots_per_register is incorrect on AMD64 + - JDK-8258457: testlibrary_tests/ctw/JarDirTest.java fails with InvalidPathException on windows + - JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3 + - JDK-8259237: Demo selection changes with left/right arrow key. No need to press space for selection. + - JDK-8260571: Add PrintMetaspaceStatistics to print metaspace statistics upon VM exit + - JDK-8260690: JConsole User Guide Link from the Help menu is not accessible by keyboard + - JDK-8261036: Reduce classes loaded by CleanerFactory initialization + - JDK-8261071: AArch64: Refactor interpreter native wrappers + - JDK-8261075: Create stubRoutines.inline.hpp with SafeFetch implementation + - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled + - JDK-8261297: NMT: Final report should use scale 1 + - JDK-8261661: gc/stress/TestReclaimStringsLeaksMemory.java fails because Reserved memory size is too big + - JDK-8261916: gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed + - JDK-8262438: sun/security/ssl/SSLLogger/LoggingFormatConsistency.java failed with "SocketException: Socket is closed" + - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" + - JDK-8262844: (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3 + - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert + - JDK-8263068: Rename safefetch.hpp to safefetch.inline.hpp + - JDK-8263303: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint + - JDK-8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify + - JDK-8263773: Reenable German localization for builds at Oracle + - JDK-8263897: compiler/c2/aarch64/TestVolatilesSerial.java failed with "java.lang.RuntimeException: Wrong method" + - JDK-8264526: javax/swing/text/html/parser/Parser/8078268/bug8078268.java timeout + - JDK-8264824: java/net/Inet6Address/B6206527.java doesn't close ServerSocket properly + - JDK-8265019: Update tests for additional TestNG test permissions + - JDK-8265173: [test] divert spurious log output away from stream under test in ProcessBuilder Basic test + - JDK-8265524: Upgrading JSZip from v3.2.2 to v3.6.0 + - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java + - JDK-8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java + - JDK-8266949: Check possibility to disable OperationTimedOut on Unix + - JDK-8267246: -XX:MaxRAMPercentage=0 is unreasonable for jtreg tests on many-core machines + - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl + - JDK-8267304: Bump global JTReg memory limit to 768m + - JDK-8267652: c2 loop unrolling by 8 results in reading memory past array + - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8268093: Manual Testcase: "sun/security/krb5/config/native/TestDynamicStore.java" Fails with NPE + - JDK-8268555: Update HttpClient tests that use ITestContext to jtreg 6+1 + - JDK-8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only + - JDK-8269034: AccessControlException for SunPKCS11 daemon threads + - JDK-8269426: Rename test/jdk/java/lang/invoke/t8150782 to accessClassAndFindClass + - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events + - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles + - JDK-8269768: JFR Terminology Refresh + - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked + - JDK-8269984: [macos] JTabbedPane title looks like disabled + - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags + - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS + - JDK-8270216: [macOS] Update named used for Java run loop mode + - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error + - JDK-8270290: NTLM authentication fails if HEAD request is used + - JDK-8270317: Large Allocation in CipherSuite + - JDK-8270344: Session resumption errors + - JDK-8270517: Add Zero support for LoongArch + - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS + - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling + - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected" + - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop + - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java + - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity + - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling + - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" + - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions + - JDK-8272180: Upgrade JSZip from v3.6.0 to v3.7.1 + - JDK-8272181: Windows-AArch64:Backport fix of `Backtracing broken on PAC enabled systems` + - JDK-8272316: Wrong Boot JDK help message in 11 + - JDK-8272318: Improve performance of HeapDumpAllTest + - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions + - JDK-8272570: C2: crash in PhaseCFG::global_code_motion + - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 + - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled + - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit + - JDK-8272783: Epsilon: Refactor tests to improve performance + - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed + - JDK-8272828: Add correct licenses to jszip.md + - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests + - JDK-8272850: Drop zapping values in the Zap* option descriptions + - JDK-8272902: Bump update version for OpenJDK: jdk-11.0.14 + - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups + - JDK-8272966: test/jdk/java/awt/Robot/FlushCurrentEvent.java fails by timeout + - JDK-8273026: Slow LoginContext.login() on multi threading application + - JDK-8273229: Update OS detection code to recognize Windows Server 2022 + - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit + - JDK-8273308: PatternMatchTest.java fails on CI + - JDK-8273314: Add tier4 test groups + - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 + - JDK-8273358: macOS Monterey does not have the font Times needed by Serif + - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero + - JDK-8273498: compiler/c2/Test7179138_1.java timed out + - JDK-8273541: Cleaner Thread creates with normal priority instead of MAX_PRIORITY - 2 + - JDK-8273547: [11u] [JVMCI] Partial module-info.java backport of JDK-8223332 + - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch + - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher + - JDK-8273671: Backport of 8260616 misses one JNF header inclusion removal + - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem + - JDK-8273795: Zero SPARC64 debug builds fail due to missing interpreter fields + - JDK-8273826: Correct Manifest file name and NPE checks + - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral + - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() + - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character + - JDK-8273968: JCK javax_xml tests fail in CI + - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects + - JDK-8274083: Update testing docs to mention tiered testing + - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated + - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m + - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern + - JDK-8274381: missing CAccessibility definitions in JNI code + - JDK-8274407: (tz) Update Timezone Data to 2021c + - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b + - JDK-8274468: TimeZoneTest.java fails with tzdata2021b + - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah + - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 + - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform + - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST + - JDK-8274840: Update OS detection code to recognize Windows 11 + - JDK-8274860: gcc 10.2.1 produces an uninitialized warning in sharedRuntimeTrig.cpp + - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag + - JDK-8275131: Exceptions after a touchpad gesture on macOS + - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc + - JDK-8275766: (tz) Update Timezone Data to 2021e + - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e + - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance + - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test + - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 + - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point + - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 + - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend + - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie + - JDK-8276854: Windows GHA builds fail due to broken Cygwin + - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes + - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE + - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint + - JDK-8277815: Fix mistakes in legal header backports + +Notes on individual issues: +=========================== + +core-svc/tools: + +JDK-8250554: New Option Added to jcmd for Writing a gzipped Heap Dump +===================================================================== +A new integer option `gz` has been added to the `GC.heap_dump` +diagnostic command. If it is specified, it will enable the gzip +compression of the written heap dump. The supplied value is the +compression level. It can range from 1 (fastest) to 9 (slowest, but +best compression). The recommended level is 1. + +security-libs/javax.net.ssl: + +JDK-8260310: Configurable Extensions With System Properties +=========================================================== +Two new system properties have been added. The system property, +`jdk.tls.client.disableExtensions`, is used to disable TLS extensions +used in the client. The system property, +`jdk.tls.server.disableExtensions`, is used to disable TLS extensions +used in the server. If an extension is disabled, it will be neither +produced nor processed in the handshake messages. + +The property string is a list of comma separated standard TLS +extension names, as registered in the IANA documentation (for example, +server_name, status_request, and signature_algorithms_cert). Note that +the extension names are case sensitive. Unknown, unsupported, +misspelled and duplicated TLS extension name tokens will be ignored. + +Please note that the impact of blocking TLS extensions is +complicated. For example, a TLS connection may not be able to be +established if a mandatory extension is disabled. Please do not +disable mandatory extensions, and do not use this feature unless you +clearly understand the impact. + +security-libs/javax.crypto:pkcs11: + +JDK-8272907: New SunPKCS11 Configuration Properties +=================================================== +The SunPKCS11 provider gains new provider configuration attributes to +better control native resources usage. The SunPKCS11 provider consumes +native resources in order to work with native PKCS11 libraries. To +manage and better control the native resources, additional +configuration attributes are added to control the frequency of +clearing native references as well as whether to destroy the +underlying PKCS11 Token after logout. + +The 3 new attributes for the SunPKCS11 provider configuration file +are: + +1) `destroyTokenAfterLogout` (boolean, defaults to false) + +If set to true, when `java.security.AuthProvider.logout()` is called +upon the SunPKCS11 provider instance, the underlying Token object will +be destroyed and resources will be freed. This essentially renders the +SunPKCS11 provider instance unusable after `logout()` calls. Note that +a PKCS11 provider with this attribute set to `true` should not be +added to the system provider list since the provider object is not +usable after a `logout()` method call. + +2) `cleaner.shortInterval` (integer, defaults to 2000, in milliseconds) + +This defines the frequency for clearing native references during busy +periods (such as, how often should the cleaner thread processes the +no-longer-needed native references in the queue to free up native +memory). Note that the cleaner thread will switch to the +'longInterval' frequency after 200 failed tries (such as, when no +references are found in the queue). + +3) `cleaner.longInterval` (integer, defaults to 60000, in milliseconds) + +This defines the frequency for checking native reference during +non-busy period (such as, how often should the cleaner thread check +the queue for native references). Note that the cleaner thread will +switch back to the 'shortInterval' value if native PKCS11 references +for cleaning are detected. + +core-libs/java.nio: + +JDK-8271517: Zip File System Provider Throws ZipException when entry name element contains "." or "." +===================================================================================================== +The ZIP file system provider has been changed to reject existing ZIP +files that contain entries with "." or ".." in name elements. ZIP +files with these entries can not be used as a file system. Invoking +the `java.nio.file.FileSystems.newFileSystem(...)` methods will throw +`ZipException` if the ZIP file contains these entries. + +security-libs/java.security: + +JDK-8272535: Removed Google's GlobalSign Root Certificate +========================================================= +The following root certificate from Google has been removed from the +`cacerts` keystore: + +Alias Name: globalsignr2ca [jdk] +Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 + +core-libs/java.time: + +JDK-8274857: Update Timezone Data to 2021c +=========================================== +IANA Time Zone Database, on which JDK's Date/Time libraries are based, +has been updated to version 2021c +(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note +that with this update, some of the time zone rules prior to the year +1970 have been modified according to the changes which were introduced +with 2021b. For more detail, refer to the announcement of 2021b +(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) + +New in release OpenJDK 11.0.13 (2021-10-19): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11013 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt + +* Security fixes + - JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference + - JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close + - JDK-8263314: Enhance XML Dsig modes + - JDK-8265167, CVE-2021-35556: Richer Text Editors + - JDK-8265574: Improve handling of sheets + - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit + - JDK-8265776: Improve Stream handling for SSL + - JDK-8266097, CVE-2021-35561: Better hashing support + - JDK-8266103: Better specified spec values + - JDK-8266109: More Resilient Classloading + - JDK-8266115: More Manifest Jar Loading + - JDK-8266137, CVE-2021-35564: Improve Keystore integrity + - JDK-8266689, CVE-2021-35567: More Constrained Delegation + - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic + - JDK-8267712: Better LDAP reference processing + - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking + - JDK-8267735, CVE-2021-35586: Better BMP support + - JDK-8268193: Improve requests of certificates + - JDK-8268199: Correct certificate requests + - JDK-8268205: Enhance DTLS client handshake + - JDK-8268506: More Manifest Digests + - JDK-8269618, CVE-2021-35603: Better session identification + - JDK-8269624: Enhance method selection support + - JDK-8270398: Enhance canonicalization + - JDK-8270404: Better canonicalization +* Other changes + - JDK-8024368: private methods are allocated vtable indices + - JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently + - JDK-8140466: ChaCha20 and Poly1305 TLS Cipher Suites + - JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream + - JDK-8158066: SourceDebugExtensionTest fails to rename file + - JDK-8168304: Make all of DependencyContext_test available in product mode + - JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException + - JDK-8181313: SA: Remove libthread_db dependency on Linux + - JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9 + - JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException + - JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails + - JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received" + - JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes + - JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales. + - JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed + - JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64 + - JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration + - JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings + - JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test + - JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java + - JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java + - JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test + - JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test + - JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests + - JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests + - JDK-8210495: compiler crashes because of