Portable build

2025-12-06 04:19:20 +00:00 · 2025-12-06 04:19:20 +00:00 · 0c1b531c29
commit 0c1b531c29
parent 708f8165e7
3 changed files with 134 additions and 1 deletions
--- a/fips-25u-df044414ef4.patch
+++ b/fips-25u-df044414ef4.patch
@ -0,0 +1,92 @@
+diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
+index de2845fb550..b1e416b90f4 100644
+--- a/src/java.base/share/classes/java/security/Provider.java
+++ b/src/java.base/share/classes/java/security/Provider.java
+@@ -1203,6 +1203,39 @@ public Set<Service> getServices() {
+         return serviceSet;
+     }
+ 
+    /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */
+    private static final class RedHatFIPSFilter {
+        static final boolean IS_ON = Boolean.parseBoolean(
+                Security.getProperty("__redhat_fips_filter__"));
+        private static final Set<String> ANY_SERVICE_TYPE = Set.of();
+        private static final Map<String, Set<String>> ALLOW_LIST = Map.of(
+                "SunPKCS11-FIPS", ANY_SERVICE_TYPE,
+                "SUN", Set.of(
+                        "AlgorithmParameterGenerator",
+                        "AlgorithmParameters", "CertificateFactory",
+                        "CertPathBuilder", "CertPathValidator", "CertStore",
+                        "Configuration", "KeyStore"),
+                "SunEC", Set.of(
+                        "AlgorithmParameters", "KeyFactory"),
+                "SunJSSE", ANY_SERVICE_TYPE,
+                "SunJCE", Set.of(
+                        "AlgorithmParameters",
+                        "AlgorithmParameterGenerator", "KeyFactory",
+                        "SecretKeyFactory"),
+                "SunRsaSign", Set.of(
+                        "KeyFactory", "AlgorithmParameters"),
+                "XMLDSig", ANY_SERVICE_TYPE
+        );
+
+        static boolean isAllowed(String provName, String serviceType) {
+            Set<String> allowedServiceTypes = ALLOW_LIST.get(provName);
+            return allowedServiceTypes != null &&
+                    (allowedServiceTypes == ANY_SERVICE_TYPE ||
+                            allowedServiceTypes.contains(serviceType));
+        }
+    }
+    /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+
+     /**
+      * Add a service. If a service of the same type with the same algorithm
+      * name exists, and it was added using {@link #putService putService()},
+@@ -1231,6 +1264,15 @@ protected void putService(Service s) {
+                     ("service.getProvider() must match this Provider object");
+         }
+         String type = s.getType();
+        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+        if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) {
+            if (debug != null) {
+                debug.println("The previous " + name + ".putService() call " +
+                        "was skipped by " + RedHatFIPSFilter.class.getName());
+            }
+            return;
+        }
+        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+         String algorithm = s.getAlgorithm();
+         ServiceKey key = new ServiceKey(type, algorithm, true);
+         implRemoveService(serviceMap.get(key));
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index 6969fe8a8e1..4501d5971c4 100644
+--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
+@@ -323,7 +323,27 @@ public Properties getInitialProperties() {
+     }
+ 
+     private static void initialize() {
+        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+        /*   This 'include'-directives-only magic property is an internal     */
+        /*   implementation detail that could (and probably will!) change.    */
+        /*   Red Hat customers should NOT rely on this for their own use.     */
+        String fipsKernelFlag = "/proc/sys/crypto/fips_enabled";
+        boolean fipsModeOn;
+        try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) {
+            fipsModeOn = is.read() == '1';
+        } catch (IOException ioe) {
+            fipsModeOn = false;
+            if (sdebug != null) {
+                sdebug.println("Failed to read FIPS kernel file: " + ioe);
+            }
+        }
+        String fipsMagicPropName = "__redhat_fips__";
+        System.setProperty(fipsMagicPropName, "" + fipsModeOn);
+        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+         SecPropLoader.loadAll();
+        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+        System.clearProperty(fipsMagicPropName);
+        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+         initialSecurityProperties = (Properties) props.clone();
+         if (sdebug != null) {
+             for (String key : props.stringPropertyNames()) {
--- a/java-25-openjdk-portable.specfile
+++ b/java-25-openjdk-portable.specfile
@ -1967,7 +1967,7 @@ done
 %endif

 %changelog
-* Sat Nov 29 2025 eabdullin <eabdullin@almalinux.org> - 1:25.0.1.0.8-1
+* Sat Dec 06 2025 eabdullin <eabdullin@almalinux.org> - 1:25.0.1.0.8-1
 - Portable build

 * Mon Nov 10 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-1
--- a/nssadapter-ldflags.patch
+++ b/nssadapter-ldflags.patch
@ -0,0 +1,41 @@
+diff --git a/Makefile b/Makefile
+index 5175f21..571748a 100644
+--- a/Makefile
+++ b/Makefile
+@@ -13,12 +13,12 @@ DEVEL_PKGS    = nss nss-softokn
+ LIB_DIR       = $(shell pkg-config --variable=libdir nss-softokn)
+ SHARED_LIBS   = pthread softokn3 nss3
+ STATIC_LIBS   = freebl
+-SHR_CFLAGS    = -shared -fPIC -fvisibility=hidden -Wl,--exclude-libs,ALL       \
+-                $(addprefix -l,$(SHARED_LIBS))                                 \
+SHR_CFLAGS    = -shared -fPIC -fvisibility=hidden                              \
+                 $(strip $(shell pkg-config --cflags $(DEVEL_PKGS)))            \
+                 -Wpedantic -Wall -Wextra -Wconversion -Werror
+ DBG_CFLAGS    = -Wno-error=unused-variable -Wno-error=unused-parameter -DDEBUG \
+                 -O0 -g
+SHR_LDFLAGS   = -Wl,--exclude-libs,ALL $(addprefix -l,$(SHARED_LIBS))
+ 
+ # https://clang.llvm.org/docs/ClangFormatStyleOptions.html
+ CLANG_FORMAT_STYLE = {                                                         \
+@@ -53,10 +53,12 @@ endif
+ 
+ .PHONY: release ## Build the library in RELEASE mode (default)
+ release: BLD_CFLAGS = $(SHR_CFLAGS) $(CFLAGS)
+release: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
+ release: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_DEBUG) $(OUTPUT)
+ 
+ .PHONY: debug ## Build the library in DEBUG mode
+ debug: BLD_CFLAGS = $(SHR_CFLAGS) $(DBG_CFLAGS) $(CFLAGS)
+debug: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
+ debug: CREATE_DBG_SENTINEL_IF_NEEDED = touch $(DBG_SENTINEL)
+ debug: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_RELEASE) $(OUTPUT)
+ 
+@@ -73,7 +75,7 @@ $(BIN_DIR):
+ 
+ $(OUTPUT): $(BIN_DIR) $(SRC_FILES)
+ 	@$(CREATE_DBG_SENTINEL_IF_NEEDED)
+-	$(CC) $(BLD_CFLAGS) $(filter %.c, $+)                                      \
+	$(CC) $(BLD_CFLAGS) $(filter %.c, $+) $(BLD_LDFLAGS) \
+ 	      $(addprefix $(LIB_DIR)/lib,$(addsuffix .a,$(STATIC_LIBS))) -o $@
+ 
+