rpms/java-17-openjdk
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import java-17-openjdk-17.0.2.0.8-15.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-05-10 02:59:36 -04:00 committed by Stepan Oksanichenko
parent 806b0e8864
commit d8bb67f343
10 changed files with 910 additions and 684 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

2
.java-17-openjdk.metadata
View File

@ -1,2 +1,2 @@
15b13a23d8a862fc881ab110858c0054cf34180e SOURCES/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
47c1e3a97ba6f63908c2a9f55e1514b52f0b8333 SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

204
SOURCES/NEWS
View File

@ -3,210 +3,6 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 17.0.3 (2022-04-19):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1703
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt
* Security fixes
- JDK-8269938: Enhance XML processing passes redux
- JDK-8270504, CVE-2022-21426: Better XPath expression handling
- JDK-8272255: Completely handle MIDI files
- JDK-8272261: Improve JFR recording file processing
- JDK-8272588: Enhanced recording parsing
- JDK-8272594: Better record of recordings
- JDK-8274221: More definite BER encodings
- JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
- JDK-8275151, CVE-2022-21443: Improved Object Identification
- JDK-8277227: Better identification of OIDs
- JDK-8277233, CVE-2022-21449: Improve ECDSA signature support
- JDK-8277672, CVE-2022-21434: Better invocation handler handling
- JDK-8278356: Improve file creation
- JDK-8278449: Improve keychain support
- JDK-8278798: Improve supported intrinsic
- JDK-8278805: Enhance BMP image loading
- JDK-8278972, CVE-2022-21496: Improve URL supports
- JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
* Other changes
- JDK-8177814: jdk/editpad is not in jdk TEST.groups
- JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
- JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently
- JDK-8225559: assertion error at TransTypes.visitApply
- JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
- JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails
- JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
- JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1
- JDK-8251216: Implement MD5 intrinsics on AArch64
- JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
- JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
- JDK-8263567: gtests don't terminate the VM safely
- JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
- JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups
- JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it
- JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only
- JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM
- JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file
- JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java
- JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long'
- JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error
- JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects"
- JDK-8270117: Broken jtreg link in "Building the JDK" page
- JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
- JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity
- JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
- JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
- JDK-8271506: Add ResourceHashtable support for deleting selected entries
- JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests
- JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
- JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates
- JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
- JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication
- JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code
- JDK-8272600: (test) Use native "sleep" in Basic.java
- JDK-8272866: java.util.random package summary contains incorrect mixing function in table
- JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
- JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt
- JDK-8273277: C2: Move conditional negation into rc_predicate
- JDK-8273341: Update Siphash to version 1.0
- JDK-8273351: bad tag in jdk.random module-info.java
- JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12
- JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm
- JDK-8273387: remove some unreferenced gtk-related functions
- JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
- JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
- JDK-8273526: Extend the OSContainer API pids controller with pids.current
- JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java
- JDK-8273655: content-types.properties files are missing some common types
- JDK-8273682: Upgrade Jline to 3.20.0
- JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time
- JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3
- JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
- JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12
- JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform)
- JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes
- JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
- JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
- JDK-8274471: Add support for RSASSA-PSS in OCSP Response
- JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
- JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
- JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS
- JDK-8274658: ISO 4217 Amendment 170 Update
- JDK-8274714: Incorrect verifier protected access error message
- JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976
- JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes
- JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
- JDK-8274935: dumptime_table has stale entry
- JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info
- JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
- JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
- JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
- JDK-8275586: Zero: Simplify interpreter initialization
- JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow
- JDK-8275610: C2: Object field load floats above its null check resulting in a segfault
- JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg
- JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64
- JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
- JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException
- JDK-8275800: Redefinition leaks MethodData::_extra_data_lock
- JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method
- JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue
- JDK-8276057: Update JMH devkit to 1.33
- JDK-8276141: XPathFactory set/getProperty method
- JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
- JDK-8276314: [JVMCI] check alignment of call displacement during code installation
- JDK-8276623: JDK-8275650 accidentally pushed "out" file
- JDK-8276654: element-list order is non deterministic
- JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common()
- JDK-8276764: Enable deterministic file content ordering for Jar and Jmod
- JDK-8276766: Enable jar and jmod to produce deterministic timestamped content
- JDK-8276841: Add support for Visual Studio 2022
- JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible"
- JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
- JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
- JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits
- JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
- JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
- JDK-8277383: VM.metaspace optionally show chunk freelist details
- JDK-8277385: Zero: Enable CompactStrings support
- JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last
- JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
- JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
- JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
- JDK-8277497: Last column cell in the JTable row is read as empty cell
- JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found."
- JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER
- JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad
- JDK-8277795: ldap connection timeout not honoured under contention
- JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64
- JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording
- JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
- JDK-8278016: Add compiler tests to tier{2,3}
- JDK-8278020: ~13% variation in Renaissance-Scrabble
- JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
- JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError
- JDK-8278104: C1 should support the compiler directive 'BreakAtExecute'
- JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
- JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
- JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup
- JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux
- JDK-8278185: Custom JRE cannot find non-ASCII named module inside
- JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d
- JDK-8278241: Implement JVM SpinPause on linux-aarch64
- JDK-8278309: [windows] use of uninitialized OSThread::_state
- JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output
- JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
- JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
- JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
- JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic
- JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column
- JDK-8278604: SwingSet2 table demo does not have accessible description set for images
- JDK-8278627: Shenandoah: TestHeapDump test failed
- JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
- JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3
- JDK-8278824: Uneven work distribution when scanning heap roots in G1
- JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
- JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
- JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__
- JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t
- JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
- JDK-8279124: VM does not handle SIGQUIT during initialization
- JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
- JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
- JDK-8279379: GHA: Print tests that are in error
- JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344
- JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it
- JDK-8279445: Update JMH devkit to 1.34
- JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms
- JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
- JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
- JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also
- JDK-8279702: [macosx] ignore xcodebuild warnings on M1
- JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
- JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
- JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id"
- JDK-8280002: jmap -histo may leak stream
- JDK-8280155: [PPC64, s390] frame size checks are not yet correct
- JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
- JDK-8280414: Memory leak in DefaultProxySelector
- JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
- JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
- JDK-8281460: Let ObjectMonitor have its own NMT category
- JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
- JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
- JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
- JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
- JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8274791: Support for RSASSA-PSS in OCSP Response
====================================================
An OCSP response signed with the RSASSA-PSS algorithm is now supported.
New in release OpenJDK 17.0.2 (2022-01-18):
===========================================
Live versions of these release notes can be found at:

