rpms/java-17-openjdk
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import java-17-openjdk-17.0.2.0.8-15.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-05-10 02:59:36 -04:00 committed by Stepan Oksanichenko
parent 806b0e8864
commit d8bb67f343
10 changed files with 910 additions and 684 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

2
.java-17-openjdk.metadata
View File

@ -1,2 +1,2 @@
15b13a23d8a862fc881ab110858c0054cf34180e SOURCES/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
47c1e3a97ba6f63908c2a9f55e1514b52f0b8333 SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

204
SOURCES/NEWS
View File

@ -3,210 +3,6 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 17.0.3 (2022-04-19):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1703
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt
* Security fixes
- JDK-8269938: Enhance XML processing passes redux
- JDK-8270504, CVE-2022-21426: Better XPath expression handling
- JDK-8272255: Completely handle MIDI files
- JDK-8272261: Improve JFR recording file processing
- JDK-8272588: Enhanced recording parsing
- JDK-8272594: Better record of recordings
- JDK-8274221: More definite BER encodings
- JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
- JDK-8275151, CVE-2022-21443: Improved Object Identification
- JDK-8277227: Better identification of OIDs
- JDK-8277233, CVE-2022-21449: Improve ECDSA signature support
- JDK-8277672, CVE-2022-21434: Better invocation handler handling
- JDK-8278356: Improve file creation
- JDK-8278449: Improve keychain support
- JDK-8278798: Improve supported intrinsic
- JDK-8278805: Enhance BMP image loading
- JDK-8278972, CVE-2022-21496: Improve URL supports
- JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
* Other changes
- JDK-8177814: jdk/editpad is not in jdk TEST.groups
- JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
- JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently
- JDK-8225559: assertion error at TransTypes.visitApply
- JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
- JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails
- JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
- JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1
- JDK-8251216: Implement MD5 intrinsics on AArch64
- JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
- JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
- JDK-8263567: gtests don't terminate the VM safely
- JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
- JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups
- JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it
- JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only
- JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM
- JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file
- JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java
- JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long'
- JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error
- JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects"
- JDK-8270117: Broken jtreg link in "Building the JDK" page
- JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
- JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity
- JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
- JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
- JDK-8271506: Add ResourceHashtable support for deleting selected entries
- JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests
- JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
- JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates
- JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
- JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication
- JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code
- JDK-8272600: (test) Use native "sleep" in Basic.java
- JDK-8272866: java.util.random package summary contains incorrect mixing function in table
- JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
- JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt
- JDK-8273277: C2: Move conditional negation into rc_predicate
- JDK-8273341: Update Siphash to version 1.0
- JDK-8273351: bad tag in jdk.random module-info.java
- JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12
- JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm
- JDK-8273387: remove some unreferenced gtk-related functions
- JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
- JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
- JDK-8273526: Extend the OSContainer API pids controller with pids.current
- JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java
- JDK-8273655: content-types.properties files are missing some common types
- JDK-8273682: Upgrade Jline to 3.20.0
- JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time
- JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3
- JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
- JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12
- JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform)
- JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes
- JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
- JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
- JDK-8274471: Add support for RSASSA-PSS in OCSP Response
- JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
- JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
- JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS
- JDK-8274658: ISO 4217 Amendment 170 Update
- JDK-8274714: Incorrect verifier protected access error message
- JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976
- JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes
- JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
- JDK-8274935: dumptime_table has stale entry
- JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info
- JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
- JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
- JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
- JDK-8275586: Zero: Simplify interpreter initialization
- JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow
- JDK-8275610: C2: Object field load floats above its null check resulting in a segfault
- JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg
- JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64
- JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
- JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException
- JDK-8275800: Redefinition leaks MethodData::_extra_data_lock
- JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method
- JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue
- JDK-8276057: Update JMH devkit to 1.33
- JDK-8276141: XPathFactory set/getProperty method
- JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
- JDK-8276314: [JVMCI] check alignment of call displacement during code installation
- JDK-8276623: JDK-8275650 accidentally pushed "out" file
- JDK-8276654: element-list order is non deterministic
- JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common()
- JDK-8276764: Enable deterministic file content ordering for Jar and Jmod
- JDK-8276766: Enable jar and jmod to produce deterministic timestamped content
- JDK-8276841: Add support for Visual Studio 2022
- JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible"
- JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
- JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
- JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits
- JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
- JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
- JDK-8277383: VM.metaspace optionally show chunk freelist details
- JDK-8277385: Zero: Enable CompactStrings support
- JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last
- JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
- JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
- JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
- JDK-8277497: Last column cell in the JTable row is read as empty cell
- JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found."
- JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER
- JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad
- JDK-8277795: ldap connection timeout not honoured under contention
- JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64
- JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording
- JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
- JDK-8278016: Add compiler tests to tier{2,3}
- JDK-8278020: ~13% variation in Renaissance-Scrabble
- JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
- JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError
- JDK-8278104: C1 should support the compiler directive 'BreakAtExecute'
- JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
- JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
- JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup
- JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux
- JDK-8278185: Custom JRE cannot find non-ASCII named module inside
- JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d
- JDK-8278241: Implement JVM SpinPause on linux-aarch64
- JDK-8278309: [windows] use of uninitialized OSThread::_state
- JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output
- JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
- JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
- JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
- JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic
- JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column
- JDK-8278604: SwingSet2 table demo does not have accessible description set for images
- JDK-8278627: Shenandoah: TestHeapDump test failed
- JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
- JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3
- JDK-8278824: Uneven work distribution when scanning heap roots in G1
- JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
- JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
- JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__
- JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t
- JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
- JDK-8279124: VM does not handle SIGQUIT during initialization
- JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
- JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
- JDK-8279379: GHA: Print tests that are in error
- JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344
- JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it
- JDK-8279445: Update JMH devkit to 1.34
- JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms
- JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
- JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
- JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also
- JDK-8279702: [macosx] ignore xcodebuild warnings on M1
- JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
- JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
- JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id"
- JDK-8280002: jmap -histo may leak stream
- JDK-8280155: [PPC64, s390] frame size checks are not yet correct
- JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
- JDK-8280414: Memory leak in DefaultProxySelector
- JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
- JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
- JDK-8281460: Let ObjectMonitor have its own NMT category
- JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
- JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
- JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
- JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
- JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8274791: Support for RSASSA-PSS in OCSP Response
====================================================
An OCSP response signed with the RSASSA-PSS algorithm is now supported.
New in release OpenJDK 17.0.2 (2022-01-18):
===========================================
Live versions of these release notes can be found at:

