rpms/java-25-openjdk
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'c10s' into a10s

Browse Source
This commit is contained in:
eabdullin 2025-12-10 15:45:38 +03:00
commit c2ea89ad5d
3 changed files with 171 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
fips-25u-df044414ef4.patch Normal file
View File

@ -0,0 +1,92 @@
diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
index de2845fb550..b1e416b90f4 100644
--- a/src/java.base/share/classes/java/security/Provider.java
+++ b/src/java.base/share/classes/java/security/Provider.java
@@ -1203,6 +1203,39 @@ public Set<Service> getServices() {
return serviceSet;
}
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ private static final class RedHatFIPSFilter {
+ static final boolean IS_ON = Boolean.parseBoolean(
+ Security.getProperty("__redhat_fips_filter__"));
+ private static final Set<String> ANY_SERVICE_TYPE = Set.of();
+ private static final Map<String, Set<String>> ALLOW_LIST = Map.of(
+ "SunPKCS11-FIPS", ANY_SERVICE_TYPE,
+ "SUN", Set.of(
+ "AlgorithmParameterGenerator",
+ "AlgorithmParameters", "CertificateFactory",
+ "CertPathBuilder", "CertPathValidator", "CertStore",
+ "Configuration", "KeyStore"),
+ "SunEC", Set.of(
+ "AlgorithmParameters", "KeyFactory"),
+ "SunJSSE", ANY_SERVICE_TYPE,
+ "SunJCE", Set.of(
+ "AlgorithmParameters",
+ "AlgorithmParameterGenerator", "KeyFactory",
+ "SecretKeyFactory"),
+ "SunRsaSign", Set.of(
+ "KeyFactory", "AlgorithmParameters"),
+ "XMLDSig", ANY_SERVICE_TYPE
+ );
+
+ static boolean isAllowed(String provName, String serviceType) {
+ Set<String> allowedServiceTypes = ALLOW_LIST.get(provName);
+ return allowedServiceTypes != null &&
+ (allowedServiceTypes == ANY_SERVICE_TYPE ||
+ allowedServiceTypes.contains(serviceType));
+ }
+ }
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+
/**
* Add a service. If a service of the same type with the same algorithm
* name exists, and it was added using {@link #putService putService()},
@@ -1231,6 +1264,15 @@ protected void putService(Service s) {
("service.getProvider() must match this Provider object");
}
String type = s.getType();
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) {
+ if (debug != null) {
+ debug.println("The previous " + name + ".putService() call " +
+ "was skipped by " + RedHatFIPSFilter.class.getName());
+ }
+ return;
+ }
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
String algorithm = s.getAlgorithm();
ServiceKey key = new ServiceKey(type, algorithm, true);
implRemoveService(serviceMap.get(key));
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
index 6969fe8a8e1..4501d5971c4 100644
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -323,7 +323,27 @@ public Properties getInitialProperties() {
}
private static void initialize() {
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ /* This 'include'-directives-only magic property is an internal */
+ /* implementation detail that could (and probably will!) change. */
+ /* Red Hat customers should NOT rely on this for their own use. */
+ String fipsKernelFlag = "/proc/sys/crypto/fips_enabled";
+ boolean fipsModeOn;
+ try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) {
+ fipsModeOn = is.read() == '1';
+ } catch (IOException ioe) {
+ fipsModeOn = false;
+ if (sdebug != null) {
+ sdebug.println("Failed to read FIPS kernel file: " + ioe);
+ }
+ }
+ String fipsMagicPropName = "__redhat_fips__";
+ System.setProperty(fipsMagicPropName, "" + fipsModeOn);
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
SecPropLoader.loadAll();
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ System.clearProperty(fipsMagicPropName);
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
initialSecurityProperties = (Properties) props.clone();
if (sdebug != null) {
for (String key : props.stringPropertyNames()) {