26
SOURCES/jdk8275535-rh2053256-ldap_auth.patch Normal file
View File

@ -0,0 +1,26 @@
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
index 70903206ea0..09956084cf9 100644
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
ctx = getLdapCtxFromUrl(
r.getDomainName(), url, new LdapURL(u), env);
return ctx;
+ } catch (AuthenticationException e) {
+ // do not retry on a different endpoint to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
// try the next element
lastException = e;
@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
for (String u : urls) {
try {
return getUsingURL(u, env);
+ } catch (AuthenticationException e) {
+ // do not retry on a different URL to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
ex = e;
}

96
SOURCES/jdk8284548-jaxp_regression.patch
View File

@ -1,96 +0,0 @@
From 722bf5b20de2ee64e0fdabb2f5e5fa89e043e3f1 Mon Sep 17 00:00:00 2001
From: Christoph Langer <clanger@openjdk.org>
Date: Fri, 8 Apr 2022 14:06:47 +0200
Subject: [PATCH] 8284548: Unexpected StringIndexOutOfBoundsException can occur
for invalid XPath expressions after JDK-8270504
---
.../apache/xpath/internal/compiler/Lexer.java | 4 +-
.../javax/xml/jaxp/XPath/InvalidXPath.java | 53 +++++++++++++++++++
2 files changed, 54 insertions(+), 3 deletions(-)
create mode 100644 test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
index 54595e2d036..b7b3f419eb2 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
@@ -24,7 +24,6 @@ import com.sun.org.apache.xalan.internal.res.XSLMessages;
import com.sun.org.apache.xml.internal.utils.PrefixResolver;
import com.sun.org.apache.xpath.internal.res.XPATHErrorResources;
import java.util.List;
-import java.util.Objects;
import javax.xml.transform.TransformerException;
import jdk.xml.internal.XMLSecurityManager;
import jdk.xml.internal.XMLSecurityManager.Limit;
@@ -451,8 +450,7 @@ class Lexer
* @return the next char
*/
private char peekNext(String s, int index) {
- Objects.checkIndex(index, s.length());
- if (s.length() > index) {
+ if (index >= 0 && index < s.length() - 1) {
return s.charAt(index + 1);
}
return 0;
diff --git openjdk.orig/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java openjdk/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java
new file mode 100644
index 00000000000..478f4212d5b
--- /dev/null
+++ openjdk/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2022, SAP SE. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8284548
+ * @summary Test whether the expected exception is thrown when
+ * trying to compile an invalid XPath expression.
+ * @run main InvalidXPath
+ */
+
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
+public class InvalidXPath {
+
+ public static void main(String... args) {
+ // define an invalid XPath expression
+ final String invalidXPath = ">>";
+
+ // expect XPathExpressionException when the invalid XPath expression is compiled
+ try {
+ XPathFactory.newInstance().newXPath().compile(invalidXPath);
+ } catch (XPathExpressionException e) {
+ System.out.println("Caught expected exception: " + e.getClass().getName() +
+ "(" + e.getMessage() + ").");
+ } catch (Exception e) {
+ System.out.println("Caught unexpected exception: " + e.getClass().getName() +
+ "(" + e.getMessage() + ")!");
+ throw e;
+ }
+ }
+}
--
2.35.1.windows.2