illegal signature in otherwise legal code + - JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout + - JDK-8210802: temp files left by tests in jdk/java/net/httpclient + - JDK-8210819: Update the host name in CNameTest.java + - JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test + - JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK + - JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'. + - JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected + - JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up + - JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang + - JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up + - JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12 + - JDK-8212695: Add explicit timeout to several HTTP Client tests + - JDK-8212718: Refactor some annotation processor tests to better use collections + - JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java + - JDK-8213137: Remove static initialization of monitor/mutex instances + - JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit + - JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests + - JDK-8213576: Make test AsyncCloseChannel.java run in othervm + - JDK-8213694: Test Timeout.java should run in othervm mode + - JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003 + - JDK-8213922: fix ctw stand-alone build + - JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java + - JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order + - JDK-8214937: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date + - JDK-8216532: tools/launcher/Test7029048.java fails (Solaris) + - JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests + - JDK-8218145: block_if_requested is not proper inlined due to size + - JDK-8219417: bump jtreg requiredVersion to b14 + - JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/ + - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException + - JDK-8220445: Support for side by side MSVC Toolset versions + - JDK-8221988: add possibility to build with Visual Studio 2019 + - JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail + - JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods + - JDK-8224853: CDS address sanitizer errors + - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 + - JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions + - JDK-8225690: Multiple AttachListener threads can be created + - JDK-8225790: Two NestedDialogs tests fail on Ubuntu + - JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java + - JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly + - JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK + - JDK-8226683: Remove review suggestion from fix to 8219804 + - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134" + - JDK-8227766: CheckUnhandledOops is broken in MemAllocator + - JDK-8227815: Minimal VM: set_state is not a member of AttachListener + - JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes + - JDK-8230808: Remove Access::equals() + - JDK-8230841: Remove oopDesc::equals() + - JDK-8231717: Improve performance of charset decoding when charset is always compactable + - JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100% + - JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64) + - JDK-8233790: Forward output from heap dumper to jcmd/jmap + - JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java + - JDK-8234510: Remove file seeking requirement for writing a heap dump + - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file + - JDK-8235216: typo in test filename + - JDK-8235866: bump jtreg requiredVersion to 4.2b16 + - JDK-8236111: narrow allowSmartActionArgs disabling + - JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException + - JDK-8236671: NullPointerException in JKS keystore + - JDK-8238930: problem list compiler/c2/Test8004741.java + - JDK-8238943: switch to jtreg 5.0 + - JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test + - JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files + - JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration + - JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler + - JDK-8241768: git needs .gitattributes + - JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException + - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty" + - JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases + - JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]" + - JDK-8246387: switch to jtreg 5.1 + - JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob + - JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available + - JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open + - JDK-8248403: AArch64: Remove uses of kernel integer types + - JDK-8248414: AArch64: Remove uses of long and unsigned long ints + - JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model + - JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread + - JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC + - JDK-8248671: AArch64: Remove unused variables + - JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper + - JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply + - JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows + - JDK-8249548: backward focus traversal gets stuck in button group + - JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference + - JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id + - JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id + - JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id + - JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call + - JDK-8250824: AArch64: follow up for JDK-8248414 + - JDK-8251166: Add automated testcases for changes done in JDK-8214112 + - JDK-8251252: Add automated testcase for fix done in JDK-8214253 + - JDK-8251254: Add automated test for fix done in JDK-8218472 + - JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test + - JDK-8251549: Update docs on building for Git + - JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports() + - JDK-8252194: Add automated test for fix done in JDK-8218469 + - JDK-8252648: Shenandoah: name gang tasks consistently + - JDK-8252825: Add automated test for fix done in JDK-8218479 + - JDK-8252853: AArch64: gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1 + - JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent + - JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller + - JDK-8253424: Add support for running pre-submit testing using GitHub Actions + - JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165 + - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably + - JDK-8253899: Make IsClassUnloadingEnabled signature match specification + - JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image + - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command + - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow + - JDK-8254175: Build no-pch configuration in debug mode for submit checks + - JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation + - JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c + - JDK-8254282: Add Linux x86_32 builds to submit workflow + - JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments + - JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1 + - JDK-8255305: Add Linux x86_32 tier1 to submit workflow + - JDK-8255352: Archive important test outputs in submit workflow + - JDK-8255373: Submit workflow artifact name is always "test-results_.zip" + - JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop + - JDK-8255718: Zero: VM should know it runs in interpreter-only mode + - JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux + - JDK-8255810: Zero: build fails without JVMTI + - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch + - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow + - JDK-8256215: Shenandoah: re-organize saving/restoring machine state in assembler code + - JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE + - JDK-8256277: Github Action build on macOS should define OS and Xcode versions + - JDK-8256354: Github Action build on Windows should define OS and MSVC versions + - JDK-8256393: Github Actions build on Linux should define OS and GCC versions + - JDK-8256414: add optimized build to submit workflow + - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing + - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors + - JDK-8257148: Remove