Update generate_source_tarball.sh script to use the PR3751 patch and retain the secp256k1 curve.

Regenerate source tarball using the updated script and add the '-4curve' suffix.
PR3751 includes the changes in the PR1834/RH1022017 patch which is removed.
Andrew John Hughes 2019-10-14 07:13:20 +01:00
parent ae98effbfe
commit c82830aa65
5 changed files with 27 additions and 92 deletions

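--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@
 /shenandoah-jdk11-shenandoah-jdk-11.0.4+11.tar.xz
 /shenandoah-jdk11-shenandoah-jdk-11.0.5+1.tar.xz
 /shenandoah-jdk11-shenandoah-jdk-11.0.5+2.tar.xz
+/shenandoah-jdk11-shenandoah-jdk-11.0.5+2-4curve.tar.xz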


@ -4,7 +4,7 @@
# Example: # Example:
# When used from local repo set REPO_ROOT pointing to file:// with your repo # When used from local repo set REPO_ROOT pointing to file:// with your repo
# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL # If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL
# If you want to use a local copy of patch PR3681, set the path to it in the PR3681 variable # If you want to use a local copy of patch PR3751, set the path to it in the PR3751 variable
# #
# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: # In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
# PROJECT_NAME=jdk # PROJECT_NAME=jdk
@ -26,9 +26,9 @@
# level folder, name is created, based on parameter # level folder, name is created, based on parameter
# #
if [ ! "x$PR3681" = "x" ] ; then if [ ! "x$PR3751" = "x" ] ; then
if [ ! -f "$PR3681" ] ; then if [ ! -f "$PR3751" ] ; then
echo "You have specified PR3681 as $PR3681 but it does not exist. Exiting" echo "You have specified PR3751 as $PR3751 but it does not exist. Exiting"
exit 1 exit 1
fi fi
fi fi
@ -48,7 +48,7 @@ if [ "x$1" = "xhelp" ] ; then
echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)" echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)"
echo "TO_COMPRESS - what part of clone to pack (default is openjdk)" echo "TO_COMPRESS - what part of clone to pack (default is openjdk)"
echo "PR3681 - the path to the PR3681 patch to apply (optional; downloaded if unavailable)" echo "PR3751 - the path to the PR3751 patch to apply (optional; downloaded if unavailable)"
exit 1; exit 1;
fi fi
@ -126,18 +126,17 @@ pushd "${FILE_NAME_ROOT}"
rm -vf ${CRYPTO_PATH}/ecp_224.c rm -vf ${CRYPTO_PATH}/ecp_224.c
echo "Syncing EC list with NSS" echo "Syncing EC list with NSS"
if [ "x$PR3681" = "x" ] ; then if [ "x$PR3751" = "x" ] ; then
# orriginally for 8: # get pr3751.patch (from http://icedtea.classpath.org/hg/icedtea11) from most correct tag
# get pr3681.patch (from http://icedtea.classpath.org/hg/icedtea11) from most correct tag # Do not push it or publish it (see http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3751)
# Do not push it or publish it (see http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3681) echo "PR3751 not found. Downloading..."
echo "PR3681 not found. Downloading..." wget http://icedtea.classpath.org/hg/icedtea11/raw-file/tip/patches/pr3751.patch
wget http://icedtea.classpath.org/hg/icedtea11/raw-file/tip/patches/pr3681.patch echo "Applying ${PWD}/pr3751.patch"
echo "Applying ${PWD}/pr3681.patch" patch -Np1 < pr3751.patch
patch -Np1 < pr3681.patch rm pr3751.patch
rm pr3681.patch
else else
echo "Applying ${PR3681}" echo "Applying ${PR3751}"
patch -Np1 < $PR3681 patch -Np1 < $PR3751
fi; fi;
find . -name '*.orig' -exec rm -vf '{}' ';' find . -name '*.orig' -exec rm -vf '{}' ';'
popd popd
@ -149,8 +148,9 @@ pushd "${FILE_NAME_ROOT}"
else else
SWITCH=czf SWITCH=czf
fi fi
tar --exclude-vcs -$SWITCH ${FILE_NAME_ROOT}.tar.${COMPRESSION} $TO_COMPRESS TARBALL_NAME=${FILE_NAME_ROOT}-4curve.tar.${COMPRESSION}
mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} .. tar --exclude-vcs -$SWITCH ${TARBALL_NAME} $TO_COMPRESS
mv ${TARBALL_NAME} ..
popd popd
echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT." echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
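Review bot: In the hunk at `@ -126,18 +126,17 @`, the download branch fetches `pr3751.patch` over plain `http://` from the moving `tip` revision and feeds it straight to `patch -Np1` with no integrity check, so the patch that decides which EC curve sources remain in the published tarball is neither authenticated nor reproducible. The rename carries this pattern over unchanged from the PR3681 version. Pin the URL to a fixed changeset instead of `tip` and verify a recorded digest before applying, e.g. `echo "<expected-sha256>  pr3751.patch" | sha256sum -c - || exit 1` (the digest is a placeholder), and switch to `https://` if the host serves it. No check of the `wget` exit status is visible in the hunk either, and the else branch should quote the user-supplied path as `patch -Np1 < "$PR3751"`. The script continues outside the visible hunks, so a `set -e` or an earlier guard may exist that this view does not show.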


@ -223,7 +223,7 @@
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global minorver 0 %global minorver 0
%global buildver 2 %global buildver 2
%global rpmrelease 1 %global rpmrelease 2
#%%global tagsuffix "" #%%global tagsuffix ""
# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
%if %is_system_jdk %if %is_system_jdk
@ -995,7 +995,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) and source8 (jdk's taspets) run update_package.sh # to regenerate source0 (jdk) and source8 (jdk's taspets) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz
Source8: systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz Source8: systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
# Desktop files. Adapted from IcedTea # Desktop files. Adapted from IcedTea
@ -1030,10 +1030,6 @@ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes # Restrict access to java-atk-wrapper classes
Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch2: rh1648644-java_access_bridge_privileged_security.patch
# PR1834, RH1022017: Reduce curves reported by SSL to those in NSS
# Not currently suitable to go upstream as it disables curves
# for all providers unconditionally
Patch525: rh1022017-reduce_ssl_curves.patch
############################################# #############################################
# #
@ -1293,7 +1289,6 @@ pushd %{top_level_dir_name}
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch525 -p1
popd # openjdk popd # openjdk
%patch1000 %patch1000
@ -1833,6 +1828,11 @@ require "copy_jdk_configs.lua"
%changelog %changelog
* Tue Aug 27 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.5.2-0.2.ea
- Update generate_source_tarball.sh script to use the PR3751 patch and retain the secp256k1 curve.
- Regenerate source tarball using the updated script and add the -'4curve' suffix.
- PR3751 includes the changes in the PR1834/RH1022017 patch which is removed.
* Sat Aug 24 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.5.2-0.1.ea * Sat Aug 24 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.5.2-0.1.ea
- Update to shenandoah-jdk-11.0.5+2 (EA) - Update to shenandoah-jdk-11.0.5+2 (EA)


@ -1,66 +0,0 @@
diff --git openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
--- openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
+++ openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
@@ -515,50 +515,19 @@
}
} else { // default groups
NamedGroup[] groups;
- if (requireFips) {
- groups = new NamedGroup[] {
- // only NIST curves in FIPS mode
- NamedGroup.SECP256_R1,
- NamedGroup.SECP384_R1,
- NamedGroup.SECP521_R1,
- NamedGroup.SECT283_K1,
- NamedGroup.SECT283_R1,
- NamedGroup.SECT409_K1,
- NamedGroup.SECT409_R1,
- NamedGroup.SECT571_K1,
- NamedGroup.SECT571_R1,
+ groups = new NamedGroup[] {
+ // only NIST curves in FIPS mode
+ NamedGroup.SECP256_R1,
+ NamedGroup.SECP384_R1,
+ NamedGroup.SECP521_R1,
- // FFDHE 2048
- NamedGroup.FFDHE_2048,
- NamedGroup.FFDHE_3072,
- NamedGroup.FFDHE_4096,
- NamedGroup.FFDHE_6144,
- NamedGroup.FFDHE_8192,
- };
- } else {
- groups = new NamedGroup[] {
- // NIST curves first
- NamedGroup.SECP256_R1,
- NamedGroup.SECP384_R1,
- NamedGroup.SECP521_R1,
- NamedGroup.SECT283_K1,
- NamedGroup.SECT283_R1,
- NamedGroup.SECT409_K1,
- NamedGroup.SECT409_R1,
- NamedGroup.SECT571_K1,
- NamedGroup.SECT571_R1,
-
- // non-NIST curves
- NamedGroup.SECP256_K1,
-
- // FFDHE 2048
- NamedGroup.FFDHE_2048,
- NamedGroup.FFDHE_3072,
- NamedGroup.FFDHE_4096,
- NamedGroup.FFDHE_6144,
- NamedGroup.FFDHE_8192,
- };
- }
+ // FFDHE 2048
+ NamedGroup.FFDHE_2048,
+ NamedGroup.FFDHE_3072,
+ NamedGroup.FFDHE_4096,
+ NamedGroup.FFDHE_6144,
+ NamedGroup.FFDHE_8192,
+ };
groupList = new ArrayList<>(groups.length);
for (NamedGroup group : groups) {


@ -1,2 +1,2 @@
SHA512 (systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz) = cf578221b77d8c7e019f69909bc86c419c5fb5e10bceba9592ff6e7f96887b0a7f07c9cefe90800975247a078785ca190fdec5c2d0f841bb447cee784b570f7d SHA512 (systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz) = cf578221b77d8c7e019f69909bc86c419c5fb5e10bceba9592ff6e7f96887b0a7f07c9cefe90800975247a078785ca190fdec5c2d0f841bb447cee784b570f7d
SHA512 (shenandoah-jdk11-shenandoah-jdk-11.0.5+2.tar.xz) = bb86dcb406d7f986180a9fc582b0c1eeeb37f71170ea76454151a278d3880ef5994db8fc971dc42f9fc11b12a08d202c1a22e1c5e4d8ce368c47f1e3c5964ea8 SHA512 (shenandoah-jdk11-shenandoah-jdk-11.0.5+2-4curve.tar.xz) = 92fb6fbe86c40cfae1d7ad0a66234923a595f368ba3fccdeedef8194a20ddce162c6fd725c35d6be4ccba436c41f8753c2accd4cd82eeebf877504299c7908ea