diff --git a/fips-25u-df044414ef4.patch b/fips-25u-df044414ef4.patch
new file mode 100644
index 0000000..8b210e6
--- /dev/null
+++ b/fips-25u-df044414ef4.patch
@@ -0,0 +1,92 @@
+diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
+index de2845fb550..b1e416b90f4 100644
+--- a/src/java.base/share/classes/java/security/Provider.java
++++ b/src/java.base/share/classes/java/security/Provider.java
+@@ -1203,6 +1203,39 @@ public Set getServices() {
+ return serviceSet;
+ }
+ 
++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */
++ private static final class RedHatFIPSFilter {
++ static final boolean IS_ON = Boolean.parseBoolean(
++ Security.getProperty("__redhat_fips_filter__"));
++ private static final Set ANY_SERVICE_TYPE = Set.of();
++ private static final Map> ALLOW_LIST = Map.of(
++ "SunPKCS11-FIPS", ANY_SERVICE_TYPE,
++ "SUN", Set.of(
++ "AlgorithmParameterGenerator",
++ "AlgorithmParameters", "CertificateFactory",
++ "CertPathBuilder", "CertPathValidator", "CertStore",
++ "Configuration", "KeyStore"),
++ "SunEC", Set.of(
++ "AlgorithmParameters", "KeyFactory"),
++ "SunJSSE", ANY_SERVICE_TYPE,
++ "SunJCE", Set.of(
++ "AlgorithmParameters",
++ "AlgorithmParameterGenerator", "KeyFactory",
++ "SecretKeyFactory"),
++ "SunRsaSign", Set.of(
++ "KeyFactory", "AlgorithmParameters"),
++ "XMLDSig", ANY_SERVICE_TYPE
++ );
++
++ static boolean isAllowed(String provName, String serviceType) {
++ Set allowedServiceTypes = ALLOW_LIST.get(provName);
++ return allowedServiceTypes != null &&
++ (allowedServiceTypes == ANY_SERVICE_TYPE ||
++ allowedServiceTypes.contains(serviceType));
++ }
++ }
++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
++
+ /**
+ * Add a service. If a service of the same type with the same algorithm
+ * name exists, and it was added using {@link #putService putService()},
+@@ -1231,6 +1264,15 @@ protected void putService(Service s) {
+ ("service.getProvider() must match this Provider object");
+ }
+ String type = s.getType();
++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
++ if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) {
++ if (debug != null) {
++ debug.println("The previous " + name + ".putService() call " +
++ "was skipped by " + RedHatFIPSFilter.class.getName());
++ }
++ return;
++ }
++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+ String algorithm = s.getAlgorithm();
+ ServiceKey key = new ServiceKey(type, algorithm, true);
+ implRemoveService(serviceMap.get(key));
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index 6969fe8a8e1..4501d5971c4 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -323,7 +323,27 @@ public Properties getInitialProperties() {
+ }
+ 
+ private static void initialize() {
++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
++ /* This 'include'-directives-only magic property is an internal */
++ /* implementation detail that could (and probably will!) change. */
++ /* Red Hat customers should NOT rely on this for their own use. */
++ String fipsKernelFlag = "/proc/sys/crypto/fips_enabled";
++ boolean fipsModeOn;
++ try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) {
++ fipsModeOn = is.read() == '1';
++ } catch (IOException ioe) {
++ fipsModeOn = false;
++ if (sdebug != null) {
++ sdebug.println("Failed to read FIPS kernel file: " + ioe);
++ }
++ }
++ String fipsMagicPropName = "__redhat_fips__";
++ System.setProperty(fipsMagicPropName, "" + fipsModeOn);
++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+ SecPropLoader.loadAll();
++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
++ System.clearProperty(fipsMagicPropName);
++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+ initialSecurityProperties = (Properties) props.clone();
+ if (sdebug != null) {
+ for (String key : props.stringPropertyNames()) {
diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec
index 0b18950..1d11f45 100644
--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
@@ -226,7 +226,7 @@
 # other targets since this target is configured to use in-tree
 # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
 # and possibly others
-%global static_libs_target static-libs-image
+%global static_libs_target static-libs-graal-image
 %else
 %global static_libs_target %{nil}
 %endif
@@ -376,7 +376,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver 6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver 9203d50836c
+%global fipsver df044414ef4
 # Define JDK versions
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
 %global javaver %{featurever}
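Review bot: `isAllowed` in the Provider.java part of the embedded patch tells the wildcard entry apart from a restricted one by reference identity (`allowedServiceTypes == ANY_SERVICE_TYPE`), yet `ANY_SERVICE_TYPE` is `Set.of()`, a shared value-based instance whose identity the JDK documents as not to be relied upon; the check is correct today only because every other `ALLOW_LIST` value is non-empty, and a future `Set.of()` entry meant as "no service types" would silently become "any service type", widening the FIPS allow-list. A less fragile shape keeps the unrestricted providers in their own set and leaves `ALLOW_LIST` for restricted ones, as sketched below; failing that, the constant needs a comment such as `// Sentinel compared by identity: never add another empty set to ALLOW_LIST`. In the Security.java part, `System.clearProperty(fipsMagicPropName)` runs only when `SecPropLoader.loadAll()` returns normally, so `try { SecPropLoader.loadAll(); } finally { System.clearProperty(fipsMagicPropName); }` would keep the internal `__redhat_fips__` system property from outliving a failed load. `IS_ON` is also a one-time snapshot taken when `RedHatFIPSFilter` is initialized, which a comment on the field should state. Both `putService` and `initialize` begin and end outside the embedded hunks.
```java
// … unchanged: IS_ON …
/* Providers whose services are all allowed; kept apart from ALLOW_LIST
 * so no empty set ever has to be compared by identity. */
private static final Set<String> UNRESTRICTED_PROVIDERS =
        Set.of("SunPKCS11-FIPS", "SunJSSE", "XMLDSig");
// … unchanged: ALLOW_LIST, minus its three ANY_SERVICE_TYPE entries …

static boolean isAllowed(String provName, String serviceType) {
    if (UNRESTRICTED_PROVIDERS.contains(provName)) {
        return true;
    }
    Set<String> allowedServiceTypes = ALLOW_LIST.get(provName);
    return allowedServiceTypes != null
            && allowedServiceTypes.contains(serviceType);
}
```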
@@ -391,7 +391,7 @@
 %global top_level_dir_name %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver 8
-%global rpmrelease 1
+%global rpmrelease 2
 #%%global tagsuffix %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -430,7 +430,7 @@
 %global fullversion %{compatiblename}-%{version}-%{release}
 # images directories from upstream build
 %global jdkimage jdk
-%global static_libs_image static-libs
+%global static_libs_image static-libs-graal
 # output dir stub
 %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
 %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
@@ -640,7 +640,7 @@ Source18: TestTranslations.java
 ############################################
 # Crypto policy and FIPS support patches
 # Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u
-# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
+# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
 # Fixes currently included:
 # PR3183, RH1340845: Follow system wide crypto policy
@@ -674,7 +674,7 @@ Source18: TestTranslations.java
 # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
 # RH1940064: Enable XML Signature provider in FIPS mode
 # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
-# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch
+Patch1001: fips-%{featurever}u-%{fipsver}.patch
 #############################################
 #
@@ -1003,8 +1003,7 @@ sh %{SOURCE12} %{top_level_dir_name}
 # rpmbuild.
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
-# Disabled until 25
-#%patch -P1001 -p1
+%patch -P1001 -p1
 popd # openjdk
 echo "Generating %{alt_java_name} man page"
@@ -1967,6 +1966,14 @@ done
 %endif
 %changelog
+* Tue Dec 02 2025 Severin Gehwolf - 1:25.0.1.0.8-2
+- Switch from static-libs-image to static-libs-graal-image to avoid large unneeded libjvm.a
+- Resolves: OPENJDK-4197
+
+* Tue Dec 02 2025 Andrew Hughes - 1:25.0.1.0.8-2
+- Incorporate new FIPS patch for 25u
+- Resolves: OPENJDK-4184
+
 * Mon Nov 10 2025 Andrew Hughes - 1:25.0.1.0.8-1
 - Update to jdk-25.0.1+8 (GA)
 - Update release notes to 25.0.1+8