obsolete code in AWTView.m + - JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 + - JDK-8257620: Do not use objc_msgSend_stret to get macOS version + - JDK-8257913: Add more known library locations to simplify Linux cross-compilation + - JDK-8258703: Incorrect 512-bit vector registers restore on x86_32 + - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test + - JDK-8259535: ECDSA SignatureValue do not always have the specified length + - JDK-8259679: GitHub actions should use MSVC 14.28 + - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386" + - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386" + - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) + - JDK-8260923: Add more tests for SSLSocket input/output shutdown + - JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention + - JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions + - JDK-8261238: NMT should not limit baselining by size threshold + - JDK-8261496: Shenandoah: reconsider pacing updates memory ordering + - JDK-8261652: Remove some dead comments from os_bsd_x86 + - JDK-8261846: [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream + - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space" + - JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8262392: Update Mesa 3-D Headers to version 21.0.3 + - JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception" + - JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows + - JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java + - JDK-8263136: C4530 was reported from VS 2019 at access bridge + - JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block + - JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers" + - JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X) + - JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems + - JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod + - JDK-8263531: Remove unused buffer int + - JDK-8263667: Avoid running GitHub actions on branches named pr/* + - JDK-8263776: [JVMCI] add helper to perform Java upcalls + - JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI + - JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M + - JDK-8265132: C2 compilation fails with assert "missing precedence edge" + - JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821 + - JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description + - JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter + - JDK-8265761: Font with missed font family name is not properly printed on Windows + - JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API + - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container + - JDK-8266018: Shenandoah: fix an incorrect assert + - JDK-8266206: Build failure after JDK-8264752 with older GCCs + - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5 + - JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong + - JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report + - JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation + - JDK-8266615: C2 incorrectly folds subtype checks involving an interface array + - JDK-8266642: Improve ResolvedMethodTable hash function + - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems + - JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted + - JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress + - JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header + - JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes + - JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance + - JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion + - JDK-8267424: CTW: C1 fails with "State must not be null" + - JDK-8267459: Pasting Unicode characters into JShell does not work. + - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type + - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file + - JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13 + - JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID + - JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly + - JDK-8268103: JNI functions incorrectly return a double after JDK-8265836 + - JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size + - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code + - JDK-8268360: Missing check for infinite loop during node placement + - JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop + - JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan + - JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check + - JDK-8268417: Add test from JDK-8268360 + - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance + - JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE + - JDK-8268620: InfiniteLoopException test may fail on x86 platforms + - JDK-8268635: Corrupt oop in ClassLoaderData + - JDK-8268699: Shenandoah: Add test for JDK-8268127 + - JDK-8268771: javadoc -notimestamp option does not work on index.html + - JDK-8268775: Password is being converted to String in AccessibleJPasswordField + - JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag + - JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server + - JDK-8269304: Regression ~5% in 2005 in b27 + - JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u + - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient + - JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in Windows debug build + - JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark + - JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation + - JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string + - JDK-8269661: JNI_GetStringCritical does not lock char array + - JDK-8269668: [aarch64] java.library.path not including /usr/lib64 + - JDK-8269763: The JEditorPane is blank after JDK-8265167 + - JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV + - JDK-8269847: JDK-8269594 backport breaks 11u builds + - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 + - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers + - JDK-8269882: stack-use-after-scope in NewObjectA + - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status + - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode + - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup + - JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas + - JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas + - JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA + - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file + - JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies + - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon + - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj + - JDK-8272197: Update 11u GHA workflow with Shenandoah configurations + - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 + - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 + - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used + - JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32 + - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 + - JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u + - JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8271434: Removed IdenTrust Root Certificate +=============================================== +The following root certificate from IdenTrust has been removed from +the `cacerts` keystore: + +Alias Name: identrustdstx3 [jdk] +Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. + +JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280 +===================================================================================================== +The `gencert` command of the `keytool` utility has been updated to +create AKID from the SKID of the issuing certificate as specified by +RFC 5280. + +security-libs/javax.net.ssl: + +JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites +==================================================== +New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have +been added to JSSE. These cipher suites are enabled by default. The +TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. +The following cipher suites are available for TLS 1.2: + +* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + +Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for +details on these new TLS cipher suites. + +JDK-8219551: Updated the Default Enabled Cipher Suites Preference +================================================================= +The preference of the default enabled cipher