From c82830aa651c45c6d8457d8a1105341f5c6aff3e Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Mon, 14 Oct 2019 07:13:20 +0100 Subject: [PATCH] Update generate_source_tarball.sh script to use the PR3751 patch and retain the secp256k1 curve. Regenerate source tarball using the updated script and add the -'4curve' suffix. PR3751 includes the changes in the PR1834/RH1022017 patch which is removed. --- .gitignore | 1 + generate_source_tarball.sh | 36 ++++++++--------- java-11-openjdk.spec | 14 +++---- rh1022017-reduce_ssl_curves.patch | 66 ------------------------------- sources | 2 +- 5 files changed, 27 insertions(+), 92 deletions(-) delete mode 100644 rh1022017-reduce_ssl_curves.patch diff --git a/.gitignore b/.gitignore index dfc8a2e..c6ade2b 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ /shenandoah-jdk11-shenandoah-jdk-11.0.4+11.tar.xz /shenandoah-jdk11-shenandoah-jdk-11.0.5+1.tar.xz /shenandoah-jdk11-shenandoah-jdk-11.0.5+2.tar.xz +/shenandoah-jdk11-shenandoah-jdk-11.0.5+2-4curve.tar.xz diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index a8a8422..a320ee5 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -4,7 +4,7 @@ # Example: # When used from local repo set REPO_ROOT pointing to file:// with your repo # If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL -# If you want to use a local copy of patch PR3681, set the path to it in the PR3681 variable +# If you want to use a local copy of patch PR3751, set the path to it in the PR3751 variable # # In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: # PROJECT_NAME=jdk 
@@ -26,9 +26,9 @@ # level folder, name is created, based on parameter # -if [ ! "x$PR3681" = "x" ] ; then - if [ ! -f "$PR3681" ] ; then - echo "You have specified PR3681 as $PR3681 but it does not exist. Exiting" +if [ ! "x$PR3751" = "x" ] ; then + if [ ! -f "$PR3751" ] ; then + echo "You have specified PR3751 as $PR3751 but it does not exist. Exiting" exit 1 fi fi @@ -48,7 +48,7 @@ if [ "x$1" = "xhelp" ] ; then echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)" echo "TO_COMPRESS - what part of clone to pack (default is openjdk)" - echo "PR3681 - the path to the PR3681 patch to apply (optional; downloaded if unavailable)" + echo "PR3751 - the path to the PR3751 patch to apply (optional; downloaded if unavailable)" exit 1; fi 
@@ -126,18 +126,17 @@ pushd "${FILE_NAME_ROOT}" rm -vf ${CRYPTO_PATH}/ecp_224.c echo "Syncing EC list with NSS" - if [ "x$PR3681" = "x" ] ; then - # orriginally for 8: - # get pr3681.patch (from http://icedtea.classpath.org/hg/icedtea11) from most correct tag - # Do not push it or publish it (see http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3681) - echo "PR3681 not found. Downloading..." - wget http://icedtea.classpath.org/hg/icedtea11/raw-file/tip/patches/pr3681.patch - echo "Applying ${PWD}/pr3681.patch" - patch -Np1 < pr3681.patch - rm pr3681.patch + if [ "x$PR3751" = "x" ] ; then + # get pr3751.patch (from http://icedtea.classpath.org/hg/icedtea11) from most correct tag + # Do not push it or publish it (see http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3751) + echo "PR3751 not found. Downloading..." + wget http://icedtea.classpath.org/hg/icedtea11/raw-file/tip/patches/pr3751.patch + echo "Applying ${PWD}/pr3751.patch" + patch -Np1 < pr3751.patch + rm pr3751.patch else - echo "Applying ${PR3681}" - patch -Np1 < $PR3681 + echo "Applying ${PR3751}" + patch -Np1 < $PR3751 fi; find . -name '*.orig' -exec rm -vf '{}' ';' popd @@ -149,8 +148,9 @@ pushd "${FILE_NAME_ROOT}" else SWITCH=czf fi - tar --exclude-vcs -$SWITCH ${FILE_NAME_ROOT}.tar.${COMPRESSION} $TO_COMPRESS - mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} .. + TARBALL_NAME=${FILE_NAME_ROOT}-4curve.tar.${COMPRESSION} + tar --exclude-vcs -$SWITCH ${TARBALL_NAME} $TO_COMPRESS + mv ${TARBALL_NAME} .. popd echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT." diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index ba3118c..4502b16 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec 
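Review bot: The download branch fetches `pr3751.patch` over plain `http://` from the moving `tip` revision and feeds it straight to `patch -Np1` with no integrity check, so the content baked into the source tarball is whatever the network or the upstream head returns on the day the script is run. The published SHA512 in `sources` then vouches for that result, which makes an altered or silently changed patch hard to spot afterwards. Pinning the changeset and verifying a known digest before applying would close this, and the `wget` and `patch` exit codes should stop the script (no `set -e` is visible in this hunk; it may exist elsewhere in the file). `$PR3751` in the else branch should also be quoted. The enclosing `pushd` block starts outside the hunk.

```shell
    if [ "x$PR3751" = "x" ] ; then
        # … unchanged: comments and "PR3751 not found. Downloading..." message …
        # PR3751_REV and PR3751_SHA256 are placeholders: set them to the reviewed
        # icedtea11 changeset and the digest of the patch at that changeset.
        wget "http://icedtea.classpath.org/hg/icedtea11/raw-file/${PR3751_REV}/patches/pr3751.patch" || exit 1
        echo "${PR3751_SHA256}  pr3751.patch" | sha256sum -c - || {
            echo "pr3751.patch failed checksum verification. Exiting"
            exit 1
        }
        echo "Applying ${PWD}/pr3751.patch"
        patch -Np1 < pr3751.patch || exit 1
        rm pr3751.patch
    else
        echo "Applying ${PR3751}"
        patch -Np1 < "$PR3751" || exit 1
    fi;
```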
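Review bot: The hard-coded `-4curve` suffix at `TARBALL_NAME=${FILE_NAME_ROOT}-4curve.tar.${COMPRESSION}` is undocumented, and the help text earlier in the script still describes FILE_NAME_ROOT as "name of the archive, minus extensions", which is no longer true. A comment above the assignment such as `# -4curve marks a tarball whose EC code was reduced by PR3751 (secp256k1 retained)` and a matching tweak to the help line would keep the script self-explanatory. The new expansions are also unquoted; `tar --exclude-vcs -$SWITCH "${TARBALL_NAME}" $TO_COMPRESS` and `mv "${TARBALL_NAME}" ..` avoid word splitting if FILE_NAME_ROOT ever contains spaces.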
@@ -223,7 +223,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 2 -%global rpmrelease 1 +%global rpmrelease 2 #%%global tagsuffix "" # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -995,7 +995,7 @@ URL: http://openjdk.java.net/ # to regenerate source0 (jdk) and source8 (jdk's taspets) run update_package.sh # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz +Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz Source8: systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz # Desktop files. Adapted from IcedTea @@ -1030,10 +1030,6 @@ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch # Restrict access to java-atk-wrapper classes Patch2: rh1648644-java_access_bridge_privileged_security.patch -# PR1834, RH1022017: Reduce curves reported by SSL to those in NSS -# Not currently suitable to go upstream as it disables curves -# for all providers unconditionally -Patch525: rh1022017-reduce_ssl_curves.patch ############################################# # @@ -1293,7 +1289,6 @@ pushd %{top_level_dir_name} %patch6 -p1 %patch7 -p1 %patch8 -p1 -%patch525 -p1 popd # openjdk %patch1000 
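Review bot: The `-4curve` suffix added to `Source0` is not explained anywhere in the spec, and with `Patch525` dropped further down, the restriction of SSL-advertised curves no longer appears as a reviewable patch in this repository. According to the commit message it now arrives inside the pre-patched tarball through PR3751. A comment above `Source0` such as `# -4curve: tarball pre-patched by generate_source_tarball.sh with PR3751, which also carries the former PR1834/RH1022017 curve restriction` would tell maintainers where that security-relevant change lives and that rebasing means regenerating the tarball with the same patch. The existing comment still points to update_package.sh for regeneration; whether that script produces the new file name cannot be seen from this hunk.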
@@ -1833,6 +1828,11 @@ require "copy_jdk_configs.lua" %changelog +* Tue Aug 27 2019 Andrew Hughes - 1:11.0.5.2-0.2.ea +- Update generate_source_tarball.sh script to use the PR3751 patch and retain the secp256k1 curve. +- Regenerate source tarball using the updated script and add the -'4curve' suffix. +- PR3751 includes the changes in the PR1834/RH1022017 patch which is removed. + * Sat Aug 24 2019 Andrew John Hughes - 1:11.0.5.2-0.1.ea - Update to shenandoah-jdk-11.0.5+2 (EA) diff --git a/rh1022017-reduce_ssl_curves.patch b/rh1022017-reduce_ssl_curves.patch deleted file mode 100644 index 6dab416..0000000 --- a/rh1022017-reduce_ssl_curves.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -diff --git openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java ---- openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java -+++ openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java -@@ -515,50 +515,19 @@ - } - } else { // default groups - NamedGroup[] groups; -- if (requireFips) { -- groups = new NamedGroup[] { -- // only NIST curves in FIPS mode -- NamedGroup.SECP256_R1, -- NamedGroup.SECP384_R1, -- NamedGroup.SECP521_R1, -- NamedGroup.SECT283_K1, -- NamedGroup.SECT283_R1, -- NamedGroup.SECT409_K1, -- NamedGroup.SECT409_R1, -- NamedGroup.SECT571_K1, -- NamedGroup.SECT571_R1, -+ groups = new NamedGroup[] { -+ // only NIST curves in FIPS mode -+ NamedGroup.SECP256_R1, -+ NamedGroup.SECP384_R1, -+ NamedGroup.SECP521_R1, - -- // FFDHE 2048 -- NamedGroup.FFDHE_2048, -- NamedGroup.FFDHE_3072, -- NamedGroup.FFDHE_4096, -- NamedGroup.FFDHE_6144, -- NamedGroup.FFDHE_8192, -- }; -- } else { -- groups = new NamedGroup[] { -- // NIST curves first -- NamedGroup.SECP256_R1, -- NamedGroup.SECP384_R1, -- NamedGroup.SECP521_R1, -- NamedGroup.SECT283_K1, -- NamedGroup.SECT283_R1, -- NamedGroup.SECT409_K1, -- NamedGroup.SECT409_R1, -- NamedGroup.SECT571_K1, -- NamedGroup.SECT571_R1, -- -- // non-NIST curves -- NamedGroup.SECP256_K1, -- -- // FFDHE 2048 -- NamedGroup.FFDHE_2048, -- NamedGroup.FFDHE_3072, -- NamedGroup.FFDHE_4096, -- NamedGroup.FFDHE_6144, -- NamedGroup.FFDHE_8192, -- }; -- } -+ // FFDHE 2048 -+ NamedGroup.FFDHE_2048, -+ NamedGroup.FFDHE_3072, -+ NamedGroup.FFDHE_4096, -+ NamedGroup.FFDHE_6144, -+ NamedGroup.FFDHE_8192, -+ }; - - groupList = new ArrayList<>(groups.length); - for (NamedGroup group : groups) { diff --git a/sources b/sources index ab26677..f0ca9b7 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
 SHA512 (systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz) = cf578221b77d8c7e019f69909bc86c419c5fb5e10bceba9592ff6e7f96887b0a7f07c9cefe90800975247a078785ca190fdec5c2d0f841bb447cee784b570f7d
-SHA512 (shenandoah-jdk11-shenandoah-jdk-11.0.5+2.tar.xz) = bb86dcb406d7f986180a9fc582b0c1eeeb37f71170ea76454151a278d3880ef5994db8fc971dc42f9fc11b12a08d202c1a22e1c5e4d8ce368c47f1e3c5964ea8
+SHA512 (shenandoah-jdk11-shenandoah-jdk-11.0.5+2-4curve.tar.xz) = 92fb6fbe86c40cfae1d7ad0a66234923a595f368ba3fccdeedef8194a20ddce162c6fd725c35d6be4ccba436c41f8753c2accd4cd82eeebf877504299c7908ea