import java-11-openjdk-11.0.9.11-7.el8

CentOS Sources 2021-03-30 12:51:48 -04:00 committed by Stepan Oksanichenko
parent 9720487697
commit fcdb3429a4
17 changed files with 4577 additions and 172 deletions

2
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.8+3-4curve.tar.xz
SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz


@ -1,2 +1,2 @@
dd60a556a5258490eec471495e2f9aa16e4e9ec6 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.8+3-4curve.tar.xz
4a65c2e79897772480e91d1bc60aca9a4c7e20f2 SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

57
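--- a/SOURCES/CheckVendor.java
+++ b/SOURCES/CheckVendor.java
@@ -0,0 +1,57 @@
+/* CheckVendor -- Check the vendor properties match specified values.
+Copyright (C) 2020 Red Hat, Inc.
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+/**
+* @test
+*/
+public class CheckVendor {
+public static void main(String[] args) {
+if (args.length < 3) {
+System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL>");
+System.exit(1);
+}
+String vendor = System.getProperty("java.vendor");
+String expectedVendor = args[0];
+String vendorURL = System.getProperty("java.vendor.url");
+String expectedVendorURL = args[1];
+String vendorBugURL = System.getProperty("java.vendor.url.bug");
+String expectedVendorBugURL = args[2];
+if (!expectedVendor.equals(vendor)) {
+System.err.printf("Invalid vendor %s, expected %s\n",
+vendor, expectedVendor);
+System.exit(2);
+}
+if (!expectedVendorURL.equals(vendorURL)) {
+System.err.printf("Invalid vendor URL %s, expected %s\n",
+vendorURL, expectedVendorURL);
+System.exit(3);
+}
+if (!expectedVendorBugURL.equals(vendorBugURL)) {
+System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+vendorBugURL, expectedVendorBugURL);
+System.exit(4);
+}
+System.err.printf("Vendor information verified as %s, %s, %s\n",
+vendor, vendorURL, vendorBugURL);
+}
+}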
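Review bot: The third failure message in main is missing a space after `URL`, so a mismatch prints the label fused with the value (`Invalid vendor bug URL<value>, expected …`), which is awkward to read or grep for in a build log; it should read `System.err.printf("Invalid vendor bug URL %s, expected %s\n",` like the two messages above it. The checks also exit on the first mismatch, so a build with several wrong vendor properties reports them one run at a time. The values are read from the running JVM through `System.getProperty`, so the result presumably only describes the package when the test is run with the newly built java binary and without property overrides from the environment; a short comment above the class saying so would help.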


@ -3,6 +3,788 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 11.0.9 (2020-10-20):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1109
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.txt
* Security fixes
- JDK-8233624: Enhance JNI linkage
- JDK-8236196: Improve string pooling
- JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
- JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
- JDK-8237995, CVE-2020-14782: Enhance certificate processing
- JDK-8240124: Better VM Interning
- JDK-8241114, CVE-2020-14792: Better range handling
- JDK-8242680, CVE-2020-14796: Improved URI Support
- JDK-8242685, CVE-2020-14797: Better Path Validation
- JDK-8242695, CVE-2020-14798: Enhanced buffer support
- JDK-8243302: Advanced class supports
- JDK-8244136, CVE-2020-14803: Improved Buffer supports
- JDK-8244479: Further constrain certificates
- JDK-8244955: Additional Fix for JDK-8240124
- JDK-8245407: Enhance zoning of times
- JDK-8245412: Better class definitions
- JDK-8245417: Improve certificate chain handling
- JDK-8248574: Improve jpeg processing
- JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
- JDK-8253019: Enhanced JPEG decoding
* Other changes
- JDK-6532025: GIF reader throws misleading exception with truncated images
- JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop
- JDK-8022535: [TEST BUG] javax/swing/text/html/parser/Test8017492.java fails
- JDK-8062947: Fix exception message to correctly represent LDAP connection failure
- JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed
- JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/CloseServerSocket.java fails intermittently with Address already in use
- JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect
- JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider
- JDK-8172404: Tools should warn if weak algorithms are used before restricting them
- JDK-8193367: Annotated type variable bounds crash javac
- JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset
- JDK-8203026: java.rmi.NoSuchObjectException: no such object in table
- JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called
- JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass
- JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout
- JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java
- JDK-8204963: javax.swing.border.TitledBorder has a memory leak
- JDK-8204994: SA might fail to attach to process with "Windbg Error: WaitForEvent failed"
- JDK-8205534: Remove SymbolTable dependency from serviceability agent
- JDK-8206309: Tier1 SA tests fail
- JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java timed out
- JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1
- JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect
- JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent!
- JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful
- JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout
- JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2
- JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC
- JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java
- JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code
- JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3
- JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack
- JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests
- JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds
- JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout
- JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4
- JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject
- JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test
- JDK-8211694: JShell: Redeclared variable should be reset
- JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent
- JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest
- JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55
- JDK-8212807: tools/jar/multiRelease/Basic.java times out
- JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent)
- JDK-8213214: Set -Djava.io.tmpdir= when running tests
- JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found
- JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes
- JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface
- JDK-8214074: Ghash optimization using AVX instructions
- JDK-8214491: Upgrade to JLine 3.9.0
- JDK-8214797: TestJmapCoreMetaspace.java timed out
- JDK-8215243: JShell tests failing intermitently with \"Problem cleaning up the following threads:\"
- JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed
- JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions)
- JDK-8215438: jshell tool: Ctrl-D causes EOF
- JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows
- JDK-8216974: HttpConnection not returned to the pool after 204 response
- JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time
- JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs
- JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
- JDK-8221658: aarch64: add necessary predicate for ubfx patterns
- JDK-8221759: Crash when completing \"java.io.File.path\"
- JDK-8221918: runtime/SharedArchiveFile/serviceability/ReplaceCriticalClasses.java fails: Shared archive not found
- JDK-8222074: Enhance auto vectorization for x86
- JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp
- JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command
- JDK-8223688: JShell: crash on the instantiation of raw anonymous class
- JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error
- JDK-8223940: Private key not supported by chosen signature algorithm
- JDK-8224184: jshell got IOException at exiting with AIX
- JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc
- JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException
- JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions
- JDK-8226536: Catch OOM from deopt that fails rematerializing objects
- JDK-8226575: OperatingSystemMXBean should be made container aware
- JDK-8226697: Several tests which need the @key headful keyword are missing it.
- JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous
- JDK-8227059: sun/security/tools/keytool/DefaultSignatureAlgorithm.java timed out
- JDK-8227269: Slow class loading when running with JDWP
- JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to "exitValue = 6"
- JDK-8228448: Jconsole can't connect to itself
- JDK-8228967: Trust/Key store and SSL context utilities for tests
- JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow
- JDK-8229815: Upgrade Jline to 3.12.1
- JDK-8230000: some httpclients testng tests run zero test
- JDK-8230002: javax/xml/jaxp/unittest/transform/SecureProcessingTest.java runs zero test
- JDK-8230010: Remove jdk8037819/BasicTest1.java
- JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter
- JDK-8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?"
- JDK-8230767: FlightRecorderListener returns null recording
- JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java
- JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread
- JDK-8231586: enlarge encoding space for OopMapValue offsets
- JDK-8231953: Wrong assumption in assertion in oop::register_oop
- JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes
- JDK-8232083: Minimal VM is broken after JDK-8231586
- JDK-8232161: Align some one-way conversion in MS950 charset with Windows
- JDK-8232855: jshell missing word in /help help
- JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration
- JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
- JDK-8233386: Initialize NULL fields for unused decorations
- JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result
- JDK-8233686: XML transformer uses excessive amount of memory
- JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions
- JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment
- JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose
- JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater()
- JDK-8234058: runtime/CompressedOops/CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr
- JDK-8234149: Several regression tests do not dispose Frame at end
- JDK-8234347: "Turkey" meta time zone does not generate composed localized names
- JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/bug6980209.java fails in linux nightly
- JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC
- JDK-8234541: C1 emits an empty message when it inlines successfully
- JDK-8234687: change javap reporting on unknown attributes
- JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11
- JDK-8236548: Localized time zone name inconsistency between English and other locales
- JDK-8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575
- JDK-8237182: Update copyright header for shenandoah and epsilon files
- JDK-8237888: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval
- JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java
- JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response
- JDK-8238284: [macos] Zero VM build fails due to an obvious typo
- JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10
- JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10
- JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10
- JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes
- JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code
- JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method");
- JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD
- JDK-8240169: javadoc fails to link to non-modular api docs
- JDK-8240295: hs_err elapsed time in seconds is not accurate enough
- JDK-8240360: NativeLibraryEvent has wrong library name on Linux
- JDK-8240676: Meet not symmetric failure when running lucene on jdk8
- JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support
- JDK-8241065: Shenandoah: remove leftover code after JDK-8231086
- JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows
- JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException
- JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector
- JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark
- JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME
- JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure
- JDK-8241750: x86_32 build failure after JDK-8227269
- JDK-8242184: CRL generation error with RSASSA-PSS
- JDK-8242283: Can't start JVM when java home path includes non-ASCII character
- JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array
- JDK-8243029: Rewrite javax/net/ssl/compatibility/Compatibility.java with a flexible interop test framework
- JDK-8243138: Enhance BaseLdapServer to support starttls extended request
- JDK-8243320: Add SSL root certificates to Oracle Root CA program
- JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program
- JDK-8243389: enhance os::pd_print_cpu_info on linux
- JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment
- JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
- JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions
- JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows)
- JDK-8244087: 2020-04-24 public suffix list update
- JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26
- JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base
- JDK-8244196: adjust output in os_linux
- JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in
- JDK-8244287: JFR: Methods samples have line number 0
- JDK-8244703: "platform encoding not initialized" exceptions with debugger, JNI
- JDK-8244719: CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it"
- JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb
- JDK-8244763: Update --release 8 symbol information after JSR 337 MR3
- JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor
- JDK-8245151: jarsigner should not raise duplicate warnings on verification
- JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9
- JDK-8245714: "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch
- JDK-8245801: StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!"
- JDK-8245832: JDK build make-static-libs should build all JDK libraries
- JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan
- JDK-8245981: Upgrade to jQuery 3.5.1
- JDK-8246027: Minimal fastdebug build broken after JDK-8245801
- JDK-8246094: [macos] Sound Recording and playback is not working
- JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode
- JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
- JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError
- JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN
- JDK-8246330: Add TLS Tests for Legacy ECDSA curves
- JDK-8246453: TestClone crashes with "all collected exceptions must come from the same place"
- JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods
- JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node
- JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code
- JDK-8247615: Initialize the bytes left for the heap sampler
- JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand
- JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&'
- JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg
- JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention
- JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield
- JDK-8248348: Regression caused by the update to BCEL 6.0
- JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1
- JDK-8248495: [macos] zerovm is broken due to libffi headers location
- JDK-8248851: CMS: Missing memory fences between free chunk check and klass read
- JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows
- JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650
- JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows.
- JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
- JDK-8249255: Build fails if source code in cygwin home dir
- JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11
- JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
- JDK-8249560: Shenandoah: Fix racy GC request handling
- JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle
- JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases
- JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
- JDK-8250609: C2 crash in IfNode::fold_compares
- JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
- JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java
- JDK-8250787: Provider.put no longer registering aliases in FIPS env
- JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM
- JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk
- JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds
- JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher
- JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure
- JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U
- JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java
- JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase
- JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured"
- JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility
- JDK-8252258: [11u] JDK-8242154 changes the default vendor
- JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011
- JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11
- JDK-8253283: [11u] Test build/translations/VerifyTranslations.java failing after JDK-8252258
- JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes
Notes on individual issues:
===========================
core-libs/java.nio.charsets:
JDK-8240196: Modified the MS950 charset Encoder's Conversion Table
==================================================================
In this release, some of the one-way byte-to-char mappings have been
aligned with the preferred mappings provided by the Unicode Consortium
(https://unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/bestfit950.txt).
core-libs/java.util:i18n:
JDK-8238914: Localized Time Zone Name Inconsistency Between English and Other Locales
=====================================================================================
English time zone names provided by the CLDR locale provider are now
correctly synthesized following the CLDR spec, rather than substituted
from the COMPAT provider. For example, SHORT style names are no longer
synthesized abbreviations of LONG style names, but instead produce GMT
offset formats.
core-svc/java.lang.management:
JDK-8236876: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
============================================================================================
When executing in a container, or other virtualized operating
environment, the following `OperatingSystemMXBean` methods in this
release return container specific information, if
available. Otherwise, they return host specific data:
* getFreePhysicalMemorySize()
* getTotalPhysicalMemorySize()
* getFreeSwapSpaceSize()
* getTotalSwapSpaceSize()
* getSystemCpuLoad()
security-libs/java.security:
JDK-8250756: Added Entrust Root Certification Authority - G4 certificate
========================================================================
The Entrust root certificate has been added to the cacerts truststore:
Alias Name: entrustrootcag4
Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
JDK-8250860: Added 3 SSL Corporation Root CA Certificates
=========================================================
The following root certificates have been added to the cacerts truststore for the SSL Corporation:
Alias Name: sslrootrsaca
Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
Alias Name: sslrootevrsaca
Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
Alias Name: sslrooteccca
Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default
===================================================================================
Weak named curves are disabled by default by adding them to the
following `disabledAlgorithms` security properties:
* jdk.tls.disabledAlgorithms
* jdk.certpath.disabledAlgorithms
* jdk.jar.disabledAlgorithms
Red Hat has always disabled many of the curves provided by upstream,
so the only addition in this release is:
* secp256k1
The curves that remain enabled are:
* secp256r1
* secp384r1
* secp521r1
* X25519
* X448
When large numbers of weak named curves need to be disabled, adding
individual named curves to each `disabledAlgorithms` property would be
overwhelming. To relieve this, a new security property,
`jdk.disabled.namedCurves`, is implemented that can list the named
curves common to all of the `disabledAlgorithms` properties. To use
the new property in the `disabledAlgorithms` properties, precede the
full property name with the keyword `include`. Users can still add
individual named curves to `disabledAlgorithms` properties separate
from this new property. No other properties can be included in the
`disabledAlgorithms` properties.
To restore the named curves, remove the `include
jdk.disabled.namedCurves` either from specific or from all
`disabledAlgorithms` security properties. To restore one or more
curves, remove the specific named curve(s) from the
`jdk.disabled.namedCurves` property.
JDK-8244286: Tools Warn If Weak Algorithms Are Used Before Restricting Them
===========================================================================
The `keytool` and `jarsigner` tools have been updated to warn users
about weak cryptographic algorithms being used before they are
disabled. In this release, the tools issue warnings for the SHA-1 hash
algorithm and 1024-bit RSA/DSA keys.
security-libs/javax.net.ssl:
JDK-8242147: New System Properties to Configure the TLS Signature Schemes
=========================================================================
Two new system properties have been added to customize the TLS
signature schemes in JDK. `jdk.tls.client.SignatureSchemes` has been
added for the TLS client side, and `jdk.tls.server.SignatureSchemes`
has been added for the server side.
Each system property contains a comma-separated list of supported
signature scheme names specifying the signature schemes that could be
used for the TLS connections.
The names are described in the "Signature Schemes" section of the
*Java Security Standard Algorithm Names Specification*.
security-libs/javax.security:
JDK-8242059: Support for canonicalize in krb5.conf
==================================================
The 'canonicalize' flag in the [krb5.conf file][0] is now supported by
the JDK Kerberos implementation. When set to *true*, RFC 6806 [1] name
canonicalization is requested by clients in TGT requests to KDC
services (AS protocol). Otherwise, and by default, it is not
requested.
The new default behavior is different from previous releases where
name canonicalization was always requested by clients in TGT requests
to KDC services (provided that support for RFC 6806[1] was not
explicitly disabled with the *sun.security.krb5.disableReferrals*
system or security properties).
[0]: https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
[1]: https://tools.ietf.org/html/rfc6806
JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b
====================================================================
Following JDK's update to tzdata2020b, the long-obsolete files
pacificnew and systemv have been removed. As a result, the
"US/Pacific-New" zone name declared in the pacificnew data file is no
longer available for use.
Information regarding the update can be viewed at
https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
New in release OpenJDK 11.0.8 (2020-07-14):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/oj1108
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.8.txt
* Security fixes
- JDK-8230613: Better ASCII conversions
- JDK-8231800: Better listing of arrays
- JDK-8232014: Expand DTD support
- JDK-8233234: Better Zip Naming
- JDK-8233239, CVE-2020-14562: Enhance TIFF support
- JDK-8233255: Better Swing Buttons
- JDK-8234032: Improve basic calendar services
- JDK-8234042: Better factory production of certificates
- JDK-8234418: Better parsing with CertificateFactory
- JDK-8234836: Improve serialization handling
- JDK-8236191: Enhance OID processing
- JDK-8236867, CVE-2020-14573: Enhance Graal interface handling
- JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
- JDK-8237592, CVE-2020-14577: Enhance certificate verification
- JDK-8238002, CVE-2020-14581: Better matrix operations
- JDK-8238013: Enhance String writing
- JDK-8238804: Enhance key handling process
- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
- JDK-8238843: Enhanced font handing
- JDK-8238920, CVE-2020-14583: Better Buffer support
- JDK-8238925: Enhance WAV file playback
- JDK-8240119, CVE-2020-14593: Less Affine Transformations
- JDK-8240482: Improved WAV file playback
- JDK-8241379: Update JCEKS support
- JDK-8241522: Manifest improved jar headers redux
- JDK-8242136, CVE-2020-14621: Better XML namespace handling
* Other changes
- JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created
- JDK-7124307: JSpinner and changing value by mouse
- JDK-8022574: remove HaltNode code after uncommon trap calls
- JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails
- JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown
- JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
- JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo
- JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly
- JDK-8080353: JShell: Better error message on attempting to add default method
- JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled
- JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot
- JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout
- JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily
- JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping
- JDK-8175984: ICC_Profile has un-needed, not-empty finalize method
- JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments
- JDK-8183369: RFC unconformity of HttpURLConnection with proxy
- JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT
- JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently
- JDK-8191930: [Graal] emits unparseable XML into compile log
- JDK-8193879: Java debugger hangs on method invocation
- JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows
- JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
- JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows
- JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/WrongParentAfterRemoveMenu.java debug assert on Windows
- JDK-8198339: Test javax/swing/border/Test6981576.java is unstable
- JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801
- JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740
- JDK-8203672: JNI exception pending in PlainSocketImpl.c
- JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398
- JDK-8204834: Fix confusing "allocate" naming in OopStorage
- JDK-8205399: Set node color on pinned HashMap.TreeNode deletion
- JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure
- JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
- JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M
- JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages
- JDK-8209113: Use WeakReference for lastFontStrike for created Fonts
- JDK-8209333: Socket reset issue for TLS 1.3 socket close
- JDK-8209439: C2 library_call can potentially ignore Math.pow intrinsic or use null pointer
- JDK-8209534: [TESTBUG]runtime/appcds/cacheObject/ArchivedModuleCompareTest.java fails with EnableJVMCI.
- JDK-8210147: adjust some WSAGetLastError usages in windows network coding
- JDK-8210284: "assert((av & 0x00000001) == 0) failed: unsupported V8" on Solaris 11.4
- JDK-8210303: VM_HandshakeAllThreads fails assert with "failed: blocked and not walkable"
- JDK-8210515: [TESTBUG]CheckArchivedModuleApp.java needs to check if EnableJVMCI is set.
- JDK-8210788: Javadoc for Thread.join(long, int) should specify that it waits forever when both arguments are zero
- JDK-8211301: [macos] support full window content options
- JDK-8211332: Space for stub routines (code_size2) is too small on new Skylake CPUs
- JDK-8211339: NPE during SSL handshake caused by HostnameChecker
- JDK-8211392: compiler/profiling/spectrapredefineclass_classloaders/Launcher.java times out in JDK12 CI
- JDK-8211743: [AOT] crash in ScopeDesc::decode_body() when JVMTI walks AOT frames
- JDK-8212154: [TESTBUG] CheckArchivedModuleApp fails with NPE when JVMCI is absent
- JDK-8212167: JShell : Stack trace of exception has wrong line number
- JDK-8212933: Thread-SMR: requesting a VM operation whilst holding a ThreadsListHandle can cause deadlocks
- JDK-8212986: Make Visual Studio compiler check less strict
- JDK-8213250: CDS archive creation aborts due to metaspace object allocation failure
- JDK-8213516: jck test api/javax_accessibility/AccessibleState/fields.html fails intermittent
- JDK-8213947: ARM32: failed check_simd should set UsePopCountInstruction to false
- JDK-8214418: half-closed SSLEngine status may cause application dead loop
- JDK-8214440: ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate"
- JDK-8214444: Wrong strncat limits in dfa.cpp
- JDK-8214481: freetype path does not disable TrueType hinting with AA+FM hints
- JDK-8214571: -Xdoclint of array serialField gives "error: array type not allowed here"
- JDK-8214856: Errors with JSZip in web console after upgrade to 3.1.5
- JDK-8214862: assert(proj != __null) at compile.cpp:3251
- JDK-8215369: Jcstress pollute /var/tmp with temporary files.
- JDK-8215551: Missing case label in nmethod::reloc_string_for()
- JDK-8215555: TieredCompilation C2 threads can excessively block handshakes
- JDK-8215711: Missing key_share extension for (EC)DHE key exchange should alert missing_extension
- JDK-8216151: [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.org.graalvm.compiler.debug
- JDK-8216154: C4819 warnings at HotSpot sources on Windows
- JDK-8216541: CompiledICHolders of VM locked unloaded nmethods are released too late
- JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types()
- JDK-8217404: --with-jvm-features doesn't work when multiple features are explicitly disabled
- JDK-8217447: Develop flag TraceICs is broken
- JDK-8217606: LdapContext#reconnect always opens a new connection
- JDK-8218807: Compilation database (compile_commands.json) may contain obsolete items
- JDK-8219214: Infinite Loop in CodeSection::dump()
- JDK-8219904: ClassCastException when calling FlightRecorderMXBean#getRecordings()
- JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl
- JDK-8221121: applications/microbenchmarks are encountering crashes in tier5
- JDK-8221445: FastSysexMessage constructor crashes MIDI receiption thread
- JDK-8221482: Initialize VMRegImpl::regName[] earlier to prevent assert during PrintStubCode
- JDK-8221741: ClassCastException can happen when fontconfig.properties is used
- JDK-8221823: Requested JDialog width is ignored
- JDK-8223108: Test java/awt/EventQueue/NonComponentSourcePost.java is unstable
- JDK-8223935: PIT: java/awt/font/WindowsIndicFonts.java fails on windows10
- JDK-8224109: Text spaced incorrectly by drawString under rotation with fractional metric
- JDK-8224632: testbug: java/awt/dnd/RemoveDropTargetCrashTest/RemoveDropTargetCrashTest.java fails on MacOS
- JDK-8224793: os::die() does not honor CreateCoredumpOnCrash option
- JDK-8224847: gc/stress/TestReclaimStringsLeaksMemory.java fails with reserved greater than expected
- JDK-8224931: disable JAOTC invokedynamic support until 8223533 is fixed
- JDK-8224997: ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException
- JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020
- JDK-8225069: Remove Comodo root certificate that is expiring in May 2020
- JDK-8225126: Test SetBoundsPaintTest.html faild on Windows when desktop is scaled
- JDK-8225325: Add tests for redefining a class' private method during resolution of the bootstrap specifier
- JDK-8225622: [AOT] runtime/SharedArchiveFile/TestInterpreterMethodEntries.java crashed with AOTed java.base
- JDK-8225653: Provide more information when hitting SIGILL from HaltNode
- JDK-8225783: Incorrect use of binary operators on booleans in type.cpp
- JDK-8225789: Empty method parameter type should generate ClassFormatError
- JDK-8226198: use of & instead of && in LibraryCallKit::arraycopy_restore_alloc_state
- JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden.
- JDK-8226653: [accessibility] Can edit text cell correctly, but Accessibility Tool reads nothing about editor
- JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread
- JDK-8226879: Memory leak in Type::hashcons
- JDK-8227632: Incorrect PrintCompilation message: made not compilable on levels 0 1 2 3 4
- JDK-8228407: JVM crashes with shared archive file mismatch
- JDK-8228482: fix xlc16/xlclang comparison of distinct pointer types and string literal conversion warnings
- JDK-8228757: Fail fast if the handshake type is unknown
- JDK-8229158: make UseSwitchProfiling non-experimental or false by-default
- JDK-8229421: The logic of java/net/ipv6tests/TcpTest.java is flawed
- JDK-8229855: C2 fails with assert(false) failed: bad AD file
- JDK-8230591: AArch64: Missing intrinsics for Math.ceil, floor, rint
- JDK-8231118: ARM32: Math tests failures
- JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
- JDK-8231243: [TESTBUG] CustomFont.java cannot find font file
- JDK-8231438: [macOS] Dark mode for the desktop is not supported
- JDK-8231550: C2: ShouldNotReachHere() in verify_strip_mined_scheduling
- JDK-8231564: setMaximizedBounds is broken with large display scale and multiple monitors
- JDK-8231572: Use -lobjc instead of -fobjc-link-runtime in libosxsecurity
- JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE
- JDK-8231671: Fix copyright headers in hotspot (missing comma after year)
- JDK-8231720: Some perf regressions after 8225653
- JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
- JDK-8231863: Crash if classpath is read from @argument file and the main gets option argument
- JDK-8232080: jlink plugins for vendor information and run-time options
- JDK-8232106: [x86] C2: SIGILL due to usage of SSSE3 instructions on processors which don't support it
- JDK-8232134: Change to Visual Studio 2017 15.9.16 for building on Windows at Oracle
- JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail
- JDK-8232357: Compare version info of Santuario to legal notice
- JDK-8232572: Add hooks for custom output dir in Bundles.gmk
- JDK-8232634: Problem List ICMColorDataTest.java
- JDK-8232748: Build static versions of certain JDK libraries
- JDK-8232846: ProcessHandle.Info command with non-English shows question marks
- JDK-8233033: C2 produces wrong result while unswitching a loop due to lost control dependencies
- JDK-8233137: runtime/ErrorHandling/VeryEarlyAssertTest.java fails after 8232080
- JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing
- JDK-8233291: [TESTBUG] tools/jlink/plugins/VendorInfoPluginsTest.java fails with debug or non-server VMs
- JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp
- JDK-8233573: Toolkit.getScreenInsets(GraphicsConfiguration) may throw ClassCastException
- JDK-8233608: Minimal build broken after JDK-8233494
- JDK-8233621: Mismatch in jsse.enableMFLNExtension property name
- JDK-8233696: [TESTBUG]Some jtreg tests fail when CAPS_LOCK is ON
- JDK-8233707: systemScale.cpp could not compile with VS2019
- JDK-8233801: GCMEmptyIv.java test fails on Solaris 11.4
- JDK-8233880: Support compilers with multi-digit major version numbers
- JDK-8233920: MethodHandles::tryFinally generates illegal bytecode for long/double return type
- JDK-8234137: The "AutoTestOnTop.java" test may run external applications
- JDK-8234146: compiler/jsr292/ContinuousCallSiteTargetChange.java times out on SPARC
- JDK-8234184: [TESTBUG] java/awt/Mouse/EnterExitEvents/ModalDialogEnterExitEventsTest.java fails in Windows
- JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area
- JDK-8234332: [TESTBUG] java/awt/Focus/DisposedWindow/DisposeDialogNotActivateOwnerTest/DisposeDialogNotActivateOwnerTest.java fails on linux-x64 nightly
- JDK-8234398: Replace ID2D1Factory::GetDesktopDpi with GetDeviceCaps
- JDK-8234522: [macos] Crash with use of native file dialog
- JDK-8234691: Potential double-free in ParallelSPCleanupTask constructor
- JDK-8234696: tools/jlink/plugins/VendorInfoPluginsTest.java times out
- JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3
- JDK-8234728: Some security tests should support TLSv1.3
- JDK-8234779: Provide idiom for declaring classes noncopyable
- JDK-8234968: check calloc rv in libinstrument InvocationAdapter
- JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails
- JDK-8235183: Remove the "HACK CODE" in comment
- JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions
- JDK-8235311: Tag mismatch may alert bad_record_mac
- JDK-8235332: TestInstanceCloneAsLoadsStores.java fails with -XX:+StressGCM
- JDK-8235452: Strip mined loop verification fails with assert(is_OuterStripMinedLoop()) failed: invalid node class
- JDK-8235584: UseProfiledLoopPredicate fails with assert(_phase->get_loop(c) == loop) failed: have to be in the same loop
- JDK-8235620: Broken merge between JDK-8006406 and JDK-8003559
- JDK-8235638: NPE in LWWindowPeer.getOnscreenGraphics()
- JDK-8235686: Add more custom hooks in Bundles.gmk
- JDK-8235739: Rare NPE at WComponentPeer.getGraphics()
- JDK-8235762: JVM crash in SWPointer during C2 compilation
- JDK-8235834: IBM-943 charset encoder needs updating
- JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property.
- JDK-8235908: omit ThreadPriorityPolicy warning when value is set from image
- JDK-8235984: C2: assert(out->in(PhiNode::Region) == head || out->in(PhiNode::Region) == slow_head) failed: phi must be either part of the slow or the fast loop
- JDK-8236211: [Graal] compiler/graalunit/GraphTest.java is skipped in all testing
- JDK-8236470: Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId
- JDK-8236545: Compilation error in mach5 java/awt/FileDialog/MacOSGoToFolderCrash.java
- JDK-8236700: Upgrading JSZip from v3.1.5 to v3.2.2
- JDK-8236759: ShouldNotReachHere in PhaseIdealLoop::verify_strip_mined_scheduling
- JDK-8236897: Fix the copyright header for pkcs11gcm2.h
- JDK-8236921: Add build target to produce a JDK image suitable for a Graal/SVM build
- JDK-8236953: [macos] JavaFX SwingNode is not rendered on macOS
- JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing
- JDK-8237045: JVM uses excessive memory with -XX:+EnableJVMCI -XX:JVMCICounterSize=2147483648
- JDK-8237055: [TESTBUG] compiler/c2/TestJumpTable.java fails with release VMs
- JDK-8237086: assert(is_MachReturn()) running CTW with fix for JDK-8231291
- JDK-8237192: Generate stripped/public pdbs on Windows for jdk images
- JDK-8237396: JvmtiTagMap::weak_oops_do() should not trigger barriers
- JDK-8237474: Default SSLEngine should create in server role
- JDK-8237859: C2: Crash when loads float above range check
- JDK-8237951: CTW: C2 compilation fails with "malformed control flow"
- JDK-8237962: give better error output for invalid OCSP response intervals in CertPathValidator checks
- JDK-8238190: [JVMCI] Fix single implementor speculation for diamond shapes.
- JDK-8238356: CodeHeap::blob_count() overestimates the number of blobs
- JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01
- JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB
- JDK-8238575: DragSourceEvent.getLocation() returns wrong value on HiDPI screens (Windows)
- JDK-8238676: jni crashes on accessing it from process exit hook
- JDK-8238721: Add failing client jtreg tests to the Problem List
- JDK-8238738: AudioSystem.getMixerInfo() takes about 30 sec to report a gone audio device
- JDK-8238756: C2: assert(((n) == __null || !VerifyIterativeGVN || !((n)->is_dead()))) failed: can not use dead node
- JDK-8238765: PhaseCFG::schedule_pinned_nodes cannot handle precedence edges from unmatched CFG nodes correctly
- JDK-8238898: Missing hash characters for header on license file
- JDK-8238942: Rendering artifacts with LCD text and fractional metrics
- JDK-8238985: [TESTBUG] The arrow image is blue instead of green
- JDK-8239000: handle ContendedPaddingWidth in vm_version_ppc
- JDK-8239055: Wrong implementation of VMState.hasListener
- JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code.
- JDK-8239142: C2's UseUniqueSubclasses optimization is broken for array accesses
- JDK-8239224: libproc_impl.c previous_thr may be used uninitialized warning
- JDK-8239351: Give more meaningful InternalError messages in Deflater.c
- JDK-8239365: ProcessBuilder test modifications for AIX execution
- JDK-8239456: vtable stub generation: assert failure (code size estimate)
- JDK-8239457: call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect
- JDK-8239462: jdk.hotspot.agent misses some ReleaseStringUTFChars calls in case of early returns
- JDK-8239557: [TESTBUG] VeryEarlyAssertTest.java validating "END." marker at lastline is not always true
- JDK-8239787: AArch64: String.indexOf may incorrectly handle empty strings
- JDK-8239792: Bump update version for OpenJDK: jdk-11.0.8
- JDK-8239798: SSLSocket closes socket both socket endpoints on a SocketTimeoutException
- JDK-8239819: XToolkit: Misread of screen information memory
- JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed
- JDK-8239893: Windows handle Leak when starting processes using ProcessBuilder
- JDK-8239915: Zero VM crashes when handling dynamic constant
- JDK-8239931: [win][x86] vtable stub generation: assert failure (code size estimate) follow-up
- JDK-8239976: Put JDK-8239965 on the ProblemList.txt
- JDK-8240073: Fix 'test-make' build target in 11u
- JDK-8240197: Cannot start JVM when $JAVA_HOME includes CJK characters
- JDK-8240202: A few client tests leave mouse buttons pressed
- JDK-8240220: IdealLoopTree::dump_head predicate printing is broken
- JDK-8240223: Use consistent predicate order in and with PhaseIdealLoop::find_predicate
- JDK-8240227: Loop predicates should be copied to unswitched loops
- JDK-8240286: [TESTBUG] Test command error in hotspot/jtreg/compiler/loopopts/superword/SumRedAbsNeg_Float.java
- JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print
- JDK-8240529: CheckUnhandledOops breaks NULL check in Modules::define_module
- JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges
- JDK-8240603: Windows 32bit compile error after 8238676
- JDK-8240629: argfiles parsing broken for argfiles with comment cross 4096 bytes chunk
- JDK-8240711: TestJstatdPort.java failed due to "ExportException: Port already in use:"
- JDK-8240786: [TESTBUG] The test java/awt/Window/GetScreenLocation/GetScreenLocationTest.java fails on HiDPI screen
- JDK-8240824: enhance print_full_memory_info on Linux by THP related information
- JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE"
- JDK-8240905: assert(mem == (Node*)1 || mem == mem2) failed: multiple Memories being matched at once?
- JDK-8240972: macOS codesign fail on macOS 10.13.5 or older
- JDK-8241445: Fix copyright in test/jdk/tools/launcher/ArgFileSyntax.java
- JDK-8241458: [JVMCI] add mark value to expose CodeOffsets::Frame_Complete
- JDK-8241464: [11u] Backport: make rehashing be a needed guaranteed safepoint cleanup action
- JDK-8241556: Memory leak if -XX:CompileCommand is set
- JDK-8241568: (fs) UserPrincipalLookupService.lookupXXX failure with IOE "Operation not permitted"
- JDK-8241586: compiler/cpuflags/TestAESIntrinsicsOnUnsupportedConfig.java fails on aarch64
- JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set
- JDK-8241660: Add virtualization information output to hs_err file on macOS
- JDK-8241808: [TESTBUG] The JDK-8039467 bug appeared on macOS
- JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one
- JDK-8241900: Loop unswitching may cause dependence on null check to be lost
- JDK-8241948: enhance list of environment variables printed in hs_err file
- JDK-8241996: on linux set full relro in the linker flags
- JDK-8242108: Performance regression after fix for JDK-8229496
- JDK-8242141: New System Properties to configure the TLS signature schemes
- JDK-8242154: Backport parts of JDK-4947890 to OpenJDK 11u
- JDK-8242174: [macos] The NestedModelessDialogTest test make the macOS unstable
- JDK-8242239: [Graal] javax/management/generified/GenericTest.java fails: FAILED: queryMBeans sets same
- JDK-8242294: JSSE Client does not throw SSLException when an alert occurs during handshaking
- JDK-8242379: [TESTBUG] compiler/loopopts/TestLoopUnswitchingLostCastDependency.java fails with release VMs
- JDK-8242470: Update Xerces to Version 2.12.1
- JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
- JDK-8242541: Small charset issues (ISO8859-16, x-eucJP-Open, x-IBM834 and x-IBM949C)
- JDK-8242626: enhance posix print_rlimit_info
- JDK-8243059: Build fails when --with-vendor-name contains a comma
- JDK-8243539: Copyright info (Year) should be updated for fix of 8241638
- JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
- JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in
- JDK-8244520: problemlist java/awt/font/Rotate/RotatedFontTest.java on linux
- JDK-8244777: ClassLoaderStats VM Op uses constant hash value
- JDK-8244853: The static build of libextnet is missing the JNI_OnLoad_extnet function
- JDK-8244951: Missing entitlements for hardened runtime
- JDK-8245047: [PPC64] C2: ReverseBytes + Load always match to unordered Load (acquire semantics missing)
- JDK-8245649: Revert 8245397 backport of 8230591
- JDK-8246031: SSLSocket.getSession() doesn't close connection for timeout/ interrupts
- JDK-8246613: Choose the default SecureRandom algo based on registration ordering
- JDK-8248505: Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8244167: Removal of Comodo Root CA Certificate
==================================================
The following expired Comodo root CA certificate was removed from the `cacerts` keystore: +
alias name "addtrustclass1ca [jdk]"
Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
JDK-8244166: Removal of DocuSign Root CA Certificate
====================================================
The following expired DocuSign root CA certificate was removed from the `cacerts` keystore: +
alias name "keynectisrootca [jdk]"
Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
security-libs/javax.crypto:pkcs11:
JDK-8240191: Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database
============================================================================================================================
The SunPKCS11 security provider can now be initialized with NSS when
FIPS-enabled external modules are configured in the Security Modules
Database (NSSDB). Prior to this change, the SunPKCS11 provider would
throw a RuntimeException with the message: "FIPS flag set for
non-internal module" when such a library was configured for NSS in
non-FIPS mode.
This change allows the JDK to work properly with recent NSS releases
in GNU/Linux operating systems when the system-wide FIPS policy is
turned on.
Further information can be found in JDK-8238555.
security-libs/javax.net.ssl:
JDK-8245077: Default SSLEngine Should Create in Server Role
===========================================================
In JDK 11 and later, `javax.net.ssl.SSLEngine` by default used client
mode when handshaking. As a result, the set of default enabled
protocols may differ to what is expected. `SSLEngine` would usually be
used in server mode. From this JDK release onwards, `SSLEngine` will
default to server mode. The
`javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may
be used to configure the mode.
JDK-8242147: New System Properties to Configure the TLS Signature Schemes
=========================================================================
Two new System Properties are added to customize the TLS signature
schemes in JDK. `jdk.tls.client.SignatureSchemes` is added for TLS
client side, and `jdk.tls.server.SignatureSchemes` is added for server
side.
Each System Property contains a comma-separated list of supported
signature scheme names specifying the signature schemes that could be
used for the TLS connections.
The names are described in the "Signature Schemes" section of the
*Java Security Standard Algorithm Names Specification*.
New in release OpenJDK 11.0.7 (2020-04-14):
===========================================
Live versions of these release notes can be found at:


@ -0,0 +1,480 @@
# HG changeset patch
# User valeriep
# Date 1581468987 0
# Wed Feb 12 00:56:27 2020 +0000
# Node ID e47d22d82b0464720ccb7641e290080972b6ce88
# Parent 5c41dc4c48f85e5a1e1ce6e3836b54674f273367
8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
Summary: Removed killSession() calls in certain impl classes when cancelling operations
Reviewed-by: xuelei
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
@@ -1,4 +1,5 @@
-/* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+/*
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -334,25 +335,25 @@
}
private void cancelOperation() {
+ // cancel operation by finishing it; avoid killSession as some
+ // hardware vendors may require re-login
+ int bufLen = doFinalLength(0);
+ byte[] buffer = new byte[bufLen];
+ byte[] in = dataBuffer.toByteArray();
+ int inLen = in.length;
try {
- if (session.hasObjects() == false) {
- session = token.killSession(session);
- return;
+ if (encrypt) {
+ token.p11.C_Encrypt(session.id(), 0, in, 0, inLen,
+ 0, buffer, 0, bufLen);
} else {
- // cancel operation by finishing it
- int bufLen = doFinalLength(0);
- byte[] buffer = new byte[bufLen];
-
- if (encrypt) {
- token.p11.C_Encrypt(session.id(), 0, buffer, 0, bufLen,
- 0, buffer, 0, bufLen);
- } else {
- token.p11.C_Decrypt(session.id(), 0, buffer, 0, bufLen,
- 0, buffer, 0, bufLen);
- }
+ token.p11.C_Decrypt(session.id(), 0, in, 0, inLen,
+ 0, buffer, 0, bufLen);
}
} catch (PKCS11Exception e) {
- throw new ProviderException("Cancel failed", e);
+ if (encrypt) {
+ throw new ProviderException("Cancel failed", e);
+ }
+ // ignore failure for decryption
}
}
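Review bot: In the new `catch (PKCS11Exception e)` of `cancelOperation()`, the decrypt path discards every error, and the comment `// ignore failure for decryption` does not say which failure is expected. Presumably finishing the operation early makes the token's authentication check fail, but a session or device fault would be dropped silently in the same branch. I would state the reason in the comment, e.g. `// decrypt: an authentication failure is expected when the operation is finished early, so it is not reported`, and consider rethrowing anything other than that expected error code. The `cancelOperation()` hunk for P11Cipher.java further down uses the same encrypt-only rethrow; it continues past the visible text.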
@@ -434,18 +435,21 @@
if (!initialized) {
return;
}
+ initialized = false;
+
try {
if (session == null) {
return;
}
+
if (doCancel && token.explicitCancel) {
cancelOperation();
}
} finally {
p11Key.releaseKeyID();
session = token.releaseSession(session);
+ dataBuffer.reset();
}
- initialized = false;
}
// see JCE spec
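Review bot: The `dataBuffer.reset()` added to the `finally` block discards the buffered input only logically. If `dataBuffer` is a `ByteArrayOutputStream` (its declaration is outside the hunk), the bytes stay in the backing array, and the `in` copy that `cancelOperation()` takes with `toByteArray()` is also left for the garbage collector. For an encrypt operation that data is plaintext. Either state this in a comment such as `// reset() does not wipe the buffered bytes; they remain in memory until overwritten`, or clear the copy after the PKCS#11 call with `Arrays.fill(in, (byte) 0)`. The enclosing method starts before the hunk.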
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -409,10 +409,12 @@
return;
}
initialized = false;
+
try {
if (session == null) {
return;
}
+
if (doCancel && token.explicitCancel) {
cancelOperation();
}
@@ -426,22 +428,21 @@
private void cancelOperation() {
token.ensureValid();
- if (session.hasObjects() == false) {
- session = token.killSession(session);
- return;
- } else {
- try {
- // cancel operation by finishing it
- int bufLen = doFinalLength(0);
- byte[] buffer = new byte[bufLen];
- if (encrypt) {
- token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
- } else {
- token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
- }
- } catch (PKCS11Exception e) {
+ // cancel operation by finishing it; avoid killSession as some
+ // hardware vendors may require re-login
+ try {
+ int bufLen = doFinalLength(0);
+ byte[] buffer = new byte[bufLen];
+ if (encrypt) {
+ token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
+ } else {
+ token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
+ }
+ } catch (PKCS11Exception e) {
+ if (encrypt) {
throw new ProviderException("Cancel failed", e);
}
+ // ignore failure for decryption
}
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -124,10 +124,12 @@
return;
}
initialized = false;
+
try {
if (session == null) {
return;
}
+
if (doCancel && token.explicitCancel) {
cancelOperation();
}
@@ -139,15 +141,12 @@
private void cancelOperation() {
token.ensureValid();
- if (session.hasObjects() == false) {
- session = token.killSession(session);
- return;
- } else {
- try {
- token.p11.C_SignFinal(session.id(), 0);
- } catch (PKCS11Exception e) {
- throw new ProviderException("Cancel failed", e);
- }
+ // cancel operation by finishing it; avoid killSession as some
+ // hardware vendors may require re-login
+ try {
+ token.p11.C_SignFinal(session.id(), 0);
+ } catch (PKCS11Exception e) {
+ throw new ProviderException("Cancel failed", e);
}
}
@@ -209,7 +208,6 @@
ensureInitialized();
return token.p11.C_SignFinal(session.id(), 0);
} catch (PKCS11Exception e) {
- reset(true);
throw new ProviderException("doFinal() failed", e);
} finally {
reset(false);
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -223,10 +223,12 @@
return;
}
initialized = false;
+
try {
if (session == null) {
return;
}
+
if (doCancel && token.explicitCancel) {
cancelOperation();
}
@@ -242,14 +244,10 @@
token.ensureValid();
if (DEBUG) System.out.print("Cancelling operation");
- if (session.hasObjects() == false) {
- if (DEBUG) System.out.println(" by killing session");
- session = token.killSession(session);
- return;
- }
- // "cancel" operation by finishing it
- if (mode == M_SIGN) {
- try {
+ // cancel operation by finishing it; avoid killSession as some
+ // hardware vendors may require re-login
+ try {
+ if (mode == M_SIGN) {
if (type == T_UPDATE) {
if (DEBUG) System.out.println(" by C_SignFinal");
token.p11.C_SignFinal(session.id(), 0);
@@ -259,11 +257,7 @@
if (DEBUG) System.out.println(" by C_Sign");
token.p11.C_Sign(session.id(), digest);
}
- } catch (PKCS11Exception e) {
- throw new ProviderException("cancel failed", e);
- }
- } else { // M_VERIFY
- try {
+ } else { // M_VERIFY
byte[] signature =
new byte[(p11Key.length() + 7) >> 3];
if (type == T_UPDATE) {
@@ -275,10 +269,12 @@
if (DEBUG) System.out.println(" by C_Verify");
token.p11.C_Verify(session.id(), digest, signature);
}
- } catch (PKCS11Exception e) {
- // will fail since the signature is incorrect
- // XXX check error code
}
+ } catch (PKCS11Exception e) {
+ if (mode == M_SIGN) {
+ throw new ProviderException("cancel failed", e);
+ }
+ // ignore failure for verification
}
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -247,10 +247,12 @@
return;
}
initialized = false;
+
try {
if (session == null) {
return;
}
+
if (doCancel && token.explicitCancel) {
cancelOperation();
}
@@ -264,36 +266,33 @@
// state variables such as "initialized"
private void cancelOperation() {
token.ensureValid();
- if (session.hasObjects() == false) {
- session = token.killSession(session);
- return;
- } else {
- try {
- PKCS11 p11 = token.p11;
- int inLen = maxInputSize;
- int outLen = buffer.length;
- long sessId = session.id();
- switch (mode) {
- case MODE_ENCRYPT:
- p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
- break;
- case MODE_DECRYPT:
- p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
- break;
- case MODE_SIGN:
- byte[] tmpBuffer = new byte[maxInputSize];
- p11.C_Sign(sessId, tmpBuffer);
- break;
- case MODE_VERIFY:
- p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
- 0, outLen);
- break;
- default:
- throw new ProviderException("internal error");
- }
- } catch (PKCS11Exception e) {
- // XXX ensure this always works, ignore error
+ // cancel operation by finishing it; avoid killSession as some
+ // hardware vendors may require re-login
+ try {
+ PKCS11 p11 = token.p11;
+ int inLen = maxInputSize;
+ int outLen = buffer.length;
+ long sessId = session.id();
+ switch (mode) {
+ case MODE_ENCRYPT:
+ p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
+ break;
+ case MODE_DECRYPT:
+ p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
+ break;
+ case MODE_SIGN:
+ byte[] tmpBuffer = new byte[maxInputSize];
+ p11.C_Sign(sessId, tmpBuffer);
+ break;
+ case MODE_VERIFY:
+ p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
+ 0, outLen);
+ break;
+ default:
+ throw new ProviderException("internal error");
}
+ } catch (PKCS11Exception e) {
+ // XXX ensure this always works, ignore error
}
}
@@ -362,6 +361,7 @@
private int implDoFinal(byte[] out, int outOfs, int outLen)
throws BadPaddingException, IllegalBlockSizeException {
if (bufOfs > maxInputSize) {
+ reset(true);
throw new IllegalBlockSizeException("Data must not be longer "
+ "than " + maxInputSize + " bytes");
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -270,10 +270,12 @@
return;
}
initialized = false;
+
try {
if (session == null) {
return;
}
+
if (doCancel && token.explicitCancel) {
cancelOperation();
}
@@ -284,59 +286,51 @@
}
private void cancelOperation() {
-
token.ensureValid();
- if (session.hasObjects() == false) {
- session = token.killSession(session);
- return;
- } else {
- // "cancel" operation by finishing it
- // XXX make sure all this always works correctly
+ // cancel operation by finishing it; avoid killSession as some
+ // hardware vendors may require re-login
+ try {
if (mode == M_SIGN) {
- try {
- if (type == T_UPDATE) {
- token.p11.C_SignFinal(session.id(), 0);
- } else {
- byte[] digest;
- if (type == T_DIGEST) {
- digest = md.digest();
- } else { // T_RAW
- digest = buffer;
- }
- token.p11.C_Sign(session.id(), digest);
+ if (type == T_UPDATE) {
+ token.p11.C_SignFinal(session.id(), 0);
+ } else {
+ byte[] digest;
+ if (type == T_DIGEST) {
+ digest = md.digest();
+ } else { // T_RAW
+ digest = buffer;
}
- } catch (PKCS11Exception e) {
- throw new ProviderException("cancel failed", e);
+ token.p11.C_Sign(session.id(), digest);
}
} else { // M_VERIFY
byte[] signature;
- try {
- if (keyAlgorithm.equals("DSA")) {
- signature = new byte[40];
- } else {
- signature = new byte[(p11Key.length() + 7) >> 3];
+ if (keyAlgorithm.equals("DSA")) {
+ signature = new byte[40];
+ } else {
+ signature = new byte[(p11Key.length() + 7) >> 3];
+ }
+ if (type == T_UPDATE) {
+ token.p11.C_VerifyFinal(session.id(), signature);
+ } else {
+ byte[] digest;
+ if (type == T_DIGEST) {
+ digest = md.digest();
+ } else { // T_RAW
+ digest = buffer;
}
- if (type == T_UPDATE) {
- token.p11.C_VerifyFinal(session.id(), signature);
- } else {
- byte[] digest;
- if (type == T_DIGEST) {
- digest = md.digest();
- } else { // T_RAW
- digest = buffer;
- }
- token.p11.C_Verify(session.id(), digest, signature);
- }
- } catch (PKCS11Exception e) {
- long errorCode = e.getErrorCode();
- if ((errorCode == CKR_SIGNATURE_INVALID) ||
- (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
- // expected since signature is incorrect
- return;
- }
- throw new ProviderException("cancel failed", e);
+ token.p11.C_Verify(session.id(), digest, signature);
}
}
+ } catch (PKCS11Exception e) {
+ if (mode == M_VERIFY) {
+ long errorCode = e.getErrorCode();
+ if ((errorCode == CKR_SIGNATURE_INVALID) ||
+ (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
+ // expected since signature is incorrect
+ return;
+ }
+ }
+ throw new ProviderException("cancel failed", e);
}
}


@ -0,0 +1,32 @@
# HG changeset patch
# User thartmann
# Date 1604482955 -3600
# Node ID 27723943c0dd65a191cbefe031cec001521e4b13
# Parent e9d90c9daf895b469b461b727b6887e7780b4ac2
8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
Summary: Added missing NULL checks.
Reviewed-by: kvn, chagedorn
diff -r e9d90c9daf89 -r 27723943c0dd src/hotspot/share/opto/addnode.cpp
--- a/src/hotspot/share/opto/addnode.cpp Mon Nov 02 20:20:05 2020 +0100
+++ b/src/hotspot/share/opto/addnode.cpp Wed Nov 04 10:42:35 2020 +0100
@@ -917,7 +917,7 @@
// Transform MIN2(x + c0, MIN2(x + c1, z)) into MIN2(x + MIN2(c0, c1), z)
// if x == y and the additions can't overflow.
- if (phase->eqv(x,y) &&
+ if (phase->eqv(x,y) && tx != NULL &&
!can_overflow(tx, x_off) &&
!can_overflow(tx, y_off)) {
return new MinINode(phase->transform(new AddINode(x, phase->intcon(MIN2(x_off, y_off)))), r->in(2));
@@ -925,7 +925,7 @@
} else {
// Transform MIN2(x + c0, y + c1) into x + MIN2(c0, c1)
// if x == y and the additions can't overflow.
- if (phase->eqv(x,y) &&
+ if (phase->eqv(x,y) && tx != NULL &&
!can_overflow(tx, x_off) &&
!can_overflow(tx, y_off)) {
return new AddINode(x,phase->intcon(MIN2(x_off,y_off)));


@ -1,61 +0,0 @@
diff --git openjdk/src/hotspot/os/linux/os_linux.cpp openjdk/src/hotspot/os/linux/os_linux.cpp
--- openjdk/src/hotspot/os/linux/os_linux.cpp
+++ openjdk/src/hotspot/os/linux/os_linux.cpp
@@ -107,6 +107,8 @@
# include <inttypes.h>
# include <sys/ioctl.h>
+#include <sys/prctl.h>
+
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#include <sched.h>
@@ -4984,6 +4986,48 @@
extern void report_error(char* file_name, int line_no, char* title,
char* format, ...);
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() __attribute__((constructor));
+static void set_speculation() {
+ if ( prctl(PR_SET_SPECULATION_CTRL,
+ PR_SPEC_STORE_BYPASS,
+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ return;
+ }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+}
+
// this is called _before_ most of the global arguments have been parsed
void os::init(void) {
char dummy; // used to get a guess on initial stack address

View File

@ -1,6 +1,6 @@
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
--- openjdk.orig///src/java.base/share/classes/java/security/Security.java
+++ openjdk///src/java.base/share/classes/java/security/Security.java
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -196,26 +196,8 @@
if (disableSystemProps == null &&
"true".equalsIgnoreCase(props.getProperty
@ -32,7 +32,7 @@ diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.jav
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
--- /dev/null
+++ openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
@ -174,7 +174,7 @@ new file mode 100644
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false"));
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (fipsEnabled) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
@ -186,8 +186,8 @@ new file mode 100644
+ }
+}
diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
--- openjdk.orig///src/java.base/share/conf/security/java.security
+++ openjdk///src/java.base/share/conf/security/java.security
--- openjdk.orig/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -87,6 +87,14 @@
#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
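Review bot: In `enableFips()`, `Boolean.valueOf(System.getProperty("com.redhat.fips", "true"))` is false for every value other than `true`, so with the default now `"true"` a mistyped setting such as `-Dcom.redhat.fips=ture` or `=1` silently turns the FIPS alignment off. If only an explicit opt-out should disable it, use `boolean fipsEnabled = !"false".equalsIgnoreCase(System.getProperty("com.redhat.fips", "true"));`. In the same hunk, `new String(Files.readAllBytes(...))` decodes with the platform default charset; passing `StandardCharsets.UTF_8` would make the `^FIPS$` match independent of the locale. The body of `enableFips()` continues outside the hunk.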


@ -0,0 +1,111 @@
diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100
+++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100
@@ -41,6 +41,15 @@
OPTIMIZATION := HIGH, \
))
+$(eval $(call SetupBuildLauncher, alt-java, \
+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \
+ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \
+ LIBS_windows := user32.lib comctl32.lib, \
+ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
+ OPTIMIZATION := HIGH, \
+))
+
ifeq ($(OPENJDK_TARGET_OS), windows)
$(eval $(call SetupBuildLauncher, javaw, \
CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
diff -r 25e94aa812b2 src/share/bin/alt_main.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#ifdef REDHAT_ALT_JAVA
+
+#include <sys/prctl.h>
+
+
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() __attribute__((constructor));
+static void set_speculation() {
+ if ( prctl(PR_SET_SPECULATION_CTRL,
+ PR_SPEC_STORE_BYPASS,
+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ return;
+ }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+}
+
+#endif // REDHAT_ALT_JAVA
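Review bot: `set_speculation()` ignores the result of the fallback `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0)`, so when both calls fail the alt-java launcher starts without the speculative-store-bypass control and gives no indication. Since that control is the only thing this header adds, the failure should be visible, for example `if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) != 0) perror("alt-java: PR_SET_SPECULATION_CTRL");` (this needs `<stdio.h>`). A short comment above the function should also say why `PR_SPEC_DISABLE_NOEXEC` is tried first and `PR_SPEC_DISABLE` is the fallback.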
diff -r 25e94aa812b2 src/share/bin/main.c
--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300
+++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100
@@ -34,6 +34,10 @@
#include "jli_util.h"
#include "jni.h"
+#if defined(linux) && defined(__x86_64)
+#include "alt_main.h"
+#endif
+
#ifdef _MSC_VER
#if _MSC_VER > 1400 && _MSC_VER < 1600
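Review bot: The guard `#if defined(linux) && defined(__x86_64)` relies on the legacy `linux` macro, which GCC does not define in strict ISO modes such as `-std=c99`; if the launcher is ever built that way, `alt_main.h` is skipped without any error. The alt-java binary would then behave exactly like `java`. Prefer `#if defined(__linux__) && defined(__x86_64__)`. Consider also an `#error` when `REDHAT_ALT_JAVA` is defined on a target where the header is not included, so a build without the mitigation cannot pass unnoticed.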


@ -0,0 +1,52 @@
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
@@ -123,6 +123,33 @@
}
props.put(fipsProviderKey, fipsProviderValue);
}
+ // Add other security properties
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
+ if (keystoreTypeValue != null) {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+ // previous keystore.type under FIPS mode. In
+ // a default configuration, the Trust Store will
+ // be 'cacerts' (JKS type).
+ System.setProperty("javax.net.ssl.trustStoreType",
+ nonFipsKeystoreType);
+ }
+ if (sdebug != null) {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
loadedProps = true;
}
} catch (Exception e) {
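Review bot: `nonFipsKeystoreType` is null when `keystore.type` is absent from `props`, and `System.setProperty("javax.net.ssl.trustStoreType", nonFipsKeystoreType)` then throws `NullPointerException`. That exception is caught by the `catch (Exception e)` at the end of this hunk, after `keystore.type` and `javax.net.ssl.keyStore` have already been changed, so the FIPS configuration is left half applied with `loadedProps` still false. Guard the call with `if (nonFipsKeystoreType != null && System.getProperty("javax.net.ssl.trustStoreType") == null) {`. `javax.net.ssl.keyStore` is overwritten even when the user set it explicitly, so a comment such as `// intentionally overrides any user-supplied javax.net.ssl.keyStore` would make that choice clear. The enclosing method starts and ends outside the hunk.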
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
@@ -299,6 +299,11 @@
keystore.type=pkcs12
#
+# Default keystore type used when global crypto-policies are set to FIPS.
+#
+fips.keystore.type=PKCS11
+
+#
# Controls compatibility mode for JKS and PKCS12 keystore types.
#
# When set to 'true', both JKS and PKCS12 keystore types support loading


@ -0,0 +1,12 @@
diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -1122,7 +1122,7 @@
}
} else if (command == GENKEYPAIR) {
if (keyAlgName == null) {
- keyAlgName = "DSA";
+ keyAlgName = "RSA";
}
doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
kssave = true;


@ -0,0 +1,311 @@
diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
@@ -1,11 +1,13 @@
/*
- * Copyright (c) 2019, Red Hat, Inc.
+ * Copyright (c) 2019, 2020, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
@@ -34,10 +36,10 @@
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.function.Consumer;
-import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import jdk.internal.misc.SharedSecrets;
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
/**
@@ -47,7 +49,7 @@
*
*/
-class SystemConfigurator {
+final class SystemConfigurator {
private static final Debug sdebug =
Debug.getInstance("properties");
@@ -61,15 +63,16 @@
private static final String CRYPTO_POLICIES_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/config";
- private static final class SecurityProviderInfo {
- int number;
- String key;
- String value;
- SecurityProviderInfo(int number, String key, String value) {
- this.number = number;
- this.key = key;
- this.value = value;
- }
+ private static boolean systemFipsEnabled = false;
+
+ static {
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
}
/*
@@ -128,9 +131,9 @@
String nonFipsKeystoreType = props.getProperty("keystore.type");
props.put("keystore.type", keystoreTypeValue);
if (keystoreTypeValue.equals("PKCS11")) {
- // If keystore.type is PKCS11, javax.net.ssl.keyStore
- // must be "NONE". See JDK-8238264.
- System.setProperty("javax.net.ssl.keyStore", "NONE");
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
}
if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
// If no trustStoreType has been set, use the
@@ -144,12 +147,13 @@
sdebug.println("FIPS mode default keystore.type = " +
keystoreTypeValue);
sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
- System.getProperty("javax.net.ssl.keyStore", ""));
+ System.getProperty("javax.net.ssl.keyStore", ""));
sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
System.getProperty("javax.net.ssl.trustStoreType", ""));
}
}
loadedProps = true;
+ systemFipsEnabled = true;
}
} catch (Exception e) {
if (sdebug != null) {
@@ -160,13 +164,30 @@
return loadedProps;
}
+ /**
+ * Returns whether or not global system FIPS alignment is enabled.
+ *
+ * Value is always 'false' before java.security.Security class is
+ * initialized.
+ *
+ * Call from out of this package through SharedSecrets:
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ * .isSystemFipsEnabled();
+ *
+ * @return a boolean value indicating whether or not global
+ * system FIPS alignment is enabled.
+ */
+ static boolean isSystemFipsEnabled() {
+ return systemFipsEnabled;
+ }
+
/*
* FIPS is enabled only if crypto-policies are set to "FIPS"
* and the com.redhat.fips property is true.
*/
private static boolean enableFips() throws Exception {
- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (fipsEnabled) {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.internal.misc;
+
+public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
+}
diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300
@@ -76,6 +76,7 @@
private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
public static JavaUtilJarAccess javaUtilJarAccess() {
if (javaUtilJarAccess == null) {
@@ -361,4 +362,12 @@
}
return javaxCryptoSealedObjectAccess;
}
+
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
+ javaSecuritySystemConfiguratorAccess = jssca;
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ return javaSecuritySystemConfiguratorAccess;
+ }
}
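Review bot: `getJavaSecuritySystemConfiguratorAccess()` returns the raw field, which stays null until the static initializer of `SystemConfigurator` has run. The callers added in SSLContextImpl and SunJSSE dereference the result at once with `.isSystemFipsEnabled()`. The Javadoc added to `SystemConfigurator.isSystemFipsEnabled()` promises `false` before `java.security.Security` is initialized, but through this accessor the outcome would be a `NullPointerException`. Presumably the provider loading order makes this unreachable today; either have the getter force the initialization, as `javaUtilJarAccess()` in this hunk's context does with its null check, or document the contract with `// returns null until java.security.Security has been initialized`.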
diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300
@@ -31,6 +31,7 @@
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
+import jdk.internal.misc.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
@@ -542,20 +543,38 @@
static {
if (SunJSSE.isFIPS()) {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- );
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
- serverDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ }
} else {
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
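Review bot: The system-FIPS branch copies the protocol list and repeats the `SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled()` chain here and again in the `getSupportedProtocols()` and `getProtocols()` hunks, so the "no TLS 1.3 under system FIPS" rule now lives in several places that must be kept in step. Evaluating the flag once, for example `private static final boolean SYSTEM_FIPS = SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();`, and deriving the three lists from one array would leave a single point to change when TLS 1.3 becomes available in that mode. The static initializer continues outside the hunk.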
@@ -620,6 +639,16 @@
static ProtocolVersion[] getSupportedProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
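Review bot: The TLS 1.2/1.1/1.0 array returned here is another hand-written copy of the system-FIPS protocol set, which this patch also spells out twice in the static initializer above and once more in `getProtocols()` below. A later fix to one copy and not the others would leave different contexts offering different protocol versions in FIPS mode, which is hard to spot in review. I would define the set once, for example `private static final List<ProtocolVersion> SYSTEM_FIPS_PROTOCOLS = List.of(ProtocolVersion.TLS12, ProtocolVersion.TLS11, ProtocolVersion.TLS10);`, and build each result from it. The enclosing classes start outside these hunks, so where that constant can live needs checking against the full file.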
@@ -949,6 +978,16 @@
static ProtocolVersion[] getProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[]{
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300
@@ -27,6 +27,8 @@
import java.security.*;
import java.util.*;
+
+import jdk.internal.misc.SharedSecrets;
import sun.security.rsa.SunRsaSignEntries;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
import static sun.security.provider.SunEntries.createAliases;
@@ -195,8 +197,13 @@
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
ps("SSLContext", "TLSv1.2",
"sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
- ps("SSLContext", "TLSv1.3",
- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ ps("SSLContext", "TLSv1.3",
+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ }
ps("SSLContext", "TLS",
"sun.security.ssl.SSLContextImpl$TLSContext",
(isfips? null : createAliases("SSL")), null);


@ -0,0 +1,12 @@
diff -r eba0f976c468 -r 1fceafb49be5 src/java.base/share/classes/module-info.java
--- openjdk/src/java.base/share/classes/module-info.java Thu Jul 30 15:05:22 2020 +0200
+++ openjdk/src/java.base/share/classes/module-info.java Thu Aug 13 15:17:59 2020 +0200
@@ -132,6 +132,8 @@
// additional qualified exports may be inserted at build time
// see make/gensrc/GenModuleInfo.gmk
+ exports com.sun.crypto.provider to
+ jdk.crypto.cryptoki;
exports com.sun.security.ntlm to
java.security.sasl;
exports jdk.internal to
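Review bot: The new qualified export of `com.sun.crypto.provider` to `jdk.crypto.cryptoki` has no comment saying why the PKCS#11 module needs access to that package. Every other change in this patch set carries a bug reference next to the code, and an export that widens access to an internal crypto package is the one a later maintainer is most likely to question or remove. I would add a line above it such as `// RH<bug-id>: jdk.crypto.cryptoki uses <class> from com.sun.crypto.provider in system FIPS mode`, filled in with the real bug id and class. The matching `accessClassInPackage.com.sun.crypto.provider` grant in `default.policy` further down deserves the same reference.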


@ -0,0 +1,21 @@
diff -r e10f558e1df5 openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
--- openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 16:12:32 2020 +0100
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 15:17:50 2020 -0300
@@ -628,7 +628,7 @@
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
}
- reset(false);
+ reset(true);
throw new ProviderException("update() failed", e);
}
}
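Review bot: The switch from `reset(false)` to `reset(true)` on this error path, and on the identical one in the next hunk, is unexplained: the bare boolean does not tell a reader what now happens to the PKCS#11 operation when `update()` fails. The definition of `reset` is outside these hunks, so the meaning of the flag cannot be confirmed from here; presumably it cancels the in-progress operation so the session is not reused in a half-finished state. I would add a comment before each call, for example `// cancel the active operation so the session is left clean after a failed update`, worded to match what `reset` really does, together with the bug id that motivated the change.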
@@ -746,7 +746,7 @@
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
}
- reset(false);
+ reset(true);
throw new ProviderException("update() failed", e);
}
}


@ -0,0 +1,60 @@
# HG changeset patch
# User Zdenek Zambersky <zzambers@redhat.com>
# Date 1601403587 -7200
# Tue Sep 29 20:19:47 2020 +0200
# Node ID f77ac813eee61b2e9616b2d71a2c5372d0cbd158
# Parent d484fdfcc7d5c21812de8a0712236d077b0f2dde
Fixed default policy for jdk.crypto.cryptoki
diff -r d484fdfcc7d5 -r f77ac813eee6 src/java.base/share/lib/security/default.policy
--- openjdk.orig/src/java.base/share/lib/security/default.policy Wed Sep 02 07:36:15 2020 +0200
+++ openjdk/src/java.base/share/lib/security/default.policy Tue Sep 29 20:19:47 2020 +0200
@@ -124,6 +124,8 @@
grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";
# HG changeset patch
# User Zdenek Zambersky <zzambers@redhat.com>
# Date 1601419086 -7200
# Wed Sep 30 00:38:06 2020 +0200
# Node ID 02c8b154f728be3dd06239a98519d654e2127186
# Parent f77ac813eee61b2e9616b2d71a2c5372d0cbd158
P11Util: Create provider in priviledged block
diff -r f77ac813eee6 -r 02c8b154f728 src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Tue Sep 29 20:19:47 2020 +0200
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Wed Sep 30 00:38:06 2020 +0200
@@ -87,14 +87,20 @@
}
p = Security.getProvider(providerName);
if (p == null) {
- try {
- @SuppressWarnings("deprecation")
- Object o = Class.forName(className).newInstance();
- p = (Provider)o;
- } catch (Exception e) {
- throw new ProviderException
- ("Could not find provider " + providerName, e);
- }
+ p = AccessController.doPrivileged(
+ new PrivilegedAction<Provider>() {
+ public Provider run() {
+ try {
+ @SuppressWarnings("deprecation")
+ Object o = Class.forName(className).newInstance();
+ return (Provider) o;
+ } catch (Exception e) {
+ throw new ProviderException
+ ("Could not find provider " + providerName, e);
+ }
+ }
+ }
+ );
}
return p;
}
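Review bot: The new `doPrivileged` block around `Class.forName(className).newInstance()` loads and instantiates a class with this module's permissions regardless of who is on the call stack, so it is only safe if `className` can never be influenced from outside this class. The enclosing method starts outside the hunk, so neither its visibility nor its callers can be checked here. I would state the invariant above the block, for example `// className is always one of the fixed provider class names passed from within P11Util, never caller-supplied`, and confirm the method is private. The block should stay as narrow as it is now, covering only the instantiation.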