suites has been +changed. The compatibility impact should be minimal. If needed, +applications can customize the enabled cipher suites and the +preference. For more details, refer to the SunJSSE provider +documentation and the JSSE Reference Guide documentation. + New in release OpenJDK 11.0.12 (2021-07-20): ============================================= Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8257794-remove_broken_assert.patch b/SOURCES/jdk8257794-remove_broken_assert.patch new file mode 100644 index 0000000..1bfc571 --- /dev/null +++ b/SOURCES/jdk8257794-remove_broken_assert.patch @@ -0,0 +1,12 @@ +diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp +index d18d70b5f9..30ab380e40 100644 +--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp ++++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp +@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) { + #ifdef ASSERT + if (istate->_msg != initialize) { + assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit"); +- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong")); + } + // Verify linkages. + interpreterState l = istate; diff --git a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch deleted file mode 100644 index ddf686c..0000000 --- a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001 -From: Severin Gehwolf -Date: Wed, 14 Jul 2021 12:06:39 +0200 -Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c - ---- - src/hotspot/os/linux/os_linux.cpp | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp -index e8baf704e3a..12b75b733b5 100644 ---- a/src/hotspot/os/linux/os_linux.cpp -+++ b/src/hotspot/os/linux/os_linux.cpp -@@ -413,8 +413,15 @@ void os::init_system_properties_values() { - // 7: The default directories, normally /lib and /usr/lib. - #if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390) - #define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib" -+#else -+#if defined(AARCH64) -+ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems -+ // might not adhere to the FHS and it would be a change in behaviour if we used -+ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths. -+ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64" - #else - #define DEFAULT_LIBPATH "/lib:/usr/lib" -+#endif // AARCH64 - #endif - - // Base path of extensions installed on the system. --- -2.31.1 - diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in index ead27be..1aff153 100644 --- a/SOURCES/nss.fips.cfg.in +++ b/SOURCES/nss.fips.cfg.in @@ -1,6 +1,6 @@ name = NSS-FIPS nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ +nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips diff --git a/SOURCES/rh1991003-enable_fips_keys_import.patch b/SOURCES/rh1991003-enable_fips_keys_import.patch new file mode 100644 index 0000000..ac9bdb5 --- /dev/null +++ b/SOURCES/rh1991003-enable_fips_keys_import.patch @@ -0,0 +1,590 @@ +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index 53f32d12cc..28ab184617 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -82,6 +82,10 @@ public final class Security { + public boolean isSystemFipsEnabled() { + return SystemConfigurator.isSystemFipsEnabled(); + } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } + }); + + // doPrivileged here because there are multiple +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 5565acb7c6..874c6221eb 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -55,6 +55,7 @@ final class SystemConfigurator { + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + + private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; + + private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; + +@@ -149,6 +150,16 @@ final class SystemConfigurator { + } + loadedProps = true; + systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } + } + } catch (Exception e) { + if (sdebug != null) { +@@ -176,6 +187,19 @@ final class SystemConfigurator { + return systemFipsEnabled; + } + ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ + /* + * OpenJDK FIPS mode will be enabled only if the com.redhat.fips + * system property is true (default) and the system is in FIPS mode. +diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +index d8caa5640c..21bc6d0b59 100644 +--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -27,4 +27,5 @@ package jdk.internal.misc; + + public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); + } +diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +index ffee2c1603..ff3d5e0e4a 100644 +--- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ++++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +@@ -33,8 +33,13 @@ import java.security.KeyStore.*; + + import javax.net.ssl.*; + ++import jdk.internal.misc.SharedSecrets; ++ + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + X509ExtendedKeyManager keyManager; + boolean isInitialized; + +@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + KeyStoreException, NoSuchAlgorithmException, + UnrecoverableKeyException { + if ((ks != null) && SunJSSE.isFIPS()) { +- if (ks.getProvider() != SunJSSE.cryptoProvider) { ++ if (ks.getProvider() != SunJSSE.cryptoProvider && ++ !plainKeySupportEnabled) { + throw new KeyStoreException("FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); + } +@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + keyManager = new X509KeyManagerImpl( + Collections.emptyList()); + } else { +- if (SunJSSE.isFIPS() && +- (ks.getProvider() != SunJSSE.cryptoProvider)) { ++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) ++ && !plainKeySupportEnabled) { + throw new KeyStoreException( + "FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 0000000000..b848a1fd78 +--- /dev/null ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,290 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 1eca1f8f0a..72674a7330 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 04a369f453..8d2081abaa 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -150,16 +151,28 @@ public class PKCS11 { + + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch deleted file mode 100644 index 78552c3..0000000 --- a/SOURCES/rh1996182-extend_security_policy.patch +++ /dev/null @@ -1,18 +0,0 @@ -commit 598fe421216b0a437fa36ee91a29966599867aa3 -Author: Andrew Hughes -Date: Mon Aug 30 16:12:52 2021 +0100 - - RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc - -diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy -index ab59a334cd..5db744ff17 100644 ---- openjdk.orig/src/java.base/share/lib/security/default.policy -+++ openjdk/src/java.base/share/lib/security/default.policy -@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { - grant codeBase "jrt:/jdk.crypto.cryptoki" { - permission java.lang.RuntimePermission - "accessClassInPackage.com.sun.crypto.provider"; -+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; - permission java.lang.RuntimePermission - "accessClassInPackage.sun.security.*"; - permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch index d3a1dde..10c5666 100644 --- a/SOURCES/rh1996182-login_to_nss_software_token.patch +++ b/SOURCES/rh1996182-login_to_nss_software_token.patch @@ -5,7 +5,7 @@ Date: Fri Aug 27 19:42:07 2021 +0100 RH1996182: Login to the NSS Software Token in FIPS Mode diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java -index 0cf61732d7..2cd851587c 100644 +index 5460efcf8c..f08dc2fafc 100644 --- openjdk.orig/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java @@ -182,6 +182,7 @@ module java.base { @@ -17,19 +17,19 @@ index 0cf61732d7..2cd851587c 100644 jdk.attach, jdk.charsets, diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index b00b738b85..1eca1f8f0a 100644 +index 5e227f4531..164de8ff08 100644 --- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback; +@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.PasswordCallback; - import javax.security.auth.callback.TextOutputCallback; + import jdk.internal.misc.InnocuousThread; +import jdk.internal.misc.SharedSecrets; + import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; -@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; */ public final class SunPKCS11 extends AuthProvider { @@ -39,7 +39,7 @@ index b00b738b85..1eca1f8f0a 100644 private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider { +@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider { if (nssModule != null) { nssModule.setProvider(this); } diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch new file mode 100644 index 0000000..9490624 --- /dev/null +++ b/SOURCES/rh2021263-fips_ensure_security_initialised.patch @@ -0,0 +1,28 @@ +commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d +Author: Andrew Hughes +Date: Tue Jan 18 02:00:55 2022 +0000 + + RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance + +diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +index 2ec51d57806..8489b940c43 100644 +--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +@@ -36,6 +36,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -368,6 +369,9 @@ public class SharedSecrets { + } + + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } + return javaSecuritySystemConfiguratorAccess; + } + } diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch new file mode 100644 index 0000000..b8c8ba5 --- /dev/null +++ b/SOURCES/rh2021263-fips_missing_native_returns.patch @@ -0,0 +1,24 @@ +commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2 +Author: Fridrich Strba +Date: Mon Jan 17 19:44:03 2022 +0000 + + RH2021263: Return in C code after having generated Java exception + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 6f4656bfcb6..34d0ff0ce91 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch new file mode 100644 index 0000000..b5351a8 --- /dev/null +++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch @@ -0,0 +1,99 @@ +commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07 +Author: Andrew Hughes +Date: Tue Jan 18 02:09:27 2022 +0000 + + RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support + +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index 28ab1846173..f9726741afd 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -61,10 +61,6 @@ public final class Security { + private static final Debug sdebug = + Debug.getInstance("properties"); + +- /* System property file*/ +- private static final String SYSTEM_PROPERTIES = +- "/etc/crypto-policies/back-ends/java.config"; +- + /* The java.security properties */ + private static Properties props; + +@@ -206,22 +202,36 @@ public final class Security { + } + } + ++ if (!loadedProps) { ++ initializeStatic(); ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties " + ++ "-- using defaults"); ++ } ++ } ++ + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); + if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && + "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { +- if (SystemConfigurator.configure(props)) { +- loadedProps = true; ++ if (!SystemConfigurator.configureSysProps(props)) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System properties could not be loaded."); ++ } + } + } + +- if (!loadedProps) { +- initializeStatic(); ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); + if (sdebug != null) { +- sdebug.println("unable to load security properties " + +- "-- using defaults"); ++ if (fipsEnabled) { ++ sdebug.println("FIPS support enabled."); ++ } else { ++ sdebug.println("FIPS support disabled."); ++ } + } + } +- + } + + /* +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 874c6221ebe..b7ed41acf0f 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -76,7 +76,7 @@ final class SystemConfigurator { + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ +- static boolean configure(Properties props) { ++ static boolean configureSysProps(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = +@@ -96,11 +96,19 @@ final class SystemConfigurator { + e.printStackTrace(); + } + } ++ return loadedProps; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } +- loadedProps = false; + // Remove all security providers + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index 3f501e9..d6d6192 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -7,12 +7,12 @@ # Produce release, fastdebug *and* slowdebug builds on x86_64 (default): # $ rpmbuild -ba java-11-openjdk.spec # -# Produce only release builds (no debug builds) on x86_64: +# Produce only release builds (no slowdebug builds) on x86_64: # $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug # # Only produce a release build on x86_64: # $ rhpkg mockbuild --without slowdebug --without fastdebug -# + # Enable fastdebug builds by default on relevant arches. %bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. @@ -21,6 +21,10 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs +# Remove build artifacts by default +%bcond_with artifacts +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -30,6 +34,13 @@ %global include_staticlibs 0 %endif +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -100,7 +111,9 @@ # Set of architectures for which we build fastdebug builds %global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler -%global jit_arches %{debug_arches} %{arm} +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 # Set of architectures which run a full bootstrap cycle %global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets @@ -119,8 +132,10 @@ %global zgc_arches x86_64 # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} -# By default, we build a debug build during main build on JIT architectures +# By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} %ifarch %{debug_arches} %global include_debug_build 1 @@ -172,9 +187,9 @@ %global fastdebug_build %{nil} %endif -# If you disable both builds, then the build fails +# If you disable all builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics -%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %if %{include_staticlibs} %global staticlibs_loop %{staticlibs_suffix} @@ -183,27 +198,38 @@ %endif %ifarch %{bootstrap_arches} -%global bootstrap_build 1 +%global bootstrap_build true %else -%global bootstrap_build 1 +%global bootstrap_build false %endif -%if %{bootstrap_build} -%global release_targets bootcycle-images docs-zip -%else -%global release_targets images docs-zip -%endif -# No docs nor bootcycle for debug builds -%global debug_targets images - %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from # other targets since this target is configured to use in-tree # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib # and possibly others %global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} %endif +# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM +%global debug_symbols internal + +# unlike portables,the rpms have to use static_libs_target very dynamically +%global bootstrap_targets images +%global release_targets images docs-zip +# No docs nor bootcycle for debug builds +%global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk + +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 +%define _lto_cflags %{nil} # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 @@ -289,7 +315,7 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 12 +%global updatever 14 %global patchver 0 # If you bump featurever, you must bump also vendor_version_string # Used via new version scheme. JDK 11 was @@ -336,8 +362,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 7 -%global rpmrelease 4 +%global buildver 9 +%global rpmrelease 6 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -351,7 +377,7 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} # Omit trailing 0 in filenames when the patch version is 0 %if 0%{?patchver} > 0 @@ -386,7 +412,8 @@ %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define buildoutputdir() %{expand:build/jdk11.build%{?1}} +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -401,7 +428,7 @@ %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ %global __requires_exclude ^(%{_privatelibs})$ -# Never generate lib-style provides/requires for slowdebug packages +# Never generate lib-style provides/requires for any debug packages %global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ @@ -556,7 +583,9 @@ alternatives \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ %ifarch %{sa_arches} +%ifnarch %{zero_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif %endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ @@ -751,8 +780,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so @@ -786,7 +817,7 @@ exit 0 %dir %{etcjavadir -- %{?1}}/conf/security/policy/limited %dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy -%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blacklisted.