102
SOURCES/jdk8284920-incorrect_token_type.patch
View File

@ -1,102 +0,0 @@
From 0d3aea2f11df585b491ae5c07de9f66679601d58 Mon Sep 17 00:00:00 2001
From: Anton Kozlov <akozlov@azul.com>
Date: Fri, 15 Apr 2022 14:07:52 +0300
Subject: [PATCH] 8284920: Incorrect Token type causes XPath expression to
return empty result
Reviewed-by:
---
.../com/sun/org/apache/xpath/internal/compiler/Lexer.java | 4 ++--
.../com/sun/org/apache/xpath/internal/compiler/Token.java | 4 ++--
.../org/apache/xpath/internal/compiler/XPathParser.java | 8 ++++----
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
index b7b3f419eb2..41b58da8e99 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
@@ -360,7 +360,7 @@ class Lexer
addToTokenQueue(pat.substring(i, i + 1));
break;
- case Token.COLON :
+ case Token.COLON_CHAR:
if (i>0)
{
if (posOfNSSep == (i - 1))
@@ -615,7 +615,7 @@ class Lexer
resetTokenMark(tokPos + 1);
}
- if (m_processor.lookahead(Token.COLON, 1))
+ if (m_processor.lookahead(Token.COLON_CHAR, 1))
{
tokPos += 2;
}
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
index 8c4fee146c6..7bce14e5770 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
@@ -45,10 +45,9 @@ public final class Token {
static final char LPAREN = '(';
static final char RPAREN = ')';
static final char COMMA = ',';
- static final char DOT = '.';
static final char AT = '@';
static final char US = '_';
- static final char COLON = ':';
+ static final char COLON_CHAR = ':';
static final char SQ = '\'';
static final char DQ = '"';
static final char DOLLAR = '$';
@@ -58,6 +57,7 @@ public final class Token {
static final String DIV = "div";
static final String MOD = "mod";
static final String QUO = "quo";
+ static final String DOT = ".";
static final String DDOT = "..";
static final String DCOLON = "::";
static final String ATTR = "attribute";
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
index c3f9e1494be..22192fd06f6 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
@@ -1413,7 +1413,7 @@ public class XPathParser
matchFound = true;
}
- else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON, 1) && lookahead(Token.LPAREN, 3)))
+ else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON_CHAR, 1) && lookahead(Token.LPAREN, 3)))
{
matchFound = FunctionCall();
}
@@ -1457,7 +1457,7 @@ public class XPathParser
int opPos = m_ops.getOp(OpMap.MAPINDEX_LENGTH);
- if (lookahead(Token.COLON, 1))
+ if (lookahead(Token.COLON_CHAR, 1))
{
appendOp(4, OpCodes.OP_EXTFUNCTION);
@@ -1841,7 +1841,7 @@ public class XPathParser
m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), OpCodes.NODENAME);
m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
- if (lookahead(Token.COLON, 1))
+ if (lookahead(Token.COLON_CHAR, 1))
{
if (tokenIs(Token.STAR))
{
@@ -1944,7 +1944,7 @@ public class XPathParser
protected void QName() throws TransformerException
{
// Namespace
- if(lookahead(Token.COLON, 1))
+ if(lookahead(Token.COLON_CHAR, 1))
{
m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), m_queueMark - 1);
m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
--
2.24.3

2
SOURCES/nss.fips.cfg.in
View File

@ -1,6 +1,6 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

99
SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch Normal file
View File

@ -0,0 +1,99 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {

213
SOURCES/rh2052829-fips_runtime_nss_detection.patch Normal file
View File

@ -0,0 +1,213 @@
commit 090ea0389db5c2e0c8ee13652bccd544b17872c2
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 7 15:33:27 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index caf678a7dd6..8dcb7d9073f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,26 +23,37 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
-#define MSG_MAX_SIZE 96
+#define MSG_MAX_SIZE 256
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
-#ifndef SYSCONF_NSS
-
-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
static void throwIOException(JNIEnv *env, const char *msg)
{
@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg)
(*env)->ThrowNew(env, cls, msg);
}
-#endif
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
-static void dbgPrint(JNIEnv *env, const char* msg)
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
- }
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
}
+#endif
+
/*
* Class: java_security_SystemConfigurator
* Method: JNI_OnLoad
@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+ FILE *fe;
-#else // SYSCONF_NSS
-
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
}

848
SPECS/java-17-openjdk.spec
View File

File diff suppressed because it is too large Load Diff