86
java-25-openjdk.spec
View File

@ -204,27 +204,6 @@
%endif
%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
# other targets since this target is configured to use in-tree
# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
# and possibly others
%global static_libs_target static-libs-image
%else
%global static_libs_target %{nil}
%endif
# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
%global debug_symbols internal
# unlike portables,the rpms have to use static_libs_target very dynamically
%global bootstrap_targets images
%global release_targets images docs-zip
# No docs nor bootcycle for debug builds
%global debug_targets images
# Target to use to just build HotSpot
%global hotspot_target hotspot
# debugedit tool for rewriting ELF file paths
%if 0%{?rhel} >= 10
# From RHEL 10, the tool is in its own package installed in the usual location
@ -234,15 +213,6 @@
%global debugedit %{_rpmconfigdir}/debugedit
%endif
# Filter out flags from the optflags macro that cause problems with the OpenJDK build
# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
%global ourldflags %{__global_ldflags}
# In some cases, the arch used by the JDK does
# not match _arch.
# Also, in some cases, the machine name used by SystemTap
@ -352,9 +322,10 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the crypto policy & FIPS support patches
%global fipsver 9203d50836c
# Define nssadapter version
%global fipsver df044414ef4
# Define nssadapter variables
%global nssadapter_version 0.1.0
%global nssadapter_name nssadapter-%{nssadapter_version}
# Define whether the crypto policy is expected to be active when testing
%global crypto_policy_active true
# Define JDK versions
@ -378,9 +349,9 @@
%global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
%global rpmrelease 4
%global rpmrelease 5
# Settings used by the portable build
%global portablerelease 1
%global portablerelease 2
# Portable suffix differs between RHEL and CentOS
%if 0%{?centos} == 0
%global portablerhel %{?pkgos:7_9}%{!?pkgos:8}
@ -439,9 +410,6 @@
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
# images directories from upstream build
%global jdkimage jdk
%global static_libs_image static-libs
# output dir stub
%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
@ -1092,7 +1060,6 @@ fi
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/%{vm_variant}/lib*.a
}
%define files_javadoc() %{expand:
@ -1388,7 +1355,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
# FIPS support sources.
# For libnssadapter.so (RHEL-128413)
Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/nssadapter-%{nssadapter_version}.tar.xz
Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/%{nssadapter_name}.tar.xz
# Create OpenJDK's crypto-policies hierarchy (RHEL-128409)
Source32: create-redhat-properties-files.bash
@ -1410,7 +1377,7 @@ Source32: create-redhat-properties-files.bash
# Crypto policy and FIPS support patches
# Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u
# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch
# Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included:
# PR3183, RH1340845: Follow system wide crypto policy
@ -1444,6 +1411,7 @@ Source32: create-redhat-properties-files.bash
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
# RH1940064: Enable XML Signature provider in FIPS mode
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
Patch1001: fips-%{featurever}u-%{fipsver}.patch
#############################################
#
@ -1469,6 +1437,13 @@ Source32: create-redhat-properties-files.bash
# Currently empty
#############################################
#
# NSS adapter patches
#
#############################################
Patch2001: nssadapter-ldflags.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: alsa-lib-devel
@ -1985,10 +1960,14 @@ sh %{SOURCE12} %{top_level_dir_name}
# rpmbuild.
pushd %{top_level_dir_name}
# Add crypto policy and FIPS support
# Disabled until 25
#%patch -P1001 -p1
%patch -P1001 -p1
popd # openjdk
# Patch NSS adapter
pushd %{nssadapter_name}
%patch -P2001 -p1
popd # nssadapter
# The OpenJDK version file includes the current
# upstream version information. For some reason,
# configure does not automatically use the
@ -2060,16 +2039,16 @@ for suffix in %{build_loop} ; do
if [ "x$suffix" = "x" ] ; then
jdkzip=%{releasezip}
staticlibzip=%{staticlibzip}
make -C nssadapter-%{nssadapter_version}
make -C %{nssadapter_name} CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}"
elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then
jdkzip=%{fastdebugzip}
staticlibzip=%{fastdebugstaticlibzip}
make -C nssadapter-%{nssadapter_version}
make -C %{nssadapter_name} CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}"
else # slowdebug
jdkzip=%{slowdebugzip}
staticlibzip=%{slowdebugstaticlibzip}
# Disable _FORTIFY_SOURCE to allow for no optimization
make -C nssadapter-%{nssadapter_version} CFLAGS="${CFLAGS} -O0 -Wp,-U_FORTIFY_SOURCE"
make -C %{nssadapter_name} CFLAGS="%{build_cflags} -O0 -Wp,-U_FORTIFY_SOURCE" LDFLAGS="%{build_ldflags}"
fi
installdir=%{installoutputdir -- ${suffix}}
@ -2080,8 +2059,8 @@ for suffix in %{build_loop} ; do
mv java-%{featurever}-openjdk* ${installdir}
# Install and clean libnssadapter.so
install -m 755 nssadapter-%{nssadapter_version}/bin/libnssadapter.so ${installdir}/lib
make -C nssadapter-%{nssadapter_version} clean
install -m 755 %{nssadapter_name}/bin/libnssadapter.so ${installdir}/lib
make -C %{nssadapter_name} clean
# Fix build paths in ELF files so it looks like we built them
portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}"
@ -2656,9 +2635,20 @@ exit 0
%endif
%changelog
* Sat Nov 29 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:25.0.1.0.8-4.alma.1
* Wed Dec 10 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:25.0.1.0.8-5.alma.1
- Use el9 portable packages
* Thu Dec 04 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-5
- Incorporate new FIPS patch for 25u
- Drop static libjvm.a following adjusted build target for portable build
- Remove redundant (and now outdated) build targets, jdkimage and static_libs_image
- Pass ourflags and ourldflags into the nssadapter build using CFLAGS & LDFLAGS
- Patch the nssadapter build to recognise LDFLAGS
- Remove OpenJDK compiler flag filters and use build_{c,ld}flags directly
- Resolves: RHEL-133733
- Resolves: RHEL-133735
- Resolves: RHEL-133763
* Wed Nov 26 2025 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.1.0.8-4
- Add java-25-openjdk-crypto-adapter subpackage
- Update library setting in create-redhat-properties-files.bash

