diff --git a/.gitignore b/.gitignore index 09ab344..82100af 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz +SOURCES/jdk-updates-jdk11u-jdk-11.0.13+7-4curve.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index 42cb995..df078f3 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz +a460b6663729a172c3d9464b8dc5e6bf2f92ff98 SOURCES/jdk-updates-jdk11u-jdk-11.0.13+7-4curve.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 26c3f66..830abd1 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,331 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 11.0.13 (2021-10-19): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11013 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt + +* Other changes + - JDK-8024368: private methods are allocated vtable indices + - JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently + - JDK-8140466: ChaCha20 and Poly1305 TLS Cipher Suites + - JDK-8158066: SourceDebugExtensionTest fails to rename file + - JDK-8163326: Update the default enabled cipher suites preference + - JDK-8168304: Make all of DependencyContext_test available in product mode + - JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException + - JDK-8181313: SA: Remove libthread_db dependency on Linux + - JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9 + - JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException + - JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails + - JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received" + - JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes + - JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales. + - JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed + - JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64 + - JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration + - JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings + - JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test + - JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java + - JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java + - JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test + - JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test + - JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests + - JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests + - JDK-8210495: compiler crashes because of illegal signature in otherwise legal code + - JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout + - JDK-8210802: temp files left by tests in jdk/java/net/httpclient + - JDK-8210819: Update the host name in CNameTest.java + - JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test + - JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK + - JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'. + - JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected + - JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up + - JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang + - JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up + - JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12 + - JDK-8212695: Add explicit timeout to several HTTP Client tests + - JDK-8212718: Refactor some annotation processor tests to better use collections + - JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java + - JDK-8213137: Remove static initialization of monitor/mutex instances + - JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit + - JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests + - JDK-8213576: Make test AsyncCloseChannel.java run in othervm + - JDK-8213694: Test Timeout.java should run in othervm mode + - JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003 + - JDK-8213922: fix ctw stand-alone build + - JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java + - JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order + - JDK-8214937: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date + - JDK-8216532: tools/launcher/Test7029048.java fails (Solaris) + - JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests + - JDK-8218145: block_if_requested is not proper inlined due to size + - JDK-8219417: bump jtreg requiredVersion to b14 + - JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/ + - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException + - JDK-8220445: Support for side by side MSVC Toolset versions + - JDK-8221988: add possibility to build with Visual Studio 2019 + - JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods + - JDK-8224853: CDS address sanitizer errors + - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 + - JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions + - JDK-8225690: Multiple AttachListener threads can be created + - JDK-8225790: Two NestedDialogs tests fail on Ubuntu + - JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java + - JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly + - JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK + - JDK-8226683: Remove review suggestion from fix to 8219804 + - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134" + - JDK-8227766: CheckUnhandledOops is broken in MemAllocator + - JDK-8227815: Minimal VM: set_state is not a member of AttachListener + - JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes + - JDK-8230808: Remove Access::equals() + - JDK-8230841: Remove oopDesc::equals() + - JDK-8231717: Improve performance of charset decoding when charset is always compactable + - JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100% + - JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64) + - JDK-8233790: Forward output from heap dumper to jcmd/jmap + - JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java + - JDK-8234510: Remove file seeking requirement for writing a heap dump + - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file + - JDK-8235216: typo in test filename + - JDK-8235866: bump jtreg requiredVersion to 4.2b16 + - JDK-8236111: narrow allowSmartActionArgs disabling + - JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException + - JDK-8236671: NullPointerException in JKS keystore + - JDK-8238930: problem list compiler/c2/Test8004741.java + - JDK-8238943: switch to jtreg 5.0 + - JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test + - JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files + - JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration + - JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler + - JDK-8241768: git needs .gitattributes + - JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException + - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty" + - JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases + - JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]" + - JDK-8246387: switch to jtreg 5.1 + - JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob + - JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available + - JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open + - JDK-8248403: AArch64: Remove uses of kernel integer types + - JDK-8248414: AArch64: Remove uses of long and unsigned long ints + - JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model + - JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread + - JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC + - JDK-8248671: AArch64: Remove unused variables + - JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper + - JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply + - JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows + - JDK-8249548: backward focus traversal gets stuck in button group + - JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference + - JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id + - JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id + - JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id + - JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call + - JDK-8250824: AArch64: follow up for JDK-8248414 + - JDK-8251166: Add automated testcases for changes done in JDK-8214112 + - JDK-8251252: Add automated testcase for fix done in JDK-8214253 + - JDK-8251254: Add automated test for fix done in JDK-8218472 + - JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test + - JDK-8251549: Update docs on building for Git + - JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports() + - JDK-8252194: Add automated test for fix done in JDK-8218469 + - JDK-8252648: Shenandoah: name gang tasks consistently + - JDK-8252825: Add automated test for fix done in JDK-8218479 + - JDK-8252853: AArch64: gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1 + - JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent + - JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller + - JDK-8253424: Add support for running pre-submit testing using GitHub Actions + - JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165 + - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably + - JDK-8253899: Make IsClassUnloadingEnabled signature match specification + - JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image + - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command + - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow + - JDK-8254175: Build no-pch configuration in debug mode for submit checks + - JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation + - JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c + - JDK-8254282: Add Linux x86_32 builds to submit workflow + - JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments + - JDK-8254967: com.sun.net.HttpsServer spins on TLS session close + - JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1 + - JDK-8255305: Add Linux x86_32 tier1 to submit workflow + - JDK-8255352: Archive important test outputs in submit workflow + - JDK-8255373: Submit workflow artifact name is always "test-results_.zip" + - JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop + - JDK-8255718: Zero: VM should know it runs in interpreter-only mode + - JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux + - JDK-8255810: Zero: build fails without JVMTI + - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch + - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow + - JDK-8256215: Shenandoah: re-organize saving/restoring machine state in assembler code + - JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE + - JDK-8256277: Github Action build on macOS should define OS and Xcode versions + - JDK-8256354: Github Action build on Windows should define OS and MSVC versions + - JDK-8256393: Github Actions build on Linux should define OS and GCC versions + - JDK-8256414: add optimized build to submit workflow + - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing + - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors + - JDK-8257148: Remove obsolete code in AWTView.m + - JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 + - JDK-8257620: Do not use objc_msgSend_stret to get macOS version + - JDK-8257913: Add more known library locations to simplify Linux cross-compilation + - JDK-8258703: Incorrect 512-bit vector registers restore on x86_32 + - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test + - JDK-8259535: ECDSA SignatureValue do not always have the specified length + - JDK-8259679: GitHub actions should use MSVC 14.28 + - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386" + - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386" + - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) + - JDK-8260923: Add more tests for SSLSocket input/output shutdown + - JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention + - JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions + - JDK-8261238: NMT should not limit baselining by size threshold + - JDK-8261496: Shenandoah: reconsider pacing updates memory ordering + - JDK-8261652: Remove some dead comments from os_bsd_x86 + - JDK-8261846: [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream + - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space" + - JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8262392: Update Mesa 3-D Headers to version 21.0.3 + - JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception" + - JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows + - JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java + - JDK-8263136: C4530 was reported from VS 2019 at access bridge + - JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block + - JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers" + - JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X) + - JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems + - JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod + - JDK-8263531: Remove unused buffer int + - JDK-8263667: Avoid running GitHub actions on branches named pr/* + - JDK-8263776: [JVMCI] add helper to perform Java upcalls + - JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI + - JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M + - JDK-8265132: C2 compilation fails with assert "missing precedence edge" + - JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821 + - JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description + - JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter + - JDK-8265761: Font with missed font family name is not properly printed on Windows + - JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API + - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container + - JDK-8266018: Shenandoah: fix an incorrect assert + - JDK-8266206: Build failure after JDK-8264752 with older GCCs + - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5 + - JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong + - JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report + - JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation + - JDK-8266615: C2 incorrectly folds subtype checks involving an interface array + - JDK-8266642: Improve ResolvedMethodTable hash function + - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems + - JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted + - JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress + - JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header + - JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes + - JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance + - JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion + - JDK-8267424: CTW: C1 fails with "State must not be null" + - JDK-8267459: Pasting Unicode characters into JShell does not work. + - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type + - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file + - JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13 + - JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID + - JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly + - JDK-8268103: JNI functions incorrectly return a double after JDK-8265836 + - JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size + - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code + - JDK-8268360: Missing check for infinite loop during node placement + - JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop + - JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan + - JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check + - JDK-8268417: Add test from JDK-8268360 + - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance + - JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE + - JDK-8268620: InfiniteLoopException test may fail on x86 platforms + - JDK-8268635: Corrupt oop in ClassLoaderData + - JDK-8268699: Shenandoah: Add test for JDK-8268127 + - JDK-8268771: javadoc -notimestamp option does not work on index.html + - JDK-8268775: Password is being converted to String in AccessibleJPasswordField + - JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag + - JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server + - JDK-8269304: Regression ~5% in 2005 in b27 + - JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u + - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient + - JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in Windows debug build + - JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark + - JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation + - JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string + - JDK-8269661: JNI_GetStringCritical does not lock char array + - JDK-8269668: [aarch64] java.library.path not including /usr/lib64 + - JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV + - JDK-8269847: JDK-8269594 backport breaks 11u builds + - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 + - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers + - JDK-8269882: stack-use-after-scope in NewObjectA + - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status + - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode + - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup + - JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas + - JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas + - JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA + - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file + - JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies + - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon + - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj + - JDK-8272197: Update 11u GHA workflow with Shenandoah configurations + - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 + - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 + - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used + - JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32 + - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 + - JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u + - JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8271434: Removed IdenTrust Root Certificate +=============================================== +The following root certificate from IdenTrust has been removed from +the `cacerts` keystore: + +Alias Name: identrustdstx3 [jdk] +Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. + +JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280 +===================================================================================================== +The `gencert` command of the `keytool` utility has been updated to +create AKID from the SKID of the issuing certificate as specified by +RFC 5280. + +security-libs/javax.net.ssl: + +JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites +==================================================== +New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have +been added to JSSE. These cipher suites are enabled by default. The +TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. +The following cipher suites are available for TLS 1.2: + +* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + +Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for +details on these new TLS cipher suites. + +JDK-8219551: Updated the Default Enabled Cipher Suites Preference +================================================================= +The preference of the default enabled cipher suites has been +changed. The compatibility impact should be minimal. If needed, +applications can customize the enabled cipher suites and the +preference. For more details, refer to the SunJSSE provider +documentation and the JSSE Reference Guide documentation. + New in release OpenJDK 11.0.12 (2021-07-20): ============================================= Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch deleted file mode 100644 index ddf686c..0000000 --- a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001 -From: Severin Gehwolf -Date: Wed, 14 Jul 2021 12:06:39 +0200 -Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c - ---- - src/hotspot/os/linux/os_linux.cpp | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp -index e8baf704e3a..12b75b733b5 100644 ---- a/src/hotspot/os/linux/os_linux.cpp -+++ b/src/hotspot/os/linux/os_linux.cpp -@@ -413,8 +413,15 @@ void os::init_system_properties_values() { - // 7: The default directories, normally /lib and /usr/lib. - #if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390) - #define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib" -+#else -+#if defined(AARCH64) -+ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems -+ // might not adhere to the FHS and it would be a change in behaviour if we used -+ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths. -+ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64" - #else - #define DEFAULT_LIBPATH "/lib:/usr/lib" -+#endif // AARCH64 - #endif - - // Base path of extensions installed on the system. --- -2.31.1 - diff --git a/SOURCES/rh1991003-enable_fips_keys_import.patch b/SOURCES/rh1991003-enable_fips_keys_import.patch new file mode 100644 index 0000000..ac9bdb5 --- /dev/null +++ b/SOURCES/rh1991003-enable_fips_keys_import.patch @@ -0,0 +1,590 @@ +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index 53f32d12cc..28ab184617 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -82,6 +82,10 @@ public final class Security { + public boolean isSystemFipsEnabled() { + return SystemConfigurator.isSystemFipsEnabled(); + } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } + }); + + // doPrivileged here because there are multiple +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 5565acb7c6..874c6221eb 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -55,6 +55,7 @@ final class SystemConfigurator { + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + + private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; + + private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; + +@@ -149,6 +150,16 @@ final class SystemConfigurator { + } + loadedProps = true; + systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } + } + } catch (Exception e) { + if (sdebug != null) { +@@ -176,6 +187,19 @@ final class SystemConfigurator { + return systemFipsEnabled; + } + ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ + /* + * OpenJDK FIPS mode will be enabled only if the com.redhat.fips + * system property is true (default) and the system is in FIPS mode. +diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +index d8caa5640c..21bc6d0b59 100644 +--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -27,4 +27,5 @@ package jdk.internal.misc; + + public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); + } +diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +index ffee2c1603..ff3d5e0e4a 100644 +--- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ++++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +@@ -33,8 +33,13 @@ import java.security.KeyStore.*; + + import javax.net.ssl.*; + ++import jdk.internal.misc.SharedSecrets; ++ + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + X509ExtendedKeyManager keyManager; + boolean isInitialized; + +@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + KeyStoreException, NoSuchAlgorithmException, + UnrecoverableKeyException { + if ((ks != null) && SunJSSE.isFIPS()) { +- if (ks.getProvider() != SunJSSE.cryptoProvider) { ++ if (ks.getProvider() != SunJSSE.cryptoProvider && ++ !plainKeySupportEnabled) { + throw new KeyStoreException("FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); + } +@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + keyManager = new X509KeyManagerImpl( + Collections.emptyList()); + } else { +- if (SunJSSE.isFIPS() && +- (ks.getProvider() != SunJSSE.cryptoProvider)) { ++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) ++ && !plainKeySupportEnabled) { + throw new KeyStoreException( + "FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 0000000000..b848a1fd78 +--- /dev/null ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,290 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 1eca1f8f0a..72674a7330 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 04a369f453..8d2081abaa 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -150,16 +151,28 @@ public class PKCS11 { + + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index 3f501e9..1eb26d0 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -7,12 +7,12 @@ # Produce release, fastdebug *and* slowdebug builds on x86_64 (default): # $ rpmbuild -ba java-11-openjdk.spec # -# Produce only release builds (no debug builds) on x86_64: +# Produce only release builds (no slowdebug builds) on x86_64: # $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug # # Only produce a release build on x86_64: # $ rhpkg mockbuild --without slowdebug --without fastdebug -# + # Enable fastdebug builds by default on relevant arches. %bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. @@ -21,6 +21,8 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs +# Remove build artifacts by default +%bcond_with artifacts # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -120,7 +122,7 @@ # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 -# By default, we build a debug build during main build on JIT architectures +# By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} %ifarch %{debug_arches} %global include_debug_build 1 @@ -174,7 +176,7 @@ # If you disable both builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics -%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %if %{include_staticlibs} %global staticlibs_loop %{staticlibs_suffix} @@ -188,22 +190,28 @@ %global bootstrap_build 1 %endif -%if %{bootstrap_build} -%global release_targets bootcycle-images docs-zip -%else -%global release_targets images docs-zip -%endif -# No docs nor bootcycle for debug builds -%global debug_targets images - %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from # other targets since this target is configured to use in-tree # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib # and possibly others %global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} %endif +# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM +%global debug_symbols internal + +# unlike portables,the rpms have to use static_libs_target very dynamically +%global bootstrap_targets images +%global release_targets images docs-zip +# No docs nor bootcycle for debug builds +%global debug_targets images + +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 +%define _lto_cflags %{nil} # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 @@ -289,7 +297,7 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 12 +%global updatever 13 %global patchver 0 # If you bump featurever, you must bump also vendor_version_string # Used via new version scheme. JDK 11 was @@ -337,7 +345,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 4 +%global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -351,7 +359,7 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} # Omit trailing 0 in filenames when the patch version is 0 %if 0%{?patchver} > 0 @@ -366,7 +374,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global ea_designator "" %global ea_designator_zip "" @@ -387,6 +395,7 @@ %global static_libs_image static-libs # output dir stub %define buildoutputdir() %{expand:build/jdk11.build%{?1}} +%define installoutputdir() %{expand:install/jdk11.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -1022,12 +1031,8 @@ OrderWithRequires: copy-jdk-configs Requires: cups-libs # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(postun): chkconfig >= 1.7 # for optional support of kernel stream control, card reader and printing bindings %if 0%{?rhel} >= 8 Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa} @@ -1052,12 +1057,8 @@ Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(postun): chkconfig >= 1.7 # Standard JPackage devel provides Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} @@ -1098,6 +1099,7 @@ Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} %endif } @@ -1105,12 +1107,8 @@ Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install javadoc alternative Requires(post): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall javadoc alternative Requires(postun): %{alternatives_requires} -# in version 1.7 and higher for --family switch -Requires(postun): chkconfig >= 1.7 # Standard JPackage javadoc provides Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} @@ -1128,6 +1126,7 @@ Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} %endif } @@ -1149,7 +1148,9 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} Epoch: 1 Summary: %{origin_nice} %{featurever} Runtime Environment +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif # HotSpot code is licensed under GPLv2 # JDK library code is licensed under GPLv2 with the Classpath exception @@ -1217,7 +1218,7 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch Patch2: rh1648644-java_access_bridge_privileged_security.patch # NSS via SunPKCS11 Provider (disabled due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# enable build of speculative store bypass hardened alt-java +# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) Patch600: rh1750419-redhat_alt_java.patch # RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY Patch1003: rh1842572-rsa_default_for_keytool.patch @@ -1236,6 +1237,8 @@ Patch1008: rh1929465-improve_system_FIPS_detection.patch # RH1996182: Login to the NSS software token in FIPS mode Patch1009: rh1996182-login_to_nss_software_token.patch Patch1010: rh1996182-extend_security_policy.patch +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +Patch1011: rh1991003-enable_fips_keys_import.patch ############################################# # @@ -1269,8 +1272,6 @@ Patch7: pr3695-toggle_system_crypto_policy.patch # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64 -Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch BuildRequires: autoconf BuildRequires: automake @@ -1317,6 +1318,7 @@ BuildRequires: gcc >= 4.8.3-8 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel %endif +BuildRequires: make # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder @@ -1328,7 +1330,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_debug_build} %package slowdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_rpo -- %{debug_suffix_unquoted}} %description slowdebug @@ -1339,7 +1343,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_fastdebug_build} %package fastdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_rpo -- %{fastdebug_suffix_unquoted}} %description fastdebug @@ -1350,7 +1356,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_normal_build} %package headless Summary: %{origin_nice} %{featurever} Headless Runtime Environment +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_headless_rpo %{nil}} @@ -1385,7 +1393,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_normal_build} %package devel Summary: %{origin_nice} %{featurever} Development Environment -Group: Development/Tools +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif %{java_devel_rpo %{nil}} @@ -1396,7 +1406,9 @@ The %{origin_nice} %{featurever} development tools. %if %{include_debug_build} %package devel-slowdebug Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} -Group: Development/Tools +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif %{java_devel_rpo -- %{debug_suffix_unquoted}} @@ -1457,7 +1469,9 @@ The %{origin_nice} %{featurever} libraries for static linking. %if %{include_normal_build} %package jmods Summary: JMods for %{origin_nice} %{featurever} -Group: Development/Tools +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif %{java_jmods_rpo %{nil}} @@ -1468,7 +1482,9 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_debug_build} %package jmods-slowdebug Summary: JMods for %{origin_nice} %{featurever} %{debug_on} -Group: Development/Tools +%if 0%{?rhel} <= 8 +Group: Development/Languages +%endif %{java_jmods_rpo -- %{debug_suffix_unquoted}} @@ -1492,7 +1508,9 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_normal_build} %package demo Summary: %{origin_nice} %{featurever} Demos +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_demo_rpo %{nil}} @@ -1503,7 +1521,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_debug_build} %package demo-slowdebug Summary: %{origin_nice} %{featurever} Demos %{debug_on} +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_demo_rpo -- %{debug_suffix_unquoted}} @@ -1527,7 +1547,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_normal_build} %package src Summary: %{origin_nice} %{featurever} Source Bundle +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_src_rpo %{nil}} @@ -1539,7 +1561,9 @@ class library source code for use by IDE indexers and debuggers. %if %{include_debug_build} %package src-slowdebug Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} +%if 0%{?rhel} <= 8 Group: Development/Languages +%endif %{java_src_rpo -- %{debug_suffix_unquoted}} @@ -1563,7 +1587,9 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n %if %{include_normal_build} %package javadoc Summary: %{origin_nice} %{featurever} API documentation +%if 0%{?rhel} <= 8 Group: Documentation +%endif Requires: javapackages-filesystem Obsoletes: javadoc-debug @@ -1574,7 +1600,9 @@ The %{origin_nice} %{featurever} API documentation. %package javadoc-zip Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive +%if 0%{?rhel} <= 8 Group: Documentation +%endif Requires: javapackages-filesystem Obsoletes: javadoc-zip-debug @@ -1634,7 +1662,6 @@ pushd %{top_level_dir_name} %patch3 -p1 %patch4 -p1 %patch7 -p1 -%patch8 -p1 popd # openjdk %patch1000 @@ -1647,6 +1674,7 @@ popd # openjdk %patch1008 %patch1009 %patch1010 +%patch1011 # Extract systemtap tapsets %if %{with_systemtap} @@ -1658,7 +1686,6 @@ cp -r tapset tapset%{debug_suffix} cp -r tapset tapset%{fastdebug_suffix} %endif - for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` @@ -1727,45 +1754,33 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif +# Fixes annocheck warnings in assembler files due to missing build notes EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" export EXTRA_CFLAGS EXTRA_ASFLAGS -for suffix in %{build_loop} ; do -if [ "x$suffix" = "x" ] ; then - debugbuild=release -else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` -fi +function buildjdk() { + local outputdir=${1} + local installdir=${2} + local buildjdk=${3} + local maketargets="${4}" + local debuglevel=${5} + local link_opt=${6} -for loop in %{main_suffix} %{staticlibs_loop} ; do + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} -if test "x${loop}" = "x%{main_suffix}" ; then - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full - # Variable used by configure and hs_err hook on build failures - link_opt="system" - # Debug builds don't need same targets as release for - # build speed-up - maketargets="%{release_targets}" - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - fi -else - # Variable used by configure and hs_err hook on build failures - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" -fi + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" -top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} -top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} -mkdir -p ${top_dir_abs_build_path} -pushd ${top_dir_abs_build_path} + mkdir -p ${outputdir} ${installdir} + pushd ${outputdir} -bash ${top_dir_abs_src_path}/configure \ + bash ${top_dir_abs_src_path}/configure \ %ifnarch %{jit_arches} --with-jvm-variants=zero \ %endif @@ -1780,9 +1795,9 @@ bash ${top_dir_abs_src_path}/configure \ --with-vendor-url="%{oj_vendor_url}" \ --with-vendor-bug-url="%{oj_vendor_bug_url}" \ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ - --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ - --with-debug-level=$debugbuild \ - --with-native-debug-symbols=internal \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="%{debug_symbols}" \ --enable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ @@ -1801,54 +1816,121 @@ bash ${top_dir_abs_src_path}/configure \ --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \ --disable-warnings-as-errors -make \ - JAVAC_FLAGS=-g \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + cat spec.gmk -popd >& /dev/null + make \ + JAVAC_FLAGS=-g \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) -# Restore original source tree if we modified it by removing full in-tree sources -if [ -d %{top_level_dir_name_backup} ] ; then - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -fi + popd -done # end of main / staticlibs loop + echo "Installing