26
SOURCES/jdk8275535-rh2053256-ldap_auth.patch Normal file
View File

@ -0,0 +1,26 @@
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
index 70903206ea0..09956084cf9 100644
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
ctx = getLdapCtxFromUrl(
r.getDomainName(), url, new LdapURL(u), env);
return ctx;
+ } catch (AuthenticationException e) {
+ // do not retry on a different endpoint to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
// try the next element
lastException = e;
@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
for (String u : urls) {
try {
return getUsingURL(u, env);
+ } catch (AuthenticationException e) {
+ // do not retry on a different URL to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
ex = e;
}

96
SOURCES/jdk8284548-jaxp_regression.patch
View File

@ -1,96 +0,0 @@
From 722bf5b20de2ee64e0fdabb2f5e5fa89e043e3f1 Mon Sep 17 00:00:00 2001
From: Christoph Langer <clanger@openjdk.org>
Date: Fri, 8 Apr 2022 14:06:47 +0200
Subject: [PATCH] 8284548: Unexpected StringIndexOutOfBoundsException can occur
for invalid XPath expressions after JDK-8270504
---
.../apache/xpath/internal/compiler/Lexer.java | 4 +-
.../javax/xml/jaxp/XPath/InvalidXPath.java | 53 +++++++++++++++++++
2 files changed, 54 insertions(+), 3 deletions(-)
create mode 100644 test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
index 54595e2d036..b7b3f419eb2 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
@@ -24,7 +24,6 @@ import com.sun.org.apache.xalan.internal.res.XSLMessages;
import com.sun.org.apache.xml.internal.utils.PrefixResolver;
import com.sun.org.apache.xpath.internal.res.XPATHErrorResources;
import java.util.List;
-import java.util.Objects;
import javax.xml.transform.TransformerException;
import jdk.xml.internal.XMLSecurityManager;
import jdk.xml.internal.XMLSecurityManager.Limit;
@@ -451,8 +450,7 @@ class Lexer
* @return the next char
*/
private char peekNext(String s, int index) {
- Objects.checkIndex(index, s.length());
- if (s.length() > index) {
+ if (index >= 0 && index < s.length() - 1) {
return s.charAt(index + 1);
}
return 0;
diff --git openjdk.orig/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java openjdk/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java
new file mode 100644
index 00000000000..478f4212d5b
--- /dev/null
+++ openjdk/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2022, SAP SE. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8284548
+ * @summary Test whether the expected exception is thrown when
+ * trying to compile an invalid XPath expression.
+ * @run main InvalidXPath
+ */
+
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
+public class InvalidXPath {
+
+ public static void main(String... args) {
+ // define an invalid XPath expression
+ final String invalidXPath = ">>";
+
+ // expect XPathExpressionException when the invalid XPath expression is compiled
+ try {
+ XPathFactory.newInstance().newXPath().compile(invalidXPath);
+ } catch (XPathExpressionException e) {
+ System.out.println("Caught expected exception: " + e.getClass().getName() +
+ "(" + e.getMessage() + ").");
+ } catch (Exception e) {
+ System.out.println("Caught unexpected exception: " + e.getClass().getName() +
+ "(" + e.getMessage() + ")!");
+ throw e;
+ }
+ }
+}
--
2.35.1.windows.2

