diff --git a/fips-25u-df044414ef4.patch b/fips-25u-df044414ef4.patch
new file mode 100644
index 0000000..8b210e6
--- /dev/null
+++ b/fips-25u-df044414ef4.patch
@@ -0,0 +1,92 @@ +diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java +index de2845fb550..b1e416b90f4 100644 +--- a/src/java.base/share/classes/java/security/Provider.java ++++ b/src/java.base/share/classes/java/security/Provider.java +@@ -1203,6 +1203,39 @@ public Set getServices() { + return serviceSet; + } + ++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */ ++ private static final class RedHatFIPSFilter { ++ static final boolean IS_ON = Boolean.parseBoolean( ++ Security.getProperty("__redhat_fips_filter__")); ++ private static final Set ANY_SERVICE_TYPE = Set.of(); ++ private static final Map> ALLOW_LIST = Map.of( ++ "SunPKCS11-FIPS", ANY_SERVICE_TYPE, ++ "SUN", Set.of( ++ "AlgorithmParameterGenerator", ++ "AlgorithmParameters", "CertificateFactory", ++ "CertPathBuilder", "CertPathValidator", "CertStore", ++ "Configuration", "KeyStore"), ++ "SunEC", Set.of( ++ "AlgorithmParameters", "KeyFactory"), ++ "SunJSSE", ANY_SERVICE_TYPE, ++ "SunJCE", Set.of( ++ "AlgorithmParameters", ++ "AlgorithmParameterGenerator", "KeyFactory", ++ "SecretKeyFactory"), ++ "SunRsaSign", Set.of( ++ "KeyFactory", "AlgorithmParameters"), ++ "XMLDSig", ANY_SERVICE_TYPE ++ ); ++ ++ static boolean isAllowed(String provName, String serviceType) { ++ Set allowedServiceTypes = ALLOW_LIST.get(provName); ++ return allowedServiceTypes != null && ++ (allowedServiceTypes == ANY_SERVICE_TYPE || ++ allowedServiceTypes.contains(serviceType)); ++ } ++ } ++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */ ++ + /** + * Add a service. 
If a service of the same type with the same algorithm + * name exists, and it was added using {@link #putService putService()}, +@@ -1231,6 +1264,15 @@ protected void putService(Service s) { + ("service.getProvider() must match this Provider object"); + } + String type = s.getType(); ++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */ ++ if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) { ++ if (debug != null) { ++ debug.println("The previous " + name + ".putService() call " + ++ "was skipped by " + RedHatFIPSFilter.class.getName()); ++ } ++ return; ++ } ++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */ + String algorithm = s.getAlgorithm(); + ServiceKey key = new ServiceKey(type, algorithm, true); + implRemoveService(serviceMap.get(key)); +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index 6969fe8a8e1..4501d5971c4 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -323,7 +323,27 @@ public Properties getInitialProperties() { + } + + private static void initialize() { ++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */ ++ /* This 'include'-directives-only magic property is an internal */ ++ /* implementation detail that could (and probably will!) change. */ ++ /* Red Hat customers should NOT rely on this for their own use. 
*/ ++ String fipsKernelFlag = "/proc/sys/crypto/fips_enabled"; ++ boolean fipsModeOn; ++ try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) { ++ fipsModeOn = is.read() == '1'; ++ } catch (IOException ioe) { ++ fipsModeOn = false; ++ if (sdebug != null) { ++ sdebug.println("Failed to read FIPS kernel file: " + ioe); ++ } ++ } ++ String fipsMagicPropName = "__redhat_fips__"; ++ System.setProperty(fipsMagicPropName, "" + fipsModeOn); ++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */ + SecPropLoader.loadAll(); ++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */ ++ System.clearProperty(fipsMagicPropName); ++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */ + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec index 418355b..2ff045f 100644 --- a/java-25-openjdk.spec +++ b/java-25-openjdk.spec @@ -204,27 +204,6 @@ %endif %endif -%if %{include_staticlibs} -# Extra target for producing the static-libraries. Separate from -# other targets since this target is configured to use in-tree -# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib -# and possibly others -%global static_libs_target static-libs-image -%else -%global static_libs_target %{nil} -%endif - -# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM -%global debug_symbols internal - -# unlike portables,the rpms have to use static_libs_target very dynamically -%global bootstrap_targets images -%global release_targets images docs-zip -# No docs nor bootcycle for debug builds -%global debug_targets images -# Target to use to just build HotSpot -%global hotspot_target hotspot - # debugedit tool for rewriting ELF file paths %if 0%{?rhel} >= 10 # From RHEL 10, the tool is in its own package installed in the usual location 
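Review bot: `ANY_SERVICE_TYPE = Set.of()` is used as an identity sentinel in `isAllowed` (the `allowedServiceTypes == ANY_SERVICE_TYPE` test), but `Set.of()` hands back the JDK's shared immutable empty set, so a future `ALLOW_LIST` entry written as `Set.of()` to mean "no service types" would silently be treated as "any service type"; a private instance such as `Collections.unmodifiableSet(new HashSet<>())` (if `java.util.Collections` is in scope in Provider.java) or at least a comment `// identity sentinel: never use Set.of() for an empty allow-list entry` would close that trap. The debug line in putService says the "previous" call was skipped although it is the current one, and it names neither the service type nor the algorithm that was dropped, which is exactly what an operator tracing a missing algorithm under FIPS needs; `debug.println(name + ".putService(" + type + "/" + s.getAlgorithm() + ") skipped by " + RedHatFIPSFilter.class.getName());` would make the log actionable. In Security.initialize the temporary `__redhat_fips__` system property is unconditionally overwritten before `SecPropLoader.loadAll()` and cleared afterwards, so a value supplied on the command line cannot influence the result, but that contract is only implied by the code; a one-line comment stating it would help the next reader. Both enclosing definitions (the Provider class around RedHatFIPSFilter/putService and the Security class around initialize) continue outside the hunk.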
@@ -234,15 +213,6 @@ %global debugedit %{_rpmconfigdir}/debugedit %endif -# Filter out flags from the optflags macro that cause problems with the OpenJDK build -# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 -# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) -# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings -# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ -%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') -%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') -%global ourldflags %{__global_ldflags} - # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap @@ -352,9 +322,10 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the crypto policy & FIPS support patches -%global fipsver 9203d50836c -# Define nssadapter version +%global fipsver df044414ef4 +# Define nssadapter variables %global nssadapter_version 0.1.0 +%global nssadapter_name nssadapter-%{nssadapter_version} # Define whether the crypto policy is expected to be active when testing %global crypto_policy_active true # Define JDK versions @@ -378,9 +349,9 @@ %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 4 +%global rpmrelease 5 # Settings used by the portable build -%global portablerelease 1 +%global portablerelease 2 # Portable suffix differs between RHEL and CentOS %if 0%{?centos} == 0 %global portablerhel %{?pkgos:7_9}%{!?pkgos:8} 
@@ -439,9 +410,6 @@ # parametrized macros are order-sensitive %global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} -# images directories from upstream build -%global jdkimage jdk -%global static_libs_image static-libs # output dir stub %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch @@ -1092,7 +1060,6 @@ fi %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/%{vm_variant}/lib*.a } %define files_javadoc() %{expand: @@ -1388,7 +1355,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch # FIPS support sources. # For libnssadapter.so (RHEL-128413) -Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/nssadapter-%{nssadapter_version}.tar.xz +Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/%{nssadapter_name}.tar.xz # Create OpenJDK's crypto-policies hierarchy (RHEL-128409) Source32: create-redhat-properties-files.bash @@ -1410,7 +1377,7 @@ Source32: create-redhat-properties-files.bash # Crypto policy and FIPS support patches # Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u -# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch +# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy 
@@ -1469,6 +1436,13 @@ Source32: create-redhat-properties-files.bash # Currently empty +############################################# +# +# NSS adapter patches +# +############################################# +Patch2001: nssadapter-ldflags.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: alsa-lib-devel @@ -1985,10 +1959,14 @@ sh %{SOURCE12} %{top_level_dir_name} # rpmbuild. pushd %{top_level_dir_name} # Add crypto policy and FIPS support -# Disabled until 25 -#%patch -P1001 -p1 +%patch -P1001 -p1 popd # openjdk +# Patch NSS adapter +pushd %{nssadapter_name} +%patch -P2001 -p1 +popd # nssadapter + # The OpenJDK version file includes the current # upstream version information. For some reason, # configure does not automatically use the @@ -2060,16 +2038,16 @@ for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then jdkzip=%{releasezip} staticlibzip=%{staticlibzip} - make -C nssadapter-%{nssadapter_version} + make -C %{nssadapter_name} CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}" elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then jdkzip=%{fastdebugzip} staticlibzip=%{fastdebugstaticlibzip} - make -C nssadapter-%{nssadapter_version} + make -C %{nssadapter_name} CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}" else # slowdebug jdkzip=%{slowdebugzip} staticlibzip=%{slowdebugstaticlibzip} # Disable _FORTIFY_SOURCE to allow for no optimization - make -C nssadapter-%{nssadapter_version} CFLAGS="${CFLAGS} -O0 -Wp,-U_FORTIFY_SOURCE" + make -C %{nssadapter_name} CFLAGS="%{build_cflags} -O0 -Wp,-U_FORTIFY_SOURCE" LDFLAGS="%{build_ldflags}" fi installdir=%{installoutputdir -- ${suffix}} 
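Review bot: The three `make -C %{nssadapter_name}` lines in the `@@ -2060,16 +2038,16 @@` hunk pass `%{build_cflags}` and `%{build_ldflags}`, and the `ourflags`/`ourldflags` macros are deleted earlier in this commit (`@@ -234,15 +213,6 @@`), yet the changelog entry in the next hunk states "Pass ourflags and ourldflags into the nssadapter build using CFLAGS & LDFLAGS"; that bullet should read `- Pass build_cflags and build_ldflags into the nssadapter build using CFLAGS & LDFLAGS` so the record matches what is built. The flag strings are now repeated verbatim in three branches, differing only by the slowdebug `-O0 -Wp,-U_FORTIFY_SOURCE` addition; defining them once (for example a `%global nssadapter_cflags "%{build_cflags}"` next to `nssadapter_name`) would keep the branches from drifting apart again. The `for suffix in %{build_loop}` body these lines belong to starts and ends outside the hunk.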
@@ -2080,8 +2058,8 @@ for suffix in %{build_loop} ; do mv java-%{featurever}-openjdk* ${installdir} # Install and clean libnssadapter.so - install -m 755 nssadapter-%{nssadapter_version}/bin/libnssadapter.so ${installdir}/lib - make -C nssadapter-%{nssadapter_version} clean + install -m 755 %{nssadapter_name}/bin/libnssadapter.so ${installdir}/lib + make -C %{nssadapter_name} clean # Fix build paths in ELF files so it looks like we built them portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}" @@ -2656,9 +2634,20 @@ exit 0 %endif %changelog -* Sat Nov 29 2025 Eduard Abdullin - 1:25.0.1.0.8-4.alma.1 +* Wed Dec 10 2025 Eduard Abdullin - 1:25.0.1.0.8-5.alma.1 - Use el9 portable packages +* Thu Dec 04 2025 Andrew Hughes - 1:25.0.1.0.8-5 +- Incorporate new FIPS patch for 25u +- Drop static libjvm.a following adjusted build target for portable build +- Remove redundant (and now outdated) build targets, jdkimage and static_libs_image +- Pass ourflags and ourldflags into the nssadapter build using CFLAGS & LDFLAGS +- Patch the nssadapter build to recognise LDFLAGS +- Remove OpenJDK compiler flag filters and use build_{c,ld}flags directly +- Resolves: RHEL-133733 +- Resolves: RHEL-133735 +- Resolves: RHEL-133763 + * Wed Nov 26 2025 Thomas Fitzsimmons - 1:25.0.1.0.8-4 - Add java-25-openjdk-crypto-adapter subpackage - Update library setting in create-redhat-properties-files.bash diff --git a/nssadapter-ldflags.patch b/nssadapter-ldflags.patch new file mode 100644 index 0000000..04171b2 --- /dev/null +++ b/nssadapter-ldflags.patch 
@@ -0,0 +1,41 @@ +diff --git a/Makefile b/Makefile +index 5175f21..571748a 100644 +--- a/Makefile ++++ b/Makefile +@@ -13,12 +13,12 @@ DEVEL_PKGS = nss nss-softokn + LIB_DIR = $(shell pkg-config --variable=libdir nss-softokn) + SHARED_LIBS = pthread softokn3 nss3 + STATIC_LIBS = freebl +-SHR_CFLAGS = -shared -fPIC -fvisibility=hidden -Wl,--exclude-libs,ALL \ +- $(addprefix -l,$(SHARED_LIBS)) \ ++SHR_CFLAGS = -shared -fPIC -fvisibility=hidden \ + $(strip $(shell pkg-config --cflags $(DEVEL_PKGS))) \ + -Wpedantic -Wall -Wextra -Wconversion -Werror + DBG_CFLAGS = -Wno-error=unused-variable -Wno-error=unused-parameter -DDEBUG \ + -O0 -g ++SHR_LDFLAGS = -Wl,--exclude-libs,ALL $(addprefix -l,$(SHARED_LIBS)) + + # https://clang.llvm.org/docs/ClangFormatStyleOptions.html + CLANG_FORMAT_STYLE = { \ +@@ -53,10 +53,12 @@ endif + + .PHONY: release ## Build the library in RELEASE mode (default) + release: BLD_CFLAGS = $(SHR_CFLAGS) $(CFLAGS) ++release: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS) + release: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_DEBUG) $(OUTPUT) + + .PHONY: debug ## Build the library in DEBUG mode + debug: BLD_CFLAGS = $(SHR_CFLAGS) $(DBG_CFLAGS) $(CFLAGS) ++debug: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS) + debug: CREATE_DBG_SENTINEL_IF_NEEDED = touch $(DBG_SENTINEL) + debug: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_RELEASE) $(OUTPUT) + +@@ -73,7 +75,7 @@ $(BIN_DIR): + + $(OUTPUT): $(BIN_DIR) $(SRC_FILES) + @$(CREATE_DBG_SENTINEL_IF_NEEDED) +- $(CC) $(BLD_CFLAGS) $(filter %.c, $+) \ ++ $(CC) $(BLD_CFLAGS) $(filter %.c, $+) $(BLD_LDFLAGS) \ + $(addprefix $(LIB_DIR)/lib,$(addsuffix .a,$(STATIC_LIBS))) -o $@ + +