41
nssadapter-ldflags.patch Normal file
View File

@ -0,0 +1,41 @@
diff --git a/Makefile b/Makefile
index 5175f21..571748a 100644
--- a/Makefile
+++ b/Makefile
@@ -13,12 +13,12 @@ DEVEL_PKGS = nss nss-softokn
LIB_DIR = $(shell pkg-config --variable=libdir nss-softokn)
SHARED_LIBS = pthread softokn3 nss3
STATIC_LIBS = freebl
-SHR_CFLAGS = -shared -fPIC -fvisibility=hidden -Wl,--exclude-libs,ALL \
- $(addprefix -l,$(SHARED_LIBS)) \
+SHR_CFLAGS = -shared -fPIC -fvisibility=hidden \
$(strip $(shell pkg-config --cflags $(DEVEL_PKGS))) \
-Wpedantic -Wall -Wextra -Wconversion -Werror
DBG_CFLAGS = -Wno-error=unused-variable -Wno-error=unused-parameter -DDEBUG \
-O0 -g
+SHR_LDFLAGS = -Wl,--exclude-libs,ALL $(addprefix -l,$(SHARED_LIBS))
# https://clang.llvm.org/docs/ClangFormatStyleOptions.html
CLANG_FORMAT_STYLE = { \
@@ -53,10 +53,12 @@ endif
.PHONY: release ## Build the library in RELEASE mode (default)
release: BLD_CFLAGS = $(SHR_CFLAGS) $(CFLAGS)
+release: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
release: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_DEBUG) $(OUTPUT)
.PHONY: debug ## Build the library in DEBUG mode
debug: BLD_CFLAGS = $(SHR_CFLAGS) $(DBG_CFLAGS) $(CFLAGS)
+debug: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
debug: CREATE_DBG_SENTINEL_IF_NEEDED = touch $(DBG_SENTINEL)
debug: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_RELEASE) $(OUTPUT)
@@ -73,7 +75,7 @@ $(BIN_DIR):
$(OUTPUT): $(BIN_DIR) $(SRC_FILES)
@$(CREATE_DBG_SENTINEL_IF_NEEDED)
- $(CC) $(BLD_CFLAGS) $(filter %.c, $+) \
+ $(CC) $(BLD_CFLAGS) $(filter %.c, $+) $(BLD_LDFLAGS) \
$(addprefix $(LIB_DIR)/lib,$(addsuffix .a,$(STATIC_LIBS))) -o $@