102
SOURCES/jdk8284920-incorrect_token_type.patch
View File

@ -1,102 +0,0 @@
From 0d3aea2f11df585b491ae5c07de9f66679601d58 Mon Sep 17 00:00:00 2001
From: Anton Kozlov <akozlov@azul.com>
Date: Fri, 15 Apr 2022 14:07:52 +0300
Subject: [PATCH] 8284920: Incorrect Token type causes XPath expression to
return empty result
Reviewed-by:
---
.../com/sun/org/apache/xpath/internal/compiler/Lexer.java | 4 ++--
.../com/sun/org/apache/xpath/internal/compiler/Token.java | 4 ++--
.../org/apache/xpath/internal/compiler/XPathParser.java | 8 ++++----
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
index b7b3f419eb2..41b58da8e99 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
@@ -360,7 +360,7 @@ class Lexer
addToTokenQueue(pat.substring(i, i + 1));
break;
- case Token.COLON :
+ case Token.COLON_CHAR:
if (i>0)
{
if (posOfNSSep == (i - 1))
@@ -615,7 +615,7 @@ class Lexer
resetTokenMark(tokPos + 1);
}
- if (m_processor.lookahead(Token.COLON, 1))
+ if (m_processor.lookahead(Token.COLON_CHAR, 1))
{
tokPos += 2;
}
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
index 8c4fee146c6..7bce14e5770 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
@@ -45,10 +45,9 @@ public final class Token {
static final char LPAREN = '(';
static final char RPAREN = ')';
static final char COMMA = ',';
- static final char DOT = '.';
static final char AT = '@';
static final char US = '_';
- static final char COLON = ':';
+ static final char COLON_CHAR = ':';
static final char SQ = '\'';
static final char DQ = '"';
static final char DOLLAR = '$';
@@ -58,6 +57,7 @@ public final class Token {
static final String DIV = "div";
static final String MOD = "mod";
static final String QUO = "quo";
+ static final String DOT = ".";
static final String DDOT = "..";
static final String DCOLON = "::";
static final String ATTR = "attribute";
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
index c3f9e1494be..22192fd06f6 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
@@ -1413,7 +1413,7 @@ public class XPathParser
matchFound = true;
}
- else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON, 1) && lookahead(Token.LPAREN, 3)))
+ else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON_CHAR, 1) && lookahead(Token.LPAREN, 3)))
{
matchFound = FunctionCall();
}
@@ -1457,7 +1457,7 @@ public class XPathParser
int opPos = m_ops.getOp(OpMap.MAPINDEX_LENGTH);
- if (lookahead(Token.COLON, 1))
+ if (lookahead(Token.COLON_CHAR, 1))
{
appendOp(4, OpCodes.OP_EXTFUNCTION);
@@ -1841,7 +1841,7 @@ public class XPathParser
m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), OpCodes.NODENAME);
m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
- if (lookahead(Token.COLON, 1))
+ if (lookahead(Token.COLON_CHAR, 1))
{
if (tokenIs(Token.STAR))
{
@@ -1944,7 +1944,7 @@ public class XPathParser
protected void QName() throws TransformerException
{
// Namespace
- if(lookahead(Token.COLON, 1))
+ if(lookahead(Token.COLON_CHAR, 1))
{
m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), m_queueMark - 1);
m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
--
2.24.3

2
SOURCES/nss.fips.cfg.in
View File

@ -1,6 +1,6 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

99
SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch Normal file
View File

@ -0,0 +1,99 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {

213
SOURCES/rh2052829-fips_runtime_nss_detection.patch Normal file
View File

@ -0,0 +1,213 @@
commit 090ea0389db5c2e0c8ee13652bccd544b17872c2
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 7 15:33:27 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index caf678a7dd6..8dcb7d9073f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,26 +23,37 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
-#define MSG_MAX_SIZE 96
+#define MSG_MAX_SIZE 256
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
-#ifndef SYSCONF_NSS
-
-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
static void throwIOException(JNIEnv *env, const char *msg)
{
@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg)
(*env)->ThrowNew(env, cls, msg);
}
-#endif
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
-static void dbgPrint(JNIEnv *env, const char* msg)
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
- }
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
}
+#endif
+
/*
* Class: java_security_SystemConfigurator
* Method: JNI_OnLoad
@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+ FILE *fe;
-#else // SYSCONF_NSS
-
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
}

848
SPECS/java-17-openjdk.spec
View File

File diff suppressed because it is too large Load Diff