build from ${outputdir} to ${installdir}..." + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + if [ -d ${outputdir}/docs ] ; then + echo "Installing docs..."; + mv ${outputdir}/docs ${installdir} ; + fi -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif +} -# the build (erroneously) removes read permissions from some jars -# this is a regression in OpenJDK 7 (our compiler): -# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; +function installjdk() { + local imagepath=${1} -# Build screws up permissions on binaries -# https://bugs.openjdk.java.net/browse/JDK-8173610 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; -find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; -# Install nss.cfg right away as we will be using the JRE above -export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; -# Install nss.cfg right away as we will be using the JRE above -install -m 644 nss.cfg $JAVA_HOME/conf/security/ + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ -# Use system-wide tzdata -rm $JAVA_HOME/lib/tzdb.dat -ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat -# Create fake alt-java as a placeholder for future alt-java -pushd ${JAVA_HOME} -# add alt-java man page -echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 -cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 -popd + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd +} + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + + systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk + + for loop in %{main_suffix} %{staticlibs_loop} ; do + + builddir=%{buildoutputdir -- ${suffix}${loop}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}${loop}} + bootinstalldir=boot${installdir} + + if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Use system libraries + link_opt="system" + # Debug builds don't need same targets as release for + # build speed-up + maketargets="%{release_targets}" + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + fi +%if %{bootstrap_build} + buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} + buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} + %{!?with_artifacts:rm -rf ${bootinstalldir}} +%else + buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} +%endif + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} + else + # Use bundled libraries for building statically + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" + # Always just do the one build for the static libraries + buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + fi + + done # end of main / staticlibs loop + + # Final setup on the main image + top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} + installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} # build cycles done # end of release / debug cycle loop @@ -1858,9 +1940,9 @@ done # end of release / debug cycle loop # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} %endif export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} @@ -1903,8 +1985,9 @@ readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c %endif +so_suffix="so" # Check debug symbols are present and can identify code -find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib do if [ -f "$lib" ] ; then echo "Testing $lib for debug symbols" @@ -1964,10 +2047,16 @@ quit end run -version EOF +%if 0%{?fedora} > 0 +# This fails on s390x for some reason. Disable for now. See: +# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227 +%ifnarch s390x grep 'JavaCallWrapper::JavaCallWrapper' gdb.out +%endif +%endif # Check src.zip has all sources. See RHBZ#1130490 -jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' +$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' # Check class files include useful debugging information $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" @@ -1987,9 +2076,9 @@ STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} %endif jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} @@ -2057,7 +2146,7 @@ if ! echo $suffix | grep -q "debug" ; then fi # Install release notes -commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir $suffix} +commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} install -d -m 755 ${commondocdir} cp -a %{SOURCE10} ${commondocdir} @@ -2237,7 +2326,6 @@ end %posttrans devel-slowdebug %{posttrans_devel -- %{debug_suffix_unquoted}} - %endif %if %{include_fastdebug_build} @@ -2333,7 +2421,6 @@ end %files src-slowdebug %{files_src -- %{debug_suffix_unquoted}} - %endif %if %{include_fastdebug_build} @@ -2363,6 +2450,49 @@ end %endif %changelog +* Tue Oct 12 2021 Andrew Hughes - 1:11.0.13.0.7-0.1.ea +- Update to jdk-11.0.13.0+7 +- Update release notes to 11.0.13.0+7 +- Resolves: rhbz#1999938 + +* Mon Oct 11 2021 Andrew Hughes - 1:11.0.13.0.1-0.1.ea +- Update to jdk-11.0.13.0+1 +- Update release notes to 11.0.13.0+1 +- Update tarball generation script to use git following OpenJDK 11u's move to github +- Switch to EA mode for 11.0.13 pre-release builds. +- Remove "-clean" suffix as no 11.0.13 builds are unclean. +- Drop JDK-8269668 patch which is now applied upstream. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-9 +- The bootstrap JDK is now in bootinstalldir, not bootbuilddir. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-9 +- Reduce disk footprint by removing build artifacts by default. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-8 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Related: rhbz#1999938 + +* Tue Oct 05 2021 Andrew Hughes - 1:11.0.12.0.7-7 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Resolves: rhbz#1991003 + +* Tue Oct 05 2021 Martin Balao - 1:11.0.12.0.7-7 +- Add patch to allow plain key import. +- Resolves: rhbz#1991003 + +* Mon Sep 06 2021 Jiri Vanek - 1:11.0.12.0.7-6 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#1999938 + +* Mon Sep 06 2021 Andrew Hughes - 1:11.0.12.0.7-5 +- Remove non-Free test from source tarball. +- Related: rhbz#1999938 + * Mon Aug 30 2021 Andrew Hughes - 1:11.0.12.0.7-4 - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc. - Resolves: rhbz#1997357