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy @@ -846,8 +877,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap @@ -1022,12 +1055,8 @@ OrderWithRequires: copy-jdk-configs Requires: cups-libs # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(postun): chkconfig >= 1.7 # for optional support of kernel stream control, card reader and printing bindings %if 0%{?rhel} >= 8 Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa} @@ -1052,12 +1081,8 @@ Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(postun): chkconfig >= 1.7 # Standard JPackage devel provides Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} @@ -1098,6 +1123,7 @@ Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} %endif } @@ -1105,18 +1131,14 @@ Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install javadoc alternative Requires(post): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall javadoc alternative Requires(postun): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(postun): chkconfig >= 1.7 # Standard JPackage javadoc provides -Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %if %is_system_jdk -Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %endif } @@ -1128,6 +1150,7 @@ Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} %endif } @@ -1149,7 +1172,9 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} Epoch: 1 Summary: %{origin_nice} %{featurever} Runtime Environment +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif # HotSpot code is licensed under GPLv2 # JDK library code is licensed under GPLv2 with the Classpath exception @@ -1217,7 +1242,7 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch Patch2: rh1648644-java_access_bridge_privileged_security.patch # NSS via SunPKCS11 Provider (disabled due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# enable build of speculative store bypass hardened alt-java +# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) Patch600: rh1750419-redhat_alt_java.patch # RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY Patch1003: rh1842572-rsa_default_for_keytool.patch @@ -1235,7 +1260,12 @@ Patch1007: rh1915071-always_initialise_configurator_access.patch Patch1008: rh1929465-improve_system_FIPS_detection.patch # RH1996182: Login to the NSS software token in FIPS mode Patch1009: rh1996182-login_to_nss_software_token.patch -Patch1010: rh1996182-extend_security_policy.patch +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +Patch1011: rh1991003-enable_fips_keys_import.patch +# RH2021263: Resolve outstanding FIPS issues +Patch1014: rh2021263-fips_ensure_security_initialised.patch +Patch1015: rh2021263-fips_missing_native_returns.patch +Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch ############################################# # @@ -1260,6 +1290,18 @@ Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch # PR3695: Allow use of system crypto policy to be disabled by the user Patch7: pr3695-toggle_system_crypto_policy.patch +############################################# +# +# Backportable patches +# +# This section includes patches which are +# present in the current development tree, but +# need to be reviewed & pushed to the appropriate +# updates tree of OpenJDK. +############################################# +# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 +Patch101: jdk8257794-remove_broken_assert.patch + ############################################# # # Patches appearing in 11.0.13 @@ -1269,8 +1311,6 @@ Patch7: pr3695-toggle_system_crypto_policy.patch # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64 -Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch BuildRequires: autoconf BuildRequires: automake @@ -1306,7 +1346,7 @@ BuildRequires: unzip BuildRequires: javapackages-filesystem BuildRequires: java-%{buildjdkver}-openjdk-devel # Zero-assembler build requirement -%ifnarch %{jit_arches} +%ifarch %{zero_arches} BuildRequires: libffi-devel %endif # 2021a required as of JDK-8260356 in April 2021 CPU @@ -1317,6 +1357,7 @@ BuildRequires: gcc >= 4.8.3-8 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel %endif +BuildRequires: make # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder @@ -1328,7 +1369,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_debug_build} %package slowdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_rpo -- %{debug_suffix_unquoted}} %description slowdebug @@ -1339,7 +1382,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_fastdebug_build} %package fastdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_rpo -- %{fastdebug_suffix_unquoted}} %description fastdebug @@ -1350,7 +1395,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_normal_build} %package headless Summary: %{origin_nice} %{featurever} Headless Runtime Environment +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_headless_rpo %{nil}} @@ -1385,7 +1432,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_normal_build} %package devel Summary: %{origin_nice} %{featurever} Development Environment -Group: Development/Tools +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif %{java_devel_rpo %{nil}} @@ -1396,7 +1445,9 @@ The %{origin_nice} %{featurever} development tools. %if %{include_debug_build} %package devel-slowdebug Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} -Group: Development/Tools +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif %{java_devel_rpo -- %{debug_suffix_unquoted}} @@ -1457,7 +1508,9 @@ The %{origin_nice} %{featurever} libraries for static linking. %if %{include_normal_build} %package jmods Summary: JMods for %{origin_nice} %{featurever} -Group: Development/Tools +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif %{java_jmods_rpo %{nil}} @@ -1468,7 +1521,9 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_debug_build} %package jmods-slowdebug Summary: JMods for %{origin_nice} %{featurever} %{debug_on} -Group: Development/Tools +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif %{java_jmods_rpo -- %{debug_suffix_unquoted}} @@ -1492,7 +1547,9 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_normal_build} %package demo Summary: %{origin_nice} %{featurever} Demos +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_demo_rpo %{nil}} @@ -1503,7 +1560,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_debug_build} %package demo-slowdebug Summary: %{origin_nice} %{featurever} Demos %{debug_on} +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_demo_rpo -- %{debug_suffix_unquoted}} @@ -1527,7 +1586,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_normal_build} %package src Summary: %{origin_nice} %{featurever} Source Bundle +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_src_rpo %{nil}} @@ -1539,7 +1600,9 @@ class library source code for use by IDE indexers and debuggers. %if %{include_debug_build} %package src-slowdebug Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_src_rpo -- %{debug_suffix_unquoted}} @@ -1563,22 +1626,27 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n %if %{include_normal_build} %package javadoc Summary: %{origin_nice} %{featurever} API documentation +%if 0%{?rhel} <= 8 Group: Documentation +%endif Requires: javapackages-filesystem Obsoletes: javadoc-debug -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc The %{origin_nice} %{featurever} API documentation. %package javadoc-zip Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive +%if 0%{?rhel} <= 8 Group: Documentation +%endif Requires: javapackages-filesystem Obsoletes: javadoc-zip-debug -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc-zip The %{origin_nice} %{featurever} API documentation compressed in a single archive. @@ -1634,9 +1702,10 @@ pushd %{top_level_dir_name} %patch3 -p1 %patch4 -p1 %patch7 -p1 -%patch8 -p1 popd # openjdk +%patch101 + %patch1000 %patch600 %patch1001 @@ -1646,7 +1715,10 @@ popd # openjdk %patch1007 %patch1008 %patch1009 -%patch1010 +%patch1011 +%patch1014 +%patch1015 +%patch1016 # Extract systemtap tapsets %if %{with_systemtap} @@ -1658,7 +1730,6 @@ cp -r tapset tapset%{debug_suffix} cp -r tapset tapset%{fastdebug_suffix} %endif - for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` @@ -1700,7 +1771,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? @@ -1727,46 +1797,38 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif +# Fixes annocheck warnings in assembler files due to missing build notes EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" -export EXTRA_CFLAGS EXTRA_ASFLAGS +export EXTRA_CFLAGS EXTRA_CPP_FLAGS EXTRA_ASFLAGS -for suffix in %{build_loop} ; do -if [ "x$suffix" = "x" ] ; then - debugbuild=release -else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` -fi +function buildjdk() { + local outputdir=${1} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} -for loop in %{main_suffix} %{staticlibs_loop} ; do + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} -if test "x${loop}" = "x%{main_suffix}" ; then - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full - # Variable used by configure and hs_err hook on build failures - link_opt="system" - # Debug builds don't need same targets as release for - # build speed-up - maketargets="%{release_targets}" - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - fi -else - # Variable used by configure and hs_err hook on build failures - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" -fi + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" -top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} -top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} -mkdir -p ${top_dir_abs_build_path} -pushd ${top_dir_abs_build_path} + mkdir -p ${outputdir} + pushd ${outputdir} -bash ${top_dir_abs_src_path}/configure \ -%ifnarch %{jit_arches} + bash ${top_dir_abs_src_path}/configure \ +%ifarch %{zero_arches} --with-jvm-variants=zero \ %endif %ifarch %{ppc64le} @@ -1780,9 +1842,9 @@ bash ${top_dir_abs_src_path}/configure \ --with-vendor-url="%{oj_vendor_url}" \ --with-vendor-bug-url="%{oj_vendor_bug_url}" \ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ - --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ - --with-debug-level=$debugbuild \ - --with-native-debug-symbols=internal \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="%{debug_symbols}" \ --enable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ @@ -1801,54 +1863,139 @@ bash ${top_dir_abs_src_path}/configure \ --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \ --disable-warnings-as-errors -make \ - JAVAC_FLAGS=-g \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + cat spec.gmk -popd >& /dev/null + make \ + JAVAC_FLAGS=-g \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) -# Restore original source tree if we modified it by removing full in-tree sources -if [ -d %{top_level_dir_name_backup} ] ; then - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -fi + popd +} -done # end of main / staticlibs loop +function installjdk() { + local outputdir=${1} + local installdir=${2} + local imagepath=${installdir}/images/%{jdkimage} -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + if [ -d ${outputdir}/docs ] ; then + echo "Installing docs..."; + mv ${outputdir}/docs ${installdir} ; + fi -# the build (erroneously) removes read permissions from some jars -# this is a regression in OpenJDK 7 (our compiler): -# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif -# Build screws up permissions on binaries -# https://bugs.openjdk.java.net/browse/JDK-8173610 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; -find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; -# Install nss.cfg right away as we will be using the JRE above -export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; -# Install nss.cfg right away as we will be using the JRE above -install -m 644 nss.cfg $JAVA_HOME/conf/security/ + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ -# Use system-wide tzdata -rm $JAVA_HOME/lib/tzdb.dat -ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat -# Create fake alt-java as a placeholder for future alt-java -pushd ${JAVA_HOME} -# add alt-java man page -echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 -cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 -popd + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + fi +} + +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" + mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + + + for loop in %{main_suffix} %{staticlibs_loop} ; do + + builddir=%{buildoutputdir -- ${suffix}${loop}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}${loop}} + bootinstalldir=boot${installdir} + + if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Use system libraries + link_opt="system" + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + fi + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} + else + # Use bundled libraries for building statically + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" + # Always just do the one build for the static libraries + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + fi + + done # end of main / staticlibs loop # build cycles done # end of release / debug cycle loop @@ -1858,9 +2005,9 @@ done # end of release / debug cycle loop # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} %endif export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} @@ -1903,8 +2050,9 @@ readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c %endif +so_suffix="so" # Check debug symbols are present and can identify code -find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib do if [ -f "$lib" ] ; then echo "Testing $lib for debug symbols" @@ -1957,17 +2105,19 @@ gdb -q "$JAVA_HOME/bin/java" < - 1:11.0.14.0.9-6 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent +- Resolves: rhbz#2052816 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.9-5 +- Refactor build functions so we can build just HotSpot without any attempt at installation. +- Sync gdb test with java-1.8.0-openjdk. +- Improve architecture restrictions for the gdb test. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds +- Related: rhbz#2052809 + +* Fri Feb 11 2022 Jiri Vanek - 1:11.0.14.0.9-5 +- Give javadoc-zip its own Provides, next to the plain javadoc ones +- Related: rhbz#2052809 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.9-4 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Resolves: rhbz#2021559 + +* Thu Feb 10 2022 Severin Gehwolf - 1:11.0.14.0.9-3 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023534 + +* Mon Jan 17 2022 Andrew Hughes - 1:11.0.14.0.9-2 +- Update to jdk-11.0.14.0+9 +- Update release notes to 11.0.14.0+9 +- Switch to GA mode for final release. +- Resolves: rhbz#2039366 + +* Fri Jan 14 2022 Andrew Hughes - 1:11.0.14.0.8-0.1.ea +- Update to jdk-11.0.14.0+8 +- Update release notes to 11.0.14.0+8 +- Resolves: rhbz#2022821 + +* Thu Jan 13 2022 Andrew Hughes - 1:11.0.14.0.1-0.1.ea +- Update to jdk-11.0.14.0+1 +- Update release notes to 11.0.14.0+1 +- Switch to EA mode for 11.0.14 pre-release builds. +- Rename blacklisted.certs to blocked.certs following JDK-8253866 +- Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034 +- Related: rhbz#2022821 + +* Thu Jan 13 2022 Andrew Hughes - 1:11.0.13.0.8-5 +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Related: rhbz#2022821 + +* Wed Dec 01 2021 Jiri Vanek - 1:11.0.13.0.8-4 +- Replaced hardcoded 11 by featurever where appropriate +- Fixed comment of `for slowdebug` to correct `any debug` +- Related: rhbz#2022821 + +* Wed Oct 13 2021 Andrew Hughes - 1:11.0.13.0.8-3 +- Update to jdk-11.0.13.0+8 +- Update release notes to 11.0.13.0+8 +- Switch to GA mode for final release. +- Resolves: rhbz#2012335 + +* Tue Oct 12 2021 Andrew Hughes - 1:11.0.13.0.7-0.1.ea +- Update to jdk-11.0.13.0+7 +- Update release notes to 11.0.13.0+7 +- Resolves: rhbz#1999938 + +* Mon Oct 11 2021 Andrew Hughes - 1:11.0.13.0.1-0.1.ea +- Update to jdk-11.0.13.0+1 +- Update release notes to 11.0.13.0+1 +- Update tarball generation script to use git following OpenJDK 11u's move to github +- Switch to EA mode for 11.0.13 pre-release builds. +- Remove "-clean" suffix as no 11.0.13 builds are unclean. +- Drop JDK-8269668 patch which is now applied upstream. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-9 +- The bootstrap JDK is now in bootinstalldir, not bootbuilddir. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-9 +- Reduce disk footprint by removing build artifacts by default. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-8 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Related: rhbz#1999938 + +* Tue Oct 05 2021 Andrew Hughes - 1:11.0.12.0.7-7 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Resolves: rhbz#1991003 + +* Tue Oct 05 2021 Martin Balao - 1:11.0.12.0.7-7 +- Add patch to allow plain key import. +- Resolves: rhbz#1991003 + +* Mon Sep 06 2021 Jiri Vanek - 1:11.0.12.0.7-6 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#1999938 + +* Mon Sep 06 2021 Andrew Hughes - 1:11.0.12.0.7-5 +- Remove non-Free test from source tarball. +- Related: rhbz#1999938 + * Mon Aug 30 2021 Andrew Hughes - 1:11.0.12.0.7-4 - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc. - Resolves: rhbz#1997357